
FCA and PRA enforcement trends: individual accountability

There has been a shift in the types of personal misconduct arising in internal and regulatory investigations before, during and after the COVID-19 pandemic, partly reflecting the different methods of working during these three time periods.

Senior managers

Levels of enforcement action under the Senior Managers Regime remain modest. As at October 2022, the UK Financial Conduct Authority (FCA) had 50 Senior Managers under investigation, which is more than double the figure for the same time in 2021. However, this still represents a very small proportion of the more than 70,000 Senior Managers operating in the industry today. In fact, the increase in enforcement investigations is most likely attributable to an increase in the total number of Senior Managers, which has increased quite significantly over the last few years as more firms have become subject to the Senior Managers Regime.

Despite a lack of direct enforcement against Senior Managers, the FCA and the Prudential Regulation Authority (PRA) often criticise senior management in general terms in the notices that they issue about their firms. These criticisms cover a range of topics but, based on recent decisions that have been published, the FCA remains concerned about committees not operating effectively to help Senior Managers discharge their obligations, either in the way that the committee operates, or does not operate, or through poor record keeping. Management information is a key tool relied on by Senior Managers to enable them to exercise effective oversight over their areas of responsibility. There have been plenty of cases in 2021 and 2022 where the regulators have been critical of the quality or accuracy of management information, or where senior management have not used this information effectively, or at all. 

Other areas of weakness identified by the FCA in recent enforcement notices include: lack of clarity about or failure to obtain senior management approvals; lack of escalation of issues and information to or between Senior Managers; lack of meaningful senior management engagement in key issues and decisions; and failure to clearly assign roles, responsibilities and reporting lines. 

Individuals subject to the Certification Regime and Code of Conduct 

It is a similar story for enforcement action for other individuals who are subject to the Certification Regime and Code of Conduct. The FCA has only 16 Certified Persons or Conduct Rules staff members under investigation but it can be expected that this number will start creeping up soon. 

Neither the FCA nor the PRA has taken enforcement action against any Certified Persons or Conduct Rules staff members. However, the FCA has announced that it is proposing to take enforcement action against several former employees of a bank for breaching Individual Conduct Rule 1 (the requirement to act with integrity) for allegedly producing a presentation that set out how a client could engage in market manipulation.

The number of individuals reported to the FCA as having been assessed by their firms as breaching the FCA’s Code of Conduct was over 33 times higher in 2021 (3072) than in 2016 (92). This is partly because more firms are now subject to the Senior Managers and Certification Regime, but it is also likely to reflect the fact that firms are becoming more confident in assessing breaches of the conduct rules and in identifying conduct and misconduct that falls within scope. 

The FCA continues to scrutinise firms’ decisions in relation to breaches of the Code of Conduct, especially in borderline cases or where the issues that feature in cases are high on its regulatory agenda. There is also a clear regulatory expectation that, where possible, firms will assess breaches of the Code of Conduct for former employees. At the same time, employees found to have breached the Code of Conduct, and the lawyers who advise them, are becoming more litigious in challenging firms’ regulatory findings about them. 

Personal devices 

Use of unauthorised devices and messaging platforms has been attracting a lot of attention from US regulators and law enforcement in 2022 and a number of firms have been fined considerable sums by the US Securities and Exchange Commission, where employees have been found to be using unauthorised encrypted messaging apps for business communications. 

Back in 2017, the FCA took action against an individual for sharing confidential information with third parties on WhatsApp. More recently, the FCA confirmed that it was actively discussing personal device and encrypted messaging application use with UK authorised firms. It also highlighted this issue in a recent fine against a broker for financial crime failures. 

We expect this issue to come up more frequently, most likely as part of a case focusing on wider systems and controls failures or market misconduct. It is understood that the FCA has alighted on this issue in several of its ongoing market conduct investigations.  

Non-financial misconduct 

The regulators are also interested in firms’ approaches to handling and investigating non-financial misconduct, for example, allegations of sexual misconduct, bullying, harassment and discrimination.

In March 2022, Lloyd’s of London took action against an underwriting firm for a collection of failures and shortcomings relating to the way that it investigated and handled allegations of bullying and discrimination. These included: senior management being seen to turn a blind eye to employee misconduct; shying away from investigating the misconduct or instigating disciplinary processes; inadequately protecting employees who raised concerns; inappropriate use of settlement agreements to avoid taking action against implicated employees; and senior management participation in, or tolerance of, inappropriate conduct, including at work events.

While this action was taken by Lloyd’s of London, it is reasonable to assume that the FCA would adopt a similar position if it identified firms that were not handling allegations of non-financial misconduct in an appropriate way.  

Diversity and inclusion 

The FCA and PRA are yet to publish their long-awaited rules on diversity and inclusion (D&I), originally promised in the third quarter of 2022 in the joint FCA, PRA and Bank of England discussion paper (DP21/2). However, their previous discussion paper and comments made in FCA board minutes in May 2022 give some indication of what to expect; that is, a greater focus on consistent data gathering and submission by firms to the regulators, and scrutiny of that data by the regulators. 

D&I has been part of the FCA’s supervision agenda for a while but it lacked teeth and felt intangible in day-to-day supervisory interactions with firms. DP21/2 and the anticipated rules are important steps in establishing the FCA’s licence to take action in this space and will give FCA supervision teams more confidence to engage with the subject. Firms should expect future conversations with regulators on D&I to be more frequent and feel more tangible, for example, with greater scrutiny of board appointments and assessments of Senior Managers, including through the FCA’s formal interview process. 

From an enforcement perspective, it seems unlikely that the FCA will pursue standalone D&I cases but it is starting to look at D&I issues as potential root causes for more traditional regulatory breaches, such as whether a lack of diversity in part of a business led to poor risk management decisions, or “group think”. 

This post is based on an article, “FCA and PRA Enforcement Action: Trends and Predictions”, which first appeared in the January/February edition of PLC Magazine. A copy of the full article is available here and on the PLC Magazine website.
