GDPR compliance is now front and center

The delayed introduction of UK manager compliance rules means firms can now focus on the General Data Protection Regulation.

Private fund managers in the UK were gearing up for a 2018 regulation marathon but a year-end turn of events dealt them a small reprieve.

The Financial Conduct Authority said in December that the deadline for compliance with the Senior Managers & Certification Regime – the UK equivalent of the US Compliance Rule – will be pushed back a year to 2019. It said it wants to ensure the requirements, which currently apply to banks, are proportionate in their application to firms such as private fund managers.

Simply put, the SM&CR means firms must document and assign specific responsibilities to individual managers, who could then be held personally liable if something within their remit goes wrong.

The delay is particularly good news for the UK firms that are caught by the second Markets in Financial Instruments Directive and which have, in the six months since June, dedicated heavy resources to ensuring compliance by the January 3 deadline, perhaps at the expense of later regulation.

Firms now have no excuse not to turn their attention to the General Data Protection Regulation. The EU legislation comes into force on 25 May, is one of the biggest data protection rules ever conceived, and will impact any fund manager that has clients in the bloc, regardless of where they are based. Preparation among firms is patchy, according to several industry sources.

“We’ve experienced mixed levels of engagement and consequently mixed stages of preparedness, with some struggling to meet its requirements. There is definitely a sense of combat fatigue,” Ian Manson, managing director at fund services firm Duff and Phelps, tells pfm.

This sentiment may have triggered the FCA’s decision to push back the launch of the SM&CR, according to Gurpreet Manku, assistant director general at the British Private Equity and Venture Capital Association. She says the FCA knew firms had a lot on their plate with MiFID II, and that GDPR needs to be the priority now.

The requirements of the regulation are extensive and varied, relating not only to policies around the protection of electronically stored information – including measures to fend off cyberattack – but also how firms obtain, maintain and dispose of personal data, regardless of its form.

Firms that have relationships with external service providers are faced with the added complication of having to renegotiate contracts to ensure that the same level of protection is applied to data transferred to third parties. It is a mammoth task, and it’s not hard to see why some firms are still underprepared.

The financial penalties for non-compliance with the regulation are high – 4 percent of global turnover or €20 million, whichever is higher. But the reputational risk of non-compliance is even greater. As one lawyer put it, if the financial cost of a breach doesn’t put you out of business, the reputational damage will. The FCA has given firms a compliance lifeline. They are advised to grab it with both hands.