It’s September and we’re “back to school”, so here’s another SMCR+ View. Nothing new to update you on in terms of timing for the SMCR review Consultation Paper, but the FCA’s Annual Report for 2024 confirms that it will be before the end of the year…
This SMCR+ View is quite Final Notice heavy, and it also covers some interesting points on the FCA’s expectations in relation to financial crime and Money Laundering Reporting Officers (“MLROs”). As ever, please let us know if you found this helpful, or if there is anything more we can be doing!
1. FCA Speech – Financial Crime and the Role of MLROs
It began with a spark in a bakery…Likening financial crime to the Great Fire of London, the FCA in a recent speech outlined its actions and expectations in relation to fighting financial crime, which is a priority in its three-year strategy. The FCA looks at this through two lenses: (1) hosing down fires when they ignite (the FCA has charged 21 individuals with financial crime offences this year - the highest number in any single year, including against firms who turn a blind eye to suspicious activities - see the Final Notice against PwC below) and, (2) stopping them breaking out in the first place.
In relation to (2), the FCA emphasises the importance of firms having the right systems and controls. At the FCA there is a dedicated financial crime function tasked with identifying potential red flags at firms. One flag is a high turnover of MLROs which echoes the FCA's previous concerns flagged by us in November 2021’s SMCR+ View where firms with high MLRO turnover were urged to assess underlying causes, such as cultural issues or lack of support, to ensure robust anti-money laundering frameworks were in place. Other ‘red flags’ include frequent changes to a firm's registered name, and significant post-authorisation service changes. The FCA points to the 5 reviews of firms’ financial controls it has carried out since April 2023 (including a Dear CEO letter and four areas of focus for reducing and preventing financial crime published earlier this year) which share good and poor practices and which MLROs would be well advised to consider given this remains a ‘hot topic’ (excuse the pun…) for the FCA.
If you have any questions, please contact Amy Sumaria (Managing Associate) or Cherie Spinks (Of Counsel).
2. Duty to Prevent Sexual Harassment
As many of you will know the new legislative duty to prevent sexual harassment will come into force for firms on 26 October 2024. It introduces a new, positive obligation on employers to take 'reasonable steps' to prevent sexual harassment of their employees in the course of their employment. We are doing a huge amount of work with firms on what this means, how it feeds into broader risk management and also the SMCR and the obligations on individuals, particularly given the FCA proposals on non-financial misconduct (the final rules of which we’re still expecting this year). In particular, a number of firms are using this new duty as a springboard to re-educate and reinforce the messaging around non-financial misconduct more broadly within the workplace.
We are doing a lot of training for firms and their employee populations on this from an employment risk and regulatory perspective. Do get in touch with Andrea Finn (Partner) or Amy Sumaria (Managing Associate) for more information.
3. FCA Report on UK Payment Accounts Access and Closures
For banks and account providers, the FCA has published a report outlining its findings from work carried out in relation to UK payment account access and closures, which follows on from the report on debanking published last year (as covered in September 2023’s SMCR+ View). Governance and Consumer Duty are a key focus, with the FCA highlighting its expectation that firms collect and record adequate and accurate data on account access decisions to inform appropriate management information on the Duty. Internal governance, policies and procedures should also detail reasons for rejecting applications or terminating accounts and ensure that these do not result in direct or indirect discrimination. The FCA has also asked Senior Managers/senior individuals to sign attestations confirming they have not denied, suspended or terminated payment accounts based on customers' political beliefs or lawfully expressed views and that their systems and controls support this assurance. This is especially interesting given that the FCA previously highlighted that they would consider enforcement action against Senior Managers in cases of serious systemic misconduct for account closures.
We have generally observed that, prior to the SMCR, the FCA often required attestations from senior individuals, but with the advent of the SMCR these started to fall away. However, the requirement for attestations by Senior Managers seems to have had a resurgence – this, of course, presents the risk that the FCA will be able to take action, arguably more easily, for a Senior Manager misleading the FCA/failing to carry out proper diligence in order to provide the attestation/a lack of transparency than for fundamental breaches of the underlying regulatory requirements. What does this mean? Senior Managers need to be taking reasonable steps in relation to these attestations and they must be confident that the information included is accurate.
