What's on the Regulatory Horizon?
Your horizon scanning has never been as important as it is right now, a time when we have significant and numerous regulatory changes afoot. There is no time like the present to review the recent changes and to look ahead at what is coming up over the next seven months.
A simple and easy way to stay up to date with the upcoming key changes is to sign up to our compliance insights e-alerts. We email our loyal subscribers every month with key updates (unless there is more urgent news, in which case we'd email you straight away).
Dear CEO
In September 2017 the FCA released a “Dear CEO” letter aimed at addressing the manner in which some firms were dealing with complaints. It resulted from a study conducted by the FCA where they found examples of non-compliance with the requirements set out in DISP as well as general poor practice relating to the way firms handle complaints.
The main concerns were:
a failure to provide to customers the required information about the Financial Ombudsman Service – this included failing to provide details of the complainant’s right to refer to the Ombudsman if they remain dissatisfied
a failure to provide a clear explanation, to the complainant, of the outcome of the complaint and why this outcome had been reached
a lack of management controls in place to analyse and remedy any root causes of complaints or systemic problems
Pre-action Protocol for Debt Claims
On the 1st October 2017 a new pre-action protocol came into force. This protocol is specifically for debt claims made by a business (including sole traders) against any individual or business. Previously, those seeking to make a debt claim followed the general principles set out in the Practice Direction Pre-Action Conduct and Protocols. The aim of the new protocol is to encourage early communication between the parties and, if possible, resolution and settlement outside of the courts, with the effect that court proceedings would be a last resort.
Part 3 of the protocol sets out that prior to commencing proceedings, a creditor should send the debtor a Letter of Claim. There are requirements about the content of this letter. It must include full details of the amount and basis of the debt. If the debtor doesn’t respond within 30 days, the creditor may start court proceedings. The 30-day delay is, from a process perspective, one of the biggest changes businesses and solicitors need to make.
The letter before claim (LBC) needs to be sent by post and must contain certain key information such as the amount of debt, whether charges and interest are accruing, the fact that a copy of the agreement may be requested (where the contract has been made in writing), details of how the debt can be paid, if instalments are being offered why the offer is unacceptable and, if the debt has been sold, where the debt has been assigned to and who the original creditor was. We are not interpreting this to mean that should the debt have been assigned multiple times, each assignment needs to be listed. What is important is that the debtor understands who the original creditor was and the role of the party bringing the claim.
An up-to-date statement of account or wording indicating that a statement is available must also be included. Amongst some other terms, a “reply form” must also be included which has attracted a lot of criticism from both the debt advice sector and creditors.
For more information read our previous post: The Pre-Action Protocol - An Update
Remuneration and Staff Incentives
The FCA recently held a consultation on Staff incentives, remuneration and performance management in consumer credit in early October and are due to release a Policy Statement and Finalised Guidance in Q1 of 2018 – these will be our new rules in relation to remuneration and staff incentives.
The consultation came off the back of a themed review by the FCA where they identified a number of issues and “high risk” incentives which they are looking to ban. The FCA informed us of these “high risks” during the consultation process and, therefore, we have a very clear idea of what the new rules will ban. Do note you should not wait for the rules to come into force before you comply. The FCA have made it very clear what they believe to be non-compliant incentive schemes and can take action under PRIN and COBS now. So what incentives should you avoid?
