Is your business Brexit-ready?
With Halloween come and gone, and the latest “final” leave date with it, certainty on Brexit seems as remote as ever. In the wake of this latest anti-climax, it might seem tempting for firms to put Brexit preparations on the back burner. But that could be a costly mistake.
The threat of a no-deal departure may have receded for now, but could still return if a ‘deal’ of some kind has not been finalised by the end of next year. Barring the highly unlikely eventuality of the Lib Dems winning December’s election and revoking Article 50, the present uncertainty looks set to continue.
Under the circumstances, it’s hard for the FCA to be too definitive in the Brexit guidance it offers regulated financial services businesses in the UK. In the following blog, we review some of the key strands that have so far emerged.
Preparing for Brexit
The European Union (Withdrawal) Act 2018 will translate current EU legislation into UK law from the moment we withdraw. From that point onwards, however, the UK government has the power to amend this legislation as it deems that circumstances require it. This creates something of a moving target for both regulator and regulated. The FCA has set out its position on legislative change on a page on its website first published last year.
When it last updated its guidance on Preparing your firm for Brexit, on 11 September this year, the FCA focused on issues around passporting, data sharing, and preparing customers for how Brexit might affect them. It also set out how it intends using the temporary transitional power granted it by the Treasury to apply a degree of flexibility in enforcing post-Brexit requirements. The regulator’s proposed transitional provisions specifically exclude a range of regulated firms and individuals – including those subject to the MiFID transaction reporting regime and those subject to EMIR reporting obligations.
In a press release issued on 11 October, the FCA returned with some urgency to the MiFID and EMIR reporting requirements that will face affected firms from day one, stressing that they should be ‘as prepared as possible if there is a no-deal exit, and be aware of what they need to do.’
With the possibility of an imminent no-deal Brexit seemingly very much front of mind, the FCA’s latest press release also reiterated that this would immediately end passporting, with obvious implications for EEA firms operating without UK authorisation, as well as for any affected UK firms yet to provide against this eventuality. However, EEA firms can register for the three-year Temporary Permission Regime and will need to do so very soon if they haven’t already, and some EEA regulators have put transitional arrangements in place of their own, To qualify for some of these, firms may need to register before the withdrawal date.
The FCA has stressed that it expects firms to consider in detail how Brexit could affect the various categories of customers and stakeholders with whom they interact. Having done so, firms are then expected to communicate ‘clearly’ with customers ‘in good time’ and ‘taking care to avoid confusion with multiple messages which could change over time.’
If that sounds like a tall order, given the current political chaos, the regulator concedes that ‘continued uncertainty around Brexit may cause tension between the timeliness and clarity of your communications.’ On which basis, we can probably assume that the crucial consideration is being able to show that you have been through the relevant thought processes and endeavoured to act appropriately under the circumstances.
Data sharing after Brexit
Whatever the outcome of the current Brexit negotiations, the regulatory position on data sharing will not look dramatically different after departure, as GDPR was transposed into UK law in the form of the Data Protection Act 2018.
The UK government has already confirmed that it regards EEA data protection law as adequate. So there will be no impediment to the flow of personal data from the UK to the EEA. The issues arise in respect of data travelling in the opposite direction.
The high probability that UK data protection law will ultimately satisfy the EU is complicated by the fact that the EU has stated that taking a decision on the adequacy or otherwise of the UK data protection regime does not form part of its contingency planning. This creates the prospect of an interim during which UK firms receiving data from EEA entities would need to establish an alternative legal basis on which to do so, pending a formal decision from the EU.
The FCA has stressed that UK firms whose business involves inward data flows from within the EEA should make contingency plans taking account of a) the extent to which their business depends on this (e.g. because of where customers or data centres are located) and b) what risks they would face if no central solution has been found at the time of departure. A key point of reference here is the ICO’s guidance on data protection and Brexit.
Sector by sector
We can help
In the meantime – with time potentially in very short supply – if you’d like immediate practical assistance with the process of preparing your firm for Brexit, Thistle’s expert team can help.