Proposed Regulatory Framework for Third Party Financial Technology Services in ADGM

CONSULTATION PAPER NO. 7 OF 2020 PROPOSED REGULATORY FRAMEWORK FOR PROVIDING THIRD PARTY FINANCIAL TECHNOLOGY SERVICES IN ADGM 25 November 2020

2 Consultation Paper No. 7 of 2020 Contents Introduction........................................................................................................................... 3 Who should read this paper?................................................................................................ 3 How to provide comments.................................................................................................... 3 What happens next?............................................................................................................ 4 Comments to be addressed to:............................................................................................. 4 Background ......................................................................................................................... 5 Legislative Framework ......................................................................................................... 5 Definition of new Regulated Activity...................................................................................... 5 General Regulatory Obligations............................................................................................ 6 Managing Operational Risk.................................................................................................. 6 Prudential Requirements...................................................................................................... 8 Professional indemnity insurance......................................................................................... 9 Wind down......................................................................................................................... 10 Conduct of Business.......................................................................................................... 10 Data Protection.................................................................................................................. 12 Anti-Money Laundering/Countering the Financing of Terrorism (“AML/CFT”)....................... 12 Authorisation and Supervision Fees ................................................................................... 13 Transitional Arrangements ................................................................................................. 13 Proposed Amendments...................................................................................................... 13

3 Consultation Paper No. 7 of 2020 Why are we issuing this paper?

1. The Financial Services Regulatory Authority (“FSRA“) of Abu Dhabi Global Market (“ADGM“) has issued this consultation paper to seek views on the proposed regulatory framework for the new Regulated Activity of Providing Third Party Services (“PTPS”).
2. This paper sets out a regulatory framework that facilitates FinTech firms working collaboratively with other financial institutions. Such Third Party Service Providers (“TPPs”) do not hold their customers’ assets but instead help assists the access, processing and transfer of customers’ information held at those other financial institutions. The framework also defines requirements for TPPs to manage their prudential and conduct risks.
3. In other jurisdictions, the growth of TPPs has been facilitated by the introduction of Open Finance frameworks. Under such frameworks, customers have more control over how their data is accessed, processed and transferred by financial institutions. For example, Open Banking as set out under PSD2 lets customers access their payment account information and initiate payments through TPPs’ services. Such control lets customers better exploit the value of their data.
4. While Open Finance will play an important role in the future of financial services, it is currently in a nascent stage and there is no generally agreed global model on how to implement it. The proposed regulatory framework lays a strong foundation on which to build an Open Finance strategy to support business growth and financial innovation in the digital economy.
5. Unless otherwise defined, capitalised terms used in this paper have the meanings attributed to them in the Financial Services and Markets Regulations 2015 (“FSMR”) or the Glossary (“GLO”). Who should read this paper?
6. This Consultation Paper should be of particular interest to all entities aspiring to undertake the Regulated Activity of Providing Third Party Services, their potential customers, financial institutions that may interface with TPPs and professional advisers. How to provide comments
7. All comments should be made in writing and sent to the address or the email address specified below. If sending your comments by email, please use the Consultation Paper number in the subject line. If relevant, please identify the organisation you represent when providing your comments. Introduction Introduction

4 Consultation Paper No. 7 of 2020 8. The FSRA reserves the right to publish, including on its website, the comments you provide, unless you expressly request otherwise at the time of submitting those comments. Comments supported by reasoning and evidence will be given more weight by the FSRA. What happens next? 9. The deadline for providing comments on the proposed framework is 7 January 2021. After receiving your comments, we shall consider whether any modifications are required to the proposals and the Board of ADGM and the FSRA will then proceed to enact the proposals in their final form. 10. You should not act on these proposals until final rules and guidance are issued by the FSRA. We shall issue a notice on our website when this happens. Comments to be addressed to: Consultation Paper No. 7 of 2020 Financial Services Regulatory Authority Abu Dhabi Global Market Square Al Maryah Island PO Box 111999 Abu Dhabi, UAE Email: consultation@adgm.com

