Regulatory Horizon for 2018
2018 promises to be a bumper year for compliance. I can hear what you are thinking: you’ll be muttering, “Isn’t it always?” Seriously, though, this year promises to be more important than any since 2014, when the FCA took over regulation of consumer credit.
We’ll start the year with elements of MiFID coming into force along with the Payment Services Directive. At the same time we’ll be feverishly working on becoming GDPR compliant in order to meet the May implementation date and to avoid, as best as possible, a major shock to the business.
We’ll also have the Senior Managers and Certification Regime come into force for non-banking firms and new rules in relation to staff incentives as well as creditworthiness assessments – expect changes to the way in which many of us work!
Remuneration and Staff Incentives
The FCA recently held a consultation on Staff incentives, remuneration and performance management in consumer credit in early October and are due to release a Policy Statement and Finalised Guidance in Q1 of 2018 – these will be our new rules in relation to remuneration and staff incentives.
The consultation came off the back of a themed review by the FCA where they identified a number of issues and “high risk” incentives which they are looking to ban. The FCA informed us of these “high risks” during the consultation process and, therefore, we have a very clear idea of what the new rules will ban. Do note, you should not wait for the rules to come into force before you comply. The FCA have made it very clear what they believe to be non-compliant incentive schemes and can take action under PRIN and COBS now. So what incentives should you avoid?
The FCA has highlighted certain practices it considers to be high risk in relation to incentives:
100% variable pay – where salary is made up purely of, for example, commission payments
Disproportionate reward from marginal sales / collection – where bonus targets may encourage staff to mis-sell to gain a sale
Accelerators or stepped payments
Incentives linked to the terms of finance
Product bias
Incentives for sale of finance
Variable salaries that change based on volume measures – where salary is linked directly to sales
Volume based measures to determine whether incentives are paid – where salaries are only paid if targets are met
Competitions or promotions
Incentive schemes for managers linked to team performance
Incentives for sales of non-financial products – common among secondary brokers
For more information you can read our article, Staff Incentives and Remuneration for Consumer Credit Firms: A Quick Guide to the FCA's Consultation.
The new rules will require you to have a process in place to review the impact that incentives have. This will likely include a proper risk review of the impact your incentives have on the conduct of your team. We’re lucky to be able to see the effect of a range of incentives and remuneration packages throughout different firms in our sector and, while we completely agree with the “high risk” areas identified by the FCA, we also see the following issues:
Incentive schemes which exclude staff following receipt of one complaint, or one poor call score. While in itself this is not a major issue, it becomes counterproductive if the agent learns of their exclusion prior to month end.
Incentive schemes where only one member of staff can “be the winner”, as this is often perceived as too difficult to win and therefore loses its impact.
Creditworthiness Assessments
The FCA are proposing changes to the rules and guidance on assessing creditworthiness including affordability, in consumer credit, to clarify their expectations of firms.
This applies to consumer credit lenders, peer-to-peer platforms, and trade bodies representing these firms.
The FCA’s research findings have confirmed that most firms do consider affordability in some form, and appear to have implemented relevant processes, the majority of which appear appropriate. However, practices were found to vary considerably, given the challenges in assessing affordability in light of a customer’s financial situation. There was evidence both of under-compliance with the rules and of firms having procedures which may be unnecessarily costly or restrictive.
In light of this, they are seeking to amend the rules and guidance to clarify what they expect of firms in assessing creditworthiness.
Early indications show the FCA are looking for firms to have a twofold creditworthiness assessment comprising both risk (to the lender) and affordability (for the customer):
Credit risk is the risk to the lender that the customer will not repay the credit. (Lender-focused test)
Affordability is about how difficult it may be for the customer to repay. (Borrower-focused test)
In short, the FCA are proposing the following changes to CONC:
CONC 5.2 and 5.3 and CONC 6.2: Combined in a new CONC 5.2A, covering both the initial assessment by lenders and post-contractual credit increases (5.2A.4R)
CONC 5.2.1R: Minor changes to scope of creditworthiness rules (5.2A.2R); clarifying that creditworthiness comprises credit risk and affordability (5.2A.9R); elaborating on the meaning of affordability (5.2A.10R)
CONC 5.2.2R: Single test of creditworthiness (5.2A.4R) applying to all relevant agreements with some limited exceptions (5.2A.2R)
CONC 5.2.2R, 5.2.3G and 5.2.4G: Clarifying the meaning of proportionality and the factors to be taken into account by firms when deciding on the extent and scope of an assessment and the types and sources of information to use or verify (5.2A.19R to 5.2A.23G)
CONC 5.2.5R and 5.2.6G: Clarifying the obligation to assess potential impacts on a guarantor (5.2A.31R and 5.2A.32G)
CONC 5.3.1G: Clarifying the meaning of affordability (5.2A.10R) and the role of income and expenditure information (5.2A.13R to 5.2A.18G); clarifying that income for these purposes must be the customer’s own (5.2A.14R); elaborating on the assumptions to be used for open-end agreements and running-account credit (5.2A.24R to 5.2A.28G)
CONC 5.3.2R and 5.3.3G: Elaboration of requirements relating to firms’ policies and procedures for creditworthiness assessments (5.2A.33R and 5.2A.34G); clarifying expectations in relation to verification of information (5.2A.21 and 22G)
CONC 5.3.4R: Pawnbroking carve-out becomes an exception where certain conditions apply (5.2A.2R)
CONC 5.5: Moved to new CONC 5.5A covering assessments by P2P platforms (to parallel requirements on lenders); expanded to include post-contract credit increases under P2P agreements (5.5A.5R)
SM&CR
As of 2018 the relevant section of The Bank of England and Financial Services Act 2016 will be fully implemented by the FCA. This essentially means the Senior Managers and Certification Regime will apply to all firms regulated by the FCA, including consumer credit firms.
