Premium Practice Questions
Question 1 of 30
An internal auditor is evaluating the client money oversight framework of a UK investment firm. The audit reveals that while the firm completes internal client money reconciliations daily, it has set the frequency for external reconciliations with its custodian banks to once every three weeks. The firm’s CASS oversight committee justifies this based on low transaction volumes. Which statement best reflects the auditor’s evaluation of this practice under the FCA CASS rules?
Correct: Under CASS 7, firms must perform external client money reconciliations as often as necessary to ensure their records are accurate, and in any event at least once a month. Since the firm performs these every three weeks, it meets the minimum frequency, though the auditor must still verify that this frequency is appropriate for the firm’s specific transaction volume and risk profile.
Incorrect: Suggesting that external reconciliations must always match the frequency of internal reconciliations is incorrect, as the FCA allows for different cycles based on the nature of the records being compared. Requiring a specific regulatory waiver for a three-week cycle is unnecessary because the interval already falls within the standard monthly maximum allowed by the CASS sourcebook. Focusing on a mandatory 24-hour completion window after internal reconciliations misrepresents the rules, which set a minimum frequency rather than a strict sequential time limit between internal and external processes.
Takeaway: Firms must perform external client money reconciliations as often as necessary, but at least monthly, to ensure record accuracy.
Question 2 of 30
During an internal audit of a London-based investment firm, the auditor evaluates the effectiveness of the electronic communications monitoring system. The firm utilizes an automated lexicon-based surveillance tool that generates approximately 800 alerts per month across the trading desk. Due to staffing limitations, the compliance department performs a high-level review of a random 10% sample of these alerts, closing the remainder without further investigation or justification.
Correct: The FCA expects firms to maintain robust systems and controls to detect market abuse and conduct failings. A random sampling of alerts without a risk-based triage or periodic tuning of the lexicon results in an ineffective surveillance framework. This approach risks ignoring high-risk indicators or clusters of suspicious activity that do not fall within the arbitrary 10% sample, thereby failing to mitigate compliance risk effectively.
Incorrect: The strategy of requiring a 100% manual review by a Senior Manager is an impractical and non-existent regulatory standard that ignores the scale of modern financial communications. The idea that the PRA must pre-approve surveillance software under the SM&CR is a misunderstanding of the regime, which focuses on individual accountability rather than technical product certification. Focusing only on notifications to the Information Commissioner’s Office shifts the audit focus to data protection administrative tasks rather than the core compliance objective of detecting market misconduct.
Takeaway: Surveillance systems must employ risk-based alert disposition to ensure that potential regulatory breaches are identified and investigated effectively.
Question 3 of 30
During an internal audit of a UK investment firm’s market conduct framework, the auditor evaluates the controls surrounding personal account (PA) dealing. To comply with FCA SYSC 10 requirements regarding the management of conflicts of interest, which approach represents the most effective control environment?
Correct: This approach aligns with FCA expectations by combining preventative controls, such as pre-approval and restricted lists, with detective controls like independent reconciliation. It ensures that potential conflicts are identified before execution and that the compliance function can verify the accuracy of staff disclosures against external data sources, fulfilling the requirement to take all reasonable steps to prevent conflicts from adversely affecting clients.
Incorrect: Relying on quarterly self-certification is a weak, retrospective control that does not prevent market abuse or conflicts at the point of trade. The strategy of a blanket prohibition on all ‘buy’ list securities may be overly restrictive and fails to address conflicts arising from ‘sell’ orders or non-equity instruments. Opting for a one-time acknowledgement during onboarding is insufficient as it lacks the ongoing monitoring and periodic reinforcement required to manage evolving compliance risks effectively.
Takeaway: Effective conflict management requires a combination of preventative pre-clearance and independent detective monitoring to ensure regulatory compliance and market integrity.
Question 4 of 30
While conducting a thematic review of a London-based investment firm’s transition to the FCA Consumer Duty, an internal auditor discovers that the firm’s current monitoring framework focuses primarily on process completion rather than customer results. The firm has established clear target markets and price-value assessments, but there is no evidence of ongoing evaluation regarding whether retail clients are actually achieving good outcomes. To address this gap in compliance with the Consumer Duty’s monitoring and reporting requirements, which recommendation should the auditor prioritize?
Correct: The FCA Consumer Duty requires firms to move beyond process-driven compliance and proactively monitor the actual outcomes experienced by retail customers. Under the monitoring obligation, firms must use management information (MI) to identify whether they are delivering the four outcomes: Products and Services, Price and Value, Consumer Understanding, and Consumer Support. This data-driven approach allows firms to identify foreseeable harm and take remedial action where necessary, which is a core expectation of the Duty.
Incorrect: Focusing only on increasing the sample size for technical accuracy checks is a traditional compliance approach that fails to address the Duty’s requirement to evaluate actual outcomes and consumer understanding. The strategy of relying on the absence of formal complaints is flawed because a lack of complaints does not necessarily equate to good customer outcomes or the absence of foreseeable harm. Choosing to conduct a one-time external audit of product governance provides a snapshot in time but does not satisfy the regulatory requirement for ongoing, proactive monitoring of customer results.
