Dallas J. McGillivray is an experienced international regulatory and business manager. He is a Fellow of the Institute of Chartered Accountants, a Member of the Institute of Directors and a Member of the Chartered Institute of Securities and Investment. He has extensive regulatory experience in senior management roles, including as a Director and Trustee.
He is also the Managing Director of FMConsult, a company that has provided compliance, regulatory, product development and risk management services to a range of large international and start-up financial services companies since 2004.
On top of that, Dallas has served for 17 years as Global Compliance and Operational Risk Director at a major asset management company for all business outside the Americas, with experience in global regulatory issues covering both retail and institutional business. He’s also a Director of UK Asset Management Companies and a Trustee of UK Pension Schemes.
Here he speaks to Finance Monthly about asset management and tells us more about his company – FMConsult.
What attracted you to the consulting sector?
What brought me to the sector was an invitation to work with a small consultancy, with the objective to grow it. We binned the company and set up FMConsult. The work is varied and you meet a lot of bright entrepreneurs that are just starting out who need a bit of “grey hair” to help them along.
What are the key sectors that you provide asset management services to? What are the unique challenges of each sector, from an asset management perspective?
We have a very wide range of clients from start-ups (that want a collective investment scheme set up, introductions to management companies, investment managers to attach to, etc.) to very large mature businesses that need some support during periods of change (e.g. interim Head of Compliance role). We are in the asset management space from wealth management to institutional asset management and everything in between.
What strategies do you implement to ensure that your clients’ goals and objectives are achieved?
At FMConsult, we adopt a risk based approach to assess those business functions that have the largest impact on the business. Where are the issues? That’s what we need to know to be able to add real value.
What are the challenges that your clients typically face in relation to meeting regulation?
In the smaller entities, it may be capital resources and regulatory knowledge. They rely on FMConsult to add the regulatory knowledge. Outsourcing compliance is an economic way of delivering compliance standards, but it cannot replace senior management understanding that they are responsible and need to understand their responsibilities. Outsourcing compliance is not an abdication of regulatory responsibility.
What were your main objectives when setting up FMConsult?
Our main goal was to be a well-respected, independent regulatory and operational & investment risk consultancy firm, committed to working with clients to assist them in aligning financial services processes with ongoing regulatory requirements.
We also wanted to provide compliance solutions that enable senior management of financial services firms to demonstrate that they and their firm are currently and will continue to be aligned with UK and other regulatory requirements.
How would you evaluate your role within FMConsult?
My role at FMConsult encompasses a focus on business development and looking after a range of clients. I’m proud that the company punches above its weight in the industry. We have a very diverse range of clients that do take compliance seriously.
Below, Richard Smith, Director of Business Strategy at Inprova Energy discusses phase two of ESOS, the latest energy compliance rules.
Phase 2 of the UK Government's Energy Savings Opportunity Scheme (ESOS) has been given the official go ahead by each of the UK's environment agencies. This ends recent uncertainty surrounding the future of the mandatory energy assessment scheme, which was under review as part of the previous government's 2015 energy efficiency tax landscape reform.
Who does ESOS concern?
ESOS applies across the UK to 'large undertakings', such as organisations with more than 250 employees, or a turnover in excess of 50 million Euros and balance sheet worth more than 43 million Euros. It requires qualifying organisations to measure their total energy consumption and identify energy efficiency opportunities, but is not applicable to organisations that are required to comply with the Public Contracts Regulations.
There are four-yearly compliance phases. The first phase covered from 6 December 2011 to 5 December 2015 and phase 2 follows on from 6 December 2015 to 5 December 2019. Organisations that participated in ESOS phase 1 must repeat the exercise if they continue to meet the criteria, but cannot use the same data. There are also likely to be a number of new organisations that now qualify for the second phase due to a growth in employee numbers or turnover.
The scheme administrators have taken robust action to penalise organisations that fail to comply with phase one of ESOS. As well as fines of up to £50,000, non-compliant organisations are also 'named and shamed'.
