Latest news with #FCA

Brother and sister guilty of £1m insider trading over Jet2 and Daimler shares

The Independent

2 hours ago

A former research analyst at the investment firm Janus Henderson has been found guilty of insider trading after making around £1m during the Covid lockdown, along with his sister. Redinel Korfuzi and his sibling Oerta Korfuzi were charged by the Financial Conduct Authority (FCA) with conspiracy to commit insider dealing and money laundering, between January 2019 and March 2021, and were found guilty at Southwark Crown Court after pleading not guilty. Mr Korfuzi was accused of using confidential information gathered during his work to place a particular type of complex trade, called Contracts for Difference (CFDs), through accounts owned by his sister and two other co-defendants. In this manner, Mr Korfuzi made £963,000 in around six months and was 'at the absolute centre' of matters, said the prosecutor, benefitting from share price changes of at least 13 companies including Jet2, Daimler and THG. Their trading was detected by FCA market monitoring systems, despite Mr Korfuzi's apparent efforts to hide his involvement. The brother and sister were also convicted of money laundering, with the FCA saying they received money from the proceeds of crime, with more than 176 cash deposits totalling over £198,000. The source of that money was unrelated to charges of insider dealing. Insider trading is punishable by up to ten years in prison, but these charges predate a rule change increasing that time, meaning the pair face a maximum of seven years and/or a fine. For money laundering, a fine and/or up to 14 years imprisonment is the maximum. His Honour Judge Milne told the pair on Thursday: 'These are serious matters of which you've been convicted and the sentences will reflect that.' Steve Smart, joint executive director of Enforcement and Market Oversight at the FCA, said: 'We are committed to fighting financial crime and protecting the integrity of our markets.
Those who use inside information to unlawfully make profits should be aware that we will identify them and bring them to justice.' Mr and Ms Korfuzi are set to be sentenced on 4 July and the FCA are also to apply for confiscation orders to recover the proceeds of crime. The jury cleared their two co-defendants, Rogerio de Aquino - Mr Korfuzi's personal trainer - and Dema Almeziad - Mr Korfuzi's partner - of both charges. Their accounts were also used to place trades but they said in statements they had been 'hoodwinked' and 'duped'. Ms Almeziad's lawyer Roger Sahota said in a statement: 'This case should never have been brought. There was no evidence that Ms Almeziad knew anything about insider dealing and it is wrong to expect ordinary people to understand or spot complex financial conduct that even professionals struggle with.' Janus Henderson was not involved in the case or accused of wrongdoing.

Mitigating cyber-risks in outsourcing: Contract strategies for compliance and protection

Finextra

4 hours ago

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

A clear and present danger

In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches. For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime. As reported by Finextra on 15 May, NatWest's head of cyber security has revealed that the Bank faces 100 million cyber-attacks every month. That incident brought into sharp focus the risks and vulnerabilities which can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to ensure the safeguarding of sensitive information.

Rules are rules

Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures. Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers. Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers. Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached. Non-regulatory, but nonetheless important, requirements which impact many financial services businesses include the Payment Card Industry Data Security Standard (PCIDSS), which imposes requirements on the security of card data, and the information security requirements of ISO27001.

Get it in writing

The typical provisions which a customer can try to include in contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.

Contract standards

  • Set out the general standards to which a supplier must conduct its business and provide their service(s) - for example in compliance with all laws and regulations, with professional skill and care and in accordance with good industry practice.
  • Set out any specific requirements which the supplier must meet which are intended to address particular cyber and data concerns, for example:
      • Detailed security provisions, including compliance with the customer's own information and systems security policies.
      • Warranties of compliance with any information provided by the supplier pre-contract as part of the customer's due diligence process.
      • Early warning requirements related to suspected cyber incidents or data breaches.
      • Specific clauses designed to meet the requirements of the UK GDPR including: to exercise sufficient technical and organisational measures to protect data against unauthorised access, to notify data breaches in good time, and controls on the export of data outside of the UK/EEA.
      • Compliance with specific industry standards including PCIDSS and ISO27001.
      • Regular conduct of security testing and the provision of results to the customer (this can be a source of debate - a customer may want the right to conduct its own testing (including penetration tests) but suppliers can be reluctant to give this, especially over systems used for multiple customers, and so a right to see the results of the supplier's own internal or third party testing may be the best which can be achieved).
      • An obligation to rectify any detected weaknesses after testing.
      • Restrictions against use of sub-contractors and/or AI systems without the customer's consent.
      • Requirement to use at least 'industry-standard' cybersecurity measures such as firewalls, malware blockers etc.

