Sizing up the FCA’s Business Plan – Data, Culture, Outsourcing and Innovation

At the end of April 2018, the Financial Conduct Authority (FCA) released its 2018/19 Business Plan. The Business Plan is always the FCA’s Big Indicator of what it intends. But there’s always a risk only the compliance or regulatory affairs function in bigger firms will read it. So, while it may not be a masterclass in compelling writing, we strongly recommend all regulated firms, whatever size, take the time to read it – and reflect and discuss its content to establish a strong grounding in the emerging regulatory landscape. So what caught our eye in this year’s plan?

Culture, culture, culture

Continuing its focus on organisational culture remains the top priority for the FCA in the coming year. The regulator aims to complete plans to widen and deepen the reach of its Senior Manager and Certification Regime(SM&CR), which extends regulatory accountability and responsibility within firms, by completing its plans to extend it to all firms covered by the Financial Services and Markets Act 2000 (FSMA).

The FCA is also preparing to shine a stronger light on firmscultures by consulting on the development of a public register of all SM&CR-approved people. They will also be looking closer at the remuneration arrangements in firms across the economy to find potential or actual harm from the remuneration schemes of firms that are not subject to their Remuneration Codes. This means other and smaller firms need to consider carefully how they are allocating responsibility and determining the criteria for compensation and reward. The FCA has already signalled this on consumer credit. Now this could be coming to a firm like you.

Yet again the FCAs making it clear no firm is too small to have comply with its regulations. And, as we have said on many occasions, the FCA is interested in firms complying both with the spirit andthe letter of their regulations. So, all firms should work on the basis that the regulator has a continuing deep and systemic interest in both how they operate and why; it isnt enough to cite compliance with the specifics of the regulations; increasingly the regulator is keen to understand howthe regulations are encoded in your firms DNA, the ways you work and the outcomes you are looking to deliver. Wise smaller firms will be contemplating how they develop their policies proportionately in the light of such a declaration of intent from the FCA.

Data, data, data

We also see data management as a key focus in the coming year. Data should be front of mind for all regulated financial services firms currently with the imminent enforcement of the General Data Protection Regime (GDPR)at the end of the month. It bears repeating that the 25th May deadline marks the startof the regime and a continued requirement for all companies to solicit, manage, store and delete personal data more rigorously and carefully. In addition to this change, two other areas will receive increased regulatory focus in the coming year: big data and cyber-security.

Big data

The FCAs focus on data comes from a simple underlying fact: as with many other parts of our economy, financial services firms increasingly aredata companiesand many of the newer, tech driven firms feel more data and tech than FS-focused. Personal data is at the heart of the development, delivery and marketing of new financial products and services, be they variations of traditional high street products or innovative new tech-based app services.

While the regulator clearly supports these developments, it is alive to the potential risks data, big and small, brings in terms of the speed, quality and access of new financial products and services and the potential for product failures and access inequalities. To address these concerns, in the coming year the FCA plans to work with firms through its Innovate programme and by extending its regulatory sandbox to better understand the possibilities and potential economic challenges big data approach generates nationally and internationally.

Big data also features in another FCA priority around the treatment of existing customers. Focusing on the retail general insurance market, where it has been looking at the types of systems and data firms use to decide the final consumer pricing, the regulator plans to assess whether it needs to act to ensure future insurance pricing practices support a customer-centric approach in this market.


As we have commentedelsewhere, the increasing incidence of hacks and data breaches has thrown an unflattering spotlight on businesses’ cyber-security arrangements for storing and protecting our data – and challenged the trust essential for the effective working of economies. No hack or breach is too small not to matter, if there are fundamental personal, professional and financial consequences to customers.

Cyber-security is front of mind for the FCA as it will focus on cyber-security arrangements in both high andlow impact firms. High impact firms can expect a substantive review of their cyber-security arrangements and processes. Remember “high impact” is not determined by firm size (i.e. large firm equals high impact) but the type and amount of data you hold, use and share. Small firms using large quantities of personal data, particularly sensitive data, should consider the ramifications of this position carefully.

Lower impact firms can expect a regulatory interest via a thematic review into the harms the FCA has identified for these companies. Pleasingly, the regulator is also planning to provide support and guidance to these firms through additional information on how to improve their resilience. However, remember, there’s no such thing as a free lunch so firms should expect an increase in the FCA’s expectations of lower impact firms regarding the rigour of their data management.

It’s worth pointing out that cyber-security is also at the heart of another FCA 2018/19 priority around management of wholesale financial markets, as cyber-attacks are increasing in this marketplace, eroding their integrity and performance.

Outsourcing – out of sight and mind…?

To become operational quickly, increase agility and reduce overheads, many new firms are outsourcing customer-facing and support functions to third party suppliers. However these firms are also working on the assumption their third party suppliers are compliant and manage client’s risks as if they were there own.  As some firms are finding in the GDPR preparations, such assumptions may not bear out in reality.

The increasing use of outsourcing arrangements is drawing FCA attention and over the coming year, they will be looking to conduct thematic reviews on outsourced services and core infrastructure provision to increase its understanding of both across different sectors. They will also focus on how firms use third parties, their concentration in the market and the potential harm that results.

To the future and (possibly) beyond!

Many firms we work with are exploring the possibilities of new technologies to develop new markets, for innovative and compelling new financial products and services. This is an exciting frontier; at times, seemingly unfettered by specific regulation. The acceleration in technologies and development is posing new challenges for the FCA as it tries to balance healthy economic development and mitigate potential risks. So, in the coming year they will continue their work analysing regulation through a range of new technologies including: advanced Natural Language Processing (NLP) technologies and semantic language models, automated evaluation and detection of misleading advertising, and reviewing firms’ use of data, including machine-learning analysis of big data pools, algo-trading and wider artificial intelligence.

Again, firms may have the opportunity to shape FCA thinking but need to be thinking themselves about how the landscape could be affected by the FCA’s understanding and views on these fast-emerging areas. This is always a two-way street.

If the issues raised in the FCA’s Business Plan have raised questions for you, please contact usto discuss how you can prepare, respond, and thrive in the changing regulatory landscape.

May 2018