The Financial Conduct Authority (FCA) have just published their 2017/18 Business Plan, setting out their objectives, sector priorities, risk outlook, ongoing activities and the sectors who will come under closer scrutiny in the coming year. The plan also provides information on how the FCA will continue to meet their 3 main operational objectives: –
- Protecting Consumers
- Promoting Competition
- Enhancing Market Integrity
This article will give you a summary overview of the information and objectives laid out in the business plan and offer some guidance on the sectors that are still a cause for concern for the regulator. Due to the extensive content and information in the plan, not all priorites, objectives and sectors are covered here, so it is essential for regulated firms to take the time to read the full plan.
The FCA have detailed numerous priorities in their plan, including cross-sector priorities and those dedicated to specific sectors. Across all sectors, the regulator will continue to look at the culture and governance of firms and continue reviewing the regulatory framework that governs remuneration, with their existing Remuneration Codes seeking to ensure greater alignment between risk and individual reward and support positive behaviours and a strong and appropriate conduct culture within firms.
They aim to look into how new technology can improve the efficency of anti-money laundering (AML) processes and will again focus on the treatment of existing customers, with direct priorities for vulnerable customers, affordability assessment and addressing their needs.
Specific priorities include continuing to review the debt management sector, ensuring that they are fit for purpose and fully compliant, as well as starting an exploratory piece on the motor finance industry. Pensions and retirement plans will be reviewed, along with the pricing practices of general insurance and assessing how effectively competition is working in the wholesale insurance market.
Foreword and Introduction
The FCA Chairman, John Griffith-Jones, opens the plan with a foreword that speaks to the emerging risks that the regulator may need to respond to in the future and the challenges to the market outside of the FCA’s control. He mentions international events, demographic changes and of course Brexit and says “while we cannot control them, we cannot afford to ignore them.”
The plan’s introduction is given by the Chief Executive Andrew Bailey, who references the simultaneous publication of the FCA’s Sector Views and mission document and refers to the impact and consequences of the UK leaving the EU. He also discusses the business plans’ strong emphasis on consumer vulnerability and their forthcoming ‘Consumer Approach’ document and implementing the Markets in Financial Instruments Directive II (MiFID II), which he says will “allow [the FCA] to introduce major reforms to improve resilience and strengthen integrity and competition in wholesale markets.”
Part of the FCA’s role includes identifying and assessing emerging and future risks that may have an impact on their existing priorities and objectives, and to the financial system as a whole. This requires continuous focus and monitoring of the medium and long-term trends that may influence the financial sector.
With many of the long-term trends, the actual risks are still unclear and are likely to emerge and change with the progression of time, which means setting objectives and policies as and when accurate assessments can be made. In this business plan, the FCA have therefore focused on the short-medium term trends and emerging risks that can be assessed and predicted to a certain degree.
The regulator assesses emerging risks by using 4 key areas: –
- Macroeconomic – large-scale and/or general economic factors (e.g. inflation, unemployment or economic stability)
- Social and Environmental – changes to environment (e.g. land, energy use or natural resources) and social effects (e.g. workplace, community or demographics)
- Technological – how firms deliver products/services & how consumers acces them (e.g. advancements in technology, digital impact or systems)
- Firms and Consumers – the regulated businesses themselves along with the consumers using the financial services
Across these four areas, the FCA have identifed several trends and factors that could pose a risk to the financial market and/or influence the behaviour of those participating in the market.
Such risks include: –
- Continuing Low Interest Rates – pension funds, banks and insurance firms could find that lower investment incomes affect their overall profitability and as a result, take more risks in other areas to offset the fall.
- Rising Inflation & Low Income Growth – this could have a dual effect with some househods defaulting on debts due to the increased strain of rising inflation and a low income growth, which in turn puts pressures on lenders. Low income growth along with an increase in zero-hour contracts and variable incomes, could also see savings reduced and access to financial services limited.
- Aging Population – it is projected that by 2040 nearly 1:7 people will be over 75, which poses risks for retirement income, pension products and an increasing number of vulnerable customers, with the elderly more prone to scams and needing more assistance when using financial products/services.
- Cyber Crime & Money Laundering – as technology advances, so do the risks of cyber-attacks and financial crime. Inadequate controls and systems could see information used inappropriately, consumers affected (directly or indirectly) and market integrity compromised.
- Outsourcing – as technology becomes a larger factor in the operation of businesses and with so many consumers relying on digital and mobile solutions, outsourcing to FinTech firms is increasing, along with the risk of reduced oversight and the resulting non-compliance.
- Known Consumer Behaviours – there is an increasing expectation on firms to identify and assess their needs, circumstances and sometimes behaviour of their customers, optimally resulting in suitable products and fair services. However, with growing numbers of vulnerable customers and financial pressures, firms must find the right balance between their responsibilities to consumers and making a profit.
Outcomes and Issues
A large part of the FCA 2017/18 business plan focuses on the cross sector and sector specific priorities, the issues within these areas and the activities and aims to address and resolve these issues. As this portion of the plan is extensive and applies to all firms in the majority of cases, it is important to read the plan and utilise the information relevant to your business type and activities. We have provided a brief overview of this area within the article.
