- Culture created by the Board – The ICAAP process must be owned by the Board and delegated downwards, with clear lines of reporting and escalation.
- Risk management framework embedded in ‘business as usual’ – Have a risk management strategy set by the board, with its own risk appetite, detailed assessments of risks, policies and procedures.
- Complete Pillar 2A capital assessment – Thoroughly assess and quantify Pillar 2 capital requirements, considering risks not fully captured in Pillar 1.
- Relevant stress and scenario tests – Scenarios should be linked to the risks assessed as material to the firm, where base case financial plans are flexed based on the impact such risks could have on the business over time.
10 Regulatory change – The Investment Firms Regulation and Directive is coming.
And despite the fact that many firm types can expect significant increases in regulatory capital amounts, some do not have a plan as they have either:
- Disregarded the new rules as not applicable to them;
- Assumed there is no capital or liquidity impact; or
- Pushed it down the road thinking it’s a long way off.
Firms should examine the impact of this regulatory change now and make preparations to increase capital, if needed.
11 Market abuse
An area where the FCA wants, and expects, more from market participants.
As with all areas of financial crime, the FCA has repeatedly stated that a full and comprehensive Market Abuse risk assessment is the first step in a firm’s market abuse systems and controls.
However, based on our experience, many firms do not do this particularly well, if at all.
In Market Watch 58, the FCA highlighted just how much of a challenge transaction monitoring continues to be for firms.
In addition, firms still struggle to complete an annual market abuse risk assessment, as well as perform communications surveillance, and surveillance of staff personal account dealing – something the FCA specifically called out in its Market Watch 62, in which it expresses significant concerns about authorised firms’ systems and controls when it comes to Personal Account Dealing.
The FCA has repeatedly articulated the practices it expects to see, and said market abuse remains an area of focus.
Surveillance of written and telephone communications, such as emails and instant messaging chats, is also often overlooked, despite being required by the rules for MiFID Firms.
Many firms see this as being a tedious and time-consuming exercise akin to looking for a needle in a haystack.
While total random sampling of communications is not the most effective way of doing this, firms can be smart about how they select which communications to review and this should be dictated by a market abuse risk assessment and conducted on a regular basis.
Lastly, and more often than not, surveillance of staff Personal Account Dealing does not occur within investment firms we meet with, despite the FCA highlighting this as good practice in the results of its market abuse thematic review, published in 2015.
Many firms take the view that they operate strict pre-approval models and require submission of contract notes or statements, and that this, together with holding periods, means there is no risk of market abuse being conducted by their employees. We challenge these firms and ask them: how do they really know?
Without a method to frequently review employees' PA trading against, for example, historical trades, other employee trades, market movements and announcements, how can a firm be sure that its employees are not entering into abusive transactions?
12 Transaction reporting
Firms are not meeting the required standard across a variety of fronts, from incomplete or incorrect data being submitted to their ARM, to failing to reconcile the data, process rejections, and monitor resubmissions.
Questions appear on the last page of this article.