Author: Richard Sheen
Phew – the roller coaster ride continues. European asset managers will be busy trying to make sense of the unexpected outcome of the recent UK General Election which resulted in a hung Parliament and a weakened Conservative minority Government. There had been an initial perception that these changes in the political landscape might result in a softening of the UK approach to the Brexit negotiations with the City and businesses becoming more vocal in demanding that their concerns are listened to and that a full-on “hard-Brexit” is going to be more difficult to achieve. Certainly there has been much recent discussion of a potential transitional arrangement.
Political opinion, however, remains very much divided and it seems that asset managers are continuing to progress their contingency planning for the “worst-case” scenario. The UK regulator, the FCA, has sent letters to several of Britain’s largest asset management companies requesting detailed information about their Brexit contingency plans. It has been reported that firms such as Fidelity, Legal & General Investment Management, Columbia Threadneedle and M&G are planning to ramp up their European operations. A renewed period of political instability in the UK is not expected to assist the near term economic outlook which presents additional concerns for managers.
All of this is to be contrasted with improved growth in the Eurozone and the election of an ardently pro-EU centrist President in France apparently keen to attract financial services businesses to Paris. To compound matters, the European Securities and Markets Authority (ESMA) has recently issued a set of principles designed to address the potential “regulatory and supervisory arbitrage” resultant from Brexit – and more specifically the “risk” that UK firms seek to minimise the transfer of substantive operations to the EU by relying on outsourcing or delegation of certain functions to UK entities. This move is designed to address a concern that some EU national regulators might permit the use of letterbox companies in order to attract UK managers.
Notwithstanding Brexit, the asset management industry remains vulnerable to the unabated raft of EU and UK regulatory change (more below) and the continuing squeeze on profit margins in part resultant from greater competition from low cost providers, client pressure but also the impact of the cost of compliance with toughening regulatory standards and new technology spend. Much publicity surrounded the news that Vanguard is launching an on-line platform for the distribution of its range of low cost funds direct to the public in the UK and the potential impact this might have on price competition between managers.
One of the biggest concerns has been how managers adapt their processes to comply with the rules under MiFID II which come into force in January 2018. A particular concern has been a recent statement by ESMA that all shares in non-UCITS funds should be considered automatically “complex”. The Association of Investment Companies is pushing back on this, but if this view is maintained it could impact upon the retail distribution of investment trust and other closed-ended listed investment company shares. Whilst complex financial instruments can be sold to retail investors without advice, distributors and platforms must assess the background of such investors before allowing them access to these products.
Firms are also digesting the FCA’s final report of its asset management market study. Arguably the FCA’s final report is not as onerous nor as sweeping as the industry had feared, but with the publication of a consultation paper, a future market study into investment platforms and the possibility of a CMA investigation into investment consultancy services there is plenty more to come. Some industry commentators have noted that the implementation of the proposals will likely reduce fees and increase operational and compliance costs, further eroding fund managers’ revenue margins. These pressures could convert into further M&A activity and market consolidation particularly in the active management space.
Finally a round up on fundraising activity over the last few months.
Fund raising activity for private funds continues to reflect a fragmentation of the market with the most successful fund raises being undertaken in relation to fashionable niche asset classes or by substantial established asset managers.
However, there is a trend towards increasing allocations to private equity style investment mandates (that is to say mandates which are characterised by long term holding periods and active improvement of assets). This increase in allocation looks set to continue and appears to be fuelling further fund raising activity by established managers. It has been recently reported that a number of managers are intending to raise their largest ever funds over the next twelve months with three managers accounting for in excess of €6 billion.
For listed funds, the year so far has seen strong secondary fundraising activity for listed investment companies with a reported £5 billion of new money raised. The focus continues to be on income producing funds and real asset strategies with infrastructure, real estate and lending amongst the most popular asset classes – a trend that began around 2012 and seems to be continuing. There have been around 8 new IPOs of listed funds on London. Recent deals announced include Residential Secure Income, a REIT, which is planning to raise up to £300 million from investors to acquire new social housing properties with inflation-linked returns.
Cross-jurisdictional AIFMD guides 2017
Author: Imogen Garner
There are two methods which allow the marketing of alternative investment funds (AIFs) in the EU by alternative investment fund managers (AIFMs). The first method is a marketing “passport” which has been introduced by the Alternative Investment Fund Managers Directive (AIFMD) to allow AIFs to be marketed to professional investors across the EU subject to certain conditions being met. The second method allows AIFs to be marketed in a specific member state in accordance with that member state’s private placement regime, subject to certain conditions being met.