Takeaway: Firms must implement outcome-focused management information to proactively monitor and evidence that they are delivering good results for retail customers.
Question 5 of 30
During an internal audit of a UK investment firm’s compliance with the FCA Consumer Duty, the auditor reviews the Price and Value outcome for a newly launched retail multi-asset fund. The firm’s documentation indicates that the product’s fees were benchmarked against three direct competitors with similar investment strategies. However, the auditor notes that the firm has not conducted a substantive analysis of whether the total costs are reasonable relative to the specific benefits provided to the identified target market. Which action should the internal auditor recommend to ensure the firm meets the FCA’s expectations for the Price and Value outcome?
Correct: The FCA Consumer Duty requires firms to ensure a reasonable relationship between the price paid and the benefits received. Benchmarking against competitors is insufficient on its own because it does not account for the intrinsic value of the specific product. Firms must perform a substantive assessment of whether the product provides fair value to the specific target market based on its features, quality, and performance.
Incorrect: Relying solely on competitor benchmarking fails to address the intrinsic value of the product’s specific benefits to the consumer. Simply reducing the headline fee does not guarantee fair value if the underlying benefits or service quality are also diminished. The strategy of relying on disclosure alone is inadequate because the Consumer Duty moves beyond transparency to require firms to proactively deliver good outcomes, regardless of whether costs are disclosed in regulatory documents.
Takeaway: Under the Consumer Duty, firms must demonstrate fair value by assessing the price against the specific benefits provided to the consumer.
Question 6 of 30
During an internal audit of a UK investment firm’s governance framework, an auditor evaluates the firm’s adherence to the Senior Managers and Certification Regime (SM&CR). The auditor notes that while all Senior Management Functions (SMFs) have updated Statements of Responsibilities, the process for individuals in ‘Significant Harm Functions’ appears less robust. Which of the following audit findings identifies the most critical compliance failure regarding the Certification Regime?
Correct: Under the SM&CR, firms are legally required to certify that individuals performing ‘Significant Harm Functions’ are fit and proper at least once a year. Relying solely on initial recruitment checks is a significant regulatory failure because the firm must proactively ensure and document the ongoing competence, honesty, and integrity of these individuals on an annual basis.
Incorrect: The strategy of seeking prior regulatory approval for certified staff is based on a misunderstanding of the regime, as the FCA only pre-approves Senior Managers, while the firm itself is responsible for certifying other staff. Focusing on the Management Responsibilities Map as a tool for listing every employee under Conduct Rules is incorrect, as this document is intended to show the governance structure and the responsibilities of Senior Managers rather than a full staff directory. Choosing to house the administration of Conduct Rule breaches within Human Resources is a matter of internal organizational design and does not inherently constitute a regulatory breach, provided the firm meets its reporting obligations to the regulator.
Takeaway: Firms must perform and document an annual fitness and propriety assessment for all individuals within the Certification Regime to ensure ongoing compliance.
Question 7 of 30
A UK-based investment firm is updating its annual compliance risk assessment following the introduction of the FCA Consumer Duty and a recent expansion into complex retail derivatives. The Internal Audit department is reviewing the methodology used by the Compliance Function to ensure it effectively captures emerging conduct risks. Which approach to the compliance risk assessment would provide the most robust framework for identifying and managing these regulatory risks in line with current UK expectations?
Correct: A robust compliance risk assessment must be proactive and outcome-focused, particularly under the FCA Consumer Duty. By evaluating the entire product lifecycle and focusing on consumer outcomes alongside traditional inherent risk and control analysis, the firm can identify risks before they crystallize. This approach aligns with the requirement for firms to act to deliver good outcomes for retail customers and ensures that the risk assessment is dynamic enough to handle complex new product offerings.
Incorrect: Relying solely on historical data fails to account for new regulatory shifts or risks inherent in new product types that have not yet resulted in breaches. Simply using static metrics like headcount or volume ignores the qualitative nature of conduct risk and the specific complexities of financial instruments. The strategy of depending entirely on front-office self-assessments lacks the independent challenge required for an effective three lines of defense model and may overlook systemic compliance gaps that the first line is not trained to identify.
Takeaway: Effective compliance risk assessments must combine quantitative metrics with qualitative, forward-looking analysis of consumer outcomes and regulatory change.
Question 8 of 30
An internal auditor at a UK-based financial institution is evaluating the firm’s compliance with the regulatory framework following its recent authorization to accept deposits. The auditor is reviewing how the firm manages its relationships with the various regulatory bodies. Under the UK’s established ‘twin peaks’ regulatory model, which of the following best describes the firm’s ongoing supervisory structure?
Correct: In the United Kingdom, the ‘twin peaks’ model divides regulation between the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Firms that engage in activities such as deposit-taking or insurance are dual-regulated. The PRA, which is part of the Bank of England, focuses on the prudential supervision (safety and soundness) of these firms, while the FCA supervises their conduct of business and ensures markets function well.
Incorrect: The strategy of assuming the firm remains solely under the Financial Conduct Authority ignores the regulatory trigger of deposit-taking, which necessitates Prudential Regulation Authority oversight for prudential matters. Suggesting the Bank of England manages retail conduct directly is a misunderstanding of the framework, as conduct remains the remit of the Financial Conduct Authority regardless of the firm’s size. Focusing on the Financial Policy Committee for day-to-day operational risk is incorrect because that committee is responsible for macro-prudential oversight of the UK financial system as a whole rather than individual firm supervision.
