A Review of Financial Services Enforcement and Investigation in the UK 2021

In the past 12 months, the Enforcement Division of the UK Financial Conduct Authority (FCA) has demonstrated a remarkable consistency in pursuing its key priorities. The move into lockdown in 2020 led to a rationalisation of its caseload and an apparent slowdown in activity. Since then, a succession of significant outcomes have been published, many related to long-standing priority areas, including treating customers fairly, financial crime and anti-money laundering, as well as non-financial misconduct.

In this article, we will explore the themes emerging in each of those areas in more detail. Before doing so, we note a couple of additional points of interest that cannot be covered in detail in this short review. Most notably, the FCA has generated a number of market conduct related outcomes this year: action was taken against an individual for spoofing, a form of market manipulation, and action was taken or warning of action given against three issuers for a variety of failings in relation to market announcements.

Those published outcomes are only the tip of the iceberg: the FCA’s Market Oversight Division continues to pursue significant numbers of preliminary investigations in response to suspicious transaction and order reports or unusual market activity detected using its own systems. These can be challenging for firms to respond to and carry the risk of full-blown investigation if the response does not alleviate the FCA’s concerns.

Further, largely below the radar is the FCA’s continued use of early intervention powers, with firms asked to seek voluntary variations or restrictions on their permissions or have these imposed involuntarily to address supervisory concerns or while those concerns are remediated. Early interventions offer a quicker route than enforcement proceedings and are arguably more effective at addressing ongoing concerns. We expect they will continue to prove attractive to regulators as they look to manage increasing caseloads in the wake of the covid-19 pandemic.

Although the focus of this article is on the FCA, in respect of dual-regulated firms, the Enforcement and Legal Directorate of the Prudential Regulation Authority (PRA) is increasingly active in promoting the PRA’s agenda. It continues to work alongside the FCA in some matters but is developing an increasing and interesting body of casework of its own.

Whether firms are deemed to have treated customers fairly looks set to be another key focus of FCA enforcement activity in the years ahead.

The fair treatment of customers has always been central to the FCA’s mission: one of the FCA’s three operational objectives is to secure an appropriate degree of protection for consumers, and the requirement for firms to treat their customers fairly is one of the FCA’s high-level Principles for Businesses (the Principles). Treating customers fairly (TCF) has been the subject of substantial thematic work over the past 15 years.

Even prior to the covid-19 pandemic, the FCA prioritised supervisory and enforcement initiatives concerning TCF. The FCA has made it clear that it expects firms to embed TCF into their culture and has taken enforcement action where it feels this has not occurred. In the past year alone, it has fined Lloyds Banking Group and Barclays a combined total of £90 million for failings in how they treated customers who had fallen into arrears on their debt repayments.

However, the devastating effects of the covid-19 pandemic on many customers’ finances have further heightened the importance of this. In the past few months, the FCA has repeatedly emphasised that TCF will be one of its priorities. In its Business Plan for 2020/21, the FCA said that two of its five areas of focus will be on ensuring that ‘the most vulnerable are protected’ and that it will ‘seek to ensure consumers and small firms are treated fairly’.

So where can we expect to see the FCA’s attention focused, and what does it expect from firms?

Retail customers in financial difficulty

A key focus of the FCA will be on how retail banks deal with individuals who have fallen into financial difficulty. The FCA acted quickly at the outset of the pandemic to seek to mitigate the financial impact of covid-19 on retail customers, putting in place a range of emergency measures that allowed customers to benefit from payment holidays, interest-free overdrafts and various other forms of relief.

However, although those measures may have bought customers valuable time, it did not remove the need for customers to eventually repay their borrowings. Now, the FCA’s focus is likely to turn to how retail lenders deal with situations where customers find this problematic.

From past guidance and enforcement cases, it’s clear that the FCA has high expectations in this area. Where a customer has unsustainable debt, firms will be expected to obtain a detailed understanding of their specific circumstances. This is an exercise that requires time and skill, so firms will be expected to have enough staff – sufficiently skilled and trained – to assess the customer’s situation and consider what is a fair outcome for them.

To satisfy itself that customers are being treated fairly, the FCA assesses whether firms’ senior management and boards have received high-quality management information on customer outcomes and have considered fully how the processes, procedures and culture of the firm have contributed to this. The enforcement actions against Lloyds Banking Group and Barclays show that the FCA is prepared to act where it feels this has not occurred.

