FCA and PRA enforcement themes and trends 2023: a shake-up

Both regulators appear to be reflecting on their approach to enforcement looking for new ways to deter, investigate and punish wrongdoing. There are signs of shifts in the enforcement priorities of both regulators in terms of how investigations are run, or will be run in the future, and the focus of those investigations. This article considers the main themes around which the FCA’s and PRA’s enforcement actions have centred over the last 12 months and looks at how those trends may carry forward into 2024.

Overview of enforcement activity in 2022/23

For the first time ever, the total fines imposed by the PRA during 2023 outstripped the FCA’s total fines by a significant margin. By the end of 2023, the PRA had imposed just over GBP87 million in fines, whereas the FCA had imposed fines of almost GBP53m (not including sums firms paid to the Financial Services Compensation Scheme in lieu of a fine in connection with incorrect pension transfer advice provided to customers).

However, the bulk of the PRA’s total fines imposed in 2023 consists of one very large fine of just over GBP87m. The FCA’s highest fine imposed during 2023 was relatively modest in comparison, at just over GBP17m, with the average fine imposed being quite modest, at just over GBP6.5m. One in four FCA enforcement cases concluded in 2023, the FCA opted to impose public censures in lieu of fines, one of which would have been a fine of GBP72m. In three of these cases, the decision to waive that fine was based on the poor financial state of the firms in question, and in the other case the decision was based on the steps taken by the firm to pay redress to customers.

The overall level of FCA enforcement action taken in 2023 dropped: in 2023, the FCA took enforcement action in 25 cases (excluding enforcement action taken in relation to the FCA’s threshold conditions), whereas in 2022, the FCA took enforcement action in 34 cases. Looking at who is most frequently targeted by FCA enforcement action, it is a fairly balanced split between action against individuals and firms, whereas PRA enforcement activity is heavily skewed towards firms. Brokers (26%) and retail banks or lenders (22%) are the firms that have most frequently found themselves to be the subject of enforcement action in 2022 and 2023.

The majority of enforcement action taken against individuals in 2023 resulted in prohibition orders and was imposed for personal misconduct. The most common topics that led to enforcement action being taken against firms in 2023 was pension transfer advice, financial crime, systems and controls issues and governance and oversight failings.

Common underlying issues

Looking beyond the headline topics that have led to enforcement action, two issues stand out as the most prevalent sources of regulatory concern:

• Policies and procedures featured in 88% of cases where enforcement action was taken in 2022 and 2023, either because firms lacked adequate policies and procedures in a particular area, or because the relevant policies and procedures that did exist were not complied with.
• Escalation failings feature in 71% of cases where enforcement action was taken in 2022 and 2023, either because firms lacked clear and effective escalation processes, or because they did not follow them in practice, resulting in senior management, and, in some cases, the regulators themselves, not receiving information that they needed to oversee the business.

Besides these two recurrent issues, in more than half of all cases, the regulators found that the firm had been aware of the issues that led to enforcement action but had not taken sufficient or timely steps to address them. This includes cases where the firm ignored or failed to address “red flag” indicators, as well as where an internal review, such as an audit, or external review, such as an FCA-commissioned skilled person review, highlighted an issue that should have been resolved but was not.

Related to this issue is the adequacy of firms’ record keeping. In 46% of enforcement cases that were completed in 2022 and 2023, the regulators identified record-keeping deficiencies. These failings covered a broad range of records, including records of key business and governance activities, as well as the use of personal devices and encrypted messaging apps. This latter issue is one that has recently risen sharply on the regulators’ agendas (see “Use of non-approved communication platforms” below”).

Firms’ resourcing was cited as an issue in just under half of FCA and PRA enforcement action taken in the last two years and is an issue that the regulators are likely to continue to focus on, especially in the current economic climate where firms look to control and cut costs. Shortcomings often arise where firms experience rapid growth but investment in control functions fails to keep pace with the growth of the business, or when firms go through cost-cutting exercises and cut too deeply into essential functions.

Investigations and interventions

It is increasingly through supervisory tools, rather than formal enforcement action, that firms are feeling the effect of FCA interventions. Alongside conduct of enforcement investigations, there will often be close scrutiny from FCA supervisors who are seeking to fully understand the causes and the consequences of the events that led to enforcement investigations.

FCA early intervention

The scope of the FCA’s intervention powers can be very broad and includes requirements for a firm to take positive action, such as to put in place particular controls, as well as restrictions on taking particular action, such as ceasing to take on new clients.