How to comply with ESOS phase 2
Benefits of ESOS
Although ESOS doesn't yet require organisations to implement the recommended energy saving measures, there is powerful evidence of the financial wisdom.
From more than 150 ESOS audits completed by Inprova Energy during phase 1 of the scheme, our assessors identified energy savings opportunities ranging from 5 to 20%. This could amount to tens or hundreds of thousands of pounds worth of potential cost savings for typical sites.
Routes to compliance
Organisations can achieve automatic compliance with ESOS by gaining accreditation under the international ISO 50001 Energy Management Standard, which specifies the requirements for building, maintaining and continually improving a high functioning energy management system. When choosing this route to compliance, it is important for all of your organisation's energy data to come within the scope of your ISO 50001 certification.
Alternative routes include implementing ESOS compliant energy surveys to identify energy saving opportunities; commissioning Display Energy Certificates (DECs) with accompanying advisory reports; or Green Deal Assessments.
ESOS Lead Assessors may also be able to consider audit work undertaken within the four-year compliance period (2015 -19) as part of other energy audit schemes, such as activity under the Carbon Trust Standard, and Logistics and Green Fleet Reviews, where these meet the requirements of ESOS.
The environment agencies are encouraging organisations to begin the auditing process as soon as possible. In particular, the ISO 50001 route requires early action, as it can often take well over 12 months to achieve certification and put in place a high performing energy management system. Allowing plenty of time will also avoid the last minute bottlenecks experienc
There are just six months left until Open Banking phase two begins, when customers will be able to digitally access and securely share their bank transaction data to get the most from their finances.
The initiative will encourage financial service providers to offer high quality, targeted services and in turn boost competition.
Roger Vincent, Head of Banking and Innovation at Equifax, comments: “The banking industry is set for a huge customer-centric shake-up with the implementation of Open Banking phase two in January 2018. This exciting development will dramatically change the customer banking experience, helping consumers and businesses to use their financial transaction data to access products more easily and better understand their finances.
“The initiative kicked off earlier this year with stage one, where the ‘CMA9’ (nine banks mandated by the Competition and Markets Authority) provided improved access to information such as ATM locations and product listings. The second stage is the real game changer, with bank transaction data made available digitally for consumers and businesses to share securely, and only with their agreed consent, via open application program interfaces (APIs). Through the open APIs the data can be used by authorised third parties to build new high quality and targeted services, including new digital offerings, facilitating a more competitive environment.
“The ability for transaction data to be used for automated creditworthiness and affordability assessments, fraud detection and product accessibility is endless. Customers will be able to control how their financial data is shared digitally and provide a deeper picture of the way they manage their money. This could mean a quicker, more secure and fully digital mortgage application process or faster access to finance for a new business venture. For those currently underserved by the market, for example young people or the self-employed, it could mean the start of a journey to better financial health.
“Over the next six months, banks need to embrace the move towards a more transparent banking world. To do this successfully, preparations must focus on meeting the long-term practical benefits of consumer empowered data sharing rather than approaching this change as a tick-box compliance activity.”
(Source: Equifax)
Life is about to get tougher for money launderers. One of the new government’s first tasks will be to approve draft regulations to implement EU 4MLD[i]. These new regulations, with their more rigorous approach, apply to banks and other relevant persons[ii]. One of the major changes is the need to thoroughly search for adverse information on potential and existing customers and to evidence this has been done. Carrying out Customer Due Diligence (CDD) manually on entities which are abroad is particularly demanding.
Today RegTech company Kompli-Global launched Kompli-IQ™, a unique search platform with the technology and expertise to meet these challenges.
Kompli-Global CEO Jane Jee, who is also a barrister, says: "Companies will be questioning how they can comply efficiently and cost effectively with the new legislation, particularly the new level of searching/monitoring. The starting point has to be to want to tackle money laundering because it is the right thing to do."
