In a recent speech, Director of Enforcement and Market Oversight at the FCA, Mark Steward, discussed a number of topics, including an update on recent enforcement cases and how the FCA will conduct AML investigations. We discuss the AML aspects separately here.
For these purposes, we wanted to focus on potential takeaways for Senior Managers as part of their increased accountability arising from the Senior Managers and Certification Regime (SM&CR). Specifically, the speech identifies two key themes for Senior Managers to address as part of their SM&CR implementation project. These are:
- The importance of avoiding foreseeable harm; and
- Ensuring Senior Managers receive thorough, relevant and adequate Management Information (MI) in a timely manner.
Whilst neither will surprise anyone, the speech is a helpful reminder to Senior Managers to consider how best to address these and to recognise the FCA's determination to implement and (likely) enforce the new regime.
Mark Steward referenced a number of recently concluded investigations, including:
- Tesco Bank: Fined £16,400,000 for failing to exercise due skill, care and diligence in protecting personal current account holders from a cyber-attack. Mark Steward stated that this incident was "wholly foreseeable" as there had been a specific warning about this type of cyber-attack 12 months previously.
- Carphone Warehouse: Fined £29,107,600 for mis-selling the 'Geek Squad' mobile phone insurance and technical support product. The FCA considered there to have been red flags arising from the number of complaints and cancellations about the 'Geek Squad' policy. This was, in effect, held to have been an implicit warning which made the particular breaches foreseeable.
This speech gave more than a brief nod to the SM&CR. Specifically, Mark Steward stated:
- "In each of these cases, senior management was either invisible or lacking influence because there had been little or no escalation or management data was insufficient to alert senior management that problems had not only arisen, they were persisting without solution."
- "While these cases involve conduct that predates the senior managers’ regime, these cases signal that in any assessment of ‘reasonable steps’, escalation and senior management sight lines over problems that are not being solved effectively will be an issue."
Evidently, the FCA is starting to set out how it will approach investigating Senior Managers in an SM&CR world. With this in mind, we advise each Senior Manager to ask:
- Do I receive sufficient information to be confident that the processes I am responsible for are working as intended?
- Are the staff I am responsible for sufficiently trained to recognise and report on potentially important and/or systemic issues? Are there processes in place to do this effectively? Is the culture of the team such that issues would be raised and not disguised?
- What systems and controls are in place to ensure information received has been properly acted on? For sufficiently important matters, are there, for example, multiple lines of defence in my area of responsibility?
For larger firms, there will be a hierarchy of managers. As a Senior Manager, you would want to satisfy yourself that lower and middle management are sufficiently trained to recognise and escalate systemic issues. Senior Managers will want to review the processes for passing information 'up the line'.
The warning is clear (and unsurprising) – a lack of MI and/or failure to prevent foreseeable harm may leave the Senior Manager(s), and by extension, regulated firms, in significant trouble. What is of most interest is that the FCA is already foreshadowing how it may frame these investigations in an SM&CR world.
Accordingly, Senior Managers should take action now to ensure these points are covered as part of their SM&CR implementation project. They should also (out of self-interest) check their employment contracts and D&O policies so that they are ready to defend themselves in the event of FCA enforcement action.
If you would like to discuss the contents of this article or any aspect of your implementation of SM&CR, please contact Aaron Osborn.