In late 2021, the FCA changed its internal governance in relation to its statutory decision-making powers, including on using own-initiative intervention powers to impose a requirement on a firm or to vary a firm’s permissions. These changes allowed certain powers to be exercised under executive procedures, which streamlined and internalised a lot of the decision making in this area. Before these changes, the exercise of the FCA’s unilateral powers, such as own-initiative variation of permissions or own-initiative requirements, had been subject to the jurisdiction of the Regulatory Decisions Committee (RDC), the body that remains the decision maker in contested enforcement cases and is quasi-independent, operating separately from the rest of the FCA.

The FCA was very open about its intentions when making these changes. They were intended to enable the FCA to be more robust and assertive in the decisions it makes and to be able to intervene earlier and respond more quickly when it identifies potential harm. The FCA received significant push-back while consulting on these changes, particularly in relation to a concern that the FCA was prioritising speed and efficiency at the risk that this might adversely impact the fairness and objectivity of relevant decision making. Nonetheless, the FCA pushed ahead with the changes and almost two years later the practical effects are becoming evident.

The FCA now has an interventions team within its enforcement division, which works closely with the FCA’s Supervision, Policy and Competition Division to “proactively identify and respond to concerns about firms or individuals that present a risk of ongoing harm or loss to consumers or market integrity”.

The interventions team uses a variety of tools to take early and swift action, including:

• Voluntary imposition of requirements (VREQs).
• Directions
• Voluntary undertakings.
• Own-initiative requirements (OIREQs).
• Own-initiative variation of permissions (OIVOPs).

The FCA typically seeks to use its statutory powers, such as VREQs and OIREQs, when it identifies significant concerns with a firm’s risk management or controls, or where it has otherwise identified a serious risk of harm to consumers or markets. Historically, the FCA has used the OIVOP power less frequently and it will be interesting to see if this changes in the future with the FCA adopting an increasingly interventionist approach.

In 2022/23, the first full year that the new decision-making processes have been in place, the FCA reported the highest number of open interventions cases since 2019/20, representing an 18% increase on the previous reporting period. The number of open VREQ intervention cases has increased by 95% since 2019/20 and the number of open OIREQ interventions has shot up by 183% in the same period. This trend can be expected to continue and may even accelerate.

Traditionally, the imposition of an OIREQ or VREQs on a firm would remain a private matter. Most firms prefer to avoid negative publicity and would often agree to the imposition of, for example, a VREQ on the understanding that the requirement was not published. This was often a compromise that the FCA would agree to because, in the absence of an agreement with the firm, the FCA would be required to make an application for an OIREQ before the Regulatory Decisions Committee, which would take longer and introduced litigation risk into the process.

However, now that the internal decision- making process for VREQs and OIREQs is the same at the FCA, this dynamic is no longer a consideration. Consequently, the default assumption for the FCA seems to be that a requirement should be public, especially where the fact of publication supports the FCA’s objective of consumer protection. The FCA does retain discretion in this matter and could choose to keep a requirement private if, for example, it considered that publication would cause disproportionate detriment to a firm.

Traditional FCA enforcement

The FCA maintains a healthy number of open enforcement cases. As at 31 July 2023, it had 562 open enforcement cases relating to 224 separate investigations. However, this is the lowest number of open enforcement cases since 2017/18 and 14% fewer than when the number of open enforcement cases peaked in 2018/19, not long after Mark Steward had taken the helm as the FCA’s Director of Enforcement and Market Oversight.

This downward trend may continue. The FCA appointed new co-Directors of Enforcement and Market Oversight in 2023 and they may opt for a different strategy from the previous one of opening high numbers of new cases, with a view to closing some after an initial diagnostic investigation. Instead, they may adopt a more selective approach to enforcement referrals and organise investigative resources accordingly. During the first four months of 2022/23, the FCA closed 54 investigations. If this pace continues, it will soon result in a significant reduction in the FCA open enforcement caseload.

The number of retail conduct cases has increased significantly over the last five years, which is likely due to the high number of pension transfer advice cases that the FCA has opened. Conversely, the dominance of enforcement cases with financial crime issues as the primary focus has reduced.

Doing the right thing

Therese Chambers’ speech on “Do the right thing”, delivered in the summer of 2023, shortly after her appointment as co-director of Enforcement and Market Oversight at the FCA, made quite an impact. The speech set out the FCA’s expectations of how firms should respond when things go wrong, especially when it comes to remediation exercises and customer redress.

For example, the speech referred to a firm that managed to avoid a fine altogether as a result of the steps it had taken to “put things right” through a customer redress scheme. However, the speech caused a stir with its comments on privilege and lawyers using “aggressive diversionary tactics” to “block” investigations. These comments garnered significant attention from the legal profession and the FCA subsequently issued a response clarifying that they were not intended to criticise legitimate claims to legal privilege.