Remuneration and incentive structures are still a key focal point for the FCA, who believe many of the schemes in place do not reward employee behaviours that act in the long-term interests of their customers. A lack of accountability from Senior Managers is another area that the FCA have been pushing for some time, with the the Senior Managers Regime (SMR) being implemented from 7th March 2016, which looks at the most senior employees within firms and makes them personally accountable for conduct and risk as well as having to undertake fitness and propriety checks.
Financial crime and money laundering feature heavily in the business plan, with the FCA looking for outcomes that will ensure appropriate safeguards, controls and procedures for preventing financial crime, whilst still allowing firms to operate efficiently and within the regulatory compliance system. Some of the issues faced by the regulator and market in this area include: –
- The possibility of weaker checks and due diligence measures on new clients in order to maximise profit and growth
- Firms facing higher costs from the implementation of digital tools to help reduce the risk of cyber-attacks and financial crime
- Consumers becoming more vulnerable and prone to scams, with emphasis on the pension sector
2016 saw the implementation of the FCA’s Annual Financial Crime Report, helping the regulator to assess the controls and measures put into place by regulated firms and to gain insight into the nature of the financial crime risks affecting the financial services industry. The FCA is also due to become responsible for reviewing the quality of AML supervision carried out by professional bodies in the UK. There are several bodies who are currently responsible for the oversight and compliance on the money laundering regulations and the FCA’s appointment as quality reviewer of these organisations will help to ensure consistency and quality.
With regards to the priorities for the treatment of existing customers, the FCA’s outcomes include: –
- More transparent and detailed renewal information in the relevant sectors
- Preventing and removing the barriers customers face when changing products/services or exiting existing products
- Firms expected to understand and consider their customers’ interests and needs and to actively engage with them to provide a good service
The issues in this area include current and future economic conditions and uncertainty with the UK leaving the EU, which could see firms focus more on growth and profit than consumer interests and larger numbers of consumer with debt having little or limited access to credit. Rising interest rates and low income growth could also put a strain on both firms and their customers.
The FCA intend to continue their strict review of the debt management sector, ensuring that the key controls and measures are in place to create a fair and transparent environment for their customers, with emphasis on those with vulnerabilities. They will also be focusing on the high-cost short-term credit sector as well as overdraft providers.
The FCA will continue to help smaller firms to comply with the regulations through the delivery of their ‘Live & Local’ programme, which continues through 2017/18 and of course the ongoing supervisory role, for which the FCA define 3 specific aspects: –
- Pillar 1 – ongoing proactive supervision of the firms that present most risk to the FCA’s objectives
- Pillar 2 – event-driven, reactive supervision of actual or emerging risks
- Pillar 3 – thematic work that focuses on risks and issues affecting a number of firms across the market
The FCA directly protect millions of UK consumers and help to make the market transparent and accessible, however part of their ongoing activities will also include the education of consumers about protecting themselves and ensuring that they are informed before making decisions and aware of fraud and scams.
Vulnerable customer awareness and assessing affordability are key areas that are ongoing for the FCA and are included in large sections of the business plan. With such detailed and focused work in this area, the regulator expects firms to have robust and adequate controls and measures in place for the identification, assessment and management of those considered vulnerable.
Whilst this article is quite extensive, it is only a brief overview of the 102 page document published by the FCA. It is essential that regulated firms and those associated with the financial services industry, take the time to read the plan and use the information provided to review and improve existing controls, measures and systems.
Click to read the full FCA 2017/18 Business Plan.
Following on from last month’s blog article “Beginner’s Guide to the General Data Protection Regulation (GDPR)“, this week we are looking at some of the conditions and rights that will apply under the new legislation and how firms can best prepare for their new obligations.
Lawfulness of Processing Conditions
The onus is on a firm’s processors and/or controllers to identify and evidence their legal and/or contractual basis for processing, prior to carrying out any processing.
Once a legal basis has been established for processing data, this must be recorded and evidence of the determination retained. The processing of personal data is only considered as being lawful where one or more of the below Article 6 clauses apply: –
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
The GDPR allows member states to introduce more specific provisions for clauses (c) and (e).
Article 6 also speaks to the continued transparency of the information provided to data subjects for the collection, processing and storage of personal data. Such information must be provided to individuals at the point their personal data is collected and must be clear and transparent as to the collection of data, use or intended use and reliance on consent to process.
With an individuals right to withdraw consent being a part of the GDPR, it it even more inportant for firms to ensure that they are collecting data in a clear, easily accessible and transparent manner.
Article 3 of the GDPR sets out the territorial scope of the regulation for those processing data and is considered one of the biggest changes to the current data privacy laws.