5 Consultation Paper No. 7 of 2020

1. ADGM’s strong emphasis on the sound regulatory supervision of FinTech developments has led to firms expressing interest in working with financial institutions in the UAE and the broader region to provide additional services to the customers of those financial institutions. These firms do not hold or control client funds, but instead provide services to help those customers manage their funds held at the financial institutions, using technology to access, process and transfer information.
2. Firms providing such services are referred to as TPPs because they act as a third party intermediary between their customers and their customers’ financial institutions. This third party relationship is separate from and does not affect customers’ existing relationship with their financial institutions.
3. The FSRA is taking definitive steps to put in place a regulatory framework in ADGM for TPPs, as the demand and take-up of the services provided by TPPs will increase. In particular, TPPs are likely to play an increasingly important role in the provision of payment services. This approach is intended to provide the industry with a common set of baseline requirements, and to prescribe additional requirements that are calibrated to and commensurate with the nature, scale and risks of the specific type of services provided.
4. In doing so, the FSRA has had regard to comparable regulatory frameworks and developments in other jurisdictions, including the European Union (“EU”), Australia and Singapore. Definition of new Regulated Activity
5. We propose defining the Regulated Activity of Providing Third Party Services (“PTPS”) in FSMR (see Annex A) as “accessing, processing and transferring Specified Information at the request of a customer” in order to encompass the provision of all types of third party services. Specified Information would be set out in a Schedule, so that it may be expanded straightforwardly to cover any new types of information should the need arise. Initially, and based on current demand, the types of Specified Information handled by TPPs would be:  information relating to a Payment Account held by the customer at another financial institution; and  information required to initiate a Payment Transaction on behalf of the customer with respect to a Payment Account held by the customer at another financial institution. Background Legislative Framework

6 Consultation Paper No. 7 of 2020 Exclusions 6. The scope of the Regulated Activity would exclude services traditionally considered as participation in collaborative networks or those provided via an outsourcing arrangement, including the following.  The access, processing and transfer of Specified Information as part of participation in a multilateral payment and securities settlement systems (e.g. the UAE Funds Transfer System, ADX’s clearing, settlement and depository systems)  Providing technical services that allow for access, processing and transfer of Specified Information in the absence of a relationship with the customer to whom the Specified Information relates (e.g. vendors of banking systems and platforms)  The access, processing and transfer of Specified Information in physical form (e.g. printing of account statements by a third party printer) Client Assets/Relevant Money 7. Importantly, the Regulated Activity will prohibit TPPs from holding Client Assets or Relevant Money. A TPP with a business model that requires holding Client Assets or Relevant Money should seek authorisation to engage in the appropriate Regulated Activity. Q1. THE FSRA INVITES COMMENTS ON THE PROPOSED DEFINITION OF THE REGULATED ACTIVITY OF PROVIDING THIRD PARTY SERVICES AND ASSOCIATED EXCLUDED ACTIVITIES. General Regulatory Obligations 8. As Authorised Persons, TPPs would be required to comply with all existing, relevant requirements in the Rulebooks and all new requirements that would also be put in place to address the specific risks posed by TPPs. An overview of those new requirements is found in Appendices 1 to 5. Managing Operational Risk 9. The largest risks facing TPPs and their customers are operational risks, primarily arising from the incorrect execution of payment instructions and the loss of customer data through poor systems, procedures and handling. TPPs could also pose contagion risk if in the course of their operations, their systems unexpectedly cause damage to the systems of other financial institutions (e.g. as a vector for a cyber-attack). Most of these risks are technological, given the nature of TPPs’ business models. The identification, management and mitigation of operational risks is critical to guarantee confidence in and the security of TPPs’ ongoing operations. Interfacing systems – the Digital Lab 10. A key operational risk for TPPs lies in their systems that connect to customers and to other financial institutions, i.e. their “interfacing systems”. Failures in interfacing systems could have a serious impact because they could compromise other financial institutions systems or customers’ data.

