With the advent of 2015, some people have talked about New
Year's resolutions but frankly I still had one enforcement case from the
Financial Conduct Authority (FCA) from 2014 I was keen to review.
The case concerns a general insurer, Stonebridge, selling a
range of accidental protection products offering cash compensation. The FCA imposed a fine of £8.4 million as a
result of the breaches identified.
(Click here to read the full details of
the case.)
The business involved outsourcing the sales process to a number
of third-party companies. The products
were sold in the UK and in a number of European countries (France, Germany,
Italy and Spain) over the phone on a non-advised basis. Names of potential clients were obtained from
a range of business partners which were remunerated when sales were made. These business partners were not involved in
selling the products.
The case results from breaches of FCA principles
concerning the fair treatment of customers (Principle 3) and appropriate
systems and controls, including appropriate risk management (Principle 6). The case provides a number of interesting
lessons about the interaction of risk management and regulation.
1. Fines may become a small component of the cost to firms of regulatory enforcement
In this case, in addition to the fine, the company
committed to undertake a range of voluntary measures. These include a review of past business sold
in the UK and European countries and compensation where losses arise as a
result of the failings identified in this case.
In addition to that, the company has replaced its executive
management team, has ceased distribution of all products in the UK and European
countries and has undertaken a comprehensive review of its governance
structure, including new terms of reference and risk management framework.
2. The FCA is applying UK requirements to non-UK operations
This is intentionally blunt!
In more subtle phraseology, the enforcement notice makes a distinction
between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my
emphasis) and the failure to implement adequate systems and controls, which
applies to the entire business, including European business. The FCA identified significant failures which
included inadequate management information, executive and board oversight and
compliance oversight.
3. The importance of proactively managing the process
I have already written on the importance of proactively managing the enforcement process and contrasted two
different responses to technical breaches (here and here). This case provides an alternative
perspective.
The starting point seems to be an FCA review of a sample of
sales calls during March and April 2012, an action presumably arising from the
FCA’s ongoing supervision of Stonebridge.
The enforcement case ends up covering sales all around Europe, post-sale
cancellation and the company’s systems and controls.
When confronted with the initial findings from a regulator,
there may be a temptation to challenge the findings. This would be appropriate up to a point.
An alternative approach would be to accept the
substance of the findings and consider how the underlying events could have
happened from a risk governance perspective.
This would require reviewing governance arrangements throughout the
company, the risk management framework and the effectiveness of the oversight
provided by the second line of defence.
Hindsight is always a powerful tool but it seems that this course of
action could have been more effective in limiting the potential consequences.
Finally, this case also illustrates other failures such as
controls of outsourcing and a skewed sales incentive mechanism.
This post has been added to the page FCA enforcement in
this blog which links all the enforcement cases I have reviewed.