A Crash Course on UK Financial Regulatory Authorities: FSMA, FCA, PRA, FPC and more

Technology and digital services have played a growing role in traditional segments of the industry. With increased processing of online payments, more organisations are subject to regulation, and the explosion of mobile banking has changed rules across the board. 

Companies are obligated to offer their services and products in a safe and secure environment while adhering to the best business practices. It’s critical to understand the rules, regulations and regulators in order to stay up to date. In this post, we’ll help you understand these regulators, their roles, and how to engage and stay compliant with the organisations.

The FSA, FSMA and the other FSA

Before we jump in, we should clear up an acronym confusion about historic agencies. The current regulatory system is built upon standards codified in 2000 by the FSMA (Financial Services and Markets Act 2000) — although this act has now been superseded by newer legislation. 

A notable outcome of the FSMA was the creation of the Financial Services Authority (FSA), a body that was responsible for regulating the UK’s financial services industry up until 2013. It was the passage of the Financial Services Act 2012 (also known as the FSA) that paved the way for the replacement of the FSA (Financial Service Authority) with the three organisations we will discuss here — the FCA, PRA and FPC. This is important to keep in mind if looking at older documents. 

With that out of the way, let’s get started. 

1. Financial Conduct Authority (FCA)

The FCA is responsible for regulating the financial services industry in the UK. It has three key roles, including:

• Protecting consumers in the market
• Enhancing market integrity
• Promoting fair competition

The FCA has powers to enforce its mandate, including making rules, executing them, and investigating cases. It also has the power to raise fees for its services. This is necessary because the body doesn’t receive the government’s funding.

The FCA regulates over 59,000 financial services and markets in the UK to provide a fair market for businesses, individuals, and the economy as a whole. The U.K.’s Treasury and Parliament are responsible for controlling the FCA.

Engaging with the FCA

Before setting up a business in the UK, all financial services must be authorised and registered by the FCA. The process takes about 6 to 12 months, and you must pay a fee. Firms must meet the body’s regulatory standards to be approved.

Once your business is in operation, every activity is subject to the FCA’s scrutiny. Your firm must be:

• Responsive to all FCA requests
• Timely in regulatory reporting
• Prompt in responding to supervisory notifications
• Available to engage with publications and provide information

The FCA pays supervisory visits to firms, and you should always be ready for them. There are three types of visits:

• Virtual visit: This is usually a 2-hour conference call, and you will be given a 6-week notice before the call.
• Surgery: Your firm will be invited to FCA’s offices or another suitable venue for a meeting on different topics.
• Actual visit: The FCA team can also visit your firm, and this can be announced or unannounced.

You must always be prepared for these visits. For example, all your documents must be in order, including having all requested documents for the meeting. You should also have a risk management strategy to reduce the impact of such visits.

Meeting the FCA rules

A big part of the FCA’s mission is to prevent money laundering. It’s important to report such cases quickly to the FCA. All firms must adhere to AML compliance regulations, including appointing reporting officers and performing risk assessments.

Firms must treat their customers fairly and avoid engagements or activities that might stifle competition. In regards to cyber security, the FCA expects all firms to protect the sensitive information they hold. In case of any incident, firms should reach out to the FCA through their appointed supervisors or directly.

2. Prudential Regulation Authority (PRA)

The Bank of England controls the PRA, which is responsible for regulating banks, credit unions, building societies, insurers, and major investment firms. The body also works closely with the FCA to create a conducive regulatory environment for businesses within the UK.

The main objects of the PRA include:

• Promoting safety and ensuring the soundness of the firms it regulates.
• Ensuring the correct level of protection for policyholders — this mostly applies to insurers.

The PRA supervises overs 1,500 firms according to their needs and their impact on the UK’s economy. This supervision is essential to protect the UK’s economy should such companies fail.

Understand the PRA rulebook

The PRA rulebook provides rules for different parties. The rules are separated into:

• Banking and investment rules. These rules are for CRR and non-CRR firms.
• Insurance rules. These are rules for Solvency II and non-Solvency firms.
• Other rules. This category covers rules for non-authorised persons.

These rules and regulations set policies and standards that firms must meet to stay compliant. Insurance firms must provide adequate protection to policyholders, while financial firms must always strive to be safe and sound. Generally, firms must continually meet the Threshold Conditions while limiting risks. Bear in mind that firms authorised by the PRA are also subject to the FCA regulations.

On matters of cyber security, PRA-regulated firms are expected to report incidents to the body. The authority encourages insurers to assess and monitor their systems, including conducting testing procedures. All dual-regulated firms are supposed to contact the PRA when reporting incidents.

3. Financial Policy Committee (FPC)

The Bank of England also controls the FPC, which is responsible for identifying, monitoring, and removing risks within the UK financial system. It also has a secondary objective of supporting the economic policy of the government.

The body has the power to implement new guidelines and regulations to meet its mandate. For instance, the committee can introduce new standards for people seeking to qualify for mortgages. Also, it can limit the percentage of mortgages that lenders can grant to borrowers with very low down payments.

The FPC also works with the PRA every year to design and conduct stress tests for banks in the UK. These tests are designed to evaluate the viability of major banks in the event of an economic scenario that dips their profits. Banks that perform poorly are usually required to increase their funding to mitigate losses.

The FPC and cyber risks

Cybercrime is an increasing risk. Back in 2017, cyber threats may have cost up to $600 billion globally — a number that rose to $1 trillion in 2019. Attacks have only increased with the shift towards remote working in 2020.

Suggested reading: If you want to learn more about changes to cyber security best practices, check out our blog — Four Cyber Security Trends to Watch in 2021.

Regardless of the type of cybercrime, all threats affect the public confidence and trust in the financial system, which the FPC is mandated to protect.

The FPC encourages firms to use the CBEST penetration testing framework and develop cyber resilience action plans for the management of cyber threats. It offers several recommendations for firms to build operational resilience:

• Firms must carry out regular testing to assess the efficacy of their systems.
• Companies must have clear arrangements for responding to incidents.
• Financial services should map out their operations and services for effective security planning.

Keep in mind that the FPC is responsible for the entire UK financial system. It has powers to direct financial regulators to take action on specific policies. It also has the authority to make recommendations to any firm to manage risks, which might pose a threat to financial stability.

Final thoughts

Navigating the complex regulatory architecture of the UK financial sector requires a comprehensive understanding of the rules. Financial firms and institutions are expected to adopt measures that ensure operational resilience while protecting their customers and leveraging fair business practices.

The evolving nature of financial services has compelled firms to invest heavily in technology to simplify their operations and bring services and products closer to customers. This has exposed them to more risks and also increased their regulatory obligations. Failing to manage such risks and to adhere to set rules can result in hefty fines from the FCA, PRA, or the FPC.

At Six Degrees, we understand that this can be a challenge. Through our consulting and compliance services, we aim to help financial services make actionable cyber security decisions to ensure operational resilience while staying compliant. We help you understand the rules laid down by regulatory agencies in regards to security. If you want help better understanding any of these requirements, or improving your compliance planning, get in touch — we’d be happy to help. 

Suggested reading: If you want advice on how to best discuss cyber security best practices within your organisation, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.