Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

Context

The FCA has published the 10th edition of the Regulatory Initiatives Grid, which is accompanied by the usual spreadsheet format of the Grid and the Minutes of the April 2026 meeting of the Financial Services Regulatory Initiatives Forum (FSRIF).  The FSRIF meeting Minutes noted the discussions of the preliminary 10^th edition, the Grid’s narrative foreword, and noted the Forum’s agreement of the topics to be included in the Grid and that it is appropriate.  The Grid features 135 live initiatives, a similar number to the previous edition of the Grid.

Key points to note and next actions

There are 25 multi-sector/cross-sector initiatives, seven of which are new.  Those of more relevant interest are:

• An ongoing review of FCA requirements following the introduction of the Consumer Duty, with further planned engagement with stakeholders in Q2 2026.  The FCA will also provide more details on a work plan for retiring non-Handbook materials in due course.
• A re-stated commitment to consulting on Client Assets Sourcebook improvements (specific Chapters in CASS are not mentioned) including broadening reconciliation rules to allow the use of records from sources that were not envisaged when the rules were introduced, and recognising scenarios where an external statement may be ‘receipted less frequently’.  The Grid indicates that there is a planned Handbook Notice in Q2 2026.
• New initiatives to make changes introduced by the Data (Use and Access) Act, in relation to sharing personal information when preventing, detecting and investigating scams and frauds, and ‘right to rectification’ updates.
• The planned Consultation on the application and requirements of the Consumer Duty, including through distribution chains, in H1 2026.
• Stakeholder engagement planned in Q2 2026 to consult on delivering reforms to the AR regime.
• The implementation of regulators’ first phase of SM&CR rule changes, to be completed by Q3 2026, and Regulators’ Consultations on a second phase of SM&CR reforms in Q3/Q4 2026.
• New Financial Crime Guide updates to keep the Guide up to date, with a Consultation planned for Q3/Q4 2026.

In relation to consumer credit, there are the recent Treasury plans to reform the Consumer Credit Act 2024, on which the Government will legislate when Parliamentary time allows, and the ongoing FCA review of the CONC 3 ‘financial promotions’ rules.  The FCA will aim to publish a Policy Statement in H2 2026 on the simplification of the CONC 3 rules. The FCA will also collate stakeholder feedback on the relevant Discussion Paper, and if it determines that there is a case for making any changes to its rules and guidance it will consult in the normal way.

For insurance and reinsurance, there are 17 initiatives in the Grid, four of which are new.  They include:

• One new initiative in relation to funeral plans, with a planned post-implementation review to examine evidence on firms’ adaptation to the new regime, outcomes for consumers and other relevant factors to determine whether the regime is delivering good outcomes.  The publication of the review is planned for Q4 2026.
• The Pure Protection Market Study final report is now due to be published in Q3 2026.
• The current ‘Simplifying the insurance Rules’ Consultation will likely lead to a Policy Statement in Q4 2026.
• A Consultation in the summer of 2026, following subject expert group engagement, about a UK captive insurance regime, with likely implementation mid-2027.

Context

The FCA has again updated its ‘Alert for firms: fake FCA communications’ web page, this time with details of fake FCA text messages.

Key points to note and next actions

The FCA has received reports of scam text messages claiming to be from the FCA.  These messages may warn of a data breach and include an 0800 number to call.  If firms call the number, they may be asked to share bank account details.

Some of these texts are designed to look like they come from the same sender the FCA uses for MyFCA one-time passcodes to login to a firm’s account.

Remember:

• Genuine MyFCA authentication messages will not include an 0800 number.
• The FCA will never ask for a firm’s bank details, PINs or passwords.

If firms receive a message like this, they should not respond or share any information.

Context

The FCA has published its response to the Treasury’s Policy Statement on Consumer Credit Act 1974 (CCA) reform, which was also published on 18th May.  Reform of the CCA is an important step towards a more flexible regime that supports effective competition and innovation, while maintaining appropriate consumer protection both now and in the future.

The proposals set out a framework that places greater emphasis on FCA rules and guidance rather than prescriptive requirements set out in legislation.  This is a theme in keeping with other recent Treasury publications which will impact the FCA (e.g., the Treasury’s AR regime proposals and SM&CR regime proposals).