The more firms show that they can address these issues in a timely and effective way, the less likely it is that the FCA will feel the need to reach for the most severe end of its enforcement toolkit. Doing the right thing in this context would include proactively undertaking a root cause analysis that really seeks to understand why things went wrong and to fix the problems not just where they arose but also in areas where similar problems might foreseeably arise in the future. In addition, firms should identify and address any consumer or market harm that resulted. Finally, where appropriate, firms should ensure that relevant individuals are held to account, including consideration of adjustments to compensation.

PRA enforcement

The PRA has its lowest level of open enforcement cases since 2018, but it achieved its highest annual total of fines, of over GBP87 million (the bulk of which was attributed to a single fine of over GBP87 million). Earlier in 2023, the PRA also broke new ground by taking enforcement action against a senior manager for failing to take reasonable steps to discharge their regulatory obligations. This was the first enforcement case to tackle this point since the introduction of the senior managers and certification regime (SMCR) back in 2016.

The PRA does not disclose specific details of its ongoing enforcement investigations, but it has said that they involve issues including operational risk and resilience, governance and risk controls, regulatory reporting and self-reporting.

Future approach to enforcement

Looking ahead, there will likely be significant changes to the FCA’s and the PRA’s approach to enforcement activity. In May 2023, the PRA consulted on proposed changes and clarifications to its approach to enforcement.

The PRA’s proposals included two significant proposals. Firstly, the introduction of an early account scheme, to encourage subjects of investigations to provide detailed factual accounts of relevant facts at an early stage of an investigation in order to expedite the PRA’s fact-finding process in return for a higher discount on any fines imposed. Secondly, changes to the way that the PRA calculates fines that are imposed on firms which, if implemented, would see the PRA break away from the revenue-based formula that it and the FCA have used for many years, and replace it with a system that would vary the size of fine according to a firm’s category and the severity of the breach. This change is likely to result in higher fines in most cases.

The PRA’s enforcement team seems increasingly keen to tackle cases independently of its counterpart division at the FCA. Since 2021, 71% of enforcement action taken by the PRA has related to standalone cases, where the PRA has taken enforcement action without the FCA also doing so at or around the same time and in relation to the same or similar facts.

The FCA has faced a series of challenges and criticisms from the Upper Tribunal in the last year, where the Upper Tribunal has criticised the FCA’s investigation and enforcement processes. In one case, the Upper Tribunal awarded partial costs to two individuals, finding that the FCA had acted unreasonably, although the FCA has been granted permission to appeal that decision (Seiler and Whitestone v FCA [2023] UKUT 00270 (TCC). The Upper Tribunal’s recent criticisms of the FCA may be a consequence of the FCA having taken on more ambitious and complex cases in the last few years, which have proved more difficult to bring and defend. It remains to be seen whether this criticism will result in the FCA reverting to more conventional and safer cases, especially those that it is confident of winning if challenged before the Upper Tribunal.

Financial crime 

Across the FCA’s open enforcement case portfolio there has been a decrease in the number of open cases that are being pursued on a purely regulatory basis. In contrast, the number of cases being pursued on a criminal basis remains steady and there has been an increase in the number of dual-track cases, where criminal and regulatory cases are investigated concurrently before a decision is taken by the FCA to take action through one of those routes. This suggests there has been no diminution in the FCA’s focus on criminal conduct. It may also suggest that the FCA is less quick to close criminal investigations or is delaying taking decisions on dual-track cases until quite far into the investigation.

There is a continuing reduction in the number of FCA investigations that are primarily focused on financial crime; based on figures for 2022/23, these now represent only 8% of the FCA’s open case portfolio (excluding cases relating to unauthorised business), down from a high of 20% in 2017/18. This may reflect a belief held by the FCA that it has done a lot of work over the last few years to convey its key messages, from a financial crime perspective, particularly in relation to anti-money laundering (AML) systems and controls. But this reduction in the number of open enforcement cases is only part of the picture.

Consistent with the FCA’s increasing use of its supervisory intervention powers, in 2022/23 the FCA opened 613 financial crime supervision cases, an increase of 65% compared with 2021/22. This is likely to have a few consequences. Firstly, supervisory action is often a precursor to enforcement action, so a surge in supervisory activity may drive increased levels of enforcement action in the future. Secondly, consistent with the FCA’s increased use of early interventions, firms can expect to see increased use of compulsory and voluntary variations of permission in relation to financial crime issues (see “FCA early intervention” above). These variations can have significant business effects for a firm, such as limiting its ability to onboard particular types of customers. It can also present further enforcement risks if the firm does not have systems and controls in place to ensure that it complies with the variation of permission.

