“LexisLibrary gives us the most relevant and recent cases and always has the latest information on them. It makes research so much easier. We're more cost-effective for our clients and more efficient each day”
Advocates

Access all documents on Systematic risk/Market risk
Background

The initial iteration of the MCC‑AI appeared in September 2023 ahead of the EU AI Act, setting out a systematic route for sourcing AI. Following the EU AI Act’s formal entry into force on 13 June 2024, the Commission has updated the model clauses to better match regulatory expectations. The latest release comprises:
- a comprehensive edition for high‑risk AI systems
- a streamlined variant for non‑high‑risk AI systems
- a commentary detailing how to tailor and apply the clauses

Why should companies get acquainted with the MCC-AI?

The MCC‑AI offers a practical framework for businesses buying or supplying AI services, by setting a shared baseline of obligations. The clauses foster alignment between parties on core compliance areas — transparency, risk management and accountability — consistent with the EU AI Act. By tailoring MCC‑AI clauses to their circumstances, contracts and operations, organisations can speed up negotiations, cut legal ambiguity and show they are prepared for regulation. This is especially useful in a...
In this issue:
- Beyond Brexit
- UK, EU and international regulators and bodies
- Authorisation, approval and supervision
- Prudential requirements
- Operational resilience
- Complaints, compensation and claims management
- Financial crime and sanctions
- Consumer credit, mortgage and home finance
- Conduct requirements
- Investigations, enforcement and discipline
- Regulation of capital markets
- Regulation of derivatives
- Sustainable finance and ESG
- Banks and mutuals
- Investment funds and asset management
- UK MiFID II
- EU MiFID II
- Regulation of insurance
- Payment services and systems
- Fintech and cryptoassets
- LexTalk®Financial Services: a Lexis®Nexis community
- Dates for your diary
- Financial Services Enforcement Database
- Daily and weekly news alerts
- Intraday news alerts

Beyond Brexit

FCA updates guidance on the financial services contracts regime, temporary permissions regime and leaving SRO or CRO

The Financial Conduct Authority (FCA) has refreshed its guidance covering the temporary permissions regime, the financial services contracts regime, and how firms...
What is the background that has led to the proposed legislation?

The existing legal framework in Great Britain (GB) – the Medical Devices Regulations 2002, SI 2002/618 (the UK MDR) – sets out only high-level, limited rules on post-market surveillance (PMS). The practical detail on how manufacturers must carry out PMS and meet vigilance duties is instead provided through guidance. This has resulted in variations in how different manufacturers undertake PMS for devices in GB. The draft PMS Regulations are intended to curb these differences by codifying, in legislation, PMS obligations that are more stringent, prescriptive, and proportionate to risk for medical devices placed on the market or put into service in GB.

PMS denotes the mandatory system requiring manufacturers to monitor and document the real-world use of medical devices by patients, safeguarding ongoing health and safety once regulatory certification has been achieved and products distributed to the market. It obliges manufacturers to take a proactive, systematic approach to gathering data so that any necessary corrective or preventative safety...
Practice Note

This Practice Note is aimed at in-house counsel. It sets out a concise overview of work allocation. The core idea is that deploying resources must be intentional and methodical, and that legal functions should resist the belief that they must personally shoulder every legal risk; with appropriate frameworks and support, others within the business can handle risk just as well. In the end, no legal department will ever be staffed with enough lawyers to operate solely as executors.

Two models for resourcing legal work are the ‘chute’ and the ‘portal’. Under the chute model, all items with a legal element across the organisation are channelled straight to lawyers, who wait for the flow to arrive. Over time this becomes unsustainable, because the volume demands an ever-growing number of lawyers to keep pace with the workload, as the illustration below suggests. Relying on lawyers purely for execution is neither realistic nor a scalable design...
A data protection impact assessment (DPIA) is exactly what it sounds like—an evaluation of how a particular project or process may affect data protection for impacted individuals. This Practice Note sets out:
- what a DPIA is
- whether DPIAs are mandatory, and if so who should carry out the assessment, and how

It also covers how DPIAs relate to privacy impact assessments (PIAs) and data protection by design and default (DPbDD).

Precedent: Data protection impact assessment—DPIA aligns with the UK GDPR. See also Precedent: Data protection impact assessment—DPIA—short form, based on an Information Commissioner’s Office (ICO) template. ICO guidance on DPIAs is available in two places: Data protection impact assessments and Data Protection Impact Assessments (DPIAs).

What is a data protection impact assessment?

A DPIA is a practical mechanism to help you:
- spot and reduce data protection risks in new initiatives, and
- uphold individuals’ reasonable expectations of privacy

Typically, a DPIA is undertaken...
Under the UK GDPR Certain firms must name an individual to serve as their data protection officer (DPO). This Practice Note explains when a DPO is mandatory to meet UK GDPR requirements, and weighs the benefits and drawbacks of appointing a DPO on a voluntary basis. It also considers who should act as the firm’s DPO, the DPO’s responsibilities, and the risk of conflicts of interest. It should be read alongside the DPO appointment decision tree. For further detail on accountability and governance under the UK GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Accountability and governance.

This Practice Note is grounded in the UK GDPR and the following guidance:
- Information Commissioner’s Office (ICO) guidance: UK GDPR guidance and resources, Accountability and governance, Data protection officers
- Guidelines on DPOs issued by the Article 29 Data Protection Working Party and later endorsed by the European Data Protection Board (EDPB guidance on DPOs)—although EDPB guidance is no longer directly relevant to, or binding under,...
1 Project summary

Project information
Project name: [ Insert name ]
Project owner: [ Insert name ]
Project overview: [ Outline the project, eg new CCTV system for a car park ]

2 Details of proposed surveillance camera system

2.1 Identify why your deployment of surveillance cameras requires a DPIA
- Systematic and extensive profiling
- Public monitoring
- Denial of service
- Data matching
- Tracking
- Risk of harm
- Automated decision-making
- Large-scale use of sensitive data
- Innovative technology
- Biometrics
- Invisible processing
- Targeting children/vulnerable adults
- Special category/criminal offence data
- Other [ Please specify ]

2.2 Timescale and status of surveillance camera deployment

Is this a proposal for a fresh deployment or an enlargement of an existing surveillance camera system?
- New deployment
- Expansion of existing system

Which data protection regime will you be processing under? UK...