A snapshot from last year

2024 was a year that started with a bang when in February the FCA announced a shift in its approach to enforcement policy which included its name and shame proposal. This proposal created waves throughout the industry and, unusually, also in government.  As the year came to a close, a revised version of the proposal was published and the consultation on what might be the final shape of that remains open until the early part of 2025. While we wait on the FCA’s final decisions on what ‘name and shame’ will look like, it is possible to observe that there has been a distinct change of emphasis and perspective from the regulator’s enforcement team over the course of the last 18 months or so. 

Fewer formal investigations, more early interventions

Notably, fewer enforcement investigations are being opened and more use is being made of early intervention style supervisory tools such as voluntary requirements and skilled person (or section 166) reviews. While it is likely that Southwark Crown Court will remain a busy hub for FCA actions against those it suspects of offences such as insider dealing, misusing inside information, and ‘finfluencing’ without the right authorisations, it is also likely that we will see a continued overarching focus from the regulator on failures in relation to the requirement for firms to take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems.  Failings against this foundational requirement often give rise to consequential failings relating to financial crime, failings in the integrity of key individuals and the non-financial conduct of individuals, and a failure to deliver good outcomes for consumers.

Educational messages

With the key regulatory objective of the value of enforcement decisions in delivering educational messages to the markets in mind, I have looked through some of last year’s most significant enforcement outcomes and turned some of the findings into practical hints and tips. It is a clear expectation of the regulator that Decision Notices and other educational messages that it delivers to the market are used by firms as tools of reflection and self-correction. With no names mentioned, I have organised some of the key messages around these central themes:

  • governance and oversight;
  • financial crime; and
  • consumer duty.

Hints and tips

Governance and oversight:

  • Know your regulatory landscape: Understand the firm’s business and the range of different rules and requirements that might be applicable to it. This might include not just the FCA’s Handbook, but other rules and requirements such as those relating to market abuse, listings, money laundering, financial sanctions, and the requirements of company law. Be sure to understand, consider and comply with all of that which applies to a firm’s business.

 

  • Experience: Ensure that senior management have the relevant skills, experience and capability. Without the requisite experience a senior management team risks failing to implement control frameworks correctly or effectively and to understand the seriousness of non-compliance.

 

  • Delegation: Ensure that persons to whom decision-making authority is delegated (which may include committees or senior managers) are acting in accordance with delegated responsibilities. It is a risk that failures or non-compliant behaviours, for example of executives, could be attributed to the board.

 

  • Enabling properly informed decisions: Provide all the management information (MI) necessary to enable the making of properly informed decisions. Do not ignore or try to hide or conceal material or otherwise highly relevant information in the context of any decision making (including board or shareholder decision making). The outcome of any related decisions could be regarded as misleading, the content of relevant documents to have been misleading, false or deceptive, and relevant persons (perhaps shareholders, the regulators, or the markets more widely) to have been misled.

 

  • Clear reporting lines: Have clear roles and responsibilities around all policies, processes and controls, document them carefully and ensure consistent understanding of them throughout the firm. Ensure that those who have responsibility are identifiable and that they receive appropriate MI to be able to perform their roles and duties effectively.

 

  • Mind the gap: When reviewing policies and procedures look out for gaps, weaknesses and inconsistencies that could make them unclear and / or difficult for staff to follow. Keep policies and procedures as clear and consistent as possible and ensure that staff are trained on and able to use them correctly. Shortcomings in policies, procedures, process maps and the like, can easily lead to both human and systems errors down the line.

 

  • Listen to staff at all levels: It is possible that junior staff can recognise and understand risks, and these should, if noticed, be effectively communicated to more senior levels for investigation and rectification as appropriate. Where junior members of staff have recognised and sought to escalate concerns and risks to more senior levels these should be investigated and appropriately dealt with.

 

  • Instructing external lawyers: For external legal advice to be deemed as properly given advice it is vital to ensure that any external lawyers have been fully informed with complete and accurate information. Instructions to counsel should comprehensively detail and refer to all material and relevant facts and information. Without this evidence, it is possible that any suggestions that external legal advice has been relied upon by the board will fail. 

 

  • Understand how things work: Systems and technology in use by a firm, and that would include AI going forward, should be understood by the firm, both in terms of workings and in terms of output. Insufficient understanding is likely to lead to significant issues arising. Specific care is needed around certain technologies which can bring significant benefits but also amplify certain risks, some of which have the potential for market wide implications. These technologies need to have appropriate, business suitable, systems and controls around them to ensure that errors are recognised, understood and managed.

 

  • Making analytical analysis: When making assessments or analyses, make them fully, systematically, and coherently. And, importantly, document them.

 

  • Keeping records: It is important to maintain full, accurate and up-to-date records. A lack of records could render a firm’s efforts to comply with regulatory requirements ineffective and could support a conclusion that there have been failures to take reasonable care to comply with applicable regulatory obligations.

 

  • Integrity: Integrity is important. Failures to comply with regulatory obligations that involve a lack of integrity are likely to attract a higher level of financial penalty to maximise deterrent effect. Certain regulatory requirements positively mandate integrity. 

 

  • Grow, grow, grow: Growth is fantastic but if a firm is growing fast then it must make sure that its policies, procedures and controls grow and adapt with it. If a firm is unable to align its control frameworks with a growing business, then it could face voluntary requirements, for example a requirement not to take on any new business, until its controls have been appropriately improved and are fit for purpose.

