The EU Cybersecurity Act On the 27th June, ENISA, the EU Agency for cyber security adopted itsnew mandate under the European Cybersecurity Act. The Act, furtherincreases the important role that ENISA plays in ensuring effectivecybersecurity across the EU and driving innovation and co-operation.Under its new mandate ENISA will be developing a CybersecurityCertification Framework aimed at ICT products and services, ultimatelyaddressing two distinct challenges affecting industries today

1. The emergence of different cyber security certification schemesthat do not align to any overarching framework and thereforestruggle to be sustained or valued in the market, and;

2. Lack the support and governance to ensure a strong coverage ofcyber security requirements across multiple industries, whether it’ssupporting smaller SME’s that provide ICT products and services tolarge organisations, or the security of IoT affecting critical nationalinfrastructure.

Organisations should keep a close eye to the development of thisframework and seek to embed this change within their vendormanagement and risk assessment frameworks.

Operational resilienceOn 5th June 2018 the Prudential Regulation Authority (PRA), FinancialConduct Authority (FCA) and Bank of England issued a joint discussionpaper on operational resilience, highlighting the increased regulatoryfocus.

The authorities are expected to publish a consultation paper in Q4 thisyear, reaffirming their approach to resilience and providing somefurther clarity on some of the key principles outlined in the discussionpaper. However, the authorities are already holding some firms to thestandards set out in the discussion paper, and European and USregulators are also exploring a similar direction. Capital Markets firmstherefore need to start responding to this now, if they haven’t already.

Capital MarketsRegulatory Guide 2019

Conduct riskSenior leaders across the financial services industry continue to facechallenges to ensure that conduct risk is a living and breathing riskdiscipline embedded into the ways of working across key businessfunctions.

Revenue concerns - Front office face a challengingmarket to deliver revenue growth and may be lessreceptive to demonstrating best-in-class outcomes if thismay impact revenue

Un-scalable solutions - Legacy solutions to monitor andreport on conduct risk, such as COI (conflicts of interest)registers, product inventories, best execution controls,etc. may not be scalable and tailored to meet theevolving needs of the business

Shifting priorities - Increasing commercial, regulatoryand internal initiatives will impact the firm’s commitmentto continuously improve on delivering good conductoutcomes and behaviours

Silo mentality and culture change - Different businessfunctions at the local and global level lack consistentunderstanding of conduct risk and practical tools toidentify, mitigate and report conduct concerns in a waywhich is efficient and embedded into BAU

Increased cost of failure - Failure to adequately manage conduct risk will result in negative financial,reputational and client outcomes, however firms mustfind the balance between the cost of change vs. the costof failure

Sustainability - Ensuring conduct risk managementcontinues to operate in an evolving ecosystem past thefirst 12-18 month honeymoon period requires C-suitelevel commitment and desk-level managementpersistence

But what does being resilient really mean, and how should organisationsrespond? We believe that operational resilience cannot be achieved inisolation, and is a factor of existing capabilities across the organisation.These capabilities need to work in concert to allow an organisation tooffer resilient services to its customers and other interested parties.

Key areas of focus are:

p Ensure clear ownership and accountability for operationalresilience, which includes understanding the critical people,processes and systems that underpin a resilient service. The Boardshould actively weigh up the costs of operational failures against the financial cost of being resilient.

p Design operational processes and locations to support resilienceduring disruption. This includes areas such as Incident and crisismanagement, and business continuity planning.

p Manage Business and IT change in a way that supports resilientoutcomes and resilience is a standard part of the change process.

p Ensure technology systems, processes, data and infrastructureare sufficiently resilient to maintain service during disruption, andsupport fast and effective recovery.

p Put adequate Information Security capabilities in place to protectagainst adverse cyber security events.

p Understand and manage resilience risk relating to third-partysuppliers and partners, with suppliers assessed on how theymanage risk at the point of selection as well as on an on-going basis.

p Put in place an organisational culture that values behaviourssupporting resilient outcomes, and people with sufficient skills andknowledge to maintain resilience.

Firms must make resilience a part of everyday BUA and Change activitythrough training and the use of scenarios to assess the readiness of theorganisation to respond to resilience events and attacks.

