Understanding FCA Handbook SYSC 13.7 and its Importance for Appointed Representatives Using Microsoft 365

The Financial Conduct Authority (FCA) Handbook is a set of rules for financial firms in the UK, ensuring they operate safely and fairly. SYSC 13.7, part of this handbook, mandates firms to have robust risk control systems. This section is vital for Appointed Representatives (ARs)—firms or individuals conducting regulated activities for principal firms—who must adhere to these rules.


Why Regulatory IT Compliance is Critically Important

Cases investigated by the FCA often include multiple instances of non-compliance across the FCA Handbook, not just SYSC 13.7. The FCA does look at how data and technology are managed as part of the wider operations of a regulated entity. Recent cases that involved breaches of SYSC 6.1 and/or 13.7 include:

    • In November 2022, the FCA fined GAM International Management Limited £9.1 million for failing to manage conflicts of interest fairly and to ensure the proper and prudent management of its funds. The FCA found that GAM had breached SYSC 1.1R, SYSC 6.1.4R, SYSC 10.1.3R, SYSC 10.1.7R, and SYSC 13.7.1R, among others.
    • In March 2022, the FCA fined Rathbone Investment Management Limited £8.6 million for failing to comply with the client money rules and for misleading the FCA during an. The FCA found that Rathbone had breached SYSC 6.1.1R, SYSC 6.3.6R, SYSC 6.3.9R, and SYSC 13.7.1R, among others.
    • In January 2022, the FCA fined Jupiter Investment Management Group Limited £2.8 million for failing to ensure that certain of its funds were accurately priced, and for failing to have adequate systems and controls to prevent and detect pricing errors. The FCA found that Jupiter had breached SYSC 6.1.1R, SYSC 6.3.8R, SYSC 13.7.1R, and SYSC 13.7.2R, among others.

Source: 2022 fines | FCA

These are just three examples out of many, and the combined total of fines for these three SMEs was £20,500,000.

Key Concepts of SYSC 13.7

The key areas for Appointed Representatives to consider in relation to SYSC 13.7 are:

  1. SYSC 13.7 Detailed Requirements:
    • Risk Policies and Procedures: ARs must have policies to manage risks effectively, ensuring the principal firm’s compliance.
    • Control Systems: ARs should implement control systems that identify, manage, and mitigate risks.
  2. Microsoft 365 Configuration:
    • Security Features: Multi-factor authentication, data encryption, and security audits in Microsoft 365 protect financial data.
    • Access Controls: Manage user access and permissions to ensure only authorised personnel handle sensitive information.
    • Audit and Monitoring: Utilise compliance and monitoring tools to track user activities and detect risks.
    • Data Management: Implement data retention policies and use Microsoft 365’s backup and recovery solutions to maintain data integrity.

Real World Application of SYSC 13.7

How should SYSC 13.7 be considered in relation to Microsoft 365? Meeting SYSC 13.7 can be as simple as applying security steps when colleagues access core systems, such as email, through to labelling data appropriately.

For example, an Appointed Representative that uses Microsoft 365 to manage client data should configure multi-factor authentication and consider encrypting emails, to ensure compliance with SYSC 13.7. They should also ensure that documents and emails carry appropriate system labelling that identifies the data as regulated.

Ensuring continuous monitoring and regularly updating security settings can be challenging. However, Microsoft 365’s compliance centre helps maintain oversight. The compliance centre requires appropriate user licensing, another area where Appointed Representatives often expose themselves to regulatory risk: the Business Standard licence does not provide the level of compliance management required for Appointed Representatives.
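The controls named above (multi-factor authentication, audit and monitoring, retention, and data labelling) can each be read back from a Microsoft 365 tenant rather than taken on trust. The PowerShell script below is an added example written for this article; it is not code from the original post or from Bentlebury. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that the signed-in account holds read-only rights for Conditional Access policies, Exchange Online and the Security & Compliance centre. It makes no changes: it lists the gaps an Appointed Representative would need to explain against SYSC 13.7.

```powershell
# Added example, not from the original article or from Bentlebury.
# Read-only check of four Microsoft 365 controls the article names.
# Assumes: Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement
# modules installed; the signed-in account can read the settings below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Multi-factor authentication: is there an enabled Conditional Access
#    policy whose grant control requires MFA?
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }
if (-not $mfaPolicies) {
    $findings.Add("No enabled Conditional Access policy requires MFA.")
}

# 2. Audit and monitoring: organisation-wide audit logging on, and
#    auditing enabled on every mailbox.
Connect-ExchangeOnline -ShowBanner:$false
$orgConfig = Get-OrganizationConfig
if ($orgConfig.AuditDisabled) {
    $findings.Add("Unified audit logging is disabled at the organisation level.")
}
$unauditedMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $unauditedMailboxes) {
    $findings.Add("Mailbox auditing is off for $($mbx.UserPrincipalName).")
}

# 3. Data management: at least one enabled retention policy exists.
#    (Security & Compliance PowerShell uses a separate connection.)
Connect-IPPSSession
$retentionPolicies = Get-RetentionCompliancePolicy | Where-Object { $_.Enabled }
if (-not $retentionPolicies) {
    $findings.Add("No enabled retention policy found.")
}

# 4. Data labelling: sensitivity labels are defined and at least one
#    enabled label policy publishes them to users.
$labels = Get-Label
if (-not $labels) {
    $findings.Add("No sensitivity labels are defined.")
}
$labelPolicies = Get-LabelPolicy | Where-Object { $_.Enabled }
if (-not $labelPolicies) {
    $findings.Add("No enabled label policy publishes sensitivity labels to users.")
}

# Report: an empty list means every checked control is in place.
if ($findings.Count -eq 0) {
    Write-Output "All checked controls are in place."
} else {
    Write-Output "Findings to review against SYSC 13.7 risk controls:"
    $findings | ForEach-Object { Write-Output " - $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it from an account with read-only roles (Global Reader plus a compliance reader role) rather than an administrator, and keep the output with the date: a dated, repeatable readout of these settings is the kind of evidence a Principal Firm or the FCA will ask for when testing whether risk controls are actually operating, not merely written down.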

Best Practice for SYSC 13.7

To ensure that regulatory IT compliance is embedded into what you do as an Appointed Representative, consider:

  • Regular Training: Ensure staff are trained on using Microsoft 365 securely.
  • Continuous Improvement: Regularly review and update risk management policies and Microsoft 365 configurations.
  • Engage Experts: Consult IT experts to optimise Microsoft 365 settings for compliance.

How Bentlebury Can Help with Regulatory IT Compliance

Bentlebury already assists a portfolio of Appointed Representatives to ensure regulatory IT compliance, meeting the requirements of the FCA and their Principal Firms. We offer:

  • Regulatory IT Compliance Reviews
  • Fractional Regulatory IT Compliance Services
  • Fractional Regulatory IT Compliance and IT Management Services

If you are an Appointed Representative looking for support, or a Principal Firm looking to add value to your proposition, contact us for a no-obligation conversation.

NB: This article provides opinion, not advice. Always check with your Principal Host and/or Compliance Team for matters on regulatory compliance.