FCA and PRA enforcement themes and trends (UK)

Back in July 2021, the Financial Conduct Authority (FCA) relaunched itself under its new CEO as a more assertive regulator.

FCA enforcement activity over the last year or so has demonstrated that this was much more than a simple rebranding exercise. There has been a noticeable shift in rhetoric when the FCA talks about enforcement, with a much stronger focus on identifying misconduct early and intervening even before an investigation has been launched.

FCA strategy 2022-25

A tangible expression of the FCA’s new approach is its strategy for 2022-25, where it sets out three key focus areas:

  • Reducing and preventing serious harm.
  • Setting and testing higher standards.
  • Promoting competition and positive change.

The focus on preventing serious harm is, unsurprisingly, where the FCA’s more assertive tone is most prominent. This is the area where the FCA is likely to use its enforcement and intervention powers most regularly.

Enforcement action

In the financial year 2021/22, the FCA imposed fines of GBP577.88 million, its highest total financial penalties since 2015/16, and the Prudential Regulation Authority (PRA) imposed its highest total fines ever of GBP51.93 million. By the end of 2022, the FCA had imposed GBP205.63 million in fines for the financial year 2022/23. This figure excludes fines where the decision notices have been published but a referral has been made to the Upper Tribunal, since the effect of those decision notices has been suspended pending the outcome of the referral. The PRA had imposed a single fine of GBP9.6 million by that same date.

Subjects of enforcement action

Over the last couple of years, the treatment of retail customers has attracted the most enforcement action, amounting to 34% of the total action for the period 1 April 2021 to 30 Sep 2022, with financial advisers, rather than retail banks, having been the target in most cases. Retail conduct cases have always dominated the FCA’s portfolio of enforcement investigations, most likely because of the breadth of issues that get included in that category, including mis-selling, customer scams, pensions transfer advice and financial promotions. The enforcement numbers in this area have been bolstered in recent years by a number of cases brought against firms and individuals in connection with pensions transfer advice.

In addition, financial crime and general systems and controls breaches have dominated the FCA’s enforcement activity (amounting to 27% and 21%, respectively, for the period 1 April 2021 to 30 Sep 2022). The targets of these enforcement actions, in both cases, have generally been brokers and wholesale banks.

That said, the FCA continues to investigate a variety of conduct and sectors. Overall, recent enforcement action by the FCA has covered most types of firms, including asset managers, listed insurers, financial advisers, brokers and wholesale banks, retail banks, consumer credit firms, insurers and claims management companies.

Root causes

Looking behind the headline issues to the root causes of issues that have led the FCA and PRA to take enforcement action against firms over the last couple of years, the same topics crop up time and time again.

Root causes of enforcement action

The main root causes of issues that have led the FCA and PRA to take enforcement action against firms during 2021/22 are:

  • Failing to have adequate escalation frameworks in place or to use frameworks that are available.
  • Having inadequate policies and procedures in place for specific areas.
  • Being on notice of an issue through review and interactions with regulators and failing to adequately address it.
  • Failing to act on specific red flags that should have alerted the firm to an issue.
  • Employees not following policies and procedures in practice.
  • Failing to interpret and therefore implement applicable regulatory requirements correctly.
  • Failing to remedy issues that were known before the start of an enforcement investigation.
  • Failing to roll out adequate training for employees in relation to specific compliance topics.
  • Failing to self-report issues to the FCA or PRA, and in some cases, providing inaccurate information.
  • Operating business or functions in silos, which inhibited effective internal information sharing.

Escalation

The most frequently occurring root cause, by some margin, is escalation. This was a root cause in 47% of the FCA and PRA final notices issued to firms since 1 January 2021, including decision notices in cases concerning breaches of the Money Laundering Regulations 2007 (SI 2007/2157) (2007 Regulations). These cases included situations where firms did not have adequate escalation frameworks in place to ensure that issues or information, or both, are escalated appropriately to senior management and, in some cases, to the FCA and the PRA, or where these frameworks were in place but not used in practice.

This is a clear area of focus for the regulators at the moment, largely driven by the PRA and FCA's view that firms' ability to operate and manage their risk effectively is significantly inhibited if information is not making its way up to senior management. It is also seen as a risk when it comes to the effective flow of information between firms and the regulators, which the PRA and the FCA regard as severely affecting their ability to supervise firms effectively.