Financial penalties

The level of fines imposed on firms by the FCA for financial crime related failings fell significantly in 2022. The FCA imposed fines on seven firms for financial crime failings in each of 2021/22 and 2022/23, but the average fine value in 2021/22 was GBP71m, compared with only GBP19.5m in 2022/23. Overall, the total value of fines imposed on firms for financial crime failings has fallen from GBP495.5m in 2021/22, including a court imposed fine following a criminal prosecution, to GBP137m in 2022/23, representing a 72% drop. This largely reflects the fact that fewer fines were imposed on larger financial institutions in 2022/23, whose higher revenues drive larger fines under the FCA’s current penalty calculation methodology.

Uplifts were applied to all of the fines imposed by the FCA between October 2022 and October 2023 in relation to financial crime issues, to reflect what the FCA considered to be aggravating factors. These uplifts ranged from 10% to 40%. Fines were also increased in just over half of all cases to ensure that the penalty acted as a sufficient deterrent to the firm in question and to other firms.

The aggravating factor most commonly cited in FCA final enforcement notices over the last couple of years, is a firm’s failure to follow the FCA’s financial crime related guidance. A key mitigating factor has been the proactive implementation of significant remediation exercises; sometimes these have been allied with the voluntary cessation of specific types of business or onboarding of particular classes of customers, while remediation is implemented.

Common failings

Common failings identified by the FCA in its financial crime enforcement actions in the past couple of years include:

• Inadequate investigation or escalation of red flags or staff concerns.
• Inadequate policies, procedures and guidance.
• Inadequate communication of policies and procedures.
• Failure to follow a firm’s own procedures
• Inadequate customer due diligence (CDD), enhanced due diligence and ongoing customer monitoring.
• Inadequate transaction monitoring.
• Failure to adequately implement remediations.
• Insufficient prioritisation of financial crime prevention.

Unsurprisingly, failings relating to policies and procedures still feature prominently, and the challenges of getting CDD and transaction monitoring right, particularly in mass market businesses, also remains a significant issue. This is often allied to problems with resourcing and the timely implementation of remediation in relation to identified risks.

Emerging risks

One area of potential emerging risk is sanctions. This has been an area of increased focus by the FCA following firms’ need to respond to the imposition of widespread sanctions following Russia’s invasion of Ukraine. The FCA is using an increasingly data-led approach to supervise firms proactively in order to ensure that they have appropriate sanctions systems and controls. This includes using synthetic data, provided by the Office of Financial Sanctions Implementation (OFSI), to test firms’ sanctions screening processes.

In September 2023, feedback on the FCA’s review of firms’ sanctions systems and controls was published. It identified a number of concerns, including:

• Poor governance and inadequate management information.
• The use of global systems and policies that were insufficiently tailored to the UK’s sanctions regime.
• Poor understanding of outsourced sanctions screening processes.
• Under-resourcing and backlogs.
• Poor calibration of screening tools.
• Poor customer due diligence and “know your customer” checks.

Taking note of and reacting appropriately to guidance such as this is all the more important in an enforcement climate where a failure to follow FCA guidance is the most commonly cited aggravating factor in financial crime related enforcement notices.

The FCA is particularly concerned about firms not reporting suspected sanctions breaches to it on a timely basis or, in some cases, at all. It has made it very clear that it expects any such breaches to be reported to the FCA as well as to the OFSI. Nikhil Rathi, CEO of the FCA, has stated that, while the OFSI is the primary enforcer of the UK sanctions regime, the FCA will also consider it appropriate to bring regulatory enforcement cases if it identifies material weaknesses in firms’ sanctions systems and controls.

Culture, governance and individual accountability  

The approach to enforcement in the area of culture and governance in 2023 has not been what most people might have predicted.

Senior managers

Both the FCA’s and PRA’s approach to enforcement investigations into senior managers and certified persons remains relatively modest. As of October 2023, the FCA had only 39 senior managers and 10 certified persons and conduct rule staff under investigation, while the PRA had 11 senior managers and certified persons under investigation. However, the FCA still had 92 legacy cases involving individuals who were subject to the previous approved persons regime.

At the end of 2023, only two senior managers have faced enforcement action since the introduction of the SMCR. The first was in 2017 and the second was announced in April 2023. The latter relates to enforcement action taken by the PRA against a senior manager for failing to take reasonable steps to discharge their regulatory obligations. A third enforcement case against a senior manager is being challenged before the Upper Tribunal and concerns issues relating to that senior manager’s integrity.