Key points to note and next actions

The FCA intends to consult on the key elements of the consumer credit framework previously set out in legislation, where it has the powers to do so, considering the whole consumer credit process.  Its approach will be underpinned by the Consumer Duty – which sets out expectations for firms to deliver good outcomes for consumers.

As part of its policy development, the FCA will consider existing consumer rights and protections, including for example, cancellation and withdrawal, and termination of agreements, including early settlement.  Any proposals would be supported by evidence, including a cost benefit analysis and stakeholder feedback.

The FCA will continue to work closely with the Treasury, Government, Parliament, consumer bodies and other stakeholders as the reform programme develops, and it will communicate openly about its emerging approach and next steps in due course.

The Treasury’s announcement states that:

• Changes will mean consumers will receive clearer information when using credit cards, loans and overdrafts – helping them make smarter financial decisions.
• Reforms support innovation and growth, giving firms the freedom to develop new products while maintaining strong consumer protections.

The key Treasury Policy Statement reforms make transitional provisions for the transition from the current CCA provisions to the new reformed regime, and in summary are:

• To repeal most of the information disclosure requirements from the CCA, and to recast these into FCA rules (where appropriate and subject to any FCA consultation).
• To repeal the sanctions of unenforceability and disentitlement to interest from the CCA and for these provisions to fall away, relying on the FCA regulatory regime and the existing FCA supervisory and enforcement toolkit.
• To retain criminal offences.  The options of repealing, retaining, or repealing all except specific offences (e.g., those that relate to minors and canvassing off trade premises) were considered.

The definition of ‘individuals’ for consumer credit purposes will be retained.

Context

The FCA has published a ‘regulatory guide for credit brokers’, aimed at smaller credit brokers (generally, firms with fewer than 10 people), to help them understand and implement the FCA’s expectations in a way that is proportionate to their business.  This includes firms authorised as ‘Limited Permission’ credit brokers (which could include motor dealers, dentists or gyms) or ‘full permission’ credit brokers (which could include firms whose main business is introducing customers to lenders or brokers).  This guide is also relevant for Appointed Representatives (ARs).

Key points to note and next actions

This guide explains The FCA’s requirements and expectations, and where they derive from. It also includes case studies to illustrate good practice, and a glossary.  The sections of the guide are as follows:

• Section 1: Running your credit broking business – the basics
• Section 2: Promoting your business and finding customers
• Section 3: Dealing with customers
• Section 4: Making sure the right people are in the right roles
• Section 5: What checks your business needs to have in place
• Section 6: Handling complaints when things go wrong
• Section 7: Updating us
• Section 8: How we supervise firms
• Section 9: Using appointed representatives

This guide is part of a pilot to support small firms to navigate the FCA’s requirements. The FCA will welcome feedback on whether firms find it helpful.

Context

The FCA has published its latest Authorisations Division service quality metrics, covering January to March 2026.  The FCA reports its Authorisations metrics quarterly to provide greater transparency of its performance.  This is the second quarter the FCA is reporting against its new targets. Some of these reduced timelines will be reflected in proposed statutory deadlines consulted on by the Government and some reflect the FCA’s own new, faster targets.

Key points to note and next actions

• The performance against targets this quarter, including the new targets where they apply, show seven metrics are green, two are amber and two are red. 
• The red and amber metrics are due to some cases relating to New Firm Authorisations and Payment Services/E-Money Authorisations and Variations being determined after the applicable deadline where it was deemed necessary to spend more time reaching a decision. One case also missed the Change in Control deadline due to an operational error. 
• Against the old targets and using the previous RAG (red, amber, green) rating levels, the metrics would measure nine green, two amber, and no red.
• 97.6% of applications across all metric areas were determined within the deadlines, including new deadlines as reported. When considering our existing statutory deadlines only, 99.2% of cases were determined within the deadline.

Context

Fast‑growing and innovative solo-regulated (so only authorised and regulated by the FCA) financial services businesses can now apply for more support to help them grow.  Solo-regulated firms can apply to be part of the ‘solo-regulated cohort’ of firms using the FCA’s Scale-up Unit.