Failure to react

A recurring theme in a few of the root causes of enforcement action is the situation where firms are aware, or on notice, of issues through internal or external reviews (including thematic or supervisory visits, skilled person reviews and audits) or through red flags otherwise arising in the course of business, and then fail to address those points appropriately. A failure to react appropriately and in a timely manner is clearly an aggravating factor when the FCA or PRA are considering whether to open a formal enforcement investigation.

Regulatory requirements

A root cause that has started to appear more frequently in enforcement notices published in the last 18 months is failure to interpret and therefore implement applicable regulatory requirements correctly. In some cases, these have been quite complicated legal or regulatory requirements. The current period of frequent regulatory change means that there are plenty of large and complex change management programmes on the horizon, including the introduction of the new FCA consumer duty from 31 July 2023. It would be reasonable to expect the regulators to stay focused on this issue and further enforcement cases involving misinterpretation and misapplication of regulatory requirements are expected to be announced in the next year or so.

FCA consumer duty

The new FCA consumer duty will require firms to act to deliver good outcomes for retail customers. While the FCA has confirmed that it will not be introducing a private right of action for breaches of the consumer duty, at least not for now, its introduction still gives rise to a number of enforcement risks.

It is clear from the final policy statement and from the FCA’s recent messaging that the consumer duty remains a strong strategic priority and is still the centrepiece of the FCA’s retail agenda. The consumer duty is being used to shape FCA messaging in most sectors and across a broad range of issues.

Regulatory emphasis is being placed on firm governance, particularly during the implementation period, and it is clear that significant FCA supervision resource will be put behind the consumer duty. Historically, the FCA has enforced most vigorously in those areas where it supervises most intensively.

Enforcement action could be taken in relation to a breach of the consumer duty's requirements or, more likely in the next year or so, a failure to implement the new rules properly or in time. Lessons learned from other significant regulatory change projects suggest that the FCA will look particularly unfavourably on firms that fail to commit sufficient resources to either implementation or undertaking adequate planning.

Approaches to investigations 

In 2022, the FCA’s number of open enforcement investigations remained steady. However, there has been quite a bit of turnover in that headline figure. Although at the end of the 2021/22 financial year, the FCA had closed its lowest number of enforcement investigations since 2017/18, during that period, the FCA opened a significant number of new enforcement investigations. This is consistent with the FCA’s strategy of opening more enforcement investigations and using them as diagnostic tools, although it seems that the FCA is still not putting its objective of closing more of those enforcement investigations into practice. This strategy was devised by Mark Steward, the FCA’s current executive director of Enforcement and Market Oversight, shortly after he joined the FCA in 2015. In mid-October 2022, the FCA announced that Mr Steward is due to step down from this role and leave the FCA in Spring 2023. The search for his replacement is ongoing, and only time will tell if his successor chooses to continue with his enforcement strategy, or adopt a different approach.

The FCA’s sustained high number of open enforcement investigations exists against the backdrop of the FCA’s declining number of staff. There are, on average, 11% fewer staff working in the FCA’s Enforcement Division now than in 2020/21. This can only mean that fewer staff are available to work the same high volume of cases. The FCA recently changed the way that it reports how long it takes, on average, to complete enforcement investigations, which makes it challenging to see what impact the reduced staff levels are having on the speed with which investigations progress and are completed. Based on the data that has been made available, it looks like it is still taking around two and a half to three years to complete enforcement investigations, which is broadly consistent with previous years.

Following the Covid-19 pandemic, the regulators continue to operate a hybrid model of working. Both the PRA and FCA conduct interviews and periodic investigation meetings in-person, hybrid and online. The availability and appetite for each option tends to vary across investigation teams and often depends on availability.

Following changes to its powers that took effect from 26 November 2021, the FCA’s Regulatory Decisions Committee (RDC) now handles far fewer cases and primarily focuses on contested enforcement cases. However, firms and individuals who refer their cases to the RDC can still expect an additional ten or eleven-month wait for their case to be considered.

Interventions

The FCA has increased its emphasis on interventions, for example, imposing requirements on a firm to do, or refrain from doing, something. In the 2021/22 financial year, FCA own initiative interventions increased by 95% and voluntary interventions increased by 74% compared with the previous three years.

Interventions are often less visible to many regulated firms but they are, in many ways, as significant as the FCA’s more conventional enforcement powers. Typically, only a small proportion of these cases are made public. It will be interesting to see if this changes as a result of the FCA’s new assertive approach.

Interventions can be used to stop a firm from undertaking all or part of its business or to stop firms accepting new customers, where the FCA considers that this is necessary to mitigate a significant risk of harm. The FCA has historically targeted its interventions at “problem firms” but can exercise the same powers against any firm, if it considers the risk of harm to be sufficiently serious.