Vulnerable customers

Within the body of retail customers, the FCA is particularly concerned about how firms deal with vulnerable customers. Vulnerable customers are those who, owing to their personal circumstances, are especially susceptible to detriment.

Customers can be vulnerable for several reasons, including their physical and mental health, the impact of life events such as a bereavement and their financial capability and resilience. Vulnerability is not static: customers may go from being non-vulnerable to vulnerable and vice versa.

Perhaps counter-intuitively, a relatively large proportion of customers could be considered vulnerable at any given moment. Research conducted by the FCA in October 2020 found that 27.7 million individuals – or over half of all UK adults - displayed signs of vulnerability.

Those who are vulnerable can suffer from a range of harm, including financial exclusion (eg, not having access to appropriate financial products), difficulty in accessing services (eg, lack of access to the internet or branches), increased likelihood in falling victim to a scam, overindebtedness and buying inappropriate products or services.

The FCA has provided guidance on the actions firms should take to treat vulnerable customers fairly. This involves embedding a mindset around the fair treatment of vulnerable customers at all stages of customers’ interaction with the firm, from the product design and set-up to customer communications and service, along with continuous evaluation of whether the needs of vulnerable customers are being met.

The FCA’s new chief executive, Nikhil Rathi, has said that the FCA will have a ‘special focus on vulnerable customers’ as the country recovers from the covid-19 pandemic. Given that the pandemic has led to a steep increase in the number of individuals with characteristics of vulnerability, firms will be expected to take meaningful and proactive steps to ensure vulnerable customers are treated fairly – or will likely face enforcement action.

SME lending

Another area of future focus is likely to be on the fair treatment of small and medium-sized enterprises (SMEs). The FCA’s own Business Plan refers to one of its five areas of focus being the fair treatment of ‘consumers and small firms’. This is for two reasons.

First, following the 2008 financial crisis, several UK banks were alleged to have mistreated SME customers who struggled to repay their debts. This led to the FCA appointing skilled persons to undertake reviews, firms establishing complaints and compensation schemes and a large amount of parliamentary and press scrutiny.

Second, the covid-19 pandemic has had a heavy financial impact on many SMEs, leading to a huge proportion of SMEs taking out additional lending, often through government-backed loan schemes. Although lenders were praised for setting up and processing those loans with relative speed, at some point those debts will need to be repaid, and attention will turn to how banks manage their collection process fairly.

The challenges here are significant not only in terms of the volume of debt to be repaid (CityUK predicts that SMEs will have approximately £100 billion of unsustainable debt) but also the potential mismatch between the expectations of customers and those of firms. A survey conducted in May 2020 found that 43 per cent of businesses that had accessed government guaranteed loan schemes said they do not expect to repay the debt, either because they do not think they will be able to or because they do not believe that the government will pursue the debt.

Lending to corporates is not a regulated activity; therefore, Principle 6, the obligation to treat customers fairly, does not apply. However, the FCA has made it clear that it expects firms to act appropriately in respect of SMEs. Firms must nominate a senior manager to be responsible for SMEs, and the FCA has endorsed the Lending Standards Board (LSB) guidance for dealing with business customers as representing a proper standard of market conduct.

Firms should, therefore, ensure that their dealings with SMEs are guided by the LSB’s code, as well as lessons from previous cases. This will include having triggers to identify and act when SMEs are in financial difficulty, communicating in a sympathetic and transparent manner with the customer, considering appropriate forbearance and refinancing options and not seeking to extract other advantages from a customer’s difficulty.

Although the unregulated nature of SME lending makes enforcement action against firms more difficult for the FCA, it is not impossible. More straightforward for the FCA is enforcement action against senior managers, as senior managers’ obligations under the Senior Managers and Certification Regime (SMCR) also extend to unregulated activities.

Similarly, short of formal enforcement action, the FCA has a variety of tools at its disposal should firms be perceived to have mistreated SMEs – from requiring skilled persons reviews to attestations from senior managers.

TCF on new frontiers?

Although the FCA’s primary focus to date has been on treating customers fairly in credit markets – mortgage and unsecured lending, lending to SMEs, etc – there is the potential for the FCA to consider TCF in other contexts as well; for instance, during the covid-19 pandemic, an increasing number of consumers have taken to trading directly in the equity markets or investing in cryptocurrencies.

The FCA is concerned about the potential for consumer harm where investment decisions are initiated not by advice from a professional adviser, but following exposure to (potentially misleading) online financial promotions or adverts or high-pressure sales techniques. There is a significant risk in this context that individuals unwittingly purchase higher risk products that may not be suitable or reflect their risk tolerance.

