The Financial Services and Markets Act 2000 (FSMA)
FSMA is the primary UK statute governing the financial services sector in the UK, defining the role and purpose of the regulatory authorities. FSMA has subsequently been significantly amended following the financial crisis of 2008–09 to introduce changes (such as the UK Senior Managers Regime and bank ring-fencing requirements) to enhance the resilience of the UK financial services sector. FSMA is also undergoing significant amendments following the UK’s exit from the EU (Brexit) (please see ‘EU Directives and Regulations’ below).
FSMA makes it a criminal offence to undertake regulated activities by way of business – or (in broad terms) to promote financial services or products – in the UK unless duly authorised or exempt. The list of regulated activities that a bank may undertake is set out in the FSMA (Regulated Activities) Order 2001. Exclusions exist, which (in broad terms and subject to conditions) permit wholesale activities to be undertaken in the UK by foreign banks without obtaining authorisation.
Separate UK legislation governs the provision of payment services (the Payment Services Regulations 2017) and the issuance of electronic money (the Electronic Money Regulations 2011).
EU Directives and Regulations
A significant proportion of UK banking regulation is derived from EU directives and regulations, reflecting the UK’s historic position as a member of the European Union until January 2020.
The UK left the EU on 31 January 2020, and the post-Brexit implementation period ended on 31 December 2020 (IP Completion Date – IPCD). Prior to the IPCD, FSMA and the secondary legislation and regulators’ rulebooks made under it implemented a number of European law directives into UK law. The other key source of UK legal requirements for UK banks was European regulations that were directly applicable, including:
Post-IPCD, EU law ceased to apply in the UK: the EU regulations referred to above and other EU-derived legislation were incorporated into UK law as they applied on the IPCD and amended to render them fit for purpose in their new context under the EU Withdrawal Act 2018. This is colloquially referred to as “onshoring”.
The UK government passed legislation in 2023 (the Financial Services and Markets Act 2023 (FSMA 2023)) to repeal and replace retained EU-derived regulation and legislation, as part of a wider programme of reforms known as the Edinburgh Reforms. One goal of the Edinburgh Reforms is to return to the historic approach, or the so-called comprehensive FSMA model of regulation, under which the UK Parliament and HM Treasury have responsibility for the overall objectives and scope of financial services regulation in the UK, and the regulators have the primary responsibility for drafting the rules that deliver those outcomes. A key part of this process was the enactment of FSMA 2023, which empowers the repeal of retained EU-derived regulation and legislation and, where necessary, its replacement by domestic law and regulation over a multi-year implementation period.
Regulators
The UK operates a “twin peaks” system of financial regulators, with two principal regulators that each have their own rulebook: the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). In addition, the Bank of England (BoE) acts as the resolution authority, and has the primary regulatory responsibility for dealing with failed banks.
The PRA is the prudential regulator for banks, and the FCA regulates banks’ conduct. The PRA has a statutory objective to promote the safety and soundness of the institutions it regulates, with a view to ensuring the stability of the UK financial system. The FCA’s strategic objective is to ensure that the UK’s financial markets function well. The FCA is responsible for regulating a wide variety of regulated firms and activities, including investment services, payment services, retail lending and insurance distribution.
The BoE also operates a Financial Policy Committee, which is the UK’s macroprudential regulator responsible for the regulation of the broader UK financial system from a macroeconomic perspective. The Financial Policy Committee has power to make recommendations to the FCA and PRA in certain cases.
Regulated Activities
Section 19 of FSMA prohibits persons from carrying on regulated activities by way of business in the UK, unless duly authorised or exempt.
Regulated activities include deposit-taking. This is triggered if money received by way of deposit is lent to others, or if the conducting of any other activity of the person accepting the deposit is financed out of the capital of, or interest on, money received by way of deposit.
Lending is generally not regulated in the UK, with the exception of various activities relating to home finance and consumer credit activity. A number of activities relating to securities, derivatives and fund units are also regulated, including dealing, advising, portfolio management and custody, as is insurance distribution.
The UK operates a universal banking regime, meaning that (with limited exceptions for ring-fenced banks) banks can obtain authorisation to conduct any financial services except for writing insurance and the management of funds (each of which is reserved to specific classes of regulated entity). A firm authorised for deposit-taking is also permitted to provide payment services and issue e-money.
EU Providers
Pre-IPCD, EU providers benefited from so-called “passporting” rights under various EU directives, enabling them to provide services or establish branches in the UK. Post-IPCD, passporting rights ceased to apply and EU firms now require a UK licence in order to continue undertaking regulated business in the UK, or they will need to operate outside the territorial scope of the UK regulatory regime.
Application Process
A bank looking to establish itself in the UK must obtain authorisation by applying for a so-called Part 4A Permission under FSMA, which will permit it to take deposits and conduct any other regulated activities within the Permission. The application is made to the PRA and FCA (the PRA acts as lead regulator), and requires the submission of extensive and detailed information about the institution, including the completion of a permissions table that sets out in detail the permissions applied for (per type of activity and client type). It is advisable for the applicant to liaise with the PRA in the pre-application phase.
In addition to the application forms, an applicant firm must also provide the following:
The application will be reviewed by, and subject to the approval of, both the PRA and the FCA.
In reviewing an application for authorisation, the FCA and the PRA will assess the applicant against the threshold conditions for authorisation, which include the following requirements:
The PRA and FCA must make a decision on the suitability of the applicant within a six-month period beginning on the date on which they receive a complete application form. The regulators also have the power to request further information, which resets the start of the six-month period, meaning that the licensing period, in practice, can extend to up to a year.
The application fee is non-refundable regardless of the outcome; if successful, the bank must then pay an annual fee to either the FCA or the PRA, the cost of which varies based on what type of bank the applicant is looking to set up and the revenue the bank generates. Retail consumer banks also need to pay fees levied by the Financial Ombudsman Service (FOS) and the Financial Services Compensation Scheme (FSCS). Licences granted to banking institutions are theoretically indefinite, albeit with the caveat that the PRA has the power to suspend the licence at any point, and to impose fines if the bank fails to comply with the regulatory framework.