Political riskThe UK faces significant election risk in the second half of 2019 andearly 2020. With a working majority of just one seat (at the time ofwriting) and deadlock within the Commons, the Prime Minister is likelyto face an election in any of the following scenarios:

1. A successful renegotiation election – The PM successfully passesa renegotiated withdrawal agreement and calls an election for adomestic mandate

2. A no-deal snap election – The PM’s renegotiation fails, an electionis held advocating a no-deal Brexit in electoral alliance with theBrexit Party

3. A government collapse - The PM advocates a no-deal Brexit after afailed renegotiation; the Government loses a vote of no confidencein the Commons, initiating an election

Given the volatility of current polling and the uncertainty around thecontext of any imminent election, the prospect of a Labour victory islikely to be under-priced by market commentators.Policy detail highlights the prospect of a transformational agenda.Positions include:

1. Increasing income tax to 50%, corporation tax to 26%, andintroducing wealth taxes

2. Nationalisation of utilities including the water and energy networkat sub-market value

3. Introducing a state-backed, not-for-profit, National InvestmentBank to compete with traditional lenders

With the political environment so volatile and an election likely in 2019,political risk should remain high on the agenda for UK business.

IBORThe rate often described as the “world’s most important number” is setto disappear. Following the much publicised LIBOR rigging scandal andconcerns about the volume of underlying transactions for IBORs,regulators announced that banks would no longer be compelled tosubmit LIBOR data post 2021. The importance of this should not beunderestimated - IBORs are systemically important, having beenreferenced in trillions of contracts across complex financialinstruments as well as consumer products for decades. Alternativerates have been identified, but they are structurally different, meaningthat the switch goes beyond a one-for-one administrative change.Given this, there is no one size fits all approach to the transition andfirms must set up programmes now. The effort required is dependenton the organisation’s size, scale and geographic footprint, andorganisations must be flexible to respond to the latest marketdevelopments. The impact is likely to be multi-faceted and touch allparts of the organisation. We feel that the major impacts will be onupdating curves and models, managing changes in valuations, riskmeasurements, hedging, the balance sheet and more. It is alsoimportant to look back when assessing the impacts. A large number ofcontracts that reference IBOR extend beyond 2021 and renegotiation islikely to be costly and resource intensive. Compounding this issue isthat fact that fallback provisions are mostly inadequate and do notoften envisage a situation where IBORs are permanently discontinued.

As well as financial risk, organisations must also be able to identify andmitigate legal, conduct and reputational risks associated with sellingIBOR-linked products, knowing that IBORs will no longer be availablethroughout the life of the contract. Given all these changes, client andinternal education is hugely important. With a 2021 deadline andseveral industry unknowns, it is tempting to kick the issue into the longgrass. However, given the complexity of the transition and increasingliquidity in products reference alternative rates with associated marketshare implications, this would be unwise.

About Baringa PartnersBaringa Partners is an independent business and technologyconsultancy. We help businesses run more effectively, navigateindustry shifts and reach new markets.

We use our industry insights, ideas and pragmatism to help eachclient improve their business.

Collaboration is central to our strategy and culture ensuring weattract the brightest and the best. And it’s why clients love workingwith us.

Baringa. Brighter together.

Baringa’s Finance, Risk and Compliance TeamBaringa’s Finance, Risk and Compliance Team specialises in helpingfirms understand and respond to the strategic, financial andoperational implications of new regulation and to enhance riskmanagement. A trusted advisor to risk, compliance and treasuryleaders, Baringa Partners’ capabilities and credentials span banking,insurance, asset management, capital markets, commodities andwholesale energy.

For more information please contact: risk@baringa.com or StuartCook (Partner) on +44 796 811 1631 or Chris Dominy (Partner) on+44 784 190 1375.

Baringa Partners LLP, 3rd Floor, Dominican Court, 17 Hatfields, London SE1 8DJT +44 (0)203 327 4220 F +44 (0)203 327 4221 W www.baringa.comE risk@baringa.com

Update on key timings and trendsYour guide to critical regulatory milestones, analysisof hot topics and emerging regulatory trends

Climate change riskParis Agreement in December 2015, 106 laws and policies have beenintroduced worldwide.

The PRA was the first regulator to set standards for climate riskmanagement. Policy Statement 11/19 was released in April 2019requiring banks and insurers to take a strategic approach to “managingthe financial risks from climate change, taking into account currentrisks, those that can plausibly arise in the future, and identifying theactions required today to mitigate current and future financial risks." Inaddition it sets expectations in a number of areas includinggovernance, risk management, scenario analysis, and disclosures.Firms are required to have initial plans and updated seniormanagement function (SMF) forms in place by October 15th 2019. Thepolicy set out in PS11/19 has been designed in the context of theexisting UK and EU regulatory framework and will not be affected inthe event that UK leaves the EU with no implementation period inplace.