7 Consultation Paper No. 7 of 2020 11. In order to address and mitigate this risk, we propose that TPPs be required to connect to ADGM Digital Lab1. The connection will be designed in such a way that only those Application Programming Interfaces (“APIs”)2 that are compliant with the standards set out in Annex F of the FSRA’s Guidance – APIs in ADGM (“API Guidance”)3 would be able to connect. Applicants to become authorised as TPPs may receive an in-principle approval without establishing such a connection, but connecting to the Digital Lab would be a necessary condition for the granting of a Financial Services Permission (“FSP”) for appropriate authorisation. This would ensure that applicants have met minimum technical standards for competency before they are authorised and allowed to serve customers. 12. On an ongoing basis, an authorised TPP would be required to maintain a connection to the Digital Lab and to provide an annual independent review of their interfacing systems. These requirements would ensure that the interfacing system is performing appropriately and would let the TPPs’ compliance be monitored as part of ongoing supervision. The TPP would be required to test any changes it makes to its interfacing systems in the Digital Lab for compliance before putting them into production. 13. In addition to connecting to the Digital Lab, we propose that TPPs would have to attest that their interfacing systems are secure both prior to commencing operations and on an annual basis. This attestation would be accompanied by a report by a qualified independent third party4 that audits the personnel, procedural and technical controls put in place by the TPP and provides an assessment of these controls’ adequacy. This is similar to the existing requirements for Authorised Persons conducting a Regulated Activity in relation to virtual assets, who must conduct an annual verification/audit of their core systems. Interfacing systems - standards and testing 14. We intend to develop the appropriate technical standards and automated processes for testing interfacing systems in collaboration with industry participants to ensure they are fit for purpose. Such standards will be necessary to ensure that the process of testing those systems is clear and appropriate. 15. We propose establishing a coordinating committee led by the FSRA and comprising TPPs and financial institutions to develop an acceptable set of technical standards for interfacing systems. The standards would cover, amongst other things:  how TPPs would connect to each other;  the information that can be exchanged;  how such information would be secured;  the service levels that would be acceptable for TPPs and financial institutions; and  how to automate the process for conducting such tests.

1 The Digital Lab is a digital platform that allows financial institutions, FinTechsand the FSRA to collaborate on new digital innovations. As part of the Digital Lab, firms can list their technological solutions and expose them for testing from a business model and technology risk point of view. 2 APIs allow different systems to interface with each other through a pre-defined protocol that sets out allowable actions and expected responses. The FSRA has issued guidance to firms to encourage a standardized approach to creating, maintaining and governing APIs. 3 https://www.adgm.com/documents/legal-framework/guidance-and-policy/fsra/adgm-fsra-guidance-on-api-14102019.pdf 4 Such a third party would need to have an appropriate track record in providing similar audits in either the UAE or a comparable jurisdiction

8 Consultation Paper No. 7 of 2020 Management of technology and data risk 16. Beyond interfacing systems, other TPP systems could also pose operational risks. For example, TPPs would need to ensure strong user access controls are in place to prevent sensitive customer data from being extracted by a malicious insider threat (e.g. a rogue systems administrator). Such risks cannot be addressed through the Digital Lab, as each TPP will have different internal systems and processes. 17. We propose providing further guidance to TPPs on the management of technology and data risks. The guidance would set out the FSRA’s expectations on how TPPs should meet the obligations in the General Rulebook (“GEN”), primarily those under GEN 3.3, to put systems and controls in place to ensure that its affairs are managed effectively and responsibly. Compliance with the guidance would be taken into account as part of the ongoing supervisory process when assessing the risk profile of a TPP. This guidance would be issued separately, following the launch of the framework. Q2. THE FSRA INVITES COMMENTS ON THE PROPOSED MEASURES TO ADDRESS OPERATIONAL RISKS BY REQUIRING CONNECTIONS TO THE DIGITAL LAB, REGULAR ATTESTATIONS OF THE SECURITY OF INTERFACING SYSTEMS AND THE ESTABLISHMENT OF AN INDUSTRY COORDINATING COMMITTEE. Prudential Requirements Categorisation of TPPs 18. We propose treating TPPs as Category 4 firms in terms of the Prudential – Investment, Insurance Intermediation and Banking Rules (“PRU”) as they would be prohibited from holding Client Assets and Relevant Money and therefore pose less risk from a prudential perspective. As such, TPPs would be required to meet only the requirements in PRU for capital resources, operational risk and group risk purposes and would not be subject to other requirements such as those for liquidity risk, supervisory review and evaluation and disclosure. Capital Requirements 19. We propose requiring a base capital requirement (“BCR”) for TPPs only where the TPP accesses, processes or transfers information that leads to a transaction. Such TPPs would be required to meet a BCR of $50k. 20. Furthermore, we are proposing not to impose ongoing Expenditure Based Capital Minimum (“EBCM”) requirements on TPPs as the risks and any associated unexpected losses that such capital requirements are intended to address5 may be mitigated through other means, including the use of professional indemnity insurance (“PII”). Unexpected losses could arise from the need to reimburse customers following a dispute or from unexpected system behaviour and these can be addressed through PII, which would provide the TPP with sufficient funds to address potential disputes.

