For our last SMCR+ View of 2024, we leave you with a festive gift...the non-financial misconduct (“NFM”) guidance promised by the end of Q4 2024 will now be published in Q1 2025. We had heard mutterings that this would be the case, but the FCA have confirmed this officially now in their response to the Treasury Committee Chair's letter (relating to progress made following the Sexism in the City inquiry) that the final policy statement is due “early in 2025” (I can’t imagine we’re the only ones having deja vu...). Other nuggets from this suggest (i) that the FCA will be engaging with outliers from the FCA’s NFM survey, and (ii) that we will get some movement on the FCA and the PRA’s next steps on D&I in Q2 2025 (although in the PRA’s letter it states “during 2025” so let’s see whose timeline is more realistic...). It is worth noting the letter from the PRA also touches on remuneration matters and the City Minister’s response is also here.
In the meantime, we have yet another bumper edition to cover all the end of year activities, including key findings on the first batch of Consumer Duty Board Reports, AI and financial services, updates on the FCA’s enforcement consultation, key enforcement actions, and much more.
Enjoy and we hope you all have a very restful end to the year and look forward to speaking with you more in 2025!
1. FCA findings on Consumer Duty Board Reports
The FCA has published key findings of good and bad practices following its thematic review into 180 firms’ approaches to completing the first annual Consumer Duty board report. This is of interest to this audience given associated Board level obligations and senior Consumer Duty Champions. There are interesting findings around overreliance on compliance/Consumer Duty teams and a lack of clear stakeholder contributions. There is also evidence of positive Board challenge and requests for further information, as well as clear demonstrations of allocating responsibility for follow-up actions which the FCA said outlined that some Boards were not simply “rubber stamping” the report. For a comprehensive summary of the key findings see the most recent Consumer Duty View – this also covers the FCA’s review of firms’ approaches to complaints, which similarly recognised good and bad practices.
If you have any questions on the Consumer Duty more generally, please contact Penny Miller (Partner) or Amy Sumaria (Managing Associate).
2. FCA enforcement consultation – round two
You will likely all have seen that the FCA has published its revised proposals (CP 24/2, Part 2) in response to feedback on its (controversial) original proposals, with a commitment to engage extensively with the industry. The FCA plans to make a final decision by Q1 2025. The revised proposals include some significant changes, including: (i) the impact of an announcement on the firm will form part of the FCA’s public interest test and be central to any decision to announce an investigation and name a firm; (ii) firms will receive a copy of any draft announcement with 10 business days’ notice to make representations and a further two days' notice of publication after the FCA’s decision; (iii) potential for an announcement to disrupt public confidence as a new factor; and (iv) no proactive announcements of ongoing investigations when the revised proposals come into effect.
In the recent deluge of updates, the House of Lords Financial Services Regulation Committee has published its written evidence, as well as an uncorrected transcript, including a response from the FCA. As if that wasn’t enough, the Bank of England has also updated its procedures for its Enforcement Decision Making Committee, reflecting new and expanded regulatory powers introduced by FSMA 2023. And finally, following the Upper Tribunal’s recommendations, the FCA has also revised its disclosure process in regulatory enforcement cases to ensure a broader approach, committing to disclose all relevant material unless doing so would be disproportionate, not in the public interest, or otherwise inappropriate. It is a time of change in relation to regulatory enforcement and disclosure practices so for more updates relating to the FCA’s latest consultation please sign up to Financial Markets Disputes View.
Please contact Emma Sutcliffe (Partner) or Thomas Makin (Managing Associate) if you’d like to discuss any of this further.
3. AI: financial stability and governance
The regulators are not yet done engaging with the machine as AI’s role in financial stability and economic growth has been called out in this speech by the Bank of England. As financial institutions increase their use of AI, particularly generative AI, the Deputy Governor has raised the question of whether the technology-agnostic approach relied on to date will continue to be sufficient in the face of risk management and governance and the Bank of England seems to be considering whether (i) practical guidance on what ‘reasonable steps’ mean for Senior Managers within the context of AI systems would be helpful given existing guidance is based on a time when autonomous decision-making technology such as AI was not widespread, and (ii) whether specific responsibility for AI is required in order to create an incentive for meaningful accountability for AI deployment and oversight within firms (something discussed in the PRA and FCA’s joint discussion paper in 2022 and the subsequent PRA and FCA feedback statements).
