Insights

Our compliance insights reflect the real issues we see across our client base, from governance and oversight to culture, controls, and regulatory change. Articles draw on our consultants’ experience with wholesale banks, asset managers, brokers, platforms, and other financial services firms, focusing on practical implications rather than restating the rulebook. You can use these pieces to brief senior management, inform board discussions, or support training and awareness across compliance and risk teams.

Browse below or filter by topic to find compliance insights that support your specific governance and regulatory needs. To learn more about our consultancy, visit the About Leaman Crellin page. In addition, these articles explore themes such as conduct and culture, compliance frameworks, supervisory engagement, and emerging regulatory priorities. New content is added regularly, so you can return to this page or subscribe to our newsletter to stay informed about key developments and practical compliance guidance.

We always welcome additional expert commentary so please get in touch if you’re interested in sharing your views or content around a particular topic.

To receive these articles direct to your inbox, you can register to receive our newsletter.

Latest compliance insights

Understanding FCA and PRA Fee Blocks

What Are Fee Blocks?

Fee blocks are the regulatory mechanism by which the FCA and PRA allocate their annual funding requirements across authorised firms. In essence, both regulators group firms undertaking similar regulated activities into distinct fee blocks. Each firm then pays fees according to the blocks it occupies based on its permissions.

The FCA allocates its Annual Funding Requirement (AFR) across these fee blocks. Each block groups firms conducting broadly similar regulated activities. Consequently, fee blocks exist for deposit acceptors, insurers, fund managers, investment firms, mortgage intermediaries and numerous other categories. Meanwhile, the PRA operates a simpler structure with seven fee blocks covering deposit acceptors, insurers, Lloyd’s participants and designated investment firms.

FCA Fee Block Structure

The FCA’s fee block architecture comprises several main categories. Most notably, the A blocks cover most authorised firms. These include A.1 for deposit acceptors and A.3 and A.4 for general and life insurers respectively. Similarly, A.7 covers fund managers whilst A.10 relates to firms dealing as principal. Meanwhile, investment and home finance intermediaries occupy A.13, A.14 and A.18. General insurance distributors fall within A.19.

Importantly, firms can occupy multiple fee blocks simultaneously. For example, a wealth manager might appear in A.7 for fund management and A.13 for investment advice. In this way, each permission triggers allocation to the corresponding block.

Additional fee blocks serve specialist sectors. Specifically, the B blocks cover recognised investment exchanges and benchmark administrators. The C blocks relate to collective investment schemes. Consumer credit firms occupy either CC1 or CC2 depending on permission type. Finally, the G blocks capture payment services and e-money institutions.

PRA Fee Block Categories

The PRA maintains seven fee blocks. First, A0 represents the minimum fee block for smaller firms. Next, A1 covers deposit acceptors including banks and building societies. Fee blocks A3 and A4 apply to general and life insurers respectively. The Lloyd’s market occupies A5 for managing agents and A6 for the Society itself. Finally, designated investment firms dealing as principal fall within A10.

Notably, dual-regulated firms pay fees to both regulators. In these cases, the FCA charges £1,000 minimum for such firms whilst the PRA charges £600. This contrasts with the £2,000 minimum for FCA-only firms.

How Fee Allocation Works

Both regulators assess the supervisory costs for each fee block. They then allocate their total budget proportionally. Specifically, the FCA divides its Annual Funding Requirement based on anticipated regulatory activity within each sector.

Firms pay fees calculated using tariff data. This measures business scale through metrics like annual income, funds under management or mortgage numbers. In practice, the regulator divides the block’s allocation by total tariff data. This produces a rate per unit which then multiplies against each firm’s individual tariff.

Importantly, thresholds exist within most blocks. Firms below the threshold pay only minimum fees. Typically, the FCA aims for around 35 to 45 per cent of firms to fall below these thresholds. This approach prevents smaller firms subsidising larger competitors.

Why Correct Fee Block Classification Matters

Incorrect fee block allocation creates multiple compliance risks. Most obviously, firms in wrong blocks pay incorrect fees. Under-allocation means potential regulatory action for underpayment. Conversely, over-allocation wastes money and distorts internal budgeting.

Furthermore, the regulators determine fee blocks from stated permissions. Permissions must accurately reflect actual business activities. Consequently, discrepancies trigger supervisory attention beyond just fees. Indeed, the FCA and PRA view permission accuracy as fundamental to proper regulation.

Additionally, wrong classifications affect more than current fees. They also influence Financial Services Compensation Scheme levies and Financial Ombudsman Service charges. Therefore, multiple levy calculations flow from fee block placement. As a result, errors compound across all charges.

Moreover, business changes necessitate permission reviews. Launching new products or services may require additional permissions. These then determine to which new fee blocks a firm is allocated.

Checking Your Fee Block Allocation

The Financial Services Register provides the starting point. This public register shows all firm permissions. Therefore, review your entry regularly. Then compare stated permissions against actual business activities.