Under Section 178 of FSMA, any person intending to acquire or increase their level of control of a UK-headquartered bank must provide written notice of such to the PRA (no requirement applies to foreign banks with a UK branch). Prior to the acquisition taking place, the PRA requires a 60-working-day window to elapse, or approval to be given before the 60 working days is up, before the transaction can be completed. In this context, the meaning of “control” is defined as shareholding and/or voting rights.
This requirement is triggered by the acquisition of a holding that equates to 10% or more of the total shareholding or voting rights in a UK-authorised person, or a parent of that authorised person, or a share or voting power that would enable the exercise of significant influence over the authorised person. A person’s “control” includes indirectly held voting power and is aggregated with the control of another with whom they are acting in concert.
An increase in control is deemed to have occurred whenever the percentage shareholding or voting rights crosses the 20%, 30% or 50% threshold, or if the authorised person becomes a subsidiary as a result of the acquisition. Likewise, a reduction in shareholding or voting rights at those same thresholds triggers a reporting requirement to provide the PRA with written notice. Failure to comply with either of these obligations is a criminal offence.
In assessing an application, the PRA will consider a number of factors, including:
There are no restrictions on the foreign ownership of banks in the UK, subject to applicable financial sanction requirements at a UK, EU or United Nations level.
The Companies Act 2006 provides the general basis for the general duties of directors of UK companies. Regulated firms are subject to additional requirements, reflecting the need for high-quality governance in the banking sector.
PRA Fundamental Rules and FCA Principles
These establish high-level standards with which banks must comply, designed to protect the interests of customers and the wider economy as a whole. In particular, the PRA Fundamental Rules include requirements that a firm must have effective risk strategies and risk management systems (Fundamental Rule 5), and that a firm must organise and control its affairs responsibly and effectively (Fundamental Rule 6).
PRA Rulebook
These high-level requirements are supplemented by the General Organisational Requirements part of the PRA Rulebook, which implements a number of more detailed organisational requirements under the European regulatory framework set out in the revised Capital Requirements Directive (CRD IV) and the recast Markets in Financial Instruments Directive (MiFID II), each as onshored in the UK. These include requirements for:
The FCA and PRA rules are also supplemented by the UK onshored version of EU Delegated Regulation 2017/565 as regards organisational requirements and operating conditions for investment firms, which imposes more detailed requirements around the compliance, risk and internal audit functions, outsourcing and the management of conflicts of interest.
Senior management and personnel are required to be not only sufficiently experienced in their field, but also of sufficiently good repute, in order to ensure the prudent and sound management of the bank. The bank must ensure that it has two employees who qualify as such, and that at least two of these individuals are independent in their formulation of ideas and the bank’s policies.
Diversity must also be taken into account when selecting management members. Regulators must be notified of the composition of the management team, and changes made to it. Management must have adequate access to information about the bank’s operations, and the effectiveness of the bank’s operations must be monitored and periodically assessed, with steps taken to remediate problems.
The UK framework includes added requirements for significant firms, such as obligations to have a separate chair and CEO, and to have separate board risk, nomination and remuneration committees.
Further requirements apply to UK banks that are UK listed or subject to the UK ring-fencing rules under the UK Corporate Governance Code’s principles of good governance, as overseen and maintained by the Financial Reporting Council.
Senior Managers and Certification Regime (SMCR)
This regime was implemented in March 2016 in the wake of the financial crisis, as a response to a perceived lack of personal accountability among individuals working in the financial sector. The SMCR aims to encourage responsibility among employees at all levels, and to improve conduct and encourage clear demarcation of responsibility. It is broken up into three separate regimes.
Senior Managers Regime (SMR)
This focuses on individuals performing defined senior management functions (including executives, the chief risk officer, the head of the finance function, the heads of key business areas and the head of compliance). They must obtain approval from the regulator to perform senior management functions at their firm, regardless of whether they are physically based in the UK or overseas. Firms must assess whether senior managers are fit and proper to perform their roles both at the outset (including by taking references) and thereafter.
Senior managers are also subject to the “duty of responsibility”, which requires them to take reasonable steps to prevent breaches of regulatory requirements in their area(s) of responsibility from occurring or continuing. Each regulator sets out a list of prescribed responsibilities that must be allocated among the senior managers, with the intent that senior managers are accountable to the regulators for those responsibilities. UK banks are also required to maintain a management responsibility map describing the firm’s management and governance arrangements, including reporting lines and the responsibilities of senior staff.
Certification Regime
This focuses on individuals who are deemed by the regulator to pose a threat to the firm or its customers, by the nature of their role (certified persons). Examples of roles that are denoted as such include individuals who give investment advice or bear responsibility for benchmarks. Certified persons are not “pre-approved” by the regulator, but instead their employers must seek certification that they are fit and proper both at the start of their employment (including by taking references) and annually on a rolling basis.
Conduct Rules
High-level expectations of all staff involved in the running of the bank are set by the Conduct Rules, which apply to senior managers, certified persons and almost all other employees of the firm, with the exception of those who perform ancillary functions.
UK remuneration requirements have been set in accordance with the EU provisions set out under CRD IV and V, subject to limited additional restrictions implemented following the financial crisis of 2008. The requirements are set out in the Remuneration Codes of the PRA and FCA, and apply differently depending on the nature of the firm and its activities. UK banks are subject to both the PRA and FCA Remuneration Codes.
Remuneration Codes
Groups in the UK must apply the Remuneration Codes to all their regulated and unregulated entities, regardless of their geographic location. Subsidiaries of UK banks in third countries must also apply the Remuneration Codes to all subgroup entities, including those based outside the UK. The Remuneration Codes also apply to UK branches of third-country firms.
Code Staff
Some requirements of the Remuneration Codes apply universally to all employees, such as those limiting variable pay or termination payments, whereas others only apply to staff classified as “Code staff”. Code staff are employees who are either senior managers or “material risk takers”, individuals engaged in control functions, and any individual whose total remuneration places them in the same remuneration bracket as senior managers. If an individual is classified as Code staff but satisfies the requirements for the “de minimis” concession, certain requirements of the Remuneration Codes can be relaxed. The de minimis concession is satisfied by an individual who has variable remuneration that does not exceed GBP44,000 in a performance year, and where variable pay does not make up more than one-third of the individual’s total annual remuneration.