Searching for adverse information has become far more difficult given the explosion of information on the web, which makes it almost impossible to hold this amount of data in structured databases. The alternative, manual searching of the web, is very time consuming and often hit and miss with important information regularly overlooked or hidden from researchers. Using Artificial Intelligence (AI) to judiciously search the World Wide Web and directories invisible to many search engines, such as Google, produces quicker, more accurate results allowing the records found to be saved and future searches scheduled, so the bots can do all the hard work leaving the researcher to simply view any new results found.
To access this information Kompli-Global has developed Kompli-IQ™, a multi-lingual, licensed software as a service (SaaS) search platform. Using proprietary machine learning technology, Kompli-IQ™ interrogates a wide variety of global data sources on the web for published adverse information on individuals and entities.
A company's or individual's name will be cross-referenced against hundreds of search terms such as: court, fine, bribery or scam. Kompli-IQ™ filters the data and search results are rapidly assessed, ranked and sorted. Additionally, these searches can be carried out in the right foreign language where the individual or company has associations outside of the home jurisdiction. Kompli-IQ™ forms a key weapon in enabling companies to accept the vast majority of customers who do not present a risk quickly and easily.
"In today's world, it is virtually impossible to conduct the required searches without harnessing the power of Artificial Intelligence (AI). If you try it will be expensive, inefficient and inconsistent. Above all, adverse information will be missed," explains Jane.
The new Regulations introduce a more rigorous approach to Customer Due Diligence and Enhanced Due Diligence and have broadened the scope of Politically Exposed Persons (PEPs)[iii] to include those living in the UK (previously excluded) and their relatives/close associates. Add to this the need to check against sanctions lists and establish the beneficial ownership of companies and it is clear that there is a considerable increase in the amount of work involved.
"To address this, in addition to licensing Kompli-IQ™, Kompli-Global offers Due Diligence reports tailored to our clients’ specific requirements based upon their risk based policies. To compile these reports Kompli-Global interrogates multiple data sources and draws on the local expertise of its extensive advisory community in 66 countries covering 158 regions. With this level of input Kompli-Global can provide the most in-depth information on which companies can base their risk based decisions and, importantly, provide the audit trail that a Regulator will demand," explains Jane.
"RegTech and human expertise can be a powerful defence against money laundering and Kompli-Global is harnessing the power of both - it's the right thing to do," she concludes.
(Source: Kompli-Global)
Deloitte recently announced its alliance with Thomson Reuters to combine Thomson Reuters' global tax technology and intelligence with Deloitte's direct and indirect tax services to help companies address dynamic tax regulatory and compliance challenges.
"Technology is the centerpiece of the transformation taking place at many tax departments today," said Steve Kimble, chairman and CEO, Deloitte Tax LLP. "The emergence of new technologies allows tax departments to more effectively make use of data to develop insights for their businesses. Our alliance with Thomson Reuters will strengthen the link between tax and the broader organization, allowing the tax function to make an even greater strategic contribution to the business."
The ONESOURCE corporate tax technology platform is a critical component of the tax ecosystem, enabling tax compliance and reporting in 180 countries. Deloitte's integration of this market-leading technology platform with its tax consultancy insights will provide businesses with solutions to enhance their specific tax lifecycles. Enhancement areas include global compliance, reporting and risk management for corporate taxes, sales tax and other indirect taxes.
"In today's complex regulatory environment, tax technology enables businesses to simplify their tax processes, drive down operating costs, while simultaneously ensuring accurate and transparent global tax compliance," said Joe Harpaz, SVP and managing director, corporate segment for the tax and accounting business of Thomson Reuters. "We have joined Deloitte's alliance program to bring to market joint solutions that leverage our ONESOURCE global tax technology and applications with Deloitte's tax services to help businesses meet the current and pending challenges of multijurisdictional tax operations."
The alliance expands a longstanding relationship between Thomson Reuters and Deloitte. Deloitte is part of the Tax & Accounting Certified Implementer Program at Thomson Reuters, a training and support service for leading accounting and consulting organizations to provide implementation assistance for Thomson Reuters software products. Deloitte is certified in all of the Thomson Reuters ONESOURCE tax solutions.