This situation is further complicated by the fact that those individuals are often using appbased platforms offered by regulated firms to enact their investment choices. There is clear potential for a mismatch between the expectations of consumers and the actual obligations on firms to treat them fairly where those platforms are used to invest in products such as cryptocurrencies (currently unregulated).

Nevertheless, the FCA expects regulated firms to embed TCF across all of their business activities – both regulated and unregulated. Organisations must give specific thought to what this looks like in the context of investments into novel products by a new type of investor using innovative platform technology, if they wish to minimise the risk of retrospective enforcement action on the point.

One area of focus relevant to all firms within the regulated sector is the effort to combat financial crime and strengthen the sector’s defences against money laundering. This leads to enforcement risk for firms, both where risk has crystallised and where concerns relate to deficiencies in a firm’s systems and controls but no suspicious activity is alleged.

This focus plays through into a high number of live investigations: 65 AML enforcement investigations were underway at the time of the most recent annual report. Many of those result from skilled person’s reports commissioned by the FCA where the specialist supervisory team’s own work has identified concerns. Reports focused on financial crime accounted for 27 per cent of all skilled persons reports required by the FCA for the last full year reported.

Recent cases

This enforcement activity has given rise to a succession of public actions against firms for regulatory breaches of the Principles or the Money Laundering Regulations, or both. The Principles relied on in this context are most often the obligation to conduct business with due skill care and diligence under Principle 2 or to take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems under Principle 3.

Within the past year, the most notable case of this sort has been the £37.8 million fine imposed on the Commerzbank AG London branch in June 2020 for breaches of Principle 3.

Several key themes that emerge from that outcome are also central to earlier outcomes and the FCA’s current caseload.

• The timeliness and adequacy of know-your customer (KYC) and customer due diligence, both at onboarding and in conducting periodic refreshes of the information held: the FCA rightly regards this as fundamental to a firm’s ability to assess and manage the risks associated with clients and apply appropriate ongoing monitoring to client relationships. In the Commerzbank case (as in previous cases), there were particular issues with identification and verification of beneficial owners and politically exposed persons and a significant backlog of periodic refreshes of KYC information held.

• The effectiveness of automated transaction monitoring systems and the handling of potentially suspicious transaction alerts generated by those systems: FCA outcomes have identified widespread failings with the scope or coverage of such systems. Another common concern is firms’ ability to manage the volume of alerts generated and process these effectively, owing to a lack of resources or of adequate training and guidance for staff reviewing alerts. As transaction monitoring systems become more sophisticated, the FCA has turned its attention to the extent to which those systems are tailored to the particular business and activities of the firm and its clients.

The Commerzbank case also reflects the FCA’s concern in this context to see that the entity operating in the United Kingdom is able to meet the standards applicable in this jurisdiction. Demonstrating appropriate tailoring and ownership can be particularly challenging where key processes are outsourced or standards are set at a global or regional level.

The FCA’s historic AML penalties are often accompanied by restrictions being placed on the business and activities of the subject firm until the firm completes remediation of the relevant processes. In the case of Commerzbank, the firm voluntarily adopted such restrictions prior to action being taken, a factor that the FCA took as mitigating the breach.

The Commerzbank case was followed in October by the action taken by the FCA against Goldman Sachs for its involvement in 1MDB, with the PRA and other agencies in the United States, Singapore and Hong Kong. The FCA’s notice was based on breaches of Principles 2 and 3 and imposed a penalty of £48.3 million. This was dwarfed by the global penalty of US$2.9 billion, reflecting the relatively limited role of the UK-based entity.

There are some key takeaways from the FCA’s notice that firms should have in mind to reduce enforcement risk.

• The notice focused on the importance of firms using the data available to them to identify and manage risks arising from intermediaries. Firms must be satisfied that the information is available and presented to decision makers in a way that enables them to understand the financial crime risks.

• Firms can expect to be criticised if their record-keeping does not enable them to demonstrate how financial crime risks are assessed and managed.

• The standard of scrutiny required depends on the risks involved, and particular care is needed for large transactions involving counterparties or geographies that have been identified as presenting a higher financial crime risk.

Criminal proceedings for systems and controls failures

Failure to comply with the Money Laundering Regulations can be a criminal offence as well as a regulatory breach. It has been commonplace for investigations to be opened on a dual track, with both regulatory and criminal breaches in scope. Despite this, until 2021, no criminal prosecutions had been brought, with the criminal side of investigations being dropped in favour of regulatory proceedings.

