Showing posts with label FCA.

Wednesday, 26 February 2020

Good risk management is not just about good ideas



One might say that this is stating the obvious and that it is understood that implementation also matters.  A recent FCA enforcement case against Moneybarn would suggest that it is not so obvious after all.

Moneybarn is a lender that provides motor finance for used vehicles to ‘non-standard’ customers.[1] The case against them related to the regulatory expectations for treatment of and communication to customers that fall into financial difficulties, i.e. the exercise and communication of appropriate forbearance by the lender.  Here, we seek to tease out the implications of this case for the risk management activities of FCA regulated business.

1.  Appropriate policy design

As one would expect, policies need to cover the appropriate ground.  This can include articulating the appropriate range of options (in this case, for customer forbearance and resolution), the considerations that would be taken into account and the governance that would apply to different options.

It is worth noting that in this enforcement case, it appears that the FCA had no obvious concerns about the relevant policies and procedures reviewed.  

2.  Implementation

The challenge is how these policies and procedures are translated in the business, e.g. whether the call scripts are consistent with the policies.  In some cases, this means that calls would be far from “linear”.  Customer service agents will have to consider a range of options and guide the customer.  This has implications for the training and tools available to customer service agents.

The FCA notes that its review of the sample did not show “the use of any other forbearance options”, other than clearing arrears over a short period of time, “despite the fact that policies and procedures referred to other available options”.

3.  Monitoring and assurance

There is usually a combination of first line monitoring and oversight by 2nd and 3rd line functions.  To some extent, who provides assurance becomes less important than whether assurance is provided.

It is important to recognise that assurance should be provided about the processes and about the outcomes.  Where the nature of the issue involves considering customers’ individual circumstances in response to financial difficulties, it is important to evidence that the range of options set out in the policy has been delivered.  This is more challenging to monitor than adherence to a process.

It is interesting that in this enforcement note there are no references to assurance or to the role of 2nd and 3rd line functions.

4.  Regulatory relationship management

The FCA’s initial engagement started with a seemingly low-profile review of a “limited number” of files and call records, leading to a visit in July 2016 to assess forbearance and termination practices.  There were then several interactions with the FCA in September 2016 and January 2017, leading to a formal request for the imposition of a requirement in June 2017 and eventually to enforcement action.  One must wonder whether more proactive engagement with the FCA would have prevented the escalation to enforcement.

It is usually noted that proactive engagement with the FCA on the issues raised would have been expensive.  Hindsight may be a powerful tool, but it is not clear that the cost of proactive engagement would have exceeded the enforcement costs, which ended up being very substantial: the fine of £2.7m, the impact on senior management’s time, and the £30.3m of compensation paid to customers potentially affected by these failings.

This post is part of the materials discussed in episode 3 of RegNut Podcast.   If you found this post of interest, subscribe to RegNut.  You can also subscribe to the blog and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.






[1] Non-standard customers are those that cannot access finance from mainstream lenders because they have a poor or no credit history or past problems with credit due to unemployment, ill health or other adverse events.

Monday, 27 January 2020

Operational Resilience


By Shirley Beglinger, Advisory Board Member, Crescendo Advisors

In today's interconnected financial world, "organisational resilience" must be taken to mean much more than just "a fully tested disaster recovery plan". Regulators are requiring boards to see beyond the walls of their own firm and identify its position in the economic, IT and service-delivery ecosystem with an emphasis on important services provided. This is a completely different perspective on risk.  Boards and CROs need to reconsider many tried and tested risk methodologies and metrics.

In reviewing the drivers of potential operational disruption, the CRO may identify several which are difficult or expensive to address. "Reliance on legacy infrastructure" for example will likely lead to a lengthy boardroom discussion of the expense and dangers of IT integration projects. Supply chains and data sharing quickly lead to the realisation that even if the firm's own arrangements are top-notch, there are probably other firms in their ecosystem who may not have the same level of preparedness.

Having identified potential sources of disruption, the board must then quantify potential costs (internal and external) and assess the ability to recover from severe and plausible scenarios of operational disruption and compare these with the firm's stated tolerance for operational disruption. Where necessary, remediation plans must be put in place.

While no board member wishes to explain to the regulator why their firm was the first domino in the ecosystem to fall over, such far-reaching change needs to be carefully managed.  To implement these requirements firms will benefit from a pilot that enables them to develop an understanding of the steps that would be required.  This will be less disruptive and more beneficial than a firm-wide initiative.

However, the need to scale up means that firms will need to identify or acquire in-house "resilience capabilities". A key aspect of the output from a successful pilot project would be to identify exactly what capabilities are required and how they can best be embedded within the firm's business.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.



Sunday, 16 September 2018

Monitoring the Risk and Business Impact of AI-Based Solutions



AI-based solutions can shape how financial services businesses make money, whether the business model is the same or not. For an existing financial services business, the motivations may vary and range from efficiency to expanding the business. There would be project risk as with any development, but leaving that important consideration aside, it is worth bearing in mind that AI-based solutions would also impact the risk profile of the business. This may or may not be the original intention, but it becomes more likely. The key implication is that implementing an AI-based solution would require a radically different risk oversight approach by the business.

Standard computer algorithms which are not AI-based can, and do, solve complex problems. The main feature of such algorithms is that the problem is defined in advance and an algorithm is developed to solve it, producing the same answer as long as the same inputs are provided. So a credit-scoring mechanism calibrated to capture a certain type of client gives you just that.

The answers offered by an AI-based system may change over time. New data is used to reassess the underlying relationships and recalibrate the relationship between the target variable and the potential explanatory variables. This “learning” can also happen in a standard programme when there is a process of recalibration. The difference is that in the case of AI, learning happens on a real-time basis; that’s the essence of AI.

Alternatively, with AI a target variable may not have been defined. That’s not as unusual as it might sound. For example, algorithms assessing a loan or credit card underwriting may fall in this category because there is no single rule to predict a borrower’s likelihood of repayment. New data can lead to a certain recalibration or can be used to identify new relationships between certain data. For example, over time an AI-based system might identify that outstanding debt is a better predictor of the likelihood of borrower repayment than repayment history and penalise someone with a relatively good track record of timely repayments.

The first type of AI-based solution is called “supervised machine learning” and the second one “un-supervised machine learning”. The key difference is the extent of autonomy that goes with the learning.

Consider the potential impact on conduct risk of AI-based tools. One of the expectations from Treating Customers Fairly (TCF) with respect to product governance is that they are designed to meet the needs of identified consumer groups and are targeted accordingly. This requires a clear business strategy, including identification of the target market through a combination of qualitative and quantitative research and oversight of the business to ensure that it is aligned with initial expectations of customers and business generated. Take the example of automated investment services covered in a recent FCA review. These providers would rely on some type of AI-based solution, whether supervised or unsupervised machine learning. The possibility of capturing different customers or the advice generated being different from what was envisaged cannot be ruled out. The challenge is how to put in place a monitoring approach which ensures that outcomes and risks which arise are consistent with the expectations in the business plan.

Something similar can apply from the perspective of credit risk, impacting the quality of the portfolio and performance. Suppose you have been targeting retail customers with a specific risk rating for a credit card business. If you roll out an AI-based solution to enhance the efficiency of product underwriting, you would need to have in place mechanisms to ensure that the credit quality of the portfolio is consistent with your expectations, or else change those expectations. Both options are fine. You may want to keep your target credit rating constant and seek more volume, or perhaps you see AI-based solutions as a more robust tool to support decision making and, in a controlled manner, can relax your target rating. Regardless of your choice, you would need to put in place a credit risk monitoring approach that is suited to the new AI-based solutions, as well as ensure that the business understands the portfolio implications of the “learning” that is at the core of an AI-based solution.
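The monitoring approach described in the two paragraphs above can be made concrete. The following is an added illustration, not code from the original post or from any firm it mentions: it compares the risk-band mix of customers approved by a learning underwriting model, period by period, against the mix the business plan expected, using the population stability index (PSI). A PSI above tolerance is the signal that the model’s “learning” has moved the portfolio away from plan and that the governance decision (hold the target or consciously change it) is due. The band names, plan mix, thresholds and period data are all constructed for the example.

```python
"""Outcome monitoring for an AI-based underwriting model (added example).

Compares the observed risk-band mix of approved applications against the
business-plan expectation using the population stability index (PSI), so
that drift caused by the model recalibrating itself is surfaced to risk
governance rather than discovered in portfolio performance later.
"""
from collections import Counter
import math

# Risk bands used by the (hypothetical) scoring model, best to worst.
BANDS = ("A", "B", "C", "D")

# Business-plan expectation for the mix of approved customers (constructed).
PLAN_MIX = {"A": 0.40, "B": 0.35, "C": 0.20, "D": 0.05}

# Conventional PSI rules of thumb: below 0.10 stable, 0.10-0.25 watch,
# above 0.25 act. These are assumed tolerances, not regulatory values.
PSI_WATCH = 0.10
PSI_ACT = 0.25

# Constructed approval data per period: a list of the band assigned to
# each approved application. Q1 matches plan, Q2 drifts a little, Q3 has
# drifted materially towards the weakest band.
PERIODS = {
    "2018-Q1": ["A"] * 40 + ["B"] * 35 + ["C"] * 20 + ["D"] * 5,
    "2018-Q2": ["A"] * 38 + ["B"] * 34 + ["C"] * 21 + ["D"] * 7,
    "2018-Q3": ["A"] * 25 + ["B"] * 30 + ["C"] * 25 + ["D"] * 20,
}


def band_mix(approved_bands):
    """Share of approved applications in each band. An empty band is
    floored at a tiny value so the PSI log term stays defined."""
    counts = Counter(approved_bands)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no approved applications in this period")
    return {b: max(counts.get(b, 0) / total, 1e-4) for b in BANDS}


def population_stability_index(expected, observed):
    """PSI = sum over bands of (observed - expected) * ln(observed / expected)."""
    return sum(
        (observed[b] - expected[b]) * math.log(observed[b] / expected[b])
        for b in BANDS
    )


def classify_psi(psi):
    """Map a PSI value onto the monitoring status used in reporting."""
    if psi < PSI_WATCH:
        return "stable"
    if psi < PSI_ACT:
        return "watch"
    return "act"


def monitor_period(period, approved_bands, plan_mix=PLAN_MIX):
    """Produce the management-information record for one period."""
    mix = band_mix(approved_bands)
    psi = population_stability_index(plan_mix, mix)
    return {
        "period": period,
        "mix": mix,
        "psi": psi,
        "status": classify_psi(psi),
        "weakest_band_share": mix["D"],
    }


def run_monitor(periods=PERIODS):
    """Monitor every period and return the records in period order."""
    return [monitor_period(p, bands) for p, bands in sorted(periods.items())]


if __name__ == "__main__":
    for rec in run_monitor():
        print(f"{rec['period']}: PSI={rec['psi']:.3f} status={rec['status']} "
              f"D-band share={rec['weakest_band_share']:.0%}")
```

The PSI is reported per period rather than as a single pass/fail, so the “watch” status gives risk and the business the chance to decide whether the drift is an intended relaxation of the target rating or an unintended side effect of recalibration before compensation or impairment costs make the decision for them.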

The salient point to take away is that the roll-out plan of AI-based tools may focus on the launch. However, the greatest challenge may well be the need to provide for the ongoing and timely monitoring of the AI-based tools and their integration in business governance and risk management, which I will cover in the next post.


Monday, 25 June 2018

An FCA Enforcement Case Or an Example of Board Maturity?


The FCA issued an enforcement action recently against the CEO of Barclays as a result of the CEO’s attempt to identify a whistle-blower.  (Click here for the FCA enforcement notice and here for a short summary of the facts of the case.) There have been impassioned comments about the appropriateness of the FCA’s response, i.e. a fine imposed on the CEO. However, I would like to focus on something else.

One of the most revealing aspects of FCA enforcement cases is how the issue comes to the FCA’s attention. Typically, FCA supervision or thematic work would identify serious shortcomings in a firm that lead to enforcement action. This one was rather interesting because there was none of that. 

There was an internal investigation of the anonymous letters by Group Compliance which was formally closed on 9 January 2017. The FCA explained that “early in 2017”, the Board became aware of the CEO’s attempt to identify the whistle-blower and that after conducting its own investigation, the Board decided to refer the CEO to the FCA. Can you imagine this ten or twenty years ago? Unlikely, I would say.

There are a number of interpretations one could advance. However, I am inclined to see this as evidence of the significant progress made in corporate governance in recent years and of the maturity boards can achieve in the appropriate environment. I can guess that it may not have been easy for Barclays’ board to refer the CEO to the regulator, but who said that being a board director would be easy?


If you found this post of interest, you may want to subscribe and receive further posts by email. See the box on the right-hand side of the screen or click here

Wednesday, 4 April 2018

Conflicts of Interest: Connecting Enforcement and Supervision



The FCA announced enforcement action against a commercial broker and a fine of £4 million in late 2017 as a result of failures associated with the broker’s management of conflicts of interest. The details of the case are here.

Conflicts of interest can be anywhere, and firms are well aware of that. However, there is a qualitative difference between the conflict of interest that an individual might have with, say, a supplier, and what the FCA identifies as an ‘inherent conflict of interest’ in the business model or ownership structure. This is the risk that commercial intermediaries must manage.[1] It is not static, and it changes as intermediaries take up other activities where they act as an agent of the insurer.

The FCA has also undertaken a thematic review of commercial insurance intermediaries focusing on this issue. (It published the results in 2014 here.) The FCA evidence included a survey of small and medium enterprises (SMEs).[2] This suggests that many SME customers do not fully understand the intermediary’s role and how it may have changed in recent years. For example, four of five SME customers expect an intermediary to get quotes from two insurers, which is not consistent with how intermediaries operate, in particular for micro SME customers (fewer than nine employees).

There are wider messages from this enforcement action for the practical management of inherent conflicts of interest. To begin with, there should be a regular process to identify conflicts of interest.  This might be challenging but following the sources of revenue would enable a robust identification of conflicts and of the impact of changes in the business model.

While a policy on conflict of interest is a regulatory requirement, it needs to be comprehensive enough to enable staff in the business to actually manage conflicts of interest. This would require specific guidance articulating how to deal with customers, including what information to collect, what checks to undertake, and the production of meaningful management information.

Business arrangements such as ‘preferred facilities’ are not ruled out but must be managed and monitored carefully, taking into account links to brokers’ remuneration, how the firm presents itself to SMEs, the existence of ‘Chinese walls’ and customers’ (probably limited) understanding of the intermediary’s role.

Any quality reviews by the first line should be designed with a view to overseeing how inherent conflicts of interest have been identified, managed and mitigated. The process should be risk based, i.e. always applying the same degree of checks to all brokers is unlikely to be appropriate.

Last but not least, as ever, culture is a factor. If statements from senior management do not recognise and support the need to manage inherent conflicts of interest, don’t expect much of the above to be in place.

The FCA will usually say something about how the case was discovered, by either supervisory activity or internal review. I was puzzled that the FCA was rather vague on this occasion. On reflection, I suspect (but cannot be certain) that there may be a dependency with the FCA’s thematic review on conflicts of interest mentioned earlier. If that’s the case, it is useful for firms to understand the potential consequences of being unprepared for a thematic review when invited to participate.




[1] This risk is not exclusive to commercial intermediaries. It exists in other parts of financial services and has also been covered in other FCA enforcement activities.
[2] Businesses with fewer than 250 employees.

Monday, 5 March 2018

Risk Assurance: The Challenge Ahead


I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.

By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.

The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:
  • the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
  • the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregate risks.
Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.

I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.

Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:
  • internal audit functions already provide assurance about the overall control environment;
  • from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.
In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.

I would be interested to hear your thoughts.


If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here

Friday, 9 February 2018

Brexit - implications for insurers


The European Commission has issued today a note setting out the practical implications for insurers as a result of Brexit.  There are specific impacts for group internal models, branches, intermediaries and reinsurers.  For the full document, follow this link.

I would be happy to discuss further the implications for your company.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here

Friday, 26 February 2016

Risk Reviews: Not 'a Bridge Too Far'


The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 
The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 
The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Monday, 6 July 2015

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurers.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:
1. ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;
2. leading the development of the firm’s culture and standards;
3. embedding the firm’s culture and standards in its day-to-day management;
4. production and integrity of the firm’s financial information and regulatory reporting;
5. allocation and maintenance of the firm’s capital and liquidity;
6. development and maintenance of the firm’s business model;
7. performance of the firm’s Own Risk and Solvency Assessment (ORSA);
8. induction, training and professional development for all the firm’s key function holders;
9. maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;
10. oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even if there is an ICAAP.   However, the list includes the following additional responsibilities:
1. funding (also mentioned in 5 above), as well as an additional responsibility in respect of the bank’s treasury management functions;
2. developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;
3. managing the firm’s internal stress tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purpose of stress testing;
4. safeguarding the independence of, and overseeing the performance of, the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will be processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that the ‘firm’s culture and standards’ are developed and embedded?

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The articulation of the case looks at the performance of each line of defence and sets out the observed failures, which provides a useful checklist.

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues
Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.

You can subscribe to future posts here.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Sunday, 1 February 2015

Is It FCA Supervision or Enforcement?


One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurring line between formal enforcement and where a firm agrees with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  
  • “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
  • “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
  • “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
  • “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
  • “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
  • “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.

Friday, 23 January 2015

FCA Enforcement: Going Global



With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing the sales process to a number of third party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners, which were remunerated when sales were made.  These business partners were not involved in selling the products. 

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case, in addition to the fine, the company committed to undertake a range of voluntary measures.  These include a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.  

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and controls, which applies to the entire business, including European business.  The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.   

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements throughout the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool, but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures, such as weak control of outsourcing and a skewed sales incentive mechanism.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.

Friday, 14 November 2014

Financial Conduct Authority Enforcement: The Sum and the Parts


In previous posts I have covered the lessons for risk management from a number of enforcement cases from the UK Financial Conduct Authority (FCA) (e.g. here and here). 

An alternative approach is to capture summary data about all fines and assess their evolution over time.  This is what NERA – National Economic Research Associates – have been doing for a number of years.  The latest paper of this series is available here.  (Full disclosure: I worked at NERA several years ago.)

The latest report from NERA shows the overall increase in FCA (and FSA) enforcement in the last two years.  Total fines to firms have increased from £59 million in 2011-12 to about £420 million in each of the last two full financial years.  The typical fine is also getting larger, with the median fine increasing from £1.4 million in 2011-12 to £5.6 million in 2013-14.  

There were also some other interesting observations:
  • The overall number of cases against firms does not necessarily predict the total fines.
  • While five out of the 10 top fines against firms relate to LIBOR market manipulation, the others cover “classical” issues such as client assets, unsuitable investments and mis-selling.
  • The total of fines against individuals (as opposed to firms) has diminished from £19.9 million in 2011-12 to £3.9 million in 2013-14.  A similar trend is observed for the number of cases pursued against individuals.
There are two points that I would like to consider.

1.    The impact of the FCA revised penalty framework

The increase in FCA fines against firms may be influenced by the reliance on the revised penalty framework.  It is summarised in five steps:
  • Step 1: removal of any financial benefit derived directly from the breach  
  • Step 2: the seriousness of the breach 
  • Step 3: mitigating and aggravating factors
  • Step 4: an increase to the result from the above steps to reflect an adjustment for deterrence 
  • Step 5: settlement discount
This applies to conduct that took place since 6 March 2010.  Given the lead times for enforcement cases, this framework is probably starting to bite in earnest now and fines could stay at the current higher level and even increase further.  It will also be interesting to read in the enforcement notices how economic considerations shape the regulator’s view about the size of any financial benefit derived by the company from the breach.

2.    The decline in enforcement cases against individuals

NERA also wonders if this decline is consistent with the regulatory ambition of using enforcement to provide a “credible deterrent”.  

One possible reason for the decline in enforcement against individuals is the targeted diversion of resources to other investigations, such as LIBOR and currency manipulation.  If so, the decline would be reversed in the not-so-distant future. 

An alternative is to consider whether the change reflects the view that enforcement against firms provides a more efficient “credible deterrent”.  If this were the case, then the decline of enforcement action against individuals would not be reversed.  I have not come across evidence to support this claim but here are two arguments to consider:  
  • A stronger deterrent effect is provided by the overall size of the fines, which tend to be larger for firms, than by personal accountability.  
  • Enforcement cases related to individuals tend to reveal individuals’ determination to breach the rules rather than weaknesses in risk management.  There may be a more limited scope for improvement in risk management while providing an effective service to customers.

I would be interested in your thoughts about the likely impact of the FCA revised penalty framework and the decline in enforcement cases against individuals.
