We hope you had a lovely festive period and feel ready and energised for 2024. Following December's bumper instalment of SMCR+ View is this bountiful edition to launch the new year! There's a lot to cover including a new Senior Manager enforcement, one FCA and two SRA non-financial misconduct cases which will be of interest to firms, a Dear CEO letter for wealth management and stockbroking firms and Dear Board letters to investment based crowdfunding platforms and peer-to-peer lending platforms, as well as a section on the new Economic Crime and Corporate Transparency Act 2023 given it will be advisable for firms to map their 'senior management' (which unhelpfully doesn't have the same definition as under the SMCR!).
As always, please do reach out with any feedback on how these updates could be made more helpful, and we'll note them down as our New Year's resolutions!
1. PRA - Senior Manager enforcement (yes, another one!)
We have a new SMF-related PRA Final Notice to start off 2024. This Final Notice relates to the former CEO of Wyelands Bank Plc (the Bank), Mr Hunter, who held the SMF 1 (CEO), SMF 2 (CFO) and SMF 4 (CRO) roles; he's been fined approximately £118,808 and was found to have breached the Individual Conduct Rule 2 (due skill, care and diligence), Senior Manager Conduct Rule 1 (control the business of the firm effectively), and Senior Manager Conduct Rule 2 (compliance with the regulatory system). The Bank was also censured in April last year (see here).
The PRA found breaches of the above Conduct Rules because, amongst other things, Mr. Hunter failed to:
- submit certain matters to the Board for consideration and approval as required by the Bank's internal governance framework (Terms of Reference, etc) - showing the importance of drafting these documents carefully and then following them closely;
- verify the accuracy of statements he made to the PRA in letters submitted to the regulator - this has similarities to the Decision Notice of Mr. Staley;
- ensure that responsibilities were clearly apportioned for particular matters; and
- ensure that there were adequate systems and controls in place for particular matters, that certain regulatory returns were submitted to the PRA, and that there was formal/appropriate record keeping as per the Bank's obligations.
Our key takeaways are that (i) as per the Mr Abarca case last year, it was brought by the PRA and not the FCA, (ii) the PRA found a breach of the Conduct Rules, but not the Duty of Responsibility - perhaps indicating the regulators are keener to go for the 'lower hanging fruit' of a Conduct Rule enforcement rather than trying to enforce against the Duty of Responsibility, (iii) it's the first Final Notice in respect of Senior Manager Conduct Rule 1, (iv) the breach of Senior Manager Conduct Rule 2 is in part related to a lack of appropriate records and if you read across to the Wyelands Bank Plc Final Notice this appears to be because of the use of WhatsApp for certain business activities and the firm having no formal record keeping policies or procedures in place to manage/retain such messages, and (v) there are similarities in parts of this to the 2023 Mr. Staley Decision Notice regarding accuracy of communications provided to the regulator (referred to the Upper Tribunal).
Our final takeaway is that Mr. Hunter also undertook not to perform a role for a regulated firm as part of his settlement with the PRA. The penalty was also intriguing - going through its usual process the PRA reached a fine of £108,008 and then increased this by 10% for "deterrence", as if the additional £10,800 would really be enough to make someone more careful; rather, it is perhaps at risk of undermining this otherwise important message.
For more on this please contact Amy Sumaria (Managing Associate) and Thomas Makin (Managing Associate).
2. FCA and Solicitors Regulation Authority (SRA) - non-financial misconduct cases
This week the FCA published a Final Notice in respect of Mr. Paul Ulliott whereby he has been banned from financial services following his conviction for handling stolen goods (including four silver tankers, a pair of swan candlesticks (!), a set of silver salt and pepper shakers, and silver chamber sticks, amongst other things). The FCA determined Mr. Ulliott lacked fitness and propriety and said his conviction "demonstrates a clear and serious lack of honesty and integrity". The FCA noted that they considered (i) the relevance and materiality of the offence and (ii) the severity of the risk posed by Mr. Ulliott to consumers and to confidence in the UK financial system. Mr. Ulliott has not referred this to the Upper Tribunal.
