Welcome to The MPAC Group, the UK's leading corporate compliance and regulatory advisory firm.

We have achieved this respect by working closely with our clients to meet their corporate regulatory, financial or legal obligations.

We believe client satisfaction is a function of people, solutions and delivery. At MPAC, our team of experts is comprised of experienced compliance officers, money laundering reporting officers (MLROs), senior regulators, qualified actuaries, lawyers and accountants from the financial sector delivering a wide array of services targeted to help our clients navigate through various corporate landscapes. Please take a look at how MPAC can help your business grow.

Attend our "Roles of Compliance Officer, and Money Laundering Reporting Officer Workshop".

Attend our "Client Money and Assets Workshop"


Securities Token Offering (STO)

It's what we have been talking and writing about for a long time now… a mainstream Security Token Offering (STO). The week saw the issue of a €100m debt issue by a subsidiary of Soc Gen Paris; fully subscribed by the bank itself. Actually it was a covered bond called an OFH (obligations de financement de l'habitat). The bank says it was a live, experimental issue to test the backend systems amongst other things. Interesting as to whether this will cause other major institutions to speed up their offerings, live and/or experimental?

The opportunities for the issuer to reduce operations costs are potentially significant and can also increase liquidity in such issues - so we watch the first OFH with interest. If you want to talk about how we can help you in launching your own STO or need help in being regulated in any way to participate in the new world order of distributed ledgers and crypto, please do contact us. We are working in many areas of this sector and would be delighted to help.

Should you need any additional information, advice or assistance, please do not hesitate to contact us on +44 (0) 20 3056 0956 or email us on info@mpacgroup.co.uk

GDPR - What's in Store in the Regulatory Enforcement Backdrop?

The ICO published its Regulatory Action policy late last year, the high level guidance on how it will apply GDPR enforcement powers going forward. The ICO has said that it will update the Policy to reflect any amendments to legislation, including any implementation of an updated e-Privacy Regulation, which was anticipated to occur towards the end of this year/start of 2020; but this is dependent upon the final settlement between the EU and the UK post-Brexit being confirmed.

There have been no data breach penalties imposed under the new GDPR regime by the ICO as yet. However, recent enforcement actions and penalties in cases initiated under the 1998 DPA have resulted in maximum fines of £500,000 being imposed on Facebook and Equifax which indicate that the Commissioner will impose heavy fines under the new regime in the near future.

To put some context on this, in the case of Lloyd v Google LLC regarding a Safari workaround, the class of affected users was estimated at different times as comprising in the region of 4-5 million people; with a suggested tariff of £750 per claimant, Google's potential liability would be between £2-3 billion. In another action, CNIL (French Data Regulator) imposed a €50m fine on Google as a result of users not giving informed consent; this is under appeal by Google. So these give some indication of the potentially significant fines and claims to come, with the added dimension of specialist litigation funding coming into play in the large class actions.


ESMA Q&A - MiFID II - Reverse Solicitation

ESMA has recently updated its Q&A on MiFID II and MiFIR investor protection and intermediaries. One of the key questions addressed is whether under Article 42 of MiFID II the reverse solicitation rule allows a firm, within the context of a one-off service to a client, which has sold/has had the opportunity to sell a product or service under this rule, to offer again products/services from the same category? The short answer is No. The reverse solicitation exemption is based on the proviso that the product/service is marketed at the client's own exclusive initiative and can only be applied to the specific product/service provided.

When a one-off investment service is provided to a client, the third country firm must not sell to that client (without establishing a branch as required under local law) a product/service from the same category, unless it is requested to do so by the client at its own exclusive initiative and only at the time that the client asks for an investment product/service.

In the course of a transaction, the firm may offer the client another product/service of the same category as the one requested by the client, but not at a later stage unless the client specifically requests it on its own initiative. So, for example, if the client contacts the third country firm to buy an equity, the firm could market other equities from the same stock exchange sector to the client. However, the firm would not be entitled to market additional equities to the client one month later, unless this was to be carried out via a branch.


Ransomware - Regulatory Considerations

Traditionally, Ransomware was intended to generate money for the perpetrator with operational disruption a necessary by-product. Payment of the ransom usually entailed obtaining a decryption key via which compromised files could be restored and the disruption mitigated. Newer iterations of Ransomware (e.g. Ryuk and LockerGoga) have tended to maximise operational disruption rather than financial distortion and have been more targeted and malicious to the affected entity as a whole. Ransomware as a Service (RaaS) has been on the increase and offers broader access and a profit sharing model which aligns the interests of the developers and users who have acquired it.