The FCA has highlighted certain practices it considers to be high risk in relation to incentives:
100% variable pay – where salary is made up purely of, for example, commission payments
Disproportionate reward from marginal sales / collection – where bonus targets may encourage staff to mis-sell to gain a sale
Accelerators or stepped payments
Incentives linked to the terms of finance
Product bias
Incentives for sale of finance
Variable salaries that change based on volume measures – where salary is linked directly to sales
Volume based measures to determine whether incentives are paid – where salaries are only paid if targets are met
Competitions or promotions
Incentive schemes for managers linked to team performance
Incentives for sales of non-financial products – common among secondary brokers
For more information you can read our article: Staff Incentives and Remuneration
The new rules will include a requirement that you have a process in place to review the impact that incentives have. This will likely include a proper risk review of the impact your incentives have on the conduct of your team. We’re lucky to be able to see the effect of a range of incentives and remuneration packages throughout different firms in our sector and, while we completely agree with the “high risk” areas identified by the FCA, we also see the following issues:
Incentive schemes which exclude staff following receipt of one complaint, or one poor call score. While in itself this is not a major issue, it becomes counterproductive if the agent learns of their exclusion prior to month end
Incentive schemes where only one member of staff can “be the winner” as this is often perceived as too difficult to win and therefore loses its impact
Creditworthiness Assessments
The FCA are proposing changes to the rules and guidance on assessing creditworthiness including affordability, in consumer credit, to clarify their expectations of firms. This applies to consumer credit lenders, peer-to-peer platforms, and trade bodies representing these firms.
The FCA's research findings have confirmed that most firms do consider affordability in some form, and appear to have implemented relevant processes, the majority of which appear appropriate. However, practices were found to vary considerably, given the challenges in assessing affordability in light of a customer’s financial situation. There was evidence both of under-compliance with the rules and of firms having procedures which may be unnecessarily costly or restrictive.
In light of this, they are seeking to amend the rules and guidance to clarify what they expect of firms in assessing creditworthiness.
Early indications show the FCA are looking for firms to have a twofold creditworthiness assessment comprising both risk (to the lender) and affordability (for the customer):
Credit risk is the risk to the lender that the customer will not repay the credit. (Lender-focused test)
Affordability is about how difficult it may be for the customer to repay. (Borrower-focused test)
In short, the FCA are proposing the following changes to CONC (current provision, followed by the proposed change):
CONC 5.2 and 5.3 and CONC 6.2 – Combined in a new CONC 5.2A, covering both the initial assessment by lenders and post-contractual credit increases (5.2A.4R)
CONC 5.2.1R – Minor changes to scope of creditworthiness rules (5.2A.2R); clarifying that creditworthiness comprises credit risk and affordability (5.2A.9R); elaborating on the meaning of affordability (5.2A.10R)
CONC 5.2.2R – Single test of creditworthiness (5.2A.4R) applying to all relevant agreements with some limited exceptions (5.2A.2R)
CONC 5.2.2R, 5.2.3G and 5.2.4G – Clarifying the meaning of proportionality and the factors to be taken into account by firms when deciding on the extent and scope of an assessment and the types and sources of information to use or verify (5.2A.19R to 5.2A.23G)
CONC 5.2.5R and 5.2.6G – Clarifying the obligation to assess potential impacts on a guarantor (5.2A.31R and 5.2A.32G)
CONC 5.3.1G – Clarifying the meaning of affordability (5.2A.10R) and the role of income and expenditure information (5.2A.13R to 5.2A.18G); clarifying that income for these purposes must be the customer’s own (5.2A.14R); elaborating on the assumptions to be used for open-end agreements and running-account credit (5.2A.24R to 5.2A.28G)
CONC 5.3.2R and 5.3.3G – Elaboration of requirements relating to firms’ policies and procedures for creditworthiness assessments (5.2A.33R and 5.2A.34G); clarifying expectations in relation to verification of information (5.2A.21 and 22G)
CONC 5.3.4R – Pawnbroking carve-out becomes an exception where certain conditions apply (5.2A.2R)
CONC 5.5 – Moved to new CONC 5.5A covering assessments by P2P platforms (to parallel requirements on lenders); expanded to include post-contract credit increases under P2P agreements (5.5A.5R)
SM&CR
As of 2018 the relevant section of The Bank of England and Financial Services Act 2016 will be fully implemented by the FCA. This essentially means the Senior Management and Certification Regime will apply to all firms regulated by the FCA, including consumer credit firms.
