Covid-19 has brought challenges across all businesses, whether large or small, and in all sectors. Regulators are no exception: there was a noticeable hiatus or slowdown in Financial Conduct Authority (FCA) enforcement activity (bar urgent matters) from March 2020 through to the end of the summer, no doubt as the FCA sought to focus on the priorities raised by the impact of the virus, as well as its own internal challenges in dealing with the same.
There has been a significant uptick in activity from September 2020 onwards, however, with the FCA now seeking to recover ground and produce finalised outcomes, before their year-end at the end of March, close to matching in number those of the prior year. In this article, we look at the FCA's enforcement activity over the past 18 months or so and identify the emerging trends from the FCA's current focus.
The 2020/2021 year so far
Since 1 April 2020, the FCA has issued so far in the 2020/2021 year around 150 Final Notices imposing fines in 12 cases (nine firms and three individuals) totalling around £241m. Of those fines, the largest (around £97m from the FCA and the Prudential Regulation Authority combined) was imposed on Goldman Sachs for risk management failures as the arranger, initial purchaser and underwriter of Malaysian bond transactions. These figures compare with the total of around 210 Final Notices in 2019/2020, imposing fines in 15 cases (12 firms and 3 individuals) totalling £224m.
These data show that, while the number of FCA Final Notices so far this year are not as many as for 2019/2020, the FCA has already issued more Final Notices imposing penalties and of a higher overall total penalty sum this year than those imposed for the whole 2019/2020 year.
Enforcement themes and trends
From a review of the FCA Final Notices over the past 18 months or so, six main themes have emerged. None of these are new, indicating that the FCA remains concerned that its credible deterrence is still not driving home the changes in behaviour that it expects, meaning that further action by it is required. Those recurring themes are:
- treating customers fairly;
- risk management;
- anti-money laundering;
- client money and assets / safeguarding;
- market disclosures; and
- market abuse and other market misconduct.
Treating customers fairly
Enshrined in Principle 6 of the FCA's Principles for Business and the regulators's treating customers fairly (TCF) outcomes, this continues to be a significant focus for the FCA, justifying substantial penalties where it considers that failings have occurred. TCF failures can occur at the start of the customer journey or during the customer relationship.
There have been four recent cases of TCF failures at the start of the customer journey, namely:
- Product sales. Standard Life Assurance and Prudential Assurance Company were fined £30.8m and £23.9m respectively for selling non-advised annuities without effective systems and controls to ensure that customers were informed in a clear, fair and not misleading way that they may be able to get a better annuity rate; for example, if they were eligible for an enhanced annuity, on the open market. The FCA took into account that both firms voluntarily agreed to conduct past business reviews of non-advised annuities in order to provide redress for any customers who may have suffered loss; and
- Product advice. The Financial Page group of companies and five individuals (although references to the Upper Tribunal are pending) were fined a combined total of £2.2m for outsourcing their SIPP (self-invested personal pension) switching advisory service without proper supervision (and without having regulatory permission to provide pension transfer advice). Also in the context of SIPP transfers, LJ Financial Planning was fined £108,000 for limiting its advice to the suitability of the SIPP wrapper, without providing any advice (nor considering) the suitability of the underlying investments within that SIPP wrapper. The FCA also found that both the Financial Page group of companies and LJ Financial Planning had failed properly to manage conflicts of interest by, respectively, customers investing in investments or transferring their pensions to SIPP wrap platform providers, in which they, or their employees or outsourced providers had financial interests.
There have, in addition, been recent cases of TCF failures during the customer relationship:
- As part of its consumer protection and competition objectives, the FCA has been looking at how UK funds charge for their fund management activities. In particular, the regulator has been looking closely at what it terms "closet tracker" or "closet index" funds. These are funds that look like and charge fees similar to active funds, but are managed in a way that is more similar to passive funds, which traditionally attract a much lower fee. The FCA has previously reminded the industry that firms are required to communicate fund investment objectives and policies in a fair, clear and not misleading way and has conducted reviews of a sample of funds in the market and worked with the industry to make voluntary redress payments where appropriate. The FCA has, now, issued its first enforcement outcome as a result of those reviews. Henderson Investment Funds Limited has been fined £1.9m for its inadvertent failure to reduce its fees for retail investors, when it reduced the level of active management of its funds (and reduced its fees for its institutional investors).
