There has been a dramatic increase in regulatory reporting obligations, in step with an increase in investigations and enforcement actions. This shifting regulatory focus brings both risks and opportunities for firms: reputationally, operationally and financially. UK firms operating in the retail and wholesale sectors need to be aware of the trends and ensure that they have appropriate arrangements in place.
In order to identify market risks and institutional shortcomings, regulators need timely and accurate data from financial services firms. There has been a dramatic increase in regulatory reporting obligations, in step with an increase in investigations and enforcement actions in which firms’ governance, systems and controls that are designed to meet these obligations are being scrutinised.
This shifting regulatory focus brings both risks and opportunities for firms: reputationally, operationally and financially. There have been significant regulatory interventions and fines in both the retail and wholesale sectors, which amplify the need for UK firms operating in these areas to be aware of the trends and ensure that they have appropriate arrangements in place.
Culture and governance
A firm’s risk culture is ultimately shaped by the core values, expectations and behaviours set by its board and senior managers. With the extension of the senior managers and certification regime (SMCR) to all authorised firms, there has been a shift to more integrated governance arrangements to ensure more effective oversight of every area within a firm. A greater emphasis on individual accountability and clear reporting lines means that the Financial Conduct Authority (FCA) is likely to continue to make investigations and enforcement action against individuals, and senior managers in particular, a top priority.
One potential unintended consequence of the SMCR is that it may foster a culture where individuals are reluctant to take personal responsibility for dealing with issues they have identified due to fear of disciplinary action. Equally, SMCR may open the floodgate to a high number of whistleblowing investigations and a general trend towards increased whistleblowing in financial services, along with a growing appetite among employees to litigate against firms.
In addition, a firm’s leadership may prioritise revenue and profit over good conduct, adopting a “wait and see” approach or weighing the cost of operationalising compliance against the cost of non-compliance, such as the cost of regulatory fines and remediating reputational damage. A lack of clear communication with respect to business purpose, strategy, vision and values means that this information can become lost and fail to reach all levels of staff (see box). This could result in inadequate, incomplete or uninformative management information being fed back up to the firm’s leadership.
Other potential issues that could negatively affect a firm in relation to culture and governance include the following:
- A failure to harness the full power of artificial intelligence to collect data or perform root cause analysis, which could otherwise help to predict the firm’s overall engagement with culture and conduct.
- Inadequate incentive and remuneration structures, such as high bonuses and commissions, 100% variable pay and rewarding high sales or volume targets, could act as key drivers of poor culture and conduct.
- A lack of communication around how, when and where issues should be escalated could result in a culture where employees do not speak up, or are unsure about what to do when they spot poor behaviour. A lack of timely and appropriate remedial action by management could also foster a poor “speak up” culture.
- A lack of challenge, both from and among the board, as well as from key stakeholders, increases the risk of poor decision making, and corrective action not being taken.
- A lack of clarity on what staff members are responsible for could result in unclear decision making and “passing the buck” when things go wrong.
Culture and governance enforcement
Recent enforcement cases illustrate the FCA’s continued focus on culture and governance, and the types of issues that it has challenged. For example, on 29 May 2019, the FCA fined R Raphael & Sons plc, an independent bank, a total of £775,100 for breaches of Principle 2 (due skill, care and diligence) and Principle 3 (management and control) of the FCA’s Principles for Businesses (the Principles), and related provisions of chapter 8 of the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook. The breaches related to a technology incident in which customers were unable to use prepaid and charge cards. The FCA found, among other things, that the technology incident had resulted from flaws in the firm’s governance of outsourced services and outsource service providers. The Prudential Regulation Authority also fined Raphael over £1 million in connection with this matter.
The FCA’s 29 October 2018 fine of over £5 million on Liberty Mutual Insurance Europe, an insurance underwriter, concerned similar findings in relation to the firm’s oversight of a third-party service provider which, among other things, dealt with complaints handling for the firm.
On 30 July 2019, the FCA fined Standard Life Assurance Limited over £30 million for breaches of Principle 3 (management and control) and Principle 6 (customers’ interests) in connection with shortcomings in the firm’s sale of annuities to certain non-advised customers. The FCA found, among other things, that Standard Life had failed to put in place adequate systems and controls to mitigate the risk that its financial interests were prioritised above fair customer outcomes and to monitor the quality of calls between its call handlers and non-advised customers. In addition, insufficient management information was produced to enable the firm’s senior management to identify relevant failings.
On 13 May 2019, the Upper Tribunal found that Mr Andrew Tinney, a former Chief Operating Officer of the Wealth and Investment Management (Wealth) division of Barclays Bank plc, had failed to act with integrity in breach of Statement of Principle 1 ( UKUT 0227 (TCC)). Mr Tinney had received a document from an external consultancy firm which contained critical findings about the culture within a US branch of Wealth. The Upper Tribunal concluded that, when drafting a note to be sent to Barclays’ senior management in response to an anonymous email alleging that a “Wealth cultural audit report” had been suppressed, Mr Tinney had been reckless as to whether the note would give the impression that the document did not exist and whether it would provide accurate information about the involvement of the consultancy in the cultural audit. This decision underlines the need for internal transparency, especially with senior management, when dealing with potential issues raised regarding a firm’s culture.
