The FCA's 2025 New Year resolutions
30 January 2025

Originally published by Thomson Reuters © Thomson Reuters on 29/01/2025
Well, here we are again with another look back at an eventful year for financial services (when is it never). After 14 years of a Conservative rule, the Labour government took the helm in July 2024, with Keir Starmer signalling "difficult decisions" and a growth agenda. Chancellor of the Exchequer, Rachel Reeves, delivered her first Mansion House speech - outlining a series of financial services reforms aimed at boosting investment, growth (of course) and competitiveness in the UK economy (see our briefing here). Coming two years after the so-called Edinburgh Reforms (see our briefing here), it appeared to be a mixture of continuity and change.
In November 2024, Donald Trump modestly celebrated the "greatest political movement in history" and signalled significant change to the regulation of the digital assets sector in the U.S.
It was all change as well for EU institutions, with elections at the European Parliament, new EU Commissioners, and a new legislative cycle. We said a fond farewell to the European Commissioner for Financial Stability, Financial Services and the Capital Markets Union, Mairead McGuiness, and said hello to Maria Luís Albuquerque. It wasn't just a change in personnel that appeared to be in the works - a report by Mario Draghi on boosting competitiveness and another by Enrico Letta indicated significant change may be on the way. It is perhaps time to say goodbye to the EU Capital Markets Union and hello to the EU Savings and Investments Union.
2024 also saw the finalisation of key EU legislation, including the EU Banking Package, the EU MiFID II/MiFIR review, the Corporate Sustainability Due Diligence Directive and the EU AML package. Many firms are heading into 2025 with implementation plans and repapering exercises in relation to these initiatives.
So, what should firms be looking out for in 2025? Let's take a look at our crystal ball.
The FCA has long been alerting firms of the need to regularly look at their regulatory permissions to ensure they are up-to-date and removed where they are not being used. This is intended to prevent consumers wrongly believing certain products and services firms offer are "FCA-regulated", as well to reduce the risk of consumers being defrauded by criminals. A 2021 "use it or lose it" exercise stressed that a regular review of permissions by firms helps to provide assurance of threshold conditions being satisfied and that firms are meeting their obligations under the SM&CR.
The FCA was given powers to allow for a quicker process for removing or varying Part 4A FSMA permissions (i.e. without relying on a firm's application or consent, or waiting for 12 months) where certain conditions are satisfied. The FCA will usually provide notifications and warnings to the firm before proceeding with cancellation. Its 2024 consultation paper on a new enforcement guide indicated increased use of intervention powers (e.g. "use it or lose it") to prevent consumer harm.
Recent data shows doubling in the number of firms that have had their authorisation cancelled by the FCA.
We can expect to hear more on this.
This is a bit of a cheeky one because we know that Nikhil's term runs out on 30 September this year. Nevertheless, we expect a bigger shake up at the regulator. Nikhil's tenure has not always been a successful one and, notwithstanding the change of administration at government level, the relationship between the Government and the regulator is yet to get back on a firm footing. (As seen by the recent information requests posed to the regulator by the House of Lords' Financial Services Regulation Committee in relation to the Committee's inquiry into the regulator's secondary competitiveness and growth objective.) Any incumbent will need to reset the regulatory relationship between the FCA, the industry and government, promoting UK growth and competitiveness which maintaining strong consumer protection. All while boosting morale and maintaining professionalism at the regulator. Could this signal a drop in policy initiatives not "core" to these objectives (D&I? Name and shame?). Changes are almost guaranteed.
The EU Digital Operational Resilience Act (DORA) will apply from 17 January 2025, imposing a range of requirements on financial entities to ensure that they can stay resilient in the event of an operational digital disruption. Financial entities are expected to have addressed gaps between DORA requirements and existing arrangements, but there is some indication that the implementation date will arrive without the industry being fully ready. That is, regulators are aware that “everything will not be perfect on day one” and that the implementation will be necessarily progressive.
It seems many financial entities will not have completed the contractual remediation exercise needed to ensure that arrangements with ICT third-party service providers meet DORA requirements. Financial entities also need to have their registers of ICT third-party providers’ contractual arrangements available for competent authorities early in 2025, which is proving to be challenging. Similarly, we are still waiting for the final version of the regulatory technical standards on sub-contracting, leaving the industry unable to progress their DORA implementation in this key area.