As you’d expect there is a financial crime thread running through this report which is also worth noting and flagging to relevant internal stakeholders. The FCA expects banks to continue to engage with stakeholders to continuously review and improve their practices.
If you have any questions, please reach out to Alex Ainley (Partner) and Amy Sumaria (Managing Associate).
4. Other updates
We’ve summarised below some of the other key updates from an SMCR perspective:
FCA Annual Report 2024: This includes interesting data confirming that in 2023/24, the FCA used its s.166 (Skilled Person Reports) powers in 83 cases (a 76% increase on the previous year). Topics covered include Consumer Duty, controls and risk management frameworks, financial crime, corporate governance and senior management arrangements, including culture, adequacy of advice, adequacy of systems and controls, client money and client asset arrangements, principal oversight of appointed representatives, and market abuse. The sector with the highest number of reviews (20) was the retail banking and payments sector, followed by retail investments (19). Across the sectors, four reviews related to governance and individual accountability. The Report also confirmed that on 31 March 2024, the FCA had 188 open enforcement actions, investigating 341 individuals and 162 firms.
We have fantastic experience supporting firms where they are or may be facing s.166 reviews. We can help firms in selecting their skilled person and with ensuring appropriate scoping and disclosure (a ‘shadow’ s.166 role), advising firms with their engagement with the skilled person as the review progresses, undertaking quasi/mock s.166 internal reviews to the same/similar standard as a s.166 review where firms consider this to be beneficial ahead of any formal regulatory engagement and in engaging with the PRA and/or FCA in relation to the output of a review. If you’d like to speak to us about our offering and the work we’ve done on this matter then we’d love to come and speak to you more about this. Please contact Emma Sutcliffe (Partner), Thomas Makin (Managing Associate) and Amy Sumaria (Managing Associate).
UK Listing Rules: Something to think about for Boards – one of the significant changes brought in by the new rules, which came into force on 29 July 2024, is around Board effectiveness and governance. Under the new rules, all listed companies must ensure their Boards are equipped to handle their responsibilities with particular focus on IT and cyber risk expertise. We’ve done a lot of work with listed and regulated entities on Board skills assessments and effectiveness reviews and a number are thinking about how to drill down into these technology focussed skills further. If you’d like to discuss then do reach out to Amy Sumaria (Managing Associate). Additionally, the new rules require boards to confirm on an initial listing that the company has taken reasonable steps to establish adequate procedures, systems, and controls to meet their obligations. You can find our full briefing on these new rules here.
ECB Speech on Operational Resilience: This emphasised the importance of operational risks for banks, likening it to the flexibility of a silver birch tree that bends without breaking in strong winds (we’re not joking, there is a reference to trees in this speech…). The key takeaway is the need for robust contingency plans to handle operational disruptions like cyberattacks and IT failures. This isn’t just about investing in state-of-the-art IT infrastructure and systems and processes, but also investing in people - ensuring that both Board members and employees have the necessary expertise in IT and cyber risks. This has clearly come to the fore because of the recent CrowdStrike issue (we have some helpful resources on that here) and (from a UK perspective) firms should be mindful of the Abarca Final Notice (covered here in SMCR+ View) which demonstrates the impact material disruptions can have for Senior Managers. Interestingly, the ECB flagged that lacking the necessary IT expertise could undermine the board's collective suitability (and shows the focus of regulators here and abroad given the UK listing rule requirements also!).
If you have any questions on these updates, please reach out to Penny Miller (Partner) or Amy Sumaria (Managing Associate).
5. Enforcements
We’ve included a summary of the key enforcement actions for this month, two of which have a key focus on failings in providing accurate and full disclosure to the FCA…
A. Upper Tribunal Decision – Mr Kalaris
Way back in 2022, the FCA published a Decision Notice against Saranac Partners Limited, which related to its decision to refuse Saranac’s application to approve Mr. Thomas Llewellyn Kalaris as SMF 1 and SMF 3 due to concerns about his fitness and propriety. The FCA found that during interviews related to two separate investigations, Mr Kalaris failed to be open and cooperative and provided untrue and misleading evidence. Saranac referred this decision to the Upper Tribunal (“UT”).