Key points to note and next actions

• The FCA’s Scale-up Unit provides tailored support to firms, helping them navigate regulation so they can scale sustainably. The unit is now open to solo-regulated firms to apply.
• The unit offers a dedicated point of contact and practical support to help navigate regulatory processes, develop innovative products and understand the impact of policy changes.
• The FCA provides information about the eligibility criteria for solo-regulated firms and how to apply to the Scale-up Unit.
• Applications for FCA solo-regulated firms to join the Scale-up Unit are open from 20th May to 22nd June 2026, and must be made online.
• The FCA has published a copy of the application form to help firms prepare.

Context

The FCA is seeking views on the Terms of Reference for a Claims Management Market Study.  The Market Study ToR are accompanied by a Market Study Notice.  The Study is being undertaken to gather evidence to understand the root causes of practices the FCA has observed by firms in the claims management market and how they impact competition and consumer outcomes.  This includes practices the FCA has observed by FCA-regulated claims management companies (CMCs) and lead generators, as well as legal professionals regulated by the Solicitors Regulation Authority (SRA) and other legal regulators. The FCA will be working closely with the SRA as it carries out the market study.

The FCA has also published a blog by Alison Walters, FCA Director of Consumer Finance, titled “Is the claims management market working?”, in which she outlines key concerns in the claims management market, highlighting poor practices by some firms and the actions taken to address them.  This provides a useful backdrop to the proposed Market Study.

Key points to note and next actions

The study will inform whether interventions are needed to promote effective competition, support customer choice, and ensure the claims management services market serves consumers in the way the FCA expects.

The work will focus on claims management services provided in relation to financial services and financial products claims, and housing disrepair claims.

The FCA plans to focus on:

• Consumer journey.
• Pricing-related harms.
• Business model incentives.
• Risks created by low financial resilience in CMCs.
• Incentives created by the regulatory landscape.

The FCA plans to issue information requests to firms from June 2026, and expects to share early findings and consult on potential proposals later in 2026.  If the FCA finds the market is not working well, it will consider its next steps, which may include: 

• using its competition, regulatory, supervisory and enforcement powers; and
• making recommendations to the Government or other bodies, such as the SRA.

Comments should be provided by 19th June 2026, by e-mail to claimsmanagementmarketstudy@fca.org.uk.

Context

The FCA has published a joint statement it has issued with the PRA and the Bank of England.  The statement relates to frontier AI models and cyber resilience.  The statement points out that AI continues to evolve rapidly, and that ‘frontier’ AI models represent a step-change in capability, with significant implications for cyber security and operational resilience.  ‘Frontier AI’ models are AI models that can perform a wide variety of tasks and match or exceed the capabilities present in today’s most advanced models.

The statement points out that this note is not intended to introduce new expectations; rather, it brings together and reinforces existing messages to support firms as the operating environment becomes more complex.

Key points to note and next actions

Under the heading ‘Why frontier AI matters for firms’, the statement explains that the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost. 

Under the heading ‘What this means for regulated firms’, there is commentary under several sub-headings:

• Governance and strategy
• Identification and risk management of vulnerabilities
• Managing risks from third parties
• Protection
• Response and Recovery

The Government and UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG).

Firms should keep up to date with relevant publications in this space by CMORG and the National Cyber Security Centre (NCSC), the UK’s technical cyber authority. For example, firms can watch CMORG’s Frontier AI Risk Mitigation Webinar from 14th May 2026.  In addition, the NCSC continues to publish practical guidance on how firms should consider and manage the risks from frontier AI. This includes:

• Preparing for a ‘vulnerability patch wave’, National Cyber Security Centre.
• Why cyber defenders need to be ready for frontier AI, National Cyber Security Centre.
• 10 questions to ask when using AI models to find vulnerabilities, National Cyber Security Centre, NCSC vulnerability management.

Context

The FCA has updated its AI Lab web page with details of its re-opened AI Input Zone.

Key points to note and next actions

• The FCA is reopening the AI Input Zone to ask for views and examples to inform a good and poor practice publication on AI later this year.
• The FCA is keen to hear specific examples of what stakeholders feel ‘good’ looks like in terms of safe and responsible AI development, and what can be learned from and improved.
• This component of the AI Lab is part of wider evidence gathering that will help shape our future regulatory approach.
• The FCA is asking for responses to the questions by 19th June 2026.

Context

The FCA has published a blog by Charlotte Clark, FCA Director of Cross-Cutting Policy and Strategy, outlining the FCA’s expectations of firms in supporting customers in challenging times, , through the Consumer Duty and its rules on protections for borrowers in difficulty.