The Financial Stability Board has also published a report on the implications of AI for financial stability, with a particular focus on how AI could inflate specific vulnerabilities in the sector and consequently the associated risks relating to third-party dependencies and service provider concentration, market correlations, cyber-risks, and data quality and governance. The Bank of England and FCA’s report on the third survey of AI and machine learning in financial services flags that a third of all AI use cases involve third parties, with the top three third-party providers accounting for 73%, 44%, and 33% of all reported cloud, model, and data providers respectively. This is something for your relevant senior managers to consider who have responsibility for operational resilience, cybersecurity and risk management, amongst others. Of further interest, the report stated 84% of firms have an accountable person for their AI framework and 72% reported their executive leadership were accountable for AI use cases.
In early 2025, the Bank of England and the FCA will publish results of a joint survey on how financial services are using AI and machine learning, looking at the impact of AI on financial stability and how they plan to monitor potential risks. This is in parallel to the FCA seeking input on the future of AI in the financial services (deadline for responses is 31 January 2025).
For more information or to discuss any questions, please reach out to Amy Sumaria (Managing Associate) and for broader AI updates please sign up to AI View.
4. Enforcements
We’ve included a summary of the key enforcement actions for this month and the key takeaways and lessons coming from them.
A. Upper Tribunal – Mr Staley
The Upper Tribunal (Tax and Chancery Chamber) has published its decision on applications relating to Mr Staley’s challenge of the FCA’s Decision Notice published last year. A pre-trial review is listed for 30 January 2025 with the substantive hearing scheduled to begin on 3 March 2025.
B. Final Notice – Mr Käärmann
The resounding lessons learned from this Final Notice? Open your post, and, if in doubt, tell Compliance. In this Final Notice against Kristo Käärmann the FCA fined Mr Käärmann £350,000 and found him in breach of Senior Manager Conduct Rule 4 (disclosure to the regulators). This was off the back of Mr Käärmann failing to tell the FCA of a significant financial penalty imposed on him by HMRC and a determination by HMRC that he had deliberately failed to notify it of Capital Gains Tax he was obliged to pay on a large share disposal in 2017. The FCA are clear in this notice that it expects self-notification by Senior Managers of any matters that may be significant to their fitness and propriety, which includes matters that may have an adverse impact on their reputation and/or that of their firms. It was also clear that it does not want to hear this information from third parties. Mr Käärmann’s failure to disclose the information to his firm meant that it was unable to comply with its own Principle 11 obligations. The FCA determined he was careless, as opposed to deliberate or reckless because he wrongly believed that it was a personal matter that was not relevant to his professional life and regulated role. A stark reminder of the scope of the fitness and propriety requirements. The FCA has reiterated that material adverse findings from, and/or penalties imposed by, a regulatory and/or statutory body (such as HMRC) will always be something that requires disclosure to the FCA.
C. Final Notice – Mr Harris
This really does not help firms in terms of drawing the line as to what does and does not amount to a lack of integrity, but it is quite the story! The FCA has issued Final Notices against Ari Harris and the firm for which he was sole director as SMF 29 (Limited Scope), Reed Motors Ltd. This follows Mr Harris who, following a conviction of grievous bodily harm and being sentenced to three years in prison, applied (via the firm) for an additional approved person on grounds that he was on “business abroad”. In a call with the FCA, Mr Harris failed to mention he was in prison at the time...! Mr Harris deliberately failed to notify the FCA of his offence, conviction and custodial sentence, providing false and misleading information to cover up the fact that he was in prison. Naturally, the FCA withdrew Mr Harris’ approval to perform the SMF 29 role, imposed a ban on him and found the firm to be lacking in fitness and propriety, cancelling its Part 4A permission.
D. Final Notice – Mr Mackey
The FCA has issued a Final Notice against Leigh Mackey, withdrawing his SMF 3 approval and imposing a prohibition order after finding him to have breached Individual Conduct Rule 1 (honesty and integrity) and Individual Conduct Rule 3 (open and cooperative with the regulator), and to lack fitness and propriety. Mr Mackey was the sole director of an insurance broker for the construction sector and used funds due to insurers to support the firm’s operating costs and to pay for personal living expenses. Over the four-year period, the firm submitted regulatory reports stating it had carried out the required client asset audits, which Mr Mackey has admitted the firm failed to carry out.
E. Final Notice – Mr Cooke and Mr Buchan
The FCA has issued Final Notices against Martin Cooke and Craig Buchan, both SMF 27 of MedDen Financial Services LLP and SMF 17 and SMF 16 respectively, imposing fines and a prohibition order. The FCA had previously imposed an asset requirement on the firm, meaning it could not diminish the value of its own assets and safeguarding the assets for the benefit of the customers who were owed redress for financial loss suffered due to financial advice they had received. The day after the requirement was imposed, Cooke and Buchan withdrew funds for their own benefit and subsequently failed to report the breach. The FCA found the pair are not fit and proper to perform any regulated activities due to the serious nature of the breach, as well as breaching Individual Conduct Rule 1 (honesty and integrity).