Takeaway: Dual-regulated UK firms must satisfy the Prudential Regulation Authority for financial soundness and the Financial Conduct Authority for conduct and market integrity.
Question 9 of 30
An internal auditor at a UK-based investment firm is conducting a thematic review of the firm’s compliance with the FCA’s Client Assets Sourcebook (CASS). During the audit of the client money reconciliation process, the auditor identifies that while the firm performs daily internal and external reconciliations, the supporting documentation for the standard method internal reconciliation is only retained for three years. Which action should the auditor recommend to ensure the firm meets the specific record-keeping requirements under the CASS rules?
Correct: Under the FCA’s CASS rules, firms are required to keep records of their internal and external client money reconciliations for a minimum of five years. This requirement ensures that the firm can demonstrate compliance and reconstruct the position of client money in the event of an insolvency or a regulatory inquiry by the FCA.
Incorrect: Relying on digitisation and secondary backups is a good operational practice but does not address the fundamental regulatory failure to meet the five-year retention mandate. The strategy of switching to an alternative method of reconciliation is incorrect because the alternative method carries more stringent oversight requirements and does not reduce the mandatory five-year record-keeping duration. Focusing only on the frequency of external reconciliations is a procedural change that fails to rectify the underlying breach of the record retention rules specified in the CASS sourcebook.
Takeaway: UK firms must retain CASS reconciliation records for at least five years to comply with FCA record-keeping standards for client assets.
Question 10 of 30
An internal auditor is evaluating the governance framework of a UK-based investment firm. During the review of the Risk Committee’s effectiveness, the auditor notes that while the compliance function provides voluminous monthly reports, the committee members struggle to identify the most significant regulatory threats. To align with the Financial Conduct Authority’s expectations for board and committee support, which enhancement to the compliance reporting process should the auditor recommend?
Correct: A risk-based executive summary is essential for effective governance as it allows the Board and its committees to focus on high-priority issues and strategic threats. Including an assessment of compliance culture aligns with the FCA’s focus on the Senior Managers and Certification Regime (SM&CR) and the Consumer Duty, where the ‘tone from the top’ and cultural health are critical indicators of future compliance performance.
Incorrect: The strategy of providing raw, unedited data is counterproductive because it overwhelms the committee with noise and prevents them from exercising effective oversight. Relying solely on business line managers to interpret regulations removes the necessary expert challenge and independent perspective that the compliance function is required to provide under UK regulatory standards. Focusing only on confirmed breaches is a reactive approach that fails to address the proactive risk management and ‘no surprises’ culture expected by the Financial Conduct Authority and the Prudential Regulation Authority.
Takeaway: Effective board support requires synthesized, risk-prioritized reporting that provides actionable insights into both regulatory trends and organizational culture.
-
Question 11 of 30
11. Question
An internal auditor is evaluating the safeguarding controls of a UK-based investment firm to ensure compliance with the FCA Client Assets Sourcebook (CASS). The firm holds significant amounts of client money across several third-party credit institutions. In comparing different control frameworks, which approach provides the most robust assurance that client money is legally protected in the event of the firm’s insolvency?
Correct
Correct: Under CASS 7, a firm must ensure that a bank has provided a written acknowledgment (a trust letter) before it starts using an account to hold client money. This letter is a critical legal safeguard because it confirms the bank has no right of set-off against the firm’s own liabilities. Combining this with daily reconciliations ensures that the firm maintains the correct amount of segregated funds and identifies discrepancies immediately, which is a core requirement for UK investment firms.
Incorrect: Relying solely on a third-party’s annual audit report is insufficient because it does not verify the specific legal status of the firm’s accounts or the ongoing accuracy of the firm’s own segregation records. Simply conducting monthly reconciliations is inadequate under FCA expectations for most investment firms, as it allows too much time for shortfalls to persist undetected. The strategy of pooling client and firm funds in a single account is a fundamental breach of the CASS segregation rules, which require client money to be kept strictly separate from the firm’s own money at all times.
Takeaway: Robust safeguarding requires formal legal trust acknowledgments from banks and frequent, accurate reconciliations to ensure the continuous segregation of client assets.
Question 12 of 30
During an internal audit of a UK-based investment firm, an auditor identifies that the firm frequently routes client orders to a specific execution venue that provides the firm with research services. While the firm’s Best Execution policy mentions this venue, the auditor notes that the execution quality data for this venue has not been compared against competitors for six months. Which action should the auditor take to most effectively evaluate the firm’s compliance with FCA requirements regarding best execution?
Correct: Under the UK implementation of MiFID II and the FCA’s Conduct of Business Sourcebook (COBS 11.2A), firms must take all sufficient steps to obtain the best possible result for their clients. Internal audit must evaluate whether the firm’s governance and monitoring frameworks are robust enough to detect if conflicts of interest, such as receiving research services, are compromising execution quality. The firm must be able to demonstrate through data that its choice of venue consistently serves the client’s best interests despite any commercial relationships.