That changed recently when criminal charges for breaching the Money Laundering Regulations were brought against Natwest. By bringing those charges, the FCA has made good on long-standing public statements that such action would follow where an investigation uncovered sufficiently serious failings, reflecting the Director of Enforcement and Market Oversight’s view that where the FCA has been given statutory powers, it should use them.

The impact of the decision to bring criminal proceedings remains to be seen and is subject to significant uncertainty:

• the matter is ongoing and, given current delays in the criminal justice system, may take some time to conclude, at least if Natwest chooses to contest the case;

• it is a defence to have taken all reasonable steps and exercised all due diligence to avoid committing the offence, so the court will likely have to consider how this test should be interpreted; and

• whereas the approach to financial penalties for regulatory breaches is set out in a published policy, there are no sentencing guidelines in place and no directly applicable precedents for any sentencing court to follow.

In reaching the decision to charge, the FCA will have determined that the evidential test for prosecution is met and that doing so is in the public interest. In reaching this view, it seems likely that the FCA judges that the real threat of criminal proceedings will focus the minds of senior management at other firms on ensuring that any gaps or deficiencies in their financial crime systems and controls are identified and addressed.

Recent years have seen the FCA emphasise the need for firms to identify and address examples of non-financial misconduct (NFM) within their organisations. This feeds directly into a broader regulatory focus on culture dating back to the 2008 financial crisis.

Since then, there has been a growing recognition of the link between a culture in which harassment, bullying or other poor behaviour by individuals goes unchallenged, and business decisions that result in harm to consumers, the market and the reputation of the sector as a whole. Put bluntly, the finest and most robust systems and controls can be undermined if the right behaviours are not embedded with the firm that contains them.

The FCA brought enforcement action in this area in November 2020, prohibiting three individuals from working in financial services on the grounds that they were not fit and proper: all had been convicted of significant non-financial criminal offences while working in the sector. A fourth individual is taking his case to the Upper Tribunal. Questions remain, however, around the relevance of such conduct to the assessment of individuals’ suitability to work in the sector where it falls short of amounting to a criminal offence. Firms must also consider the steps they should be taking to foster a working environment in which staff feel secure in calling out such behaviour (via whistle-blowing and other speak up channels) and where allegations are managed appropriately. The FCA’s approach to NFM continues to develop, and it is important that firms understand its evolving expectations in this area.

What is non-financial misconduct?

Despite extensive discussion of the subject, there is no regulatory definition of non-financial misconduct (NFM). For the purposes of this article, we have chosen to define NFM as misconduct that is not directly related to the performance of an individual’s role, but that may have an impact both on the integrity, fitness and propriety of the staff member concerned (under relevant regulations) and on the culture of a firm more broadly.

Definition notwithstanding, NFM can still be difficult to identify in practice. For example, tolerance (or even encouragement) by the senior management function (SMF) of a culture of bullying or harassment involving junior or new staff members in its business area would have a direct impact on the work environment experienced by those employees. This would then, arguably, be relevant to a regulator’s assessment of that SMF’s fitness and propriety. Such a culture might also discourage staff from challenging or reporting examples of financial misconduct they encounter in the organisation.

NFM might also occur outside the work environment, for example, during after-work drinks, in a way that continues to reverberate once people return to the office. This is, however, where the line between work and private life can become more difficult to discern.

The Court of Appeal’s judgment in Ryan Beckwith v The SRA in November 2020 maintained that concepts such as integrity and maintaining trust in a profession will only be damaged by actions in an individual’s private life where this conduct ‘realistically touches on [their] practise of the profession or the standing of the profession.’ Although this decision involved a different regulator (the Solicitors Regulation Authority) and a different regulatory scheme (the SRA Handbook), it is a cogent illustration of the difficulties that can arise in this context.

The FCA’s approach

In September 2018, former Executive Director of Supervision at the FCA, Megan Butler, stated in a letter to the Women and Equalities Committee of the House of Commons that ‘we view sexual harassment as misconduct which falls within the scope of our regulatory framework.’ This was the first time that the FCA has explicitly indicated that this type of behaviour might have regulatory implications.

This was followed a couple of months later by a speech by Executive Director of Strategy and Competition at the FCA, Christopher Woolard, in which he asserted that the way firms handle allegations of NFM is potentially as relevant to the regulator’s assessment of them as their handling of any other type of misconduct would be.

