What are the 3 operational objectives of the FCA?
- Secure an appropriate degree of protection for insurers
- Protect and enhance the integrity of the UK financial system
- Promote effective competition in the interests of consumers in the markets for regulated financial services and services provided by recognised investment exchanges on certain regulated activities.
From April 2014 the FCA took over some activities from the Office of fair trading including…?
- Lending or brokering credit, whether or not secured on land;
- Being a credit reference agency or providing credit information services
- Debt collection and debt administration services; and
- Carrying out activities in relation to contracts for the hire of goods.
In terms of FCA, PRA, PRC and FPC who has power over whom?
FPC / PRC both committees in the bank of England
FPC has formal powers of direction over the PRA and the FCA where such powers have been granted by HM treasury
PRC - powers over PRA
List the regulated activities under the Regulated Activities Order 2001
AEIO MAD
Accepting Deposits
Effecting or carrying out contracts of insurance as principle
Issuing electronic money
OTFs
MTFs
Arranging a mortgage or other home finance transaction
Dealing in, arranging deals in or managing investments
what does the information commissioners office oversee?
- The data protection act
- The general data protection regulation (GDPR)
- The freedom of information act
- The environmental information regulations
- The privacy and electronic communications regulations
Who must data processors notify before carrying out any data processing?
The relevant national authority
What must data protection comply with?
European data protection principles e.g. processing data fairly and lawfully, and using data for specific and legitimate purposes
What will firms outside the EU have to do if they want to target customers inside of the EU ?
Meet GDPR
A data controller must provide certain information to individuals about whom they hold personal data what is this?
Data controller must disclose their identity, details of the data they hold and what they plan to do with it
what measures must be put in place in reference to GDPR?
Technical and organisational measures to protect personal data against accidental loss/ destruction, unauthorised access or other unlawful processing.
In terms of GDPR what written agreements must be made and entered into by whom?
Enter into written agreements to ensure that data processors act only on the data controller’s instructions and comply with the same security obligations that are imposed on data controllers under the applicable national legislation.
Under GDPR what measures must data processors put iin place?
- Implement technical and organisational security measures
- Protect personal data
- Keep a register of data processing activities
- Comply with the rules relating to the transfer of personal data outside of the EU
- Comply to restrictions on their ability to engage sub-processors
What must consent around GDPR be?
Specific
Customer silence or inactivity to tick boxes is no longer sufficient
When consent is gained for GDPR what is it valid for?
Valid only for the stated purpose for which it was collected and not for any other purpose.
Once consent is given what does the data subject have the right to do?
Withdraw the consent at any time
What is a fair processing notice?
Info organisations are required to give data subjects:
- grounds of data
- period of retention
- mechanism of export (if exported outside of the EU)
- source of the data
must also give their rights/ right to complain/ right to withdraw data
What is data subject rights?
- right to have data transmitted to themselves or another data controller
- to require controller to erase the data in some circumstances
- right to request more info on processing through a subject access request
If a data participant requests information on data/ uses their rights how long do organisations have to respond?
Within one month
Can data controllers charge a fee for data requests?
Generally no
if there is a data breach whom must be notified and within what timeframe?
ICO within 72 hours
Individuals to whom the personal data relates without undue delay.
What must organisations maintain in terms of a data breach?
A data breach register
When can data be exported outside the EEA?
Only when the recipient non-EEA country is either deemed by the European Commission to offer adequate data protection safeguards, or a valid export mechansim has been put in place
If data is breached what can fines be? - certain important provisions
20 million EUROS or 4% of global annual turnover whatever is the greater
If data is breached what can fines be? - other provisions
10 million EUROS or 2% of global annual turnover whatever is the greater
-
MiFID/ MiFID II/ MiFIR32
-
UCITS Directive/ AIFMD/ Additional30
-
UK Regulation49
-
Regulation of Pension Funds10
-
FCA Objectives and High Level Standards30
-
Regulation of Investment Exchanges23
-
FCA Business Standards21
-
Client Agreements25
-
Identifying Client Needs4
-
Dealing and Managing6
-
Use of dealing comission7
-
Investment research5
-
Packaged products4
-
Reporting5
-
Client Assets Source Book CASS6
-
Client Money rules4
-
FCA Supervision and Redress15
-
Financial Crime39
-
From Book25