Next, your annual fee invoice lists allocated fee blocks. The FCA issues invoices through its Online Invoicing System each Spring. The invoice details each block and corresponding tariff data. Accordingly, check these match your permissions and activities.

Additionally, the FCA Handbook contains definitive fee block definitions. Specifically, FEES 4 Annex 1A specifies which permissions trigger which blocks. Therefore, cross-reference your permissions against these rules. The Handbook also details tariff bases for each block.

Steps When Changes Are Needed

First, identify all required permission changes. Map current activities against current permissions. Then note discrepancies. Determine which permissions require variation, addition or removal.

Next, apply through Connect for FCA permission changes. The system handles Variation of Permission applications. Prepare supporting documentation explaining the business rationale. Bear in mind that applications adding fee blocks incur charges. Very roughly, you can expect to pay 50 per cent of the relevant authorisation fees for new block entry.

Importantly, timing matters significantly. Applications must reach the FCA by 31 March to affect the following year’s fees. Meanwhile, the PRA deadline falls in February. Missing these dates means paying fees for the full coming year regardless.

Furthermore, dual-regulated firms coordinate with both regulators. PRA permission changes often require parallel FCA variations. Therefore, ensure consistency across both applications. Otherwise, misalignment creates complications.

Additionally, monitor fee implications during the process. New fee blocks mean additional charges. Calculate projected costs before applying. Then budget accordingly. Remember minimum fees apply per block in many cases.

Finally, update internal records once approved. Amend compliance manuals and procedures. Brief relevant staff on permission changes. Also ensure tariff data collection covers new activities. Ensure you submit accurate data when regulators request it.

Ongoing Monitoring Requirements

Review permissions annually as minimum practice. Business evolution often outpaces permission updates. Therefore, regular audits catch discrepancies early. Conduct reviews before tariff data submission deadlines each year.

Meanwhile, track regulatory developments affecting fee blocks. The FCA and PRA consult on fee changes annually. These consultations appear in Spring. Changes may affect block definitions or tariff bases. Accordingly, stay informed through policy statements.

Furthermore, document the review process thoroughly. Record permission assessments and conclusions. Maintain evidence of business activity verification. This documentation proves diligence if questions arise later.

Finally, consider external reviews periodically, as independent assessments provide fresh perspectives that internal teams can sometimes overlook. This is a service that the team at Leaman Crellin provides.

Conclusion

Fee block classification represents more than administrative housekeeping. Accuracy ensures proper regulatory funding whilst avoiding compliance breaches. Clearly, permissions must reflect reality. Regular reviews prevent drift between permissions and activities.

Fortunately, both regulators provide clear guidance on fee blocks and classifications. Use their handbooks and fee schedules. Proactive management prevents problems.

Moreover, the annual cycle provides natural review points. Tariff data submission and fee invoicing prompt permission checks. Therefore, build reviews into compliance calendars. Make verification routine rather than reactive.

Ultimately, correct fee block placement benefits everyone. Regulators receive appropriate funding for supervision. Firms pay fair shares based on actual activities. The system functions when participants maintain accuracy.

2026 Regulatory Priorities

As the new year approaches, compliance officers yet again face a year ahead of regulatory change. The convergence of technological innovation, operational resilience requirements, and enhanced accountability frameworks presents both challenges and opportunities. This article examines the critical regulatory priorities and provides practical guidance on preparing your firm for the year ahead.

Basel 3.1 Implementation

Time to Finalise Your Approach

The Prudential Regulation Authority (PRA) has confirmed Basel 3.1 standards implementation will commence on 1 January 2027, following a 12-month delay from the original 1 January 2026 date. This provides critical breathing space, but compliance officers must help their business heads to resist complacency and use this period strategically.

The PRA’s near-final rules enhance UK market competitiveness through reduced capital requirements for SME lending and infrastructure projects. Whilst the implementation date has moved, the nature of these changes demands immediate action.

Practical implications

The delay affects immediate data submission deadlines, which can also be treated as paused. However, firms should continue working through the potential capital impact of Basel 3.1 rather than standing still.

The Bank of England will conduct a Bank Capital Stress Test in 2025 involving the UK’s largest and most systemic institutions. Results will inform capital buffer settings at both firm and system-wide levels.

What to do now

  • Review your capital models against the near-final rules.
  • Identify where reduced SME and infrastructure capital requirements might benefit your portfolio strategy.
  • Ensure your data infrastructure can support the new reporting requirements when they activate in 2027.
  • Consider whether the delay creates opportunities to enhance your approach rather than simply postpone work already underway.

Operational Resilience and Third-Party Risk

Beyond Box-Ticking

March 2025 marked a watershed when firms were required to demonstrate their ability to remain within impact tolerances for all important business services during severe disruptions. The PRA emphasises that operational resilience must become a key board consideration for any business expansion, signalling a fundamental shift from tactical compliance to strategic risk management.