Incorrect: The strategy of recommending immediate termination of a service agreement is premature and oversteps the auditor’s role, as the venue might still be providing the best execution despite the conflict. Relying solely on generic disclosures is insufficient because the FCA requires firms to actively manage conflicts and demonstrate execution quality, not just disclose the existence of a relationship. Focusing only on a 10% manual review threshold is incorrect because the FCA does not mandate specific percentage-based sampling; instead, it expects a risk-based and effective monitoring program tailored to the firm’s specific business model.
Takeaway: Best execution requires proactive monitoring and evidence-based justification of venue selection to ensure client outcomes are not compromised by conflicts of interest.
Question 13 of 30
During an internal audit of the governance framework at a London-based investment firm, the auditor reviews the firm’s response to a recent FCA supervisory inquiry regarding the implementation of the Consumer Duty. The auditor notes that while the firm provided all requested data, it failed to disclose a known systemic issue in its legacy product pricing that was discovered during the data collection process but was not specifically requested by the regulator. Which action should the internal auditor recommend to ensure the firm meets its obligations under the FCA’s Principles for Businesses regarding regulatory engagement?
Correct: Under FCA Principle 11 (Relations with regulators), a firm must deal with its regulators in an open and cooperative way. This includes a requirement to disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice. A systemic pricing issue discovered during a regulatory inquiry is a material matter that the FCA would expect to be disclosed proactively, regardless of whether it was specifically asked for in the initial data request.
Incorrect: The strategy of only providing specifically requested data fails to meet the spirit of being open and cooperative as required by the regulatory framework. Simply recording the issue in an internal risk register without external notification ignores the firm’s duty to provide the regulator with notice of significant matters. Opting to delegate the disclosure decision to external auditors is inappropriate because the firm’s management and the Board hold the primary responsibility for regulatory engagement and compliance with the Principles for Businesses.
Takeaway: FCA Principle 11 requires firms to proactively disclose significant matters that the regulator would reasonably expect to be notified about.
Question 14 of 30
An internal audit team at a London-based wealth management firm is reviewing the effectiveness of the firm’s fraud prevention framework. Following the full implementation of the FCA’s Consumer Duty, the Chief Risk Officer is concerned that some automated fraud triggers may be causing foreseeable harm by preventing clients from executing time-sensitive investment instructions. When evaluating the design of these fraud controls, which approach best demonstrates the internal auditor’s consideration of the Consumer Duty’s consumer support outcome?
Correct: Under the FCA’s Consumer Duty, firms are required to support customers in a way that enables them to pursue their financial objectives without facing unreasonable barriers. Internal auditors must evaluate if fraud controls, while necessary for security, have become ‘sludge practices’—excessive friction that prevents customers from making timely decisions or accessing their own money. This ensures the firm is acting to deliver good outcomes and avoiding foreseeable harm, which is a core requirement of the Duty.
Incorrect: The strategy of implementing rigid, percentage-based blocks may protect capital but fails to account for individual customer needs and could create unreasonable barriers to legitimate transactions. Simply updating legal terms to shift liability does not address the firm’s obligation under the Consumer Duty to act in good faith and support customers in avoiding fraud. Focusing only on operational cost savings ignores the fundamental requirement to deliver good outcomes for retail customers and may lead to under-resourced fraud support functions that fail to meet regulatory expectations.
Takeaway: Internal auditors must ensure fraud controls protect customers without creating unreasonable barriers that lead to foreseeable harm under the Consumer Duty.
Question 15 of 30
An internal auditor is reviewing the financial crime controls of a UK-based investment management firm that has recently expanded its client base to include several Politically Exposed Persons (PEPs). The auditor finds that the firm has identified these individuals through its screening software. Which of the following actions, if taken by the firm, would most effectively demonstrate compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017?
Correct: According to the Money Laundering Regulations 2017 and FCA guidance, firms must apply Enhanced Due Diligence (EDD) when dealing with Politically Exposed Persons. This mandatory requirement includes obtaining senior management approval for the relationship, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring of the business relationship to identify any suspicious activity.
Incorrect: The strategy of applying simplified due diligence is incorrect because PEP status automatically necessitates enhanced due diligence regardless of the jurisdiction’s perceived stability. Relying solely on a third-party introducer for all due diligence tasks is insufficient as the firm retains ultimate responsibility for ensuring the adequacy of the checks and must verify the source of wealth. Choosing to perform only a one-time sanctions check at onboarding fails to meet the regulatory expectation for continuous monitoring and the specific risk-based assessments required for high-risk clients.
Takeaway: Firms must apply enhanced due diligence, including senior management approval and ongoing monitoring, for all business relationships involving Politically Exposed Persons.
Question 16 of 30
While conducting an internal audit of the trade surveillance function at a London-based investment firm, you observe that the automated monitoring system for market abuse has been generating an average of 2,500 alerts per month. The compliance team has been closing 98% of these alerts as false positives within 48 hours, but there is no evidence of a secondary review or validation of these decisions. Given the requirements of the UK Market Abuse Regulation and the FCA’s expectations for effective monitoring, which of the following actions should the internal auditor recommend to improve the robustness of the surveillance framework?