F. Final Notice – Mr Pryke
This Final Notice has been issued to Philip Pryke, a pension transfer specialist performing the CF30 (customer), CF1 (director) and CF10 (compliance oversight) functions, who advised 986 customers to transfer out of their defined benefit pension scheme. Mr Pryke’s actions being contra FCA guidance, he was found in breach of Statement of Principle 1 for acting recklessly and without integrity and banned from carrying on any regulated activity.
G. Final Notice – Mr Fenech and Ms Dunne
The FCA has issued Final Notices against Richard Fenech and Heather Dunne, the sole director of Financial Solutions Midhurst Limited (FSML) and the appointed representative, respectively. Mr Fenech was responsible for overseeing Ms Dunne who failed to act with due skill, care and diligence when providing pension transfer advice, advising almost all of her clients to transfer out of their defined benefits pension schemes. Both individuals failed to act with integrity as a result of their dishonest provision of a backdated appointed representative agreement to the regulator. They have been banned from working in financial services for lacking the required fitness and propriety and both fined. Mr Fenech and Ms Dunne have referred the FCA’s decision to the Tribunal.
H. Final Notice – Metro Bank plc
Metro Bank has been fined £16,675,200 for breaches of Principle 3 (management and control), relating to its financial crime systems and controls, including those relating to money laundering. The Final Notice acknowledged that “comparably less senior grades” raised the risk and the issue of the bank’s failure to put adequate systems and controls in place to manage “bad data”. While individual staff members investigated and attempted to escalate the issue to more senior staff and committees in 2017 and 2018, the concerns raised did not result in the issues being addressed. All in all, it took over four years to resolve the issue. SMF 16/17s with responsibility for financial crime systems and controls will have a particular interest in this matter based on the money laundering risks element. The notice highlights the importance of effective escalation processes, consistent and quality management information, and effective challenge and oversight of those implementing financial crime systems and controls.
I. Final Notice – Macquarie Bank Ltd
This Final Notice saw the FCA fine Macquarie Bank Ltd, London Branch £13,031,400 for control failings that allowed a client-dealing certified employee, Travis Klein, to record over 400 fictitious trades in 20 months costing the bank an estimated USD 57.8 million to unwind. The FCA considered that the bank had failed to address systems and controls issues in an effective and timely manner and as a result the regulator imposed the fine for breach of Principle 3 (management and control). In addition, Mr Klein was found in breach of Individual Conduct Rule 1 and has been banned from financial services for lacking the requisite fitness and propriety. Mr Klein would have also been fined £72,000 if his application for serious financial hardship had not been successful.
If you have any questions on any of the above enforcement actions, please reach out to Emma Sutcliffe (Partner) or Thomas Makin (Managing Associate).
5. Regulatory communications: portfolio letters and “Dear Executive” letters
It's not just been the man in the big red suit that’s delivering lots of post this month, the regulators have sent another flurry of portfolio and executive letters with their specific concerns and relevant expectations relating to the specific portfolios. Senior Managers and Boards will want to review and consider what is relevant to their organisations and take reasonable steps to complete any required subsequent steps.
TL;DR – the broad focus areas for many firms include Consumer Duty, financial resilience, operational resilience, financial crime and fraud, and sustainable finance. Almost all the letters explicitly call out the FCA's intent to evaluate whether Senior Managers are carrying out their responsibilities under the SMCR appropriately.
FCA Dear CEO letters – strategy for retail banks and building societies in 2025: This letter and this letter respectively outline the FCA’s priority areas (which broadly align for both portfolios), including: implementing and delivering on the Consumer Duty, careful risk management to avoid issues relating to resilience or business interruption, improvement of systems and controls relating to financial crime, and clear, fair and not misleading practices in sustainable finance.
FCA Dear CEO letter – strategy for non-bank mortgage lenders and mortgage third party administrators in 2025: This letter reminds firms of their responsibilities under Principle 11 (to deal with the regulator in an open and honest way), for both regulated and unregulated activities, as some seek to diversify their funding sources. Other priority areas include financial resilience, treatment of customers in financial difficulty, the Consumer Duty, operational resilience, financial crime and fraud, and sustainable finance.
FCA Dear CEO letter – strategy for lifetime mortgage providers in 2025: This letter outlines that the FCA will engage with firms on their cultures and controls in priority areas (Consumer Duty, financial resilience, operational resilience, financial crime and fraud, and sustainable finance). Effective culture and controls include robust leadership and people management that fosters a culture of integrity and consumer focus, as well as comprehensive risk management. The regulator reminds the firms of their Principle 11 obligation - to deal with the regulator in an open and honest way.