Third-party risk management continues to evolve rapidly. The PRA explicitly highlights concerns about the financial health of suppliers, requiring firms to be “mindful” and conduct robust ongoing diligence on material third parties. Critically, this extends to intra-group providers, challenging traditional assumptions about the safety of internal arrangements.

For many firms, the intersection of operational resilience with cybersecurity threats creates compound risks. Geopolitical uncertainty intensifies threats to operational resilience, particularly for firms operating across borders.

Practical implications

Your important business services framework should now be embedded in decision-making processes. When your firm considers new business lines, geographic expansion, or technology changes, operational resilience implications must feature in board papers. The days of operational resilience as a compliance project are over. It is now a strategic governance requirement.

On third-party risk, the PRA’s focus on supplier financial health requires more sophisticated monitoring. You cannot simply conduct annual reviews of service delivery quality. You need real-time awareness of your critical suppliers’ financial stability, particularly in the current economic environment.

What to do now

Audit your board papers from the past six months. Are operational resilience considerations explicitly addressed in expansion proposals? If not, work with your governance team to embed this requirement.

For third-party risk, identify your critical service providers and establish quarterly financial health monitoring. Consider credit ratings, financial statements, and market intelligence.

For intra-group arrangements, apply the same rigour you would to external providers. Corporate structures provide less protection than you might assume during stress events.

Digital Operational Resilience Act (DORA)

Preparing for Convergent Standards

Whilst DORA is an EU regulation, its influence extends beyond the European Union’s borders. ESMA has designated cyber risk and digital resilience as a Union Strategic Supervisory Priority for 2026, with enhanced coordination across EU supervisors on ICT risk management requirements.

UK firms with European operations must align their approaches with DORA requirements, which took effect in January 2025. Even purely UK-based institutions should monitor DORA implementation, as regulatory expectations around digital resilience are converging internationally. The Financial Conduct Authority’s (FCA) emphasis on operational resilience creates complementary pressures that elevate cyber and operational risk management to boardroom priorities.

Practical implications

If you operate in both UK and EU jurisdictions, you face dual regulatory expectations. The smart approach is to adopt the higher standard across your entire operation rather than maintaining separate frameworks. This reduces complexity and positions you well for future UK regulatory developments, which are likely to align with international standards.

What to do now

Map your current operational resilience framework against DORA requirements. Identify gaps, particularly around ICT third-party risk management, incident reporting, and digital operational resilience testing.

Even if DORA doesn’t directly apply to your firm, treating it as a benchmark ensures you’re ahead of UK regulatory evolution.

Liquidity Framework Review

Positioning for Regulatory Change

The PRA will review the liquidity supervisory framework in 2026, with consultations on regulatory reporting changes expected. This responds to lessons from the March 2023 banking stress and acknowledges the Bank of England’s evolving operating framework.

Compliance officers should prepare for potentially significant changes to liquidity monitoring and reporting obligations. International coordination through the Basel Committee on Banking Supervision suggests that any UK reforms will align with global developments in liquidity risk supervision.

Practical implications

The 2023 banking turmoil demonstrated that traditional liquidity metrics don’t always capture emerging risks, particularly around concentrated funding sources and rapid deposit outflows enabled by digital banking. The PRA’s review will likely result in enhanced reporting requirements and potentially new metrics focused on behavioural aspects of liquidity risk.

What to do now

Review your liquidity risk management framework with fresh eyes. Where are your funding concentrations? How quickly could you access contingent liquidity? What are your exposures to non-bank financial institutions, which the PRA has specifically flagged as a concern?

Don’t wait for the consultation to strengthen your frameworks. You can conduct reviews now based on the known weaknesses that emerged in 2023. When the consultation arrives, you’ll be responding from a position of strength rather than scrambling to comply with new requirements.

Artificial Intelligence Governance

Moving from Innovation to Accountability

The FCA and PRA are intensifying their focus on artificial intelligence and machine learning deployment within financial services. The PRA maintains a specialist Fintech Hub and has established an AI Consortium for public-private engagement, signalling the centrality of AI governance to 2026 priorities.

Many compliance officers are facing the challenge of enabling innovation whilst managing emerging risks. Key considerations include algorithmic decision-making transparency, ethical deployment of machine learning models, and bias detection and mitigation strategies.

Practical implications

The regulatory focus on AI represents a significant expansion of compliance remits into technology governance territory. You need frameworks for human oversight of algorithms, mechanisms to explain and audit algorithmic decisions, and clear governance structures for AI system deployment.

This isn’t about blocking innovation. It is about ensuring responsible innovation that aligns with regulatory expectations around customer protection and market integrity.

What to do now

Conduct an AI inventory across your firm. What AI or machine learning systems are currently deployed? Which are in development? For each system, document: the business purpose, the decision-making role (advisory versus determinative), the oversight mechanisms, and the bias testing approach.

Establish an AI governance committee if you don’t have one, with representation from compliance, risk, technology, and business functions.