Principles Applicable to Pay
Under the Remuneration Codes, various principles are applicable to an employee’s pay (“remuneration”, covering all forms of salary and benefit payments, including in-kind benefits). A bank must set an appropriate ratio between fixed and variable pay. At least 50% of variable pay should be in equity, equity-linked or equivalent instruments, and at least 40% of variable pay (or 60% where variable pay is particularly high) must be deferred and vested over a period of four to seven years. Banks are also required to adjust non-vested deferred amounts to reflect performance outcomes.
Limits are also placed on guaranteed bonuses, which should be exceptional and limited to new staff, and on contract termination payments, to ensure these do not reward failure.
Finally, banks must also implement policies and procedures to ensure that Code staff do not engage in personal investment strategies that undermine the principles of the Remuneration Codes, such as insurance or hedging against the risk of performance adjustment.
Proportionality Rule
The requirements in the Remuneration Codes are subject to a proportionality rule, which provides that, when establishing and applying the total remuneration policies for its Code staff, a firm must comply with the requirements in a way and to an extent appropriate to its size and internal organisation, and the nature, scope and complexity of its activities. The expectations of the PRA and FCA regarding firms’ application of the proportionality rule is based on their “relevant total assets”, divided into three levels.
The UK is a member of the Financial Action Task Force (FATF), which is an international, intergovernmental task force (not a formal international body) set up and funded by the G7 and other members to combat money laundering and terrorist financing.
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR)
This is the primary legislation governing AML requirements in the UK, and is supported by extensive non-statutory guidance given by the Joint Money Laundering Steering Group, which sets out what is expected of banks and staff in relation to the prevention of money laundering and terrorist financing. The principal elements of the MLR are requirements to conduct risk assessments associated with money laundering and terrorist financing, and to apply risk-based customer due diligence policies, controls and procedures, calibrated to the type of customer, business relationship, product or transaction, and taking into account situations and products which by their nature can present a higher risk of money laundering or terrorist financing; these specifically include correspondent banking relationships, and business relationships and occasional transactions with politically exposed persons.
The FCA requires firms to give overall responsibility for their AML operations to a director or senior manager, who is responsible for being aware of the money laundering risks and taking steps to effectively mitigate them. A Money Laundering Reporting Officer must also be appointed, as the keystone of the firm’s AML procedures.
In January 2020, the UK government enacted the Money Laundering and Terrorist Financing (Amendment) Regulations 2019, which was the legislative instrument designed to implement the EU’s Fifth Anti-Money Laundering Directive (5MLD). The UK, in fact, has opted to exceed the requirements set out under the EU legislation, as part of its push to maintain its role as a world-leading financial centre.
The updated regulations extended the scope of the persons subject to the MLR, extended the customer due diligence requirements, created bank account portals that can be accessed by financial intelligence units and national regulators, and created a system of registration for crypto-asset businesses. The EU introduced a sixth AML directive ((EU) 2018/1673), which was to be implemented by EU member states by 3 December 2020. The UK chose not to transpose this directive into national law, on the basis that the vast majority of its requirements were already part of existing UK legislation.
In July 2022, the Money Laundering and Terrorist Financing (Amendment) (No 2) Regulation was enacted, with a view to updating and strengthening the existing UK AML legislation. Among other things, the Regulation allows the FCA to object to an acquisition or change in control of crypto-asset firms, and to publish notices relating to such objections; it also allows the FCA and HMRC (the UK’s tax authority) to publish notices of refusals to register applicants for MLR registration.
The FSCS
The FSCS is the UK compensation fund available to customers of a majority of UK financial services firms. Its purpose is to provide a backstop in case of the failure of a regulated financial institution, paying compensation up to certain limits when the institution in question is unable to pay claims against it, or is likely to become unable to do so. It is the UK’s depositor compensation scheme, but also covers other classes of regulated business, including insurance and investment business.
The failure of a bank, the insolvency of an insurer or the provision of negligent advice causing loss to a consumer by a financial adviser are all examples of potential justified causes for making a claim for compensation. The extent to which a claimant will be compensated in the event of a successful claim varies depending on the nature of the claim.
The regulatory rules applicable to the FSCS’s depositor protection arrangements are largely set out in the Depositor Protection module of the PRA Rulebook. This provides that the FSCS must pay compensation in respect of an eligible deposit with a defaulted UK bank or foreign bank with respect to its UK branch deposits. Additionally, the FSCS must pay compensation to FSCS eligible customers of e-money institutions, authorised payment institutions, small payment institutions, and credit unions (in respect of e-money) where a bank holding such firms’ safeguarded funds has failed. For protected deposits, including retail deposit accounts, compensation is capped at GBP85,000, subject to a higher cap of GBP1 million for certain temporary high balances (such as a balance associated with home sales and purchases). Certain classes of depositor are ineligible for compensation, including banks, investment firms, insurance undertakings, financial institutions and certain funds.
To support the need for the FSCS to be able to make rapid payouts in respect of banks in default, the depositor protection rules are supplemented by extensive requirements to ensure that banks can provide the FSCS with the requisite information to make compensation payments. These are centred around the so-called Single Customer View, which is a dataset made available to the FSCS to enable it to identify clients and their claims in order to be able to identify and fund compensation payments.
The FSCS primarily operates under Part 15 of FSMA, which sets out the governance of the scheme, as well as the capacity of the FCA and PRA to make rules in relation to the FSCS. The scheme is officially managed by Financial Services Compensation Scheme Ltd, operating as a guarantee-limited company.
The scheme is principally funded via fees and levies charged to participating firms. These costs include the management expenses levy (broken up into yearly base cost running fees, and specific costs for particular funding classes) and the compensation costs levy, which is primarily a result of the costs incurred by the FSCS in paying out compensation.
Firms participating in the scheme are typically allocated into one or more funding classes, determined on the basis of the regulated activities they perform. The amount each firm is obliged to pay is based on which of these funding classes they have been placed in, up to a maximum amount per funding class each year. If a firm were to fail, and there was insufficient funding available from the other institutions in that funding class, the costs would be pooled across all the funding classes through a mechanism known as the FCA retail pool.
Duty of Confidentiality
The UK does not have a specific statutory regime regulating banking secrecy, but instead relies on the common law duty of confidentiality between the customer and bank, born from their contractual relationship. Common law provides that the bank has a duty of confidentiality to the customer, as an implicit term of the contract.