Correct: Under the UK Market Abuse Regulation (UK MAR) and FCA guidance, firms must maintain effective arrangements to detect and report suspicious activity. A risk-based calibration ensures that the surveillance system is appropriately tuned to the firm’s specific trading profile and risk appetite, reducing noise while maintaining sensitivity. Furthermore, a quality assurance process is essential to provide oversight and ensure that the compliance team’s decisions to close alerts are accurate, consistent, and well-reasoned.
Incorrect: The strategy of increasing thresholds solely to reduce volume is flawed because it may lead to the firm failing to detect actual instances of market abuse, thereby breaching regulatory requirements for effective monitoring. Simply outsourcing the alert-clearing process does not address the underlying issue of system calibration or the lack of internal oversight and governance. Choosing to move to a manual review process is generally considered inadequate for modern investment firms with high trade volumes, as it lacks the systematic coverage and real-time detection capabilities of automated surveillance systems.
Takeaway: Effective trade surveillance requires both technical calibration of monitoring systems and robust governance through quality assurance of alert dispositions.
Question 17 of 30
An internal auditor at a London-based investment management firm is conducting a risk assessment of the firm’s communications monitoring framework. The firm’s policy strictly prohibits the use of unmonitored encrypted messaging applications for business-related communications. However, recent thematic reviews by the Financial Conduct Authority (FCA) have highlighted industry-wide failures in capturing off-channel communications. Which of the following approaches would provide the most robust assessment of the compliance risk regarding communications monitoring?
Correct: Evaluating the alignment between risk appetite and surveillance parameters ensures that the monitoring system is calibrated to detect the specific risks the firm faces. Testing lexicon-based alerts against actual behavior patterns provides the auditor with evidence of whether the controls are functioning effectively in practice, which aligns with FCA expectations for proactive and risk-based surveillance under the Senior Managers and Certification Regime (SM&CR).
Incorrect: Relying solely on employee attestations is insufficient because it depends entirely on self-reporting and lacks independent verification of actual conduct. Simply comparing volumes against industry averages is a flawed strategy as it does not address the qualitative effectiveness of the firm’s specific controls or its unique risk profile. Focusing only on technical blocks on corporate devices ignores the significant regulatory risk posed by employees using personal devices for business communications, which is a primary concern in recent enforcement actions.
Takeaway: Effective communications monitoring requires aligning surveillance technology with behavioral risks and verifying that controls detect actual policy breaches.
Question 18 of 30
An internal auditor at a mid-sized investment firm in the United Kingdom is evaluating the effectiveness of the firm’s conflict of interest framework. During a review of the personal account dealing (PAD) logs for the previous fiscal year, the auditor discovers that several senior traders executed trades in illiquid stocks shortly before large client orders in the same securities were processed. Although the firm has a conflict of interest policy, the current manual reporting process failed to identify these overlapping trades. To align with FCA requirements for managing conflicts of interest, which recommendation should the auditor prioritize?
Correct: The FCA’s SYSC 10 rules require firms to maintain effective organizational and administrative arrangements to prevent conflicts from adversely affecting client interests. In the context of personal account dealing, moving from a manual, reactive process to a proactive pre-clearance and automated surveillance model provides the necessary preventative and detective controls to mitigate risks like front-running and ensure the firm is acting in the client’s best interest.
Incorrect: The strategy of updating definitions for connected persons and external interests focuses on different conflict types and fails to address the immediate risk of trading misconduct identified in the audit. Relying on increased sanctions and training is a secondary control that influences behavior but lacks the technical oversight needed to detect specific trading overlaps in real-time. Choosing to enhance client disclosures is considered a last resort under FCA rules and does not replace the firm’s primary obligation to manage and prevent the conflict through robust internal controls.
Takeaway: Firms must prioritize robust preventative and detective controls, such as pre-clearance and automated monitoring, to manage specific conflicts like personal account dealing.
Question 19 of 30
During an internal audit of a UK-based investment firm’s governance framework, the auditor observes that the Compliance Officer provides a high-level quarterly summary to the Board of Directors. The report focuses on general industry trends but omits specific details regarding recent Financial Conduct Authority (FCA) information requests and the progress of remediation for internal compliance breaches. Which recommendation should the internal auditor make to most effectively enhance the Board’s ability to provide oversight and challenge under the Senior Managers and Certification Regime (SM&CR)?
Correct: A standardized reporting framework ensures that the Board receives consistent, granular, and actionable data. By including logs of regulatory interactions and the status of remediation, the Board can monitor the firm’s relationship with the FCA and the effectiveness of the compliance function. This structured approach supports the SM&CR requirement for senior managers to exercise reasonable steps in their oversight duties and provides a clear audit trail for governance effectiveness.
Incorrect: The strategy of relying solely on external consultancies for monthly reviews can undermine the internal compliance function’s accountability and may not be sustainable for long-term governance. Opting for verbal-only reporting is a significant failure in governance as it prevents the Board from performing longitudinal trend analysis and leaves the firm without a robust record of what was reported and challenged. Choosing to have the Board review every piece of regulatory correspondence is an inefficient use of non-executive time that risks information overload and blurs the line between executive management and oversight responsibilities.
Takeaway: Effective governance requires structured, data-driven reporting that enables the Board to monitor regulatory relationships and track the resolution of compliance failures.
