What’s the connection between good governance and the Investment Firms Prudential Regime?

IFPR looks to streamline prudential requirements for investment firms, shifting the focus away from the risks a firm faces and towards the potential harm it poses to consumers and markets. It covers a wide range of obligations, including capital requirements, liquidity requirements, governance, remuneration, reporting, and the Internal Capital Adequacy and Risk Assessment (ICARA).

The rule changes require all investment firms to have robust governance arrangements, including:

  • clear organisational structure and lines of responsibility;
  • effective risk identification and management processes; and
  • adequate internal controls, including administration and accounting procedures.

Risk mitigation is at the core of IFPR for which a firm’s management body is ultimately responsible. The management body, and any risk committee that has been established (now mandatory for larger firms), must determine the nature, the amount, the format, and the frequency of the information on risk that they are to receive. Ignorance is not a defence for senior executives overseeing prudential obligations. If senior managers are not receiving sufficient information to discharge their oversight responsibilities then they must demand change.

The good governance models we see employed start with ensuring that everyone in the process understands their role in the identification, management and mitigation of risk. This includes the non-executive directors sitting on the Risk Committee. It is highly unlikely that this would be achieved with off-the-shelf e-learning courses. Every business is different and effective training programmes are tailored to each firm’s business model and the inherent risks that it faces.

What are some of the most common financial crime trends you’re currently noticing?

Phishing scams are on the increase and becoming more sophisticated over time. Phishing is a cybercrime in which a target is contacted by email, telephone or text message by someone posing as a legitimate institution to lure them into providing sensitive data or payment. It can often be difficult to distinguish a phishing email from a legitimate one. However, there are some established red flags that firms can share with employees to mitigate the risk of falling victim to this crime.

Sanctions screening has historically been a relatively consistent aspect of a firm’s anti-money laundering controls. Yet, in recent months there has been a significant uptick in global sanctions targeting Russia and other countries involved in the invasion of Ukraine. This has stretched the resources of financial crime teams as they scramble to identify and respond to frequent sanctions updates. Many firms will have gone years without having a client sanctioned and the internal and external escalation processes would have been untested in those cases. Events like this show the importance of well-documented and up-to-date policies and procedures.

Cryptocurrency is the talk of the town and global regulators have been quick to identify the potential for it to be used in financial crime as the primary regulatory risk. There have been well-publicised difficulties with UK crypto firms obtaining authorisation from the FCA in recent months. The FCA is reportedly unimpressed with the high number of financial crime red flags missed by crypto firms, whilst representatives of crypto firms said the regulator had been slow to approve applications and was often unresponsive.

How have these changed recently?

The increase in remote working during the COVID-19 pandemic certainly saw a spike in reports of phishing attempts. We can only speculate as to the cause. Perhaps employees who would once turn to each other to discuss an odd email in the office are less likely to from home? Or perhaps fraudsters saw an opportunity for a wider victim pool as people spend more time in front of their screens during global lockdowns? Whatever the reason, it shows little sign of slowing down so firms are looking to enhance their cyber security to defend themselves and their employees from this financial crime.

The increase in global sanctions was directly linked to Russia’s invasion of Ukraine. Some months down the line, we continue to see new names added to global sanctions lists whilst the invasion remains ongoing. It is not just the sanctioned entities that are impacted. We are becoming aware of delays to payment processing whilst compliance checks are carried out on payments. Firms can suffer issues with cash flow and frustration from clients as they continue to navigate the banking system in compliance with global sanctions.

Crypto regulation is still very much in its infancy. In the UK, the FCA recently launched a series of ‘crypto-sprints’. The objective of the events is to seek industry views around the current market and the design of an appropriate regulatory regime. Hopefully, this initiative will foster a productive working relationship between the regulator and practitioners, leading to an effective regulatory framework.

Now we’re on the subject of crypto regulation, what are the key features of the proposed Markets in Crypto-Assets Regulation (“MiCA”) that practitioners should be aware of?

The MiCA borrows heavily from the second Markets in Financial Instruments Directive (MiFID II). Therefore, practitioners who are familiar with MiFID II will have a head start in navigating the MiCA regime. Whereas MiFID II captures investment firms, MiCA seeks to regulate: (i) issuers of crypto assets and stablecoins, (ii) crypto exchanges (think multilateral trading facility (MTF) for Bitcoin and such like); and (iii) wallet providers.

Like MiFID II investment firms, these crypto actors would be required to meet minimum capital requirements. For example, a crypto MTF would need to be capitalised at a minimum of €150k under the proposals.