Deloitte professionals have also won Thomson Reuters' annual "Taxologist of the Year – Certified Implementer" award the past two years for being the top certified implementer. Deloitte's clients have also won other categories of the Taxologist Awards through their demonstrated ability to increase tax department effectiveness using ONESOURCE.
(Source: Deloitte)
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
With only 12 months left until the new GDPR regulations come into force, many organisations are already busy preparing for May 2018. But for others, the challenge is still about getting started with a proportionate approach that will enable sufficient progress in the time remaining and provide a defensible position in the event of any breach or incident. Unfortunately, there is no blueprint for easy compliance and no easy, plug-in solution. Each firm will have a different starting point and will therefore need to determine its own approach.
The ICO has described GDPR as a “journey”. This is very true; however, it is one that is best prepared for by taking into account some practical advice.
Give GDPR the level of sponsorship it deserves. Compliance with GDPR regulations, and data protection more generally, should be regarded as a key operational risk. As such, the board should appoint a member of the management committee to oversee progress. The potential for significant fines, exposure to legal action, and the inevitable bad publicity and reputational impact should an incident occur necessitates senior management oversight. However, GDPR is also about the rights of the individual, and the expectations individuals have of the firms holding their data and acting as custodian. Therefore, GDPR is also an issue of ‘conduct’ which, as Financial Services firms know all too well, can cause significant problems with the regulator if not taken seriously.
As with any business change, the direction, drive and tone from the top can be one of the main differences between success and failure, so it is worth ensuring you have the right sponsorship in place.
Getting started. There are many reasons why plenty of firms are struggling to get started. However, one of the key issues is that GDPR is a principles-based regulation and, with detailed guidance on a number of key areas still a work in progress, the regulation is, quite simply, open to interpretation. As a result, in the absence of a more prescriptive GDPR “instruction manual”, organisations need to determine for themselves what GDPR means. This includes the organisation deciding where to set the “bar”, especially in areas where the regulations refer to rather unhelpful terms such as “appropriate” or “sufficient”.
Really understand what happens to data across the organisation. This is such a simple statement to make, yet it is an absolutely critical starting point. Organisations have to be brutally honest about the personally identifiable data they have, why they need it, where it came from, how it is used, where it is stored and where it goes. For many organisations, performing this step is a daunting prospect. However, firms do not need to take a ‘scorched earth’ approach to understanding their data - even some high level work will most likely reveal where the key areas of concern exist.
Gaining this understanding as early as possible will prove extremely insightful, and should form the basis of many other areas of work over the next twelve months.
Identify the areas of greatest impact. Although GDPR introduces a number of new requirements, for example in relation to gaining consent, or customer requests such as the right to ‘erasure’, much of it is not actually new and it is really just an extension of the core principles of the existing Data Protection Act (DPA). An organisation’s existing maturity against the DPA will therefore have a significant bearing on the breadth and depth of scope that needs to be addressed under GDPR. In the absence of a detailed or recent DPA gap analysis, almost every organisation will have one or more open audit points relating to data protection, which is usually a good place to start.
Invest time upfront in developing formal data protection related policies and standards. Strong governance is important for lots of reasons, and well written policies and standards provide the foundations of good governance. In the case of GDPR, investing time early on to revise existing data protection policies to ensure they address the requirements of GDPR will help create clarity and focus for the organisation, and a point of reference against which compliance can be assessed. The exercise will also inevitably produce some surprises in terms of other related policies that will need to be amended to address GDPR, such as HR, Procurement, Outsourcing, and Information Security.
If in doubt, complete a Privacy Impact Assessment (PIA). The principle of embedding is key to successfully implementing any change, and in support of this aim for data protection, the ICO published guidance in 2014 on the use of PIAs as a business-as-usual (BAU) “tool”. In effect, a PIA is a structured assessment of a given business situation with the explicit purpose of assessing the level of data protection related risk. Though originally conceived as a tool to be used in BAU, completing a PIA against areas of concern or uncertainty as you work towards compliance can be a very powerful, and extremely revealing, approach.