The duty of confidentiality from a bank to its customer broadly covers all information about the customer that is held by the bank. The case of Tournier v National Provincial and Union Bank (1924) established that the duty expressly covers the credit or debit balance of the customer’s account, all transactions made through the account, and the securities given in respect of the account.
This duty of confidentiality also extends beyond the lifetime of the account, continuing to apply after it is no longer active or even after it is closed. It further extends to information that is held by the bank about the customer that is from a source other than the customer’s own account, if the acquisition of this information was an indirect result of the customer holding that account.
Exceptions
The bank’s duty to the customer is not absolute; there are a number of exceptions to the duty established in Tournier that allow a bank to divulge information in certain circumstances. Information may be disclosed by the bank if the customer has provided their express or implied consent to the disclosure, if the bank is legally compelled, if there is a public duty, or if the disclosure would protect the bank’s own interests.
If a customer has agreed, however, to express terms in their contractual relationship with the bank to permit disclosure in particular situations, then this agreement would take precedence over Tournier. Regulators also have some additional specific powers in relation to compelling bank disclosure; the FCA has statutory powers to require certain disclosures, as does HMRC in respect of tax. Likewise, if there are reasonable grounds for suspicions of money laundering or terrorist financing, banks may be compelled to co-operate in providing information under AML and CTF legislation.
When the FCA or PRA requires a disclosure to be made by a bank to its investigators as part of an ongoing investigation, it is subject to a statutory obligation of confidentiality with respect to the information, subject to limited “gateways” permitting disclosure in certain circumstances.
Breaches
As the duty of confidentiality is a common law regime, rather than a statutory one, a breach of contract or a breach of common law is the potential result of a bank failing to observe the customer’s rights. The customer may seek an injunction, even pre-emptively, in order to prevent a breach, or to restrain or avoid a repetition of something previously disclosed. The customer may then also seek damages potentially for a breach of contract, presuming that there are express confidentiality provisions, or for a common law breach of the duty of confidentiality.
The Basel Accord
As a member of the G20, the UK has implemented the Basel Accord. The principal legislation implementing the Basel Accord is CRD IV (as implemented in the UK) and the UK CRR, which apply the Basel Accord to all banks. In 2022, the PRA implemented many of the remaining reforms under the Basel III package, including the Net Stable Funding Ratio, which came into force on 1 January 2022. As part of these reforms, the PRA migrated a number of requirements in the CRR into the PRA Handbook. In November 2022, the PRA published a consultation paper on the final Basel III standards (which the PRA refers to as Basel 3.1), which are expected to apply in the UK from 1 July 2025 and focus on credit, market and operational risk. The PRA is expected to issue two near-final policy statements on the Basel 3.1 standards by the end of 2023 and by mid-2024, respectively.
All authorised banks are subject to PRA Fundamental Rule 4, requiring institutions to hold and maintain adequate financial resources. UK banks are additionally subject to detailed risk management, capital and liquidity requirements that do not apply to non-UK banks, with the exception of some risk management requirements, which apply at branch level.
Risk Management
A bank must be able to identify, manage, monitor and report actual or potential risks through adequate risk management policies and procedures and risk assessments. Specific risks that a bank must plan for include credit risk, market risk and liquidity risk, but also less apparent sources of risk such as operational risk, residual risk, group risk and reputational risk.
A bank must establish and maintain an independent risk management function implementing its policies and procedures and reporting to or advising senior personnel accordingly. The risk control arrangements should (where appropriate considering the bank’s size, nature and complexity) include a chief risk officer (CRO) and a board-level risk committee.
Among other things, the CRO should be accountable to the board, be fully independent of business units, have sufficient stature and authority to execute the responsibilities, and have unfettered access to any part of the bank’s business that impacts its risk profile. The CRO is expected to report to the chief executive, chief finance officer or other executive directors.
A risk committee should be headed by a non-executive director and be composed mainly of non-executive directors. The risk committee oversees and challenges the bank’s risk monitoring and management, and advises the board on risk strategy and oversight. A bank’s internal control mechanisms and procedures must permit verification of its compliance with rules adopted under CRD IV and the UK CRR at all times.
Capital Requirements
The UK CRR imposes capital requirements on UK banks in the form of risk-weighted asset and leverage requirements.
Risk-weighted asset capital requirements oblige a bank to maintain regulatory capital ratios by reference to a bank’s “total risk exposure amount”, which weights the accounting value of a bank’s assets and credit exposures according to their potential to suffer loss.
Regulatory capital comprises Tier 1 capital (comprising Common Equity Tier 1 (equity) and Additional Tier 1 (equity-like hybrid capital instruments)) and Tier 2 capital (deeply subordinated debt). Common Equity Tier 1 capital is the highest-quality capital, generally comprising ordinary share capital and reserves. Additional Tier 1 capital is the next level of quality of capital, comprising perpetual subordinated debt instruments or preference shares that must automatically be written down or converted into CET1 if the bank’s CET1 ratio falls below a specified level. In practice, the PRA generally expects that this level is at least 7%. Tier 2 capital is capital that is of an insufficient quality for CET1 or AT1, and comprises subordinated debt or capital instruments with an original maturity of at least five years, meeting specific criteria.
The Pillar 1 minimum capital requirements that currently apply to UK banks under the UK CRR require the following:
These are supplemented by buffer requirements. Pillar 2A captures those risks against which banks must hold capital and that are not eligible under the Pillar 1 regime. This includes the combined buffer, formed of a capital conservation buffer of 2.5% of the total risk exposure amount, a countercyclical buffer (currently set at 2%), a buffer for global and other systemically important institutions, and a systemic risk buffer for banks that are subject to UK ring-fencing requirements. Pillar 2B, or the PRA buffer, takes into account a bank’s ability to withstand severe stress, alongside perceived deficiencies in its risk management and governance framework, as well as any other information deemed relevant by the PRA.