We have just updated two guides concerning the AIFMD.
Both guides cover 15 EU jurisdictions – Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden and the UK.
The first guide considers whether the AIFMD marketing passport is working in practice and is a useful tool for managers as it illustrates the significant differences across jurisdictions.
The second guide looks at the requirements that non-EEA managers face when marketing non-EEA alternative investment funds to professional EEA investors.
Should you wish to receive a copy of the updated guides please contact Imogen Garner.
FCA publishes asset management market study: not quite an earthquake but beware of the aftershocks
Authors: Richard Sheen, Imogen Garner and Simon Lovegrove
On June 28, 2017, the FCA published its long awaited final report on its asset management market study. The final report, which is over 100 pages long plus five annexes, confirms some of the findings set out in the FCA’s interim report published on November 18, 2016, in particular the FCA’s assessment regarding competition in the asset management industry, communications with investors and practices in the investment consultancy sector generally.
In summary the FCA found that
- Evidence suggests that there is weak price competition in a number of areas of the asset management industry. This has a material impact on investment returns for investors through the charges they pay for asset management services.
- Despite a large number of firms operating in the market, the FCA’s sample of firms showed the asset management industry has seen sustained, high profits over a number of years.
- Investors are not always clear what the objectives of funds are, and fund performance is sometimes reported against an inappropriate benchmark.
- There is a wider range of investors in the institutional market. This includes many small pension schemes which rely heavily on the advice of consultants. The FCA found concerns about the way the investment consultant market operates.
The FCA proposes numerous remedies but one of the key points to note is that their implementation will take place in a number of stages so the feel of the final report is not quite the seismic shock the asset management industry originally feared. Overall the remedies can be split into three groups.
Final remedies that do not require further consultation
- Recommendation that HM Treasury considers bringing investment consultants into the regulatory perimeter.
- Recommendation to the Department for Work and Pensions to remove barriers to pension scheme consolidation and pooling.
- Recommendation to both industry and representatives to agree a standardised disclosure of costs and charges to institutional investors, asking an independent chair to convene relevant stakeholders to develop this further and working with stakeholders to consider whether any other actions are necessary.
- Launching a market study into investment platforms shortly.
Remedies that the FCA is consulting on alongside the final report
The final report sets out the regulator’s overall proposals but the accompanying consultation paper (CP17/18: Consultation on implementing asset management market study remedies and changes to Handbook) provides the much needed detail on key proposals that are designed to
- Strengthen the duty on fund managers to act in the best interests of investors.
- Require fund managers to return any risk-free box profits to the fund.
- Facilitate switching investors to cheaper share classes.
- Proposals to reject the undertakings in lieu of a market investigation reference.
Remedies for which the FCA gives its initial views on the proposals in the final report and plans to publish detailed consultations at a later stage
- Costs and charges disclosure to retail investors to be consulted on later this year.
- Benchmarks and performance reporting to be consulted on later this year.
- Convening a working group on objectives and consulting on any rule changes at a later stage, subject to the outcome of the working group.
In addition, the FCA states that it will publish its decision later this year on whether to refer the market for investment consultancy services to the Competition and Markets Authority.
The FCA consultation
As mentioned earlier CP17/18 is worth scrutinising as it contains many of the FCA’s key proposals. Like the FCA’s final report it is quite a chunky document being some 78 pages long. The deadline for comments on the FCA’s proposals is September 28, 2017.
The FCA states that the proposals in CP17/18 complement other domestic and European work in the asset management sector including the recast Markets in Financial Instruments Directive and the Packaged Retail and Insurance based Investment Products Regulation. Importantly, where the FCA feels that these initiatives will address concerns, the regulator is not taking any further action.
Single all-in fee
As initially proposed in its interim report the FCA has said that it is going ahead with plans to introduce a single all-in fee to increase the visibility of all charges taken from the fund and impose more discipline on overspend relative to charging estimates. In the final report the FCA notes that most asset managers preferred the current ongoing charges figures becoming an actual charge, with the manager providing an estimate of any implicit and explicit transaction costs. However, mindful that MiFID II comes into place on January 3, 2018, the regulator has said that further work needs to be carried out and it will consult on proposals later this year.
Grouping of remedies in the consultation
The remedies in CP17/18 can be grouped into the following issues
- Moving investors into better value share classes.
- Risk-free box profits.
