Chapter 6: Principles and rules as set out in the regulatory framework Flashcards
6.1: Regulatory processes: authorisation
TOTAL NUMBER OF QUESTIONS 9/100
5 /13 MULTIPLE RESPONSE
We started to cover the rules and general structure of the FCA in relation to general prohibition in chapter 5, and we will build on that knowledge in this chapter.
We will first return to the Authorisation division and consider its role in greater detail. From there, we will look at the role of approved persons, also known as controlled functions.
KEYFACT
General prohibition states that only authorised or exempt persons can legally carry out regulated activities.
It is a criminal offence to do so if you are not authorised for the specific activities being carried out.
This is listed in s.19 of the FSMA 2000. Any breach may be punishable by a maximum of two years’ imprisonment and/or a fine.
6.1.1: Transitional arrangements for authorised firms
As we covered in chapter 4, the financial services industry has gone through a variety of changes and different statutes over the years, the main ones being:
• The Financial Services Act 1986
• FSMA 2000
• The Financial Services Act 2012
When the FSMA 2000 came in, certain firms, which were previously authorised under the Financial Services Act 1986, were ‘grandfathered’ over automatically to be authorised by the FSA and now the PRA/FCA.
The exception to this ‘grandfathering’ process was either:
• Regulated activities that, at the time of FSMA 2000, were not classed as regulated activities. This included both mortgage and general insurance advice.
• Firms previously authorised through membership of Recognised Professional Bodies (RPBs). Most of these were accountants and solicitors who had little regulatory involvement and did not want to be regulated under the perceived constraints of the FCA.
Many of these individuals and firms chose to remain unauthorised and are now restricted to giving factual information to their clients, incidental to their professional duties.
s.22 of FSMA states that an activity is only regulated if it is carried out ‘by way of business’.
Examples of things that may indicate that an activity is carried out ‘by way of business’ would include it being carried out on a commercial basis, over a period of time, taking a large proportion of the firm’s time, to generate income or profits.
Authorisation is not required if regulated activities are ‘incidental’ to an individual or firm’s professional services, as described above. An example is where an accountant may give advice on the taxation of an Investment Bond. The advice is ‘incidental’ to his usual accountancy advice.
In such cases, they will now be known as an Exempt Professional Firm (EPF) and will be listed separately on the Financial Services Register. They will still be a member of their Designated Professional Body (DPB). If DPB members do want to carry out regulated activities (life and pensions), this requires direct authorisation from the regulator - so Part 4a permission.
They will then be known as an Authorised Professional Firm (APF).
So, as a summary, such firms now fall into one of two categories of Designated Professional Body
How does a new firm become authorised?
Any firm wanting to undertake regulatory activity must apply to the appropriate regulator.
They cannot start trading in that area until they are authorised, so have received Part 4a permission.
The Upper Tribunal will hear any appeals generated from a declined application from Authorisation.
As well as registering for regulated activities the FCA is also responsible for the:
• Registration of firms under the Money Laundering Regulations 2007
• Registration of firms under the Payment Services Directive.
• Authorisation of Consumer Credit activities since April 2014
• The FOS, FSCS and the Money Advice Service (all of which are funded by levies)
6.1.2: Authorised and exempt status
We are going to cover the key elements of authorisation. Before we do, it’s important to be aware that some entities can be granted ‘exempt status’ based on either the way they do business or the professional body to which they belong.
KEYFACT
Remember, the key phrase regarding carrying out regulated activities:
General prohibition states regulated activities can only be carried out by someone who is authorised or exempt. Otherwise this is a criminal offence.
Who is the authorised person?
• An authorised person could be an individual, firm, or market…
- granted Part 4a permission by the regulator
- to carry out regulated activities legally under the terms of general prohibition
• It is most likely to be a firm, or market. Individual authorisation is rare, due to the costs involved
• Another term for the authorised person is the principal
What is exempt status?
