Three Clear Messages From The FCA To Principal Firms & Regulatory Hosts For 2024
The FCA is watching any company that works within the Appointed Representative (AR) Regime very closely.
Last August, they released new guidance in their Policy Statement PS22/11 outlining that Principals should apply enhanced oversight over their AR network “including ensuring adequacy of systems and controls, sufficiency of resources and monitoring AR growth.”
Now, they’ve released a new publication on their data findings on the AR Regime, with many lessons to be learned. We recommend reading the ‘Improving the Appointed Representatives regime through greater use of data’ publication in full to understand the regulator’s thoughts on the market, and what moves they will be making within this space in 2024.
We also hosted a Deep Dive Into The AR Regime webinar recently with several key industry figures, where we talked about the FCA’s publication and what this means for the Principal Firm market. You can watch that here.
It’s clear that the FCA have a close eye on Principal Firms and Regulatory Hosts. The latest publication mentions that the FCA have set up a dedicated AR department to monitor the 2,900 Principals and 35,000 ARs in the market. They have already sanctioned a number of Regulatory Hosts who have not followed their guidance and do not have the proper systems and controls in place to oversee their ARs. We at Fingerprint believe this is just the beginning…
So, we wanted to give our own thoughts on the publication and our key takeaways on what this means for the Principal Firm market. We also reached out to Shazana B. (Independent Compliance Consultant) and Sarah Jackson, MCSI DipPFS (Senior Manager of Regulatory Consulting at DWF Law) to get their take on the situation.
Scroll down to read what advice Fingerprint, Shazana and Sarah have given around what best operational practice looks like for Principals, and how they can ensure compliance with the FCA’s latest expectations.
Here are three main takeaways from the FCA’s publication:
Key Takeaways:
1. Further Separation of Principal Firms and Regulatory Hosts
The FCA started to separate Principal Firms and Regulatory Hosts in their Policy Statement PS22/11 last year when they began collecting data from Principal Firms:
“We proposed to require principals to notify us of an intention to begin providing regulatory hosting services, and to require all existing principal firms to notify us if they already provide regulatory hosting services. This will ensure that we are aware of all firms that use this business model.”
It’s clear they followed through on this proposal, and in their latest publication, the FCA reveal that they are paying special attention to Regulatory Hosts in the market now:
“A ‘regulatory host’ is a principal firm that typically carries out little or no regulated activity in its own principal capacity. Instead, it oversees the use of its permissions by ARs. There may be additional risks where principal firms operate a regulatory host model. Our new data requirements mean we now know which firms operate this model and we have focused our supervisory attention here, with one regulatory host ceasing business, another agreeing to stop recruiting ARs, and others reviewing and amending their approaches to overseeing their ARs.”
This separation of Principals and Regulatory Hosts is understandable, along with the increased scrutiny on Regulatory Hosts specifically. Most Principal Firms conduct regulated activity themselves, so they already have systems and controls set up within their own firm to manage risk and satisfy regulatory requirements. This means that they likely have a good understanding of what good compliance looks like and how to set up these systems and controls within their AR network to monitor their activity too.
However, Regulatory Hosts typically don’t carry out regulated activity themselves. Instead, their business model relies on effectively selling a regulated status to their ARs. The responsibility is placed on the Regulatory Host (the regulated entity) by the FCA to ensure that their AR network have the proper systems and controls in place to conduct all activity in line with regulations.
We know that there are many Regulatory Hosts who take on this responsibility well. We work with several who ensure that their AR network have stringent compliance policies and procedures in place, and implement regulatory technology to support this, to meet the regulator’s requirements.
But we also know that there are some Regulatory Hosts who have weaker oversight over their ARs. There are some who don’t have a good understanding of their AR network’s compliance procedures and who don’t ensure that appropriate systems and controls are put in place. These firms usually charge a lower fee to their ARs that reflects their level of service.
The FCA acknowledged the harm of the Regulatory Hosting model in Chapter 4 of their Policy Statement PS22/11 last year:
"Some regulatory hosts underinvest in the oversight of their ARs and apply a light-touch approach both to minimise the costs of oversight and to attract ARs;
There are inherent conflicts of interests in this model arising from the fact that the regulatory host is reliant on fees paid by the AR as a main source of income, and that these cannot be effectively mitigated; and
A lack of expertise and knowledge and experience in the relevant markets which hinders the principal's ability to effectively oversee the ARs, particularly where the ARs cover different and varied markets and business models."