In determining risk-weighted assets, the bank’s assets and liabilities are divided into the trading book and non-trading book. In determining capital requirements in the non-trading book, banks may follow the standardised or (with PRA approval) internal ratings-based approach. Capital requirements in the trading book comprise counterparty credit risk and market risk, position risk, equity risk, commodities risk, foreign exchange risk, and risk associated with options and collective investment schemes. As with the non-trading book, the rules contemplate a variety of methods of calculating risk-weighted asset requirements. The risk-weighted asset requirement also includes a metric for operational risk.
Leverage Ratio
Unlike the risk-weighted assets ratio, the leverage ratio is non-risk sensitive. The leverage ratio requires that a bank’s Tier 1 capital exceeds 3.25% of its total assets and off-balance-sheet exposures. The PRA has also issued firm-specific countercyclical buffer requirements and additional leverage ratio buffer requirements for certain banks.
MREL
The BoE also regulates the minimum requirement for own funds and eligible liabilities (MREL), broadly following the revised EU Directive 2014/59 on bank recovery and resolution (EU BRRD); it has also implemented the Financial Stability Board’s standards on total loss-absorbing capacity (TLAC) through the MREL framework. The BoE has issued a policy statement establishing its approach to MREL. The quantum of the MREL requirement depends on the resolution strategy of any given bank, which in turn depends on its size and the nature of its activities. The largest UK banking groups are expected to issue MREL that broadly equate to either twice their risk-weighted asset or twice their leverage capital requirements, whichever is higher. In December 2021, the BoE published a revised MREL Statement of Policy, which sets out its MREL framework and has applied since 1 January 2022.
Liquidity Requirements
All UK banks are subject to liquidity requirements implementing the Basel III liquidity coverage ratio, which came into force in January 2015. They are designed to ensure that banks hold a buffer of unencumbered, high-quality, liquid assets in order to meet modelled outflows in a 30-day stress test scenario. The presumption in this scenario is that the institution’s management will be able to take suitable actions to correct the course in that period.
High Quality Liquid Assets (HQLA) are cash or assets that can be converted into cash quickly with limited or no loss in value. An asset can be deemed an HQLA for the purposes of the liquidity requirements if it is unencumbered and meets the minimum liquidity criteria, and if the firm is able to demonstrate that it can be quickly converted into cash if required. HQLA are divided into Level 1 and Level 2 assets, based on their likely liquidity. Level 1 assets include only the most liquid – including cash – central bank reserves, and certain securities that have the backing of a sovereign government or a central bank.
There is no limit on the quantity of Level 1 assets a bank can hold, as these are preferable from a regulatory perspective. Level 2 assets include particular government securities, covered bonds, corporate debt securities and residential mortgage-backed securities. A firm must hold no more than 40% of its total liquid asset pool in Level 2 assets. Under the UK CRR, except for periods deemed to be crises, a UK bank must maintain a liquidity buffer equal to at least 100% of its anticipated net liquidity outflows over a 30-calendar-day stress period, where the total net outflows must not exceed the total HQLA pool over the period of the stress testing upon the bank.
The requirements also compel UK banks to regularly report their liquidity data to the PRA, with retail funding reports and systems and control questionnaires being reported quarterly, marketable assets and funding concentration reports being reported monthly, mismatch reports and pricing data being reported weekly, and the underlying liquidity of the bank being reported daily. Liquidity requirements apply on a solo and consolidated basis. The PRA can waive the application of the requirements on a solo basis, but is unlikely to do so other than in relation to subgroups of institutions authorised in the UK. UK banks are, therefore, generally not able to rely on liquidity from non-UK subsidiaries to satisfy UK liquidity requirements.
The UK has implemented the Financial Stability Board Key Attributes of Effective Resolution Regimes. A bank incorporated in the UK may be wound up under the general insolvency law applicable to UK companies, or wound up or resolved under the special resolution regime (SRR) under the Banking Act 2009. The UK regulatory framework also provides for recovery and resolution planning to enhance the resilience and resolvability of UK banks and banking groups: the MREL requirement described in 8.1 Capital, Liquidity and Related Risk Control Requirements also supports resolution by ensuring that firms have sufficient capital or liabilities available for recapitalisation in resolution, where appropriate.
Insolvency
Banks have special protections from insolvency proceedings, with only the BoE, PRA or the Chancellor of the Exchequer being able to apply for the court order required under Section 94 of the Banking Act. The application to the court would be made on the basis that the bank is either unable to pay its debts or is likely to become unable to do so, and that the winding-up of the institution would be just and equitable. In order for the application to be made to the court in the first place, the PRA must be satisfied that the trigger conditions of failure or likely failure have been met, and the BoE must be satisfied that it is not reasonably likely that the situation will be reversed. Separately, the Chancellor of the Exchequer can apply on the grounds that the winding-up of the bank would be in the public interest.
Recovery and Resolution Planning
Consistent with the requirements of the EU BRRD (as implemented in the UK), UK banks are required by the PRA to produce and maintain recovery plans, along with resolution packs, in order to reduce the risk that the failure of a UK bank could threaten the broader market or require government intervention in the form of taxpayer money being used for a bailout.
The PRA and BoE introduced a resolvability assessment framework for major banks in 2019, which supplements the recovery and resolution framework by requiring banks to undertake an assessment of their resolvability, submit it to the PRA and publish a summary of the assessment thereafter. Banks submitted their resolvability disclosures to the PRA by October 2020 and made them public by June 2021. In June 2022, the BoE published the results of the first assessment of resolvability, with the next assessment due to take place in 2024.
Resolution
The SRR gives the UK authorities powers to resolve a failing bank (or banking group company). It consists of five stabilisation options:
It also includes a modified bank insolvency procedure that facilitates the FSCS in providing a prompt payout to depositors or a transfer of their accounts to another institution, and a bank administration procedure, for use where there has been a partial transfer of business from a failing bank.
The SRR tools may only be deployed in the following circumstances:
In exercising the stabilisation powers, the resolution authority (generally the BoE, although temporary public ownership is reserved to HM Treasury) is required to have regard to a number of resolution objectives, including ensuring the continuity of banking services, depositor and client asset protection, financial stability and the need to avoid interfering with property rights.
On entry into resolution, the SRR requires the BoE to write down equity and write down or convert other capital instruments into common equity. The BoE has discretion to select the appropriate resolution tool to apply to resolve the bank. The main resolution tools are:
Nationalisation is also provided for within the SRR framework as a last resort.
