Entities-based regulation meaning

FCA and PRA senior management arrangements, systems and controls requirements The Financial Conduct Authority’s (FCA) expectations for senior management arrangements, systems and controls are outlined in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) within the FCA Handbook, as set out in SYSC. For the Prudential Regulation Authority (PRA), equivalent obligations appear across sections of the PRA Rulebook and in PRA Supervisory Statements (SSs). This checklist offers a mapping of the requirements in the various SYSC chapters alongside the corresponding senior management arrangements, systems and controls provisions contained in the PRA Rulebook and SSs. The mapping links each SYSC chapter to the parallel PRA materials. Details of the entities within the scope of SYSC are summarised in SYSC 1.1A.1G, and set out in full in SYSC 1 Annex 1 and in the relevant SYSC chapter...

This checklist outlines matters a potential buyer (and its advisers) ought to weigh up when acquiring the share capital or business assets of a firm authorised by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) under the Financial Services and Markets Act 2000 (FSMA 2000), or authorised or registered by the FCA under the Payment Services Regulations 2017, SI 2017/752 (PSRs 2017). It is designed to help purchasers compile a due diligence questionnaire and to flag other central elements of the transaction. It is not exhaustive and additional considerations may arise. Due diligence Authorisations and licences Review the Financial Services Register for the target’s FCA or PRA authorisation under FSMA 2000 and the scope of permissions attached to that authorisation, or for FCA authorisation or registration under the PSRs 2017; also confirm the authorisations and permissions of any group entities. Verify that activities undertaken by the target (and any group members) align with the permissions recorded on the Financial Services Register... ...

Employers engaging a recruitment agency or executive search (‘headhunting’) service should consider the implications of: the Employment Agencies Act 1973 (EAA 1973) and the Conduct of Employment Agencies and Employment Businesses Regulations 2003, SI 2003/3319 (as amended) (Conduct Regulations 2003) the Equality Act 2010 (EqA 2010), which includes specific rules on discrimination by recruitment agencies Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) Conduct regulations-agency's general obligations For the purposes of the Conduct Regulations 2003, a recruitment agency is treated as an ‘employment agency’. For activities excluded from the scope of the EAA 1973, see Employment agencies and employment businesses-Scope of the legislation. A recruitment agency is subject to the following overarching obligations: a broad ban on charging work-seekers fees for finding them work; this does not stop the agency charging for ancillary services such as transport, accommodation, CV writing, photographic services, or training it must...

In this issue: Tax Economic Crime and Corporate Transparency Environmental, social and governance Partnerships Financial services regulation Daily and weekly news alerts Dates for your diary Trackers Useful information Tax HMRC confirms availability of capital-raising exemption from 1.5% stamp duty and SDRT charge. HMRC has updated its Stamp Taxes on Shares Manual (STSM053100) to state that the relief from the 1.5% stamp duty and SDRT for capital-raising covers share issues made for non-cash consideration, with no consideration, or where consideration is paid directly to a different party. See: LNB News 10/04/2024 25. Economic Crime and Corporate Transparency Registrar of Companies and Register of Overseas Entities (Fees) (Amendment) Regulations 2024, SI 2024/454. These Regulations revise the dates on which transitional provisions for changes to Registrar of Companies’ fees apply, correct typographical errors, and remove obsolete references to regulations within the Register of Overseas Entities (Delivery, Protection and Trust Services) Regulations 2022, SI 2022/870. They...

In this issue: UK NSI Act UK mergers UK competition policy EU mergers EU antitrust EU Foreign Subsidies Regulation New and updated content Daily and weekly news alerts Caselex UK NSI Act Government consults on proposed reforms to the NSI Act 2021 mandatory notification regime The UK Government has launched a consultation on proposed revisions to the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, which determine the scope of mandatory filings under the NSI Act. This follows the 2024 statutory review of the NARs and engagement through the 2023 Call for Evidence. The Government sets out targeted adjustments intended to keep the regime proportionate and effective at capturing national security risks in sensitive parts of the UK economy, whilst ensuring that the vast majority of transactions remain outside its reach. Key proposals include: New standalone mandatory notification areas: creating two separate categories for...