Jurisdiction and territorial scope in the current Data Protection Act (DPA) is somewhat ambiguous, however the GDPR makes it clear that the regulation applies to the processing of personal data of data subjects who are in the EU, regardless of whether the processing takes place in the EU or not. The regulation also applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law and/or where the processing activities are related to: –
- The offering of goods or services to EU citizens (irrespective of whether a payment is required)
- The monitoring of a data subjects behaviour as far as their behaviour takes place within the EU
The conditions for consent have been stengthened in the GDPR, with the onus on firms to demonstrate that they have obtained the data subjects consent in a clear, intelligable and transparent manner. Consent notices must be jargon free and easily accessible with the right to withdraw and purpose for data processing made clear. All consent must be able to be verified, which means keeping records of the consent given.
Where the individual gives consent in the form of a written declaration where there are also other matters being noted, that consent has to be clear and easily distinguishable. It should stand apart from the other matters being discussed in the content and ensure that the data subject knows they are giving consent for their data to be processed and stored.
As part of the GDPR, data subjects will have the right to withdraw their consent at any time, which will in no way affect the lawfulness of processing based on consent before its withdrawal. Firms must make sure that an individual can withdraw their consent as easily and as clearly as they can give it.
Processing of Special Categories Personal Data
Referred to ‘sensitive personal data‘ under the DPA, the GDPR lists ‘special categories’ as personal data that can or may reveal: –
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life or sexual orientation
Processing of special category personal data is strictly prohibited, unless the data subject has given explicit consent to the processing of such personal data for one or more specified purposes. The processing of special category personal data is permitted where that processing is: –
- necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
- necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
- related to personal data which are manifestly made public by the data subject
- necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
- necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
- necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
- necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The Right to Erasure
Also known as ‘The Right to be Forgotton’, data erasure entitles the data subject to have the data controller erase their personal data and cease any further processing and/or dissemination of the data. It could also see any related third parties forced to cease processing the data as well.
Article 17 of the GDPR states that data subjects have the right to request erasure where: –
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6 or point (a) of Article 9, and where there is no other legal ground for the processing
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2)
- the personal data has been unlawfully processed
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
- the personal data has been collected in relation to the offer of information society services referred to in Article 8(1)
If personal data has been made public and there is a valid request to erase, data controllers will be obligated (within reason of costs and taking account of available technology) to take reasonable steps to inform all other known controllers of the individuals valid erasure request.
The data subjects right to erasure and the data controllers obligation to inform third party controllers does not apply to the extent that processing is necessary for: –
- exercising the right of freedom of expression and information
- compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3)
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing
- the establishment, exercise or defence of legal claims
Sanctions, Penalties and Compensation
Under the GDPR, firms who breach the regulations will be looking at much greater penalties than under the DPA. Fines can be up to 4% of the annual global turnover or €20 Million (whichever is greater), which far exceeds the ICO £500,000 maximum fine under the DPA.
Records of Processing
Under the GDPR, it will be mandatory to keep strict and transparent records of all processing activites. Such records must be in writing, including in electronic form and must be available to the supervisory authority on request.
Each processing record must contain all of the following information: –
- the name and contact details of the controller
- any the joint controller (where applicable)
- the controller’s representative (where applicable)
- the data protection officer
- the purposes of the processing
- a description of the categories of data subjects and of the categories of personal data
- the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations
- transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable)
- where possible, the envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures referred to in Article 32(1)
Each processor and, where applicable, the processor’s representative must maintain a record of: –
- all categories of processing activities carried out on behalf of a controller
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting (and where applicable, the name and contact details of the controller/processor’s representative and the data protection officer)
- the categories of processing carried out on behalf of each controller
- transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards (where applicable)
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1)
The above obligations do not apply to an enterprise or organisation employing less than 250 people, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
In our next GDPR article, we will be looking at how firms need to audit, review and update their existing DPA measures and controls and how implementing the GDPR should be approached.
For the first time, the Financial Conduct Authority (FCA) have published their Sector Views document alongside their annual release of their business plan, mission objectives and fee consultation paper.
What are Sector Views?
The FCA advise that “they need a view of how the financial system works as a whole, as well as within its individual sectors and markets. To develop this view, they divide the system into sectors and monitor them continuously.”
2017 is the first year that the regulator has published their Sector Views document, which looks at the issues and developments in each sector, as seen by the FCA. This enables them (and now us), to see how each sector is performing, where the issues lie, what the issues are and to bring together a collective view of the system as a whole.
The FCA hs advised that they will continue to publish the Sector Views on an annual basis, approximately 3 months after their Board has approved the content.
Which Sectors are Included?
The financial system as regulated by the FCA and therefore the Sector Views, cover all the markets regulate by the FCA and are grouped into 7 sectors: –
- Retail Banking
- Retail Lending
- General Insurance and Protection
- Pensions and Retirement Income
- Retail Investments
- Investment Management
- Wholesale Financial markets
How is the Data Gathered?
The FCA hold a vast amount of information, research and external input data, which is analysed by sector and market experts to provide insights, facts and patterns concerning each sector and the financial system as a whole. The existing information held by the regulator is also supplemented with additional research, insights and data from external sources, such as independent economic forecasts and social media, through to the views of their own Statutory Panels.
