Recent regulatory activity and enforcement outcomes have highlighted the obligations on auditors to make reports to regulators in certain circumstances. Given the web of relevant provisions, the number of bodies potentially requiring notification, the client confidentiality overlay and the pressures to which busy professionals are subject, keeping track of who should say what to whom in the context of the audit can be challenging and decisions on reporting (or not) may require careful judgment, a robust support framework and a clear audit trail. Questions may be asked in the context of enquiries and investigations long after the event (and sometimes with the benefit of hindsight) when memories of what was known to whom and when will have faded.
We set out below (1) a ‘Quick Reference Guide’ to serve as a high level checklist for auditors to have front of mind with regard to their reporting obligations when carrying out audits of regulated firms; (2) potential red flags that might trigger an obligation to report to one or more regulators; and (3) some considerations to bear in mind when determining whether to report. Many scenarios will not be straightforward, so this high level guidance is intended to act as a reminder and prompt so that specialist advice can be sought where appropriate.
1. Auditors’ reporting obligations: Quick Reference Guide
- Do you need to make a SAR? Under the Proceeds of Crime Act 2002 (‘POCA’) auditors may commit an offence if, in the case of the Money Laundering Reporting Officer (‘MLRO’), they fail to submit a Suspicious Activity Report (‘SAR’) to the National Crime Agency (‘NCA’), or, in the case of any other auditor, they fail to report a suspicion to the MLRO, where (1) they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is involved in money laundering or terrorist financing, (2) the information on which their knowledge or suspicion is based, or which gives reasonable grounds for such knowledge or suspicion, came to them in the course of business in the regulated sector, and (3) they can identify, or the information they have may assist in identifying, the person suspected of money laundering or the whereabouts of the laundered property. The threshold for reporting a suspicion is low and fact specific. The test involves asking not just whether you have a suspicion (the subjective test) but whether you ought to have had one (the objective test). Our ‘red flags’ list below might assist firms and individuals in considering whether submitting a SAR might be appropriate.
- Are you under an obligation to report to the FCA? Depending on the circumstances, auditors may have an obligation to report to the FCA pursuant to Principle 11, SUP 15 and/or the FSMA 2000 (Communications by Auditors) Regulations 2001 (the 2001 Regulations), as well as having personal obligations to report where they are subject to the FCA’s COCON rules:
(i) Principle 11 requires that an audit firm which is authorised must, as with any other authorised firm, “deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice”; this may include matters in respect of both regulated and unregulated activities. Chapter 15 of the FCA’s Supervision Handbook (SUP 15) sets out rules and guidance on the matters which a firm must or should consider self-reporting in accordance with Principle 11. Because these obligations relate to self-reporting, they are less likely to be triggered by an audit of a regulated entity, but consideration should still be given to the potential impact on the auditor, for example a matter that could have a significant adverse effect on the auditing firm’s own reputation.
(ii) The 2001 Regulations impose an obligation on auditors of authorised firms who are or were appointed as a result of a statutory provision to report to the FCA if, in summary, one of the following tests is satisfied:
- the “Relevant Requirement Test”, which requires that there is (or may be) or has (or may have) been (a) a contravention of a “relevant requirement” (which includes any breach of requirements relating to the firm’s permission to conduct regulated activity, and also any criminal offence that could be prosecuted by the FCA or PRA, such as insider dealing), and (b) that the contravention may be of “material significance” to the exercise of the FCA’s functions in relation to the audited entity; or
- the “Threshold Conditions Test” which requires that the auditing firm has information of material significance to the FCA’s determination of whether the audited firm continues to satisfy the Threshold Conditions.
For the purposes of both the Relevant Requirement Test and the Threshold Conditions Test, the FRC’s International Standard on Auditing (UK) 250 (Section B, which deals with the auditor’s statutory right and duty to report to regulators) provides some guidance on determining whether a matter might be of “material significance” to the relevant regulator, in particular highlighting that the phrase does not have the same meaning as materiality in the context of the audit of financial statements. The FRC also provides examples of “relevant requirements” and of matters of concern which require “particularly close consideration” when assessing whether a duty to report potentially arises. The duty to report may arise where there may have been a rule breach by the firm, or where matters arise that may have a detrimental effect on the firm’s fitness and propriety, such as serious misconduct committed by senior individuals.
