SMCR+ View - February 2025

Without wanting to sound too much like the FCA's COO in her latest culture speech, we hope you are all well, dodging the flu, and have had a great start to 2025. This is a super-sized edition as we try to get ahead of the FCA releasing its final rules on non-financial misconduct (NFM), expected in Q1 2025, but referred to here as being expected "shortly". On the broader SMCR review and D&I next steps we are in an unsatisfactory holding pattern with the FCA saying that it "will publish a consultation paper [on the SMCR] in due course" and that it is (still) considering its next steps on D&I with the PRA. Another potential change from the review was buried in a recent FCA handbook notice, which noted proposals to reduce the burden of criminal records checks, in response to the feedback to DP23/3. The FCA has also added that it is thinking about how its D&I work dovetails with the UK government's own agenda in respect of workers' rights, gender action plans, and disability and ethnicity pay gaps which, to a trained eye, means it looks like these next steps aren't coming any time soon. While we all patiently wait...this edition covers a bigger section on culture, NFM, amongst other items.

1. FCA and PRA's Letters to the UK Government

The FCA and PRA have sent letters to the PM, Chancellor and Secretary of State as part of the ongoing dialogue around growth and the roles of the regulators. These are worth reading - they note the 2025 plan to "make the SMCR more flexible" and also say that they are going further with reducing the regulatory burden by removing "the need for a Consumer Duty Board Champion now the duty is in effect" (something a lot of firms will be delighted by, we're sure). The PRA also notes its  work with the FCA and HMT on the SMCR and that it will be making changes to "reduce bureaucracy and increase flexibility in the Senior Managers Regime" in 2025 (no timeline in these Dear CEO letters for banks/designated investment firms and UK deposit takers, unfortunately).

Another letter from the FCA, this time to the Treasury Committee, touches on the FCA's enforcement reforms (see our December SMCR+ View for more on the FCA's second consultation paper). Something particularly interesting, we think, is the FCA's specific reference to the fact that although its enforcement portfolio has decreased by one third, it has "increased" its  use of Skilled Persons Reviews in 2023/2024 by 84% on the previous year and in Q1 2024/2025 it commissioned 14 further reviews. These are not insignificant supervisory tools and we support a number of firms with Skilled Persons Reviews and we'd be happy to discuss the support we can offer further.

Please contact Emma Sutcliffe (Partner), Amy Sumaria (Managing Associate) or Tom Makin (Managing Associate) if you'd like to discuss in more detail.

2. FCA - Culture, non-financial misconduct and D&I with a warning shot for wholesale brokers 

Aside from this FCA speech's slightly exhausting analogy of culture being like a cough or cold, there are some key reminders for firms in here. Notably, the FCA reiterates its view that the root cause of many firms' failings is poor culture and governance. It clearly acknowledges its 'growth' mandate from the UK Government and have said that this will involve more risk taking, which requires better decision making. Better decision making, in the FCA's view, requires inclusive cultures that prevent groupthink, which make people feel psychologically safe and allow them to challenge, learn and speak-up. The FCA acknowledges that there will be isolated incidents, singular "bad apples", but with around nine incidents of NFM reported a day (as per the FCA's survey of wholesale brokers, banks and insurers in 2024) it considers  that this isn't always the case with a suggestion that some firms are turning a blind eye to NFM like discrimination, bullying, sexual harassment and harassment. These firms risk creating a "breeding ground for even bigger problems" which fundamentally undermine the FCA's statutory objectives, hence the FCA's persistent interest in this area.

There's been a particular warning shot aimed at wholesale brokers in the FCA's Dear CEO letter here where the FCA has stated that it will be proactively engaging with 'outlier' firms from the NFM survey data (something we expected it would do, but think could be unfair for some firms based on the different approaches we know firms took in responding to the survey, given the different data available to them etc). The FCA will, as part of its engagement, be looking at:

i. policies and procedures in place for reporting NFM concerns, including evidence of firms encouraging a good 'speak up' culture and giving staff confidence that they will be treated appropriately if they raise concerns;

ii. management of NFM cases by firms once they are reported by staff; and

iii. processes for ensuring that fair outcomes are reached.