Model your response to Customer Requests. Subject Access Requests (SARs) are not a new concept. But GDPR means they will become free of charge for members of the public. GDPR also introduces new customer rights, around areas such as portability and erasure. Therefore, it is reasonable to expect that volumes of customer requests will increase after May 2018. To address this situation, it is key to establish what would be involved in providing the information outlined in the regulations, including for the new request types. Also key is the testing of scenarios where volumes significantly increase from historical levels, in order to understand their potential operational impact.
Don’t forget Third Parties. The changes in accountability and liability regarding Data Processors are significant under GDPR. While Data Controllers remain liable for infringements caused by their Data Processors, those Processors now also have direct duties under the GDPR. It is therefore critical for both Controllers and Processors to understand what has to happen to keep processing operations compliant. As most organisations have tens, if not hundreds, of third parties that they rely upon, this can be no small task and needs to be sized and tackled with the priority it deserves.
Information Security is key. This won’t be a surprise to most people, however, too often organisations seem to “miss the wood for the trees” when it comes to information security. There is little point spending small fortunes on leading edge IT protection systems if a firm isn’t sure it has the basics in place – as an example, look no further than the recent attack on the NHS and issues caused by the lack of recent Windows patches. Also, information security is not just about the structured data held in core systems, it equally needs to apply to physical data and the unstructured or “dark” data that resides in emails, on network drives and the Excel downloads from core systems that all organisations possess.
Staff training and awareness. Kicking off a gradual programme of awareness and training around the principles of data protection, and explaining to staff how the organisation is addressing the needs of GDPR, is essential. How staff handle data related queries with customers and third parties will be a key factor in mitigating data protection risks, and demonstrating to customers, and the regulator, that the organisation takes data protection seriously. Organisations need to be careful not to neglect the ‘people’ side of things in favour of more tangible areas such as IT.
Complying with GDPR. Complying with new regulations is almost always harder than originally expected - vague requirements from the regulator, a fixed end date and a lack of in-house experience don’t tend to mix well. In reality, given the breadth of impacts from GDPR, most organisations will struggle to address every last detail before May 2018. Though this may be true, what is key is that organisations can demonstrate they understand the size and nature of the gaps they have to address, they have a plan in place and are making good progress, and they can show the regulator, and other key stakeholders, that they are in control and are taking GDPR seriously.
Crowe Horwath is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office; together with Neil Adams and Neil Mockett, he is leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR.
For more information, please email justin.baxter@crowehorwathgrc.com, neil.adams@crowehorwathgrc.com or neil.mockett@crowehorwathgrc.com
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
The deadline for the enforcement of the General Data Protection Regulation (GDPR) provisions in May 2018 has finally reached the agenda of most companies. It coincides with an increasing fever pitch in the press and on social networks regarding cyber attacks, hackers from the east, Smart TVs watching us, and so on. Privacy is news. Businesses that get caught out on privacy matters are subject to huge focus in social networking circles.
The recent focus on GDPR as “something new” is a surprise though. The regulations are an extension of the UK 1998 Data Protection Act and the EU GDPR regulations were technically in force from May 2016. It is an unfortunate fact that this new regulation is turning the spotlight on how lax some companies may have been since 1998 and as a result the scale of the current programme to address GDPR provisions suddenly appears very significant.
Privacy and Security
Privacy is an individual thing. It is increasingly apparent that as individuals we need to be more aware and protect our digital existence. Firms have to accept that the “privacy train has left the station” and people are demanding more control over personal data.
Central to the issue are two core principles: the respect for privacy; and the provision of adequate security. Importantly, underlying this is the notion of custodianship. It is this custodianship that should be considered as a key corporate responsibility and one that defines the seriousness with which firms have responded. In the event of a breach of privacy, this is where the regulators will look first.
