The UK FCA reminds firms about the confidentiality of information requirements

Confidentiality restrictions

Formal information requirements issued by the FCA typically contain some form of wording to make it clear that they are confidential. However, the wording used by the FCA varies depending on the nature of the investigation in question.

The FCA typically reserves the most stringent confidentiality wording and restrictions for information requirements issued in the context of investigations into suspected market misconduct, including suspected market abuse and insider trading. In these situations, the FCA usually requires the fact of, and contents of, an information requirement to be kept strictly confidential and only discussed with other individuals (i.e. outside Legal or Compliance) on a ‘need to know basis’ with the prior agreement of the FCA. The main driver for these confidentiality restrictions is to avoid ‘the inappropriate dissemination of knowledge of [the FCA’s] enquiries’. In particular, the FCA is concerned about the risk that subjects of their investigations may be tipped off, which could prejudice their investigations and/or lead to the destruction of relevant evidence.

The FCA highlighted the importance of firms complying with these confidentiality restrictions in its Market Watch newsletter, noting that firms that fail to do so ‘run the risk of regulatory scrutiny or action’ as well as ‘reputational damage’.

A real-life example

To underline the importance of firms complying with confidentiality restrictions in information requirements, the FCA referred to a real-life situation involving an unnamed firm. In that case, the FCA stated that it required the firm to provide records of staff access to inside information for a takeover for which the firm was acting as an advisor.

The information requirement sent to the firm explained that it was confidential and should not be shared outside the firm’s Compliance team without first consulting the FCA. However, without first consulting the FCA, the firm’s Compliance team contacted the deal team working on the takeover in order to help gather the information that was responsive to the FCA’s information requirement.

Compliance identified unauthorised and repeated access to files containing information about the takeover by an employee who was not on the deal team and had no reason to access inside information about the takeover. Compliance communicated this information to the deal team. Without consulting Legal or Compliance, a member of the deal team questioned the employee in question about their access to the inside information relating to the takeover. This employee resigned from their role at the firm and left the country, which according to the FCA ‘severely’ hindered its ability to investigate the situation.

What should firms do?

When firms receive information requirements from the FCA, they should check what confidentiality restrictions they contain. In particular, firms should check if there are any restrictions on the fact or contents of the information requirement being shared outside Legal and/or Compliance.

Even if an FCA information requirement does not contain such restrictions, firms should consider whether sharing the fact or contents of the information requirement more widely could result in tipping off the potential subject of the FCA’s investigation. If firms are in any doubt about what confidentiality restrictions apply to an FCA information requirement, they should contact the FCA.

In its newsletter, the FCA acknowledged that firms may need to speak to individuals outside Legal and/or Compliance in order to gather information that is responsive to an information requirement. If firms need to consult the FCA, firms should ensure that they do so before speaking to these individuals. When consulting the FCA, firms should be prepared to provide the FCA with the identities of individuals they need to speak to in order to gather responsive information, as well as any risks that are associated with speaking to those individuals (e.g. if they work closely with someone who is the subject or potential subject of the FCA’s investigation). If information requested by the FCA can only be obtained from individuals who are the actual or potential subjects of the FCA’s investigation then firms should explain this point to the FCA.

If the FCA is consulted and is satisfied for firms to speak to individuals outside Legal and/or Compliance in order to gather information that is responsive to an information requirement, firms should:

• emphasise the confidential nature of their enquiries when speaking to these individuals and the consequences of confidentiality not being maintained; and
• inform these individuals that they should not speak to anyone else in order to obtain the information sought. These individuals should also be told that, if they think that someone else may be better placed to provide certain information, they should inform Legal and/or Compliance instead of approaching these other individuals directly.

In its newsletter, the FCA says that individuals may be told (subject to obtaining the FCA’s prior consent) that the information they are being asked to provide is ‘required to fulfil an FCA information requirement’. In practice, it may not always be necessary to inform an individual that this is the case in order to obtain relevant information from them.

Confidentiality restrictions that are included in FCA information requirements do not prevent the recipients of those requests seeking advice from their legal advisers and information requirements usually expressly state this point. As a result, the contents of the FCA’s latest Market Watch newsletter does not impact firms’ abilities to receive specialist legal advice in relation to FCA investigations and information requirements.