Create approval frameworks for new AI deployments that ensure regulatory considerations feature from the design stage, not as an afterthought.

Consumer Duty

Wholesale Firms Cannot Assume Exemption

Whilst the Consumer Duty primarily targets retail customers, the FCA has clarified its application to wholesale firms. FCA CEO Nikhil Rathi’s letter to the Chancellor addressing the Consumer Duty’s application to wholesale markets underscores that compliance officers in wholesale firms cannot assume blanket exemption.

The FCA’s 2026 priorities include consultations on amendments addressing how the Duty applies across distribution chains and proposals to limit its application to business conducted with UK customers only. These developments require wholesale firms to maintain vigilant monitoring of Consumer Duty evolution.

Practical implications

The boundary between wholesale and retail is not always clear-cut, particularly in distribution chains. If your wholesale products ultimately reach retail customers through intermediaries, you may have Consumer Duty obligations even though you don’t directly serve retail clients.

The FCA’s emphasis on distribution chain responsibilities means you cannot assume that duties stop at the point of sale to a wholesale counterparty.

What to do now

Map your product distribution chains end-to-end. Where do your products or services ultimately end up? If there’s any retail customer exposure, even indirect, assess your Consumer Duty obligations.

For firms in distribution chains, establish clear communication channels with your counterparties about respective Consumer Duty responsibilities. Document how you’re ensuring good customer outcomes, even where you’re several steps removed from the end customer.

CASS 15 and Payments Safeguarding

The 7 May 2026 Deadline

The FCA’s new safeguarding rules under CASS 15 take effect on 7 May 2026 for payment service providers and e-money institutions. These introduce daily fund reconciliations (on each reconciliation day) and significantly enhanced transparency and governance requirements.

This represents the most significant change to client money protection in the payments sector for many years. The shift from monthly to daily reconciliations fundamentally changes operational requirements and creates new pressure points in firms’ processes.

Practical implications

Daily reconciliations demand robust automated processes. Manual reconciliation approaches that suffice for monthly cycles will not scale to daily requirements without creating unsustainable operational burdens and error risks. Firms must also prepare comprehensive resolution packs, which are effectively wind-down plans that enable rapid customer fund returns in insolvency scenarios.

Beyond the technical requirements, CASS 15 introduces a new governance framework. Firms need a CASS oversight function, clear escalation procedures, and board-level accountability for safeguarding.

The annual audit requirement means your CASS arrangements will face independent scrutiny.

What to do now

If you’re in scope for CASS 15, you should be in implementation mode already, as 7 May 2026 is imminent in regulatory terms.

Conduct a gap analysis against the final rules published by the FCA. Focus particularly on: your reconciliation processes and whether they can scale to daily frequency; your segregation arrangements and whether they meet the enhanced requirements; your resolution pack and whether it contains all required information; and your governance framework and whether you have clear CASS oversight accountability.

If you’re behind schedule, engage with the FCA proactively. They would rather know about implementation challenges in advance than discover non-compliance in May 2026.

SMCR Streamlining

Efficiency With Continued Accountability

The FCA and PRA are streamlining the Senior Managers and Certification Regime (SMCR), making it more efficient and outcomes-focused whilst reducing administrative burdens.

The PRA plans to finalise revised rules for banks on streamlining material risk-takers’ remuneration requirements, including reducing bonus deferral periods.

The FCA continues to refine certification requirements and is reviewing client categorisation rules to ensure greater alignment across its Handbook.

Practical implications

The streamlining creates opportunities to eliminate unnecessary processes whilst maintaining robust governance frameworks.

However, the fundamentals of individual accountability remain unchanged. The regime’s core principle that senior individuals should be clearly accountable for their areas of responsibility is not being diluted.

What to do now

Review your SMCR processes for unnecessary complexity. Are you collecting information that adds little value? Are your handbooks and statements of responsibilities clearer than they need to be, or have they accumulated layers of belt-and-braces drafting?

The regulatory streamlining gives you permission to simplify. So take advantage of it. However, ensure that simplification doesn’t compromise the quality of your accountability frameworks. Documentation, attestations, and fitness and propriety assessments remain fundamental to demonstrating compliance.

Transaction Reporting

Preparing for Regime Changes

The FCA has published proposals to improve the UK transaction reporting regime, aiming to remove unnecessary burdens for firms whilst maintaining high regulatory standards. ESMA has launched parallel consultations on streamlining transaction reporting requirements across EU markets.

For firms operating across multiple jurisdictions, the divergence between UK and EU approaches requires careful monitoring. The UK is pursuing reforms tailored to its market structure, whilst the EU focuses on harmonisation across member states. These differing priorities may result in materially different reporting requirements.

Practical implications

Transaction reporting changes affect your data infrastructure and reporting systems.

Unlike rule changes that affect front-office behaviour, reporting changes require technology builds. These often have long lead times, particularly if you’re dependent on vendor solutions that need to be updated across multiple clients.