The FCA made the management of NFM a key focus for its supervision of firms and senior management. NFM should now be considered as part of fitness and propriety assessments, senior managers are expected to take reasonable steps to identify and remediate NFM within their business areas, and firms must put in place processes to manage complaints about NFM made by staff, including speak-up lines and other whistle-blowing procedures.

From an enforcement perspective, we have seen very little concluded enforcement activity from either regulator. Enforcement investigations into NFM remain rare; a freedom of information request reported in January 2021 indicated that the FCA has opened only five investigations into NFM under the SMCR in the past five years. We have yet to see a concluded FCA or PRA enforcement action against an individual concerning NFM that had not already resulted in a criminal prosecution.

In some respects, this is not surprising. Investigations into non-criminal NFM are challenging to mount. They often involve sensitive issues and require careful handling. There is also a technical question on whether and when NFM might constitute a breach of the FCA’s Individual Conduct Rules rather than simply going to an individual’s fitness and propriety.

Although the FCA does not yet appear to be making wide use of enforcement to tackle NFM, it features prominently as part of supervisory discussions with firms. NFM and whistle-blowing are increasingly seen as a bellwether of deeper cultural issues within firms. By making NFM a regulatory issue, something that is within its remit to police, the FCA can put pressure on firms to tackle and root out this type of behaviour and improve speak-up and listen-up environments as part of a broader culture focus.

This means that most investigations into allegations of NFM are being conducted by firms. Regulators appear more focused on assessing firms’ ability to identify, manage and resolve such complaints than on interrogating the allegations themselves.

Issues for firms

Tackling NFM at an organisational level raises several specific issues for firms. First is the ability to identify such complaints in whatever context they are made. The most obvious route for a complaint concerning NFM to come to an organisation’s attention is via whistle-blowing channels; however, not every whistle-blowing complaint will concern allegations of NFM. Conversely, NFM allegations may also be made outside this context. Whatever route is taken, such claims will inevitably be sensitive and require appropriate triage. Managers must be trained to recognise this type of complaint and understand how to escalate it. A clear protocol for response should be in place.

Difficult questions can also arise around notification. Significant allegations involving senior managers may require immediate notification under Fundamental Rule 7 or Principle 11. SUP 15.3.11 obliges firms to notify the FCA immediately when they become aware, or have information that reasonably suggests, that a significant rule breach (including of the Code of Conduct Rules (COCON)) may have occurred.

Given that claims NFM has occurred characteristically present themselves as bald allegations requiring further investigation to substantiate, balancing regulatory transparency and fairness to the individuals involved may prove challenging. Where claims of NFM involve certified members of staff, fitness and propriety certificates may be due for renewal while an allegation is under investigation. This can put a firm in a difficult position in terms of whether to renew and risks prejudging the outcome of that enquiry.

The investigation must be supervised closely. Management of the information flow to and support for the whistle-blower or complainant is key. If those individuals do not feel their complaint has been taken seriously or investigated properly, this will have a significant impact on the willingness of other members of staff to speak up.

Promoting the psychological safety of the wider staff population is key. This may mean reorganising teams where the person under investigation and the person making an allegation work together – a particular challenge where teams are already under-resourced or more senior staff or leaders are implicated.

The team conducting the investigation must be independent – and seen as such. The more senior the member of staff under investigation in this context, the more important this is. They may also require specialist interview training: in sensitive cases, a very different tone and approach will be required to encourage witnesses to speak openly, whereas a more relaxed style may encourage people to share uncomfortable experiences.

The current requirement to conduct interviews remotely only compounds the difficulties teams investigating NFM face. Interviewees are likely to be under considerable personal stress and should be offered additional pastoral support throughout the investigation process.

Building an effective and robust structure for investigating NFM (and other) complaints is likely to be an investment worth making. Both regulators now expect firms to be able to address and remediate complaints about poor conduct effectively. There is significant risk of either a skilled person or a third-party review if the FCA or the PRA loses confidence in a firm’s ability to manage this type of enquiry.

Where the FCA or the PRA have persistent concerns, there are enforcement investigations into the adequacy of firms’ operation of whistle-blowing systems and controls, with the FCA and the PRA publishing a voluntary requirement in early 2021 requiring a firm to make improvements in this regard. There remains a real risk of enforcement action for firms that have inadequate management of whistle-blowing complaints (including those involving NFM).