Exempt status can firstly be broken down into three groups, as there is not one simple explanation (this is financial services after all!)
• Some bodies are exempt from the need to apply for authorised person status.
• For example, individuals and firms can have appointed representative status and thus be exempt. They come under the remit of their principal, who has been granted Part 4a permission and who is responsible for their activities and advice. This is probably the most common model in the UK financial services marketplace today. Another term, historically, for this type of individual was a tied agent.
• Others are exempt because the regulated activities they undertake are incidental to their professional duties.
Many individuals or small businesses cannot afford direct regulator authorisation and therefore choose to work within an authorised person and appointed representative framework.
This currently includes networks such as St James’s Place Wealth Management, Openwork, Intrinsic and Hargreaves Lansdown, to name a few examples.
Certain bodies, types of company, firms, and individuals to whom exempt status applies:
Bodies
• The Bank of England
• The European Central Bank
• The central banks of EEA states
• Local authorities
• Various government bodies
Companies
• Professional firms that are a member of a Designated Professional Body (DPB)
• The types of professions that are members of DPBs include lawyers, chartered surveyors, accountants, actuaries, and licensed conveyancers
• They will only receive exemption if their ‘regulated’ activities are ‘incidental’ to their usual professional services
For example, an accountant or solicitor giving investment taxation advice as part of their usual tax advice would be considered an Exempt Professional Firm. They would only need to become an Authorised Professional Firm if they started giving investment advice or arranging investments on a more than ‘incidental’ basis.
Individuals / Firms
- Appointed Representative firms (ARs) are exempt if an authorised person(s) takes responsibility for their actions
- The authorised person(s) is known as the principal. It is the principal who is liable for the actions of the AR
- ARs are also known as ‘tied agents’
- Sometimes, certain employees of a regulated firm are also classified as ARs
- An AR can be classed as full (giving advice) or an introducer (facilitating introductions)
- AR contract terminations must be put in writing from the principal
- The FCA must be notified within 10 working days of such terminations
KEYFACT
An authorised firm has sacked one of its appointed representatives.
Why must they immediately inform the FCA?
The FCA keep records of all authorised and approved persons, so this enables the individual to be removed from the relevant register.
6.1.3: Applying for authorisation
Anyone that isn’t exempt needs to apply for authorisation. As we have mentioned before, this is known as applying for Part 4a permission.
A firm needs to complete the form that is relevant to their business area.
Large firms, e.g. a new insurance company or bank, will need to apply for their permission to the PRA, who will determine whether they meet the threshold conditions.
Smaller firms will apply to the FCA for their authorisation, and similar standards apply.
Both large and small firms are answerable to the FCA for their conduct. A failure to meet their conduct obligations or their threshold conditions could compromise any application or lead it to be reviewed.
The regulator will want to satisfy itself that those running the company are ‘fit and proper’ i.e. they are capable of holding office.
The decision-making process can be relatively slow, with a statutory time limit standard of six months for a complete application and twelve months for an incomplete one.
Once satisfied, the FCA will confirm their authorisation and send a Scope of Permission notice, which is the formal Part 4a permission.
This states the start date and the permissions granted.
Authorised firms must have systems in place to manage the risks they are subject to.
As well as the Capital Adequacy Rules, which we have mentioned several times, firms have a responsibility to keep abreast of regulatory changes and maintain adequate solvency margins.
They must also ensure that individuals carrying out controlled functions are approved.
Remember, individuals carrying out controlled functions are also known as approved persons.
Investment firms will have a nominated compliance officer, who usually has a team under their wing who will ensure that the firm complies with its obligations.
Any breach will need reporting to them in the first instance e.g. in the event of a complaint.
Appointed representatives: additional considerations
The principal firm (authorised person) takes full responsibility for all their AR’s actions or inactions related to regulated business. An AR cannot be an authorised person as well. There is no dual authorisation.
ARs simply advise and arrange investments; for example, they cannot hold client money.