From a regulatory perspective, this gives rise to the question of what qualifies as a "personal data breach" under GDPR? The impact of the Ransomware attack could amount to a Confidentiality breach (unauthorised or accidental disclosure or access), an Integrity breach (unauthorised or accidental alteration) or an Availability breach (accidental or unauthorised loss of access or destruction). Notification to the supervisory authority (ICO) is required within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33 GDPR).

Regarding whether payment of a ransom is legal, in the case of Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), the English Court of Appeal ruled that "there is no universal morality against the payment of ransom..and there is no evidence before the court of such payments being illegal anywhere in the world." Other considerations are whether the provisions of the Terrorism Act 2000 may apply and if there is reasonable cause to suspect that the ransom money will/may be used for the purposes of terrorism or if economic sanctions provisions are implicated.


FCA Publishes Dear CEO Letter on its Expectations of Firms' Approvals of Financial Promotions

On 11th April 2019, the FCA published a Dear CEO letter outlining its expectations on how firms approve financial promotions. This Dear CEO letter follows the FCA's previous letter of 9th January 2019 to CEOs of all regulated firms which sought to remind firms of the importance of complying with the rules on financial promotions when authorising communications from unauthorised persons, in particular that promotions approved must be fair, clear and not misleading. Since then, the FCA has identified a number of examples where due diligence on financial promotions has fallen below the standard expected.

The FCA emphasised that if an authorised firm provides an "S21 approval" of a financial promotion issued by a firm that is not authorised or for a product that is not regulated, it will require the authorised firm to show that it has assessed the promotion is fair, clear and not misleading. COBS 4.2.4G outlines the factors that should be considered. Retail investments promising high returns through complex structures are particularly difficult to present in a manner consistent with these rules. The FCA drew on the promotion of mini-bonds and other unlisted securities as an example. Promotions involving such products to retail clients are typically restricted to high net worth individuals, sophisticated investors, or those who have confirmed they are not investing more than 10% of their assets in non-readily realisable securities in accordance with COBS 4.7.7R(3). The firm that approves or communicates such direct offer financial promotions has responsibility for ensuring this restriction and the rules on the appropriateness of the investment are complied with.

The FCA also sought to remind firms of the following rules on financial promotions:

  • COBS 4.10.2R(1) - Before a firm approves a financial promotion for communication by an unauthorised person, it must confirm that the financial promotion complies with the financial promotion rules;
  • COBS 4.10.2R(2) - If a firm becomes aware the financial promotion no longer complies with the rules, it must withdraw its approval;
  • COBS 4.10.1G - A firm that communicates or approves a financial promotion must have put in place adequate systems and controls to comply with the financial promotion rules; and
  • COBS 4.5.2R(2) - Firms must ensure that information is accurate and always gives a fair indication of any relevant risks when referencing any potential benefits.


Standard Chartered Bank Fined £102.2 million by the FCA for AML Failures

On 9th April 2019, the FCA published a Decision Notice (from 5th February 2019) issuing a fine to Standard Chartered Bank ("SC") of £102,163,200 for anti-money laundering ("AML") breaches under the Money Laundering Regulations 2007 ("MLRs"). It is the second largest penalty for AML failings ever imposed by the FCA. The fine follows investigations into two of SC's higher risk business areas: its UK Wholesale Bank Correspondent Banking business and its branches in the United Arab Emirates ("UAE"). The FCA concluded that SC had failed to maintain appropriate risk-based policies and had failed to apply UK equivalent AML and counter-terrorist financing procedures in its UAE branches as required by the MLRs.

Moreover, the FCA investigations revealed failures in SC's internal assessments of the adequacy of its AML controls, its approach to identifying AML risks and escalation of such risks when identified. Examples of the failings that the FCA identified include:

  • opening an account with 3 million UAE Dirham in cash in a suitcase (just over £500,000) and failing to investigate properly the origin of funds; and
  • failing to conduct sufficient checks on a customer exporting a product that could have a military application.

