Podcast: COVID-19: European Regulatory Update for Asset Managers: 26 May 2020
Welcome to the second installment of Ropes & Gray’s European regulatory podcast for asset managers. These fortnightly podcasts and accompanying speaker notes are intended to provide an overview of updates relevant to GCs, CCOs and other compliance professionals to help you navigate both COVID-19 and other developments relevant to your business. The speakers on today’s podcast are Eve Ellis, a partner in our asset management group specialising in fund regulation, Rosemarie Paul, a partner in our litigation & enforcement group specialising in regulatory enforcement matters, and Rohan Massey, a partner and leader of our data, privacy and cybersecurity group.
This update covers topics relating to liquidity, business interruption insurance, the Financial Services Regulatory Initiatives Forum, short selling, financial crime, data privacy, a collaboration between the Financial Conduct Authority (“FCA”) and Her Majesty’s Revenue and Customs (“HMRC”) and the FCA’s Dear CEO letters.
ESRB statement on liquidity for asset managers
The importance of liquidity management for asset managers during the COVID-19 crisis has been reiterated at the EU level. The European Systemic Risk Board (“ESRB”) has published a statement setting out its recommendation to the European Securities and Markets Authority (“ESMA”) regarding liquidity risks in investment funds.
This recommendation follows its announcement in April against the backdrop of the COVID-19 crisis that it was focusing on five priority areas where coordination between local regulators would be key to ensuring financial stability. One of these priorities is financial market liquidity and implications for asset managers.
The ESRB highlighted the pressure asset managers face given the difficult macroeconomic outlook. It also explained that there are additional vulnerabilities for funds that have short redemption periods but exposure to less liquid assets – this liquidity mismatch adds additional pressure on asset valuations in times of stress if managers sell assets over a short time period to meet redemption requests.
The ESRB has identified two segments which it considers are at greater risk in this area and require greater scrutiny from a financial stability perspective. These are funds which have exposure to corporate debt and real estate. ESMA is therefore tasked with coordinating with local regulators to prepare a piece of supervisory work focused on these areas by the end of October.
In addition, the ESRB also issued a statement on the use of liquidity management tools where the ESRB emphasised the importance of the availability and timely use of such measures, especially in times of stressed market conditions. Such tools include anti-dilution levies, redemption fees, swing pricing, redemption gates and the suspension of redemptions.
ESMA has supported the ESRB recommendations, and asset managers with funds investing in corporate debt or real estate should be prepared for further regulatory scrutiny in this area.
Business Interruption Insurance – High Court Test Case
The COVID-19 pandemic and the government controls imposed as a result are causing a substantial level of loss and distress for businesses, in particular for SMEs. A large number of claims are being made to insurers under the terms of business interruption (“BI”) insurance policies. This may be relevant to you as an organisation, or possibly relevant to your portfolio companies.
There is continuing and widespread concern about the lack of a positive response of some of those BI insurance policies, and the basis on which some insurers are making decisions in relation to claims.
The FCA intends to obtain court declarations aimed at resolving contractual uncertainty in selected BI insurance policies.
The result of the test case will be legally binding on the insurers that are parties to the test case in respect of the representative sample considered. It will also provide persuasive guidance for the interpretation of similar policy wordings and claims that can be taken into account in other court cases, by the Financial Ombudsman Service and by the FCA in looking at whether insurers are handling claims fairly.
The FCA is inviting policyholders and insurance intermediaries who are aware of unresolved disputes with insurers over the terms of BI policies to engage with it, if they want it to take their concerns into account as part of the test case. The FCA has said it will engage with policy holders and keep them informed, as well as make public all pleadings in the test case.
Financial Services Regulatory Initiative Forum – Grid
The Financial Services Regulatory Initiatives Forum has published a grid which sets out the regulatory pipeline across the Bank of England, FCA, Prudential Regulation Authority (“PRA”), Payment Services Regulator and the Competition and Markets Authority (the “Grid”). This is so the financial services industry and other stakeholders can understand – and plan for – the timing of the initiatives that may have a significant operational impact on them.
This will help in any environment but it’s especially necessary during the current COVID-19 crisis. The Grid provides detail on the timing of initiatives by quarter over a 12-month horizon – in future editions it is intended to extend this to 24 months.
This is a one-year pilot exercise – worth providing feedback!