As mentioned earlier, there is a lesser grade ‘Introducer Appointed Representative’ (IAR) classification. The IAR exists purely as a non-advice-providing introducer.
Principals will want to satisfy themselves that ARs do not represent an undue risk to the business, specifically that:
• the AR does not negatively impact upon their threshold conditions
• the AR is fit and proper - solvent, qualified and no conflicts of interest
• they can control the conduct of the AR
Directors and senior managers of the AR must also be approved persons, and have the same rules applied to them.
The responsibilities of authorised firms are far reaching.
They have responsibility for the conduct of their employees, agents, and appointed representatives, and must not use unauthorised products or services.
Multiple principals
An AR may work within the parameters of several principal firms. A mortgage AR, for example, may have one principal for residential mortgages and another for lifetime mortgages.
Such a relationship requires the existence of a multiple principal agreement to be in place.
One principal must be identified as the lead principal, who will be responsible for handling all complaints received about the AR, regardless of which type of advice the complaint relates to.
Changes to authorisations
If, for example, a sole-trader or partnership changes to a limited company, the new entity must apply for authorisation.
This is because the FSMA 2000 does not permit the transfer of authorisation from one party to another. Most firms continue to trade under their existing permission whilst awaiting their new application.
We will now look at the approved persons regime and the rules within it.
6.1.4: Approved persons
You need to understand the difference between an approved person and an authorised person.
• The authorised person is usually the business that carries on regulated activities.
• The approved person is the individual who has been approved to carry out one or more controlled functions within the business.
KEYFACT
A controlled function will be carried out by an approved person
Individuals undertaking controlled functions within a firm must be individually approved and registered.
Controlled functions are those whose roles involve:
• a significant influence on the conduct of an authorised person’s affairs
• dealing with customers in connection with regulated activities
• dealing with the property of customers in connection with regulated activities
Remember the term ‘property’ means an individual’s assets, not just bricks and mortar.
KEYFACT
‘Approved persons’ are the only people within an ‘authorised person’ who can carry out ‘influential’ or ‘controlled functions’.
This means that they have significant influence within the authorised person.
Controlled functions are broken down by the FCA into five different types:
Governing functions - These include directors, chief executives, partners. Senior employees basically.
Required functions - Including: Money Laundering Reporting Officer (MLRO), CASS rules, submissions to FCA, Compliance.
Systems and control functions - Anything to do with systems and controls such as an operations manager.
Significant management functions - Senior management or key roles but non-executive such as a HR manager or a supervisor of individuals in the customer dealing function below.
Customer dealing functions - Individuals carrying out regulated activities in a customer-facing role, such as giving advice to clients or acting as an investment manager.
The first four categories are also classed as significant influence functions (SIF). This is because they have a big influence on the authorised person.
The PRA does not have a significant management function or a customer dealing function as these are often roles that have conduct at their heart, rather than prudence.
The FCA cover conduct and the PRA mainly prudence for the ‘major players’.
The PRA controlled functions revolve around senior management and are divided into:
• Executive functions
Chief executive, heads of etc.
• Oversight functions
Board members, non-executives and committee chairs.
Approval can be withdrawn if it is decided that an individual is no longer ‘fit and proper’ for that function.
The regulator cannot bring proceedings against an approved person more than three years after any alleged misconduct was first known.
In practice, they only tend to concern themselves with individuals when clear personal culpability exists.
They do, however, regularly remove advisers who are proven to be no longer fit and proper, and can still prosecute advisers, even after their authorisation has been removed.
Any individual classed as an approved person is not only bound by the 11 Principles for Business, but also by another sourcebook, APER, which we discussed in chapter 5.
This contains another 7 principles for approved persons. The first 4 principles apply to all types of approved person:
1: Integrity
2: Skill, care and diligence
3: Market conduct
4: Open and co-operative
The last 3 apply only to those carrying out a significant influence function, so the first four FCA categories.
