by Matthew Nunan, Michelle M. Kirshner, Martin Coombes, and Chris Hickey
The UK Financial Conduct Authority (“FCA”) continues to show a desire to take action in sectors of the financial services industry where there has traditionally been less supervisory oversight and to push the importance of firms’ internal governance and oversight structures. Enforcement cases are often used as a way to convey key messages to such sectors, and an important Final Notice[1] was published on Monday 23 November 2020 when the FCA imposed a fine of nearly £3.5m on TFS-ICAP Limited for breaches of Principle 2 (due skill, care and diligence), Principle 3 (reasonable care in organising and controlling its affairs responsibly and effectively) and Principle 5 (proper standards of market conduct) of the Authority’s Principles for Businesses.
Although many of the issues in the Notice are specific to the facts in question, there are a number of themes underlying them which are of more general application to regulated firms. With today’s very broad application of the Senior Managers and Certification Regime (“SMCR”) and accompanying conduct rules, it is important that firms and Senior Managers are aware of the messages in the Notice and consider whether their control frameworks meet the regulatory expectations in this area.
The key themes are set out below, together with some suggestions on practical steps firms can take to address the issues raised.
Risk Identification Should Drive Control Design
The FCA expects firms to consider the specific risks within their business, given the sector of the market in which they operate, execution methods and any firm-specific issues which have arisen.
- Risks considered must include conduct as well as operational, reputational, prudential and any other relevant risk type. The risks identified should then flow through into the design and implementation of the control framework, and controls must be reasonably designed to prevent and detect each type of risk crystallising.
The obligation to assess risk lies not only with Risk and Compliance Departments but also with the business units.
- Those involved in day-to-day execution of the firm’s strategy are better placed than any others to properly understand what might go wrong.
- Business unit senior managers will be expected to own the risks inherent within their areas of the firm and to satisfy themselves that controls are appropriate.
- In extreme cases, where they are not satisfied that risks are adequately managed or mitigated, they will be expected to stop executing business.
- For firms who outsource compliance or rely on off-the-shelf policies or training programmes, a key message is that the FCA is likely to expect a firm to go beyond simply adopting generic material or processes.
- The firm should consider the particular risks it faces and tailor the generic product to be specifically relevant to its business.
Where allegations of misconduct arise, the efficacy of controls should be revisited and, where necessary, enhanced.
- Firms will be expected to read-across from different areas. Where an issue arises in one section of the business, firms should ensure they have both a process in place and a record to show that they have given positive thought to whether the same issue might be arising elsewhere.
- Equally, good practice would suggest firms should have a process whereby management are alerted to any signs that controls are not operating as intended or otherwise need improving so that they can remediate in a timely fashion (i.e. before issues are raised with regulators).
Managers may wish to ensure that any common industry practices are carefully considered, recognising that although rules may not have drastically changed, standards and regulatory expectations have, especially post-financial crisis.
- The work of the FICC Market Standards Board can be very helpful in understanding the expected industry standards.
- Arguments such as ‘everyone else does it’ or ‘that’s just how the market operates’ will not prevent action being taken – in fact, the opposite may be true.
- Where misconduct is common within a sector of industry, a failure by a firm to recognise it as such may be seen as a failure of oversight and management.
Governance Structures and Documentation of Key Decisions Are Crucial Parts of Reasonable Oversight Processes
Governance and oversight must be about more than just delivering financial performance and results. Structures and processes are required to ensure risk is properly managed, conduct is appropriate, delegation and oversight mechanisms work and culture meets expectations.
- The Notice links inadequate governance structure to inadequate oversight and management in what should be taken as a clear message to Senior Managers looking for statements regarding how they should execute their functions and meet the Senior Manager Conduct Rules.
Any governance structure which cannot produce evidence of its consideration of risk will struggle in the face of the regulatory scrutiny that follows any kind of incident.
- Sometimes the issue is one of failure to document or record discussions that have actually taken place, and the best fix can be to put in place a structure that makes recordkeeping easier.
- However, if management meet too infrequently, with limited agendas and focus only on profitability, it will be difficult for them to show that they adequately discharged the full breadth of their responsibilities.
Conduct Risk Management and Robust Internal Reviews Are Also Key in Meeting Senior Manager Responsibilities
Firms and Senior Managers must ensure that they have in place all the steps they need to tackle allegations of misconduct. A failure to have a process to manage the risk of misconduct – often called conduct risk – has been deemed by the FCA to be a breach of Principle 3, and therefore could in post-SMCR terms be a breach of a Senior Managers Conduct Rule.
- Processes must be in place for handling allegations of misconduct whatever the source, recognising that different sources may involve different considerations (e.g. anonymity or confidentiality).
- Processes should cover robust investigations and notifications to control functions and management so that risks can be properly addressed.
- It is prudent to make good records where issues are deemed not to be made out or it is determined that no action is required. In these circumstances demonstrating that a robust review has taken place will be crucial when showing that issues were not ignored.
- It can be particularly useful to use past incidents – proven or not – as scenarios in future training. This allows training to target real or probable issues and also allows management to set out how they expect individuals to react to real-life situations.
Footnotes
[1] FCA Final Notice, TFS-ICAP, 23 November 2020 (https://www.fca.org.uk/publication/final-notices/tfs-icap-2020.pdf) (PDF 302 KB)
Matthew Nunan and Michelle M. Kirshner are partners, and Martin Coombes and Chris Hickey are associates, at Gibson, Dunn & Crutcher LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.