These powers are not new, but recent changes to internal decision making at the FCA have made them an attractive and nimble tool that can be used more often and more rapidly. Consequently, the trend of increased interventions in relation to a broader range of firms is expected to continue.

PRA approach

With the scope of its powers focused on fewer firms and fewer issues than the FCA, the PRA typically takes a small number of enforcement actions against firms each year. The PRA will take action where the conduct of firms might affect the PRA’s ability to supervise; or where a crystallised risk, action or a public event could have a direct impact on the PRA’s statutory objectives.

The total number of open investigations at the PRA had been increasing over the last four or five years, culminating in 29 open investigations in 2021, which was a record-breaking number for the PRA. That trend seems to have reversed. The PRA now has significantly fewer open investigations; by 7 October 2022, there had been a 41% reduction in the number of open investigations between 2021 and 2022.

At the end of 2021, the PRA announced two significant enforcement outcomes. However, this does not account for the reduction in the PRA’s investigations caseload. Of the 13 PRA enforcement investigations closed between 2021 and 2022, as at 4 November 2022, only three resulted in enforcement action being taken.

In 2021, the PRA levied two fines against firms, totalling over GBP50 million, both for reporting failures. These final notices and other PRA communications suggest a focus on:

  • Preventing inaccuracies in regulatory reporting and returns, and dealing with them effectively when they occur.
  • Ensuring clear and effective internal escalation of issues and information.
  • Ensuring adherence to internal reporting thresholds.
  • Effectively monitoring and keeping pace with complex regulatory requirements.

The last of these will be a particular focus where firms are considering entering new markets or experiencing a period of rapid growth.

In 2022, the PRA levied only two fines, totalling GBP36.7 million: one in relation to historic governance and oversight failures, following a group reorganisation at an insurance business, and one in relation to operational resilience.

Although one of the PRA’s two fines of 2022 related to misconduct in relation to which the FCA also took enforcement action, the PRA appears to be moving away from focusing on joint investigations with the FCA and has a growing appetite for conducting its own standalone investigations; that is, where the FCA is not conducting a parallel investigation into the same misconduct. It will be interesting to observe, over the next couple of years, the extent to which this results in a significant divergence between the two regulators with regard to the way in which they investigate the same or similar issues.

Emerging issues

A number of themes are emerging as areas of interest to the regulators.

Greenwashing

Greenwashing is currently a supervisory focus for the FCA and enforcement action to date has been attributable to other authorities, for example, the Advertising Standards Agency. While formal enforcement action in the UK feels a little way off and the FCA has confirmed that it has no current open enforcement investigations into greenwashing, there may start to be more publicity of FCA supervisory interventions in the next couple of years, followed by enforcement action in the years to follow.

Regulatory reporting

The FCA is increasingly focused on its data strategy as a key part of its regulatory approach. The FCA’s focus on the quality of firm reporting is directly linked to the extent to which it relies on this data for supervision and oversight. As the FCA places ever greater reliance on data, it would be reasonable to expect higher levels of enforcement for reporting failures.

Cost-of-living crisis

The cost-of-living crisis is clearly an area of focus for the FCA, with significant messaging to firms, both in terms of volume and assertiveness, over the last 12 months. Indeed, this messaging has now been pulled together in a dedicated section of the FCA’s website. It seems likely, therefore, that there will be investigations and enforcement action in this space.

Financial crime 

Although financial crime clearly remains a priority for the FCA, the number of open enforcement investigations into financial crime has been declining, from a high of 86 investigations in 2018/19 to a five-year low of only 47 open investigations at the end of the 2021/22 financial year.

Conduct of investigations

The vast majority (81%) of the FCA’s open financial crime investigations are regulatory-only, with dual-track investigations accounting for 18% and criminal-only investigations accounting for only 6%. The FCA also continues to use skilled person reports quite extensively in connection with financial crime issues. Around a quarter of skilled person reports undertaken by the FCA relate to financial crime concerns.

However, in terms of enforcement outcomes, financial crime comes out on top. Since October 2021, eleven fines have been imposed on firms relating to financial crime systems and controls. This represents just under half of all fines imposed on firms in that period, compared with only two financial crime-related outcomes in the previous year. To a certain extent, this is the result of a high number of open financial crime investigations in previous years working their way through the enforcement process and reaching a conclusion. Nonetheless, it is clear that financial crime remains a high priority for the FCA and it remains intent on sending this message.