What to do now

Monitor the FCA’s transaction reporting proposals and assess the likely impact on your systems.

Engage with your technology and data teams early. Don’t wait for final rules.

If you use third-party reporting vendors, open dialogue with them about their implementation timelines.

For firms with both UK and EU operations, map the diverging requirements and consider whether you’ll need dual reporting systems or whether you can find a common approach that satisfies both regimes.

2026 Regulatory priorities

Regulatory priorities in 2026 demand that compliance officers adopt strategic perspectives extending beyond technical rule-following. Firms that embed regulatory requirements into business strategy, treating compliance as a competitive differentiator rather than a cost centre, will continue to thrive in this environment.

The convergence of operational resilience requirements, technological innovation governance, and enhanced accountability frameworks creates opportunities for compliance functions to drive business value. Proactive engagement with regulatory developments, robust governance frameworks, and strategic resource allocation will separate leaders from laggards.

As regulatory complexity intensifies, the role of specialist compliance advisors becomes increasingly valuable. Firms should assess whether their internal capabilities require augmentation through expert consultancy support, particularly for transformational projects like Basel 3.1 implementation, operational resilience framework enhancement, or CASS 15 preparation.

The regulatory priorities for 2026 are clear. Success depends on moving beyond awareness to action: conducting gap analyses, strengthening frameworks, and embedding regulatory requirements into strategic decision-making. The firms that act decisively now will navigate 2026’s regulatory challenges with confidence.


Leaman Crellin provides regulatory compliance consulting services to financial services businesses, helping clients navigate UK and international regulatory requirements. Our team of former regulators and industry professionals delivers practical, business-focused compliance solutions tailored to your organisation’s needs, including SMCR, transaction reporting, third-party risk management frameworks, operational resilience planning, and CASS compliance advisory. Get in touch with us today.

Financial Crime – When Things Are Not Right 

Why financial crime controls fail when firms do not act 

The FCA’s £44 million fine against Nationwide Building Society reinforces a core regulatory message. Financial crime controls only protect firms when they drive action. 

Between 2016 and 2021, weaknesses in Nationwide’s financial crime systems meant risks were not identified or managed effectively. Although the firm knew some accounts operated outside expected use, it did not respond quickly enough. Consequently, significant harm followed and the FCA intervened. 

This case offers clear lessons for all regulated firms. 

Controls Must Trigger Action 

Most firms have AML policies, procedures, and risk assessments. However, the FCA continues to focus on how those controls operate in practice. 

Nationwide identified personal accounts used for business activity. That behaviour sat outside its risk assumptions. However, controls did not adapt, and risks increased over time. 

For example, one customer received 24 fraudulent COVID-19 furlough payments totalling £27.3 million. Earlier intervention could have reduced this exposure. 

Controls that do not trigger challenge or escalation do not work. 

Knowing Is Not Enough 

Identifying a financial crime risk is only the starting point. What matters is how firms respond. 

When activity changes, firms must reassess risk. They must also consider whether controls remain effective. If they do not, firms must strengthen them quickly. 

Delay creates regulatory exposure. Therefore, the FCA expects timely remediation once issues are known. 

This applies across AML, fraud, sanctions, and transaction monitoring. 

Oversight Drives Effectiveness 

Strong financial crime controls rely on effective oversight. Boards and senior management must receive clear, meaningful Management Information (“MI”). 

However, MI must highlight risk trends and unresolved issues. It must also support challenge and accountability. 

Someone must own the issue. Someone must drive remediation. Without this, weaknesses persist and regulators take notice. 

A Practical Review Approach 

This enforcement action should prompt firms to perform a targeted sense check. 

  • Changes in customer behaviour trigger review. 
  • Transaction monitoring remains effective. 
  • Known control weaknesses close promptly. 
  • Governance and MI support challenge. 

A well-structured, concise review reinforces assurance and demonstrates proactive financial crime oversight.

At Leaman Crellin, we support firms with: 

Key Takeaway 

Financial crime controls must evolve as risks change. When something does not look right, firms must act. Waiting increases harm, cost, and regulatory scrutiny. The FCA’s message is clear. Awareness without action is not enough.

FCA CP25/37: Proposed Changes to CASS 6 and CASS 7 and What Firms Need to Do Next

The Financial Conduct Authority (FCA) has published Consultation Paper CP25/37, which proposes targeted amendments to the Client Assets Sourcebook (CASS). These changes address longstanding operational challenges and introduce clearer expectations for firms that hold client money or safe custody assets. While not a comprehensive rewrite of the regime, the proposals will require firms to update processes, governance documentation and consumer disclosures.

The consultation is open until 27 January 2026, with the FCA expected to publish a final policy statement afterward. Firms that engage early will be better placed to implement the new requirements.