Although regulators should not expect firms to fully comply with DORA at inception, regulators expect firms to prioritise certain areas. This includes establishing key governance aspects, identification and categorisation of ICT third-party service providers with a “plan” for contractual remediation, establishing processes and procedures for identification and reporting of ICT-related incidents, and, as noted above, the register of information.
Needless to say, it will not be all plain sailing.
Payment for Order Flow (PFOF), the practice whereby brokers receive payments from third parties for directing client order flow to them as execution venues, was always controversial as policy. It has meant slightly different things in the UK over a decade or so. The discussion in the US on the topic seems to have died down (possibly due to a small electoral change in direction). The EU Retail Investments Strategy and MiFID Reforms have, however, seen a strengthening of PFOF limitations in very specific retail base cases. Given the UK is now looking hard at its competitive international position, this looks like an area that could be reviewed and around the edges (certain markets / certain clients / certain workflows etc) reviewed – if only through increased FCA dialogue with the market.
With anticipated guidance due in Q1 2025 on vulnerable customers, we expect greater scrutiny from the regulator on vulnerable customers more generally. The obligations that rest on firms under the Consumer Duty give rise to increased requirements on firms to consider how their products and services could be used by customers who fall on the spectrum of vulnerability. One area of challenge for firms is the issue of economic abuse, where an individual is under the coercive control of another leading to detrimental outcomes for the individual. This a complex area, but there is already a financial abuse code. The FCA's Guidance on the Fair Treatment of Vulnerable Customers recognised domestic abuse (including economic control) as a life event which can create vulnerability. A May 2024 FCA blog referred to firms' obligations under the Consumer Duty and noted that financial abuse can involve the manipulation of financial products and services (such as loans taken out in the victim-survivor’s name and the takeover of a bank account). A March 2024 portfolio letter to lenders stated that the FCA was looking at how financial abuse could arise in light of the cost-of-living crisis.
Watch this space on this area.
We noted that 2023 was a big year for AI with an AI Safety Summit , the AI National Strategy and the finalisation the EU AI Act. We also noted that in October 2023, UK regulators published a feedback statement to their joint discussion paper on AI and machine learning. We hoped that 2024 would give financial services greater clarity on what the regulators' expectations are around firms' use of AI and how the regulators would implement the Government's cross cutting principles that it expects sectoral regulators to be responsible for. Following the UK Government’s AI White Paper, the Bank of England and the PRA published a response to AI Principles set out in the Government White Paper. The FCA published an AI Update. In November 2024, the Bank of England and the FCA carried out a third survey of artificial intelligence and machine learning in UK financial services. Building on from the 2019 and 2022 surveys, the 2024 survey set out information on AI use by BoE and/or FCA-regulated firms, and also included a section on generative AI’s growth. In September 2024, the Bank of England also announced that it was establishing an Artificial Intelligence Consortium to serve as a platform for public-private engagement on AI. One of the aims would be to inform the BoE's approach to addressing risks and challenges and promoting the safe adoption of AI. Although guidance could have been clearer, regulators have provided the industry with food for thought.
We said that 2024 would see a raft of rules come into force from the FCA on sustainability labels and anti-greenwashing and that the FCA is playing catch up compared to its international counterparts. At the EU level, sustainable disclosure requirements regime has already been in place (Sustainable Finance Disclosure Regulation and the Taxonomy Regulation). We noted that the Australian regulator has commenced a number of enforcement actions for greenwashing practices and argued that the FCA/UK could follow suit.
In 2024, the FCA's ESG labelling system for UK funds, as well as an anti-greenwashing rule came into force. The new rule at ESG4.3.1R requires all firms to ensure that any reference to the sustainability characteristics of a product or service is: consistent with the sustainability characteristics of the product or service; and clear, fair and not misleading. Under FCA guidance, firms need to ensure that their sustainability related claims are: correct and capable of being substantiated; clear and presented in a way that can be understood; complete (i.e. not hiding important information); and fair and meaningful in relation to any comparison to other products or service. While we have not seen any enforcement action yet, it does not mean it cannot happen.