Stats & Issues
The Sector Views document published statistics, facts and figures based on areas such as borrowing, mortgages and banking. Whilst the amount of data presented in the document is too vast to provide here, we have detailed just a few of the stats quoted by the FCA.
Read the Sector Views
The published document is far too extensive and complex to detail in this post and as it carries a wealth of information specific to each sector, we would suggest taking a while to read the document and using the content to improve and inform your own firm and employees. The PDF version of the Sector Views can be downloaded from the FCA Website.
What is the GDPR?
EU Directive 95/46/EC of the European Parliament was adopted in 1995 and stipulated that each EU member state must develop and implement their own law to meet the EU standards for handling and processing personal data. In accordance, the UK enacted The Data Protection Act 1998 (DPA) to ensure that British law complied with the 1995 directive.
However, back in January 2012, the European Commission proposed the General Data Protection Regulation (GDPR) that would apply to all EU member states and provide consistency and standardisation on the processing and using of personal data. This proposal was formally approved by the European Parliament in April 2016 and is a regulation rather than a directive, and will therefore supersede existing national data protection laws.
The GDPR imposes stricter penalties and has broader definitions and comes into effect in the UK on the 25th May 2018 and the UK government have already confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, meaning all firms who currently have obligations under the DPA, will need to comply with the GDPR.
The General Data Protection Regulation (GDPR) has a lot of similarities with the UK’s current Data Protection Act and so firms will not necessarily need to start again when devising and implementing policies, procedures and measures. However, there are of course also new and different regulations that will need to be addressed.
Under the current DPA, personal data is defined as: –
Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The GDPR definition of personal data is somewhat broader but also more specific: –
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data
The current DPA defines sensitive personal data as: –
Personal data consisting of information as to the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Whereas the GDPR replaces the term sensitive personal data with ‘special categories of personal data’ and advises: –
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.
Although criminal convictions, offences and court proceedings are not specifically named in the GDPR definition of special categories of personal data, they are referred to in Article 10, where the regulations advise that processing shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects and any comprehensive register of criminal convictions shall be kept only under the control of official authority.
The 8 Data Protection Principles are highly recognised among firms who have obligations under the DPA and whilst the GDPR Principles differ slightly, their meaning and interpretation are not dissimilar.
To see each Principle in its entirety, visit the ICO website for the current DPA Principles and/or navigate to Article 5 of the new regulations for the GDPR Principles.
Fail to Prepare – Prepare to Fail
Whilst May 2018 may seem like a long way off yet, those firms who have gone through the FCA authorisation process and encountered the new FCA regulations, will know that you can never start preparing too early! The GDPR will apply to all ‘controllers’ and ‘processors’ and whilst the definitions of each are generally the same as under the current UK DPA, there are some specific legal obligations that will apply to both, along with new compliance areas that firms must develop, implement and evidence.
Our team will be publishing a number of articles over the coming months regarding the GDPR, helping firms to understand the new regulations, their obligations and preparation guidance. Our next article will look more in-depth at areas of the GDPR that must be complied with, including: –
- Lawfulness of Processing Conditions
- Conditions for Special Categories
- The Right to Rectification
- The Right to Erasure
- Sanctions, Penalties and Compensation
The Financial Conduct Authority (FCA) has made it very clear that all regulated firms must have a structured and robust approach when it comes to dealing with vulnerable customers. However, with the exception of handbook modules CONC 8.2 and CONC 2.10, which refer to the vulnerabilities of debt and mental health only, there are no defined requirements stating what a firm must do.
Occasional Paper No.8, which was published back in 2015, provided firms with a clearer idea of what the regulator considered was a vulnerability and gave generic suggestions for compliance programs, measures and controls. But with so many firms making up the financial services and consumer credit sectors, a vast array of approaches ensued, leading to continued vulnerable customer failings in the industry.
Vulnerable Customer Definitions
Know Your Compliance have created numerous documents and packages aimed at helping firms to identify, assess and deal with vulnerable customers in an ethical and compliant way. In order to develop these products, our team use 2 specific definitions of vulnerable: –
- Customers who are unable, for whatever reason, to make an informed decision at the time of dealing with them – customers falling into this category include those with language barriers, hearing difficulties, those with mental health issues, suffering from bereavement, learning difficulties or the elderly. These customers may struggle to make a decision on whether the service or product you are providing is in their best interests.
- Customers whose welfare (financial, mental or physical) could be put at risk through choosing the service or product you offer – these customers include anyone who is going to be put at detriment from taking up your offer. This could be financially, if taking out a loan or setting up a payment plan causes them additional financial stress. Your firm and staff have a duty of care to ensure that you do not cause undue stress to customers who may be in vulnerable situations. Many customers do not know that they are vulnerable and so do not think to disclose this information during contact with you.
Being vulnerable does not always mean that a customer should not be sold a product or service (i.e. most people will need car insurance or a mortgage), however it does mean that extra care and attention must be paid to ensure that the product/service being offered is suitable, clear and made easy to understand.
Types of Vulnerability
When asked about customer vulnerabilities, most people will recite the same few types: in debt, mental illness, elderly etc. However, it is essential for firms and their staff to realise that there are many types of vulnerabilities and they are not always easy to identify. The 3 below are not always considered to be vulnerabilities, but you can see how they quickly become so what thought about in the right way.