The regime carries with it a number of ancillary powers to enable the transfer of property, to stay default and other rights, and to take other action supporting resolution. Because these potentially affect property and other rights, the framework includes a number of safeguards, including a “no creditor worse off” provision designed to ensure that creditors and other stakeholders in the process are no worse off as a result of the resolution than they would have been had the bank been put into liquidation at the point of the resolution.
Insolvency Preference
Consistent with the requirements of the EU BRRD (as implemented in the UK), the UK insolvency framework includes depositor preferences. These prefer covered deposits (deposits protected by the FSCS). Eligible deposits (deposits by persons eligible for FSCS coverage over the FSCS limit) and deposits made by natural persons and micro, small and medium-sized enterprises that would be eligible deposits if they were taken in the UK are subordinate to covered deposits but rank ahead of other senior claims.
The Financial Services and Markets Act 2023
Following a consultation on the optimal structure for UK financial services post-Brexit, FSMA 2023 is intended, over its staggered implementation period, to create the legislative and institutional architecture to support a move away from onshored EU legislation towards the historic approach taken under FSMA, whereby primary responsibility for regulation is delegated to the UK regulatory authorities, subject to the oversight of Parliament.
FSMA 2023 establishes a framework to revoke retained EU law relating to financial services, and will enable HM Treasury and the UK financial services regulators to replace it with legislation and, more commonly, regulatory rule sets designed specifically for the UK, to deliver the comprehensive FSMA model of regulation. Outside the post-Brexit agenda, FSMA 2023 also will make a number of other changes that reflect ongoing international developments (eg, critical outsourcing), and deals with some gaps in the existing UK regulatory framework (eg, around approval of financial promotions).
Depositor Protection
In April 2023, the BoE published a statement setting out areas it has identified as requiring improvement to ensure positive outcomes for depositors whose bank is subject to a bank insolvency procedure. The areas include implementation of electronic transfers of covered balances to depositors following a bank insolvency, improved infrastructure to support the redirection of a depositor’s payments when the depositor moves banks, and ensuring sufficient operational support and capacity at alternative banks for displaced depositors. The BoE has stated it is working with other UK authorities on these areas and updates will be published in due course.
“Strong and Simple” Initiative
The PRA is seeking to mitigate the “complexity problem” that arises when the same prudential requirements are applied to all firms, and aims to achieve this through its “strong and simple” initiative that seeks to simplify the prudential framework for non-systemic domestic banks. The PRA’s consultation on the scope of this simpler regime, and the liquidity and disclosure requirements under it, closed on May 2023, with consultations on other aspects of the regime expected in the first half of 2024.
Remuneration
In February 2023, the PRA consulted on simplifying the remuneration rules that apply to material risk takers at small firms, which were introduced under CRD V. The PRA has proposed that the rules relating to performance adjustment (malus and clawback) as well as buyouts should not apply to smaller firms. A policy statement is expected to be published in early 2024. The PRA has also confirmed it will be removing the cap on variable remuneration from its Remuneration Code, effective from 31 October 2023.
AML and CTF
HM Treasury is consulting on reforms to the AML and CTF supervisory system. This consultation builds on HM Treasury’s 2022 review of the UK’s AML and CTF regulatory regime, which set out alternative models of AML and CTF supervision.
The Economic Crime Levy was introduced by the Finance Act 2022. Entities supervised under the MLR will be required to pay the levy if their UK revenue exceeds GBP10.2 million a year. First payments are expected to be made in the financial year from 1 April 2023 to 31 March 2024.
Diversity and Inclusion
The PRA is consulting on proposed further diversity and inclusion requirements to apply to banks, and in some cases to third-country branches. The proposals include requirements to develop a diversity and inclusion strategy setting out how the bank will meet its objectives and goals, collect, report and disclose data against certain characteristics, and set targets to address under-representation. There is also a proposal to require some UK banks and third-country branches to set targets for under-represented demographic groups in board and senior leadership positions, such as under-represented ethnicities.
Consumer Credit
In December 2022, the UK government consulted on reform to the UK consumer credit regime, which applies to banks and other providers of consumer loans, with a view to its modernisation, restructuring to follow the FSMA model of regulation and alignment with the FCA Consumer Duty regime, which came into force in 2023. The government is undertaking policy development to produce more detailed proposals, with a view to publishing a second stage consultation in 2024.
Supervision of Climate-related Risk
In addition to their international engagement and initiatives, the BoE and the PRA have in recent years started considering climate-related risks and their potential impact on UK financial stability. In particular, the BoE is committed to ensuring that the UK financial system is resilient to the risks from climate change and has made a ten-part pledge to advance the climate agenda across its strategic priorities.
In June 2022, the Basel Committee issued its principles for the effective management and supervision of climate-related financial risks. The PRA has included climate change in its core supervisory approach from 2022 and aims to supervise firms in line with its expectations. In October 2022, the PRA published a “Dear CEO” letter regarding, among other things, a thematic review on the PRA’s supervision of climate-related financial risk. The PRA expects firms to continue improving their compliance and risk frameworks by incorporating climate considerations in their governance and risk management processes.
Furthermore, in October 2021, the BoE published a Climate Change Adaptation Report, which considered climate risks and regulatory capital regimes.
In March 2023, the BoE and PRA published a report which identified a number of gaps in how the existing UK regulatory capital framework deals with climate-related risk. In the report, the BoE confirmed it will be considering whether any changes are required to the macroprudential framework to mitigate climate-related risks.
Climate-related Disclosures
The UK government announced in 2020 that UK financial institutions (including banks) will be required to make mandatory climate-related disclosures compliant with the Task Force on Climate-related Financial Disclosures (TCFD) recommendations by 2025. Some of these disclosure requirements are expected to come into force sooner than that, and firms should be prepared to update their client-facing documentation in line with the new requirements in due course.
In November 2023, the FCA published a Policy Statement outlining the new sustainability disclosure requirements (SDR) and investment label regime. The new SDR requirements aim to protect UK consumers and ensure that trust is not eroded in sustainable investment products as a result of greenwashing. The FCA’s anti-greenwashing rule and guidance will come into force on 31 May 2024, with in-scope firms expected to comply with the naming and marketing rules by 2 December 2024. While many of the proposed SDR requirements are not yet applicable to banks, the general “anti-greenwashing” rule will apply to all UK-regulated entities and “reiterates existing rules to clarify that sustainability-related claims must be fair, clear and not misleading”. The regime is expected to be expanded in the future, and the prudent approach would be for UK banks to monitor developments in this space.