In June 2019, the European Commission published guidelines onreporting climate change-related information under the Non-FinancialReporting Directive 2014/95/EU. The guidelines are a part of theCommission’s Sustainable Finance Action Plan published in March 2018that aims to reorient capital toward sustainable investment, managefinancial risks arising from climate change, and foster transparencyand a long-term view in financial and economic activities. Theguidelines list criteria for 67 economic activities and establishstandards on taxonomy, EU green bonds, and benchmarks.

Overall, we are seeing momentum building among policy makers,investors, banks, insurers and companies in the real economy – both inthe UK and across the globe. We advise that companies act now tounderstand and prepare for the uncertain impacts of climate changeby developing comprehensive strategies and implementation plans toenhance their strategic resilience.

... continued

Q1 2019: CCP RRP proposal is expected to be finalised in the first half of 2019Q1 2019: ESMA is expected to publish guidance on performance feesQ1 2019: FCA is expected to feed back on the results of its multi-firm review on payment for researchQ1 2019-Q4 2020: Euro risk free rates working group is expected to develop and launch a Euro risk free rate term structure

StructuralReform

StructuralBanking Reform /Recovery &Resolution

p BRRDp FSB Bank Recovery &

Resolution Planningp UK Bank Recovery &

Resolution Planning

Conduct UK p FAMRp SMCRpWholesale conduct

JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC 2020+

FinancialRegulation

Capital p Basel III p CRD V / CRR IIp FRTBp Creditor Hierarchy

Directive p TLAC (UK)

Q3 2019: EBA is expectedto publish a report to theCommission on the EUimplementation of Basel III

Brexit 31.10.19: UK exits the EU (in case of no extension agreed by EU27 members)p UK exits EU

MarketStructure

Trading p CCP RRPp CMUp EMIRp IBOR Reformp MiFID II

Capital MarketsRegulatoryDevelopmentsTracker 2019The timelines reflect a number of key regulatory themesin the shape of both guidance and requirements thatwill be affecting the capital markets sector in 2019 andlooking forward to 2020. It is important that firmsconsider the potential impacts on their business. Thetimeline covers themes such as the Basel III, Cyber &Operational Resilience, EMIR, MiFID II and climatechange.

Baringa’s Finance, Risk and Compliance team specialisesin helping firms understand and navigate the spectrumof regulatory milestones and challenges as well asprovide insight and solutions addressing key industrytrends. We are unique in our ability to bring togetherthese skills within a single team, combining capabilitiesto bring the very best advisory and delivery services toour clients.

AbbreviationsAMLD V Anti-Money Laundering Directive VBCBS Basel Committee on Banking SupervisionBoE Bank of EnglandBRRD Bank Recovery and Resolution DirectiveCCP Central CounterpartyCCP RRP Central Counterparties Recovery and Resolution ProposalCDS Credit Default SwapsCMA Competition and Markets AuthorityCP Consultation PaperCRD/R Capital Requirements Directive/RegulationCSD Central Securities DepositoryEBA European Banking AuthorityEC European CommissionECB European Central BankEMIR European Market Infrastructure RegulationESAs European Supervisory AuthoritiesESG Environmental, Social and Governance ESMA European Securities and Markets AuthorityESTER Euro Short-Term Rate EU European UnionFAMR Financial Advice Market ReviewFCA Financial Conduct AuthorityFPC Financial Policy CommitteeFRTB Fundamental Review of the Trading BookFSB Financial Stability BoardGSIB Global Systemically Important BankHMRC Her Majesty's Revenue & CustomsHMT Her Majesty's TreasuryIBOR Inter Bank Offered RateICT Information and Communication Technology IRB Internal Ratings-BasedLCR Liquidity Coverage RatioLIBOR London Inter-Bank Offered Rate MiFID/R Markets in Financial Instruments Directive / RegulationMREL Minimum Requirement for Own Funds and Eligible LiabilitiesPRA Prudential Regulatory AuthorityRTS Regulatory Technical StandardsSFTR Securities Financing Transactions RegualtionSI Systematic InternaliserSMCR Senior Managers Certification RegimeSONIA Sterling Overnight Index Average SSM Single Supervisory Mechanism TCFD Task Force on Climate-related Financial Disclosures TLAC Total Loss Absorbing Capital

For more information please contact:

risk@baringa.com or Stuart Cook (Partner) on +44 796 811 1631 or Chris Dominy (Partner) on +44 784 190 1375.