The changes that the FCA is proposing are intended to strengthen the rules requiring authorised fund managers (AFMs) to act in the best interests of their investors. Changes are also proposed to the governance structure of AFMs.
In relation to the key issue of scope, the remedies that the FCA proposes will apply to all UK-authorised firms that carry out the function of an AFM for collective investment schemes that are authorised and domiciled in the UK, as well as UK UCITS management companies managing EEA UCITS schemes. But they will not apply to UCITS management companies domiciled in the EEA that are accessing the UK market through the UCITS management passport, nor to full-scope Alternative Investment Fund Managers that operate UK funds, or market funds domiciled in the EEA in the UK. The FCA is also not calling into question the role of the depositary of an authorised fund.
The FCA proposes a new value for money rule which requires an AFM to assess whether value for money has been provided to fund investors. This assessment must take place on an ongoing basis and must be formally documented at least once a year. The FCA proposes that the assessment must consider at least the following points: economies of scale, fees and charges, share classes, quality of services and transparency.
In terms of increasing the accountability of the AFM board, the FCA states that when the senior managers’ regime and certification regime is extended to almost all financial services firms it will propose a new prescribed responsibility to ensure that asset management firms comply with the obligation to act in the best interests of investors. This new prescribed responsibility will be allocated to the chair of the AFM board and will include assessing value for money in accordance with the regulator’s rules. The chair of the AFM board will also be responsible for taking ‘reasonable steps’ to ensure that the AFM and its board adhere to the rules. As a senior manager the chair of the AFM board will need to be pre-approved by the FCA.
The FCA also proposes a rule that will require AFMs to appoint a minimum of two, and at least 25% of the total board membership, independent directors to the AFM board who meet certain specified requirements. Such requirements include a proposal that independent directors are not eligible for reappointment to the same AFM board until five years since the end of their last appointment have elapsed. Other eligibility criteria include that the individual may not
- Have been an employee of the AFM or of a company within the AFM’s group or remunerated by them for any role other than as an independent board member. This includes participating in any share option or performance-related pay scheme of the AFM or the AFM’s group.
- Have been an employee of the AFM or of another company within the fund group within the five years before their appointment.
- Have received any sort of remuneration from the AFM group within the five years before their appointment. Also, they may not have had any sort of material business relationship with the AFM or with another company within the AFM’s group within the last three years.
- Have been an employee of any portfolio manager the AFM has delegated to within the five years before their appointment, or have had any material business relationship with that portfolio manager within the last three years.
However, the FCA is not proposing to introduce a rule which limits the number of AFM boards on which a non-executive director may serve. It has also left it to the AFMs themselves to decide whether an independent director should be appointed as chair.
Moving investors into better value share classes
The FCA’s proposals are divided into two issues: investors in pre-RDR classes that no longer pay trail commission and investors in pre-RDR classes that continue to pay trail commission.
In relation to those investors who do not pay trail commission, the FCA proposes to clarify and re-issue the previous guidance contained in Finalised Guidance 14/4 on dealing with hard-to-reach unitholders. It also proposes to clarify that the AFM can undertake a mandatory conversion, if the following conditions are met
- The power to undertake a mandatory conversion must be set out in the prospectus in line with Collective Investment Schemes sourcebook (COLL) 4.2.5R(5)(d).
- The AFM must have made all reasonable attempts to inform unitholders to enable them to give alternative instructions.
- The AFM is satisfied on reasonable grounds that the change will not result in detriment to investors.
The power to undertake a mandatory conversion must also be exercised in accordance with the client’s best interests rule (COBS 2.1.1R(1)).
The FCA’s current position is that trail commission arrangements entered before 2012 can continue under certain conditions. The FCA is not taking steps to introduce an end date for trail commission legacy business although it states in CP17/18 that “it may consider it in the future”. In the meantime the FCA has said that it is exploring the issue in more detail and welcomes any information that firms may provide that will help it understand the magnitude of the issue and the number of investors affected.
Risk-free box profits
The FCA is aware that some AFMs operate a managers’ box which is a mechanism whereby the AFM, using its own capital, stands between the fund and those investors who are entering or leaving the fund, rather than the investors transacting directly with the fund. In dual-priced funds there is a difference between the price investors pay to buy units in the fund and the price to sell units. The FCA’s concern is whether AFMs might be profiting unfairly from box management.
In CP17/18 the FCA acknowledges that there is currently no explicit rule in COLL that allows profits to be made from box management, although the language used in COLL 6.2.9G implies that the manager could keep risk-free box profits.