Appreciating how you are impacted as an individual is relevant. It is hard not to conclude that the provisions of current privacy laws are not keeping up with the pervasiveness of today’s technology. It is a salutary exercise to count up the number of devices connected to the internet in your home; most are capable of enabling access and extracting information. The latest concerns expressed by Tim Berners-Lee that we have lost control of our personal data are timely. Whether we like it or not, privacy matters.
Why GDPR is different
Successfully addressing the requirements of GDPR requires a number of important challenges to be overcome.
Stewardship: The CFO is no stranger to stewardship. The addition of custodianship should fit quite easily but requires absolute confidence that all preparations for GDPR are sufficient.
Lines of Defence: Executives within the “second line of defence” will have a key role in ensuring an independent perspective is maintained. Executives in the “first line of defence” will be confronted with many of the decisions and implications of GDPR driven changes and what is a proportionate response. The CFO and CEO may be drawn into debates about both areas.
Managing GDPR incidents: In the event of a breach, it will often be the CFO and CEO in the spotlight, with tensions rising as the matter may become an exercise in crisis management. Anecdotal evidence suggests that the “finger pointing” starts very quickly. At that point it will be too late, as one of the first tests will be to evidence that reasonable steps had been taken to prevent the incident happening.
All these points will test a firm’s approach to risk and risk appetite for data protection related activity. At the end of the day, data protection is just another operational risk.
It starts with taking the view of the customer
In assessing any privacy issue, the key question is “What would you have expected the firm to have done?” Fuelled by privacy stories, customers will learn quickly of their rights and will have expectations of what response they will get when approaching your business to exercise these rights. They will also assume that should something happen it is controlled and they are informed. Firms need to beware of the power of the customer to disrupt; especially with the viral nature of social media. The inclusion of the customer view from the outset will mean that this dialogue, should it arise, will better reflect the intended approach of the firm. Custodianship is a serious responsibility.
Pragmatic steps to ensure appropriate oversight and control
Senior executives should own the GDPR programme and maintain a keen eye to ensure it does not drift into a purely second line compliance project.
Progress assessment: The hardest question to answer in absolute terms is “when will we be compliant with GDPR?” A number of dimensions can be constructed around some simple principles: the less sensitive data you lose, the more manageable the response; the more that you understand what personal data you have, the better you can secure it; the more information you can provide about a breach, the more likely you will receive an empathetic hearing from customers and regulators. Measures should be designed to help people understand “how far” you have secured a reasonable position. It will focus minds.
Risk based approach: It will be essential that a risk based approach to GDPR related decisions is taken. Decisions on data minimisation and retention periods, for example, will expose tensions between the need to comply and the commercial and practical implications of deleting customer data.
Governance and Accountability: The GDPR regulations assume an ongoing commitment by the firm to embrace privacy and security responsibilities. There is no big bang and therefore, arguably, no obvious finishing line. The voice of all stakeholders across the GDPR programme needs to be represented through to the Board.
Measuring operational impacts: There will be operational implications should customers past and present exercise their new rights under GDPR. For example, early indications suggested that there would be a 25–40% increase in the number of Subject Access Requests. To this number needs to be added an estimate for the new provisions (including the right to be forgotten, portability etc.). Will current response processes be up to it?
Pragmatism is the watchword: Implementing regulatory change is not straightforward. A pragmatic and practical approach is essential to overcome many of the issues that will be raised. The risk of projects becoming detached from the realities of running a business is high: the message of effective custodianship will help. The firm must demonstrate and justify the pragmatic judgements taken on the journey towards its compliant position. Permitting every possible aspect to be debated at length will likely result in compliance paralysis. Therefore, the importance of proportion and measured decision making cannot be overstated.
Be prepared
Personal data is an asset and companies are the custodians. The expectations we have about how other organisations handle our own personal data should influence our own roles within our organisations. The way we work with colleagues to achieve a level of assurance and mutual confidence is key. There are effective ways to think about and implement regulatory change, which need to ensure that the response to the various challenges of GDPR as outlined above is appropriate, measured and reasonable. In the event of having to react to any privacy incident, having a clearly agreed position on the custodianship responsibilities will be a good place to start a defence.