The letter also states the FCA will conduct "targeted work" to assess how firms manage their brokers, and they will expect firms to have suitable controls to detect misconduct. Material weaknesses in firms' frameworks will result in FCA actions - e.g. restrictions on firms and enforcements against firms or individuals...

Other areas of focus in this Dear CEO letter are (i) remuneration arrangements and particularly how they are used as an effective disciplinary tool by firms in addressing misconduct, including NFM, (ii) business oversight and a focus on effective risk and control oversight frameworks, and (iii) financial resilience with a focus on ensuring firms subject to the FCA's liquidity review, have acted on their feedback and implemented good practices. The FCA wants all CEOs (SMF 1s) to have discussed this letter with directors/the Board and agreed actions/next steps by the end of March 2025.

For an overview of the rest of the portfolio letters from the start of the year, please see section 5 below, and if you have any questions or would like to discuss how we can support your firm, please reach out to Penny Miller (Partner), Andrea Finn (Partner), or Amy Sumaria (Managing Associate). 

3. AI- looming regulation and stability against risk

In recent months, the focus on AI within the financial services sector has intensified, with notable considerations for Senior Management particularly in light of the FCA and PRA's previous papers (DP5/22 and FS2/23 on Artificial Intelligence and Machine Learning and the FCA's AI Update) on the topic which highlighted that regimes such as SMCR would be relevant as firms seek to develop and deploy AI. AI is specifically called out in these Dear CEO letters to international banks and designated investment firms and UK deposit takers where the PRA noted that firms' risk management, governance and controls being tested by technological changes, including the increasing use of AI. According to the PRA, firms vary in their ability to proactively identify, monitor and risk manage emerging or novel risks, especially the increasingly complex interactions between risks. As such, the PRA wants senior management and Boards to ensure that they have robust governance, risk management and controls frameworks in place that are adaptive and resilient. Firms should leverage stress and scenario analyses to inform risk management, strategy and business planning. Boards also need to be considering where risk culture might be the root cause of material weaknesses in the control environment.

Industry reports by UK Finance indicate that financial institutions are increasingly investing in generative AI to enhance operational efficiency and many firms are strengthening their AI governance and risk frameworks including examining how accountabilities and risk ownership affect the roles of senior executives (e.g. Chief Information/Data Officers, and COOs). The Global Financial Innovation Network (GFIN) has also emphasised the transformative potential of AI in financial services and references accountability and governance. The Financial Stability Institution's report discusses the challenges of implementing AI in the financial sector. It specifically references the board and senior management of firms being ultimately accountable for AI use cases and there needing to be a clear allocation of roles and responsibilities across the entire AI life cycle. There's also reference to how explainability and transparency are key to supporting senior management and the board in their oversight. Another area we know a number of firms are focussed on (which is referenced in this report) is  ensuring that the Board and senior management are sufficiently experienced and familiar with AI to effectively oversee it and provide challenge to AI-driven decisions and assess their broader impact on firm's strategy.

Finally, there's also been the Treasury Committee's call for evidence in relation to AI in financial services (submissions deadline 17 March) - whilst there are no specific questions relating to senior management / governance, this may be something senior executives want to consider and feed into.

To discuss any questions, or for more information, please reach out to Amy Sumaria (Managing Associate) and for broader AI updates please sign up to AI View.

4. FCA and PRA - Consultation Papers on Operational Incident Reporting and Third-Party Reporting (CP 24/28 and CP 17/24)

Something worth flagging from December is the FCA's consultation paper on operational incident and third-party reporting. The proposals are split into two parts: (i) those relating to operational incident reporting; and (ii) those relating to third-party reporting. Whilst the proposed requirements in relation to (i) are widely applicable to firms authorised by the FCA, the proposals in (ii) will only be applicable to Enhanced SMCR firms as well as banks, PRA designated investment firms, Solvency II firms (amongst others specifically referenced). The PRA and the Bank of England have published their parallel consultation paper here. This once again shows the FCA looking to attach certain new requirements to the largest solo-regulated firms. The consultation closes on 13 March 2025 and the FCA plan to issue their Policy Statement in H2 2025.