Fast forward nearly two years, and we have the UT decision, where they agreed with the FCA that Mr Kalaris had not been candid in his answers to three of the questions asked by the FCA and that one of his answers was dishonest. The UT also noted that Mr Kalaris had not shown any signs of remorse, and he reiterated that he had acted entirely appropriately and had been entirely open and honest with the FCA. The FCA has now published a Final Notice to Saranac Partners Limited and Mr Kalaris confirming its refusal of the application.
A key reminder for Senior Managers is that failing to be open and cooperative is multi-faceted – it can involve proactive dishonesty, providing incorrect information and also the omission of information or half-truths which serve as a smokescreen and a distraction. Failing to acknowledge one’s mistakes/failings is also problematic and ill-advised, as is evident from the UT’s decision.
B. FCA Final Notice – PwC
In its first fine of an audit firm, the FCA has fined PricewaterhouseCoopers LLP (“PwC”) £15 million for failing to report its reasonable belief that its client, London Capital & Finance plc (“LCF”) might have been involved in fraudulent activity during PwC's audit of LCF's 2016 accounts. During this audit, PwC encountered significant issues, including LCF’s failure to provide basic information, aggressive behaviour from LCF’s senior management, and the provision of inaccurate and misleading information. Despite these red flags, and its reasonable belief that LCF might be involved in fraudulent activity, PwC did not report its suspicions to the FCA as required under the Reporting Regulations applicable to auditors.
Whilst the FCA recognised that PwC was not involved in the misconduct, and as an auditor is not responsible for fully investigating the suspected fraud, the FCA noted that auditors of regulated firms, by the nature of their work, have a unique insight into how those firms are run and managed, and therefore play an important role in maintaining the integrity of the financial system by promptly reporting any suspicions of fraud or other significant issues. The FCA specifically flags that speed of reporting is vitally important given the potential consequences of consumer harm and financial crime. PwC’s failure to report deprived the FCA of critical information that could have influenced its regulatory actions and potentially mitigated the financial harm to LCF’s bondholders.
Whilst specific to auditors, this serves as a reminder to firms to ensure any potential suspicious activity is considered, including any activities in relation to their clients, and that Suspicious Transaction and Order Reports (“STORs”) are filed.
C. FCA Final Notice – Mr Williams
The FCA has issued a Final Notice against Luke Williams, barring him from performing any function related to regulated activities and finding a severe lack of honesty and integrity. This one, like many FCA Final Notices, is pretty clear cut and probably isn’t going to help firms draw a line as to what amounts to a lack of integrity… Mr Williams was an employee of a bank and, through his position dealing with customer telephone calls, passed on details of security information he received from customers to his co-conspirators, who then impersonated the individuals to arrange unauthorised payments from their accounts. This resulted in £1.2 million of losses (although the potential loss could have been £2.3 million).
D. Upper Tribunal Decision – Mr Ashraf
Another UT decision agreeing with the FCA, which relates to the FCA’s refusal to approve the application of Mr Ashraf as a qualified adviser for Ashraf Wealth Management Limited. Prior to this application, Mr Ashraf worked as an Appointed Representative under two Principal firms. Both of these arrangements were terminated following internal investigations which identified breaches in relation to non-compliance with internal procedures. The FCA concluded that this demonstrated a pattern of non-compliance, and Mr Ashraf had not demonstrated he would be able to comply with all regulatory requirements should his application be approved. The UT was satisfied that the FCA’s decision was reasonable and therefore dismissed the reference.
Whilst this relates to Appointed Representatives and Principal firms, this flags that compliance with internal procedures is something that should be considered when reviewing fitness and propriety of individuals, and that potentially lower-level non-compliance can have a magnified impact on individuals and firms in the future. In particular, we often see individuals who have a pattern of low-level misconduct, and there is an inherent risk of this escalating into something bigger (as we’ve seen with the likes of the Adoboli case).
If you have any questions on any of the enforcement actions mentioned above, please reach out to Emma Sutcliffe (Partner) and Thomas Makin (Managing Associate).



