The FSA’s report was the result of its review of the processes and procedures for ABC across all business lines – a so-called “thematic” review. The main purpose of the review was to assess how effectively the firms visited addressed the risk of becoming involved in bribery and corruption.
As with the review of commercial insurance broking, the following key areas were assessed during the course of the review:
- Governance and the provision of information to company management
- The methods used to identify and assess bribery and corruption risk
- Applicable policies and procedures that were in place or to be implemented shortly
- How the company conducted due diligence on its relationships with third parties
- The payment controls in place and rules on gifts and hospitality
- Staff recruitment, vetting and remuneration structures
- The provision of training and raising of ABC awareness within the company
- Incident reporting (including the availability of whistleblowing hotlines and how companies recorded and dealt with incidents).
In other words, they covered broadly the same areas as the Government recommends in developing “adequate procedures” for the purpose of the Bribery Act 2010. Of interest to most businesses will be the methodology used by the FSA in assessing firms’ ABC frameworks. The FSA required details of the policies and procedures in place and of third party relationships and the countries in which the firms operated, along with copies of risk assessments, relevant Board and Committee minutes and audit reports, lists of payments made to overseas third parties, gifts and hospitality registers, relevant suspicious activity reports (SARs) and details of remuneration structures and training material. They also examined due diligence on third parties to ensure the business case for using them was fully understood and the risk assessed and appropriately documented. Finally, interviews were conducted with: staff in key roles; any ABC “champions”; those responsible for ABC at an operational level; and staff from accounts, risk assessment, human resources, compliance and internal audit departments.
The FSA noted a lack of action taken in response to their 2010 review. The report acknowledges that some firms had made considerable efforts to improve and implement ABC policies and procedures and had clearly been spurred on by the Bribery Act. However, the FSA was concerned at the “slow and reactive” approach adopted by many, and concluded that most firms had more work to do to get an adequate ABC control framework in place. It was clear that many firms had started the process of reviewing and implementing ABC policies and procedures, but that few had reached the stage of responding to any issues identified as a result, or of checking that the systems it had put in place were functioning properly and were being renewed and updated appropriately.
Particular failings that the FSA highlights include:
1. A lack of understanding regarding what exactly “bribery and corruption” entails
This meant that when staff were tasked with completing questionnaires or participating in interviews relevant to the risk assessment process, they were not necessarily sufficiently aware of the underlying issues and the reasons for conducting the assessment. This points to a lack of awareness raising and explanation sufficiently early in the process: training on bribery and a firm’s policies and procedures once in place are of course necessary in order to ensure effective implementation, but if people are not clear what you are talking about at the start of the process, the risk assessment is unlikely to be thorough.
2. The wrong people conducting the risk assessment
The FSA also warned of adopting too “collaborative” an approach by relying on staff in individual business units to make their own assessment of the bribery risks in their area, given potential conflicts of interest which might lead to the downplaying of the level of bribery and corruption risk to which such staff were exposed. The FSA’s view complements the Government’s guidance on the Bribery Act, which recommends that senior management should have responsibility for the process and that those conducting the assessment, design and implementation of controls need to be suitably skilled and experienced. This is also relevant to rule SYSC 5.1.1R which requires firms to employ people with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them. Some of these problems were caused by a lack of resources or a failure to concentrate available resources in the higher-risk areas. The FSA seem to hint at an expectation that investment banks with resources to staff a money laundering and compliance team ought to be able to empower compliance specialists to oversee the ABC systems and controls.
3. Lack of records justifying and documenting actions taken
Further problems were created by companies failing to tailor their policies and procedures to their own risk profiles or to keep proper records of what they were doing. This latter criticism could be seen as something of an “own goal” by firms who are spending time and resource in developing or improving their ABC controls, but who are not ensuring they get the full benefit by documenting the steps they took and the rationale behind them. This is potentially concerning both in the context of rule SYSC 9.1.1R (which requires firms to keep records sufficient to enable the FSA to monitor compliance with their rules) and in the context of the Bribery Act and the corporate offence of failing to prevent bribery; the “adequate procedures” defence is only available to corporates who can prove their procedures were adequate. A complete document trail that explains and supports the procedures in place is therefore essential.
4. Due diligence
The monitoring and due diligence conducted on third party relationships also gave cause for concern. Due diligence is particularly important given the broad definition of an ‘associated person’ in the Bribery Act, the fact that the Government’s guidance makes this one of its six key principles of developing “adequate procedures”, and the FSA’s expectation that there are sufficient policies and procedures in place to assess and mitigate the risk that third parties acting on the firm’s behalf engage in corruption.
The ambit of the FSA does not stretch to enforcing the Bribery Act (although many of the concepts discussed in its report could be applied equally to those addressed by that Act). However, corrupt conduct in firms authorised under the Financial Services and Markets Act 2000 (“FSMA”) comes under the auspices of at least two of the FSA’s statutory objectives:
(1) Reducing the extent to which it is possible for a financial business to be used for a purpose connected with financial crime; and
(2) Maintaining market confidence.
The FSA’s rules and principles also contain concepts relevant to the prevention of bribery and corruption, including:
Principle 1: A firm must conduct its business with integrity
Principle 2: A firm must conduct its business with due skill, care and diligence
Principle 3: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
Principle 11: A firm must disclose to the FSA appropriately anything relating to the firm of which the FSA would reasonable expect notice (which may ultimately require firms to self-report to FSA where they discover a problem in their controls or, worse, a bribery issue; in the latter case, self-reporting to the SFO may also be advisable on the basis that FSA will likely pass on any relevant information to the SFO and by self-reporting the firm may obtain greater benefit and more generous treatment from the SFO).
FSMA-authorised firms must therefore go beyond the Bribery Act and accompanying guidance when reviewing and amending their ABC policies and procedures, to consider relevant FSA rules and principles, to avoid any gaps in their systems and controls, and so as to be able to demonstrate that they have addressed the requirements of them as FSA regulated firms.
The FSA states its intention, alongside (from next year) the Financial Conduct Authority, to continue to focus on ABC issues in this sector and beyond to ensure firms are meeting their legal and regulatory obligations. More than the SFO (responsible for investigating and prosecuting offences under the Bribery Act), the FSA has the staff and resources to do so. Therefore, even though “adequate procedures” are not a requirement under the Bribery Act (so that a failure to have them is not an offence), for FSA regulated firms, it may as well be and we may see far more enforcement against firms for failing to have adequate bribery controls than prosecutions for offences under the Bribery Act.
Conversely, FSA guidance on adequate anti-bribery controls – such as those contained in the thematic review and elsewhere, including their Guide for firms on preventing financial crime (which is due to be amended in light of the findings in this report) – should not be seen as relevant only to FSA-regulated firms. The recommendations provided by the FSA in this area could usefully be looked at by businesses in all sectors, as providing practical examples of good and poor practice, particularly in the context of due diligence and payment controls.