Horizon scanning on financial crime

Global events mean that the risks of financial crime are increasing and that brings with it the risk that firms’ controls will not keep pace with the risks. As the cost-of-living crisis deepens, the FCA expects some types of financial crime to increase. For example, it expects that more retail banking customers will be attracted into acting as money mules. It also expects higher levels of fraud.

The FCA continues to focus on sanctions-related risks, following the introduction of a suite of sanctions and sanctions law reforms, in reaction to the Russian invasion of Ukraine in February 2022. The Office of Financial Sanctions Implementation (OFSI) is the authority in the UK responsible for enforcing breaches of UK sanctions. However, the CEO of the FCA has stated that if a sanctions breach indicates a material weakness in systems and controls, the FCA will consider taking action alongside any enforcement action taken by OFSI. The FCA has also made it clear that it expects to be notified of all suspected breaches reported to OFSI.

It would be reasonable to expect greater focus from the FCA on new market entrants, such as e-money firms and crypto businesses (see "Crypto-businesses").

Firms with financial crime controls failings may also find themselves increasingly exposed to claims for consumer redress. The Payment Services Regulator is consulting on proposals relating to push-payment fraud which, if implemented, would require sending and receiving payment service providers to jointly share the cost of reimbursing defrauded customers, subject to limited thresholds and exceptions (see "Retail conduct and redress" in the main text).

Penalties

Financial crime penalties continue to be among the highest financial penalties imposed on firms. By the end of 2022, penalties imposed on firms in financial crime cases, since 1 October 2021, totalled GBP619.7 million, including a criminal fine of GBP264 million.

One of the reasons for the high fines is that financial crime cases tend to consider failings that persist over a number of years, affecting substantial businesses, meaning that the relevant revenue considered in the FCA’s penalty calculation tends to be high. In fact, in two of the most recent FCA enforcements, the FCA exercised its discretion to reduce the level of penalty because it considered that the penalty would otherwise have been disproportionately high. However, this will not always be the case: in another case, the FCA doubled the proposed penalty against an insurance broker because it felt that the penalties previously imposed on the firm had not acted as a credible deterrent.

Interestingly, in the FCA’s criminal prosecution for a breach of the 2007 Regulations, the court considered whether to use the company's turnover as a starting point for calculating the criminal fine, but in that case, decided that the amount laundered was a more appropriate starting point for calculating the fine. The bank and the FCA were both supportive of this approach.

International co-operation

Financial crime remains a focus for international regulators and the FCA continues to co-operate with international regulators. The two most recent FCA outcomes relating to anti-bribery and corruption systems and controls failings both also involved fines and disgorgement or restitution to the US Department of Justice.

Focus of enforcement action

Looking at themes in financial crime enforcement, there has been an increase in enforcement under the 2007 Regulations. Four of the financial crime enforcement outcomes announced since November 2021 have related to the 2007 Regulations. The first was the first criminal prosecution by the FCA. The remainder were brought under Principle 2 (due skill, care and diligence) and Principle 3 (systems and controls) of the FCA’s Principles for Businesses. In contrast, there was only one enforcement for breaches of the 2007 Regulations in the prior six-year period, from January 2016 to November 2021. It is possible that this is simply a manifestation of the decision by the FCA, some time ago, to use its powers under the 2007 Regulations more extensively, working its way through the enforcement process.

The FCA is bringing a variety of cases in relation to financial crime, both in terms of the sectors targeted and the underlying financial crime at issue. Cases have covered retail banking and commercial banking, with correspondent banking featuring in two of the FCA’s most recent enforcements, together with brokers and insurance brokers. Cases have involved actual and potential money laundering; bribery and corruption; tax fraud (in three cum-ex related cases); as well as unauthorised regulated activities.

Aggravating factors

A failure to follow FCA published guidance, or issues highlighted by the FCA in decisions published against other firms, is almost always cited by the FCA as an aggravating factor in financial crime enforcement notices. Aside from that, a failure to respond adequately to known issues is probably the most frequently cited aggravating factor.

Business restrictions

In two of the FCA’s recent financial crime enforcements, the firms received mitigation credit for agreeing to voluntary business restrictions targeted at reducing financial crime risks. In the past, the FCA has used business restrictions as a sanction, as part of the penalty imposed on firms for financial failings. However, over the past year or so, these have not featured heavily in sanctions imposed and the FCA appears to be using them more sparingly, recognising the significant impact that business restrictions can have on both firms and consumers. However, the FCA’s greater use of interventions at an earlier stage when they have concerns about a firm’s business (see “Interventions” above) may mean that there is less need to impose business restrictions.