- Treatment of customers in financial difficulty. The FCA has been looking closely for some time at firms' treatment of customers in financial difficulty. With the challenges imposed on consumers and businesses as a result of the Covid-19 pandemic and the clear guidance that the FCA promptly issued when the pandemic struck (and continues to issue) that lenders must treat borrowers in financial distress as a result of Covid-19 with forbearance, we can only assume that more enforcement action in this area will follow. Of the three recent fines imposed by the FCA in this area (all relating to failures pre-Covid), the harshest fine was imposed on the Lloyds Banking Group of £64m for its perceived failures in its historical treatment of mortgage customers in payment difficulties or arrears. Fines were issued for similar perceived failings of Barclays (£26m) and Moneybarn (£2.7m) for, respectively, their perceived insufficient consumer credit and loan recovery forbearance. Again, the FCA reiterated the importance of those engaging with borrowers in financial difficulties or arrears truly understanding their customers' unique personal circumstances, including what they can truly afford to repay and when and whether they are vulnerable customers. For all three firms, significant back-book redress exercises were undertaken, in addition to receiving financial penalties, to compensate customers who may have suffered loss.
Principle 3 of the FCA regime requires a firm to take reasonable care to organise and controls its affairs responsibly and effectively, with adequate risk management systems. The PRA has a similar Fundamental Rule 5. What can amount to adequate risk management systems – or, more importantly, a failure to have adequate risk management systems – is one of the regulators' favourite tools to assess regulatory compliance where something goes wrong. And in those circumstances, it is very easy to apply hindsight: something has gone wrong, so there must have been inadequate systems and controls, including risk management systems, to prevent the situation from arising.
Inadequate risk management systems have led to substantial fines in two recent cases. The first (involving penalties from both the FCA and the PRA totalling £1.9m) was in the context of the FCA's continued focus on the effectiveness of outsourcing arrangements. The FCA's rules are clear that, where the outsourcing of regulatory functions to third parties occurs, then the regulated entity retains regulatory responsibility for any breaches in the performance of those regulatory functions.
The Final Notices issued by the FCA and the PRA to Raphael & Sons Plc makes it clear that, where there is an issue with an outsourced service provider that does not otherwise amount to a regulatory rule breach, the regulators will seek to hold the outsourcer responsible for inadequate risk management systems. The rationale being that, if there is an issue with an outsourced service provider, then the risk of that issue occurring should have been managed and overseen by the regulated entity and systems been put in place to manage that risk (should that risk eventuate).
That was precisely the issue faced by Raphael & Sons, which had outsourced services critical to the operation of its prepaid cards and charge cards to third parties, including the processing of payment transaction requests. Unfortunately, the card processor suffered a technology incident, which meant that a significant number of Raphael's payment cardholders were unable to use their cards to make payments. The timing was particularly unfortunate as the outage occurred on Christmas Eve. The FCA and PRA did not hold Raphael responsible for the IT incident itself. But the regulators considered that it should have ensured that the card processor had adequate business continuity and disaster recovery arrangements in place – or at least assessed whether what was in place was within its own risk appetite and tolerance levels to make outsourcing appropriate.
The second recent FCA enforcement action in the context of risk management systems was the total £97m fine cumulatively imposed by the FCA and the PRA on Goldman Sachs as the arranger, initial purchaser and underwriter of Malaysian bond transactions. The company, the subject of the bonds, was at the centre of allegations of embezzlement. There was no suggestion that Goldman Sachs had any knowledge of or involvement in the fraud itself. Instead, the regulators looked closely at the processes by which Goldman Sachs took on its role in the bond transactions, given they involved clients and counterparties in jurisdictions with higher financial crime risk, and determined that they did not go far enough to manage that risk.
Central to the adequacy of any risk management systems is the FCA's continuing focus on anti-money laundering (AML) compliance, in the fight to combat financial crime and the FCA's operational objective of protecting and enhancing the integrity of the UK financial system. When the FCA identifies any weaknesses in a firm's AML due diligence and monitoring procedures, it will take action, even where no actual money laundering is identified. Skilled persons are often appointed (under s166 Financial Services and Markets Act 2000) to review a firms' AML procedures and report to the FCA.