The failings occurred in the UK Wholesale Bank Correspondent Banking business from November 2010 to July 2013 and in the UAE branches from November 2009 to December 2014. SC qualified for a 30% discount by accepting the FCA's findings, reducing the penalty from £145,947,500.

The full Decision Notice is available here.


We are aware that the FCA has recently been active in fining some large investment banks, such as Goldman Sachs International and UBS AG, for their Transaction Reporting ("TR") failings under MIFID I for the period 2007 to 2017.

The FCA is starting to turn its attention to Investment Firms' Transaction Reporting Obligations ("TRO") under RTS 22 and MIFIR with effect from 3rd January 2018. There is ongoing dialogue between the FCA and Investment Firms ("IFs") which are using their Matched Principal Brokerage ("MPB") permission. It would appear that IFs are not following either the RTS 22 rules or the relevant ESMA TR guidance (2016-1452) in their MIFIR reporting of MPB trades, irrespective of the class of MIFID Financial Instrument.

MPAC Group is currently assisting a number of its clients to undertake a review of their current MPB TR arrangements under RTS 22 and MIFIR to ensure that TRs are accurate both in detail and completeness of content.

In view of the errors which have been uncovered as a result of the mis-reporting of such trades, there is a potential secondary unintended consequence, relating to the generation of an excessive number of Market Abuse surveillance alerts, thus creating unnecessary work for already hard pressed compliance departments.

In the event that your Investment Firm is engaged in Matched Principal Broking activity, whether as an operator of an Organised Trading Facility (OTF) or just as an Investment Firm, and you wish to undertake a quick review of a sample of trades undertaken as an MPB, please contact either Toby Campbell-Gray or Philip Buckingham on 020 3056 0956 for an initial discussion on how MPAC Group might be able to assist your firm to ensure it is compliant with its MIFIR and RTS 22 TRO.

HMRC Launches First Criminal Investigations Into New Offence of Failure to Prevent the Facilitation of UK Tax Evasion

We all know that the 2015 Panama Papers shone lights in various parts of the financial sector and beyond, and that the authorities in various jurisdictions would likely react in some ways upon those who were deemed to have evaded tax. For the UK, one of those ways was making it a corporate criminal offence to evade tax (not avoid, evade) - this being under the Criminal Finances Act 2017.

Recent freedom of information requests to HMRC have revealed that it has not opened many criminal investigations, with the number being fewer than 5. Expect this number to rise once HMRC gains more practice and obtains success in the courts.

To remind you, the corporate offence applies to all 'relevant bodies' (any corporate bodies and partnerships wherever incorporated or formed) rather than individuals. Effectively, it means that businesses can be made liable for actions of 'associated persons', such as employees, agents and sub-contractors. So if you are a group holding company or within a group structure, the long arm of the law will hold your senior management (thus board of directors or equivalent) to account for allowing tax evasion to occur within the group, whether or not any tax evasion was suspected. The only defence is that the firm has reasonable prevention procedures in place.

Is your firm covered by having the ability to understand where such risks could occur within the firm or group (recognition), have governance arrangements and procedures/processes to manage the risk (detection) and the ability to report it (report and monitoring)?


UBS AG Fined £27.6 Million by the FCA for Transaction Reporting Failures

On 18th March 2019 the FCA issued a Final Notice against UBS AG ("UBS") and fined it £27,599,400 for failures in relation to 135.8 million transaction reports between November 2007 and May 2017. The FCA concluded that UBS failed to provide complete and accurate information for roughly 86.67m reportable transactions. In addition, it reported 49.1m transactions to the FCA, which were not, in fact, reportable.

UBS was found to have failed to take reasonable care in organising and controlling its affairs effectively in relation to transaction reporting. Failings included UBS' change management processes, its maintenance of the reference data used and its testing of whether transactions reported were accurate and complete. UBS qualified for a 30% discount in the overall penalty after agreeing to resolve the case, which reduced the fine from £39,427,795.

The full Final Notice is available here.


MPAC is proud to be a member of the

Graduate Compliance Internship

The MPAC Group works closely with financial services providers to advise them on all aspects of their regulatory obligations. We provide retained and advisory compliance support to our clients, ranging from start-ups that require authorisation advice to established brokers, corporate finance advisers, electronic money institutions, payment services firms and asset managers.

We are looking for an intern to assist and support members of the MPAC team on various client projects and tasks.