Common weaknesses

The common weaknesses identified in recent financial crime final and decision notices follow closely the root causes of enforcement action (see "Root causes" above). Inadequate investigation or escalation of red flags and concerns was an issue in eight of the eleven FCA financial crime enforcements since October 2021. Other commonly occurring issues include: failing to follow a firm’s own policies and procedures; conducting inadequate customer due diligence, enhanced due diligence or ongoing customer monitoring; and having inadequate policies, procedures or guidance in place.

Market abuse

“Market abuse” is a phrase that is often used to describe a wide range of conduct and offences, including breaches of the Listing Rules. The data included in the FCA’s annual report generally splits market abuse investigations into four categories, based on the primary issue under investigation: insider dealing, market manipulation, misleading statements and breaches of the Listing Rules, Disclosure and Transparency Rules or the Prospectus Rules. In addition to these categories, the FCA investigates the systems and controls that it expects firms to have in place to identify and prevent market abuse.

General enforcement trends

The number of open FCA enforcement investigations relating to substantive market abuse offences such as insider dealing, market manipulation and unlawful disclosure, continues to decline, having fallen by 35% since 2018/19. Outcomes remain low too, with none announced in 2021/22 and only one in 2022. However, the FCA has published three decision notices against individuals in relation to market manipulation, all of which have been referred to the Upper Tribunal, and it appears to have a pipeline of cases nearing completion.

There has been a noticeable uptick in enforcements relating to market abuse systems and controls in 2022, with three significant enforcements announced in 2022. In one of these cases, decision notices were also issued against three of the firm’s former directors, two of whom have been prohibited.

Looking a little further back, the number of open FCA enforcement investigations where the primary issue being investigated is the making of misleading statements has shot up by 154% in the last six years and the FCA is building a successful prosecution record for those offences.

Criminal prosecutions

Market abuse accounts for roughly a third of the FCA’s criminal and dual-track investigations, but the number of convictions secured by the FCA in relation to market abuse remains low. In 2022, the FCA secured the second of two convictions against former executives of an AIM listed company for making misleading statements, contrary to section 89 of the Financial Services Act 2012, as well as various accounting fraud offences.

The conviction rate on FCA prosecutions relating to market abuse is currently sitting at 40% but this is based on a very small pool of cases. Again, the FCA appears to have a pipeline of cases with more activity to be announced during 2023. In addition, in June 2022, the FCA revealed that it was dealing with three cases in which prosecution decisions would be made, relating to ten individuals, before the end of 2022.

Individual accountability

One notable case in 2022 involved a listed issuer that was censured by the FCA for recklessly publishing announcements that were misleading and did not accurately disclose the true performance of the company. The FCA also issued decisions against three former directors of that company for being knowingly concerned in the company’s breach under section 131AD of the Financial Services and Markets Act 2000 (FSMA).

All three individuals have referred the FCA decisions made against them to the Upper Tribunal on a number of different grounds, the most interesting being the relevant test for an individual being “knowingly concerned” in a company’s breach, in the context of market abuse. The individuals in these cases argue that the FCA must demonstrate that they actually knew the announcements were false, whereas the FCA considers that it is enough to demonstrate that the individuals knew of the information contained in the announcements and should have known that the announcements were misleading.

The FCA will be concerned to ensure that the decision in this case does not support directors who turn a blind eye or fail to engage meaningfully with their responsibilities.

Systems and controls

The headline decline in the number of substantive market abuse cases is interesting but it would be a mistake to infer from these numbers that the FCA’s focus on tackling market abuse is declining. It is clear, for example, from the FCA’s Strategy for 2022-25 that tackling market abuse remains a key strategic priority for the FCA.

Market abuse surveillance is probably the area of the FCA that is most forward-looking with regard to its use of data and technology. The FCA has dedicated specialist supervision teams in its Market Oversight division, focused specifically on market abuse and this still constitutes a significant organisational investment.

The FCA has long been seeking to push into more complex and challenging areas, beyond insider trading in equities, and this might account for some of the trends that can be observed.

The FCA’s own market surveillance is partly dependent on the data that it receives from firms, including suspicious transaction and order reports (STORs). The FCA had been concerned about under-reporting of STORs during the Covid-19 pandemic. The number of STORs filed is increasing, by 15% in 2021, but is not yet back to pre-pandemic levels. Despite the FCA warning that it expects to see more STORs filed in relation to non-equities asset classes, the vast majority of reports (93%) filed in 2021 related to suspected insider dealing and equities.