The authors had expected the number of enforcement investigations under the SMCR to rise as more individuals and firms came within its scope. But this has not happened. In fact, the regulators have fewer open cases against senior managers and certified persons in 2023 than they did in 2021, indicating a more cautious approach to opening enforcement investigations in this area than anticipated.

However, the regulators have not held back from criticising senior management in enforcement findings made about firms. In 83% of enforcement cases involving firms that were published between January 2022 and October 2023, the FCA and PRA attributed firms’ failings to inadequate oversight by one or more members of their senior management teams. Many enforcement cases also included criticisms about senior management in relation to escalation, or the lack thereof, and ineffective governance bodies.

There have also been some interesting comments from the regulators about senior management’s reliance on internal and external advisers and other third parties, specifically about the circumstances in which it may or may not be reasonable for a senior manager to rely on something or someone to help to discharge their own personal regulatory obligations.

Culture and incentives

Significant failings at firms will often have a cultural issue as an important driver and poor culture, often in pockets of a firm’s business, can create an environment where inappropriate behaviour and standards are either tolerated or become the norm. Firms should be aware that regulators often also perceive these issues as indicative of a problem with the firm’s speak-up culture or its approach to creating a safe place to work. Often, with the benefit of hindsight, it becomes apparent that poor behaviour within a certain team or area was known about, but the firm’s culture did not enable individuals to challenge the behaviour or escalate their concerns at an early stage.

Both the PRA and FCA are also concerned about the role of incentives in shaping a firm’s culture, especially its risk culture. The events surrounding the collapse of Archegos Capital Management have caused both regulators to focus on risk management and risk culture. Both of these themes feature strongly in current enforcement and supervisory activity. For example, in December 2021 the FCA and PRA sent a joint Dear CEO letter identifying findings that emerged from the work they had done investigating this matter. The messages in that letter relating to risk culture and risk management were particularly stark, suggesting that important lessons learnt from the 2008 global financial crisis had not been fully embedded. A lot these messages have been repeated and amplified in 2023; for example, in the PRA’s Final Notice against a firm in relation to the Archegos collapse, portfolio letters and a Dear CEO letter.

In particular, the regulators are concerned about:

• Poorly defined and understood boundaries between the three lines of defence.
• Risk functions lacking sufficient standing and influence within firms.
• Poor understanding of client business and risk profiles.
• Cultures that fail to adequately balance considerations of risk against commercial

This is expected to be an important area of continuing focus for firms and both regulators.

Code of Conduct breach reporting

According to the latest data, out of the firms that are obliged to report breaches of the Code of Conduct to the FCA, only a small fraction report any such breaches. Out of the 42,000 firms required to file REP0008 returns to the FCA in 2022, just 769 firms, or 1.8%, reported a total of 4,164 breaches.

However, the number of Code of Conduct breaches that firms have identified and reported to the FCA has been increasing steadily in line with the expansion of the SMCR. The FCA received 36% more breach notifications in 2022 than in 2021, even though these dates did not coincide with a significant expansion of the SMCR. These reports, together with the disclosures that firms must make to the FCA under Principle 11 of the FCA’s Principles for Businesses, give the FCA an insight into the types of misconduct that firms are identifying and tackling.

The FCA continues to rigorously scrutinise firms’ assessments of whether an individual’s conduct is in breach of the FCA’s Code of Conduct, especially in borderline cases or where firms have not adequately documented the rationale for their decisions.

Non-financial misconduct

The FCA has ramped up its focus on non-financial misconduct in the financial sector, after this topic hit the headlines again in the summer of 2023. This prompted a fresh wave of public correspondence and statements made by the FCA on its approach to taking action in relation to non-financial misconduct. More recently, these statements have focused on the adequacy and timeliness of steps taken by firms, and the FCA, to escalate, investigate and address allegations of non-financial misconduct at firms.

The FCA has taken action against six individuals for non-financial misconduct, one of which was not publicised due to the individual’s circumstances, for sexual or violent offences committed outside the workplace.

As at October 2023, the FCA had four live non-financial misconduct investigations in relation to a mixture of firms and individuals. An additional investigation was conducted and then closed with no public action being taken by the FCA.

The most common forms of non-financial misconduct reported to the FCA between 2021 and 2023 are bullying, harassment and physical aggression (43%), and sexual misconduct (21%). The FCA and PRA also launched their long-awaited consultations on diversity and inclusion (D&I) in financial services, which include new guidance about non-financial misconduct.

The FCA plans to clarify formally how non- financial misconduct should be interpreted in light of the FCA’s Code of Conduct, fitness and propriety standards and also the suitability threshold condition for firms. The FCA also proposes to provide guidance to firms about how they should disclose non-financial misconduct in regulatory references and how to draw the line between private and professional conduct. The consultation closed in December 2023. The final requirements are unlikely to be published much before November 2024 and following that there will be a twelve-month grace period for firms to implement the requirements.