Baringa Partners LLP, 3rd Floor, Dominican Court, 17 Hatfields,London SE1 8DJ T +44 (0)203 327 4220 F +44 (0)203 327 4221W www.baringa.com E risk@baringa.com

Theme Sub-theme Regulation

Q4 2019: Implementation date for the revised GSIB assessment

methodologyQ4 2019: Expected

delegated act implementing the FRTB as a reporting requirement

01.01.22: Implementation of the internal model output floor01.01.22: Implementation of the revised Standardised Approach for

Credit Risk01.01.22: Implementation of the revised approach to Operational Risk

01.01.22: Implementation of the finalised leverage ratio framework and G-SIB leverage ratio buffer

01.01.22: Implementation of the revised IRB framework01.01.22: BCBS deadline for the revised market risk framework to be implemented

Q2 2019: Earliest likely date for a political agreement by EU institutions on the Level 1 text of the CRD V/CRR II package Q2-Q3 2019: Earliest likely date for secondary rulemaking to begin following a political agreement by EU institutions on a Level 1 text for theCRD V/CRR II package

Q1 2019: Potential application date forcreditor hierarchy directive Q1-Q2 2019: FSB expected to conduct areview of the technical implementationof TLAC

Securities p SFTR Q2 2020: Application of reporting requirements for credit institutions and investment firms l Q3 2020: Application of reporting requirements for central securities depositories and central counterpartiesQ4 2020: Application of reporting requirements for insurers and investment funds l Q1 2021: Application of reporting requirements for non-financial counterparties

Q4 2019: Earliest likely applicationdate of revised BRRDQ4 2019: BoE will consult on a newdisclosure and assurance frameworkfor bank resolvability

Q1 2019: PRA rules on Operational Continuity in Resolution become applicableQ1-Q2 2019: FSB will publish the results of its thematic peer review on bank resolution planningQ1-Q4 2019: UK banks will be required to submit the first round of resolvability self-assessmentsQ1-Q4 2019: BoE will launch a pilot of its approach to cyber stress testing, with a focus on paymentsQ1-Q4 2019: BoE will begin public disclosure of UK banks' resolution plans and its own assessment of UK banks' resolvability

01.01.22: Deadline for the BoE tocomplete work to make the UKresolution framework fully resolvable

09.05.19:Category 4

firmssubject toclearing

obligationfor CDS

21.06.19:Category 3firmssubject toclearingobligationfor CDS

01.09.19: Initial marginrequirements for firmsexceeding the EUR 750

bn threshold to bephased-in

Disruption andinnovation

p Fintechp Regtechp Crowdfunding

Q1 2019: EU Commission is expectedto publish a report on best practicesfor regulatory sandboxes

Q2 2019: FCA will publish its finalised rules on crowdfunding, to address areas of concern, especially for loan-based crowdfundingQ2 2019: EU Commission Expert Group will asses unjustified regulatory obstacles to financial innovation, and whether the currentregulatory framework fosters financial innovation and the scaling up of innovative start-upsQ2-Q4 2019: EBA is expected to report on emerging technology risk and give guidance for prudential supervisors

EU / Global p AMLD V

10.01.20: Directive will come into force,bringing virtual currency exchanges andcustodian wallet providers into it

SustainableFinance

p Climate Changep Green Bondsp Credit Rating p Sustainability Ratingsp Corporate

Governancep TCFD report

Q1 2019: EC technical expert group is expected to provide an EU classification system for climate change mitigation activitiesQ1 2019: ESAs are expected to collect evidence of undue short-term pressure from capital markets on corporationsQ1 2019: FCA expected to consult on how workplace personal pension schemes consider ESG and climate change risks and opportunities and relevant non-financial factorsQ1-Q2 2019: EC is consideringincorporating climate risks into firms' riskmanagement policies and potentialcalibration of banks' capital requirementsunder CRR/CDR