The FCA has issued multiple warnings about the importance of firms’ market abuse surveillance controls and these are now being translated into enforcement action. Many of the common themes mirror those highlighted in relation to financial crime controls (see "Common weaknesses" above). Issues unique to market abuse surveillance include: relying on inadequate or out-of-date market abuse risk assessments; using automated monitoring systems that have not been configured to the firm’s market abuse risk assessments; and failing to accurately or promptly file STORs.

Crypto-businesses

Enforcements and other regulatory interventions in the crypto space have been limited to date. With the vast majority of crypto-related activity falling outside the FCA's regulatory perimeter, this is not surprising, but will likely change as the perimeter expands.

On 1 February 2023 HM Treasury launched a consultation on the future financial services regulatory regime for cryptoassets, which envisages a phased approach to regulating crypto businesses, eventually bringing much of it within the FCA’s enforcement perimeter. In the meantime:

  • Work is already underway to extend the newly enhanced financial promotions regime applicable to high-risk investments so that it also applies to promotions relating to cryptoassets.
  • In keeping with its general approach to tackling financial crime, the FCA has warned more traditional, authorised firms of their obligations not to support or assist crypto-related businesses in any way that might be illegal or in breach of authorised firms’ regulatory obligations.
  • It is expected that the FCA will continue to filter out relevant crypto-businesses that are unable to meet the requirements of the Money Laundering Regulations 2017 (SI 2017/692) (2017 Regulations), through the authorisations gateway. The FCA has authorised just 41 of the hundreds of crypto-related businesses required to register with it for money laundering and counter terrorist supervision purposes since January 2020. This probably reflects the FCA’s perception of the systems and controls and governance arrangements in crypto-businesses more generally.

It is clear that the FCA will be keeping a very close eye on those crypto businesses that do make it through the authorisations gateway. In 2022, it established a number of new teams, focusing on online businesses, firms new to the regulated sector and, in enforcement, early interventions. In addition, the FCA’s appetite for enforcement under the 2017 Regulations is strong and will, no doubt, have been reinforced by the high number of enforcement outcomes announced in the last twelve months or so.

Retail conduct and redress 

Although retail conduct cases still dominate the FCA’s portfolio of open enforcement investigations, there has been a slowdown in the number of retail conduct enforcement actions against larger firms.

Redress

The FCA has imposed GBP268 million in financial penalties on firms for retail misconduct since 1 January 2019. However, the largest costs associated with retail conduct cases are almost always attributable to mandatory or voluntary redress schemes. The landscape in this area has been steadily changing for several years, with increasing pressure being put on firms to pay redress to impacted customers in an increasingly broad range of situations.

In one example, the FCA essentially required a bank to voluntarily act in a role akin to the insurer of a rogue financial adviser who was one of the bank’s corporate banking clients and was found to have committed fraud against his own customers, as the FCA considered that the bank should have identified and taken steps to prevent the fraud. Other developments include: the Payment Services Regulator's consultation on compensating victims of push-payment fraud; the FCA’s confirmation that it will launch its second ever scheme of redress under section 404 of FSMA in early 2023 in relation to advice relating to the British Steel Pension Scheme; and the FCA accepting or encouraging debt forgiveness as a form of redress (see box "Horizon scanning on financial crime").

The way that redress schemes are administered is also changing. The FCA is requiring firms to appoint skilled persons to conduct and administer redress programmes on a more frequent basis, rather than allowing firms to do this themselves or with the help of professional advisers that are appointed outside of the skilled person review framework.

It is not always the case that a firm providing redress will receive mitigation credit from the FCA. The FCA is scrutinising in a lot more detail how proactive, effective and generous a redress scheme is, and this tends to dictate whether and how generous any mitigation credit will be.

Operational resilience

Operational resilience is a key focus for both the PRA and the FCA, and current market and geopolitical events have only intensified that focus.

In March 2021, the PRA and FCA published new rules aimed at building firms’ operational resilience. Firms should now have identified their important business services, set impact tolerances and identified vulnerabilities. Firms have until March 2025 to perform mapping and testing and to effectively implement the rest of the rules. Like the consumer duty, these new operational resilience rules are a significant development and, for similar reasons, will come under intense scrutiny from the regulators over the next couple of years. Firms are exposed to two key enforcement risks:

  • That the systems and controls they develop will prove inadequate.
  • That their implementation programme is found not to be adequate or that inaccurate information is communicated to the regulators about the status of a firm’s implementation programme.