FCA Dear CEO letter – expectations for Self-invested Personal Pension (“SIPP”) Operator: This letter follows the 2023 letter to firms and outlines additional areas of focus. The FCA will be engaging firms who have yet to meet expectations on (i) redress schemes as part of the Financial Ombudsman Service cases, (ii) the handling of pension scheme money and assets and proper record maintenance, including adequate oversight by Senior Managers, and (iii) the improvements needed to implement the Consumer Duty. The FCA have repeated their statement that it will use the SMCR to engage directly with accountable individuals on specific areas of concern.
FCA Dear CEO letter – supervisor strategy for credit rating agencies (“CRAs”): This letter includes the regulator’s view on the sector’s key risks, expectations and a summary of the intended work. While there has been some progress from CRAs in response to previous letters in 2022, the FCA highlights (i) concerns about the visibility of non-UK interdependencies and the role of control frameworks in overseeing and mitigating risk, (ii) risks relating to ratings processes and methodologies, which the board should ensure comply with the UK CRA Regulation, and (iii) operational resilience, including business continuity, disaster recovery, and the role of technology and cyber risks. We note, CRAs are not subject to the SMCR.
PSR Dear CEO letter – APP fraud: This letter to tech firms on APP fraud enabler data outlines the regulator’s proposal to publish data on firms that are most commonly reported as enabling contact between fraudsters and victims which results in an APP fraud payment.
If you would like to discuss any of the letters in more detail, please get in touch with Penny Miller (Partner) or Amy Sumaria (Managing Associate).
6. Other updates
We’ve summarised below some of the other key updates from an SMCR perspective:
PRA inventory: A reminder that the PRA has an inventory of supervisory statements and documents assigning responsibility and outlining relevant expectations for Senior Managers – no updates this November or December but here is a link to the last updated version from November 2023.
Credit unions – PRA annual assessment: In the PRA’s 2024 assessment, the regulator has identified two key risks which will be driving their supervisory engagement of credit unions over the next year – operational resilience and disorderly failure and corporate governance. Having outlined their expectations in a letter in March 2024, the PRA expects boards to be able to provide evidence of progress or ongoing compliance. The letter should also be read alongside the Dear CEO letter to UK deposit takers, with an updated version due to be published in January 2025.
For MLROs – FATF Money Laundering National Risk Assessment Guidance: The FATF has published guidance on the money laundering national risk assessment which is required by financial institutions (Regulation 18, Money Laundering Regulations) and will be practically helpful for SMF 16/SMF 17s seeking to comply with the MLRs and broader industry guidance. The guidance covers assessment preparation and set-up, assessing and understanding risks, and post-assessment actions.
For consumer credit firms and non-bank mortgage lenders – FCA financial resilience review: The regulator published its findings after conducting a review assessing firms’ approach to financial resilience and possible consumer harm from weaknesses in financial resilience. Overall, the FCA identified room for improvement in risk governance and risk management, noting most firms had an underdeveloped approach to identifying, assessing, monitoring, and managing risks, while some firms had an inadequate approach to identify risks relevant to their business, and there was a general lack of stress testing and wind-down planning. Firms are expected to assess their financial resilience and refer to the FCA’s finalised guidance on assessing adequate financial resources. One for the CFOs....
Remuneration reforms: The PRA and FCA have proposed amendments to make the regime for dual-regulation firms more effective and simpler. The proposal includes reducing the number of individuals subject to the remuneration rules, simplifying the approach to identifying material risk takers (MRTs), having variable remuneration more aligned with risk-taking outcomes and individual responsibilities, and aligning deferral of variable remuneration with international practice. For more information or to discuss any questions, please reach out to Tair Hussain (Partner).
For life insurance firms - FCA multi-firm review: Following the September 2023 portfolio letter to the life insurance sector, the FCA has published findings from a multi-firm review of the bereavement claims process. The review outlines the regulator’s expectations of life insurance firms concerning the process and confirms it intends to further engage and identify compliance gaps as part of its monitoring. The review explicitly calls out the FCA’s expectations of SMFs to consider the review and take steps to ensure compliance. If you would like to discuss, please reach out to Jonathan Thorpe (Partner).
Proposed changes for UK insurance special purpose vehicles: The FCA is proposing to remove the requirement for UK insurance special purpose vehicles to comply with SYSC 3.2.8R and to allocate the SMF 16 compliance oversight function.
If you have any questions on the updates or would like to discuss the support we can offer your team, please contact Penny Miller (Partner) or Amy Sumaria (Managing Associate).

