On 2 June 2025, the CJC released its concluding report on the examination of litigation funding. You can access the report here: Review of Litigation Funding Final Report. Purpose of the review The review was initiated in response to the Supreme Court’s ruling in PACCAR v Competition Appeal Tribunal [2023] UKSC 28, which determined that some third-party litigation funding agreements (LFAs) were, in substance, damages-based agreements (DBAs), thereby calling their enforceability into question. The Government asked the CJC to advise on several matters, including: the implications of the PACCAR v Competition Appeal Tribunal [2023] UKSC 28 ruling the broader framework for the regulation of litigation funding the effectiveness and operation of current funding mechanisms in practice potential reforms to the litigation funding regime as a whole Final recommendations Responding to these issues, the report sets out 58 recommendations for litigation funding, aimed at enhancing effective access to justice, ensuring fair and proportionate regulation of third-party litigation funding,...

This Practice Note sets out the essentials of Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA): its background, timeline, aims, and how it aligns with other EU laws. For details on the CRA’s scope or core duties for economic operators, see the following Practice Notes: The EU Cyber Resilience Act—scope and classification of products The EU Cyber Resilience Act—obligations, compliance and enforcement Regulation (EU) 2024/2847, known as the CRA, is the first EU measure to set mandatory cybersecurity requirements for ‘products with digital elements’ across the EU. From December 2027, products that do not satisfy these requirements cannot be placed on the EU market. Accordingly, compliance will be crucial for market entry for both hardware and software. Manufacturers, importers and distributors will have extensive cybersecurity responsibilities and risk significant fines for non-compliance. The CRA was published in the Official Journal of the EU on 20 November 2024, entered into force on 10 December 2024, and applies in full from 11...

Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing accidental loss, destruction, or damage This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB). Data security requirements Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account: the nature, scope, context, and purpose of processing the risk of varying likelihood and severity for the rights and freedoms of data subjects Where appropriate, your security measures should include: the pseudonymisation and encryption of...

The general prohibition Under section 19 of the Financial Services and Markets Act 2000 (FSMA 2000), no person may undertake regulated activities in the UK unless they are authorised or fall within an exemption. This is referred to as the general prohibition. For guidance on the territorial reach of this restriction, see Practice Note: Territorial scope of the prohibition. Under FSMA 2000, s 31, an authorised person is one who: has been granted permission by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) under FSMA 2000, Pt 4A to carry on specified regulated activities; or is a Gibraltar-based person with a Schedule 2A permission to carry on one or more regulated activities. Please note that this latter provision, inserted by section 22(1), (2) of the Financial Services Act 2021, is not yet in force...

This [ insert document name ] has not been sanctioned by an authorised person in line with section 21(2)(b) of the Financial Services and Markets Act 2000...

This [ insert document name ] has not obtained approval from an authorised person, as required under section 21(2)(b) of the Financial Services and Markets Act 2000...

Module four of the EU Standard Contractual Clauses This Precedent provides a template for ‘module four’ of the EU Standard Contractual Clauses (also referred to as the Model Clauses or SCCs) introduced by Commission Implementing Decision (EU) 2021/914 (the 2021 EU SCCs). It is tailored for the transfer of personal data: from a data processor subject to the EU’s General Data Protection Regulation (EU) 2016/679 (EU GDPR) whose only or main establishment in the EU, for EU GDPR purposes, is in Ireland to a data controller based outside the EEA that is not subject to the EU GDPR both where the EEA processor merges personal data received from the third country controller with personal data it collects in the EEA, and where the EEA processor does not The terms of this 2021 EU SCCs module differ slightly depending on which of these scenarios applies, and this Precedent indicates which clauses can be omitted or should be kept accordingly. As noted in...