Both regulators are concerned about the growing role that third-party service providers, including cloud service providers, play in the financial services sector. The Bank of England, PRA and FCA have jointly consulted on proposals to bring these service providers within the regulatory perimeter. A further consultation is expected in 2023. The current proposals would enable the regulators to issue directions, appoint skilled persons and impose rules over those critical third-party service providers. If these proposals come into effect, they will significantly extend the powers of the regulators to take action in this area.

Other areas of operational resilience currently under scrutiny include sanctions and cyber security. In the case of sanctions, risks exist both in relation to ensuring compliance with new and existing sanctions imposed by the UK, US and EU, and in relation to the adequacy of systems and controls in place to spot, escalate, resolve and report issues. Both the PRA and FCA have repeatedly warned of the increased risk of cyber attacks, particularly since the Russian invasion of Ukraine. Firms that suffer an attack and have not taken adequate steps to guard against the perceived increased risk are at high risk of assertive enforcement action being taken against them.

Senior managers

Levels of enforcement action under the senior managers regime remain modest. As at March 2022, the FCA had 50 senior managers under investigation, which is more than double the figure for the same time in 2021. However, this still represents a very small proportion of the more than 70,000 senior managers operating in the industry today. In fact, the increase in enforcement investigations is most likely attributable to an increase in the total number of senior managers, which has increased quite significantly over the last few years as more firms have become subject to the senior managers regime.

To date, only one senior manager has had enforcement action taken against them by both the FCA and the PRA. This case concerned a breach of individual conduct rule 2 (the requirement to act with due skill, care and diligence). As a result, there has not yet been an enforcement case that tests the application of the senior manager conduct rules, the duty of responsibility and the obligation to take reasonable steps in an enforcement context.

Despite a lack of direct enforcement against senior managers, the FCA and the PRA often criticise senior management in general terms in the notices that they issue about their firms. These criticisms cover a range of topics but, based on recent decisions that have been published, the FCA remains concerned about committees not operating effectively to help senior managers discharge their obligations, either in the way that the committee operates, or does not operate, or through poor record keeping. Management information is a key tool relied on by senior managers to enable them to exercise effective oversight over their areas of responsibility. There have been plenty of cases in 2021 and 2022 where the regulators have been critical of the quality or accuracy of management information, or where senior management have not used this information effectively, or at all.

Other areas of weakness identified by the FCA in recent enforcement notices include: lack of clarity about or failure to obtain senior management approvals; lack of escalation of issues and information to or between senior managers; lack of meaningful senior management engagement in key issues and decisions; and failure to clearly assign roles, responsibilities and reporting lines.

Individuals subject to SMCR and code of conduct

It is a similar story for enforcement action for other individuals who are subject to the senior managers and certification regime (SMCR). The FCA has only 16 certified person or conduct rules staff members under investigation but it can be expected that this number will start creeping up soon.

Neither the FCA nor the PRA have taken enforcement action against any certified person or conduct rules staff members, but the FCA has announced that it is proposing to take enforcement action against several former employees of a bank for breaching individual conduct rule 1 (the requirement to act with integrity) for allegedly producing a presentation that set out how a client could engage in market manipulation.

The number of individuals reported to the FCA as having been assessed by their firms as breaching the FCA's code of conduct was over 33 times higher in 2021 (3072) than in 2016 (92). This is partly because more firms are now subject to the SMCR but it is also likely to reflect the fact that firms are becoming more confident in assessing breaches of the conduct rules and in identifying conduct and misconduct that falls within scope.

The FCA continues to scrutinise firms’ decisions in relation to breaches of the code of conduct, especially in borderline cases or where the issues that feature in cases are high on its regulatory agenda. There is also a clear regulatory expectation that, where possible, firms will assess breaches of the code of conduct for former employees. At the same time, employees who are found to have breached the code of conduct, and the lawyers who advise them, are becoming more litigious in challenging firms’ regulatory findings about them.

Personal misconduct

There has been a shift in the types of personal misconduct arising in internal and regulatory investigations before, during and after the Covid-19 pandemic, partly reflecting the different methods of working during these three periods. As firms adapt to hybrid working models, and work travel and entertainment recommences, the types of misconduct that commonly trigger internal or external investigations include breaches of gifts and entertainment policies and false expense claims.

Personal devices

Use of unauthorised devices and messaging platforms has been attracting a lot of attention from U.S. regulators and law enforcement in 2022 and a number of firms have been fined considerable sums by the U.S. Securities and Exchange Commission, where employees have been found to be using unauthorised encrypted messaging apps for business communications.