To discuss, or for a summary on the requirements, please reach out to Amy Sumaria (Managing Associate).

5. PRA -Remuneration - SS 2/17

We touched on the PRA/FCA's remuneration updates in December 2024, but we specifically want to focus in this edition on the proposed updates to Supervisory Statement 2/17 on Remuneration. Here it is proposed specifically that the SMF 4 (CRO) is "actively involved" in the design of the MRT identification policy and its implementation as well as considering whether certain individuals should be MRTs.

Something we've found of particular interest is the proposal that firms break down the responsibilities of Senior Managers into key component tasks with these tasks to be reflected in relevant Statements of Responsibilities (SoRs). It suggests that these tasks should also include material or urgent actions requested by the PRA to address a firm's key risks, included for example in a Periodic Summary Meeting (PSM) letter. (We find this particularly interesting as we don't believe that many firms specifically update their Senior Manager's SoRs based on their PSM letters). The PRA goes on to say that in calculating variable remuneration, firms should consider responsibilities as they are set out in SoRs and the PRA expects firms, in making such calculations, to adequately consider the success or failure of SMFs against their responsibilities, including how they have addressed supervisory concerns expressed in PSM letters. This elaborates on the new proposed rules in 11.4 of the Remuneration Chapter of the PRA's Rulebook. A reminder that this consultation closes on 13 March 2025.

For more information or to discuss any questions, please reach out to Andrea Finn (Partner), Tair Hussain (Partner) or Amy Sumaria (Managing Associate).

6. For MLROs: more guidance

The FCA's thematic review on Money Laundering Through the Markets (MLTM) has underscored the critical importance of robust systems and controls, particularly in transaction monitoring and suspicious activity reporting, to effectively mitigate financial crime risks. This is definitely one for firms' MLROs (SMF 17s) to consider further and reflect on in relation to their firm's current practices. Something else that might be of interest also is the EBA's fourth report on NCA's approaches to AML/CFT supervision of banks.

7. FCA introduces criminal background checks for owners and controllers

The Financial Action Task Force previously recommended that the FCA require controllers and beneficial owners of financial institutions to obtain criminal background checks from the Disclosure and Barring Service (DBS) (or equivalent for persons outside of England and Wales). The FCA consulted on this in 2024 and its final rules took effect from 17 January 2025. These require that those giving notice of an intended acquisition or increase in control over a regulated firm to confirm that a criminal record check has been undertaken on all relevant controllers in the six months preceding the notification being submitted. This will also be applicable when firms are making applications for authorisation or registration with the FCA.

8. Enforcements

We've included a summary of the key enforcement actions for this month.

A. FCA Final Notice - Arian Financial LLP:

The FCA has issued a Final Notice against Arian Financial LLP, imposing a fine of more than £250K for failing to implement adequate systems and controls against financial crime. This enforcement action underscores the critical importance of robust risk management systems. This one will be of particular interest to MLROs (SMF 17s) and those holding prescribed responsibility (d) for financial crime.

B. FCA - Criminal charges including fraud:

The FCA has charged Mr John Dance (SMF 27 and SMF 16) with nine criminal offences, including fraud and money laundering, related to his role at WealthTek LLP. This highlights the FCA's increasingly rigorous approach to tackling financial misconduct and protecting customer interests. Mr Dance allegedly misappropriated £64 million from client accounts to fund personal ventures, including horseracing and property investments. Mr Dance was granted conditional bail and will next appear at Newcastle Crown Court. The FCA also published this relating to Mrs Lisa Campbell, also charged with multiple criminal offences including fraud by abuse of position and providing false / misleading information to the FCA to conceal her wrongdoing.

C. Court of Appeal - Mr Markou:

In a recent Court of Appeal decision, the FCA successfully appealed the Upper Tribunal's ruling concerning Mr Markos Markou, a director and chief executive of a mortgage broker firm (see SMCR+ View - May 2023 for more background on the UT's decision). The Court upheld the FCA's decision to ban Mr Markou from financial services and imposed a reduced fine of £10,000 (originally £25,000). The Court upheld the ban because Mr Markou was considered to be reckless, and his recklessness demonstrated his lack of integrity thus justifying the FCA's prohibition order.