Key points to note and next actions

• The FCA expects firms to have embedded the Duty and to monitor outcomes actively, identifying where consumers are at risk of harm in a rapidly changing environment.
• In relation to products and services, firms must check that products and services still meet the needs, characteristics and objectives of their target market as circumstances change.
• In relation to price and value, firms must regularly review whether customers still receive fair value as circumstances change.  Firms should keep monitoring outcomes for higher-risk customer groups and act if they find that a product no longer offers fair value.
• In relation to consumer understanding, customers may need clearer, more timely and more prominent information to make effective decisions. Some may be experiencing payment difficulties for the first time and may not know what support is available. Firms should test communications (including digital journeys and scripts) to make sure customers understand key terms, the consequences of inaction and the support available.
• In relation to consumer support, the Duty requires firms to keep support accessible and effective as customers’ needs change.
• The FCA will continue to engage with firms to deliver good outcomes for customers, and urges firms to keep in mind that, for those customers who hold multiple products with the same firm, firms may need to adopt a holistic view across those products to make sure they are delivering good outcomes.

In summary, firms should:

• check that their current approach remains appropriate in the current environment and make changes where it does not; and
• take timely action and retain clear evidence of the impact on customer outcomes where firms identify that foreseeable harm may be caused.

Context

The FCA has published a speech delivered by Nikhil Rathi, FCA Chief Executive, at the FCA’s Financial Crime Conference.  Rathi introduced the speech by stating that financial crime is changing rapidly, that it is more technologically enabled, and more organised than ever before.

Key points to note and next actions

• Financial crime is more organised, technologically advanced and interconnected than ever, making it a threat to national security and economic stability.
• The response to financial crime must be system wide. This includes better information sharing, smarter use of technology and deeper collaboration across firms, regulators, government, and law enforcement.
• The scale and speed of financial crime mean we cannot defend against every threat equally, and must prioritise where we focus our collective effort.
• Rathi explores the new threat landscape, and the need for a changing approach to the changing threat: “shared responsibility for shared security”.

Context

The FCA has published a web page warning 17-to 25-year-old drivers about ‘ghost broking’ scams, where “bogus insurance policies” are sold through social media and messaging platforms.  The FCA has quoted new research which has revealed that half (49%) of young drivers have bought insurance through social media or messaging apps. With 4 in 10 (39%) not confident in spotting the signs of a fake policy, the FCA states that “…thousands could be paying for cover that doesn’t exist.”

Key points to note and next actions

• Almost half of those polled (45%) said they generally trust products or services bought through social media.
• Young drivers may be at greater risk due to cost of living pressures – with 1 in 7 (15%) saying they find it difficult to fit insurance into their monthly budget.
• To avoid being the victim of a scam or fraud, the FCA is urging young drivers to: 
  • Be wary of offers that sound too good to be true.
  • Avoid deals only available through social media and messaging platforms. Genuine sellers should have a legitimate website, phone number and address. 
  • Use the FCA Firm Checker to confirm the firm is authorised. Drivers should check the firm’s contact details match those listed on Firm Checker to make sure they are dealing with the genuine firm.

Context

FOS has published its latest Ombudsman News e-mail, in which FOS highlights a number of recent issues.

Key points to note

The publication covers:

• FOS’ joint consultation with FCA on modernising the redress system;
• a blog by the FOS Chief Operating Officer, Marc Harris, about AI and the impact on consumer complaints;
• the changes to the FOS award limits, ; and
• the FOS Plans and Budget for 2026/27.

Earlier weekly updates have commented on all these issues.

Context

FOS has announced that, following a company-wide vote, Dementia UK – the UK’s specialist dementia nursing charity – was chosen to be supported over the next two years.  This announcement follows the conclusion of support for Sands from 2024 to 2026.

Key points to note

• The new partnership will help the charity – via their dementia specialist Admiral Nurses – to continue to provide free, expert advice, support and understanding to help families care for their loved ones, and work towards a day where no one has to face dementia alone.
• The Financial Ombudsman’s employee-led Giving Something Back Committee, which is responsible for coordinating and championing opportunities to work with charity partners, will lead fundraising initiatives over the next two years.
• As part of the partnership, Dementia UK will provide workplace training and support for carers and vulnerability training for staff serving affected customers.