Back in 2017, the FCA took action against an individual for sharing confidential information with third parties on WhatsApp. More recently, the FCA confirmed that it was actively discussing personal device and encrypted messaging application use with UK authorised firms. It also highlighted this issue in a recent fine against a broker for financial crime failures. In that case, the FCA was concerned about the use of encrypted chat apps on brokers’ personal mobile phones to communicate with each other and take orders from clients, without the knowledge or approval of the firms’ compliance function. The FCA considered that the firm had inadequate systems and controls in this area, including a lack of policies and procedures setting out any restrictions on employees using their personal devices or encrypted messaging applications for this purpose.

It would be reasonable to expect this issue to come up more frequently, most likely as part of a case focusing on wider systems and controls failures or market misconduct. It is understood that the FCA has alighted on this issue in several of its ongoing market conduct investigations.

Non-financial misconduct

The regulators are also interested in firms’ approaches to handling and investigating non-financial misconduct, for example, allegations of sexual misconduct, bullying, harassment and discrimination.

In March 2022, Lloyd’s of London took action against an underwriting firm for a collection of failures and shortcomings relating to the way that it investigated and handled allegations of bullying and discrimination. These included: senior management being seen to turn a blind eye to poor employee misconduct; shying away from investigating the misconduct or instigating disciplinary processes; inadequately protecting employees who raised concerns; inappropriate use of settlement agreements to avoid taking action against implicated employees; and senior management participation in, or tolerance of, inappropriate conduct, including at work events.

While this action was taken by Lloyd’s of London, it is reasonable to assume that the FCA would adopt a similar position if it identified firms that were not handling allegations of non-financial misconduct in an appropriate way.

Diversity and inclusion

The FCA and PRA are yet to publish their long-awaited rules on diversity and inclusion (D&I), originally promised in the third quarter of 2022 in the joint FCA, PRA and Bank of England discussion paper (DP21/2). The timing for the publication of these proposed rules currently stands at early 2023. However, their previous discussion paper and comments made in FCA board minutes in May 2022 give some indication of what to expect; that is, a greater focus on consistent data gathering and submission by firms to the regulators, and scrutiny of that data by the regulators.

The FCA considers that the financial services sector still needs to make significant progress in this area, particularly in relation to gender and ethnicity pay gaps, and parts of the industry where diversity is lacking at senior levels. The proposals aim to further the FCA’s three operational objectives by putting D&I at the core of firms’ culture and practices. It seems likely that some form of regulatory collection and reporting of diversity data will be required. However, the new rules are expected to include an element of proportionality, which should ease the burden on smaller firms.

D&I has been part of the FCA’s supervision agenda for a while but it lacked teeth and felt intangible in day-to-day supervisory interactions with firms. DP21/2 and the anticipated rules are important steps in establishing the FCA’s licence to take action in this space and will give FCA supervision teams more confidence to engage with the subject. Firms should expect future conversations with regulators on D&I to be more frequent and feel more tangible, for example, with greater scrutiny of board appointments and assessments of senior managers, including through the FCA’s formal interview process.

From an enforcement perspective, it seems unlikely that the FCA will pursue standalone D&I cases but it is starting to look at D&I issues as potential root causes for more traditional regulatory breaches, such as whether a lack of diversity in part of a business led to poor risk management decisions, or "group think".

Conflicts of interest

The recent FCA enforcement activity in relation to conflicts of interest issues is perhaps not as surprising as the period of inactivity that subsisted between 2015 and 2021. This is an issue that has long been a focus for the FCA, particularly in relation to wholesale markets.

The FCA views poorly managed conflicts of interest as the most significant driver of consumer harm in wholesale markets.

Recent FCA enforcement decisions, one of which is being challenged by the firm in the Upper Tribunal, have focused on the identification of actual and potential conflicts of interest; how decisions are taken about conflicts of interest, and by whom; and management of conflicts of interest, including by disclosures. This is an area where the FCA’s perception is that firms really need to improve, particularly in the asset management sector.

An assertive approach

The UK appears to be heading into a more challenging enforcement environment with an unhappy confluence between a number of the regulators’ key areas of focus, particularly the protection of consumers, market abuse, financial crime and operational resilience, and the impact of current market, societal and geopolitical events. This significantly increases the risk of employee misconduct, consumer detriment and weaknesses being highlighted in some firms’ systems and controls. When combined with the FCA’s stated intention to be more assertive, it seems likely to lead to more investigations and enforcement by the regulators.

This article first appeared in the January/February 2023 issue of PLC Magazine: https://uk.practicallaw.thomsonreuters.com/Browse/Home/Resources/PLCMagazine.