- Young/Inexperienced – being young and/or inexperienced is seldom classed as a vulnerability. However, if you consider a teenager purchasing their first car insurance policy – it would be wrong to assume that they have already been given the ‘what’, ‘why’ and ‘how’ of the insurance by family or friends. They could easily be talked into purchasing insurance ‘add-ons’ or extras without fully understanding if they actually need them.
- Hard of Hearing – loss of hearing may be common as people age, but that doesn’t necessarily mean that the person on the other end of the phone wants you to know that it has happened to them! Missing the odd word or not catching the drift of the conversation is a major vulnerability, especially when it comes to the purchase of financial products/services.
- Stress/Anxiety – is stress really a type of vulnerability or is it just an overused word in today’s society? Stress and anxiety affect people differently, so what encourages one person could debilitate another. Not being able to focus, lack of concentration, confused thoughts – these are all very real factors of stress and could easily affect someone’s decision making process.
Identifying Vulnerable Customers
All firms should have training in place for staff to enable them to identify vulnerable customers. It is not always easy to do this, however there can be specific signs if you really look.
If staff are dealing with customers on the phone or face to face, there are often signs of vulnerabilities. These can include: difficulty in hearing or asking to repeat often; displaying a lack of understanding or confusion; language barriers; long pauses or delays in answering; mentioning a vulnerability (e.g. recent bereavement or physical illness); showing signs of indecisiveness; fidgeting or lack of concentration.
When corresponding with customers by letter or email, vulnerabilities are not as clearly identified as verbal or physical ones, but can include: language barriers identified by the grammar, spelling or general format of text; customer asking a lot of questions or showing misunderstanding of areas already explained; mentioning in writing a vulnerability; confusion over what has been offered or discussed.
What Should Firms Do?
This article is far too short to define all of the ways in which a firm can make itself compliant and vulnerable customer aware; however a few simple starting points are: –
- Have a standard approach and a well defined vulnerable customer policy which states the firms objectives, approach, controls and measures.
- Use effective measures, controls and tools for identifying, assessing, dealing with and monitoring vulnerable customers, including audit checklists, procedure documents, staff support aids, effective systems, clear reporting lines, relevant materials (e.g. braille, large print, audio options, touch phone, key facts document etc).
- Employ an effective and ongoing training program for all staff (especially new starters). Defining what a vulnerability is, how they can be identified and how to deal with them.
- Where sales are conducted via the phone, have robust call monitoring audits and monitoring programs to ensure staff are following your procedures and meeting your objectives.
- Assess staff frequently using quizzes, workshops, tests and 1:2:1 coaching sessions. Ensuring that staff understand and can utilise the vulnerable customer training information is essential to remaining compliant.
- Use your Audit & Monitoring procedures to assess your existing vulnerable customer controls and measures and ensure that they remain effective, compliant and suitable.
- Ensure that all products, services and written materials (including website content) is clear, well defined and easy to understand.
- Offer multiple ways for customers to communicate with your firm, including phone, email, website, in writing (inc braille, large print), Skype, face-2-face etc.
- Be proactive and ensure that staff are always taught to listen to their customers.Any person can be vulnerable – it is not always possible to see or hear a vulnerability, but with the right products, approach and measures, a company can ensure that its responsibility to its customers is always a top priority.
Know Your Compliance have developed industry leading, effective and compliantVulnerable Customer Products that are available on our website and include Bitesize Manuals, Interactive Dashboards, Policy & Procedures, Audit Checklists, Training Packages and Staff Assessments.
Phrases like Treating Customers Fairly (TCF) and Vulnerable Customers were once seen by Consumer Credit firms as optional extras in their compliance portfolio, without real structure or objectives when it came to their control and governance.
The TCF policy was originally introduced back in July 2006 by the Financial Services Authority (FSA) with the aim of giving confidence to consumers when dealing with the Financial Services industry. Pressure was put on FS firms by the FSA, to integrate the TCF ethos and outcomes into their business processes and culture, with greater emphasis on those in the banking, insurance and mortgage sectors. However, after the banking crisis in 2008/2009 and apparent lack of transparency and customer focus, it was announced by the Chancellor in June 2010 that changes in the way that Financial Service organisations were regulated, were imminent.
By April 2012, the FSA has been disbanded and replaced by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), who were tasked with bringing transparency, customer confidence and ethical trading back to the UK Financial Services industry. In April this year, the FCA took their governance role even further, by replacing the Office of Fair Trading (OFT) and taking over regulation of the Consumer Credit regulated firms as well.
It has become apparent that TCF will continue to remain central to the FCA’s expectations when it comes to how firms conduct themselves and their business. The past 12 months has seen a surge in media coverage on TCF related issues and breaches, which will only seek to tighten the grip that the FCA has on it’s 50,000+ newly acquired Consumer Credit firms; who will find themselves under intense scrutiny to get this important area of compliance right.