If you have any questions on any of the above enforcement actions, please reach out to Emma Sutcliffe (Partner) and Thomas Makin (Managing Associate).

9. Regulatory communications- portfolio letters and "Dear Executive" letters

An absolute deluge of Dear CEO letters so far this year... We've outlined the key ones below. As ever, Senior Managers and Boards will want to review and consider their obligations and take reasonable steps to meet expectations within the timeframes prescribed. Any questions, do just ask!

FCA Dear CEO letter - supervisory strategy for benchmark administrators: This letter underscores the critical importance of benchmarks in the financial system and updates on governance, data quality, and resilience, reflecting on progress since the 2020, 2022, and 2023 communications. The FCA identifies governance risks, including decisions impacting UK-regulated activities being made outside of the UK management body, inadequate documentation, and insufficient risk management frameworks. The FCA expects benchmark administrators to ensure effective oversight in compliance with Benchmarks Regulation (BMR), ensure all governance arrangements are well-documented and supported by comprehensive risk management frameworks. Additionally, where part of larger global organizations, the management body should be involved in strategic decisions impacting the UK-regulated activities to foster positive change.

FCA Dear CEO letter - custody and fund services supervision strategy: This letter reflects on the sector's evolution and external risk environment since the last letter in March 2022. The FCA identifies key areas of risk, including the heightened cyber threat environment, technological innovations, and the sector's readiness for market changes. In relation to operational resilience, the FCA has said specifically that it wants to see strong ownership of operational resilience by the Board and that Board's should review and approve annual operational resilience self-assessments as required. The FCA is expecting Boards to seek relevant technical expertise where prudent to assure themselves of self-assessments' adequacy. Further, in relation to change management (a hot topic for many firms) the FCA emphasises good governance being a key area contributing to successful programmes.

FCA Dear CEO letter - strategy for Credit Reference Agencies (CRAs) and Credit Information Service Providers: This letter outlines the FCA's strategy for the next two years, focusing on embedding the Consumer Duty, enhancing consumer support and understanding, ensuring price and fair value, improving operational and cyber resilience, and assessing firms' financial resilience. The FCA highlights the need for CRAs and CISPs to navigate operational and cyber threats effectively, maintain high standards of personal data protection, and support consumers in resolving data disputes efficiently. The letter also references the Credit Information Market Study (CIMS), expecting firms to contribute to industry-led remedies and the establishment of a new Credit Reporting Governance Body (CRGB).

PRA Dear CEO letter - Insurance supervision 2025 priorities: This letter outlines the PRA's priorities for the sector in 2025, including ensuring the successful implementation and embedding of Solvency UK reforms, focusing on operational resilience, addressing funded reinsurance, monitoring cyclicality in the general insurance market, enhancing liquidity resilience, planning for solvent exits, and managing climate-related financial risks. Specifically, the PRA highlights the importance of boards and executives considering operational resilience when planning major change programmes, making strategic business decisions, or engaging in new third, or in some case fourth-party relationships; stating also that new investments in IT infrastructure, software applications and third-party arrangements should be resilient by design.

PRA Dear CEO letter - UK deposit takers supervision - 2025 priorities: This letter outlines the PRA's priorities for UK deposit-takers in 2025, which we have already referenced above in respect of AI and the SMCR review. However, one more point to note is reference to the fact that the PRA will continue to engage with the SMF responsible for model risk management to assess and monitor implementation of changes.

Other letters with less of a focus on governance, senior management, culture etc, but of relevance to CEOs include:

• FCA Dear CEO letter - supervision strategy for Data Reporting Services Providers (DRSPs) - here

• FCA Dear CEO letter - supervision strategy for trading venues: here

• FCA Dear CEO letter - Contracts for Difference (CFD) strategy: here

• PRA Dear CEO letter - international banks supervision - 2025 priorities: here (referenced above in relation to AI)

• FCA Dear CEO letter - priorities for payments portfolio firms: here (more on this can be found in Payments View - Flash Update)

• FCA Dear CEO letter - portfolio strategy for Claims Management Companies (CMCs): here (note the FCA's references to senior management in this).