As well as striving to enhance financial stability in the crypto assets space, MiCA also introduces conduct of business requirements to offer protection to consumers. Crypto-asset white papers would have to be “fair, clear and not misleading”. Crypto-asset service providers must strive to obtain the “best possible result” when executing orders for crypto assets on behalf of third parties. Issuers of asset-referenced tokens would be required to implement procedures for handling complaints. Again, these selected conduct-related examples illustrate that the influence of MiFID II on the development of MiCA has been pervasive. Added to this are requirements for crypto-asset providers to implement systems and controls to detect potential market abuse perpetrated by their clients.

When is MiCA likely to enter into force? Is there anything crypto-asset services providers can do now to prepare for its implementation?

It is mooted that MiCA will enter into force in 2024. By reviewing the requirements in MiCA as early as possible, existing entities that could be subject to its authorisation requirements have an opportunity to put themselves in a strong position. Those who are familiar with implementing other major EU regulatory packages such as MiFID II, the European Markets Infrastructure Regulation (EMIR) and the Alternative Investment Fund Managers Directive (AIFMD) appreciate the importance of getting off to a good start in developing regulatory change programmes. The time and resources required should never be underestimated, particularly where achieving compliance is heavily dependent on technology. Furthermore, starting early helps the senior management of a business forward project capital and cost requirements. This is key to avoiding nasty surprises, enabling a crypto-asset business to face the future with confidence.

MiCA is perhaps the most notable regulatory initiative emanating from the EU that will not have been contributed to by UK policymakers. How is the regulatory landscape for crypto assets evolving in the UK in comparison?

In March 2022 the Bank of England’s (BoE) Financial Policy Committee (FPC) published a report entitled “Financial Stability in Focus: Crypto assets and decentralised finance” that provides insights into the possible trajectory of regulatory reform in this area.

From a macroprudential perspective, the FPC observes that there is “limited interconnection” between the UK financial system and crypto assets at present. Nevertheless, the FPC acknowledges that disruptive and traditional finance are likely to become increasingly intertwined. Accordingly, the FPC is keen that gaps do not emerge or widen in the regulatory perimeter that could pose a threat to financial stability. The FPC cites some initiatives that have already been taken by UK authorities to address some of the macro and micro-prudential risks posed by crypto assets. For example, the FCA references the Dear CEO Letter published by the Prudential Regulation Authority (“PRA”) on 24th March 2022 concerning the treatment of crypto-asset exposures by banks and investment firms that fall within its remit. Furthermore, the FPC considers the implications of conduct and financial crime risks in its analysis. For instance, measures taken by UK financial regulators to hinder efforts to use crypto assets as means of circumventing HM Treasury’s Russia sanctions were welcomed by the FPC.

In our view, lawmakers should take care to ensure that crypto-asset regulation in the UK is not comprised of a patchwork quilt of initiatives. Plainly, such a landscape would be difficult for their intended subjects to navigate. Moreover, this is liable to create exactly the types of gaps that the FPC hopes can be kept to a minimum. At the root of this is an apparent contradiction at the heart of UK policymaking. One month the Chancellor of the Exchequer announces a crackdown on crypto-asset promotion, the next he is extolling the benefits of making the UK a “crypto hub”. Regulation will always lag technological innovation (although it can sometimes encourage it too – Regulation National Market System is often credited with fuelling the growth of high-frequency trading in the US). Still, poorly conceived regulation that merely reacts to present demands or fears is likely to lead to suboptimal outcomes – for both the regulator, the regulated and the consumer. The well-documented difficulties that crypto-asset providers have experienced in seeking anti-money laundering registration with the FCA exemplify this point. The FCA’s aims are laudable: it is using the tools at its disposal to try and cover a perceived legislative gap to protect consumers from unscrupulous actors. Nonetheless, this approach risks forcing legitimate actors offshore. UK consumers would likely still find these actors. Is this desirable?

So much to ponder! Finally, what can firms do if they are struggling to stay on top of all this change?

Engaging a high-quality consulting firm to assist with regulatory change management can really pay dividends. This is especially the case in crypto assets. Ever greater financialisation has resulted in the most liquid cryptocurrencies becoming underlyings for exchange-traded derivatives and contracts for difference. It has also led to regulatory concepts governing traditional investments gaining influence in disruptive sectors. Consequently, seasoned investment compliance professionals can help crypto-asset firms build an optimal governance and control framework. This will become critical to meeting the challenges posed by the fast-evolving regulatory environment.