Market conduct and surveillance

Market conduct related enforcement activity has been more varied than other areas.

Market abuse investigations

The FCA has decreased the number of enforcement investigations into market abuse, with the number of open cases falling since 2018/19. Insider dealing accounts for 82% of the ongoing investigations, while 26% of cases closed by the FCA in 2022/23 concerned market abuse. Three individuals have challenged the FCA’s findings that they committed market abuse, before the Upper Tribunal. These cases are yet to be heard.

On the criminal front, the FCA started 2023 by charging five individuals with conspiracy to commit insider dealing and money laundering. It is also involved in a number of trials that are scheduled for early 2024.

Reporting and surveillance

The volume of suspicious transaction and order reports (STORs) received by the FCA in 2022 was at its lowest level since 2016, when the Market Abuse Regulation (596/2014/ EU) that gave rise to the requirement to make those reports was introduced part-way through the year.

In addition to continuing to scrutinise the quality of STORs that are filed by firms, the FCA has shown interest in, and, in some cases, concern over, how firms handle STORs internally. It has raised concerns about firms sharing information about STORs too widely within their organisations, rather than limiting this information to those who need to know. The FCA has also raised questions about what firms do if they file STORs linked to suspicious activity involving clients, including whether firms are reviewing client relationships in light of STORs, or even exiting client relationships entirely, or whether they take no action unless prompted to do so by the FCA.

Since 2018, the FCA has fined five firms and three individuals a total of more than GBP19.5m for various failures in their market abuse surveillance arrangements. These include: implementing and using inadequately calibrated surveillance systems, unclear allocation of responsibilities relating to the operation of surveillance controls, inadequate testing of surveillance systems before and after deployment, lack of guidance or training for staff who review surveillance alerts, incomplete market abuse risk assessments and lack of senior management oversight of surveillance activities.

In each enforcement case, the FCA has highlighted that firms have not learned from the shortcomings highlighted in previous cases or from relevant FCA guidance.

Retail and consumers 

With the exception of enforcement action taken against firms and individuals in relation to some quite specific failings relating to defined benefit pension transfer advice, the FCA has not taken any enforcement action against a retail firm for retail issues in well over a year. However, over the last two years, 57% of skilled person reviews commissioned by the FCA have been into retail firms. The findings from these reviews do not always lead to enforcement investigations but it may be indicative of a wave of enforcement activity in relation to retail conduct in the next couple of years, based on findings from those skilled person reviews.

New consumer duty

The consumer duty is probably the most significant reform programme that has been led by the FCA since it was established. It binds together, under one body of work, a lot of the most important interventions of the FCA in the retail markets.

There has been an intensification of supervisory activity in this area, initially devoted to tracking the status of firms’ implementation programmes. The FCA has undertaken an extensive outreach programme to ensure that expectations have been clarified and to highlight areas where continuing focus is required. Taking into account the significance of the initiative, firms should expect this level of supervisory scrutiny to continue over the next couple of years.

The new consumer duty, as implemented, does not contain a private right of action, at least not for now. However, there remains a significant enforcement risk for firms that fail to embrace the consumer duty as the FCA is likely to act swiftly to take action against firms that have failed to implement and embed the consumer duty in their operations.

The consumer duty will likely become the main tool used to investigate serious examples of consumer detriment, although these enforcement outcomes are unlikely to materialise for a couple of years yet. More likely in the meantime are investigations into firms’ failure to properly implement the new requirements and this is an area where the FCA is likely to exercise its early intervention powers.

An interesting feature of the new duty is the extent to which the FCA holds senior managers to account in relation to the heightened expectations for senior managers who identify issues in the distribution chain and their responsibility to ensure this comes to the attention of the FCA in certain circumstances (Senior Managers Conduct Rule 4). This is a feature that firms will want to keep an eye on.

De-banking

The issue of “de-banking” is a convergence of the consumer duty and financial crime risk, and it attracted a lot of public and political attention in 2023. Over the summer of 2023, the FCA conducted an expedited review of the reasons for the closure of accounts by retail banks, seeking data from 34 banks. The outcome of this initial review was that the FCA did not identify any instances where an individual had been refused an account or had an account closed due to their political views.

However, the FCA recognised that its review had been conducted at speed and it will be conducting further work in this area to validate its conclusions and better understand the data that was provided to it, including focusing on cases where bank accounts were said to have been closed due to reputational risk. The FCA wants to better understand what firms are treating as falling with the definition of “reputational risk” and whether that raises any concerns from a regulatory perspective.