The FCA proposes that AFMs will be permitted to retain any profits made from holding positions between pricing points when using their own capital. However, an AFM will be required to pass ‘risk-free’ box profits (i.e. profits generated by netting off transactions) to the fund. AFMs will also disclose their policy on operating a manager’s box and how any profits will be treated in the prospectus. COLL 6.6.4R requires a depositary to take reasonable care to ensure that the AFM manages the scheme in accordance with COLL 6.2. The FCA considers that the impact of COLL 6.6.4R is that depositaries will oversee compliance with its proposed rule changes.
Extending the proposals to other retail investment products
The FCA also sets out for discussion its views on extending the consultation proposals to other types of investment products including unit-linked funds, with-profits business, pensions and closed-ended investment companies. In relation to the latter the FCA states that investment trusts will not be in scope of its proposed COLL rules on AFMs to consider value for money. However, some narrow elements of the FCA’s proposed governance remedies already exist, for example listed investment companies are subject to an ‘independence rule’ (Listing Rule 15.2.11R to 15.2.19R). Also, the regulator notes that MiFID II will introduce, from January 3, 2018, product governance requirements for MiFID II scope products which may include investment trusts. The FCA states that it will consider the impact of MiFID II with regard to fund governance issues for investment companies.
Industry association reaction
The Alternative Investment Management Association has published a response to the FCA’s asset management market study:
“While our industry has not been the primary focus of this study, we do of course support the goals of increased transparency and better alignment of interests between fund managers and investors that are at its core. As our own research has found, alternative asset managers actively discuss with institutional investors about how to deliver the best possible value for money. Dynamic fee structures which include high watermarks, hurdle rates, rebates and differentiated fees according to the size of investments or the length of lock-up periods show that the industry is receptive to investor requests for ever-closer alignment. We look forward to working with the FCA on the next steps in this process.” – Jack Inglis, CEO, AIMA.
The Investment Association has also responded:
“Our industry looks after pensions and investments for millions of UK households, helping them to lead more prosperous lives into retirement. With this role comes significant responsibility. We strongly support the FCA’s objective of ensuring our industry serves its customers in a competitive, accountable and transparent manner.
“Many of the key recommendations work with the grain of European legislation already in the pipeline to introduce more clarity and transparency for consumers. We will work closely with the FCA as it looks further into the detail of how to present costs and charges in the clearest way for savers and how it will develop more independent oversight of investment funds in a way that is effective and proportionate.
“We welcome the regulator’s recognition of the industry’s work to date on developing a consistent and transparent disclosure code for charges and costs which can be built on further with consumer groups. The FCA has listened to our calls to make it easier for savers to switch between share classes, which we welcome.
“Asset managers compete every day to attract clients and investors and are focused on delivering the best outcomes for them. Our priority now is to have a meaningful dialogue with the regulator about the implementation of the recommendations, to ensure savers are getting the best possible deal. A pragmatic timetable is key to achieving this, given the major regulatory changes already in the pipeline and the preparations for Brexit.”
Arguably the FCA’s final report is not as onerous nor as sweeping as the asset management industry had feared. However, with the publication of the consultation paper, a future market study into investment platforms and the possibility of a CMA investigation into investment consultancy services there is plenty more to come. As the title of this note states, the FCA final report was not quite an earthquake but beware of the aftershocks.
The FCA approach to cyber-risk
Author: Simon Lovegrove
Cyber-resilience is not just an information technology issue but a regulatory issue that should be high on the agenda of the senior management team of an asset manager.
In his Chairman’s foreword to the FCA Business Plan 2017/18 John Griffith-Jones warned the financial services sector that among the increasing risk areas the regulator had identified one in particular stood out – cyber-resilience.
As recent events have shown, cyber-attacks are increasing in scale and sophistication. However, whilst news and media attention in the UK has focused on the cyber-attack on the National Health Service (UK NHS), cyber-risk is something that has been on the regulatory radar for some time. The reason for this is that the FCA has seen a significant increase in cyber-attacks reported by firms over the past couple of years. Financial crime statistics from the UK Office for National Statistics suggest that there were 2.11 million victims of cybercrime and 2.5 million incidents of bank and credit account fraud in 2015/16 alone. However, it is not just financial institutions that have been targeted. In February 2017 the internal systems of the Polish Financial Supervision Authority were compromised in an attempt to infiltrate Polish banks with malware. In the UK the FCA has seen attempts to use the FCA brand in phishing campaigns against the UK financial sector.
Why is cyber-risk a regulatory issue?
