The topic of regulatory enforcement is never far from the news headlines. It is a few months since our last post about enforcement trends and the hot topic of the name and shame proposals, which have now reached their conclusion with the recent publication of the FCA’s revised Enforcement Guide (more details on this in a new post yet to come). It is also a few months since our last digest of enforcement cases, which looked at enforcement trends and the importance of good governance, and there have been more decisions since that digest that are worth a closer look. There has also been press reporting of the recent opening of an enforcement investigation into Consumer Duty breaches at a wealth and asset management firm. In short, it is time to catch up with what has been going on in the enforcement space.
“Goodbye” name and shame and “Hello” new Enforcement Guide
A new version of the FCA’s Enforcement Guide was published earlier this month. Lighter by a reported 250 or more pages than its predecessor, liberated of obsolete and replicated content, it should make for a more agile enforcement capability for the regulator and something that is easier to grapple with and understand for regulated firms.
On the name and shame point, the FCA will not be naming firms under active investigation prior to a verdict save in ‘exceptional circumstances’. There are three sets of circumstances which might be considered exceptional, and these include those where there is suspected unauthorised or criminal activity, those where there has already been some form of public disclosure, and those where an anonymous announcement is made (for example, to warn the public or educate firms about a kind of conduct that is under scrutiny).
Learnings from recent enforcement decisions
Information derived from the FCA’s enforcement decisions can help to educate the regulated community about issues that the FCA is focusing on, why and how. The FCA intends its enforcement work to encourage wider compliance and expects regulated firms to look into the information that it puts out via its enforcement decisions, learn from it, and adjust their conduct and operations accordingly.
Financial crime is once again a central theme of recent decisions. It is an issue of international significance and doing its bit to tackle this global scale problem is part of the FCA’s operational remit to pursue the objective of protecting and enhancing the integrity of the UK’s financial system. Financial services firms are a prime target for bad actors. It is imperative that firms have effective systems and controls to identify and mitigate the risk of their business being used to facilitate financial crime and that they act with due skill, care and diligence to adhere to the systems and controls that they have in place. Time and again, failings in this space are detailed in the FCA’s enforcement decisions, and so it is top of the list in the key observations below.
Key observations
The key observations that follow are extracted from recent enforcement decisions. These are the failings that have recently resulted in financial services firms being investigated and sanctioned by the regulator.
Financial crime
- The FCA’s ability to detect, investigate and prevent market abuse and reduce financial crime is data critical. Transaction reporting is an integral part of the FCA’s ability to capture relevant data and so any failures on the part of firms to submit timely, complete and accurate transaction reports will be considered as serious breaches.
- Firms must have adequate systems and controls to identify and mitigate the risk of a firm being used to facilitate financial crime. Firms must also exercise due skill, care and diligence in applying policies and procedures, and assessing, monitoring and mitigating the risk of financial crime. Failings in these key requirements increase the risk of a firm being used to facilitate financial crime and will be considered as serious breaches by the FCA.
- Some of the systems and controls failings observed include failing to understand when reliance can be placed on another firm’s due diligence, failing to document risk assessments, failing to document the rationale for standard due diligence measures being waived, failing to set out adequate processes and procedures for due diligence, failing to have adequate processes and procedures for client categorisation, transaction monitoring failings, and failures to identify suspicious transactions.
- Some of the due skill, care and diligence failings include failing to conduct due diligence prior to onboarding, failing to identify risks prior to commencing operations, failing to gather the information needed to understand the purpose and nature of transactions, failing to undertake and document risk assessments prior to onboarding, failing to complete enhanced due diligence despite relevant risk indicators, failing to sufficiently engage external compliance consultants, failing to assess clients against relevant categorisation criteria and failing to inform clients of their categorisation, failing to conduct or adequately conduct transaction monitoring, and failing to recognise red flags.
- It may assist some firms to engage third-party compliance consultants to help them to resource the skills and experience that they need to ensure that they can properly assess their risk. A firm must engage consultants based on full and complete instructions for the engagement to be considered adequate.
- Firms should always scrutinise client business that looks complex, opaque, implausible, or to have no obvious business rationale, and carefully assess whether what they observe is suggestive of financial crime.
- A firm’s risk assessment should consider its risks and evidence its methodology around the full spectrum of risks that it faces including customer risk factors, products and service line risk factors, jurisdictional and geographical risks and transactional risks. A firm’s risk assessment should evidence an understanding of how to undertake risk assessments, an ability to identify and differentiate risks, consideration of the National Risk Assessment and its specificity to the firm’s own business, risk appropriate due diligence requirements, and relevant red flags.
- The compliance team that a firm deploys to effect its financial crime strategy should be appropriately resourced and have clear lines of communication to senior management. At the senior management level there should be sufficient levels of control, experience, scrutiny and challenge, to mitigate the financial crime risks faced by a firm. What is appropriate in terms of resources will depend on the nature of a firm’s business and the specific risks that it faces, but will include the experience and seniority of, and not just the volume of, relevant personnel.
Systems and controls
- Systems and controls (of all kinds, not just financial crime related ones) need to be tailored to the scale and nature of a firm’s business. This means that they need to be adequate, effective and appropriate, in context. It is not possible to ‘buy them off the shelf’ and there is no ‘one size fits all’.
- A firm may need to have adequate, appropriate and effective controls to deal with a stress or shock situation. What counts as a stress or shock situation will be firm dependent: it could be a technology issue, such as a systems outage, or a market issue, such as a period of unusual volatility. Depending on a firm’s business model and operating situation, the controls may well need to accommodate different time zones and other factors that could impact a firm’s ability to handle a novel situation.
- The controls that a firm puts in place should be clearly drawn and communicated to all relevant stakeholders who should be trained on and familiar with them.