It’s true to say that the role of HR in the modern business landscape is shifting, as modern workplace culture continues to be re-defined.
Millennials have challenged the status quo of the conventional workplace, and HR has responded by implementing a ‘customer-centric’ approach, aiming to consistently provide a great employee experience.
This has led to a more relaxed approach, with traditional HR functions such as recruitment, retention and development being combined with the creation of a unique office culture and with communications, marketing, branding and social responsibility.
But while it’s down to HR professionals to help drive this ethos, it cannot be at the cost of legal HR obligations. The common pitfall, particularly for start-ups or SMEs with little knowledge or experience of HR, is actually the most basic administration, such as providing a watertight, comprehensive employee contract and statement of particulars, which at their most basic should include details of salary, hours of work, holiday entitlement and notice periods. If you are dealing with your HR in-house, it is best practice to have a professional oversee these legal documents as a preventative approach to disputes.
Thanks to a political and media spotlight on a global level, migrants and working rights have come under scrutiny. This is an area that businesses need to make a priority because ultimately, they take the full brunt of the consequences for employing individuals who did not have a right to work, whose leave had expired, who were employed for work they were not allowed to carry out, or whose documents were false.
The result is hefty fines and damage to your brand – and the latter can prove to be just as costly. In 2015 the fines issued by the Home Office equated to £21.6 million, and it wasn’t just small companies that were found guilty of employing illegal workers; Tesco has previously been fined for employing foreign students who were breaking the conditions of their visas.
Millennials and modern culture have also seen a shift in the way that many businesses recruit, and in the entire recruitment process. Out are the questions with a very specific ‘right or wrong’ style of answer; while experience and qualifications are not completely dismissed, progressive employers want to find a culture fit and an alignment of values and vision to ensure the arrangement is mutually beneficial. Aspects such as technology and social media are driving the change (while also throwing up some tricky situations of their own!), but recruiters need to remain vigilant in their processes in order to guarantee that they are not acting in a discriminatory manner – whether they are aware of it or not.
To highlight the most common areas in which businesses fail, we have created an interactive quiz that aims to shed some light on where your business could be falling short in its HR practices.
Powered by Bradfield HR
Competition compliance programmes must take account of the FCA’s rules for mandatory self-reporting of existing or potential competition law infringements. Here Finance Monthly benefits from exclusive insight, written by James Marshall and Marieke Datema of Berwin Leighton Paisner (BLP), who take a look at the powerful toolkit at the FCA’s disposal and explain what it means for firms in the year ahead.
A heavy use of market studies
Since acquiring a competition mandate in April 2013, the FCA has conducted several market studies. These allow the regulator to ‘peer behind the curtain’ in any given market to identify structural competition, consumer or market integrity concerns. In just over three years, the FCA reviewed insurance add-ons, cash savings, credit cards, retirement income, investment and corporate banking, asset management and residential mortgages.
The FCA has a uniquely powerful toolkit; it can use either sectoral (Financial Services and Markets Act 2000 (FSMA)) or competition (Enterprise Act 2002) powers to conduct market reviews.
To date, all FCA market studies, including those launched after the FCA acquired concurrent competition law enforcement powers in April 2015, have been carried out using FSMA powers, rather than pure competition powers under the Enterprise Act. The FCA chooses the most appropriate power on a case-by-case basis. In practice, the FCA enjoys the ‘best of both worlds’, in that it can pursue competition-focused investigations using extensive data-gathering powers under FSMA without being bound by tight timetables under the Enterprise Act.