Rights and remedies

  • Making sure that the supplier's liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of 'indirect or consequential' liability.
  • Potentially no or separate/higher liability caps for issues such as breach of confidentiality, security, or data protection requirements. It is now not uncommon to have 'supercaps' for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
  • Indemnities for issues such as security or data breach.
  • Audit rights for the customer (and also its regulators) - which would extend to the supplier's sub-contractors.
  • Definite termination rights in the event of a cyber or data related breach.
  • A right to remove supplier personnel or sub-contractors or the service if there are any concerns.

Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers. However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, provide the customer with various rights and remedies (ideally to try and catch and avoid problems before they escalate), and otherwise provide the customer with a potential claim for damages for breach of contract, or indemnity rights should the supplier fail to comply with the relevant terms and the customer suffers loss or liability as a result.

Bitget secures Georgia license as part of Europe expansion

Crypto Insight

4 hours ago

Bitget has received regulatory approval from Georgia to operate as a digital asset exchange and custodial wallet provider within the Tbilisi Free Zone (TFZ). In a Thursday announcement, the company said its users in Georgia can now access Bitget's full range of services, including spot trading, futures and copy trading, all within a fully compliant, locally regulated environment.

Bitget has been expanding in Europe since the European Union's Markets in Crypto-Assets Regulation (MiCA) began taking effect in 2024. Through its affiliate Archax, it holds authorization from the UK's Financial Conduct Authority. It is also registered with Italy's Organismo Agenti e Mediatori and is listed as a virtual asset service provider (VASP) in Poland, Bulgaria, Lithuania and the Czech Republic.

'As Europe moves toward the MiCA implementation, Georgia stands out as a key market providing regulatory clarity, tax advantages and real user adoption,' said Gracy Chen, CEO of Bitget. Chen highlighted that users also benefit from improved security measures such as proof of reserves and a dedicated protection fund.

Georgia marks Bitget's latest expansion in Europe thanks to a favorable business climate and supportive regulatory framework. The Georgian government engages with businesses when shaping crypto-related laws and provides grants to blockchain and crypto companies through the Georgian Innovation and Technology Agency.

Bitget Wallet launches QR crypto payments in Vietnam

Building on its broader push to expand globally across multiple business lines, Bitget Wallet has introduced national QR payment support as part of its global PayFi initiative, with Vietnam becoming the first market to go live. The new feature allows users to make crypto payments using VietQR, Vietnam's national QR standard. The integration enables users to pay with stablecoins such as USDt and USDC, supporting multiple blockchains, including Ethereum, Tron, Solana, Base, TON and BNB Chain. Future updates will also introduce auto-swap functionality, allowing payments using any token without manual conversion.

Jamie Elkaleh, chief marketing officer at Bitget Wallet, told Cointelegraph that 'users in Vietnam have already used Bitget Wallet to pay with stablecoins for everyday expenses like food, groceries and retail items simply by scanning VietQR codes.' In collaboration with licensed partner AEON's crypto payment framework, Bitget Wallet now enables stablecoin payments through more than 55 banks and payment institutions supporting VietQR, including VietinBank and Vietcombank. Over 2 million merchants nationwide accept the standard, spanning large retailers to small businesses.

Vietnam's regulatory environment for crypto has been evolving. On Saturday, the National Assembly approved the Law on Digital Technology Industry, which formally recognizes crypto assets and sets the stage for the regulated development of the sector. Coming into effect on Jan. 1, 2026, the law defines crypto and virtual assets separately, and introduces cybersecurity and Anti-Money Laundering requirements aligned with global standards.

AI developing faster than market regulator can make rules, FCA warns

Times

10 hours ago

Ever-faster artificial intelligence trading 'bots' may make it harder for regulators to monitor markets and prove when rules are being breached, the boss of the City regulator has warned. Nikhil Rathi, chief executive of the Financial Conduct Authority (FCA) since 2020, said the rising use of AI in the financial world meant that 'clean markets' could be more difficult to achieve in the future. 'What will clean markets mean in the future with more autonomous agents operating, trading at phenomenal speeds across the globe, and how can you prove abuse in that environment? I think that's something that's going to hit us in the next few years,' he said. A 'clean market' is one in which prices are set by genuine supply and demand forces, not by cheating or manipulation. In a clean market every participant — whether that is big banks, hedge funds or retail investors — plays by the same rules, has timely access to accurate information and cannot secretly distort prices through tricks such as insider trading, spoofing orders or spreading false rumours.