The Senior Managers and Certification Regime is essentially made up of three aspects, each covering different groups of people. The Senior Managers Regime covers board members and other senior managers requiring regulatory approval. This is the closest to the current approved persons regime as we know it.
Firms must, therefore, establish which senior managers the regime applies to. As mentioned, we don’t know how this will look for consumer credit firms until the FCA release the results of their recent consultation but for the current regime the FCA have created a number of “significant management functions” (SMF) with any person undertaking these roles needing to be approved. The main SMFs which would apply are Compliance, Head of Internal audit, Chief Finance, Chief Risk, Director and Executive Director.
These senior managers have new responsibilities including a legal responsibility to take reasonable steps to prevent breaches from occurring in their area of responsibility. Upon certification senior managers become personally responsible for compliance in their area and firms must provide a statement of responsibilities for each senior manager upon application. This statement must be continually kept up to date and re-sent to the FCA whenever a change in a senior manager’s responsibilities occurs within the firm. The firm must also provide the FCA with a “responsibilities map” outlining managers’ and departmental responsibilities; again, this must be kept up to date. In fact, you are required to give one of your senior managers the responsibility to keep these documents up to date, and this should be included within the document!
The Certification Regime covers any ‘Significant Influencer Functions’ as well as any other staff judged to be able to cause ‘significant harm’ to the firm or its customers. It asks firms to identify staff who may cause “significant harm” to customers and certify them as fit and proper at induction and at least annually thereafter. Together with the senior managers there are requirements around gaining references and criminal record checks.
The Conduct Rules apply to senior managers and certified staff; they apply two tiers of rules, a summary of which is in the image below:
Preparations should be well underway to ascertain who is captured and how your firm will be set up to comply.
GDPR
The big change of 2018 is the new General Data Protection Regulation which replaces the Data Protection Act 1998. It is a root and branch change of the current data protection legislation meaning it is impossible to cover all of the requirements in this article. However, we’ll give it a go!
The first thing to note is that the 8 principles are now replaced by 6 principles and 8 rights. The 6 principles are actually not significantly different from the current data protection principles, so the changes to concentrate on are the 8 rights that data subjects now have.
They include the right to be informed, meaning that we have to provide data subjects with a fair processing notice at the point we obtain their data or at the point we first contact the data subject. This has very specific content requirements, including informing the customer where their data was obtained from, (in some circumstances) who you may send the data to, their right to complain to the ICO, which of the eight rights apply and how to initiate these rights. If you need to have a data protection officer, their details must be included within the notice as well.
Data subjects also have the right to access, similar to today’s right under section 40, but now we are unable to charge for subject access requests and must respond within thirty days. Subjects, in certain circumstances, get the right to be forgotten, right to object, right to restrict, right to rectification, right to portability and rights in relation to automated profiling and decision making.
The above rights do not always apply; often they do not apply where the data is processed because it is “necessary for the performance of the contract or legal obligation”, so it is a good idea to understand the legal basis upon which you process your data fields. We are helping firms to justify, in their new data protection policies, why the data fields they process are necessary for the performance of the contract or legal obligation – do note the word necessary, as this does not mean “useful”.
For more information on the rights please do not hesitate to Contact Us.
Aside from the rights, there are several other key requirements; the first to consider is the change to consent. Where data is processed on the basis of consent you need to have the data subject’s permission in a clear, positive and informed manner. The upshot is that tick boxes must no longer be pre-ticked and the data subject should be able to fully understand what will happen to their data at the point of giving consent. Be aware that some data you process is likely to be processed on the basis of consent: any data held for marketing must be consented to, as must any data in relation to medical information.
There are new rules in GDPR around how you handle relationships with suppliers; you’ll need to update all of your SLAs to include specific clauses which are now a requirement under GDPR. Equally, you need to have processes in place to report breaches “as soon as possible” with the aim of reporting within 72 hours. You are required to report breaches to the ICO and “high risk” breaches to the data subjects themselves.
There are other requirements in relation to DPIAs and privacy by design – you can read more about these on the ICO website.