Why CP25/37 matters for CASS regulated firms

The FCA’s proposals focus on four key themes:

  • Reducing avoidable CASS breaches;
  • Updating rules to reflect modern market practices;
  • Strengthening protections for retail clients under the Consumer Duty; and
  • Improving consistency across record keeping and reconciliations.

These changes will impact reconciliations, due diligence, client money interest handling and retail client disclosures.

Client money interest: clearer rules that reduce avoidable breaches

Summary: The FCA proposes a new election for early interest and conditional permission for firm owned interest to be paid into a client bank account.

Under current rules, interest credited to a client bank account before it becomes due and payable creates operational challenges. Removing and later reinstating the interest can increase insolvency risk, while leaving it in the account may result in a regulatory breach.

CP25/37 proposes a new election that permits firms to treat early interest as unallocated client money from the moment it is received, provided the interest will become due and payable to clients at a specified point within one month of receipt. When the firm can identify the portion belonging to clients or the portion belonging to the firm, it must allocate or remove those funds promptly and no later than the next business day.

This new treatment removes ambiguity and provides a compliant method for managing early interest.

Firm owned interest paid into a client account

Where banks insist on crediting firm owned interest to a client bank account, the firm currently breaches CASS even when it has taken reasonable steps to prevent this.

Under the proposals, a firm may accept such payments only if it has:

  • Requested in writing that the bank directs the payment to a firm account; and
  • Removed the firm owned interest from the client account by the next business day.

Due diligence records: updated retention requirements across CASS 6 and CASS 7

Summary: Firms would only need to retain due diligence records for five years from creation or modification, not five years after the relationship ends.

CASS 6 and CASS 7 currently require firms to retain initial due diligence on custodians and banks until five years after the relationship ends. In long standing relationships this can result in persistent breaches when old records cannot be sourced.

CP25/37 proposes that firms retain these records for five years from the date the record is created or last modified. This applies to both:

  • Due diligence on custody service providers under CASS 6.3; and
  • Due diligence on banks and qualifying money market funds under CASS 7.13.

This amendment improves proportionality and ensures record keeping requirements align with wider CASS principles.

External custody reconciliations: modernisation and clear conditions for exceptions

Summary: Euroclear IFS would be formally recognised, and new exceptions allow firms to reconcile less frequently when statements cannot be obtained.

Firms frequently rely on Euroclear’s Investment Funds Service (IFS) for fund unit holdings, but currently require a modification to reconcile against IFS data. The FCA proposes to formally permit the use of IFS records as an external reconciliation source, subject to contractual undertakings that cover daily and monthly reconciliations and prompt notification of discrepancies.

This modernises CASS 6 and supports more efficient reconciliation processes.

Exceptions to the monthly reconciliation requirement

The FCA acknowledges that fund managers and third parties sometimes cannot provide monthly statements, either temporarily or on a structural basis.

CP25/37 introduces two scenarios in which firms may reconcile less frequently:

  • Temporary disruption arising from circumstances inherent to the asset, for example insolvency proceedings, delistings or complex corporate actions.
  • Structural refusal by a third party to provide statements monthly despite reasonable efforts by the firm to obtain them.

Firms must document all attempts to obtain the required information, adjust their systems and controls to mitigate the risk of less frequent reconciliations and conduct an annual review of the situation.

This approach avoids recurring breaches while maintaining robust oversight.

Consumer Duty: explicit requirements for interest retention and the lending of retail custody assets

Summary: Firms must ensure certain CASS permissions for retail clients meet Consumer Duty expectations, including fair value and client understanding.

The FCA proposes amending CASS 7.11 to allow firms to retain interest on retail client money only if:

  • The client has been notified in writing; and
  • The arrangement is compatible with the Consumer Duty, including the fair value and consumer understanding outcomes.

This change ensures that interest practices for retail clients reflect the Duty’s emphasis on good outcomes.

Lending retail clients’ custody assets under CASS 6.4

The consultation introduces a separate rule for retail clients when safe custody assets are used for securities financing transactions. Firms would be required to:

  • Obtain express prior consent on specified terms;
  • Restrict use of the assets to those agreed terms; and
  • Ensure the arrangements and consent process are compatible with the Consumer Duty.

If assets are held in an omnibus account, firms must either obtain consent from every retail client whose assets may be used, or operate controls that ensure only consenting clients’ assets can be included. Aside from the direct consequences of an agreed transaction, firms must not use retail clients’ assets for their own account or the account of any other person.

Consumer Duty excluded from the CASS audit

Although the Duty is embedded within these rules, the FCA proposes that the CASS auditor will not be required to test firms’ Consumer Duty compliance. Duty related assurance must therefore be addressed through firms’ internal governance rather than the statutory CASS audit.

Wider Handbook changes with indirect relevance to CASS

The FCA also proposes retiring legacy Treating Customers Fairly material and modernising references to Principles 6 and 7 across many parts of the Handbook.

Although not CASS amendments, firms may need to update client facing materials, governance documents and policy language that reference these older frameworks.