PS21/3: Are UK firms really ready?

Yahoo

19 hours ago

The Financial Conduct Authority's (FCA) operational resilience rules were introduced three years ago with a clear message: financial firms must be able to withstand disruptions and keep essential services running no matter what happens. On paper, the industry has had plenty of time to prepare. In reality, some firms are still racing against the clock, realising too late that compliance is about more than just paperwork. With only days left, the question remains: who's truly ready, and who's cutting it fine? Operational resilience isn't a new concept, but it has taken on greater urgency in recent years. From cyberattacks and IT failures to third-party outages, financial institutions face increasing risks that can bring services to a halt. Customers expect 24/7 access to their money; businesses need smooth payment flows; and regulators are watching closely. PS21/3 was introduced to make sure firms aren't just reacting to disruptions, they're prepared in advance. Yet, as the deadline looms, gaps in resilience planning are becoming more apparent. Some firms have treated compliance as a tick-box exercise, failing to integrate resilience into their broader strategy. Others have struggled with the sheer complexity of mapping critical business services and setting realistic impact tolerances. The FCA has been clear: firms need to justify their decisions with evidence, not assumptions. Simply hoping a competitor can pick up the slack during a disruption isn't enough. Every firm must know exactly how long it can sustain an outage before harm is caused and prove that they can recover within that timeframe. One of the biggest challenges for firms has been managing third-party dependencies. Today's financial ecosystem is deeply interconnected, with banks, payment providers and fintech firms all relying on external vendors for core services. What happens when those vendors fail? 
The CrowdStrike outage in 2024 was a stark reminder of how dependent financial firms are on third-party providers. Some businesses had contingency plans in place; others found themselves blindsided, unable to function until their suppliers restored service. The FCA has made it clear that firms cannot outsource responsibility for resilience. Even if a third party is delivering a key service, the regulated firm is still accountable for ensuring its stability. For payment providers and e-commerce businesses, this challenge is even greater. Many operate across multiple jurisdictions, juggling various payment rails, processors and alternative payment methods. Ensuring that these providers meet resilience standards and can keep transactions flowing, even in times of disruption, is essential. Beyond financial institutions themselves, merchants also have a stake in operational resilience. If a payment provider or acquiring bank fails to meet FCA standards, businesses relying on them could face service outages, lost revenue and customer frustration. Merchants must be proactive in selecting financial partners that take resilience seriously. This means working with payment providers that have robust contingency plans, failover mechanisms and diverse payment routing capabilities. A provider with a single point of failure is a business risk, one that many merchants cannot afford to take. As resilience becomes a key factor in financial partnerships, businesses need to demand transparency from their providers. How do they handle service disruptions? How quickly can they switch to backup systems? What safeguards are in place to keep payments running? These are the questions that should be asked before an outage occurs, not after. With the deadline fast approaching, firms that are still scrambling must prioritise key actions in the coming days.
While long-term resilience requires a continuous effort, there are still urgent steps that can be taken to ensure compliance by 31 March:

  • Verify that all important business services have been identified, and impact tolerances are clear. Every service should have a defined maximum tolerable outage time, backed by data.
  • Run final scenario tests. Stress-testing resilience plans under 'severe but plausible' conditions can expose vulnerabilities that need last-minute fixes.
  • Strengthen third-party oversight. Ensure that suppliers have their own resilience frameworks in place, and that they align with FCA expectations.
  • Review and update recovery strategies. Response teams should know exactly what to do when disruptions occur, minimising downtime and customer impact.

For firms that planned ahead, this period is about fine-tuning and reinforcing resilience strategies. For those that delayed preparations, it's a race to prove that they can meet regulatory standards, before the FCA starts asking tough questions. While 31 March marks the official compliance deadline, operational resilience isn't a one-time task, it's an ongoing expectation. The FCA has made it clear that financial firms must continue refining their resilience strategies, conducting regular reviews, and adapting to new risks. Beyond regulatory pressure, firms that invest in resilience stand to gain a competitive advantage. Customers trust institutions that can deliver seamless services, even during crises. Payment providers that can guarantee uptime will attract more business. Merchants will prioritise financial partners that won't leave them stranded when disruptions strike. Those who see resilience as more than just a compliance burden, but rather as a core pillar of their operations, will be the ones that emerge stronger in the long run. For financial services, resilience isn't just about surviving disruptions, it's about thriving despite them.
Azimkhon Askarov is Co-CEO & Partner at

"PS21/3: Are UK firms really ready?" was originally created and published by Electronic Payments International, a GlobalData owned brand.