Question 20 of 30
While conducting an internal audit of a UK-based discretionary investment manager, you review the firm’s transition to the FCA’s Consumer Duty. You find that the firm has simplified its fee disclosure documents; however, the effectiveness testing for these documents was performed exclusively on a focus group of professional clients. The firm’s client base actually consists of 60% retail investors, many of whom are classified as having characteristics of vulnerability. Which recommendation should the auditor make to ensure compliance with the Consumer Understanding outcome and SM&CR expectations?
Correct: The FCA’s Consumer Duty requires firms to ensure that communications are likely to be understood by the specific customers they are intended for, which necessitates testing with a representative sample of the actual target market. Under the SM&CR, the relevant Senior Manager (SMF) is accountable for ensuring the firm’s culture and processes deliver these outcomes. Testing only professional clients fails to account for the retail investors and those with characteristics of vulnerability who may require different levels of clarity to make informed decisions.
Incorrect: The strategy of focusing only on professional clients, even with a larger sample size, fails to address the specific needs and literacy levels of the retail segment which forms the majority of the firm’s base. Relying solely on a lack of complaints is an insufficient reactive measure, as the Consumer Duty mandates proactive monitoring and evidence of positive outcomes. Choosing to delegate the assessment of clarity to external legal counsel is inappropriate because the firm cannot outsource its regulatory accountability, and technical legal accuracy does not guarantee consumer understanding.
Takeaway: Consumer Duty requires proactive, representative testing of communications to ensure they support informed decision-making across all target market segments.
Question 21 of 30
An internal auditor is evaluating the effectiveness of a UK investment firm’s compliance framework following the introduction of the Consumer Duty. The firm is planning to launch a complex retail structured product. When assessing the adequacy of the compliance risk assessment process for this new venture, which action should the auditor expect the compliance function to have prioritized first?
Correct: Mapping regulatory requirements to the product lifecycle ensures that the compliance function identifies specific obligations under the FCA Handbook and the Consumer Duty. This proactive approach allows the firm to mitigate risks of non-compliance and consumer harm before the product is launched, aligning with the requirement for a robust compliance risk assessment.
Incorrect: The strategy of updating high-level statements is a generic step that lacks the granular detail needed for a robust risk assessment of a specific new product. Implementing surveillance systems before completing a risk assessment is premature and may lead to misaligned monitoring priorities. Relying on insurance coverage addresses the financial impact of risks rather than identifying and mitigating the underlying compliance failures.
Takeaway: Effective compliance risk assessments require a detailed mapping of regulatory obligations against specific business activities to prevent consumer harm and ensure compliance.
Question 22 of 30
An internal auditor at a UK-based investment firm is conducting a review of the firm’s compliance with the FCA Client Assets Sourcebook (CASS). The audit reveals that while the firm performs external client money reconciliations daily, internal reconciliations are only conducted on a monthly basis despite a high volume of daily transactions. Additionally, the auditor finds that the CASS Resolution Pack (CASS RP) has not been reviewed or updated since the firm introduced a new outsourced custody platform four months ago. What is the most appropriate audit recommendation to address these findings?
Correct: Under CASS 7, firms must perform internal reconciliations as often as is necessary to ensure the accuracy of their records, which for high-volume firms typically necessitates a daily frequency. Furthermore, CASS 10 requires firms to maintain a CASS Resolution Pack that is accurate and capable of being retrieved within 48 hours to assist an insolvency practitioner; a failure to update this pack after a significant change in custody arrangements represents a major compliance breach.
Incorrect: The strategy of maintaining monthly reconciliations with quarterly manual checks is insufficient because it does not address the immediate risk of ledger inaccuracies in a high-volume environment. Relying solely on an outsourced provider’s audit reports is inappropriate as the firm retains ultimate regulatory responsibility for its own CASS RP and internal record accuracy. Opting to reclassify assets under Title Transfer Collateral Arrangements as a means to avoid compliance is a significant conduct risk and may not be legally or commercially appropriate for the firm’s client base.
Takeaway: Firms must align reconciliation frequency with transaction volume and ensure the CASS Resolution Pack reflects current operational structures.
Question 23 of 30
A UK-based investment firm is reviewing the structure of its compliance function following a period of rapid growth. The Board proposes that the Head of Compliance (SMF16) should report directly to the Chief Operating Officer (COO) to ensure compliance advice is integrated into daily operations. As an internal auditor evaluating this proposal, which consideration is most critical regarding the independence of the compliance function under FCA requirements?
Correct: The FCA’s SYSC rules require that the compliance function operates independently of the business units it monitors, which is best achieved through a direct reporting line to the Board or a relevant committee. This structure ensures that the Head of Compliance can provide objective challenge to senior management without fear of reprisal or undue influence from operational leaders like a COO.
Incorrect: Integrating the function into the first line of defence risks blurring the distinction between operational management and independent oversight. Aligning compliance bonuses with firm profits creates a significant conflict of interest that could discourage the reporting of regulatory breaches. Restricting the function to an advisory-only role fails to meet the FCA requirement for the compliance function to monitor and regularly assess the adequacy of policies.
