Cryptoassets – what should the second line of defence be focussing on?

First published on Thomson Reuters Regulatory Intelligence on 12 June 2019 (this version includes updates as at 28 June 2019).

In our first article on cryptoassets we discussed considerations for boards and senior management. This second article considers regulatory risks specific to cryptoassets which the second line of defence (i.e. compliance and risk functions) within the three lines of defence (TLOD) model of compliance should consider.


FCA publishes its latest Industry Feedback on its 5 Conduct Questions Programme

Authors: Clive Cunningham, Harry Millerchip, Katie McGrory


The FCA recently published its Industry Feedback for 2018/19 on its 5 Conduct Questions (5CQ) Programme (which can be accessed on the FCA’s website, here).

The 5CQ Programme was introduced by the FCA in 2015 for wholesale banks as a tool to help firms improve their conduct risk management and drive cultural change. This year, the 5CQ Programme was rolled out more widely across other wholesale financial services firms, including brokers.

The Industry Feedback is divided into three sections:

  • Section 1 identifies the FCA’s high-level observations over recent years on efforts by firms to improve culture in the wholesale banking sector;
  • Section 2 addresses each of the 5CQs in turn and provides an update on industry progress, outlining specific examples of firm behaviours observed by the FCA during its supervision work; and
  • Section 3 sets out the FCA’s assessment of ‘speak up’ cultures and whistleblowing procedures in wholesale banks.

In this blog post we provide a brief overview of the content of the Industry Feedback; the key themes; and next steps in the 5CQ Programme. Although the Industry Feedback looks at the wholesale banking sector, the FCA has emphasised that it is broadly applicable to all firms in the financial sector and will be of interest to boards and non-executive directors (NEDs) of firms (among other stakeholders).

The Industry Feedback reflects the key priorities raised in the FCA’s Business Plan for 2019/20 (which can be accessed on the FCA’s website, here). The 5CQ Programme fits into the FCA’s broader focus on culture and governance, particularly with the upcoming extension of the UK Senior Managers and Certification Regime (SMCR).

Overview of the FCA’s Industry Feedback

Overall, the FCA concludes that firms have made significant progress with their conduct initiatives since the 5CQ Programme was introduced. As part of the 5CQ Programme, firms initially focused on correcting bad behaviours and problematic internal processes and procedures by implementing new policies and procedures, training and surveillance. The FCA now wants firms to focus on encouraging and protecting positive behaviour in its own right. Good culture and conduct are increasingly recognised as a key driver in corporate growth and a differentiating factor for customers.

The FCA highlighted a number of key themes and issues, including the following:

  • although firms in the wholesale financial services sector have improved their conduct, non-financial misconduct remains a serious issue – the treatment of a firm’s own staff should be included in its definition of ‘conduct risk’;
  • risk identification efforts are often top-down rather than bottom-up. Identifying risk (including conflicts) remains a weakness;
  • close proximity of senior managers to the trading floor will not necessarily prevent or improve conduct risk management;
  • there is little evidence of firms restructuring remuneration (e.g. commission-based) to avoid or manage potential for harm; and
  • firms are establishing new committees to focus on conduct risk.

Industry progress

We set out some of the FCA’s key messages on industry progress on the 5CQ Programme below. The FCA also outlines specific examples of good and bad initiatives and responses to its 5CQ Programme, which may be of interest to firms. See Section 2 of the Industry Feedback for more detail.

The 5 Conduct Questions, with the FCA’s key messages on industry progress under each:
What proactive steps do you take as a firm to identify the conduct risks inherent within your business?
  • A firm’s definition of ‘conduct risk’ must be tailored to its own history and circumstances. It should focus on the risk of ‘good’ conduct deteriorating in addition to existing ‘bad’ conduct.
  • Firms are increasingly supplementing a top-down approach to identifying and managing conduct risk with bottom-up initiatives.
  • Training provided by firms is shifting from conduct risk awareness to scenario-based training (without clear outcomes) to help encourage staff to better identify conduct risk and develop their own understanding of acceptable (and unacceptable) behaviours.
How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?
  • Firms should consider reframing ‘Tone from the Top’ as ‘Tone from Above’, acknowledging the importance that most staff give to messages from their immediate manager (not just senior management).
  • Firms are reporting a significant and positive impact of SMCR on governance and conduct.
  • Most firms have introduced conduct elements to performance conversations and remuneration structures; however, in practice the FCA believes this is having only a modest effect on remuneration. Firms need to continue to focus on managing the link between conduct and remuneration.
What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?
  • Internal infrastructure has improved and there is evidence of an increase in positive feedback loops.
  • Centrally-led and overly complex governance structures remain a challenge to improving culture and setting clear accountability.
  • Some firms may not be providing sufficient conduct risk training or adequate follow-on support for NEDs.
How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make?
  • Investment in data aggregation and analysis has enabled firms’ management to gain better oversight of conduct.
  • Firms should ensure these systems also focus on encouraging and protecting ‘good’ conduct – not just remediating ‘bad’ conduct.
Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?
  • Horizon-scanning and assessments for risks that might undermine conduct objectives are generally underdeveloped.
  • Business line representatives should be present at horizon-scanning sessions (i.e. horizon-scanning should not be conducted for the whole of the firm without business involvement).

