Investigations and enforcement - how the UK regulators are holding senior management to account

Enforcement actions against senior management

The action taken against the former Swinton executives, for failing to recognise and take reasonable steps to prevent the risks of a culture that pushed for high sales of monthly add on insurance without sufficient regard to customers’ interests, is one of the few examples of senior management being held to account under the FCA’s Statements of Principle for Approved Persons (APER) 5-7 for failing to take reasonable steps to manage and control and ensure the compliance of the business for which they are responsible effectively. While there has always been a steady stream of enforcement action for breaches of the APER Statements of Principle 1-3, which apply to all individually approved persons and require individuals to act with integrity, due care and skill and to observe proper standards of market conduct, the FCA has proved less successful in bringing action against senior management for failing to take reasonable steps under APER Statements of Principle 5-7, particularly in the larger firms, with a few notable exceptions (including Christopher Willford, Peter Sprung, Peter Cummings and Yohichi Kumagai).

There is no doubt that for some time the FCA has had a greater determination to hold management to account and I have seen that when matters are referred for investigation the FCA now routinely considers whether there may be circumstances to suggest personal culpability of senior management. While this may have led to more investigations being commenced against individuals, it does not seem to have translated into the flurry of cases many had expected from its tough words. This will be partly due to the fact that these cases tend to be harder fought than those brought against the firms as the consequences for an individual are severe and to the difficulties in establishing the personal responsibility for the misconduct which is easier to establish where the firm is small or where there has been dishonesty or deliberate misconduct.

The FCA was also dealt a significant blow to its approach to senior management misconduct and establishing a precedent when an Upper Tribunal decision directed it to drop its case against Mr Pottage of UBS. The Tribunal found that, while there were failings in the firm’s compliance with relevant standards, Mr Pottage had taken reasonable steps and the FSA had not satisfied the Tribunal that Mr Pottage’s standard of conduct was “below that which would be reasonable in all the circumstances” (as set out in APER 3.1.4G). This case did however establish a precedent as to the type of actions required of an incoming CEO in order to meet APER Statement of Principle 7 and, in particular, that where a control failure is identified in one area of a business, the CEO is expected to assess the “wider implications” of that failure to the business as a whole.

The Swinton fines demonstrate how the FCA is able to establish senior management failings where there have been cultural and control failings at a firm, the firm having been fined in July 2013 for breach of the Principles for Businesses 3, 6 and 7. The FCA found that:

• The CEO, Peter Halpin, had breached APER Statement of Principle 7 for failing to adequately respond to compliance warnings and ensure that the management information (MI) was fit for purpose, as well as to ensure that adequate controls were put in place to properly monitor whether customers were being treated fairly and to recognise the risk that the directors’ share scheme might give rise to a culture in which the pursuit of profit might negatively impact upon treating customers fairly (TCF).
• The Finance Director, Anthony Clare, who also had responsibility for running Swinton’s commercial division, was in breach of APER Statements of Principle 6 and 7 for amongst other issues missing indications that there were compliance problems with the products and failing to realise that the impact of decisions on the way the product was developed increased the risk that customers would be treated unfairly.
• The Marketing Director, Nicholas Bowyer, had breached APER Statement of Principle 6 as he failed to ensure that the products were designed and marketed in a way that was TCF as well as failing to recognise that he had a personal responsibility to consider TCF in every element of his role as a director.

In particular, the actions stressed the failings of management to learn the lessons from earlier FSA enforcement action against Swinton for PPI mis-selling and not therefore considering the wider implications of those failings for the sale of its add-on policies.

It remains to be seen whether these cases will be followed with other actions; recent enforcement cases against firms have not included action against senior management although it is possible that relevant individuals may be under ongoing investigation - the Swinton firm fine predated the action against the former executives by over a year.

No-one can doubt the deterrent effect and the importance of senior management responsibility for the actions of the firms they manage. It is essential for public confidence in the financial sector and for ensuring the regulatory objective that customers’ interests are placed at the heart of the businesses for which they are responsible. However, it is also essential that the regulators find the appropriate balance between holding them to account where there is individual personal culpability and fixing them with strict liability for a firm’s failings which will ultimately have the undesired effect of discouraging applicants for senior management positions in financial services fearful they will be made the scapegoat if things go wrong.