After two months, Austria, Belgium, France, Greece, Italy and Spain have lifted their respective short selling bans. One key point to bear in mind is that the lower notification limit of 0.1% still remains in place.
There have been a number of developments in this area over the last couple of weeks.
European Commission Communication on AML and CTF Action Plan
Firstly, the European Commission (“EC”) has set out plans to assume new pan-European powers to crack down on money laundering after a series of scandals rocked the region’s banking sector and exposed patchy enforcement across the Union. As part of this, a consultation with Member States will focus on whether to create a new supervisor to oversee anti-money laundering or to hand additional powers to the European Banking Authority. This highlights the importance of financial crime at the European level and also shows a broader direction of travel of having EU-wide supervision rather than on a country-by-country basis.
European Commission adopts new Delegated Regulation amending list of high-risk third countries under MLD4
The second update in this area is the publication of a revised high-risk third country list under the Fourth Anti-Money Laundering Directive (“MLD4”). By way of background and broadly, if you are dealing with a person from a high-risk third country you will be required to conduct enhanced customer due diligence. The EC also published its revised methodology on how it determines whether a country should be considered high risk. A few points to bear in mind:
- The updated list is similar but not identical to the Financial Action Task Force (“FATF”) list of monitored countries. The MLD4 list includes Afghanistan, Iraq, Trinidad & Tobago and Vanuatu (despite being delisted by FATF) and the FATF list includes Iceland and Albania (which do not appear on the MLD4 list). This means firms should ensure both lists are checked.
- There is a slight distinction between the lists – firms are to consider whether to undertake enhanced due diligence on countries on the FATF monitored countries list whereas they must undertake enhanced due diligence on countries on the MLD4 list.
- The updated MLD4 list comes into force in October 2020 (it has been delayed as result of COVID-19).
Statement from UK Government on information sharing within groups and data protection considerations
Lastly on financial crime, the UK Government issued a brief statement endorsing the current FATF guidance on Information Sharing and Recommendations on International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (the “Statement”).
The Statement highlights the benefits of information sharing in achieving positive anti-money laundering / counter-terrorism financing (“AML/CTF”) outcomes and that:
- group wide policies on information sharing should result in better “mitigation of risks” in relation to AML/CTF; and
- it may allow a regulated entity to perform better customer due diligence and file higher quality Suspicious Activity Reports.
The Statement reiterates that personal data should be shared in accordance with the General Data Protection Regulation 2016/697 (“GDPR”) and the Data Protection Act 2018 (“DPA”).
GDPR and DPA issues
It is critical for organisations to remember that in the EU all data that indentifies an individual must be processed in accordance with the GDPR (the substance of which will also apply in the UK post-Brexit under the DPA).
When considering sharing personal data either within corporate groups or with third parties, organisations will need to consider the following principles which are at the core of the GDPR:
- Lawfulness, Fairness, and Transparency: Personal data must be used in a lawful, fair, and transparent manner. Organisations must have a legal basis for sharing the personal data; more often than not in relation to AML/CTF measures, there may be a legal obligation on the organisation necessitating the sharing. However, in some scenarios, perhaps where the sharing is for ease of group administration, a different legal basis may be relied on, such as the organisation’s legitimate interests. When relying on this legal basis an organisation must undertake a legitimate interest assessment to ensure that its interests are balanced against the rights of the individual. It is required that an organisation documents all of these decisions and, in the UK, have in place an appropriate document setting out and explaining relevant procedures for securing compliance with the data protection principles, and detailing the policies regarding the retention and erasure of such personal data. In some instances an organization may determine that they need the individual’s consent to legitimize the sharing. This is often the case where special categories of data, including data relating to criminal convictions, or political, religious or philosophical beliefs are being shared. It is important to remember that for consent to be valid the organisation must (i) provide sufficient information to the individual to make an informed decision; (ii) allow them to give consent freely and not under any form of duress or pressure; and (iii) structure the consent process so that the individual can withdraw his/her consent at any time as easily as it was given. In all instances, organisations should clearly communicate what personal data they will be sharing and why. This information is usually included in a published privacy statement or notice.
- Data Minimisation: Organisations should consider what information needs to be shared and only share the personal data that is relevant to, and necessary to achieve the stated goals.
