With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.
The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation. The FCA imposed a fine of £8.4 million as a result of the breaches identified. (Click here to read the full details of the case.)
The business involved outsourcing the sales process to a number of third-party companies. The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis. Names of potential clients were obtained from a range of business partners, which were remunerated when sales were made. These business partners were not involved in selling the products.
The case results from breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6). The case provides a number of interesting lessons about the interaction of risk management and regulation.
1. Fines may become a small component of the cost to firms of regulatory enforcement
In this case, in addition to the fine, the company committed to undertake a range of voluntary measures. These include a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.
In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.
2. The FCA is applying UK requirements to non-UK operations
This is intentionally blunt! In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and controls, which applies to the entire business, including European business. The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.
3. The importance of proactively managing the process
I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here). This case provides an alternative perspective.
The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge. The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls.
When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings. This would be appropriate up to a point.
An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective. This would require reviewing governance arrangements throughout the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence. Hindsight is always a powerful tool, but it seems that this course of action could have been more effective in limiting the potential consequences.
Finally, this case also illustrates other failures such as controls of outsourcing and a skewed sales incentive mechanism.
This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.