Mapping Your Corporate FCA and other Regulatory Universe
Mapping your corporate FCA and other regulatory universe is a critical step towards ensuring full compliance and operational resilience within your organisation. This involves identifying and documenting the people, processes, technology, facilities, and information necessary to deliver each critical operation, as outlined in the FCA Handbook (SYSC 15A.4 Mapping) stated as “SYSC 15A.4.1 R A firm must identify and document the people, processes, technology, facilities and information necessary to deliver each of its important business services. This must be sufficient to allow the firm to identify vulnerabilities and remedy these as appropriate.”
To navigate this complex regulatory landscape, the Financial Services Regulatory Initiatives Forum provides a Regulatory Initiatives Grid, a tool to help financial services industry stakeholders understand the regulatory pipeline. This grid is instrumental in planning and preparing for upcoming regulatory changes, ensuring that your organisation remains ahead of compliance requirements.
Operational resilience is another key area, where the FCA expects firms to be proactive in managing risks related to outsourcing and third-party service arrangements. This includes meeting the operational resilience requirements under SYSC 15A.2, where firms are expected to notify the FCA of any failure to meet an impact tolerance.
The requirement of clear mapping is found in the Outsourcing and Operational Resilience pages of the FCA website “We expect your firm to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each of your important business services. This includes people and other dependencies such as third parties. Your firm should assess the risks and controls in place to ensure it is operationally resilient.”
The FCA’s focus on compliance, culture, and evolving regulatory expectations underlines the importance of adopting a nurturing role within your organisation. This involves engaging with tools such as the 5 conduct questions (5CQ) to foster a compliance-first culture.
Understanding and adhering to the rules and regulations is essential for FCA authorised and regulated firms. Resources and guidance, such as those provided by Gerald Edelman for FCA Regulated Businesses, can offer an easy-to-understand way of navigating this regulatory universe.
Where you include other regulators like the Information Commissioner’s Office (ICO) you are required to map your business and identify controls for any data storage, processing or other control. The ICO states on their website under ‘Records of processing and lawful basis’; “Why is this important? It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle and we may require you to provide these records to us. Your processing won’t be lawful without a valid lawful basis so you must justify your choice appropriately.”