5: Organisation and control
6: Skill, care and diligence in managing
7: Compliance
This graphic may help confirm your understanding of the relationship between the parties:
Authorised Person
Individual, firm, or market with Part 4a permission
↓
Approved Person
Working within the authorised person carrying out a significant role
↓
Appointed Representative
Exempt individual acting under Part 4a permission of the authorised person
Regulatory processes: authorisation SUMMARY
- Grandfathering took place from the FSA 1986 to FSMA 2000
- Only individuals and firms that were categorised under Recognised Professional Bodies were not grandfathered across. They had to re-apply for their authorisation
- Exempt Professional Firms (EPF) only give advice that is incidental to their professional duties
- Authorised Professional Firms require direct authorisation from the regulator
- General Prohibition means regulated activities must be carried out by someone authorised or exempt
- The authorised person is the individual, firm, or market with Part 4a permission
- Appointed Representatives (ARs) are exempt under the remit of their authorised person or principal
- The authorised person is responsible for all AR activities and advice
- Transfers of authorisation, from one party to another are not permitted
- An approved person carries out a role of significant influence within the authorised person
- There are five FCA approved person functions: governing functions, required functions, systems and control functions, significant management functions, and customer dealing
- The first four are classed as significant influence functions (SIFs)
- There are seven APER principles - the first four apply to all categories, the last three just to SIFs
- There are two PRA functions: executive and oversight
6.2: Key responsibilities of the authorised person
Having successfully been granted Part 4a permission, with all controlled functions also approved, the individual, firm, or market must then ensure they meet certain key responsibilities.
Whilst there are several of these, this section will specifically focus on two:
- Fighting financial crime
- Protection of data
6.2.1: Fighting financial crime
There are different types of financial crime.
In this first section, we will look at anti-money laundering regulations and the requirements placed on all authorised persons and individuals working within them.
So, what is the definition of money laundering?
The Crown Prosecution Service website defines money-laundering as:
‘The process by which criminal proceeds are sanitised to disguise their illicit origins. Acquisitive criminals will attempt to distance themselves from their crimes by finding safe havens for their profits where they can avoid confiscation orders, and where those proceeds can be made to appear legitimate’.
6.2.1.1: Stages of money laundering
Most money laundering schemes involve three stages:
Placement
The process of getting criminal money into the financial system, often into a bank account with a respectable financial institution.
Layering
The process of moving money in the financial system through a complex web of transactions.
Effectively this is a series of transactions designed to ‘muddy the water’.
This could be by mixing it with legitimate money or by purchasing an investment that will be surrendered early.
Integration
The process by which criminal money ultimately becomes absorbed into the economy, such as through investment in property.
At this stage ‘laundered’ money is withdrawn or invested long-term, and seems legitimate.
The financial services industry is most likely to be involved in the first two stages.
For the launderer, these stages are the riskiest, as they rely on their actions not being spotted by an eagle-eyed cashier or adviser.
KEY FACT
Money laundering has three distinct stages: placement, layering and integration.
This is a common R01 exam question.
6.2.1.2: Money laundering offences
The FATF issued global ML guidance
↓
Which informed the EU 3rd ML directive
↓
Paving the way for the ML Regulations Act 2007
↓
Setting up the Joint Money Laundering Steering Group (JMLSG)
↓
Firms must appoint a MLRO who reports suspicions to NCA
The UK, and other EU members, are part of the global anti-money laundering group, The Financial Action Task Force (FATF). The Proceeds of Crime Act 2002 is the principal UK statute against money laundering. This Act created several criminal offences. It is illegal to:
• Conceal, disguise, convert or transfer criminal property or remove it from the UK
• Assist in the acquisition, retention or control of criminal property
• Acquire or use criminal property
• Fail to disclose your suspicion, or to ‘tip off’ launderers
The EU’s third Money Laundering Directive paved the way for the Money Laundering Regulations 2007 to be published and set up the Joint Money Laundering Steering Group (JMLSG), which is made up of leading trade associations in the financial sector under the chairmanship of the Bank of England. This group publishes books containing industry guidance.