New ways of achieving senior management responsibility

The FCA has recognised that its enforcement record against individuals is limited and made it clear that it finds bringing cases against individuals difficult and complex. It has also expressed frustration that individual accountability under the current regulatory regime is, in its view, unclear or confused and so limited its ability to take action against senior bankers for the decisions which led to the crisis. The use of attestations and the introduction of the senior management regime for banks are ways in which the regulator is seeking to overcome its perceived difficulties, and I discuss these in more detail below.

Attestations

Attestations are a requirement from the regulators to a named senior individual at a firm to personally attest that a certain set of affairs exists or certain action has been taken. In this way, the individual making the attestation is personally assuming responsibility for its accuracy. In the words of Martin Wheatley, Chief Executive of the FCA, these are seen as a means of “crystallising the idea of personal accountability” and the FCA has confirmed that it sees them as a key part of its approach to senior persons. In the past couple of years I have seen the regulators making increasing use of these as a supervisory tool. While they may not yet have been relied on in an enforcement action against senior management, although they have been referenced in actions against firms (see the October 2013 Rabobank fine), I do not think it can be long before the FCA brings its first case against an individual for an incorrect or inadequate attestation.

Concerns were raised in a letter by the FCA Practitioner Panel in April 2014 over their increasing use running the risk of “skewing the prioritisation of risk at firms” and the need for legal support in responding to them and agreeing the terms. This led to a response in August 2014 from Clive Adamson, Director of Supervision at the FCA, seeking to explain the FCA’s expectations and the purpose they seek to achieve which he explained was “to ensure that there is clear accountability and senior management focus on those specific issues where we would like to see change within firms, often without on-going regulatory involvement”. To address the concerns raised over their use, the FCA responded by issuing revised internal guidance and supporting materials for supervisors, emphasising the importance of clarity and transparency and also strengthened its governance processes to ensure that all attestations are signed off at Head of Department level and receive a review by a central quality assurance function similar to the process followed for skilled person reviews.

It appears that the implementation of these measures may have led to a slow down in the number of attestations being required by supervisors. However, they are still an important regulatory tool and must be taken seriously by management, which in my view should include the following steps:

• Any request for an attestation should be considered carefully and where there are concerns over its scope or terms these should be discussed with the regulator.
• It is essential that appropriate enquiries are carried out and that these are documented to show that reasonable steps were taken to provide the response and ensure its accuracy.
• If necessary, caveats can be included to explain the basis for the response and any limitations (or in some cases the regulator may accept a response in stages).
• Above all, it is paramount that the individual attesting is aware of their responsibilities and the personal consequences of providing incorrect information or an inadequate enquiry; this is of course true of responses to all regulatory correspondence.

An incorrect attestation, in addition to providing evidence of a failure to carry out reasonable steps to ensure the business is compliant (APER Statement of Principle 7), might also amount to breach of APER Statement of Principle 1 (the requirement to act with integrity) or APER Statement of Principle 4 (the requirement to be open and co-operative with the regulator).

The new senior managers regime for banks

The consultation paper introduced by the PRA and FCA in July 2014 on “Strengthening accountability in banking: a new regulatory framework for individuals” heralds a new and tougher approach towards senior management in the banking sector. It is expected that the regulators will follow this by publishing policy statements with the final rules by the end of 2014.

The new regime includes significant changes which the regulators consider will make it easier for them to bring enforcement action against banks’ senior management where failings are identified within the business. In introducing the proposed new regime, the regulators have commented that: “The clearer individual responsibilities coupled with enhanced enforcement powers for the regulators should give senior management a robust set of incentives and deterrents. This should improve corporate governance and encourage individuals to behave appropriately and accept greater responsibility for their actions.”