‘Speak up’ and whistleblowing

The FCA also commented on the status and health of ‘speak up’ cultures and whistleblowing structures and procedures. It emphasised that ‘speak up’ initiatives and whistleblowing procedures will continue to attract periodic testing and validation as part of the FCA’s routine supervision. The FCA’s key comments include:

  • staff at firms need to feel comfortable to speak up, and share concerns and mistakes without fear of blame or retribution;
  • ‘speak up’ initiatives should be about day-to-day conversations, discussions and challenge across the whole firm. They should be framed inclusively and designed to encourage participation – not (as the FCA observed in some firms) as “speak up, or else”;
  • the FCA identified some uncertainty about the division between different channels of escalation (i.e. ‘speak up’ initiatives versus whistleblowing). Firms have acknowledged they need to be clearer about the division;
  • non-financial misconduct (including sexual harassment, bullying, favouritism and exclusion) is a significant problem which needs to be tackled with buy-in from staff at all levels, including senior management. Some firms reported that their whistleblowing channels had seen an increase in the number of non-financial misconduct cases. Firms expect this has been caused by increased media coverage and firm initiatives which have encouraged reporting, rather than a deterioration in behaviour; and
  • many firms had no sense of what a normal level of whistleblowing events should be. The FCA recommends that firms establish case level expectations.

Next steps

The FCA will continue to engage with firms on their conduct across the wholesale financial services sector, both as part of the 5CQ Programme and as part of its routine supervision. The FCA has indicated that it will increasingly test and challenge management and staff on conduct progress.

As part of its wider rollout of the 5CQ Programme, the FCA noted that few firms had the range of conduct initiatives which it has seen in the larger wholesale banks. Firms should be engaging with changing their conduct as an ongoing matter of priority (and not just in response to the rollout of the 5CQ Programme).

Firms in the wholesale financial services sector (and more broadly) should review the Industry Feedback carefully and take it into account as part of their ongoing work on conduct, culture and governance, and their engagement with the FCA.


Crypto asset compliance in an uncertain regulatory environment

First published on Thomson Reuters Regulatory Intelligence on 10 May 2019.

Authors: Clive Cunningham and Wendy Saunders

This is the first in a series of articles looking at crypto-assets (encompassing exchange tokens, security tokens, and utility tokens) through the lens of prevailing regulatory expectations of governance and risk management in the UK. In the absence of a specific regime for crypto assets, the legal and regulatory environment remains uncertain. Some crypto assets fall within the current regulatory regime; others do not. UK policymakers are in the process of clarifying the current perimeter and may expand it in the future.


Retail bank fined £1.89m by FCA and PRA for outsourcing failings

Author: Hanne Gundersrud


The FCA and PRA have announced their second enforcement action in relation to outsourcing failures by the retail bank R. Raphael & Sons plc (“Raphaels”). The firm failed to manage its outsourcing arrangements properly, in breach of FCA Principles 2 and 3, the applicable provisions of Chapter 8 of the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (“SYSC 8”), and PRA Fundamental Rules 2, 5 and 6. Raphaels received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of the breaches, resulting in a combined fine of £1,887,252. Raphaels agreed to resolve the matter with its regulators and therefore qualified for a 30% discount in the fines imposed by both regulators.


EU adopts new sanctions framework targeting external cyber-attacks

Authors: Susannah Cogman, Daniel Hudson and Hannah Lau

On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.


In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.

Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.


The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. The regime also covers attempted attacks with a potentially significant effect.


Cyber-attacks constituting an external threat include those which:

  1. originate, or are carried out, from outside the EU;
  2. use infrastructure outside the EU;
  3. are carried out by any person or entity established or operating outside the EU; or
  4. are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.

“Threat to member states or the EU”

Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.

Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.

“Significant effect”

Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.

Who can be penalised

There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:

  1. carry out (attempted) cyber-attacks;
  2. provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
  3. are associated with those in (1) or (2) above.

The type of sanctions imposed

The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.


The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns, noting the similarity of these sanctions to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.

The UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.


The month ahead in financial services regulatory developments…

In this blog post, we round-up forthcoming developments in the UK and at EU and International levels in financial services regulation for June 2019.

8-9 Jun
  • G20 ministerial meetings:
    • finance ministers and central bank governors (Fukuoka, Japan)
    • trade and digital economy (Tsukuba, Japan)
29 Jun
  • Deadline for responses to the European Securities and Markets Authority (ESMA) CP on ELTIF RTS

Key themes from the FCA’s Approach to Enforcement

Authors: Benedicte Perowne and Kimberly Everitt

On 24 April 2019 the FCA published its final “Approach to Enforcement” document, following a consultation period which ended in June 2018. The approach document attempts to provide transparency and explain the FCA’s approach in greater depth.

The FCA’s overriding principle in its approach to enforcement is substantive justice – a commitment to achieve fair and just outcomes in response to misconduct. It intends to conduct consistent and open-minded investigations in order to achieve the right outcomes.

Proposed ‘duty of care’ in financial services: next steps

Authors: Jenny Stainsby, Jon Ford and Cheryl Jones

The FCA has published its Feedback Statement on ‘A duty of care and potential alternative approaches’ (FS19/2). This contains a summary of responses to its Discussion Paper on this subject which was published in July 2018 (DP18/5). For more information on the Discussion Paper, see our briefing here.

In the Feedback Statement, the FCA does not put forward any specific options for change but confirms that the “quality of responses received have given us a strong foundation on which to advance our consideration of the issues”.

So where does this take us and what can we expect next?


Impact of Article 50 extension on the UK Temporary Permissions Regime

Following the agreement last week between the UK and the EU to extend Article 50 until 31 October 2019 11pm GMT (see our earlier post), the FCA has now confirmed that it will extend the notification window for incoming EEA firms and fund managers to enter the UK Temporary Permission Regime (“TPR”) to the end of 30 May 2019. Fund managers that need to update their existing TPR notification as a result of the FCA’s extension should also notify the FCA that this is the case by 16 May 2019.