Non-financial misconduct (NFM) also remains a topic of interest for the SRA, as regulator of solicitors in-house, as well as in private practice. This recent case, referred by the SRA to the Solicitors Disciplinary Tribunal (SDT), provides interesting insights into how another regulator is looking at NFM. This is, of course, an area of increasing focus from the FCA with the expected introduction this year of the FCA's final rules and guidance on NFM. In this case it was found that the Respondent breached Principle 2 (act with integrity) and Principle 6 (behave in a way that maintains the trust the public places in you and in the provision of legal services) of the old 2011 SRA rules (updated in 2019), after the Tribunal found a number of allegations to be proved including that the Respondent *slapped and/or touched Person A [a paralegal] on the buttocks and/or stated 'is that sexual harassment?' or words to that effect*. This case involved misconduct both in the office and at the firm's Christmas party (an external venue) but was sufficiently proximate to the individual's practice. The SDT found that the Respondent's conduct was aggravated by the fact the Respondent had taken advantage of his position of seniority and power over the Applicant, who was in a vulnerable position given her age, sex and junior status as a paralegal. These decisions by the SRA and SDT are increasingly common, and this case is one of several recent examples.
Also of interest from the legal profession was this recent case where a partner at a law firm agreed to be removed from the Roll, including for giving his employer misleading information about the nature and extent of his relationship with a colleague. He was found to have breached current SRA Principle 2 (public trust and confidence), Principle 5 (act with integrity) and paragraph 1.4 of the Code of Conduct for Solicitors ("You do not mislead or attempt to mislead your clients, the court or others, either by your own acts or omissions or allowing or being complicit in the acts or omissions of others (including your client)").
On January 17, as part of the Sexism in the City inquiry, FCA CEO Nikhil Rathi gave oral evidence to the Treasury Committee. The transcript isn't available yet but some headlines today suggest that the CEO indicated that ahead of publishing their final rules, the FCA may consider getting firms to notify the FCA of "controversial" NDAs relating to NFM. The transcript is expected next week, so expect to see more in the next edition of SMCR+ View.
If you have any questions on these cases or the FCA's proposed approach to NFM, please contact Andrea Finn (Partner) and Amy Sumaria (Managing Associate) or (in relation to solicitors, including in-house solicitors) Michelle Allison (Managing Associate).
3. FCA - Dear CEO Letter - wealth management and stockbroking firms
In November the FCA published a Dear CEO letter setting out its expectations of, and supervisory priorities for, wealth management and stockbroking firms. Primarily, the letter focused on fighting financial crime and embedding the Consumer Duty. The FCA indicated that this is a higher risk sector of the financial services industry, given the number of consumers and assets under management. We are also aware that the FCA issued certain firms with a request for information at the end of 2023. It follows this Dear CEO letter and is in line with the FCA's statement that their supervision under the Consumer Duty is "shifting to become more assertive, intrusive, proactive and data driven".
The Dear CEO letter outlines the FCA's expectations that firms ensure SMF 16s and SMF 17s have the required experience, skills and independence and are not simply carrying out a tick box compliance exercise or outsourcing responsibility to third parties. We are aware there are related questions to this in the FCA's request for information. Amongst the FCA's detailed Consumer Duty related expectations was the reiteration that embedding the Consumer Duty into the day-to-day culture of the firm must remain a key focus. The letter also flags the FCA's wider expectations for firms in this industry, including D&I and NFM and, particularly, that firms are taking decisive and appropriate action against discrimination, bullying and sexual harassment. We note that the request for information also includes a question on non-financial misconduct.
If you have any questions, particularly around the request for information, then please reach out to Penny Miller (Partner) and Amy Sumaria (Managing Associate). For a deeper-dive on the Consumer Duty you can go to Consumer Duty View here.