The FCA is also conducting a separate review in relation to the treatment of UK politically exposed persons, on which it expects to report back in June 2024.

The FCA has said that it will take supervisory action and, potentially, enforcement action if it identifies that a bank has acted in breach of its legal or regulatory obligations in relation to the provision, or closure, of accounts, including under the consumer duty. With regard to the consumer duty, the FCA’s concerns include how banks withdraw services in a way that avoids or limits foreseeable harm to the customer, whether affected customers receive good outcomes, whether particular groups of customers are disproportionately affected and the treatment of vulnerable customers.

Operational resilience

There has been a notable shift in the FCA’s use of skilled persons reports and their particular areas of focus. Financial crime and governance are issues that have featured extensively in enforcement action in recent years, but the proportion of FCA skilled person reviews that focused on these issues decreased significantly from 45% in 2021/22 to 30% in 2022/23. Now, just over a third (36%) of skilled person reviews commissioned by the FCA in 2022/23 related to controls and risk management frameworks, making it the area that was most frequently the subject of skilled person reviews.

Managing business transformation projects

In line with the authors’ predictions last year, in 2023, the FCA and PRA announced a number of significant enforcement actions relating to operational resilience issues. Both regulators imposed significant fines on a bank and a senior manager in relation to a major operational incident relating to a large IT migration project that had a significant impact on the bank’s services to its customers. Action was also taken against a firm in relation to a significant cyber security breach. Collectively, the fines imposed on the firms in these actions totalled almost GBP60m.

Statements made by the FCA and the PRA in the relevant final notices provide a window into their current expectations in this area. In particular, they highlighted weaknesses in implementing outsourcing and third-party arrangements, including not conducting adequate due diligence to understand a critical third party’s capability to deliver a major project. In that case, the fact that the third party was another group entity did not alter the regulators’ expectations in relation to the outsourcing. They also identified governance failings and concerns relating to business continuity and incident management. The regulators considered that the firm did not have adequate plans to deal with a multiple incident scenario of the scale that was experienced.

This was also the first case where action was brought against a senior manager, who had responsibility for the IT migration and the key outsourcing arrangement connected to it, for breach of a Senior Manager Conduct Rule and a failure to take reasonable steps to discharge their regulatory obligations.

Cyber security

The appropriate consideration and management of intragroup arrangements was also a prominent theme in a recent FCA final notice relating to a significant cyber security breach. The FCA criticised the fact that reliance was placed on group-level risk management arrangements without properly considering whether they satisfied the regulatory obligations of the UK subsidiary, particularly where the parent company was headquartered outside of the UK.

The FCA also criticised the fact that an intragroup outsourcing arrangement was not subjected to the same level of scrutiny as would have been applied to a third-party outsourcing arrangement. It highlighted that the intragroup arrangement affected the firm’s ability to respond to a data breach, including its ability to properly understand and manage the incident, provide accurate reports to regulators, or provide accurate public statements and updates to potentially affected customers.

Use of non-approved communication platforms

In addition to the ongoing enforcement activity in the US in relation to employees’ use of non-approved communications platforms, there has now been some enforcement activity in the UK. In one PRA case, the PRA found that certain of the firm’s senior management and external parties regularly exchanged messages about the firm’s transactions and business on a messaging application, on both firm-issued and personal mobile phones. These messages were not stored centrally and the PRA held that this hindered the board and risk function of the firm in their ability to exercise effective scrutiny and oversight of the firm’s business. It also meant that the firm did not have sufficient records to enable the PRA to supervise the firm effectively and to carry out its investigation, in breach of specific PRA record-keeping rules.

Ofgem also issued a fine against a firm in 2023, on the basis that its traders’ use of instant messaging breached record keeping requirements under the Regulation on Wholesale Energy Market Integrity and Transparency (1227/2011/EU). Ofgem took the view that, while the firm had policies prohibiting the use of instant messaging apps and had put in place training, it had taken inadequate steps to monitor compliance with the policies that were in place. The authors anticipate that the use of non-approved communications platforms will continue to feature in future FCA and PRA enforcement actions.

Financial resilience

Financial resilience is under increased scrutiny from both the FCA and PRA, particularly following the bank failures that occurred in 2023. From an enforcement perspective, there have been two significant cases relating to firms’ management of risk exposures. The PRA imposed its highest ever fine against a bank that it found to have inadequate controls in place to manage significant exposures to a large hedge fund that had failed. In a separate case, the PRA brought its first action against a bank for having inadequate controls to ensure that it complied with the large exposure rules in relation to a number of counterparties.