This emphasises a risk-based approach to firms carrying out regulated activities. Firms need to assess their own risks and apply appropriate procedures to minimise such risks, with reporting, record keeping and compliance playing a major part.
Policy and procedures must be put in place and a Money Laundering Reporting Officer (MLRO) must be appointed to act as a central point for reports of suspicious activity. The MLRO reports into the National Crime Agency (NCA) where necessary (used to be the Serious Organised Crime Agency (SOCA)).
The role of the NCA is to bring to justice serious / organised criminals who present the highest risk to the UK.
The Fourth Money Laundering Directive (4MLD) is the most recent MLD. As mentioned earlier, it brings the guidance on Anti Money Laundering up to date, factoring in current risks and practices, introducing new requirements, and replacing the previous MLDs.
KEY FACT
The Financial Action Task Force is a global organisation.
The MLRO is an example of an approved person under the ‘required’ function, and a significant influence function.
6.2.1.3: Customer due diligence (CDD)
This involves the identification of the customer and obtaining information on the purpose of the relationship between the client and the adviser. Identification must be obtained and independently verified for any transaction other than those classed as simplified transactions. Simplified transactions include:
- Small life policies with annual premiums of not more than 1,000 Euros or 2,500 Euros for lump sums
- Pension contracts with no surrender value, or where members cannot assign rights
In reality, most organisations just take ID for all transactions, as this is easier and less open to error.
Certain high-risk individuals, most notably politicians, have special or extra stringent rules to adhere to, as they are deemed to be ‘Politically Exposed Persons’ (PEPs).
These include the requirement for additional signed verification from a professional organisation such as a bank or a solicitor.
Customer verification
What must be verified under CDD?
When carrying out CDD, acceptable ID is required for two things:
• Verification of customer name
Documents acceptable for verification of the individual’s name would include a valid UK passport, full UK driving licence, firearms certificate, national identity card, or a recognised employer ID card. Something ‘official’ with your photo on it.
• Verification of customer address
Documents acceptable for verification of the individual’s address would include utility bills, bank or building society statements, or a successful credit reference search. Physically entering someone’s home can also be used as address verification.
Companies also need verifying, with company registration documents supporting the ID of the directors. This could involve sight of documents such as the company registration certificate and number, and evidence of the company’s registered address.
CDD record keeping
Records of money laundering checks must be kept for at least five years after the end of the customer relationship. Records of the transactions themselves must also be kept for a minimum of five years, but this does depend on the type of transaction. Such records can be paper-based or electronic.
Training
Firms are required to take appropriate measures to train all staff on CDD as well as what to do if they suspect money laundering activity. Retraining must occur regularly (usually at least annually). Firms can be held to account and partners or directors may be fined and/or sent to prison for a maximum of two years for taking inappropriate action. An annual report from the MLRO is mandatory.
Staff within the business must report suspicions to the MLRO, or they can find themselves in hot water. Failure to report, when you suspect or should have suspected financial crime, can also lead to a fine and/or prison sentence, not to mention almost inevitable dismissal from work. The person reporting is protected by law with their names concealed in any investigations.
The Asset Recovery Agency had the powers to confiscate assets from criminals and redistribute the assets as felt necessary. This agency is now part of the National Crime Agency (NCA).