Of course, there are benefits to the Regulatory Hosting model too, such as a quicker and more cost-effective route to market for financial firms. But the FCA sends a clear message with this latest publication – Regulatory Hosts, who operate a business model that effectively sells a regulated status to their AR network without the need for their ARs to go through direct regulation, will be under intense scrutiny.
To uphold the integrity of the UK market, the FCA will ensure that Regulatory Hosts have effective oversight over their AR network and implement stringent systems and controls within their ARs to ensure they follow regulatory requirements.
Our opinion? Although no new guidance has been published yet, we wouldn’t be surprised if the FCA releases a different set of requirements for Principals and Regulatory Hosts in the future because of the different nature of their business models. We also wouldn’t be surprised if some Regulatory Hosts start charging higher and more appropriate fees to ensure that they can deliver appropriate oversight across their AR network.
What do Shazana and Sarah say?
Shazana Begum (Independent Compliance Consultant) says:
"The latest FCA publication in September 2023, reiterates the FCA’s initiative on being a data led regulator to spot and stop harm faster. It is also poignantly timed nearly a year after the rules came into effect and serves a reminder for the action required within the rules.
The publication gives the latest figures on ARs and Principals - standing at 35,000 and 2,900 respectively - a marked reduction to the numbers since the HM Treasury Call to Evidence in December 2021, where the numbers stood at 40,000 ARs and 3,600 Principals.
This really shows how the rules have impacted the Principal and AR regime landscape and that it is an FCA priority due to the harms it has created."
Sarah Jackson (Senior Manager of Regulatory Consulting at DWF Law) says:
"DWF still receive enquiries from the industry about how to support new firms looking for a regulatory home – we believe that there is still a place in the industry for the AR model, but with the level of complaints made about or against AR firms, there is potential for the 'regulatory host' model to cease. Principal firms need to understand the business that their ARs are undertaking and must have sufficient resource to monitor their AR populations.
With the industry population of c.2,900 principal firms, and a total of c.35,000 ARs, there needs to be an improvement in oversight and governance controls. The key cause of harm is "poor principal oversight", which may occur as early as the onboarding stage when the principal may not be carrying out sufficient or appropriate due diligence on potential new ARs.”
2. A Clear Benchmark On Acceptable AR Oversight – 1 Full Time Employee Directly Overseeing 5 ARs
In their Policy Statement PS22/11, the FCA outlined that Principals must “apply enhanced oversight of their ARs”. Now, the FCA have given a clear figure as an industry average of what acceptable oversight over an AR network looks like – having 1 full time employee directly overseeing 5 ARs:
“When we review principal firms, we look for reassurances that they oversee their ARs adequately. There have been examples where this is clearly not the case. We have seen principals with no clear process or structured plans for how they oversee their ARs or where monitoring activities are not carried out in sufficient depth, if at all. In these cases, we have required the firms to take a range of actions to address our concerns, for example implementing stronger systems and controls and stopping AR recruitment.
Figure 8 shows over 70% of principals that reported to offer regulatory hosting services have at least one full-time equivalent (FTE) employee performing direct oversight for every 5 ARs in their network. While this is representative of responses we received from regulatory hosts only, it provides an opportunity for all principals to compare themselves against peers. Again, there were some outliers that reported lower levels of principal oversight, and we have challenged these principal firms on whether they can effectively perform their oversight functions with limited resources.
More than 72% of principals have at least 1 FTE performing direct oversight per 5 ARs."
The FCA have also released data on Principal Firm size in the market as measured by the size of their AR network. They revealed that in August 2023, 38 Principals had 100-249 ARs and 27 Principals had over 250 ARs in their network:
So, if you work for one of the Regulatory Hosts or Principal Firms who have a large AR network, do you have a sufficient number of Account Managers to directly oversee your ARs? For Regulatory Hosts with over 250 ARs in your network, do you have at least 50 Account Managers conducting direct AR oversight?
The acceptable industry benchmark has been set now. If you don’t have the right number of Account Managers to oversee your AR network, then the regulator may knock on your door next. It’ll be very easy for the FCA to use their data and target Regulatory Hosts by size and number of ARs per Account Manager to determine who to investigate next.
In fact, the FCA have already started handing out sanctions:
“Since our new AR department started, our supervisory engagement has resulted in principals terminating their relationships with over 1300 ARs (figures from 1 July 2022 to 31 Aug 2023). Twelve firms have applied for the imposition of requirements (VREQs) to restrict how they carry out their business, and there have been many more informal interventions.”
For large Regulatory Hosts and Principals, if you have more than five ARs under one Account Manager, it is vital to turn to technology to help your existing team oversee a large AR network through the assistance of automation (see next section).