Financial crime:

  • Robust frameworks: Anti-money laundering frameworks must be robust in their compliance with applicable regulations. Effective formal procedures will be required for checking and monitoring the completeness and accuracy of data feeds and reconciliations. Review processes will need to be regular and thorough. Oversight of these frameworks must be similarly robust and any deficiencies that are observed should be remedied within acceptable time frames.

 

  • Know your risks: Significant advantages, such as faster onboarding processes, can come with higher risks. A firm must understand the flip-side of its attractions and these could be risks which require additional controls to be applied to them. An inadequate assessment of risk will likely lead to inadequate policies, procedures and controls.

 

  • Check for adequacy: Have good systems in place for checking and testing that systems and controls are working as well as they should be. Failures to check and monitor can allow issues to run on for lengthy periods of time before they are detected and might indicate wider failings. Relevant monitoring must occur at suitably regular intervals.

 

  • Good MI: Appropriate MI should be generated and recorded to support systems and controls, and any exceptions arising, that are in place. Without adequate systems and controls, substantial and lengthy remediation programmes are likely to become necessary.

 

  • Don’t delay: Deficiencies, inadequacies or errors that go unnoticed or unremedied for lengthy periods risk allowing potentially significant numbers of transactions to go missed and/or unmonitored and are indicative of systemic weaknesses in a firm’s policies, procedures and controls.

 

  • Remediation: Any errors, failures or issues flagged up by monitoring systems should be subject to effective review, investigation and efficient remedy. Actions should be comprehensively tracked and followed to completion. Delays in effecting fixes and resulting backlogs will likely increase the possibility of a firm being used for the purposes of financial crime.

Consumer Duty:

  • Value: When looking at costs and fees, make a full, clear and documented assessment of how they will be justified. Consider whether the costs or fees, are fully justified in the context of the value expected from the related goods or services and these goods and / or services are genuine and valuable. Keep clear and current records of goods and services provided and value received.

 

  • Vulnerability: Firms should implement vulnerability policies, procedures and controls to ensure that vulnerable customers are provided with the support that they need. Customers with characteristics of vulnerability, which might include financial difficulties, must have due regard paid to their interests and information needs, and be treated fairly, and communicated with in ways that are clear, fair and not misleading. Firms need to understand the nature of vulnerabilities that their customers might have and tailor the support that they offer accordingly. The regulator will not look favourably on poor customer journeys that are to the detriment of customer mental wellbeing, have failed to take account of individual circumstances, have caused distress and upset, have led to customers feeling unsupported, or have caused additional financial concerns or difficulties for customers. Examples of good customer journeys might include the consideration of personal circumstances, a tailored range of solutions which are sustainable for the customer, fees and charges that have been clearly explained and are fair, and reviews of the arrangements put into place to check that they are working.

 

  • Communications: Standard or ‘one-size fits all’ style documentation should be avoided in communications with customers. A firm’s communications with its customers should demonstrate that it has taken adequate steps to understand the individual circumstances of its customers including, for example, financial concerns, relationship issues, bereavement and health issues.  The tone of customer communications is important and should be professional, positive, and should show evidence of appropriate empathy, a willingness to honour agreed actions and to find appropriate solutions.

 

  • Remove requirements that could make things worse: Think carefully about procedural steps that might make things worse for consumer outcomes. There are many notable examples of this in the context of customers in financial difficulty including mandatory payments required to unlock forbearance measures, the application and accrual of interest and arrears payments, the proposal of unsustainable repayment arrangements, and the taking of disproportionately heavy-handed actions (such as default notices and the recording of adverse information on credit records for low arrears balances) in cases where there was room for the rehabilitation of a credit account. Staff incentive schemes that have the wrong focus have also fallen foul of the regulator’s attention. Consider incentivising for example, the obtaining of a full understanding of customer circumstances, in priority to incentivising short calls with customers.

 

  • Staff training:  Deliver thorough, effective, clear and appropriate training to staff at all levels to equip them to engage appropriately with customers, to identify customers who are indicating vulnerability markers, to consistently follow relevant guidance and processes, and to be able to obtain enough information to deal with customers appropriately. A lack of suitable, detailed and specific, staff training is a recognised root cause of poor consumer outcomes.

 

  • Complaints: Identify, record and action customer complaints carefully to ensure that customers are not deprived of regulatory protections which might include the ability to refer a matter to the Financial Ombudsman Service. Ensure that suitable MI is collated on the root causes of complaints so that they can be effectively addressed, and measurable and meaningful improvements can be made to service levels going forward.

 

  • Consider the whole journey: Look at the customer journey holistically and not just single point in time customer interactions.

Key messages about learnings, deterrence and aggravating factors

The regulator expects that firms are reading and learning from educational information such as published final notices and decisions, good and bad practice identification reports, reminders, and sector reviews. These publications are distributed for the purpose of creating a market wide awareness of important issues and often call for firms active within certain markets to make specific improvements. If firms have not read these types of information, and implemented suitable changes into their operations, this will likely be regarded as an aggravating factor in any case where a firm gets into deep water in relation to the same issues that have previously been subject to regulatory scrutiny and had relevant learning disseminated in relation to. 

In terms of positive steps that a firm can make towards creating a robust and favourable compliance history, these are many, and include self-identifying weaknesses, taking steps to proactively remedy deficiencies, and implementing ‘lessons learned’ reviews. Additionally, in cases where issues have been identified and require some form of remedy, there are good tips to be made around early and proactive notifications to the regulator, appointing external consultants or skilled persons to assist with the identification and remedy of issues, effecting fixes and enhancing, complying with voluntary requirements, and proactively implementing customer redress schemes.

Ultimately, the key to success is good oversight, governance and leadership.