In order to meet their regulatory reporting requirements, firms must have in place a robust reporting infrastructure of policies, processes, systems and controls. Regulators are demanding greater accuracy, alignment and consistency in regulatory filings data. Among other issues, firms may have:
- Inadequate or ineffective systems and controls as a result of: poor governance over regulatory reporting; a lack of ongoing testing and monitoring; and poor quality technology infrastructure or processes.
- Weak and poorly articulated processes so that staff cannot clearly understand when regulatory reporting issues should be escalated, and to whom. Firm cultures can also sometimes compromise the effectiveness of processes if the right expectations are not embedded throughout the organisation.
- A tick-box approach to compliance, which runs the risk of gaps in their reporting. Regulators are shifting their focus to obtaining meaningful data assurance, so firms must also shift their approach.
- Inadequate monitoring of the completeness, accuracy and timeliness of reporting, preventing them from taking corrective action.
- Insufficient record-keeping, which limits the firm’s, and regulators’, access to key information to monitor compliance and keep track of key decision making, as well as retain corporate knowledge when individuals leave the firm.
- Inadequate investment and implementation of digital regulatory reporting tools that could otherwise: reduce errors, operational costs, and the volume and frequency of reporting; and increase the transparency and visibility of data.
Regulatory reporting enforcement
The FCA has emphasised the importance of effective systems and controls, and has shown that it will take action for failings even if no misconduct or detriment has occurred. This clearly demonstrates the need for firms to get their regulatory reporting right first time, and the potential consequences if they do not.
On 28 March 2019, the FCA fined Goldman Sachs International (Goldman) over £34 million in connection with breaches of relevant provisions of Supervision Manual (SUP) 15 and 17, and Principle 3 (management and control). During a ten-year period, Goldman had failed to report accurately over 204 million transactions in accordance with SUP 17.4.1 EU and an estimated 9.5 million transactions in accordance with SUP 17.1.4R. The FCA found that the firm had failed to organise and control its affairs responsibly with adequate risk management systems in relation to its compliance with the FCA’s transaction reporting requirements implemented in accordance with the Markets in Financial Instruments Directive (2004/39/EC) (MiFID). Among other things, Goldman had failed to take reasonable care to ensure that it had sufficiently comprehensive controls and processes to detect or prevent transaction reporting errors on a timely basis, and to maintain the accuracy and completeness of relevant counterparty reference data.
A fine of over £27 million that the FCA imposed on UBS AG on 19 March 2019 concerned similar issues. The FCA found that UBS had breached various provisions of SUP 15 and 17, and Principle 3 (management and control) in connection with its failure to, among other things, have in place adequate systems and controls to manage changes affecting transaction reporting processes, and to undertake adequate testing to ensure the completeness and accuracy of transaction reports.
On 29 April 2019, the FCA fined Linear Investments Limited (Linear), a firm offering brokerage services, £409,300 for breaches of Principle 3 (management and control). The FCA found that Linear had failed to maintain an appropriate control environment to detect and report potential instances of market abuse. Among other things, Linear had only a limited manual oversight process in place internally and had relied on post-trade surveillance undertaken by brokers. When Linear’s business model changed and the volume of trading processed by the firm increased significantly, it had failed to adapt its systems and controls sufficiently quickly and effectively to ensure that it had adequate arrangements in place to identify potential market abuse.
Looking to the future
The FCA has consistently stressed that firms must take reasonable steps to ensure that they have systems and controls in place that are tailored to their activities and designed to ensure accurate and complete data reporting. For example, Market Watch 59, published in April 2019, focuses almost entirely on recurring reporting errors under the Markets in Financial Instruments Regulation (600/2014/EU) and the importance of complete and accurate transaction reports. The FCA also highlights the fact that it has publicised enforcement actions taken by it in relation to other firms’ governance and reporting failings, which firms should use as learning points. Firms are expected to take the opportunity to ensure that they can fully detail their activities and are regularly checking their systems and controls so that any problems are detected and remedied promptly.
n practice, a strong focus on governance, regulatory reporting and individual accountability, together with increasing financial penalties, means that the onus will largely be on the board and senior managers of a firm to drive better behaviour and conduct throughout the organisation.
Training and competence
With the increasing complexity of regulatory reporting, firms should place great importance on developing and maintaining effective employee training and competence arrangements. There is likely to be an increased demand for more specialised skill sets to provide specific analysis, end-to-end implementation and test cycles. Firms should guard against:
- A lack in quality and frequency for specific role-based training; for example, some smaller firms are only beginning to source and train personnel to meet these needs as the market develops.
- A failure to keep up with industry knowledge through information sharing, such as through industry working groups and trade associations, which may cost firms down the road.
- Poor record-keeping, which may result in firms repeating past mistakes. It can also mean that firms lack clarity on what competencies an individual needs for a particular role and how that individual has demonstrated those competencies.
On 13 March 2019, the Financial Conduct Authority (FCA) took into account inadequate training of staff in its decision to fine The Carphone Warehouse Limited over £29 million for, among other things, breaching Principle 3 (management and control) and Principle 9 (customers: relationships of trust) of the FCA’s Principles for Business. The FCA found that the firm’s training of sales consultants was inadequate to equip them properly to give suitable advice to customers.
This article first appeared in the November 2019 issue of PLC Magazine.