A backlog of checks due to staffing shortages, however this is caused, is no excuse. The main failing identified by the FCA, leading to the £38m fine against Commerzbank, was not the firm's AML client take-on processes themselves, but the significant backlog of existing clients being subject to timely refreshed know-your-customer checks. This was the case even though Commerzbank itself identified and went about increasing staff in this area. The FCA considered that the measures were taken too late and effected too slowly.
Client money and assets, and safeguarding
The protection of client money and assets has been a focus of the FCA for a number of years now, with the regulator increasingly impatient at continued issues found in the industry. The latest casualty is Charles Schwab UK, which was fined a total of £9m for its outsourcing of the firm's safeguarding services, including record keeping and reconciliation, to its US parent. The FCA considered that that did not comply with the CASS (Client-Assets Sourcebook) rules or its Principle 10.
The fundamental issue here was that the arrangements were such that the UK business' transaction records and reconciliations were the same as the US parent's transaction records and reconciliations and not separately done for and held by the UK entity. Equally, the UK client money and the US client money were held in one pool and not separated between different accounts – and the firm did not have a CASS resolution pack during part of the period the subject of the FCA's action.
The FCA's concern was that, in the event of the UK firm's insolvency, the appointed insolvency practitioner would need to obtain those books and records from the third-party US parent, would not be able easily to identify the client assets and client money owing to the UK firm's customers, and would not be able easily to access those funds. This concern is consistent with the FCA's current work with payment services and e-money firms to develop wind-down plans (similar to CASS resolution packs) in an effort to streamline the identification and payment out of safeguarded funds by an insolvency practitioner in the event of a firm's insolvency.
Although not subject to the same detailed rules as CASS, the safeguarding of customer funds by payment services providers and e-money issuers is starting to go down the same route. The Final Notice issued to Premier FX (although no fine was ultimately imposed due to the firm's insolvency), together with the "Dear CEO" letter issued to issuers and acquirers in July 2019, shows that the FCA is seeking significantly further to improve standards in this area. Further enforcement action can only follow.
One of the other areas where we are likely to see increased enforcement action, given the impact of the Covid-19 pandemic on most businesses, is in the context of listed companies disclosing material changes in financial performance. While the change in financial performance was not Covid‑related, the FCA recently fined Cathay International and two individuals a total of £665,000 for their delay in disclosing a material change in the company's financial performance (as well as providing inaccurate information to the FCA about their forecasting procedures in breach of Principle 11).
And it is not just financial performance disclosures that are in focus. We have seen an uptick in the FCA issuing information requests concerning share dealing, which may or may not indicate regulatory breaches, that it has picked up using its market monitoring capabilities. Where inappropriate behaviour is identified (even if not market abuse but only non-compliance with regulatory disclosure obligations), then enforcement action is clear to follow.
Recent examples of the FCA's activities in this area include Asia Research and Capital Management, which was fined £873,000 for its short selling disclosure failures, and £45,000 for an individual who failed to comply with their obligations under the Persons Discharging Managerial Responsibilities notification regime.
Market abuse and misconduct
And, if the FCA picks up any actual market abuse or other market manipulation (for example, via its in‑house market surveillance algorithm system, which the FCA has described as "a source of regulatory sunshine"), one can be sure that the FCA will take action – criminal if it can. There have been a number of enforcement actions finalised in this space during the Covid-19 pandemic, including fines for washing (£15.4m for Tullet Prebon and £52,500 for an individual), printing (£3.4m for TFS-ICAP) as well as the more traditional forms of market manipulation (for example, spoofing) for profit. These are in addition to the public censure for Redcentric (which also secured a compensation agreement for members who were impacted by the false and misleading statements about the company's financial position, and in respect of which criminal charges against 3 former directors are pending) and the ongoing investigation into Carillion and three of its former directors.
Osborne Clarke comment
Whatever hiatus or slowdown in FCA enforcement activity there might have been early on in the pandemic, the FCA is certainly picking up its tools again. Businesses may well have struggled financially or operationally with the pandemic, supervision and control over employees may have been more difficult with remote working, and the FCA may well have focussed on supporting firms to minimise the risk of failure and the impact of that on markets and consumers. But we can be sure that, with the vaccine roll-out and the hope we all hold of getting back to some form of normality soon, the FCA will not show any let up or leniency towards inappropriate behaviour that comes to light.