Q2 2019: PRA is expected to publish its supervisory statement on the management of financial risks from climate changeQ2 2019: EC technical expert group is expected to report on an EU standard for green bondsQ2 2019: A delegated act on the content of the prospectus for green bond issuance isexpectedQ2 2019: EC technical expert group is expected to report on the design and methodologyof the low-carbon benchmarkQ2 2019: ESMA is expected to assess practices in the credit rating market and to includeESG information in its guidelines on disclosure for credit rating agenciesQ2 2019: EC is expected to carry out a study on sustainability ratings and market researchQ2 2019: Expected revision of guidelines for companies on how to disclose non-financialinformation in relation to climate-related data Q2 2019: EC is expected to assess potential measures to promote corporate governancemore conducive to sustainable financeQ2 2019: TCFD expected to publish an updated report to the FSB

Q3 2019: EC to report on progress made on actions involving credit rating agenciesQ3 2019: EU classification system for climate change and sustainable activities isexpected to come into effectQ3 2019: TCFD expected to publish a report on implementation progressQ3 2019: PRA is expected to publish a report and survey results on the UK bankingsector's response to climate-related financial risks

Resolvability p Non-PerformingLoans

Q2 2019: Regulation on prudential backstops fornon-performing loans enters into force

01.01.21: EU's directive to expedite collateral enforcement and facilitate secondary markets ofnon-performing loans becomes applicable (except several provisions on credit servicers)

Q3 2020: EU legislation on CCP RRPs is anticipated to take effectacross the EU

30.07.20: Open-access requirements for exchange traded derivativesto apply to several major trading venues previously exempted

01.09.20: End of phase-in for initial marginQ4 2021: FCA announced that by end-2021 they would no longerseek to compel or persuade panel banks to submit LIBOR quotes

Q2 2019: First legislative proposal to amend EMIR is expected to be finalised in the first half of 2019Q2 2019: CCP supervision proposal is expected to be finalised in the first half of 2019Q2 2019: Euro risk free rates working group is expected to provide recommendations on contract, protocol and regulatory amendmentsQ2-Q4 2019: A SONIA term rate is expected to be available 30.04.19: Updated transitional transparency calculations for derivatives, exchange-traded-commodities and exchange-traded notes, structuredfinance products and emission allowances, large in scale and size specific to the financial instrument thresholds for bonds to be published

Q4 2019:Dailypublicationof ESTER isexpected tostart

Q3 2019:Expected startdate of theSONIA term ratedaily publication

01.03.19: Updated liquidity assessment for equities to be published01.03.19: Deadline for firms to undertake their first assessment of SI thresholds and comply with SI obligations for ETCs, ETNs, SFPs, securitised derivatives, emission allowances and derivatives

Q4 2019: UK government’s Fintech Delivery Panel will publish a set of industry standards that willsupport Fintech firms by providing them with a consistent understanding of what financial servicesfirms will need from them before entering into partnership arrangementsQ4 2019: EBA is expected to publish a report/opinion on regulatory technologies

Data protectionand innovation

p Big Datap Cloud Service Providers

Q1 2019: ESAs will explore the need for guidelines on outsourcing to cloud service providers Q1-Q4 2019: EBA is expected to publish a report on financial exclusion and big data

CyberResilience

p Cyber & OperationalResilience

p IT Risk

Q1 2019: EBA is expected to publish guidelines on IT management and security for regulated entitiesQ1 2019: EBA is expected to publish a report/opinion on legislative improvements for IT management and securityQ1-Q3 2019: BoE and the PRA are expected to publish further details on the upcoming Cyber and operational resilience stress-testing pilot approachQ1-Q4 2019: Financial Policy Committee (FPC) stated in its June 2018 Financial Stability Report that it would launch a pilot stress-test, focused on payments, in 2019Q1-Q4 2019: ECB is expected to publish maturity-based expectations for Cyber and operational resilience of SSM banksQ1-Q4 2019: G7 expected to publish a statement on cyber-risk red team testing

Q4 2019: EBA is expected to publish Guidelines on ICT and securitymanagement, including expectations on resilience testing

Q1 2019: FCA is expected to conduct outcomes testing on automated adviceQ1 2019: CMA expected to publish its decision on its investment consultants market investigationQ1 2019: FCA will publish a report for consultation on its approach to market integrityQ1-Q4 2019: HMT and FCA to undertake review of FAMR outcomes

Q2-Q4 2019: SMCR extension expected to come into effect for solo-regulated firms