Often cyber-resilience is thought of as solely an IT issue. However, this perspective is flawed as financial institutions’ resilience to cyber-attacks has significant implications for markets and consumers thereby linking it to both the FCA’s and PRA’s statutory objectives. From an FCA perspective the linkage is to both its strategic objective (to ensure that the relevant markets function well) and two of its operational objectives (the protection of consumers and the protection of financial markets).
The FCA rules
Some of the key FCA principles and rules pertinent to cyber-resilience are
- Principle 3 of the Principles for Businesses – a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
- Principle 11 of the Principles for Businesses – a firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
- SYSC 3.1.1 – a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
- SYSC 3.2.6 – a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
- SUP 15.3.1 – a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future: (i) the firm is failing to satisfy one or more of the threshold conditions; (ii) any matter which could have a significant adverse impact on the firm’s reputation; (iii) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or (iv) any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.
What is the FCA looking for?
Following the recent cyber-attack on the UK NHS, the FCA established a cyber-resilience web page, where it summarised its requirements in the following terms:
“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritize their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”
Further “soft” guidance has been given in a speech[1] by Nausicaa Delfas, the FCA Executive Director. One of the key points in her speech was that firms had to get the ‘basics’ right. Many firms believe that they are, but the regulator feels that the reality is different, pointing to the 2016 Verizon Data Breach Investigations Report that found that ten vulnerabilities accounted for 85 per cent of successful breaches in an analysis of 2,260 data breaches and 64,199 security incidents from 61 countries.
Firms conducting rigorous patch management and getting ‘cyber-basics’ right are key for the FCA which argues that firms properly implementing schemes such as ‘Cyber Essentials’ or the ‘10 steps to cyber security’ could eliminate about 80 per cent of the cyber-threat they face. The FCA also wants firms to consider specific cyber-risks, urging them to carry out robust and comprehensive risk assessments focussed on the impact of a distributed denial-of-service (DDoS) attack on their systems.
Whilst accepting that some IT concentration may be inevitable (with iCloud for example) the FCA is also looking for firms to consider concentration risk when subscribing to a given service. In relation to outsourcing to the ‘cloud’ and other third-party IT services, the FCA issued finalised guidance[2] last year which illustrated ways in which the regulator’s rules could be complied with.
Awareness and education are also critical components for firms. In her speech Nausicaa Delfas discussed the need for firms to stop using a staff “policy” as the sole baseline for security training on the basis that staff view this as a corporate piece of paper that is easily forgotten. The FCA has been impressed with firms that have adopted approaches that have taken staff on a journey and have helped them become security focused individuals. Such approaches have included: introducing fake phishing scams, educating staff who click on them, rewarding those who avoid/spot attacks, and taking further action on those who persistently do not.
Nausicaa Delfas also mentioned in her speech that there was a role for non-executive directors who should be able to satisfy themselves that their firm is managing cyber-risk effectively. The Institute of Directors specifically calls for non-executive directors to satisfy themselves “that systems of risk management are robust and defensible.”
Chapter 5 in Part 1 and Chapters 6 and 10 in Part 2 of the FCA’s Financial Crime: A Guide for Firms (the Guide) outline the FCA’s requirements for data security and include examples of good and poor practice.
[2] FCA Finalised Guidance 16/5 – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (July 2016).
Chapter 5 of the Guide covers
- Five fallacies of data loss and identity fraud.
- Case study – protecting customers’ accounts from criminals.
- Case study – data security failings.
In terms of governance the FCA states in the Guide that firms should be alert to the financial crime risks associated with holding customer data and have written data security policies and procedures which are proportionate, accurate, up to date and relevant to the day-to-day work of staff. Adding to this, the Guide sets out the following self-assessment questions
- How is responsibility for data security apportioned?
- Has the firm ever lost customer data? If so, what remedial actions did it take? Did it contact customers? Did it review its systems?
- How does the firm monitor that suppliers of outsourced services treat customer data appropriately?
- Are data security standards set in outsourcing agreements, with suppliers’ performance subject to monitoring?
In terms of controls the Guide states that the FCA expects firms to put in place systems and controls to minimise the risk that their operation and information assets might be exploited by thieves and fraudsters. Internal procedures such as IT controls and physical security measures should be designed to protect against unauthorized access to customer data. The FCA also supports the Information Commissioner’s position that it is not appropriate for customer data to be taken off-site on laptops or other portable devices which are not encrypted. Self-assessment questions on controls include
- Is your firm’s customer data taken off-site, whether by staff or third parties?