3. RegTech & Automation Is The Key To Effective Oversight Over A Large AR Network
How do you improve AR oversight to satisfy the FCA if you have more than five ARs under one Account Manager?
Hiring more staff seems to be the immediate answer, but this comes at a high cost and leaves your Regulatory Hosting business potentially unprofitable. Can your business afford to hire one full time member of staff to oversee five ARs? Do you charge your ARs enough to make a profit running on this model? Or would you need to completely rethink your prices and charge extortionately higher fees at the risk of losing your existing AR network and collapsing your business?
The bigger question here is: What is the key to running a profitable Regulatory Host business in light of these new expectations from the FCA?
The answer lies in technology and automation, which increases team efficiency and allows your existing Account Managers to monitor more ARs without increasing staff numbers. Investing in the right RegTech will help your team oversee more ARs, more effectively, in less time. The right RegTech will automate a lot of work throughout the ongoing compliance monitoring process over your ARs, allowing a small team to oversee a large AR network.
Our message to Regulatory Hosts is this: If you have a large AR network without sufficient Account Managers to oversee them, then invest in RegTech to help your existing team effectively oversee your AR network and satisfy the FCA. Or you may be out of business soon.
Sarah Jackson (Senior Manager of Regulatory Consulting at DWF Law) says:
“Principals have a number of software options available to them. Such tools can maintain a well-managed schedule of oversight during the year to ensure nothing is overlooked, something that can easily happen when workloads are stretched due to either increased workloads generally or a lack of resource.”
Fingerprint provides a holistic communications monitoring platform to Regulatory Hosts and Principals to help them gain effective communications oversight over their AR network and ensure their ARs meet the FCA’s communication monitoring requirements. Our multi-client platform is designed for you to have communications oversight over your entire AR network in one unified platform, with only one login needed, with all investigation and reporting tools included.
You can read our case study to learn how our compliance service provider client uses Fingerprint to provide a market-leading communications monitoring service to 200 clients using a team of only a few Account Managers.
What Do Principals & Regulatory Hosts Need To Do Now?
Read the latest FCA publication to get a clear understanding of the market and Policy Statement PS22/11 to understand what the FCA expects from your firm.
There are many new rules and changes Principals must comply with as outlined in the Policy Statement, including:
Review the current systems and controls that you’ve implemented within your AR network. If needed, approach a Compliance Consultant to understand how to improve oversight over your network. If you have more than five ARs under one Account Manager, then look to invest in RegTech to improve oversight quickly without needing to hire more staff members – this should be your number one priority to avoid FCA sanctions.
What advice do Shazana and Sarah have for Principals and Regulatory Hosts?
Shazana Begum (Independent Compliance Consultant) says:
“All Principals and particularly Regulatory Hosts, who will likely be getting more FCA interaction, should immediately review their oversight of their ARs and ask themselves the following questions:
Do you have sufficient resources to effectively monitor and oversee your ARs? To the level of oversight comparable to that of an employee?
Does your oversight method use both human and regtech to ensure sufficient oversight and adequate record keeping? This is in particular to larger networks.
Are you having regular interaction with your ARs via calls, email, meetings, and not just leaving it to an annual review?
Are you monitoring all the activities of your AR, not just the activity deriving from the permissions they are using so that you can effectively look at risk management in a more holistic way?”
Sarah Jackson (Senior Manager of Regulatory Consulting at DWF Law) says:
“An immediate improvement would be to complete the annual assessment of the principal's AR population. This will help identify any ARs about whom the Principal doesn't know very much, either as a firm generally or about the business it undertakes. In turn, this will help develop the principal's plans for oversight during the next 12 months.
With the Covid restrictions behind us, principals should consider carrying out in-person visits to their ARs. This will provide the principal with an overall impression of AR quality and conduct, particularly if they have an office location that a retail consumer could visit.
Principals could increase the level of ad hoc monitoring conducted – instead of preparing client files in advance, the cold review of a current-state client file may be more revealing in terms of AR quality and business conduct.
As part of the T&C arrangements in place, the principal might consider implementing a RAG status of each AR, ensuring greater focus and monitoring activities are in place for the higher risk ARs.”
Now is not the time to turn a blind eye to the FCA’s increased scrutiny on the Principal Firm industry – get your house in order now, or risk losing your reputation in the industry and your business itself.
Get in touch with us through our website or send Kieran Holmes a message if you need a solution to gain communications oversight over your entire AR network in one place, to ensure your AR network comply with FCA communication requirements.
Do you have any thoughts about the FCA's latest publication and what this means for Principal Firms, Regulatory Hosts and the Appointed Representative regime? If so leave us a comment below as we'd love to hear what you think!