4. FCA - Dear Board letters - Loan-based Peer-to-Peer Lending platforms and Investment-based crowdfunding platforms
The FCA published two Dear Board letters on 15 January 2024. One for Loan-based Peer-to-Peer Lending platforms (P2P Firms) and one for Investment-based crowdfunding platforms (Platforms). In both, the FCA are clear that in any future supervisory engagement, they will consider whether the Board and Senior Managers have taken appropriate action in relation to the harms identified. The closing lines of the letters outline Boards' responsibilities for ensuring senior managers are accountable in delivering on the requirement for relevant firms to be compliant with regulatory expectations and requirements. The FCA also state that they will increasingly use data provided through regulatory returns and supplemented by direct information requests and intelligence, to assist in identifying outlier firms that pose a heightened risk of harm.
For both portfolios, the FCA are focusing on financial promotions and the Consumer Duty. Regarding the latter, both letters state that where the FCA see the need to they will intervene assertively. For P2P firms the FCA goes even further and says that they will be confident in using formal tools, for example to restrict business activity and seek redress for investors.
For Investment-based crowdfunding platforms the FCA's focus is on trading venue perimeter guidance, public offer platform, and financial resilience. For P2P Firms the focus is on wind-down plans, their triggers, and liquidity monitoring. In respect of the latter, firms must complete a Self-Certification Attestation (a formal statement that the firm will take, or has taken, any action required by the FCA). This must be signed by the most appropriate senior individual(s) who have the necessary oversight. The FCA are clear that they use attestations to ensure that firms and senior individuals are clearly accountable for taking the required actions. P2P Firms must identify and report to the FCA the accountable senior individuals.
If you have any questions, please contact Amy Sumaria (Managing Associate).
5. Bank of England (BoE) - SMCR for Financial Market Infrastructures?
The BoE has published a 2023 annual report on its supervision of financial market infrastructures (FMIs). The report sets out its supervisory and policy focus over 2023, as well as its future priorities. The BoE confirms that they will take forward work on SMCR for central counterparties (CCPs) and central securities depositories (CSDs), following FSMA 2023 legislating the creation of a high-level framework for SMCR for CCPs and CSDs. However, this would require secondary legislation and the report confirms that HM Treasury is considering the broader SMCR Review/Call for Evidence before taking further action. This reinforces the position we mentioned in December's SMCR+ View.
We are doing a significant amount of work on the SMCR Review/Call for Evidence so please contact Penny Miller (Partner) and Amy Sumaria (Managing Associate) if you'd like to discuss further.
6. FCA - increase in whistleblowing reports for asset managers
Figures reported in the press and apparently released by the FCA via a Freedom of Information Request suggest that the FCA has seen an increase in whistleblowing reports relating to asset managers. The FCA apparently received 172 whistleblows from January to October 2023, a rise from 120 in 2022 and 110 in 2021. Reports of sexual harassment at asset management firms have also increased to 8 in 2023, from none in the preceding two years. Additionally, concerns related to corporate culture have also increased, with 20 reports in 2023, compared to 12 in 2022 and 9 in 2021. Whistleblowing disclosures by asset managers to the FCA have also increased, reaching 71 in 2023, up from 62 in 2022 and 56 in 2021. So it seems things are moving in one direction.
7. Unwrapping the Economic Crime and Corporate Transparency Act
Not a particularly festive gift from the Government, but on Boxing Day (26 December 2023) the senior manager attribution test under the UK's Economic Crime and Corporate Transparency Act 2023 (the Act) came into force. A firm will now commit fraud and other economic crimes if "any senior manager" commits those crimes whilst discharging their role or in the course of work. It's important to note that the definition of "senior manager" under the Act unhelpfully doesn't align with the definition of a senior manager under the SMCR and is broader in its remit, so there is going to be work for SMCR firms in determining who is categorised as a senior manager for these purposes (although there may be scope to borrow from the SMCR also). For non-SMCR firms, the application of the SMCR to firms and the roles it is designed to capture may be a helpful starting point for identifying "senior managers" under the Act.