Why Implementing Treating Customers Fairly Is Difficult
Despite far reaching and widely accessible information being available about TCF and it’s 6 outcomes, there are still a surprising number of firms, coming under the FCA’s regulatory umbrella, who are not 100% sure of how to relate the outcomes to their own business objectives and procedures. The generic description of ‘treating a customer fairly’, is a far cry from the FCA’s interpretation of its own 6 Outcomes.
The main sticking point seems to be that the TCF policy and each outcome places the emphasis on the customer and how they are to be treated and protected, which is of course the FCA’s main objective. However, to ensure that this objective is met, it is essential to provide the firms integrating TCF into their framework, with the tools and information to achieve this, whilst still ensuring that they can remain active and competitive within the market.
The FCA have not actually set any specific standards on how the TCF ethos and outcomes should be implemented into a business or how they can be assessed, which makes standardisation and conformity extremely difficult.
Understanding The 6 TCF Outcomes
So how can you match up a set of outcomes aimed at numerous, differing sectors and industries, with the objectives and processes set out in your own organisation manifesto?
We have provided our take on these outcomes and how to make them relevant to a compliance based organisation. Although each of the outcomes relates specifically to the ‘consumer’; for business and compliance purposes, you should also assume that each outcome also relates to regulators, clients, auditors and 3rd parties as well.
For example, the procedures and assessments used to evidence your implementation and commitment to outcome 1 would not only be requested by, and applicable to, the consumer dealing with your organisation, but also to regulators auditing your commitment to the TCF Policy, clients/potential clients who want to ensure that they are working with a TCF focused organisation and 3rd parties who only work on behalf of TCF centric firms.
The values and culture of TCF relate as much to clients as they do to consumers (customers) when you consider sectors such as debt collection; having the customer (debtor) on one hand and the client (creditor) on the other. Both need to be considered in the implementation of the TCF outcomes.
Outcome 1: Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture:-
Anybody assessing your organisation and more specifically your commitment to the TCF policy, should be able to look at any area of the business, from employee knowledge and actions, through to business processes, and see how you have thought about, shared, discussed, trained on, implemented, reviewed, assessed and recorded the Treating Customers Fairly policy, ethos and outcomes.
The key words for this outcome are transparency and evidence. The only way to instil confidence in anybody is to provide consistent and ongoing proof that you are doing exactly what you say you are doing, so simply advocating TCF or talking about what you do is not enough. You need to be able to evidence what you do at a moments notice and in every area, to show that complete consideration and due diligence has been given to the implementation of TCF into your business.
Outcome 2: Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.
This outcome is based on defining who your products/services are made for, aimed at and beneficial to. Emphasis is placed on ‘designed to meet the needs’ which speaks strongly to not miss-selling your product/services with the overall aim of ‘just getting the sale’. Originally designed for products such as mortgages and insurance policies, this outcome now applies to the consumer credit industry as well and so must also fit the needs of all.
A well publicised area related to this outcome is the Payday Lender sector, who have been heavily criticised and penalised for targeting consumers with high interest, short-term loans without performing adequate checks on the suitability of the products versus the vulnerability of the consumer. To embed this outcome into your processes, you need to define who your client/customer base is, evidence how you have identified who they are, record how you have accessed them (opt-in mail etc.) and that all targeted marketing is appropriate and ethical.
Less than a week ago, the FCA published their findings on investigations it had made into the consumer credit industries advertising standards, where they noted that 108 of the 500 adverts examined were deemed to be in breach of the FCA’s rules. Marketing and advertising materials should be clear, fair and not misleading, however the FCA were deeply concerned about a number of sector adverts, *which included breaches such as:-
- targeting young audiences with promotions for products that consumers must be over the age of 18 to use, such as distributing branded colouring-in sheets with their pamphlets for high-cost, short-term loans,
- claiming that their product would help repair credit ratings,
- claiming a product will clear a customer’s debt, when in fact it is just substituting one debt for another.
Outcome 3: Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
This outcome seems quite straightforward, however there is a lot more to it than originally meets the eye! Many consumer/client relationships in the financial services and consumer credit industries can span several years and so the ‘during‘ reference in this outcome is one that needs to be addressed, assessed and implemented with full consideration.
When carrying out an internal audit on your organisation’s TCF implementation, assessment questions relevant to this outcome should include things like:-
- “Is customer written communication clear, concise and easy to understand? (letters, emails, SMS etc.)”,
- “Are any charges, interest or fees clearly defined, appropriate and applicable?”
- “Do you confirm all sales information in writing?”.
There are obviously many more, but these are just 3 examples. The focus here is on all information (verbal and written), to be clear, concise, free from jargon and relevant to the person who is receiving it.
All forms of communication prior to, during and after the point of sale should seek to ensure that the customer knows what they are signing up to, they know how it benefits them or how it is essential for them and they have the necessary information, such as telephone numbers and email addresses to follow up with your organisation should they have any further questions or issues.
Outcome 4: Where consumers receive advice, the advice is suitable and takes account of their circumstances.