We described how 2023 saw the introduction of the Consumer Duty, the FCA's flagship policy initiative intended to improve the standards of financial products and services being delivered to retail clients in the UK. We noted how the focus in 2024 was the deadline of 31 July 2024 for closed book products, i.e. those products that are no longer actively sold or marketed to retail clients. While we noted that it would take some time before we saw enforcement action taken as a result of a breach of the Consumer Duty, we expected further pointed and fairly specific warnings to firms in specific sectors as to what the FCA's expectations are under the Consumer Duty. The FCA provided plenty of this in 2024 with the following: FCA review of Consumer Duty implementation; a speech from Sheldon Mills, executive director of consumers and competition; FCA findings from a multi-firm review of payment firms' implementation of consumer duty; a review of firms' implementation of the price and value outcome rules under the Consumer Duty; and sector specific letters on Consumer Duty and closed products in May 2024.
We argued that 2023 was the year that the FCA finally set out in writing what it considers as non-financial misconduct. In its proposals around diversity and inclusion (FCA CP23/20), the FCA also included its draft handbook text setting out what amounts to non-financial misconduct. We argued that the regulator itself has had limited success in bringing action against individuals for non-financial misconduct.
In November 2024, the FCA issued a Warning Notice indicating it would be taking action against Crispin Odey. It argued that while holding Senior Management Functions, Odey breached Individual Conduct Rule 1 of the FCA’s Code of Conduct (requirement to act with integrity). In October 2024, the FCA published the results of a survey on how firms record allegations of non-financial misconduct. There has also been further examples of FCA enforcement action resulting in the withdrawal of SMF approval for misconduct carried out outside of work and for lack of openness with the FCA. In December 2024, the House of Commons Treasury Committee published the letters from regulators concerning its "Sexism in the City" inquiry, which provided information on progress made against its recommendations. The FCA confirmed it had prioritised work on the link between non-financial misconduct and its rulebook, with a final policy statement on non-financial misconduct planned for early 2025.
In 2023, the US, UK and Switzerland (amongst others) experienced significant bank failures, with the two most prominent failures involving firms with large UK subsidiaries. As explained by PRA CEO, Sam Woods, the post-crisis regulatory regime seeks to respond to bank failures via: micro prudential supervision and regulation (i.e. ensuring firms have adequate financial resources and risk management); resolution policy (i.e. ensuring that failure of a bank is well managed and prepared for); and international coordination between relevant stakeholders to contain such events. For many, the bank crises in 2023 brought challenges that the pre-existing regulatory framework had not factored in, namely the role of social media and digitalisation of financing in accelerating the speed and impact of bank crises. Since these events, a number of publications, communications have been issued by regulators around the world. BCBS published a second paper on the banking failures in October 2024, assessing whether specific aspects of the Basel liquidity standards performed as they should during the turmoil and argued that liquidity supervision may need to evolve. An October 2024 FSB report titled "Depositor Behaviour and Interest Rate and Liquidity Risks in the Financial System: Lessons from the March 2023 banking turmoil" looked into the following areas: the role of technology, social media on depositor behaviour; and the impact of digitalisation on banks’ and authorities’ planning and execution of a resolution. It noted that the speed of deposit runs had implications for liquidity risk management practices and liquidity supervision, adding that more rapid reaction from bank managers, supervisors and central banks in response to deposit outflows may be needed. The report also noted the potential for the rapid spread of information through social media, stressing the importance of effective communication strategies.
We noted that work had been underway in the UK to establish outsourcing requirements and operational resilience obligations for financial services firms and that firms were turning their attention to the EU rules under DORA. The framework focuses on strengthening the financial sector's resilience to information and communication technology third parties. We argued that 2024 would be the year when DORA stops being an exploration and the serious work starts, with raft of regulatory and implementing technical standards expected. A number of delegated acts covering DORA have been published in the Official Journal. This includes delegated acts on: the criteria for the classification of ICT-related incidents and cyber threats, materiality thresholds and details of reports of major incidents; the content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions; and ICT risk management tools, methods, processes.
And with that, let's crack on with 2025.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.