- If so, what levels of security exist?
- How does the firm keep track of its digital assets?
- How does the firm dispose of documents, computers, and imaging equipment such as photocopiers that retain records of copies?
- How are access to the premises and sensitive areas of the business controlled?
- When are staff access rights reviewed?
- Is there enhanced vetting of staff with access to lots of data?
- How are staff made aware of data security risks?
Chapter 5 of the Guide reflects the contents of an FSA report that was published in 2008 which set out the findings of a thematic review into how financial services firms were addressing the risk that customer data may be lost or stolen and used to commit financial crime. Despite its age the FSA report is still worth reading.[3]
Chapter 6 of the Guide primarily focuses on controls and includes discussion on access rights, data backup, laptops and disposal of customer data. Chapter 10 of the Guide covers the small firms’ financial crime review and includes coverage of data disposal.
[3] The FSA report can be found at www.fsa.gov.uk/pubs/other/data_security.pdf.
Reporting a cyber incident to the FCA
Under Principle 11 of the Principles for Businesses4 a firm must report material cyber events to the FCA. Firms may consider an incident material if it
- Results in significant loss of data, or the availability or control of its IT systems.
- Impacts a large number of victims.
- Results in unauthorised access to, or malicious software present on, its information and communication systems.
The Hedge Fund Standards Board (HFSB) has on its website some useful materials on cyber-security. In particular it has a cyber-security memo that sets out at a high level
- Cyber-risk management tools.
- A framework for identifying an asset manager’s digital ‘crown jewels’.
- A list of practical steps/’quick wins’.
- An overview of regulatory expectations.
- Information concerning the development of an ‘incident response plan’.
4 A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
The HFSB states on its website that it also runs table-top cyber-attack simulation exercises with its members so that the responses to realistic cyber-attack scenarios can be explored. The website contains the results of the HFSB’s first cyber-attack simulation, dated January 2016, noting that key insights included
- Confusion over responsibilities can prevent an effective response. Managers should not consider cyber-security as just an “IT” issue, given the legal, compliance, investor relations and reputational issues involved.
- Certain types of cyber-attacks may exceed a manager’s internal response capabilities. Managers should be prepared to quickly access external legal and IT expertise.
- Preparation in advance, through a cyber security incident response plan, is important. This planning establishes responsibilities, pre-identifies external resources and speeds decisions should there be an actual incident.
Cyber-resilience is not just an IT issue but a regulatory issue that should be high on the agenda of the senior management team of an asset manager. The senior management team, who are involved in the risk decisions on how to generate revenue, also need to be discussing how to protect critical information and revenue streams and the enabling business processes and systems. These discussions are not just information technology discussions but broader risk discussions surrounding threats, likelihood and tolerance. The leadership team’s understanding of the risks, threats and impacts needs to be clear and routinely updated.
Processes need to be managed holistically which means, among other things, clear policies and standards, good management information and a sensible approach to cyber-compliance. Some formal means of oversight, perhaps through the establishment of a cyber-risk governance committee, might also be needed that leads on the firm’s cyber-strategy, monitoring and reporting of risks and threats, and resiliency initiatives.
Staff training is also key given that many cyber-attacks exploit people and/or processes by using social engineering (for example sending emails with tempting but malicious links). However, such training needs to be innovative, taking staff on a journey which helps turn them into security focused individuals.
Finally, a plan needs to be in place as to how a firm will respond to a cyberattack and the firm then has to ensure that it rehearses it. If it does not, an incident is unlikely to go well.
Legally speaking, can Article 50 be revoked?
Author: Simon Lovegrove
With the UK general election leading to a hung Parliament there have been inevitable questions about Brexit. In this article we step outside the politics and ask whether Article 50 can be legally revoked.
On June 9, 2017, the UK woke up to the news that the general election result was a hung Parliament with no political party gaining an overall majority in the House of Commons. The official election results were
- Conservatives – 318 seats
- Labour – 261 seats
- Scottish Nationalist Party – 35 seats
- Liberal Democrats – 12 seats
- Democratic Unionist Party – 10 seats
- Others – 13 seats
The target number of seats for any party to form a Government in the UK is 326 seats in the House of Commons. At the time of writing it appears likely that the Conservatives with 318 seats will be forming a minority Government with the support of the Democratic Unionist Party (DUP). The DUP has worked with previous Conservative Governments although it will not be in a formal coalition. Theresa May has said that she will remain as Prime Minister.