We are doing a huge amount of work in this space, including helping firms scope their "senior manager" populations, and will be doing a webinar on 6 February 2024 to cover the key requirements of the Act, practical steps firms need to be taking and answering your burning questions.
We are also developing a Toolkit to help guide firms through the additional obligations arising from the Act, which also introduces a new offence of Failure to Prevent Fraud. The Toolkit will contain practical resources, templates, and guidance on how to comply, with a menu including (the following amongst many other things!):
- Senior manager briefing - focused guidance covering key points for Boards and senior managers
- Scoping tool to help you identify your senior managers under the Act - this will be sector-specific
- Training module for senior managers on the new Act (30 mins) - we will prepare a pre-recorded session, or we can deliver it live
- Policy wording - to ensure that your financial crime policies appropriately cover the requirements of the Act
- Standard contractual clauses - to ensure that the requirements of the Act are covered in your contracts with relevant third parties
If you'd like to discuss any of the above in more detail, including the full contents of the Toolkit, please do get in touch with Camilla de Silva (Partner) and Jon Malik (Supervising Associate).
8. PRA sets governance and risk management priorities for International Banks
This month the PRA issued a letter to CEOs of international banks and investment firms, outlining the supervisory priorities for the year ahead. Key priorities outlined in the letter are broken down into four areas: risk management and controls, financial resilience, operational resilience and data risk.
Of interest are the opening paragraphs of the letter, which underscore the importance of robust governance, risk management, and controls to navigate the increasingly complex financial landscape. The PRA calls for a proactive approach to risk identification and mitigation, emphasizing the need for a sound risk culture, diversity and inclusion, and strong succession planning. In particular, the PRA state that Senior Managers must continue to lead the risk culture of firms - they and Boards must continuously challenge current thinking and understand that previously improbable events could be possible. They reference firms considering novel risks from the growing use of "new technologies" (think AI - an area where we are doing a lot of work and would be happy to discuss the governance related considerations).
If you'd like to discuss, please contact Penny Miller (Partner) and Amy Sumaria (Managing Associate).
9. DSAR and FOI requests - a strategy for managing regulatory disclosures and protecting personal data
We have heard about a number of issues arising in respect of Data Subject Access Requests (DSARs) and Freedom of Information (FOI) requests submitted to the PRA and FCA, which is particularly concerning when they involve personal data shared by firms. Perhaps you have had direct experience of former or current employees submitting DSARs to the regulators, which may have caused issues? This is an area which we believe requires consideration in the context of sharing information with the regulators and we would welcome the opportunity to discuss with firms.
We are in the process of drafting and submitting a Freedom of Information Request to better understand the scope of DSARs received by the FCA and PRA.
If you have experience of information being released by the FCA or PRA in response to a DSAR or FOI, or would like to discuss this issue further then please let me (Amy Sumaria (Managing Associate)) know. Whilst firms have limited control over the regulator's disclosure decisions, we consider that there are internal measures which can be taken to best protect the firm.
10. FINMA - Report calls for enhanced executive accountability and proposes a senior managers regime
Following events relating to Credit Suisse last year, the Swiss Financial Market Supervisory Authority (FINMA) has called for the establishment of a senior managers regime to enhance personal accountability among executives. FINMA previously raised the issue in March 2023 and has more recently highlighted the limitations of its current supervisory capabilities in a report published December 2023 which advocated for expanded powers including the ability to impose fines and publish enforcement proceedings regularly. The report outlines how, despite using all the tools in its arsenal, FINMA could not rectify the strategic and risk management deficiencies of Credit Suisse. The proposal of a senior managers regime, akin to the UK's SMCR, would clearly allocate responsibilities and allow for direct and swift action in relation to senior individuals. FINMA has also suggested that such a regime could serve as a deterrent against misconduct and facilitate the imposition of targeted sanctions.
From the UK regulators' perspective, this report adds to the PRA's sentiment that the SMCR is praised abroad (see here).
If you have any questions, please reach out to Andrea Finn (Partner) and Amy Sumaria (Managing Associate).