5 Capital requirements are imposed on financial institutions for three reasons: (i) Commitment to entry: to deter applicants who cannot commit adequate resources to support their business model; (ii) Buffer: to absorb unexpected losses and allow the firm to continue as a going concern; and (iii) Liquidation: to provide for an orderly winding down if the firm ceases operations

9 Consultation Paper No. 7 of 2020 21. In proposing the appropriate capital requirements for TPPs, we have had regard to other international jurisdictions’ approaches, including in particular the approach in the EU. Q3. THE FSRA INVITES COMMENTS ON THE PROPOSED CAPITAL REQUIREMENTS FOR TPPS. Professional indemnity insurance 22. We are proposing additional requirements on PII coverage for TPPs, beyond the requirements placed on other Category 4 Authorised Persons. PII is an important component of the proposed regulatory framework for TPPs that protects TPPs against unexpected operational risk events that lead to losses for customers. In turn, the TPP would be expected to use its PII coverage to obtain funds to reimburse the customer, should reimbursement be expected. Cyber and Data Security Coverage 23. TPPs are strongly encouraged to include cyber and data security in their PII coverage. Cyber-attacks, software failures and data leaks are the most likely types of unexpected operational events that a TPP will face. At this time we note that there are a limited number of PII underwriters in the UAE and not all of those offer such coverage so we are not proposing that such coverage be mandatory at this point. As the TPP sector grows we shall continue to monitor the state of development of the PII market and shall consider periodically whether cyber and data security coverage should be made mandatory. Transaction limits 24. We propose requiring TPPs to put limits in place on their customers’ transactions that are in line with their PII coverage, subject to a minimum PII level of $150k. Such limits will ensure that the TPP has sufficient coverage to reimburse their customers in the event of disputes. Additionally, the minimum PII level would ensure that TPPs have sufficient funds to deal with rapidly increasing volumes of customers and transactions when they start operations. TPPs would be responsible for managing their customer transactions within this coverage, e.g. through imposing limits on the number or value of transactions or both. 25. TPPs will be required to ensure that the total value of the transactions they process in a rolling 30-day window does not exceed their remaining PII coverage, subject to a minimum PII level of $150k. The value of a transaction would be determined by the transaction type. If the transaction leads to a payment being initiated, the value of the transaction would be the same as the value of the payment, while all other transactions would be treated as a nominal value of $1. This rolling window would give customers a reasonable period to bring the matter to the attention of the TPP where an operational risk event occurs that leads to losses for them. Remaining PII coverage would be calculated by subtracting total outstanding claims from total PII coverage.

10 Consultation Paper No. 7 of 2020 Comparable Guarantees 26. Given the relative nascence of the PII market for TPPs in the UAE, it may be challenging for TPPs to obtain PII coverage. We would like to solicit views on whether the use of comparable guarantees such as bank guarantees would be a viable alternative to PII. Wind down 27. In the event that a TPP were to cease operations, whether in short order or over an extended period, we believe that the relationships of TPP customers with their financial institutions would be unaffected, given the supporting role that TPPs play in the arrangement between the other two parties. We acknowledge that this might inconvenience customers, but we believe that it would not cause serious disruption as they could continue to use their financial institutions’ services directly and, if desired, establish a new relationship with another TPP. Q4. THE FSRA INVITES COMMENTS ON THE PROPOSED REQUIREMENTS FOR PII AND THE AVAILABILITY AND SUITABILITY OF COMPARABLE GUARANTEES AS AN ALTERNATIVE OR SUPPLEMENT TO PII. Conduct of Business Conduct of Business Rulebook (“COBS”) 28. We propose requiring that TPPs meet certain, appropriate obligations analogous to those set out in COBS that pertain to the revised Money Services regulatory framework in Chapter 19 (“COBS 19”). However, as TPPs fall outside that framework, it could be confusing to reference the proposals in COBS 19. In order to aid TPPs we propose adding a new Chapter 20 (“COBS 20”) to house these obligations, building on and complementing COBS 19. The most significant proposed obligations are:  Record keeping - TPPs would be obliged to record all information requested by or transferred on behalf of customers 6. This would facilitate investigations should there be incorrect or unauthorised payments (e.g. arising from neglect or fraud) by ensuring accurate records are kept;  Client agreements - TPPs would have to include key information in their client agreements, such as the information will be provided by the TPP to other parties, how the TPP will require consent and any redress the customer would have in the event of a failed transaction or inappropriate transfer of information. This would ensure that customers are accurately informed of the risks involved and their rights of redress before signing up for the TPP’s services  Consent - where TPPs must ensure that they only access, process or transfer information where they have obtained consent from their customers or if it is necessary for compliance with any regulatory or legal obligation7. Such consent could be obtained directly from the customer or via a third party mechanism such