In June 2023, the International Sustainability Standards Board (ISSB) published its first two new standards in IFRS S1: General Requirements for Disclosure of Sustainability-related Financial Information, and IFRS S2 on Climate-related Disclosures. The UK government has since planned to establish a framework to assess the suitability of these standards for application within the UK and aims to make endorsement decisions on the first two standards by July 2024. The FCA has also announced its intention to update its climate-related disclosure rules to reference the ISSB standards.
Smarter Regulatory Framework
On 29 June 2023, the Financial Services and Markets Act 2023 (FSMA 2023) received Royal Assent. FSMA 2023 is the cornerstone in the largest programme of change to UK financial services regulation since the reform package that followed the 2008 global financial crisis.
FSMA 2023 followed a two-year HM Treasury consultation on the future of the UK regulatory framework, with a particular focus on how UK financial services regulation should be structured following the UK’s exit from the European Union (EU) (Brexit). The outcome of this consultation process was the so-called “smarter regulatory framework” (SRF). The SRF is ambitious, and while most attention has been paid to its approach to the repeal and replacement of retained EU legislation (REUL) its ambit extends beyond post-Brexit reform.
Out with the old…
The UK left the EU on 31 January 2020, following the ratification of a withdrawal agreement by both the EU and the UK, which entered into force on 1 February 2020 (the Withdrawal Agreement). Under the terms of the Withdrawal Agreement, EU law continued to apply to and in the UK during an implementation period, which ended on 31 December 2020 at 11pm UK time (the IP Completion Date, or IPCD). Following IPCD, EU law ceased to apply in the UK, and EU regulations and other EU-derived legislation were incorporated into UK law as they applied at IPCD in a process colloquially known as “onshoring.” “Onshoring” of EU regulations and legislation was only ever intended to be a stopgap solution to minimise disruption while the UK established an independent system of regulation reflecting its position outside of the EU.
Over a multi-year implementation period, FSMA 2023 allows for the repeal of REUL, and where necessary, its replacement by “homegrown” law and regulation. The approach to the repeal and replacement of REUL will vary – for example, the European Long Term Investment Fund (ELTIF) regime is to be repealed without replacement in recognition of the fact that no ELTIFs were ever established in the UK. Areas where REUL has materially affected UK financial services regulation will require more careful consultation before repeal and possible replacement.
HM Treasury has identified 43 core areas of REUL in the scope of its initial programme of repeal and replacement, known as the Edinburgh Reforms. HM Treasury will deliver the programme by splitting REUL into “tranches”. As outlined in the HM Treasury policy paper published on 11 July 2023, “Building a Smarter Financial Services Regulatory Framework: Delivery Plan”, the government expects to have made significant progress on the first two tranches by the end of 2023. Key areas of initial focus are the replacement of the prospectus regime for public offers of securities and the securitisation regime. The Financial Services Regulatory Initiatives Forum’s Regulatory Initiatives Grid will be updated to keep stakeholders informed about progress with the programme of repeal and replacement of REUL.
…in with the new
The UK government’s overarching goal with the repeal and replacement of REUL is the return to a so-called “comprehensive FSMA model” of regulation. The original FSMA model of regulation was introduced at the turn of the millennium with the passing of the Financial Services and Markets Act 2000 (FSMA 2000), which overhauled existing financial services regulation in the UK and concentrated policymaking and rule-implementation powers with the UK Parliament, HM Treasury and the then regulator, the Financial Services Authority (FSA). In the two decades between the enactment of FSMA and Brexit, the original FSMA model of regulation was eroded as the EU’s appetite to regulate financial services expanded, most notably in reaction to the global financial crisis. EU-derived legislation and regulation became the driving force in UK financial services regulation.
The return to the comprehensive FSMA model of regulation will re-concentrate power back in the UK and into two layers. In the top layer, the UK Parliament and HM Treasury will have responsibility for overall policy objectives, direction and scope of financial services regulation. In the second layer, the regulators, namely the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) will be responsible for drafting, implementing and enforcing rules that deliver those policy objectives.
One key aspect of FSMA 2023 that marries the dual goals of revocation of REUL and implementation of the comprehensive FSMA model of regulation is the establishment of the new Designated Activities Regime (DAR). The DAR will be used initially to allow for the FCA and HM Treasury to regulate activities which were previously regulated under EU law, and then following Brexit, under REUL, such as short selling and certain derivatives activities. HM Treasury has also indicated that the DAR may also be used more widely in the future and is intended to be a dynamic mechanism which HM Treasury and the regulators can use to manage risks of emerging market activities without bringing those activities squarely into the UK’s regulatory perimeter.
The SRF is not limited to revoking and replacing REUL – its overarching goal is the establishment of an advanced and globally competitive financial services system in the UK. Non-EU derived regulation is also being scrutinised for areas in need of reform. HM Treasury is currently consulting on a package of near-term reforms to the ring-fencing regime, which aim to make the homegrown UK ring-fencing regime nimbler and more adaptable. The proposals are wide-ranging and include amending the core deposits threshold over which a bank would be subject to ring-fencing requirements from GBP25 billion to GBP35 billion, as well as lifting the prohibitions on ring-fenced banks establishing operations outside of the UK and European Economic Area.
Competitiveness and Hyper-regulation – Opposing Trends in UK Financial Services Regulation?
The SRF’s stated goal is to create an agile system of financial services regulation that delivers for industry and consumers alike. What this will mean for firms remains to be seen. How fast, and how far, the UK Parliament, HM Treasury and the regulators will be willing to go will also likely be influenced by the continued emergence of two divergent trends in UK financial services regulation.
Competitiveness through deregulation?
The first trend is a drive towards reducing undue regulatory burdens to allow for a more adaptable and globally competitive financial services sector in the UK. This is supported by FSMA 2023’s introduction of a secondary competitiveness and growth objective for the FCA and PRA. Now, when performing their regulatory and supervisory work, the FCA and PRA should aim to facilitate (subject to their primary objectives) the international competitiveness of the UK economy (particularly the financial services sector) and the growth of the UK economy in the medium to long term.