Takeaway: The compliance function must maintain independence from business lines by having a direct reporting line to the Board.
Question 24 of 30
A UK-based investment firm is undergoing an internal audit of its compliance monitoring and surveillance framework. The auditor is specifically reviewing the firm’s ability to detect potential market abuse in accordance with FCA expectations and the UK Market Abuse Regulation. The firm currently utilizes automated trade surveillance software but manages its electronic communications monitoring through a separate, independent system. What practice should the internal auditor recommend to enhance the effectiveness of the firm’s surveillance capabilities?
Correct: The FCA has increasingly emphasized the importance of holistic surveillance, which involves integrating different data sources to gain a complete picture of market activity. By correlating trade alerts with communication data, such as emails or Bloomberg chats, firms can better identify the ‘intent’ behind a trade, which is a critical component in proving market abuse. This integrated approach allows compliance teams to see if a suspicious trade was preceded or followed by relevant discussions, providing the necessary context that siloed systems often miss.
Incorrect: Relying on increased random sampling while keeping systems independent fails to address the need for contextual analysis and often results in fragmented oversight. The strategy of focusing only on high-frequency traders ignores the risk posed by manual or lower-volume desks where significant insider dealing or price manipulation can still occur. Choosing to allow front-office desks to perform the primary review of their own alerts creates a fundamental conflict of interest and undermines the independence required for an effective three-lines-of-defence model.
Takeaway: Effective market abuse detection requires integrating trade surveillance with communications monitoring to provide context and identify the intent behind suspicious transactions.
Question 25 of 30
An internal auditor is evaluating the governance framework of a UK-based investment manager to determine how effectively the compliance function supports the Board Risk Committee. During the review of the quarterly reporting pack, the auditor notes that the firm is struggling to integrate the monitoring requirements of the Consumer Duty into its existing risk assessment framework. To ensure the Board can effectively discharge its oversight duties under the Senior Managers and Certification Regime (SM&CR), which approach by the compliance function provides the most robust support for the Board’s risk assessment process?
Correct: Under the UK’s Consumer Duty and SM&CR, the Board requires meaningful management information to assess whether the firm is delivering good outcomes for retail customers. A thematic analysis of root causes allows the Board to move beyond raw data and understand the underlying systemic issues that could lead to foreseeable harm. This qualitative insight is essential for the Board to challenge the executive team and ensure the firm’s risk appetite is appropriately calibrated to protect consumers and maintain market integrity.
Incorrect: The strategy of presenting a raw log of regulatory notifications fails to provide the Board with an assessment of how those changes specifically impact the firm’s unique risk profile or business model. Relying on external auditors to validate the primary risk assessment is inappropriate as it shifts the fundamental responsibility for risk management away from the firm’s own governance structure and the relevant Senior Management Functions. Focusing only on training completion and filing deadlines provides a narrow, compliance-by-checklist view that ignores the substantive conduct risks and outcome-based monitoring required by modern UK regulation.
Takeaway: Effective Board support requires compliance to provide thematic, insight-driven reporting that enables senior management to identify and mitigate systemic conduct risks.
Question 26 of 30
An internal auditor is conducting a review of a UK investment firm’s compliance with the CASS 6 custody rules regarding assets held with a third-party custodian. During the audit of the safeguarding controls, which of the following should the auditor prioritize as the most critical evidence that the firm has legally protected its clients’ assets from the custodian’s own creditors?
Correct: Under the FCA’s CASS 6 rules, a firm must ensure that any third party holding client assets provides a written acknowledgment. This letter is a fundamental safeguarding requirement because it provides legal certainty that the custodian has no right to use client assets to offset the firm’s own corporate liabilities or debts. Without this specific legal protection, client assets could be at risk in the event of the firm’s or the custodian’s insolvency.
Incorrect: Focusing only on credit ratings is a valid part of counterparty risk management but does not fulfill the specific regulatory requirement to legally ring-fence assets. Relying solely on the custodian’s internal control reports provides general assurance about their environment but fails to confirm the specific legal status of the firm’s client assets. Choosing to prioritize system integration and straight-through processing improves operational efficiency and reconciliation speed but does not provide the necessary legal protection against third-party claims or liens.
Takeaway: Firms must obtain a formal acknowledgment letter from custodians to legally protect client assets from liens and rights of set-off under CASS rules.
Question 27 of 30
During an internal audit of a UK-based investment firm’s market abuse framework, an auditor evaluates the effectiveness of the automated trade surveillance system. Which of the following findings would represent the most significant deficiency in the firm’s compliance with the UK Market Abuse Regulation (UK MAR) regarding the detection of market manipulation?
Correct: Under the UK Market Abuse Regulation (UK MAR), firms are required to maintain effective arrangements, systems, and procedures to detect and report suspicious orders and transactions. This mandate explicitly includes the monitoring of order cancellations and modifications, as these are key indicators of manipulative behaviors such as layering or spoofing. A system that ignores non-executed order activity fails to capture the full scope of potential market manipulation and does not meet the regulatory expectations for comprehensive surveillance.