6 These record keeping requirements would encompass all the requirements set out in the proposed COBS 19.8.1 and impose further ones, taking into account that TPPs may need to keep track of information. 7 This is more restrictive than the ADGM Data Protection Regulations, which allow for additional bases under which data can be shared (e.g. for contractual obligations or for protecting the vital interests of the client).

11 Consultation Paper No. 7 of 2020 as the UAEPass or another TPP. The TPP would need to specify how it intends to obtain consent, as several different models for obtaining consent exist8. Liability and dispute resolution 29. The actions of TPPs may, in some instances, give rise to a dispute between their customers and those customers’ financial institutions. For example, a customer may claim that a Payment Transaction initiated by a TPP was done so without appropriate authorisation; a prolonged dispute between the TPP, the customer and the customer’s financial institution could leave the customer and the intended recipient of the payment potentially suffering losses as they would not have certainty over the state of the payment of the funds available to the customer. 30. Providing clarity to all parties on dispute resolution would improve the outcomes for all, with the guiding principle being to ensure that customers are reassured that they will not be left worse off should an unauthorised or fraudulent transaction occur. As part of this, customers need to know who they should approach in the event of a dispute and who would reimburse them if that should be appropriate. In turn, TPPs and the customers’ financial institutions would need to know who should investigate the dispute and who should be liable for reimbursing customers for any related losses suffered. 31. We propose therefore requiring TPPs to incorporate a dispute resolution mechanism into the contracts they have with their customers. Such clarifications would ensure that customers know who to approach should a dispute occur and, after investigation, where responsibility lies for making the customer whole should the TPP be found to be at fault. The following are the key terms that would be included in the relevant contractual provisions.  For customers - the customer’s financial institution should be primarily responsible for dispute resolution. A customer should contact its financial institution in the event of a dispute and TPPs would be required to forward on any such disputes to the relevant financial institution for further investigation. If the TPP were to be found to be at fault (e.g. by submitting materially incorrect information for the payment), it would be required to reimburse the customer.  For TPPs and customers’ financial institutions - the customer’s financial institution should be responsible for investigating the dispute. In turn, a TPP must be able to prove to the customer’s financial institution that its actions were authenticated, accurate and in accordance with its policies for providing TPP services. If the TPP were to be unable to prove this, it would be required to reimburse the customer. If the customer’s financial institution has already reimbursed the customer, the TPP would be required to reimburse the customer’s financial institution. Q5. THE FSRA INVITES COMMENTS ON THE PROPOSED CHANGES TO COBS. Q6. THE FSRA INVITES COMMENTS ON THE PROPOSED DISPUTE RESOLUTION PROCESS.

8 This could range from a per-request model, where the customer affirmseach request individually, to an omnibus model, where the customer would only need to provide consent once at the start of its relationship with the TPP.