Another indication of the regulators’ current vigilance around the soundness of firms is an increased focus on compliance with client asset requirements. The proportion of skilled person reviews commissioned by the FCA in this area in 2022/23 doubled over the prior year, suggesting more FCA scrutiny on client asset requirements as an area of supervisory focus and potential future enforcement activity.

Horizon scanning

A number of current ongoing trends give a good indication of what firms can expect the regulators to focus on in 2024 and beyond. As new developments such as artificial intelligence (AI), digital assets and sustainability disclosures become more mainstream, so too does the expectation that firms will stay abreast of the associated evolving risks. All the while, firms must also retain focus on the perennial risks that are likely to be subject to regulatory scrutiny, early intervention or enforcement action, such as financial crime, operational resilience and individual accountability.

AI and digital channels

The government continues to promote the UK as an incubator for AI development and both the FCA and PRA are interested in the opportunities and risks associated with AI. The FCA, in particular, aims to be a data-led regulator and expects firms to both harness the benefits and mitigate the risks of embedding AI into their businesses. It encourages firms to innovate and harness the potential benefits of AI; for example, by using AI to tackle fraud and money laundering, to bridge the advice gap, or to hyper-personalise products.

At the same time the FCA is concerned about the risks posed by the big technology companies and the concentration of data and services in only a few of these increasingly powerful businesses. It will also be monitoring the potential for manipulation and exploitation of customer behavioural biases, in line with the principles underpinning the new consumer duty.

It has been suggested in Parliament that there should be a bespoke SMCR-type regime for the most senior individuals who manage AI systems but this is yet to be considered by the FCA and PRA. The joint feedback statement published in October 2023 suggests that there are no plans to create a bespoke regime, but it did contain a reminder that the existing SMCR regime will apply to some activities relating to the development and use of AI by firms. This will be particularly relevant to senior managers who are responsible for managing risk and operations.

Digital assets

In February 2023, the Treasury published the outcome of its consultation on a future financial services regulatory regime for cryptoassets. This was followed, later in the year, by a series of publications on specific aspects of the UK’s future cryptoasset regulatory framework: feedback from industry on the February feedback, an update on plans to regulate fiat-backed stablecoins, and a response to the Treasury’s consultation on managing the failure of systemic digital settlement asset firms.

In addition to these developments, which finally seem to be gathering pace, albeit in relation to limited aspects of the crypto economy, the FCA finalised a new regime applicable to financial promotions relating to cryptoassets. The new regime took effect from 8 October 2023 and within the first 24 hours of the new regime, the FCA had issued 146 alerts. It has since published guidance on common issues it has identified. The FCA has warned that it will consider taking enforcement action where firms are in breach of the new regime, including, in the most serious cases, criminal prosecution.

Greenwashing

On 28 November 2023, the FCA introduced a package of measures aimed at clamping down on greenwashing, including a general anti-greenwashing rule and labelling and disclosure requirements. The new anti-greenwashing rule is an explicit rule on which to challenge firms, even though the FCA can already rely on its Principles for Businesses, and it comes into effect in May 2024.

The FCA has also been taking action more broadly on this issue. For example, as current chair of the Global Financial Innovation Network co-ordination group, the FCA participated in a “TechSprint” exercise, the object of which was to develop a tool or solution that could help regulators to tackle the risk of greenwashing in financial services. It has also published the results of its review into how authorised fund managers are embedding the guiding principles in environmental, social and governance matters (ESG) and sustainable investments funds, which highlights good and poor practices that the FCA has identified.

Fraud prevention

In the area of financial crime, fraud prevention seems to be creeping up the enforcement agenda. The FCA has invested in a new fraud team that is tasked with delivering an internal fraud framework for assessing firms’ anti-fraud systems and controls. It hopes that this will improve its ability to assess firms and identify where it needs to intervene. The same team is developing a data dashboard, which is expected to help the FCA to identify and assess firms that may be outliers in tackling fraud.

The FCA has also been working with the National Economic Crime Centre to develop a multi-agency Fraud Targeting Centre. It has also been working with the UK Financial Intelligence Unit so that it can access the suspicious activity reports (SARs) database. Over 900,000 SARs were submitted between 2021 and 2022 according to the National Crime Agency SARs Annual Report 2022.

The FCA sent a letter to payment firms in March 2023, which included key messages relating to firms’ fraud prevention systems and controls. This is all the more significant against the backdrop of the new requirements for mandatory authorised push payment fraud reimbursement being imposed on banks and payment companies by the Payment Services Regulator. 

*This post is based on an article “FCA and PRA Enforcement Action: Trends and Predictions” which first appeared in the January/February edition of PLC Magazine. A copy of the full article is available here and on the PLC Magazine website.