Context

FSCS has announced the publication of its May 2026 ‘Spring’ Outlook, which is accompanies by a statement from Martin Beauchamp, the FSCS Chief Executive.  The forecast sets the FSCS levy at £247m for 2026/27, the levy being the total amount payable by firms.  This figure is £95m lower than the November 2025 forecast.

Key points to note

• In 2025/26 FSCS recovered £34m from the estates of failed firms and relevant third parties, with performance in 2025/26 exceeding the annual average for the previous five years. These recoveries help offset the levy paid by financial services firms.
• FSCS expects to pay £267m in compensation to customers during 2026/27.  This is £27m lower than the early forecast set out in our November 2025 Outlook.
• The 2026/27 levy forecast also reflects higher surpluses carried forward from the previous year. This was driven in part by:
  • A shift towards higher volumes of lower-value advice claims, alongside fewer higher-value pensions and SIPP operator claims;
  • A higher proportion of Section 27 claims where no compensation has been due;
  • Credit union failures remaining steady, however with fewer affected members resulting in lower-than-expected compensation costs; and
  • Lower insurance costs from historic failures.
• Taken together, these factors, alongside strong recoveries and continued cost-efficiency, have contributed to the levy now expected to be £95m lower than the FSCS November forecast.
• The levy for the General Insurance Provision class has decreased from £113m to £88m. No new firm failures are currently expected in this class in 2026/27.  The reduction in the forecast levy is partly driven by a higher opening balance. FSCS anticipates lower costs from historic failures as the scheme continues to progress outstanding claims from legacy insurance estates.
• There remains no requirement for firms in this class to pay provider contributions to the General Insurance Distribution class in 2026/27.
• In his statement, Beauchamp discusses his reflections on 2025/26, ‘Readiness, resilience and confidence’, and looking ahead to 2026/27.

Context

The ICO has provided a report and advice to the Department for Science, Innovation and Technology by writing to the Rt Hon Ian Murray MP, Minister for Digital Government and Data, and The Lord Livermore, Financial Secretary to the Treasury.  The advice relates to the application of, and potential exclusions from, Regulation 6 of the Privacy in Electronic Communications Regulations (PECR).  Regulation 6, alongside the UK GDPR, governsthe use of storage and access technologies such as cookies, scripts and tags for the purposes of online advertising.

Alongside the advice, the ICO is also sharing findings from its public call for views, results from its citizen juries and a cost‑benefit analysis assessing the impacts of the proposed approach outlined in the advice to government. 

Key points to note

• The blog which introduces the report sets out the importance of online advertising as a key component of the UK’s digital economy.
• With a clear ‘growth’ agenda driving this work and output, the ICO carried out a review to understand where the Regulation 6 consent (or ‘cookie consent’) requirements in PECR are preventing the development and adoption of more privacy-preserving forms of online advertising.
• Within the current framework, most commercially viable online advertising requires consent whenever information is stored on, or accessed from, a user’s device, even where the risks to people’s privacy are relatively low.
• To address this challenge, the ICO analysed a range of online advertising activities and considered which ones pose a lower risk to people’s privacy and could therefore be delivered without Regulation 6 consent.
• The work shows how Regulation 6 could be amended to allow certain low risk forms of online advertising to operate without consent, while continuing to require consent for advertising that involves intrusive tracking and profiling people over time and across services.
• Privacy risks are lower where advertising is based on the context of the content being viewed, rather than information about a person’s past online activity. The ICO’s user research indicates that this approach is closely aligned with people’s expectations and could provide a viable alternative to behavioural advertising for online services whose users don’t consent to more intrusive tracking.
• It is important to remember that nothing has changed at this stage. The existing PECR rules still apply, and organisations must continue to comply with them.
• The ICO’s guidance on the use of storage and access technologies provides further clarity on the current legislative framework and our expectations for compliance.

Context

The ICO has published a blog by Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, about how firms can protect themselves from AI-powered cyber threats.  With similar messages to those in Nikhil Rathi’s speech at the FCA’s recent Financial Crime Conference, Hunter points out that cyber criminals are increasingly using artificial intelligence (AI) to carry out attacks that are faster, more advanced and harder to detect.  As the data protection regulator, the ICO can provide clear expectations and practical support, but all organisations must take proactive steps to prepare themselves for emerging threats.