11. FCA - Consultation Paper - Payments to data providers and forms for Data Reporting Services Providers including Policy Statement for the framework for UK consolidated tape
The FCA published this Consultation Paper in December - see the heading of this section for the name of the paper (it's too catchy to repeat...). The paper summarises the feedback received in relation to the UK Consolidated Tape regime and sets out the FCA's final position in relation to the regime's framework. It includes a section on governance in relation to Consolidated Tape Providers (CTP), including a requirement for a CTP to establish a consultative committee composed of a representative range of users and data producers and to maintain clear apportionment of significant responsibilities among its senior management to make sure that there is accountability for decisions taken in relation to the CTP's operations. The FCA does note that the SMCR will not apply to CTPs.
If you have any questions, please reach out to Tom Harkus (Managing Associate).
12. BoE, PRA and FCA Report on 2023 annual CBEST thematic review
This report will be useful for SMF 24s, Chief Information Security Officers, Chief Information Officers, Chief Operation Officers, Chief Risk Officers and cyber specialists, according to the regulators. Cast your minds back to February 2023, and you may remember that we flagged the FCA's and PRA's letter sharing the regulators' key findings from their 2022 CBEST assessments (this is testing which focusses on a firm's security controls and capabilities when faced with a simulated cyber-attack). Last year we only saw a very high-level summary. This year, we have been treated to the full 2023 CBEST thematic report, which includes the regulators' findings and lessons learned from 2023. There were six thematic findings relating to: identity and access management, staff awareness and training, security configuration, network security, incident response and security monitoring and data security. Under each of these key findings are examples of good practice identified, as well as additional recommendations and guidance from the National Cyber Security Centre.
The regulators indicate that they may use the themes identified to structure future supervisory interaction. The report suggests that firms may find it beneficial to consider and embed these findings into their own cyber strategy and / or framework.
We would recommend the relevant SMFs formally consider this report and whether any follow-up actions are needed.
If you have any questions, please reach out to Penny Miller (Partner) and Amy Sumaria (Managing Associate).
13. Lending Standards Board - Inclusion Report on increasing access to finance for ethnic minority led businesses
If you've got this far, well done! This penultimate point is about the Lending Standards Board (LSB), which has published its latest inclusion report on increasing access to finance for ethnic minority led businesses. The aim of the report is to encourage financial institutions to develop a more inclusive lending standard in order to better serve the UK's multi-ethnic business communities, with the LSB highlighting that focus in this area should be about unleashing untapped potential by financial institutions, rather than viewing this purely as a matter of inclusion. The report highlights the barriers faced by ethnic minority led businesses in requesting and accessing finance, as well as setting out good practice guidance for firms seeking to address these barriers. The guidance includes topics such as engagement, communications and data, and recruitment. The LSB has published previous inclusion reports, including on the accessibility of business banking for those with disabilities, and how firms can meet the needs of the deaf community and those with hearing loss, which may be of interest from a Consumer Duty perspective given the focus on vulnerable customers.
D&I continues to be a hot topic for regulators and industry bodies and it is important that firms have regard to their legal obligations as well as regulatory / other expectations. Please do reach out to Andrea Finn (Partner), Fiona Bolton (Partner) and Amy Sumaria (Managing Associate) with any questions you may have.
14. EBA - Final Report - Guidelines on assessing adequate knowledge and experience of management or administrative body of credit servicers under Credit Servicers Directive
To wrap up yet another bumper edition of SMCR+ View, the EBA's Final Report on guidelines for assessing adequate knowledge and experience of management or administrative body of credit servicers under the Credit Servicers Directive. A credit servicer's management or administrative organ (Organ) must have adequate knowledge and experience to conduct the business in a competent and responsible manner. The guidelines cover criteria to assess the collective knowledge and experience of the Organ, on the basis of the individual knowledge and experience of the members. Where shortcomings are identified these must be rectified with training, for example, or replacing the member. A lot of this has hallmarks of guidelines we've seen before. The guidelines do not apply to credit institutions.