Dishonesty
- Dishonesty in any form, including the making of false statements and other criminal offences, will render a person not fit and proper to perform functions in relation to regulated entities because it calls into question a person’s honesty and integrity, which are highly important factors in the FCA’s assessment of fitness and properness.
- The FCA will consider the seriousness and relevance of an offence in the light of the risk posed to consumers and to confidence in the UK’s financial system. Criminal convictions, either in the UK or overseas, will go straight to a person’s honesty and integrity and likely to a regulatory finding of not fit and proper to perform any functions in relation to regulated activity. The FCA’s objective is to protect the consumers of and the integrity of the UK’s financial system.
- Behaviour that is deliberate, calculated, and designed to evade the attention of the regulator (including the use of false names and false identifications), will have serious consequences. Recent examples have included operating unauthorised regulated activities and the misappropriation of customer funds to support extravagant lifestyles.
Hints and tips for individuals
- Senior individuals holding positions of influence, culturally and functionally, in regulated firms must expect to be held accountable for their conduct and competence. They should be able to demonstrate high standards of integrity, probity and leadership. Buzz words for senior figures in regulated firms include honesty, independence, expertise, experience and reputation. Senior leadership figures can have a significant impact on the firms that they lead and, in some cases, can influence the wider markets. For these reasons the FCA will look to drive up high standards for senior individuals as part of its work to meet its objectives of protecting consumers and protecting and enhancing the integrity of the financial system.
- Integrity is a highly valued characteristic. Individuals who behave in ways that fall below the standards expected of them are likely to have their integrity called into question and may fail to meet the fitness and propriety requirements. Examples of behaviour that has been called into question include using positions of influence to frustrate appropriate processes, showing disregard for governance, and causing breaches of regulatory requirements. The FCA considers that these kinds of behaviour can lead to poor culture environments and have the potential to put consumers and the markets at risk.
Behaviours that can make things worse
There are certain behaviours and actions that can make things worse for any firm that finds itself subject to, or likely to be subject to, enforcement investigations. Here are some of the factors that have made things worse for the firms subject to recent enforcement decisions:
- A failure to act on the FCA’s guidance to industry. Regulatory guidance can be communicated to industry in various formats including dedicated webpages, newsletters, user packs, guidance, reporting forums, and industry events. In some areas, there are highly relevant forms of regulatory guidance that firms should be familiar with. For example, in the financial crime space, guidance from the Joint Money Laundering Steering Group regularly cites good and bad practice, thematic reviews, and regulatory notices. These sources of information are intended to deliver important messages to industry and the FCA expects firms to be aware of them.
- A failure to learn from the lessons of past enforcement actions in respect of similar failings. The decisions resulting from enforcement investigations are intended to assist firms to reflect on and learn from the mistakes of others in similar situations and as a guide to firms as to the steps needed to address similar failings and so improve their operations and regulatory compliance.
- A failure to bring breaches to the notice of the FCA quickly, effectively and completely. In some cases, even a short delay in informing the regulator about a breach may be too long.
- A poor supervisory history with evidence of past failures and past breaches will aggravate a further breach, as will a failure to sufficiently explain past breaches or to rectify them. A firm that continues with behaviours or conduct that the FCA has noted as of concern is likely to make things worse in terms of the regulatory response.
- A failure to provide the FCA with accurate information or providing the FCA with inaccurate information will be an aggravating factor. A firm that is under regulatory scrutiny should deal with the FCA in an open and co-operative way, inform the FCA of all relevant facts, respond fully to requests for information, address substantive issues that are raised by the FCA, and demonstrate that problems are being handled in a suitable manner.
Behaviours that can improve the situation
Just as there are some behaviours that can make things worse, there are other behaviours that can improve outcomes for firms that are subject to, or likely to be subject to, enforcement investigations. Here are some of the factors that could help to drive more positive outcomes:
- Taking steps to ensure that similar problems do not arise in the future, such as commissioning an independent review and acting on the recommendations of that review.
- Reassuring the FCA by indicating a willingness and a readiness to organise operations in such a way as to remediate the issues that have resulted in supervisory action being taken. For example, implementing revised systems and controls, or dealing effectively with complaints and effecting a redress initiative.
Closing thoughts
As in the previous edit of this brief, the conclusion is that the key for all financial services firms is good oversight, good governance and good leadership. These outcomes are driven by good culture. To close, some extracts about the importance of culture from a recent speech by the FCA:
- ‘As a conduct regulator, the FCA’s objectives are to protect consumers, ensure market integrity, and support the UK’s economic growth and competitiveness. But time and again, when we investigate failures of consumer protection or market conduct, what do we find? The same root cause: failings in culture and governance. That is no coincidence. Because it is culture that drives conduct. Culture that shapes decisions and actions at every level.’
- ‘When respect, integrity and accountability are woven into the fabric of an organisation, they act like a social immune system – catching bad behaviour early and stopping it from spreading. But as with any immune system, it needs to be actively maintained. And senior leaders have a vital role to play.’
- ‘…toxic cultures, left unchecked, can cause lasting damage – for employees, consumers, firms, markets and the wider economy. The good news? A healthy culture, like a healthy immune system, can stop harm in its tracks and spread benefits far and wide. So my question of you is: what kind of culture are you spreading? Confidence or complacency? Integrity or indifference?’
• Culture drives conduct and decision-making, which directly impact outcomes for consumers, markets, and our economy. For this reason, culture will continue to be a regulatory concern.
• It is vital that the informed, responsible risk-taking required for long-term economic growth is built on a strong foundation of healthy firm cultures.
• The FCA is actively working with stakeholders to drive up culture and conduct standards.
https://www.fca.org.uk/news/speeches/culture-contagious