Prudential regulation

Application of the SMCR to firms in the temporary permissions regime

On 7 January, the PRA published a note clarifying the PRA’s and FCA’s proposals for the application of the Senior Managers and Certification Regime (SMCR) to firms in the temporary permissions regime (TPR). The note includes a set of Frequently Asked Questions (FAQs) on how the two sets of proposals would apply to dual-regulated EEA firms currently operating in the UK via an establishment passport through a branch (‘EEA branches’).

Currently the SMCR is applied as follows:
  • EEA branches - SMCR applied solely by the FCA for SMF17 (MLRO) and SMF21 (EEA branch senior manager function).
  • Third-country branches - SMCR applied by both the PRA & FCA.

The PRA proposes to apply its SMCR requirements for third-country branches to EEA branches that enter into the TPR. Therefore, all firms in the TPR will be required to have at least one individual who will be treated as if (s)he was approved to perform the Head of Overseas Branch function (SMF19), which is mandatory for all third-country branches, while the firm is in the TPR (known as a ‘deemed TPR approval’).

In addition, where the PRA Rulebook requires third-country branches to have other SMFs (e.g. Chief Risk (SMF4) or Chief Operations (SMF24) functions) and an EEA branch currently has individuals performing these roles, they will require a deemed TPR approval. In order to obtain deemed TPR approval for individuals who will be performing PRA SMFs while their firms are in the TPR, firms will be able to submit, for all relevant individuals, either:
  • a Part 4A application accompanied by full SMF application(s) before the UK’s exit date (Route 1); or
  • a streamlined ‘TPR SMF application’ (to be published shortly) within 12 weeks of entering into the TPR (Route 2).

Regulatory transactions: changes to notification and application forms - PS2/19

On 17 January, the PRA published a Policy Statement (PS2/19) setting out the final rules and forms to Consultation Paper (CP) 21/18 ‘Regulatory transactions: Changes to notification and application forms’. The PRA received no responses to the CP and therefore the proposed rule changes came into force on 19 January 2019.

The PS is relevant to all PRA-authorised firms as well as firms that have a qualifying holding, or that intend to acquire a qualifying holding in a PRA-authorised firm.

Could a cyber attack cause a systemic impact in the financial sector?

On 21 December, the Bank of England published its Quarterly Bulletin, including an article on whether a cyber attack could cause a systemic impact in the financial sector. The article also evaluates the link between systemic and cyber risk within the financial sector, and examines the common feature of the existing definitions of systemic risk to test how applicable it is to cyber risk. The article concludes:
  • There is not a uniform view of the link between cyber risk and systemic risk: some assume a direct link whereas others query the connection.
  • Beyond nation states, the vast majority of independent cyber attackers are currently unlikely to have the capability to systemically impact the financial sector.
  • The financial sector has a large number of environmental features which are conducive to a systemic cyber compromise.
  • There are no current examples of systemic cyber risk crystallising and impacting the real economy but this does not prove an absence of risk.
  • There is a credible case to link cyber risk to systemic risk in the financial sector.
Its recommendations for future consideration include:
  • Further development of the intelligence-led approach to cyber security.
  • Policy responses that seek to cut through sectoral, geographical and public/private boundaries.
  • Organisations should accept that compromises are likely to happen and therefore prioritise response and recovery activities.
  • Undertake further studies to better understand the relationship between data integrity and authenticity, trust in financial services and the potential for real-economy impact via a cyber attack.
  • A specific focus on risks associated with third-party dependencies.