Setting the scene to Brexit
The general election result is less than a year after the UK’s referendum on EU membership which took place on June 23, 2016. Inevitably questions were raised as to how the general election result will impact Brexit, including whether Brexit could be revoked or suspended.
What happens next to Brexit, whether the “hard Brexit” advocated by Prime Minister May is softened, will be a matter for the politicians which is outside the scope of this article. From a legal perspective the debate regarding whether or not Article 50 can be revoked has been rumbling for some time.
The text of Article 50 of the Treaty on European Union (TEU) provides that:
- Any Member State may decide to withdraw from the Union in accordance with its own constitutional requirements.
- A Member State which decides to withdraw shall notify the European Council of its intention. In the light of the guidelines provided by the European Council, the Union shall negotiate and conclude an agreement with that State, setting out the arrangements for its withdrawal, taking account of the framework for its future relationship with the Union. That agreement shall be negotiated in accordance with Article 218(3) of the Treaty on the Functioning of the European Union. It shall be concluded on behalf of the Union by the Council, acting by a qualified majority, after obtaining the consent of the European Parliament.
- The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.
- For the purposes of paragraphs 2 and 3, the member of the European Council or of the Council representing the withdrawing Member State shall not participate in the discussions of the European Council or Council or in decisions concerning it. A qualified majority shall be defined in accordance with Article 238(3)(b) of the Treaty on the Functioning of the European Union.
- If a State which has withdrawn from the Union asks to re-join, its request shall be subject to the procedure referred to in Article 49.
On March 29, 2017, the UK submitted its letter to the EU Council’s President Donald Tusk formally notifying him of the UK’s intention to withdraw from the EU pursuant to Article 50(2) of the TEU. Importantly, until a withdrawal agreement is concluded between the EU and UK or the negotiating period in Article 50(3) of the TEU expires, the UK remains a member of the EU.
The problem with Article 50
The problem with Article 50 is that it does not specify one way or the other as to whether or not a Member State can revoke an Article 50 notification once it has been submitted. In addition, Article 50 has never been used before.
On May 29, 2017, it was reported in the press that a legal challenge in Ireland on whether Article 50 could be revoked was dropped. The papers were originally lodged in the High Court of Dublin earlier this year in a bid to seek a ruling on the issue from the European Court of Justice. But the claim was ultimately dropped given the length of time the legal challenge would take and the costs involved.
House of Lords
In the UK the House of Lords has been conducting a number of inquiries into Brexit. The Lords’ Constitutional Committee looked into the invoking of Article 50. In relation to a revocation of an Article 50 notification the Lords’ Constitutional Committee summed up the position:
“It is unclear whether the UK could, after triggering Article 50, unilaterally choose to withdraw its notification of withdrawal from the EU (thereby stopping the two year countdown to withdrawal). The House of Lords European Union Committee concluded in 2015 that “There is nothing in Article 50 formally to prevent a Member State from reversing its decision to withdraw in the course of the withdrawal negotiations. The political consequences of such a change of mind would, though, be substantial.” Others argue that once triggered, Article 50 may not be unilaterally revoked by the member state concerned, although it could be reversed by the unanimous agreement of all EU member states.
Participants at our seminar were also divided on this point. As one noted, “there is nothing in Article 50 itself one way or another; it does not say that you can retract or, once invoked, that you cannot retract. So it is left to the lawyers to have those enjoyable disputes to sort it out.” Should any attempt by the UK to unilaterally withdraw its notification under Article 50 be disputed by another member state, the matter would be decided by the European Court of Justice.”
Their Lordships concluded:
“It is unclear whether a notification under Article 50, once made, could be unilaterally withdrawn by the UK without the consent of other EU member states. In the light of the uncertainty that exists on this point, and given that the uncertainty would only ever be resolved after Article 50 had already been triggered, we consider that it would be prudent for Parliament to work on the assumption that the triggering of Article 50 is an action that the UK cannot unilaterally reverse.”
The European Parliament has taken a fairly hard line as regards the possibility of the UK revoking its Article 50 notification on the basis that it could possibly be used as a negotiating tactic. A European Parliament resolution of April 5, 2017 noted that a revocation notification should be subject to conditions set by the EU-27: “whereas a revocation of notification needs to be subject to conditions set by all EU-27, so that it cannot be used as a procedural device or abused in an attempt to improve on the current terms of the United Kingdom’s membership”.