Not all firms who are regulated by the FCA will be providing advice to their customers, however the majority will and it is essential that any advice given is in the best interests of the customer and NOT solely the organisation’s best interest.
This outcome relies heavily on the assumption that all staff working in a role that sees them directly or indirectly giving advice to customers, are fully trained, have access to the necessary information essential to their role as an advisor, have clear reporting lines laid out for them and have a program of continuous professional development for their learning and training needs.
Although these six outcomes form part of the Treating Customers Fairly policy, it would be remiss for an organisation not to include the Vulnerable Customers aspect in this outcome’s implementation. Ensuring advice is suitable and takes into account a customers’ circumstances is essential in vulnerable situations. Training is definitely the key to this outcome, alongside good records management to show that anyone in an advisory position is up-to-date with their product/service knowledge and has been thoroughly trained on the TCF outcomes.
Where advice is given, there will always be an element of risk and so having a robust complaints procedure is another must to satisfy the criteria of outcome 4. The FCA do give some guidelines on complaints procedures, but many of those regulated by the FCA will follow the guidance of the Financial Ombudsman Service (FoS) in this area.
Outcome 5: Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect.
Simply put, you need to be delivering on what your organisation has advertised and promised that it provides. Your products/services need to ‘do exactly what they say on the tin’ and customers should not be getting any surprises once the business relationship starts or after it ends.
This involves constant quality management and auditing of the products and/or services that you are offering and measuring them against a set of business objectives that aim to match the product/service with the customer. Self-assessment questionnaires are one of the best ways to ensure that clients and customers are happy with what you are providing them with and that it is performing to the agreed expectation. There are only a handful of people who will actually pick up the phone and tell you that they are not happy, the rest will simply walk away and tell others that your products/services do not do what you say they do.
Audit, assess, measure, review and then do it all again – constantly.
Outcome 6: Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.
The final outcome is quite explanatory and we all know what kind of post-sale barriers it speaks of. Putting yourself in the shoes of a client or customer when implementing these outcomes into your business, is an effective way of seeing the solution from a different perspective. How many times have you bought a product or service and been greeting with the most helpful, dedicated and knowledgeable salesperson alive! They are happy to stay on the phone for hours with you, just making sure that you are getting the best deal and then BAM! They have made their sale, you have signed up to whatever they are selling and the deal is done.
The next thing there is a problem with the product or you need to change some information they hold about you or the service doesn’t suit your lifestyle any more. Only when you call up customer service there is no more Mr Nice Salesman willing to talk for hours and make your every wish his command. You are faced with Mrs Grumpy who acts as though you have ruined her day by calling and that it is just too much trouble for you to change you mind now. Or worse still, you can only contact the company by email between 3.00pm and 4.00pm on days when it is warmer than 70 degrees before 11am!
I exaggerate of course, but we have all been faced with some kind of barrier post-sale and it is essential to look at your own after care team and ensure that they are equipped to deal with the issues coming through to them, they are staffed adequately to keep wait times to a minimum, you have clearly outlined your internal complaints procedure and the customer has easy access to this and that you are providing several options for how to contact you, all of which are manned by real people.
What Should You Have In Place To Ensure the TCF Policy?
We have given many examples in the above outcome analysis, of areas and processes that can be used within your organisation to embed and ensure the TCF ethos, but it is not enough to just cover each outcome, because they all overlap and there are also gaps, because the TCF policy itself and the 6 outcomes originally defined by the FSA are guidelines. A culture that the regulator wants Financial Services and Consumer Credit organisations to embed into the fabric of their very business DNA, and as with any culture, it is open to interpretation.
Until the time (and it may well come), when the FCA creates a handbook for TCF and gives rules to be adhered to as oppose to generic outcomes to be considered, it is the responsibility of each organisation to interpret the TCF policy in it’s own way and to insert the outcomes into the foundations of it’s business strategy.
Each TCF outcome can and should relate to every aspect of your business and the end result should be you, standing in the virtual shoes of your customers and clients and asking yourself “is this TCF compliant?”
Don’t forget to check out KYC’s recent addition to our TCF Compliance products, the much sought after TCF Interactive Dashboard.
* source https://www.fca.org.uk/news/consumer-credit-firms-must-raise-advertising-standards
Have you ever had that sinking feeling the day before an audit from a client? The wave of panic as you run around at the eleventh hour trying to collate and create evidence to prove you have a diverse and robust compliance program, that your staff training regime is second to none and that your business continuity plan was fully tested just last week!
That sinking feeling comes from the fact that you are not ready for the audit; and by ‘not ready’, I don’t just mean ‘not prepared’! I mean that you should not have invited the client to audit your adherence to regulatory laws and rules or even tendered for their work in the first place!
Not really! Not when you consider the implications and consequences of forging ahead within the financial services and consumer credit industries without the proper adherence to or regard for the compliance standards that have been laid out across the globe by regulators, laws and governing bodies such as the FCA, ICO, PCI, HIPAA, FISMA, CCA, FDCPA – the list goes on, but you get the message.