Anti Money Laundering Summary
- There are three stages of money laundering: placement, layering, and integration
- The Financial Action Task Force is a global organisation fighting financial crime
- Proceeds of Crime Act 2002 created new offences such as failure to disclose suspicions/tipping off
- The JMLSG publishes guidance books for the UK financial services industry
- Each authorised person must appoint a MLRO who is an example of a ‘required’ approved person and a SIF
- They would in turn report into the National Crime Agency
- CDD must be done on all customers, other than those carrying out simplified transactions
- Identity and address must be verified, using a variety of acceptable methods and documents
- Records must be kept for a minimum of 5 years after the end of the client relationship
- All staff must be regularly trained on anti-money-laundering procedures (usually annually)
- There is a maximum two-year prison sentence for breaking these rules
6.2.2: Data Protection
Data is about you and information that relates to you. Data protection rules are designed to control how such information is used by organisations, businesses or the government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and in a transparent manner
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate and kept up to date
- kept for no longer than is necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the EEA without adequate protection
The Data Protection Act 1988
The EU Data Protection Directive led to the Data Protection Act 1998, which regulated the use of computer and manual records of customer data. This was repealed by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Firms must have a Data Protection Compliance Officer known as a controller.
These rules are pretty much still the same under the new Act and Regulation.
General Data Protection Regulation (GDPR)
There was a recognition that the application of data protection across the EU was inconsistent, and that there was a need to align the data protection laws of all Member States.
This led to the General Data Protection Regulation (GDPR), which came into force in all states on 25th May 2018. It has much harsher penalties for anyone that breaches its terms. As mentioned in chapter 4 of this study guide, an EU Regulation is applicable to all EU Member States, without the need for ratification.
There are many similarities with the Data Protection Act 1988, but GDPR goes further, is more specific and aims to harmonise EU data protection laws. Firms need to document how they comply with the principles.
GDPR applies to both controllers and processors.
What is the difference between the two?
- A controller stipulates how and why data is processed. They cannot pass on responsibility to any processor.
- A processor acts on behalf of the controller. They must keep records of personal data and their processing activities.
The controller role was in existence prior to GDPR under the Data Protection Act, as covered on the previous page, and so, in all but name, was the processor role.
What information does the GDPR cover?
It relates to personal data, and extra forms of personal data that reflect the technological advances in the world, including:
• IP addresses
• Biometric information such as social security numbers (used to uniquely identify an individual)
• Personal and online identifiers
• Personal data that has been key-coded
Data Protection Act 2018
Aimed to modernise data protection law in addition to GDPR requirements. UK national security is outside the scope of GDPR, so this Act introduced rules concerning areas such as immigration and crime prevention. The main elements of the 2018 Act are summarised below:
General Data Processing
- To implement GDPR standards across all data processing
- To clarify GDPR definitions in a UK context
- To ensure continued confidentiality of personal sensitive data
- Age 13 set for when parental consent is not required to process data
Law Enforcement Processing
- Introduction of a bespoke regime for data processing by the police, and other criminal justice organisations
- Balancing an unhindered data flow side by side with the relevant safeguards to protect personal data
National Security Processing
- Keep data processing laws by criminal justice organisations up to date
- Introduce appropriate safeguards by which intelligence communities can take on existing, and new national security threats
Regulation and Enforcement
- Additional powers have been given to the ICO
- Increased fines are now available
- Ability to bring criminal proceedings against controllers/ processors
Some decent fines have been handed out by the ICO recently, including:
- Bounty UK fined £400,000 for sharing personal data
- London Borough of Newham fined £145,000 for disclosing personal data
- Avalon Ltd fined £80,000 for calling 52,000 people registered with the Telephone Preference Service (should mean you cannot be cold called!)
What areas should individuals, firms and markets review in relation to their own data security?
Client data definition
• This is defined as personal information held in any format
• Such information must be kept secure as fraudsters can steal it and use it to commit identity theft
Main risks are
• This can include the physical safety of a business
• The vetting of new hires in terms of employees
• Credit and criminal checks should be considered
Risks by third party suppliers
• Firms must carry out sufficient due diligence on third party suppliers
• Companies that do your office cleaning/IT support can potentially have access to client data
• Especially if staff are lax in their treatment of confidential client paperwork
• The task can be outsourced but not the responsibility
Maintenance of current solid data protection policies
• Firms need to ensure staff understand the current data protection policies
• And are kept up to date on any changes
• Plus have their knowledge reviewed at least annually
Data Types
There are two types of data: Personal and Sensitive Personal.