The European Parliament briefing note on Article 50 TEU: Withdrawal of a Member State from the EU discusses revocation further:
“Some have proposed the use of the Article 50 procedure to force a renegotiation of a Member State’s membership of the EU. In this context, the question could be posed as to whether – once a Member State has notified the European Council of its intention to withdraw from the EU, and a withdrawal agreement has been negotiated – it can, depending on the results of the negotiations, unilaterally revoke its notification and suspend the withdrawal procedure. Most commentators argue that this is impossible or at least doubtful, from a legal point of view. Indeed Article 50 TEU does not expressly provide for the revocation of a notice of withdrawal and establishes that, once opened, the withdrawal process ends either within two years or later, if this deadline is extended by agreement.”
“Furthermore, it should be noted that the event triggering the withdrawal is the unilateral notification as such and not the agreement between the withdrawing state and the EU. The merely declaratory character of the withdrawal agreement for cancellation of membership derives from the fact that the withdrawal takes place even if an agreement is not concluded (Article 50(3) TEU).”
Interestingly, the European Parliament briefing note adds:
“This does not mean, however, that the withdrawal process could not be suspended, if there was mutual agreement between the withdrawing state, the remaining Member States and the EU institutions, rather than a unilateral revocation.”
A further discussion of revocation can be found in the European Parliament briefing note, UK withdrawal from the European Union. It states that:
“One important question is whether a notification under Article 50 TEU can be withdrawn once it has been triggered. Article 50 TEU is silent on this matter. Although the Vienna Convention on the Law of Treaties provides that a notification of intention to withdraw from a treaty ‘may be revoked at any time before it takes effect’, the special arrangements of the TEU take precedence.”
“There is wide agreement that the withdrawal process could be suspended if all the other Member States agree to this, as the Member States are the ‘masters of the Treaties’. The European Council, perhaps on condition that the new decision to revoke the notification is taken in conformity with the constitutional requirements of the withdrawing Member State, could therefore decide by consensus to accept any revocation of the Article 50 TEU notification, although the agreement of other EU institutions could possibly also be required. Some commentators have suggested, at least theoretically, two other scenarios if the withdrawing state and the rest of the Member States reached an agreement that the former will not in the end leave the EU: either the future relationship between the EU and the withdrawing Member State, following the ending of the negotiations, merely reaffirms the application of the Treaties to that state; or, the parties could agree to extend the negotiations indefinitely and, possibly, insert a protocol into the Treaties to confirm that the notification of withdrawal under Article 50 has been revoked.”
“By contrast, the unilateral revocation of an Article 50 notification appears much more problematic. Some commentators argue that a Member State cannot unilaterally revoke its notification to leave the EU (in the sense of legally compelling the rest of the Member States to accept this revocation). The event triggering withdrawal proceedings is a Member State’s unilateral notification under Article 50(2) TEU, effectively starting a countdown to the deadline (which may be extended if the European Council, together with the withdrawing Member State, so agrees), by which the withdrawal process must end, unless a concluded withdrawal agreement provides otherwise (Article 50(3) TEU). For this reason, as well as in order to prevent any abuse on the part of the withdrawing Member State – for example, stalling the negotiations by withdrawing the notification, then renotifying and re-starting the two-year period, thus bypassing the agreement of the other Member States – the possibility of a unilateral revocation of the notification at a later date is thought by these commentators to be legally doubtful.”
“Others, however, believe that the unilateral revocation of an Article 50 withdrawal notice is legally possible, if made in accordance with the national constitutional requirements of the withdrawing Member State. In this scenario, if the withdrawing state decided to stop the exit process, the other Member States would not be legally able to force that state to leave the EU. A state expresses its ‘intention’ to withdraw, and an intention may be withdrawn. Any other situation would amount to an expulsion from the EU, which would not have been the purpose of the drafters of Article 50. However, some commentators specify that this unilateral revocation is possible under certain constraints, notably if the Member State has genuinely and in good faith taken a new decision not to withdraw from the EU (a decision which must not be about the rejection of a specific agreement).”
“The Court of Justice of the EU (CJEU) might be called upon to rule on such a revocation’s compatibility with the Treaties; as it is a matter of interpretation of EU law, the CJEU would be the ultimate interpretative authority on the issue.”
Financial institutions will be watching carefully how the politics of Brexit unfold in the next couple of days, particularly as negotiations were to formally begin on 19 June. The European Parliament papers suggest that the withdrawal process under Article 50 of the TEU could be suspended if there is agreement among Member States. Unilateral withdrawal is more problematic and may involve the CJEU. Whilst both are important legal questions, they are to a significantly greater extent political questions.