- Accuracy: When sharing personal data, efforts must be made to ensure accuracy and allow for correction of inaccurate data. Risk may be heightened here as the potential impact on the individuals of inaccurate data being shared for the purposes of AML/CTF is great.
- Security: When processing personal data, which includes sharing, the security principle in the GDPR requires organisations to use appropriate technical or organisational measures to keep the data secure. It will be up to organisations to assess what is appropriate considering the volume and sensitivity of the data and the state of the art of security technology. This is an ongoing obligation and should be kept under periodic review. As part of a good compliance culture organisations should ensure that those they share personal data with also meet their obligations on data security.
When sharing personal data, whether to a group company or third party, it is also important to remember that personal data can be freely transferred around the European Economic Area (the EU and Iceland, Lichtenstein and Norway). However, transfers outside these jurisdictions will need to have safeguards in place to ensure the data is given adequate protection after it is transferred. Such protections include:
- adequacy decisions – where the EC determines that a country’s data protection laws meet the GDPR standards - The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection;
- standard contractual clauses (“SCCs”) – these are contracts that can be entered into between parties to provide certain protections. The clauses were drafted by the EC and in order to remain effective, cannot be amended. As such, they may not always be appropiate depending on the facts of any sharing relationship. Of note, the Court of Justice of the EU will opine on the validity of SCCs in early July, so their days may be numbered;
- binding corporate rules (“BCRs”) – these are a means for intra-group transfers but which require regulatory approval when a group can evidence compliance. To date this has been a slow and expensive process and so the number of approved BCRs remains very low (approximately 130); and
- certain ‘derogations’ – which include one-off, low volume transfers, although organisations will need to have made an assessment of this and informed their local regulator that they will be undertaking the data transfer.
GDPR compliance is important as data protection regulators are very active and have extensive powers to stop an organisation from sharing personal data and can issue significant fines of up to the higher of (i) EUROS20 million; and (ii) 4% of an organisation’s global turnover. In the UK, the Information Commissioner’s office is currently reviewing a consultation on its Data Sharing Code of Practice (the “Code”). Once this is finalised and published, the Code will become a statutory tool which organisations will be bound to consider as part of their data sharing compliance obligations.
FCA and HMRC enter into a Collaboration Agreement
The FCA and HMRC recently entered into a collaboration agreement which will enable HMRC (the supplying authority) to put the services of designated or other officers of HMRC at the disposal of the FCA (the subscribing authority), for the purposes of the FCA exercising its functions.
The agreement came into effect on 1 May 2020. It will significantly increase the FCA’s investigation capability as it can draw on the resources and experience of HMRC.
Increase in Dear CEO Letters and Skilled Persons reports
It has recently been reported that the number of Dear CEO letters issued by the FCA and the PRA increased by 20% in 2019, which is a new record (based on analysis from advisory firm BDO). Dear CEO letters form part of the supervisory toolkit and where they were quite rare a few years ago, we are seeing a significant increase in their use. Recent Dear CEO letters have addressed non-financial misconduct, warned about fair treatment of corporate customers raising equity finance and considered treatment of business interruption insurance claims.
This seems to indicate that the regulators see these letters as an effective tool to raise firms’ awareness of high risk/high priority issues and where the FCA’s supervisory focus will be.
The FCA has referred to Dear CEO letters in the context of Final Notices where it has indicated that a Dear CEO letter puts firms on notice of the FCA’s concerns in relation to a particular issue. Firms need to pay attention to these as they show the FCA supervisory (and likely enforcement) direction of travel.
It is worth noting that there has also been an increase in s.166, or skilled persons reports ordered by the FCA. A skilled persons report is part of the supervisory toolkit, which enables the regulator to obtain a view from a third party (skilled person) about aspects of a firm’s activities if they are concerned or want further analysis. The cost of the skilled person’s review falls on the firm.
Analysis from Duff & Phelps indicates that skilled person reports have risen by 68% over 2019/2020 compared with 2018/2019. The most common area of focus for the reviews was financial crime which demonstrates the priority the FCA is placing on this area.
Contact usFor more information on the topics we have discussed or other topics of interest, please visit our website at www.ropesgray.com. Also, if Eve, Rosemarie or Rohan can help you navigate any of these areas, please do not hesitate to contact any of us. You can also subscribe to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify.