On 31 January, Brexit became a reality and financial services firms now have less than nine months to finalise and implement their Brexit preparations.
In some firms, vast financial resources and management time have already been expended on Brexit changes, and a well-developed governance framework is in place to support the decision making of the firm and its senior managers. There may be much more to do, but senior managers in these firms should be able to point to a raft of data, systems and controls to demonstrate to the Financial Conduct Authority and the Prudential Regulatory Authority that they are taking reasonable steps.
But not all UK financial services firms are in such a good place. And, paradoxically, those with the least to do may end up, unwittingly, the most exposed and the last to be ready. There’s a risk that this is also true of UK firms which have never exercised EEA passporting rights and firms (such as Article 3 MIFID exempt wealth advisers) which never enjoyed such rights. For these firms:
- Brexit projects may have been set up in the immediate aftermath of the 2016 referendum, which rated the impact of Brexit as low and that little needed to be done;
- board and management committee minutes may lack granularity or demonstrate little engagement on Brexit issues beyond concluding that the firm only has a UK footprint and is not passporting across the EEA; and
- senior managers may have little or no other documented evidence to demonstrate that they have assessed Brexit in a comprehensive way, or considered any potential economic risks of Brexit.
In some cases, this approach may lead to a false sense of security. Besides assessing their own Brexit dependencies, firms should ask themselves whether any of the firm’s key service providers and counterparties (or indeed their material outsourced service providers) have material Brexit dependencies (for example, if they operate in the UK on a branch or services basis). This is especially important in sectors, such as asset management and wealth management, where complex networks of outsourcings and delegations may mean that the Brexit risks and dependencies are not immediately obvious.
Where there is a third party Brexit dependency or sensitivity, a review and repapering exercise should be carried out. Firms should ask themselves:
- will the agreement with the provider or counterparty automatically terminate if their passporting rights are lost?;
- are there regulatory change clauses which give the counterparty excessive discretion to alter the services in the event of Brexit?;
- are boilerplate clauses (for example clauses covering force majeure and transfer of business to another firm) commercially acceptable?; and
- if there is a failure in supply, will continuity of services be assured, including ultimately an ability to take outsourced services back in house?
In our view this exercise should not be confined to the legal function. Operations personnel may have knowledge of changes which have occurred since, for example, the 2016 referendum which have created Brexit dependencies. Firms should also engage with their counterparties to discuss actual or possible Brexit dependencies as these may not always be obvious from a cold read of agreements. Senior managers should also oversee this work and make sure that the engagement is appropriately documented in order to protect their own position, post-SMCR.