Personal data is, in short, any information which can be used to identify an individual. From the launch of GDPR, the definition is more detailed to reflect changes in technology.
Sensitive data is personal information in relation to, for example, an individual’s race, health and sexuality.
Personal Data can include records of….
- Your name and address
- Occupation and salary
- Date of birth and age
- Your gender
- Your contact details
- Training and qualification records
- IP addresses
Sensitive Personal Data can include records of….
- Your ethnic origin or race
- Sexual orientation
- Physical or mental health
- Criminal record
- Any affiliations such as political persuasion or trade union membership
So, as you can see, personal data means data relating to an identifiable living individual.
Consent must be given to handle such data.
Any sensitive personal data is subject to even stricter handling and conditions.
The general principle is that, unless you provide permission, there is very little that firms can do with data they hold about you, and they should only store data for as long as they need to.
KEYFACT
Outsourcing compliance with the Data Protection Act does not mean the responsibility is not yours. Responsibility cannot be outsourced…
Individuals can ask to see data held about them. This is called a subject access request (SAR). This must be complied with without undue delay and, at a maximum, within 1 month of receiving the request.
KEYFACT
The Information Commissioner’s Office oversees compliance with the Data Protection Act.
When reviewing their data security, firms need to consider that:
• client data is any personal information, held in any format
• data can be compromised in many ways, not just down to IT
• visitors to an office often have the freedom to walk around premises
• new staff may have more access to data than some senior managers
• Does the firm have a ‘clear desk’ policy?
Data Protection Summary
- The ICO oversees compliance with the Data Protection Act and GDPR
- Any authorised person with a ‘relevant filing system’ is subject to the Act and the ICO
- A Data Protection Compliance Officer must be appointed; since GDPR and the new 2018 Act this is both a controller and a processor
- They must ensure the authorised person complies with six data protection principles
- Requests for data are known as subject access requests (SARs)
- Data is split into two categories: personal and sensitive
- Personal data is factual, such as name and address, occupation and salary
- Sensitive personal data includes information on political views, gender, sexual orientation and ethnic origin
- There can be a charge for each SAR, though the ICO expects charging to be rare
- There are strict rules relating to the use of data held on an individual
- It cannot be used for marketing purposes without consent
- An individual can ask for data to be corrected but they must supply evidence that it is incorrect
6.3: Training and Competence (T&C)
The T & C rules are designed to ensure that employees are competent for the work they do and are properly supervised. The authorised person is responsible for the recruitment and competence of all their workers, and for ensuring that they hold ‘appropriate’ examinations.
It makes no difference if individuals are employed, self-employed, or on a contract. Their ‘competence’ is still the responsibility of their authorised person.
Individuals must have appropriate qualifications, be assessed as competent by their firm, maintain their competence through training, and meet standards of behaviour.
Firms need to meet competence requirements in three principal areas: assessing competence, maintaining competence and record keeping.
Some initiatives, such as the Retail Distribution Review (RDR), and the MMR and MCD in relation to mortgage business, have introduced new minimums in relation to appropriate examinations that are required to give certain advice.
Training and competence is not a one-off test. It needs to be initially assessed, then regularly reviewed with accurate records kept.
Trainee financial advisers must have reached a certain T&C level before they will be allowed to see clients and give advice unsupervised.
Initial recruitment
• Identifies existing knowledge and future training needs
↓
Competence
• Advisers cannot advise clients until qualified
• Training must be continuous and ongoing
↓
Appropriate examinations must be held
• RDR, MMR and MCD have introduced higher minimum qualification standards
6.3.1: Initial recruitment
The firm must assess the knowledge and skills of any individuals it hires, and any future training needs they have. This will involve details of any professional qualifications they hold, and the appropriate certificates.