These secondary competitiveness objectives mark a return to pre-global financial crisis thinking, where the then regulator, the FSA, was required under FSMA 2000 to “have regard” to maintaining the competitive position of the UK. In the wave of post-crisis reforms, the international competitiveness “have regard” requirement was abandoned. When articulating the post-crisis reforms, HM Treasury specifically addressed the competitiveness requirement, noting:
“There is a strong argument that one of the reasons for regulatory failure leading up to the crisis was excessive concern for competitiveness leading to a generalised acceptance of a ‘light-touch’ orthodoxy, and that lack of sufficient consideration or understanding of the impact of complex new financial transactions and products was facilitated by the view that financial innovation should be supported at all costs.” (HM Treasury, “A new approach to financial regulation: judgement, focus and stability”, Cm 7874, July 2010)
While the (re)introduction of the competitiveness and growth objectives is striking, the actual approach the FCA and PRA will take in facilitating international competitiveness remains to be seen.
Although pre-dating the enactment of FSMA 2023 and the adoption of the new secondary objectives, the general trend towards simplifying, where possible and prudent, regulatory burdens can also be seen in the prudential arena. The PRA and FCA have abolished the so-called “bonus cap”, the cap on variable remuneration paid to in-scope staff at banks, building societies and the largest investment firms.
Also notable are the PRA’s proposals for its “Strong and Simple Framework”. The PRA is currently consulting on a raft of measures that aim to solve the “complexity problem” facing smaller banks and building societies in the UK by introducing a simpler prudential regime for in-scope firms. A simpler prudential regime for smaller banks and building societies would be a welcome change. As Sam Woods pointed out in his Mansion House speech of 16 October 2023 (the Mansion House Speech), it is striking that Penrith Building Society (a domestic operation with total assets of GBP130 million) is subject to largely the same prudential requirements as HSBC (which has establishments in 62 countries and total assets of USD3 trillion) – a more flexible regime is necessary.
Hyper-regulation
However, in some areas the UK financial services sector remains closer to being ‘hyper-regulated’. This is particularly apparent in the intensifying focus on consumer protection, and in particular the Consumer Duty. From 31 July 2023, the Consumer Duty applied in the UK to all new and existing products and financial services. The Consumer Duty comprises:
The most striking of these is the requirement that firms ensure that their products provide fair value to retail customers. The FCA has made it clear that it does expect this requirement to have a material effect on the retail banking sector, writing in its Dear CEO letter “Implementing the Consumer Duty in the Retail Banks and Building Societies sector” that “firms should not underestimate the new requirements of the [Consumer] Duty about fair value, the enhanced extent of our interest in this, or the high expectations we now have of the rigorous and balanced analysis with which firms should be able to support their assessments of fair value” (Dear CEO letter, 3 February 2023). Questions around fair value for retail customers are becoming even more acute as the cost-of-living crisis in the UK continues.
The regulatory burden that this places on UK banks and building societies is immense. The scale and scope of these requirements raise difficult questions about how comfortably this sits alongside the goals of the SRF and the regulator’s new secondary competitiveness objectives. To borrow Sam Woods’ example from the Mansion House Speech, while the UK’s existing prudential requirements almost certainly subject Penrith Building Society to undue regulatory burdens, it is likely that among the keener challenges facing Penrith Building Society this year has been implementing the onerous, and sometimes unclear, requirements of the Consumer Duty. Potential moves towards economic regulation are of particular concern.
There are also other signs of a trend towards increased regulation. The FCA and PRA are both currently consulting on how to boost diversity and inclusion in the financial services sector, with proposals including requiring firms to develop strategies on diversity and inclusion for their staff, collect and report data on certain characteristics and set targets to address under-representation. On the prudential side, we expect to see a reappraisal of the supervision of overseas firms following the failures of Credit Suisse and Silicon Valley Bank (SVB). It is notable that Sam Woods’ Mansion House Speech praised the subsidiarisation of SVB’s UK operations. That SVB UK was a subsidiary, and not a branch, was instrumental in limiting the impact of the failure of its US-based parent on the UK subsidiary and allowing for SVB UK to be successfully resolved through a speedy sale to HSBC UK. The Mansion House Speech hinted towards an increased regulatory focus in this area, including the possible reintroduction of capital and liquidity requirements for branches, as well as growing pressure to subsidiarise larger international branches.
Good Fences Make Good Neighbours: EU and UK Market Access and Co-operation Post-Brexit
The precise relationship between the UK and EU financial services sectors remains in flux following Brexit. There are limited signs of détente. On 26 March 2021, technical negotiations on the text of a Memorandum of Understanding (MoU) establishing a framework of regulatory co-operation for financial services between the EU and UK concluded, and while it took over two years for the European Commission to adopt the MoU, on 27 June 2023 the final text of Memorandum of Understanding was signed. The MoU commits the UK and EU to “jointly endeavour to pursue a robust and ambitious bilateral regulatory co-operation in the area of financial services”.
Relations remain strained in other areas. An ongoing bone of contention between the EU and the UK post-Brexit has been equivalence. The EU legislative framework confers preferential treatment on non-EU actors in a number of areas, based on the concept of equivalence. One might have expected that the UK would have benefited from equivalence, starting from the position of an integrated regime for financial services with the EU, as was the case immediately post-IPCD. Such an expectation failed to anticipate the use of equivalence as a political tool to further domestic interests. The UK has generally granted equivalence with respect to EU market participants, whereas the EU has generally not granted equivalence to the UK, with some notable exceptions including the European Commission’s extension of the equivalence decision on UK central counterparties until 30 June 2025. The MoU does encourage “transparency and appropriate dialogue” in the process of adoption of equivalence decisions, but this has yet to translate into any solid commitments from the EU.
A key potential area for development which will also be of note to UK banks that offer cross-border services into the EU is the potential impact of the proposed amendments to the Capital Requirements Directive (CRD VI). CRD VI will require non-EU firms providing core banking services, including lending, into the EU to establish a branch. While CRDVI is not yet finalised, it appears bound to have a major impact on the cross-border provision of banking services from the UK, and elsewhere, to EU clients from 2025.