The Senior Managers and Certification Regime is essentially made up of three aspects, each covering different groups of people. The Senior Managers Regime covers board members and other senior managers requiring regulatory approval. This is the closest to the current approved persons regime as we know it.
Firms must, therefore, establish which senior managers the regime applies to. As mentioned, we don’t know how this will look for consumer credit firms until the FCA release the results of their recent consultation, but for the current regime the FCA have created a number of “significant management functions” (SMF), with any person undertaking these roles needing to be approved. The main SMFs which would apply are Compliance, Head of Internal Audit, Chief Finance, Chief Risk, Director and Executive Director.
These senior managers have new responsibilities, including a legal responsibility to take reasonable steps to prevent breaches from occurring in their area of responsibility. Upon certification senior managers become personally responsible for compliance in their area, and firms must provide a statement of responsibilities for each senior manager upon application. This statement must be continually kept up to date and re-sent to the FCA whenever a change in a senior manager’s responsibilities occurs within the firm. The firm must also provide the FCA with a “responsibilities map” outlining managers’ and departmental responsibilities; again, this must be kept up to date. In fact, you are required to give one of your senior managers the responsibility to keep these documents up to date, and this should be included within the document!
The Certification Regime covers any ‘Significant Influencer Functions’ as well as any other staff judged to be able to cause ‘significant harm’ to the firm or its customers. It asks firms to identify staff who may cause “significant harm” to customers and certify them as fit and proper at induction and at least annually thereafter. Together with the senior managers there are requirements around gaining references and criminal record checks.
The Conduct Rules apply to senior managers and certified staff. They apply two tiers of rules, a summary of which is in the image below:
Preparations should be well underway to ascertain who is captured and how your firm will be set up to comply.
GDPR
The big change of 2018 is the new General Data Protection Regulation, which replaces the Data Protection Act 1998. It is a root and branch change of the current data protection legislation, meaning it is impossible to cover all of the requirements in this article. However, we’ll give it a go!
The first thing to note is that the 8 principles are now replaced by 6 principles and 8 rights. The 6 principles are actually not significantly different from the current data protection principles, so the changes to concentrate on are the 8 rights that data subjects now have.
They include the right to be informed, meaning that we have to provide data subjects with a fair processing notice at the point we obtain their data or at the point we first contact the data subject. This has very specific content requirements, including informing the customer where their data was obtained from, in some circumstances who you may send the data to, their right to complain to the ICO, which of the eight rights apply and how to initiate these rights. If you need to have a data protection officer, their details must be included within the notice as well.
Data subjects also have the right to access, similar to today’s right under section 40, but now we are unable to charge for subject access requests and must respond within thirty days. Subjects, in certain circumstances, get the right to be forgotten, right to object, right to restrict, right to rectification, right to portability and rights in relation to automated profiling and decision making.
The above rights do not always apply. Often they do not apply where the data is processed because it is “necessary for the performance of the contract or legal obligation”, so it is a good idea to understand the legal basis upon which you process your data fields. We are helping firms to justify, in their new data protection policies, why the data fields they process are necessary for the performance of the contract or legal obligation – do note the word necessary, as they do not mean “useful”.
For more information on the rights please do not hesitate to Contact Us.
Aside from the rights there are several other key requirements; the first to consider is changes to consent. Where data is processed on the basis of consent you need to have the data subject’s permission in a clear, positive and informed manner. The upshot is that tick boxes must no longer be pre-ticked and the data subject should be able to fully understand what will happen to their data at the point of giving consent. Be aware that some data you process is likely to be processed on the basis of consent: any data held for marketing must be consented to, as must any data in relation to medical information.
There are new rules in GDPR around how you handle relationships with suppliers, so you’ll need to update all of your SLAs to include specific clauses which are now a requirement under GDPR. Equally you need to have processes in place to report breaches “as soon as possible” with the aim of reporting within 72 hours. You are required to report breaches to the ICO and “high risk” breaches to the data subjects themselves.
There are other requirements in relation to DPIAs and privacy by design – you can read more about Privacy by Design on the ICO website.
Throughout the first quarter of 2018 the Article 29 Working Party is working away at providing guidance in a number of areas including DPOs, breach reporting and implementation of the eight rights.