What firms should consider now

Firms should begin assessing how CP25/37 affects their CASS environment and plan ahead for implementation. Key actions include:

  • Reviewing the operational impact of the new interest rules;
  • Reviewing retention and completeness of due diligence records;
  • Evaluating the use of Euroclear IFS or other reconciliation sources;
  • Updating disclosures and consent processes for retail clients under CASS 7.11 and CASS 6.4;
  • Assessing how the Consumer Duty requirements influence internal governance and monitoring; and
  • Preparing to update policies, procedures, MI and training.

The FCA intends for the CASS changes to take effect three months after the final rules are made.

Conclusion

CP25/37 demonstrates the FCA’s focus on simplifying the Handbook while preserving strong client protection standards. The proposed amendments reduce unnecessary breaches, improve clarity and strengthen safeguards for retail clients under the Consumer Duty. Firms that act early will be better prepared for implementation and will benefit from improved efficiency and clearer expectations.

If you would like support assessing the impact of CP25/37 on your firm’s CASS arrangements, our team is available to help.

ESMA 2026 Work Programme: What Regulated Firms Need to Know

ESMA has published its 2026 Annual Work Programme, setting out its regulatory priorities for the year ahead. Here’s what matters for your firm’s planning, with UK comparisons where relevant for cross-border operations.

Three Major Consultations Already Launched

ESMA has launched three consultations it describes as “landmark” reforms. These consultations are already open:

Integrated Funds Reporting

ESMA plans to consolidate multiple reporting requirements for investment funds. If you manage UCITS or AIFs, review these proposals carefully. The FCA is pursuing similar simplification through its retail fund regime reforms, but timelines and scope differ.

Transaction Reporting Streamlining

ESMA intends to reduce burdens in transaction reporting while maintaining market oversight standards. UK firms should note the FCA is also reviewing its transaction reporting regime, though approaches may diverge.

Investor Journey Simplification

ESMA will streamline disclosure requirements across the investor journey. Compare this with the FCA’s Consumer Duty requirements, which take a principles-based approach to similar outcomes.

Action: Respond to these consultations if they affect your business. Check whether you need different approaches for UK versus EU operations.

New Supervisory Responsibilities Taking Effect

Consolidated Tape Providers

ESMA will authorise and supervise CTPs in 2026. If you’re considering becoming a CTP, engagement with ESMA should begin now. The UK has similar proposals for bond and equity consolidated tapes but on different timelines.

ESG Rating Providers

ESG ratings regulation takes effect from July 2026. If you provide ESG ratings or rely on them for investment decisions, build compliance frameworks now. The FCA plans to consult on ESG ratings rules but has not yet set implementation dates.

Action: ESG rating providers need authorisation applications ready. Users of ESG ratings should assess how regulatory oversight affects your due diligence processes.

European Green Bond External Reviewers

ESMA will oversee external reviewers under the EuGB framework. If you provide these services, prepare for ESMA supervision.

DORA Critical Third-Party Oversight

ESMA will jointly supervise critical ICT third-party service providers with other ESAs. If you’re an ICT provider to financial services firms, assess whether you meet criticality thresholds.

Action: ICT service providers should review DORA designation criteria. Financial firms should confirm their critical providers are preparing for ESMA oversight.

Digital Assets and Technology Focus

ESMA’s programme prioritises the ESMA Data Platform rollout and AI-powered supervisory tools. ESMA will develop frameworks for digital assets.

Compare with UK: The FCA is consulting on cryptoasset regulation during 2025, with policy statements expected in 2026. UK timelines may move faster than EU frameworks. The FCA’s AI Lab offers testing opportunities not currently available through ESMA.

Action: Firms developing digital asset services should track both ESMA’s framework development and the FCA’s crypto consultations. Consider UK market entry if faster regulatory clarity suits your business model.

Sustainable Finance Intensifies

ESMA’s 2026 programme includes substantial sustainable finance work:

  • Consultation on ESG ratings provider rules
  • ISSB standards implementation
  • Continued greenwashing supervision focus

The FCA maintains sustainable finance commitments but with less prescriptive frameworks post-Brexit.

Action: Fund managers should strengthen greenwashing risk assessments. ESMA’s supervisory focus on sustainable investment funds continues to intensify. Don’t assume existing disclosures remain adequate.

Data Collection Integration

ESMA plans to integrate supervisory data collection under AIFMD and UCITS. This affects how you submit regulatory data.

Compare with UK: The FCA is discontinuing three regular data returns affecting 16,000 firms. Summer 2025 consultations will propose further reductions. UK and EU data obligations are diverging.

Action: Investment managers operating cross-border should prepare for different data collection systems. ESMA’s integration may require system changes even as FCA reduces reporting burdens.

Capital Markets Reforms

Savings and Investments Union

ESMA supports the EU’s shift from Capital Markets Union to Savings and Investments Union. This represents structural change to European capital markets.