The new rules of conduct which the consultation paper seeks to introduce do not differ significantly from the current Statements of Principle for Approved Persons (APER) other than the addition of a specific TCF principle (similar to the Principle 6 for firms) and a specific principle for senior management on appropriate delegation and ensuring that the discharge of the delegated responsibility is overseen effectively. The most significant changes that it introduces in terms of holding individuals to account are the extension of the application of the new rules of conduct to almost all bank staff (although some of the rules are reserved to senior management) and the reversal of the burden of proof for senior management so that they can be held to account for contraventions of regulatory requirements in their areas of responsibility unless they can demonstrate that they took all reasonable steps to prevent the contravention occurring or continuing.

I expect that these changes will have a significant impact in terms of individual accountability. They have been designed to win back public trust in both the banking system and in the regulatory response after the conduct scandals of PPI mis-selling and the attempted LIBOR and FX manipulation. As a result of the new regime, we are likely to see the first cases of enforcement action being taken against bank staff who were previously not within the regulatory regime as they did not hold a controlled function. However, I believe that the regulators’ focus will continue to be on senior management and the change to the burden of proof is, in my view, likely to lead to an increase in enforcement actions as it will help the regulators overcome some of the difficulties they have encountered in establishing cases against senior management where they needed to prove that either the individual was in breach of the APER Statements of Principle or was “knowingly concerned” in the firm’s breach. In effect, it will now be for senior management to show that they took reasonable steps rather than for the regulator to show that they did not. This presumption of responsibility will also have potential resource savings for the regulator at the outset of an investigation which may encourage it to bring more cases.

While this may be seen as a way to redress the balance after the setback the FCA suffered in establishing a precedent for senior management in the case of Mr Pottage, the facts and evidence presented in that case did support his having taken reasonable steps so the change to the burden of proof would not have made any difference to the outcome of this particular case. The new rule will make it easier for the regulator to apportion blame for a firm’s failings, but it will not fix individuals with strict liability. The FCA’s decisions whether to take action will be made on the basis of its published criteria in the Decision and Procedure and Penalties Manual (DEPP) and will include looking at all the circumstances of the case, including the seriousness of the breach, the relevant individual’s position, responsibilities and seniority, and the need to use enforcement powers effectively and proportionately.

I consider that a consequence of this change is that we can expect to see more cases against senior management being taken to the Tribunal rather then settled or argued before the Regulatory Decisions Committee (RDC) as it will be very difficult during the administrative process of an enforcement action, to convince the regulator who has chosen to bring the action that reasonable steps were taken. As discussed above, cases against individuals tend to be harder fought because of the serious personal consequences for their career and livelihood. However, taking a case to the Tribunal is costly and time-consuming and this is difficult for many unless they have the support of their employer as Mr Pottage did. A further difficulty individuals will have in defending these cases is that the bank is likely to have accepted the breach of the regulatory requirement, taken the fine and settled the enforcement action against it so there will be limited scope to argue that there was no failing and the case will stand or fall on whether the senior manager can demonstrate they took all reasonable steps to prevent it.

It is also proposed that the new regime introduce a new criminal offence for a reckless decision causing a financial institution to fail. This is largely to satisfy public pressure and even the FCA expects it to be used “rarely”. I doubt whether we will see any cases brought for this offence. This is not only because lessons have been learned from the financial crisis, but also because attributing criminal liability to individuals for a bank’s decisions will be very difficult to establish and prove. It is not usually the case that one particular decision led to the failure; it will usually be a combination of factors including external events which led to an institution’s collapse.

It remains to be seen whether the regulators will look to introduce similar rules more widely outside of banks, but there must be a possibility whether in full or on a more limited basis.

A turning point?

The regulators, and in particular the FCA, have talked tough on senior management responsibility for some time, but have in the past struggled to match these words with actions. However, this appears to be changing and there has certainly been no let-up in their determination to bring this about, as demonstrated by the introduction of the rules under the new banking regime and the use of attestations to fix individuals with personal liability for the actions of their firms. Senior management would be well advised to take note and ensure they are fully aware of the regulatory expectations and requirements and above all ensure they act on warnings of potential issues arising in the areas of business for which they are responsible. We can expect to see the regulators bringing more cases for management failing to take reasonable steps, as the Swinton former executives found to their cost, although it is likely to be 2016 at least before we see any cases brought against bankers under the new senior managers regime.