Incorrect: The strategy of using manual risk-based sampling for communications is often acceptable under the principle of proportionality, provided the firm can demonstrate the approach is effective for its specific risk profile. Focusing only on the compliance department’s role in triaging alerts describes a standard operational workflow that ensures technical expertise is applied before formal escalation. Choosing to deliver training via standardized annual online assessments is a common industry practice that satisfies the general requirement for staff awareness, even if more frequent or tailored methods might be considered best practice.
Takeaway: UK MAR requires surveillance of both executed trades and unexecuted orders, including cancellations, to effectively detect and report market manipulation.
Question 28 of 30
While conducting a thematic review of the trading desk at a London-based asset manager, an internal auditor identifies that 85% of trades in illiquid UK equities are routed to a single Multilateral Trading Facility (MTF). The auditor discovers the firm’s parent group recently acquired a 15% equity stake in this MTF. Although the Best Execution policy mentions this relationship, there is no evidence of recent comparative analysis against other available venues. What is the most appropriate recommendation to address the regulatory risk identified?
Correct: Under the FCA’s Conduct of Business Sourcebook (COBS), firms must take all sufficient steps to obtain the best possible result for their clients. When a conflict of interest is present, such as an ownership stake in a venue, the firm must be able to demonstrate that this does not result in detriment to the client. Regular benchmarking and documented justification are essential to prove that the chosen venue remains the most effective choice for achieving best execution and that the conflict is being managed effectively.
Incorrect: Choosing to mandate immediate diversification regardless of execution quality might lead to worse outcomes for clients if the alternative venues lack the necessary liquidity for illiquid stocks. The strategy of simply revising disclosures is insufficient under the Consumer Duty and COBS, as firms must actively manage and mitigate conflicts rather than just disclosing them. Focusing only on delegating to a third-party provider does not absolve the firm of its regulatory obligation to oversee its execution arrangements and ensure they remain fit for purpose.
Takeaway: Firms must use data-driven benchmarking to justify venue selection when potential conflicts of interest could influence execution decisions.
Question 29 of 30
During sanctions screening, the compliance officer at an audit firm in the United Kingdom reviews an incident report showing that a recently acquired subsidiary, classified as a non-small and non-interconnected (non-SNI) investment firm under the Investment Firm Prudential Regime (IFPR), has experienced a 25% increase in its projected fixed overheads due to a major IT infrastructure overhaul. The firm’s current liquid asset holdings consist mainly of trade receivables and a small cash reserve. The internal capital and risk assessment (ICARA) process now indicates a potential shortfall against the Basic Liquid Assets Requirement (BLAR) over the next quarter. The Board is considering delaying recognition of these new overheads in its regulatory returns to maintain a favorable capital ratio while it seeks additional funding. What is the most appropriate course of action for the compliance officer to ensure adherence to UK prudential requirements?
Correct: Under the Investment Firm Prudential Regime (IFPR) and MIFIDPRU 7, firms must maintain an Internal Capital and Risk Assessment (ICARA) that reflects their current risk profile. The Basic Liquid Assets Requirement (BLAR) must be met with high-quality liquid assets, such as cash or government bonds, rather than illiquid trade receivables. Promptly updating the ICARA and notifying the Financial Conduct Authority (FCA) of potential breaches is a core requirement under Principle for Businesses 11. This ensures the firm remains viable or can undergo an orderly wind-down as required by the prudential framework.
Incorrect: The strategy of reclassifying trade receivables as liquid assets fails because the FCA strictly defines eligible core liquid assets to ensure they are available during stress. Relying solely on group-level capital surplus without updating the individual subsidiary’s ICARA ignores the requirement for each regulated entity to demonstrate its own financial adequacy. Pursuing a waiver for the Fixed Overhead Requirement is not a viable regulatory path as these requirements are fundamental pillars of the IFPR framework. Focusing only on future funding while delaying the recognition of current overheads in regulatory returns constitutes a breach of reporting integrity and transparency standards.
Takeaway: UK firms must maintain eligible liquid assets against their Fixed Overhead Requirement and update their ICARA immediately when material financial changes occur.
Question 30 of 30
A UK-based investment firm is revising its internal policies to comply with the FCA Consumer Duty. The firm operates across retail advice, discretionary fund management, and execution-only platforms. The Compliance Officer must ensure the new Vulnerable Customers Policy is robust enough to protect diverse client groups while remaining practical for different operational teams. Previous audits suggested that while staff understood the general concept of vulnerability, they struggled to apply it consistently in complex scenarios. The firm needs a policy development approach that bridges the gap between high-level regulatory expectations and daily frontline operations. Which safeguard provides the strongest protection in this context?
Correct: The approach integrates cross-functional assessments with outcomes-based metrics to ensure the policy is effective across different business lines. Board-level approval by the Consumer Duty Champion aligns with SM&CR accountability requirements. This ensures the policy is not just a document but a functional framework for delivering good outcomes.
Incorrect: Implementing a detailed procedural manual with fixed scripts fails to address the unique and evolving needs of individual vulnerable customers. The strategy of adopting high-level principles without specific internal thresholds leads to inconsistent application across the firm. Focusing only on retrospective file reviews is a reactive measure that fails to prevent foreseeable harm during the policy development stage.
Takeaway: Policy development must combine senior management accountability with measurable outcome metrics to ensure consistent firm-wide compliance with the Consumer Duty.