Compare with UK: The FCA focuses on targeted reforms—new prospectus regimes, PISCES for private company markets, and wholesale markets review. UK maintains structural continuity while enhancing specific market segments.

Action: Assess whether the EU’s broader structural reforms create opportunities your firm should pursue, or whether UK targeted reforms better suit your business model.

Supervisory Approach Evolution

ESMA plans to harmonise supervisory practices across member states and enhance risk-based supervision.

Compare with UK: The FCA is reforming its supervision model to focus on fewer priorities with greater depth. The FCA will take more flexible approaches for firms demonstrably doing the right thing.

Action: EU-supervised firms should expect more consistent treatment across member states. UK-supervised firms may see relationship-based supervision if they demonstrate strong compliance cultures.

Timing Considerations for 2025/26

Q2 2025: ESMA consultation responses due for integrated reporting, transaction reporting, and investor journey reforms

July 2026: ESG ratings regulation takes effect

Throughout 2026: CTP authorisations, DORA critical third-party oversight implementation, green bond reviewer supervision begins

UK Timeline Differences: FCA crypto consultations (2025), policy statements (2026), authorisation gateway opening (likely 2026-27). Advice Guidance Boundary Review reforms including “targeted support” (2025-26).

What This Means for Your Compliance Planning

If you operate EU-only: Focus on ESMA’s three consultations, ESG ratings compliance, and data integration changes. Budget for system updates to accommodate new reporting frameworks.

If you operate UK-only: ESMA’s programme still matters if you have EU clients or counterparties. Your service providers may face ESMA oversight under DORA.

If you operate cross-border: Plan for regulatory divergence. ESMA pursues harmonised, prescriptive frameworks. The FCA favours principles-based regulation. You’ll need dual compliance approaches in several areas, particularly sustainable finance, crypto assets, and fund regulation.

For all firms: Respond to relevant consultations. Regulatory frameworks are being reshaped now. Input during consultation stages is more effective than adapting to final rules.

Three Priority Actions

  1. Review the three ESMA consultations – integrated reporting, transaction reporting, investor journey. Respond if they affect your business.
  2. Assess ESG ratings exposure – whether as provider or user. July 2026 deadline approaches quickly.
  3. Map cross-border differences – particularly for crypto assets, sustainable finance, and fund management. UK and EU timelines and approaches are diverging.

Leaman Crellin provides expert regulatory compliance consulting services to financial services firms. We help clients navigate UK and international regulatory requirements. Our team of former industry leaders and regulatory professionals delivers practical, business-focused compliance solutions. We tailor these to your organisation’s needs. Contact us to discuss how we can support your regulatory compliance strategy.

Top Tips for Strengthening Your Market Abuse Risk Assessment 

Why firms must be ready for rapid regulatory scrutiny 

Regulators are asking for market abuse risk assessments more frequently and with less notice. Firms that cannot produce a clear, current, and defensible assessment risk uncomfortable questions about governance, culture, and control effectiveness. Below we outline the themes that matter most today and what regulators increasingly expect to see. 

Cover the full risk landscape 

A credible assessment must reflect the real breadth of risk across your business. Market manipulation and insider dealing remain central, but today’s regulators look much more widely. 

Your assessment should consider governance, employee competence, training frequency, personal account dealing controls, and how new products or clients change your risk profile. 

Scenario analysis remains valuable. Enforcement actions and court judgments continue to be useful sources of emerging behaviours. 

Ensure information walls still work in a digital environment 

Information walls are now predominantly electronic. Regulators increasingly expect firms to treat information walls as a specific risk area with clear oversight. 

Reviews should cover access controls, removal of permissions, identification of wall crossers, and physical access checks. 

Refresh anti-collusion and communication controls

Collusion risk continues to evolve across digital communication channels. Strong frameworks include reviews of chat room access, closure of unused rooms, controlled creation of new groups and alignment with e-comms surveillance.

Keep your assessment dynamic and action-oriented

A static annual risk assessment is no longer sufficient. Regulators expect a document that evolves with your business and tracks real change. 

Committees should receive regular updates and minutes should evidence senior challenge and clear ownership of actions. 

Demonstrate how you identify and investigate issues 

Surveillance should avoid de minimis thresholds, capture near misses, evidence follow-up with individuals and show meaningful analysis rather than automated closure.

Go beyond mitigation and consider risk avoidance 

Policies should specify when repeated STORs on a client become unacceptable, set escalation criteria and define when to exit a client relationship. 

Draw clear boundaries between market abuse and financial crime 

Staff must understand the difference between STORs and SARs, and teams should communicate where relevant to avoid risk blind spots. 

Final thought

A market abuse risk assessment is a living document that must remain current and defensible. Investing in it now ensures readiness for short-notice regulatory requests. 


Registered Office

17 West Grove

Hersham

Walton on Thames

Surrey

KT12 5PF

Copyright © 2025 by Leaman Crellin Limited. All Rights Reserved