Key points to note

By investing in cyber resilience and ensuring appropriate security measures are in place, firms can build public trust and confidence in how their organisation protects the personal data they hold. The ICO’s five practical steps to strengthen resilience to AI-powered threats are:

• Know what you’re up against – horizon scanning and understanding potential threats is the foundation of effective security. The main AI-powered risks facing organisations include AI-enhanced phishing, deepfake social engineering, automated vulnerability scanning and exploitation, AI-powered malware, credential stuffing and password attacks, data poisoning, and indirect prompt injection attacks.
• Get the basics right and layer your defences.
• Restrict access points
• Improve detection, monitoring and incident response.
• Protect personal data.  Measures could include data minimisation and storage limitation, data audits, staff awareness, AI governance, encryption, and pseudonymisation.

Context

The ICO has reminded firms that businesses across the UK have until 19th June to make sure that their complaints handling procedures can meet the requirements of the new legal requirements for data protection complaints.  From that date, all organisations will be legally required to handle data protection complaints under the Data (Use and Access) Act 2025.  With just four weeks remaining, the ICO is urging businesses, particularly small and medium-sized enterprises, to read its guidance now and take the straightforward steps needed to comply.

In the financial services sector, UKGI’s view is that all data protection complaints are likely, in essence, about the provision of, or failure to provide, a financial service, which will bring them within FCA complaint handling requirements.  The timescales are broadly similar or longer to those under current FCA regulation so firms should be able to deal with data protection complaints within their existing complaints handling procedures.

Key points to note

• All businesses must have new complaints process in place next month
• The guidance offers support to businesses to be prepared for commencement date
• Having a clear complaints process supports customer trust and good day-to-day relationships

The new law means organisations must:

• give people a clear way to raise a data protection complaint;
• acknowledge it within 30 days of receipt;
• without undue delay, take appropriate steps to investigate and keep people informed; and
• tell the complainant of the outcome.

The ICO’s guidance, published in February following a public consultation that received more than 85 responses, is already available and sets out everything organisations need to know. It explains what businesses must, should and could do to comply, and includes practical tips for each stage of the process.

UKGI’s complaint handling procedures and register will be updated to include commentary on data protection complaints, and will be available on its compliance manual by the end of May.

Context

The Prime Minister’s Office has published the background notes to the King’s Speech, delivered on 13th May 2025, which include some detail and background to a new Enhancing Financial Services Bill (see pages 34 to 36).  Although the Bill itself is yet to be published, there is useful commentary online in relation to the main impacts of the Bill from law firms Herbert Smith Freehills Kramer and Norton Rose Fulbright LLP.

Key points to note

• The Bill is intended to deliver key aspects of the Leeds Reforms, modernise regulation of the financial services sector, and make consumer protections under the financial services redress scheme consistent and appropriate to the digital age.
• The Bill comments on reforming FOS, consolidating the Payment Systems Regulator (PSR) within the FCA, enabling the expansion of credit unions, updating the bank ring-fencing regime, and reforming the SM&CR by:
  • removing the Certification regime from FSMA (i.e., removing it from legislation);
  • reducing the number of senior management functions that require regulatory pre-approval; and
  • streamlining the Conduct Rules.

Context

OFSI has imposed a £165,000 monetary penalty on Deutsche Bank AG London Branch (DBLB) for breaches of the Russia financial sanctions regime.  Between June and July 2022, DBLB processed two payments totalling £635,618.75 to an entity wholly owned by a designated person. 

Key points to note

This is the second OFSI monetary penalty case resolved through settlement, demonstrating how proportionate and effective enforcement outcomes can support the rapid communication of compliance lessons to industry.  It also underlines the importance of firms maintaining effective sanctions controls, particularly where ownership and control structures determine whether restrictions apply. 

Key lessons for firms include the importance of: 

• maintaining suitably robust sanctions screening systems and processes, commensurate with their level of exposure to sanctions risk;  
• having strong onboarding procedures and regular, risk‑based customer reviews especially in higher risk jurisdictions; and
• complete, detailed, and prompt voluntary disclosure of potential breaches to OFSI.

A 45% discount was applied, reflecting voluntary disclosure and settlement.