If, following a market study, the FCA concludes that a market is not functioning well, it may seek regulatory changes to fix the issues identified. Potential remedies include structural reforms (e.g. rule-making, guidance and/or proposing enhanced self-regulation), or firm-specific changes (e.g. varying regulatory permissions, public censure and/or financial penalties). The FCA can also “name and shame” firms by publishing data – one of the remedies imposed in the cash savings market study, for example, was the publication of interest rates made available by over 30 banks and building societies on certain types of savings accounts and ISAs. The FCA furthermore has the power to refer a market to the Competition and Markets Authority (CMA) for a detailed “phase 2” market investigation, the outcome of which could include forced divestments or other major interventions.
A market study offers the opportunity for quite considerable change. We would therefore encourage firms affected by market studies to consider what features of the market they may wish to change or defend and then consider how to engage with the FCA on those fronts.
Zeroing-in on individual firms – ‘hard’ and ‘soft’ enforcement measures
Investigations of individual firms are common outcomes of market studies in other sectors. Early in 2016, the FCA launched its first antitrust investigation. Details of the behaviour and the firms under investigation remain confidential. The FCA Director of Competition stated that she hoped the investigation “sends a signal that we take competition law seriously alongside other regulatory enforcement” and noted that the FCA is “well placed” to detect and take action in relation to breaches of competition law. It is certainly true that the FCA is ‘well placed’ – it has a team of around 100 competition specialists, a number of whom used to work for the CMA.
We anticipate an uptick in antitrust investigations in 2017. The CMA publishes an annual report assessing the operation of the concurrent powers by the FCA and other sector regulators. In its April 2016 report the CMA stated that it hoped to see a greater number of cases opened by the concurrent sector regulators (including the FCA) in the year ahead. The FCA, like its peer concurrent regulators, has been given its competition law powers on a ‘use it or lose it’ basis. This may be a real spur for greater enforcement action in future. The competition between sector regulators and the FCA’s desire to be regarded as ‘first among equals’ may also motivate further competition enforcement. Finally, following Brexit, cases involving possible anti-competitive conduct in the financial sector that previously may have been investigated by the European Commission are likely to fall to the FCA or CMA.
Despite little ‘hard’ antitrust enforcement, the FCA has been astute in its use of ‘soft’ enforcement methods and we expect this trend to continue in 2017. The FCA has made use of “on notice” letters which notify a firm that the FCA has information about a suspected breach of competition law. The firm must conduct an internal review and report back to the FCA on the scale of any competition breach identified, and what measures the firm will take to address the problem. “On notice” letters transfer the burden of investigating and remedying competition problems to individual firms. This can free up FCA resource for higher priority matters, whilst also solving potential competition concerns – a regulatory ‘win-win’.
To date, the FCA has publicly confirmed the use of several “on notice” letters prompted by information gathered during the retirement income market study. The FCA met with the relevant firms to better understand their proposed solutions and the firms have since undertaken a number of initiatives to strengthen their compliance.
The FCA has also sent three advisory letters – intended to raise competition law awareness and promote compliance amongst targeted firms.
Self-reporting competition issues – a significant question
Both market studies and “on notice” letters can place considerable burdens on individual firms to provide evidence in response to an FCA information request. Responding to such requests can also cause firms to ‘flush out’ potential issues which may require self-notification under the FCA’s handbook. SUP 15.3.32R (1) requires firms to notify the FCA of any significant infringement (or potential infringement) of any applicable competition law. The reference to “any applicable competition law” means that the notification obligation extends to infringements of competition law outside the UK. Despite the extensive scope of the notification obligation, only limited guidance has been provided by the FCA, in particular in relation to how firms can determine whether an infringement is “significant”.
The position adopted by the FCA is in stark contrast with the standard application of competition law. Leniency programmes generally provide that companies can choose whether or not to self-report competition infringements and there are, in many cases, incentives for companies to do so. If the relevant conduct identified by a firm is sufficiently serious, the FCA’s mandatory self-reporting obligation can effectively force a firm to apply for leniency. Moreover, the same conduct could prove problematic under both the FCA’s conduct rules and competition law. It is therefore more important than ever that regulated firms bring their competition compliance programmes in line with the self-reporting obligation and think through the wider implications of any notifications to the FCA.