Compliance is starting to become a word that is so over-used that it is in danger of becoming a nuisance. As new regulators have taken over in the UK and more and more compliance and security breaches occur worldwide, the term ‘compliance’ is everywhere, and any term that becomes over-used, can and will eventually end up being ignored or overlooked as it’s saturation levels peak.
Looking At Compliance A Different Way
There are millions of organisations who consider compliance to be a part of their organisation and industry, but ‘compliance’ in itself is a very vague term and what it means to one sector differs greatly from what it means to another. For the purpose of this article, I am using compliance as a term, not just a word, with the assumption that it covers any area of business that involves following a set of standards, rules, laws or even guidelines. Examples range from information security and data protection, through to treating customer fairly and PCI compliance.
The question at the start of this topic is “Do You Have Double Compliance Standards?” – so what do I mean by that?
Answering honestly, if you work in an industry where compliance is a part of what you do, has there ever been a time (even once), when you, a colleague, a manager, a senior manager or a director, referred to compliance as a negative? Comments such as “Compliance costs so much and takes so much time, I wish we didn’t have to bother”, “I hope the auditor doesn’t want to see too much evidence because we haven’t been recording everything”, “Why are these regulators so strict, don’t they know we’ve got a business to run”, “Cancel the compliance training this week, we are behind on target and that is more important”. I could literally go on all day with this list, but I don’t need to as I can guarantee that everybody reading this will remember some situation when compliance was a pain in the backside.
I also bet that if the next client or regulator who audits you comes along and just brushes the surface of your compliance program, doesn’t really go too deep and agrees with you that the rules and regulations are a little overwhelming and that what you are doing on the surface seems to be okay – you would be more than a little relieved.
But what you should be is insulted, outraged! You should feel cheated if every single client and auditor through your door does not pore over your paperwork, systems and processes with a fine tooth comb; actually looking for gaps and areas that need to be improved, because that is the very culture that the compliance industry needs to insist upon and and start to cultivate. If we do not assess our peers against the same standards and expectations that we have for ourselves, the sanctity of security and fair treatment will go down hill very rapidly.
Every Cause Has An Equal Effect
THIS SECTION IS THE SINGLE MOST IMPORTANT THING THAT YOU WILL READ TODAY
Let’s go back to the section where the client or regulator lets you off the hook with your compliance audit and just treats it as a tick box exercise. You may be relieved, excited that your organisation has been awarded with whatever certificate or licence you were being assessed for; jubilant that you just secured that high profile client by achieving a green light from their auditor.
Are you still excited and jubilant when you realise that the big, new client is part of the healthcare industry and somewhere in their databases are copies of your private medical records?
How about the regulatory auditor who just gave you the green light. Did you know that his next audit is with your bank?
Not everybody works in an industry dictated by compliance, but I guarantee you that everybody is a customer of such an industry and your personal, private and sensitive information is out there, in the hands of the very people who 5 minutes ago you were grateful to for not doing their job thoroughly. It may seem like a harsh explanation, but when you really think about it – it is the truth. Compliance can be a pain when businesses think about it in terms of the money that have to spend, the (wo)man hours they lose to it, the extra effort, training, procedures that it necessitates. But you would be one of the first people to be up in arms if you found out that your doctor, bank, hospital, insurer, mortgage provider, had these same thoughts.
When you cut corners, look for the quickest or cheapest way through or put compliance at the bottom of your list – I guarantee you that a company somewhere who is holding information about you, is doing exactly the same!
What Compliance Should Be
The truth is that compliance is not just ‘another’ part of your company or another box that you have to tick. It cannot and should not ever be a section of what you do in your organisation, it should be everything that you do.
There is NO organisation trading today, no matter how big or small, who can guarantee that they are 100% compliant in all areas. I know this because it is physically impossible! Every company on Earth has people at it’s core and people by the very definition of being human, make human errors. It is an unavoidable fact of life and it happens each and every day. What a company can and should be able to do however, is assure you that they are working 100% of the time towards being compliant in every area and that they have the adequate systems, controls, training, internal audits, compliance teams, processes, policies and risk assessments in place to ensure this.
The old stigma that has been surrounding compliance for the past few years needs to change and it has to start with you. It doesn’t matter if you are at the top or the bottom of the organisation in which you work, what matters is that you think about your businesses compliance in exactly the same way as you think about your own information or the way you want to be treated by the businesses with who you have a relationship.
I guarantee you that when you start putting compliance at the top of the agenda, build everything else (included your revenue) around your commitment to compliance, your company will soar, because every cause has a like effect and you will forge yourself a reputation among clients, regulators and customers of being a company who puts those in a working relationship with you first.
This is what great organisations are built on – not how much money you brought in last month or how many sales you made yesterday. Being able to have compliance audits at the drop of a hat and not even break a sweat because you know, with 100% certainty that at any given point, you are doing everything possible to ensure compliance. You should be challenging those clients or 3rd party organisations (such as suppliers or agents) who do not want to see your compliance evidence, who do not look deeper than the surface during audits, so that raising the standards or compliance starts with you and filters throughout every industry dominated by it.
DEMAND COMPLIANCE NOT JUST OF OTHERS, BUT OF YOURSELF