By Lynne Carreiro, Managing Director (U.S.), and Rachel Aldridge, Managing Director, Regulatory & Compliance Solutions (UK)
The UK officially exited the European Union on 31 January 2020, but the Implementation Period did not expire until 31 December of that year. As such, it’s been just a year and a half since passporting and other avenues of easy access to the EU from the UK have officially changed.
Financial services firms in the UK and Europe have borne the brunt of Brexit’s impact, but U.S.-based firms are far from immune. London and the Channel Islands have been long-time favorite jurisdictions for American funds seeking a stepping stone into European markets, leaving foreign firms asking the question: Is the UK still a valuable point of entry into European financial markets?
Luxembourg, Amsterdam and Dublin have all gained popularity as alternative launch points, but there is still a place for the UK in helping U.S. managers access the European capital pool—so long as they understand the changes.
Here are the three that, in our view, rank as the most important:
- Regulatory changes
- Data management
- Talent allocation and requirements
In this article, we’ll explore the wide-ranging implications of Brexit for U.S.-based firms looking to market funds in the UK and Europe and the changes they must navigate to stay on the right side of regulators.
Marketing funds in Europe
Firms that market across the EU from a UK-based subsidiary face the biggest potential impact as regulatory permissions have shifted away from the EU umbrella. When the UK was part of the EU, UK-based firms could export and market their products in Europe without needing additional licenses or authorization by way of the “passporting” system.
Since Brexit, the UK has been trying to secure an equivalence agreement with the EU, whereby UK financial firms could regain EU market access on the condition that their regulatory regimes are equivalent. To date, the UK has been unable to negotiate equivalence.
At present, there are two pathways to marketing funds in the EU for UK-based firms:
- NPPR: National Private Placement Regimes (NPPR) will be familiar to U.S. firms already, as it’s the process non-EU firms must follow to obtain approval for marketing funds in an EU member state. (The UK has its own NPPR as well.) Pre-Brexit, many American firms established an office in the UK in part to bypass the need for NPPR, as they could use passporting to gain entry to EU jurisdictions without having to obtain separate approval from each EU Member State.
In effect, NPPR means gaining a jurisdiction-specific license to market in each EU Member state (of which there are currently 27). This may sound like the preferred option, but firms should proceed with caution. The definition of marketing activities, like “reverse solicitation” for example, varies wildly by jurisdiction. Add in the fact that each European country has its own NPPR, and some are easier to decipher than others. If you are contemplating marketing into several jurisdictions, prepare to invest significant time in outlining your regulatory plan.
- Third-party AIFM: For funds marketing to multiple jurisdictions, hiring a third-party alternative investment fund manager (AIFM) is a solution that, while it has attendant monetary costs, is significantly easier to manage for non-EU Firms. Non-EU managers can establish funds managed by a third party or “host” AIFM. A sub-delegation agreement can be made between an EU AIFM and a UK AIFM, enabling U.S. firms to retain their access to the EU via the UK without having to navigate NPPR.
New cross-border regulatory compliance rules have necessitated a review of data repositories, even for UK-based firms. If you’ve used a regulatory host or third-party AIFM, the loss of passporting means you can no longer operate in the EU without taking appropriate steps toward data privacy.
Data privacy laws differ slightly between the UK and Europe, though American firms can effectively extend EU GDPR rules to both, as the UK now has an adequacy agreement with the EU. (The UK’s data protection system is the Data Protection Act 2018.)
What does this mean for American firms? In essence, EU data must remain within the EU. If it leaves EU borders—as when it’s transferred to the UK or the U.S., for example—firms must follow specific data security measures to avoid penalties. Additionally, any potentially sensitive data about an EU citizen (like their contact information, for instance) must be protected per GDPR guidelines.
It’s easy to get into trouble with data privacy because borders don’t exist online, particularly in the cloud.
Here are a few ways to keep data security top of mind:
- Understand where sensitive data resides and who will manage it. The more you know, the less likely your firm will unintentionally violate regulations
- You must self-report breaches to the FCA or ESMA within 72 hours of occurrence. Train internal stakeholders on what qualifies as a breach. The term “breach” may make you think of stolen or compromised files, but it could be as simple as sending an Excel attachment containing sensitive information or failing to adequately protect email communication with an EU-based vendor
- Automate processes whenever possible. For example, regular exports containing sensitive data can be automatically dropped to an SFTP instead of being sent manually via email, which is less secure
- If data management gets overwhelming, hire an expert team. IQ-EQ’s cybersecurity experts can help by auditing your processes and ensuring compliance.
Talent allocation and requirements
If you opt to establish an office in the UK, rules around talent allocation are much stricter than in the States. Firms must ensure the right talent is in place, in the right locations.
Regulatory requirements stipulate that stakeholders with specific titles must reside in-country for an office to earn its residency. In other words, your Chief Risk Officer can’t sit in New York and qualify as the CRO for an EU- or UK-based firm. Key employees must be physically located where their offices sit.
Further, under the Senior Managers and Certification Regime (SMCR), there is very real potential for American employees to get inadvertently involved in the UK’s regulatory environment or to be viewed as senior personnel, regardless of their location. Any person declared to be senior management, corporate directors, or certification staff under an FCA regime is subject to FCA scrutiny, even if they live and work in the U.S.
For example, you must notify the FCA of seemingly unrelated offenses, like involvement in employment litigation. In the FCA’s view, unethical behavior outside the firm may translate to unethical regulated behavior.
Post-Brexit, it is more important than ever to understand where regulations differ when marketing funds in the UK and Europe. Contact our expert team for guidance on how to structure your fund as compliance rules continue to evolve.