(iii) Individual Conduct Rule 3 requires that senior managers and employees subject to the FCA’s COCON rules must be open and cooperative with the FCA, PRA and other regulators. Auditors should therefore be mindful of their personal responsibilities to the regulator when carrying out audits and considering any potential ‘red flags’ which might give rise to reporting obligations.
- Do you have any other external reporting obligations? For example, the FRC’s International Standard on Auditing (UK) 250 (as revised) provides that if the auditor has identified or suspects non-compliance with laws and regulations, the auditor must determine whether law, regulation or relevant ethical requirements require the auditor to report to an appropriate authority outside the entity. For an audit of a public interest entity, where the entity does not go on to investigate the matter the auditor has raised with it (and where reporting is permissible), the auditor must inform the authorities responsible for investigating such irregularities. Appropriate authorities outside the entity might include, for example, the SFO, the CPS, the police, the FCA, the PRA, OFSI, the Takeover Panel, Lloyd’s and/or HMRC.
2. Potential ‘red flag’ indicators
Potential red flag indicators that might give rise to the above reporting obligations include:
- A transaction in connection with an audited firm becomes the subject of an FCA or other formal enquiry or investigation.
- Unexpected complexity and risk in conducting the audit by comparison to initial expectations when scoping and agreeing the engagement.
- Unusually obstructive behaviour by the client firm resulting in serious delays or inability to obtain the information required (contrary to expectations).
- Unreasonable pressure from the client to complete the audit whilst basic or significant information remains outstanding.
- An auditor becomes aware of information indicating an individual may have committed a criminal offence, for example in connection with a share transaction.
- The behaviour of senior individuals at the client firm gives rise to concern regarding their integrity or competence to conduct the business for which they are responsible.
- Significant discrepancies in documents provided or between internal documents and market facing materials.
- IT systems failures or weaknesses that cause, or risk causing, significant detriment to the firm’s operational resilience, the business, its employees and/or its customers.
- Lack of access to certain employees or information being funnelled through one individual or a small group of individuals without good reason.
- Indications of a lack of knowledge, skills and/or experience among the staff who manage the affairs of the business, such that the firm’s ability to meet the “fit and proper” test relevant to the suitability threshold condition might be affected.
- Multiple instances that individually may not give rise to a red flag but collectively might be considered particularly serious.
3. Considerations to bear in mind when determining whether and what to report
Auditors should consider their internal governance, including how they manage internal communications between colleagues when conducting an audit of a regulated firm, as some communications may become disclosable to a regulator or other third party, for example in the event of an investigation or in the context of litigation. Additional care may therefore be needed when determining whether and what to report. Points to bear in mind include:
- Legal privilege: Confidential communications between external or internal legal counsel and members of the audit team for the purposes of seeking or giving legal advice (for example in relation to concerns raised during the audit or suspicions relating to potential financial crime) may be legally privileged and protected from disclosure.
- Loss of privilege: The protection afforded to privileged communications may be lost in certain circumstances, such as where they are circulated too widely, so think carefully about who is included in communications and be particularly alive to the risks of forwarding emails.
- Record-keeping: Ensure that clear records are made of decision-making, such as whether to make a report, including with regards to the information available and the factors taken into account. It can be difficult to reconstruct after the event the rationale for steps taken or, importantly, not taken.
- Tipping off and prejudicing an investigation: Two key offences under POCA that apply to persons in the UK regulated sector are ‘tipping off’ and ‘prejudicing an investigation’. The first relates to disclosing that a SAR has been made (or information about that report); the second relates to disclosing that an investigation is being contemplated or carried out. Where there are concerns around money laundering, communications with the client (i.e. the firm being audited) must be approached with caution.
- Internal policies: Ensure actions are consistent with internal policy and procedure.
- Seek advice: In case of doubt seek advice from relevant in-house professionals and consider whether external advice would be appropriate.
We provide support to advisers and service providers in navigating their professional and regulatory obligations so please get in touch if you would like to discuss.