Any individual dealing with retail clients must be assessed in terms of their training needs, and a programme put in place to cover such needs. Training must cover off:
- Market
- Legislative
- Regulatory and
- Product changes and updates.
6.3.2: Competence
Employees (including ARs and the self-employed) must be assessed as competent ahead of undertaking client activity. Core knowledge testing may apply to certain roles. Details of training must be retained for:
3 years from the cessation of employment for…
Non-MiFID firms - (Non = 3 letters)
5 years from the cessation of employment for…
MiFID firms - (MiFID = 5 letters)
Indefinitely for…
Pension transfer specialists
Training and competence of staff is ultimately the responsibility of the authorised person.
When setting up a T&C scheme, the authorised person must ensure it meets certain regulator criteria, which include:
Assessing competence
• As part of the recruitment process
• Taking into account knowledge, skills and qualifications
Reviewing competence
• Competence must be reviewed regularly
• Otherwise employees cannot deal with retail clients, even under supervision
Record keeping
• Record keeping depends on training type:
- indefinitely for anything on pension transfers
- Otherwise three or five years for non-MiFID and MiFID firms
Training record keeping minimum periods start from…
• The end of the employee’s appointment or
• Indefinitely for pension transfer specialists
6.3.3: Appropriate examinations
Different levels of qualification are required for different roles. Certain types of transactions, such as pension transfers, need ‘enhanced authorisation’.
The benchmarking for qualifications is the Qualifications and Credit Framework (QCF).
At entry level, investment advisers need a QCF level 4 qualification (such as the CII Diploma in Regulated Financial Planning) and mortgage advisers need a QCF level 3 qualification (such as the Certificate in Mortgage Practice) offered by the Financial Skills Partnership.
Without holding an appropriate qualification, a financial adviser is not permitted to see retail clients, even if accompanied by a supervisor. A supervisor must always hold a qualification ‘at least an equivalent to’ the adviser under supervision.
Certain areas of business, as mentioned previously, require specialist qualifications. Without the required qualification, the financial adviser cannot give advice in this market area.
KEYFACT
A manager that is supervising a financial adviser must hold at least an equivalent qualification to the individual that they are supervising.
No suitable qualification? No advice can be given!
Individuals now have 48 months to attain a level 4 qualification (up from a previous 30 month maximum).
6.3.4: Reporting of competence
From 15 July 2011, firms must report certain changes in an individual’s competence status directly to the FCA.
As soon as it becomes apparent, they must report any adviser who:
• was previously assessed as competent, but is no longer considered competent
• has failed to attain an appropriate qualification within the time limit permitted (often 48 months maximum)
• has failed to comply with a Statement of Principle in carrying out their duty
• has advised the public without appropriate supervision
KEYFACT
Can a trainee financial adviser see a retail client unsupervised?
No.
Training and Competence (T&C) SUMMARY
- Competence must be ‘appropriate’ to the type of regulated activity being carried out
- The status of the worker does not matter. They can be employed, self-employed or under contract; the responsibility still lies with the authorised person
- Appropriate examinations must be held, such as a level 4 qualification for anyone giving full financial advice
- No relevant qualification means advice cannot be given in this area
- Any supervisor must be qualified to at least the same level as the person they are supervising
- Unqualified financial advisers cannot give advice to retail clients, even if supervised
- Staff must be, and continue to be, competent for the role they are carrying out
- Records of any training must be kept for minimum time periods from the cessation of employment of the staff member
- Indefinitely for pension transfer training
- 5 or 3 years minimum for other training records
6.4: Record keeping, reporting, and notification requirements
6.4.1: Record keeping
COBS rules outline how long records must be kept for. The timescale varies depending upon the nature of the business involved.
3 years
• Non-MiFID cases
5 years
• Life policies and pension contracts
• MiFID cases
• Most other cases
6 years
• Promotions of life and pension materials
Indefinitely
• Pension transfers
• Pension opt-outs
• FSAVCs
• Any records relating to the above