12 Consultation Paper No. 7 of 2020 Data Protection 32. TPPs control a large amount of personal data and so must ensure that such data is protected. As entities registered in ADGM, TPPs would be subject to the Data Protection Regulations 2015 (“DPR”)9, which set out obligations for data controllers to follow when processing personal data. However, TPP’s customers and their financial institutions may be based outside ADGM and so would be subject to different data protection regulations. This could lead to a potential mismatch between how TPPs treat their customers’ data and how the customers’ financial institutions treat their customers’ data. 33. The FSRA proposes to provide TPPs with guidance that TPPs are expected to comply with the relevant data protection regulations in other jurisdictions when dealing with customers based outside ADGM. This is particularly important as recent data protection￾related legislation has increasingly had an extra-territorial dimension that may cause significant challenges for any firms processing data, including TPPs. Such guidance would ensure that TPPs’ customers based outside ADGM would be afforded the same protection as other persons in that jurisdiction. . Anti-Money Laundering/Countering the Financing of Terrorism (“AML/CFT”) Applicability of AML Rulebook 34. We will require TPPs to comply with all requirements set out in the Anti-Money Laundering and Sanctions Rules and Guidance Rulebook (“AML”). While TPPs may pose lower AML/CFT risks than other financial institutions because they do not hold Client Assets or Relevant Money, they are an important player in monitoring for AML/CFT activities. By the nature of the services they provide, TPPs should be able to detect potentially suspicious behaviour that might involve other financial institutions. 35. The FSRA considers that TPPs would generally be able to rely on the Customer Due Diligence (“CDD”) performed by the financial institutions with which their customers have relationships. However, as TPPs may be serving customers from multiple jurisdictions, the depth and intensity of both CDD and AML/CFT supervision more generally for financial institutions in those jurisdictions could be less robust than would be acceptable to the FSRA. As such, a TPP should only place reliance on the CDD performed by financial institutions in a jurisdiction where the TPP has assessed that the standard of AML/CFT supervision in that jurisdiction is at least comparable to that in ADGM. The TPP would be required to seek the FSRA’s agreement with their assessment of comparability prior to accepting customers from those jurisdictions. CDD data portability 36. We propose placing a general obligation on Authorised Persons and Recognised Bodies operating in or from ADGM to share their CDD information with other Authorised Persons and Recognised Bodies at the request of the latter group, i.e. “data portability”, with any such request being limited to customers that have business relationships with both the provider and the recipient of that information and being subject to the explicit consent in writing of those customers. A request could only be made for the purpose of conducting CDD and, in order to prevent additional confidential and proprietary information from

9 The DPR is currently being updated. The consultation document can be found at https://www.adgm.com/legal-framework/public￾consultations#consultation-paper-no.-20201219

13 Consultation Paper No. 7 of 2020 being transferred, this obligation would be restricted to CDD information that has been provided to the Authorised Person or Recognised Body by the person subject to CDD. An Authorised Person or Recognised Body making such a request would only be allowed to request such data once every twelve months. This will reduce the cost and time taken by authorised entities to conduct CDD and so make the financial sector in ADGM more efficient. Q7. THE FSRA INVITES COMMENTS ON TPPS BEING OBLIGED TO COMPLY WITH ALL REQUIREMENTS IN AML AND ON THE PROPOSAL TO ALLOW FOR CDD DATA PORTABILITY Authorisation and Supervision Fees 37. We propose that TPPs would be subject to authorisation and supervision fees as set out in FEES 2.2, i.e. an initial authorisation fee of $5k and an annual supervision fee of $5k thereafter, the latter pro-rated for the first part of the calendar year of operation. Transitional Arrangements 38. Certain firms that provide Third Party Services in ADGM may be operating in the RegLab10 at the time that the regulatory framework for TPPs is implemented. Such firms would be given a grace period of up to twelve months to put in place the necessary systems, controls and processes to comply with the TPP regulatory framework from the point in time at which the TPP regulatory framework is implemented. When a firm is judged to be compliant with the requirements in those areas it would automatically leave the RegLab and take up an FSP for PTPS. 39. In the period leading up to the implementation of the TPP regulatory framework we shall continue to allow new firms that offer TPP services to enter the RegLab, subject to them applying and meeting the admission criteria. However, once the TPP regulatory framework has been finalised, new firms would generally not be allowed to provide TPP services through the RegLab and would ultimately have to seek authorisation under the TPP regulatory framework to provide those services. Q8. THE FSRA INVITES COMMENTS ON THE PROPOSAL FOR A TRANSITIONAL PERIOD FOR FIRMS OPERATING IN THE REGLAB.

10 The RegLab is a tailored regulatory regime for FinTech participants. It is designed to foster innovation within the UAE financial services markets by taking into account the unique business model and risks of the FinTech participant and customising the te st boundaries and regulatory requirements accordingly. This lets the participant develop and test its FinTech proposition in a safe environment without facing undue regulatory burden.

14 Consultation Paper No. 7 of 2020 RO SED AMENDMENTS AND REGULATIONS  Annex A Financial Services and Markets Regulations 2015 (FSMR)  Appendix 1 Prudential – Investment, Insurance Intermediation and Banking Rules (PRU)  Appendix 2 Conduct of Business Rulebook (COBS)  Appendix 3 Glossary (GLO)  Appendix 4 Anti-Money Laundering and Sanctions Rules and Guidance (AML) PROPOSED AMENDMENTS PROPOSED AMENDMENTS AND REGULATIONS PROPOSED AMENDMENTS AND REGULATIONS PROPOSED AMENDMENTS AND REGULATIONS