FCA takes enforcement action against broker for market abuse identification and reporting failures – behind the headlines

This article dives deep into the notices published against Sigma and three of its directors to consider the lessons to be learnt in relation to market abuse reporting, but also the wider implications relating to: FCA enforcement focus; reviewing the adequacy of controls for new and rapid-growth business areas; clear allocation of responsibilities at senior management level; taking “reasonable steps” when delegating and relying on others; and use of personal devices and encrypted messaging applications.

Background

Firms executing transactions in financial instruments on regulated or prescribed markets must send accurate and complete transaction reports to the FCA on a timely basis, as required by the FCA’s Supervision manual (SUP). The FCA’s rules also prescribe what information these transaction reports must contain.

Until 2 July 2016, SUP also required firms that arranged or executed a transaction with or for a client and which had reasonable grounds to suspect that the transaction might constitute market abuse to notify the FCA without delay (SUP 15.10.2R). These reports were known as suspicious transaction reports (STRs). Since 3 July 2016, when the EU Market Abuse Regulation (596/2014) (EU MAR) came into force, firms were subject to a similar obligation which extended to both suspicious orders and transactions (Article 16(2), EU MAR). This requirement continues to apply post-Brexit, under the onshored version of EU MAR (UK MAR). These reports are called suspicious transaction and order reports (STORs).

Facts

Sigma

Sigma is a brokerage firm. Its core business offered clients futures and options trading. In December 2014, Sigma decided to expand its client offering to include, amongst other products, contracts for difference (CFDs) and spread-bets. This expansion of Sigma’s business resulted in a significant change to its risk profile. Sigma recruited several brokers to work on a new CFD trading desk (CFD Desk). These traders had established customer bases and their remuneration was based largely on the level of fees that they generated.

Between early 2015 and 2016, Sigma increased the number of CFD trades that it executed by over 200%. However, it continued to rely on a manual trade surveillance process without any automatic electronic monitoring tools or basic case management software.

Identification of concerns about Sigma

In early 2016, the FCA’s Market Reporting Team identified some “transaction reporting anomalies” at Sigma relating to the accuracy and completeness of its transaction reporting.

The FCA raised these “anomalies” with Sigma and instructed a specialist firm to review a sample of the reports that it had submitted to the FCA in order to assess its compliance with the rules in SUP. This work led to the discovery that Sigma had failed to report any CFD and spread-bet transactions since the CFD Desk was established in December 2014.

During a supervisory visit to Sigma in June 2016, the FCA identified “further causes for concern as to whether Sigma was complying with regulatory standards”. These concerns led to Sigma voluntarily applying for the imposition of certain restrictions on its permissions relating to the CFD Desk.

Enforcement action taken against Sigma

The starting point for the FCA’s enforcement action against Sigma, which covered the period 1 December 2014 to 12 August 2016 (relevant period), were failures relating to its compliance with regulatory reporting requirements in SUP and EU MAR.

However, the FCA made a range of associated findings about Sigma’s systems and controls, which led to it finding that Sigma had also breached Principle 3 of the FCA’s Principles for Businesses (Principle 3).

Transaction reporting

The FCA found that, during the relevant period, Sigma failed to report, or to accurately report, an estimated 56,000 transactions relating to the activities of the CFD Desk.

These failings (which Sigma said arose from a “genuine misunderstanding” dating from when the CFD Desk was established) included the following, among other things:

• There was a mismatch between the instrument description and the derivative type in CFDs The description in transaction reports ended with “SB” indicating a spread bet, whereas these transactions were actually CFD hedges against a brokerage firm.
• CFDs were reported in GBP currency although the price stated reflected the pence at which the stock traded (for example, for one transaction, Sigma reported a price of GBP164.56 instead of 164.56p).
• Sigma executed its client trades in CFDs and spread-betting products using a ‘matched principle’ methodology, meaning that for each trade executed two trades were in fact executed. Although this methodology is permitted, Sigma only reported the hedging portion of its CFD activity, and not its client-side as should have been the case.

The FCA attached particular weight to this final point. It noted that Sigma’s failure to report the client-side of its CFD activity materially impacted its ability to carry out effective market surveillance because without client-side transaction reports, the FCA is unable to differentiate transactions carried out by each individual and is left with an incomplete picture of each individual’s trading activity across different accounts and firms.

The FCA found that Sigma’s failure to submit certain transaction reports breached SUP 17.1.4R and that its failure to accurately submit other reports breached SUP 17.4.1EU and SUP 17 Annex 1 EU.

Reporting suspicious transactions and orders

The FCA’s records showed that Sigma had not filed any STRs or STORs with it during the relevant period. Given this, in February 2017 Sigma reviewed all transactions the CFD Desk had executed during the relevant period to determine whether it should have filed any STRs or STORs. This review identified 97 suspicious transactions or orders (none of which had previously been identified by Sigma), which should have been collectively reported to the FCA in 24 STRs or STORs.

The FCA noted that, during the relevant period, Sigma had filed two Suspicious Activity Reports (SARs) with the UK National Crime Agency (NCA) to report suspected money laundering offences. Even though one of these SARs related to a suspicious transaction, Sigma had not also submitted a STR or a STOR to the FCA.

The FCA identified as the root cause of this failing that Sigma “lacked an understanding of its regulatory obligations in respect of market abuse and in particular the fundamental difference between the STR/STOR regime and the SAR regime”. In particular, the FCA found that:

• No formal policy or procedure. Sigma had no formal policy or procedure in place regarding the escalation or consideration of suspicious transactions. There was an “informal but widely accepted custom” that members of the CFD Desk would verbally communicate any suspicions about transactions to more senior colleagues, who would then take a view before deciding whether to raise a transaction verbally with Sigma’s Chief Executive. The FCA described record keeping relating to these discussions as “largely non-existent” and Sigma kept no records to show why it decided not to submit a STR or STOR in specific cases.
• Ineffective and informal In May 2015, a senior member of the CFD Desk reminded other traders on the CFD Desk by email that they should escalate suspicious transactions to one of its more senior members in writing. However, no guidance was given as to what might constitute a suspicious transaction, or how the traders should identify one. Following this reminder, only eight escalations were made to the senior member of the CFD Desk and none of these resulted in Sigma filing STRs or STORs with the FCA.
• Unclear responsibility for “real-time” monitoring of the CFD During the investigation, Sigma told the FCA it had assigned to a specific employee responsibility for “real time” monitoring of the CFD Desk and that this employee would “report any suspicious transactions to Compliance for further evaluation”. However, Sigma did not record these responsibilities in any of its policies and procedures and did not formally allocate them to the employee in question. During an interview with the FCA, the employee in question denied having responsibility for market abuse surveillance, and instead asserted that this responsibility sat with another employee.
• Failure to implement EU MAR. The FCA found that Sigma failed to take any preparatory steps for the introduction of EU MAR on 3 July This included not taking any steps to ensure it was in a position to identify and report suspicious transactions and orders (the latter of which was a new requirement under EU MAR).
• Lack of post-trade The FCA found that there was confusion about who was responsible for post-trade surveillance to identify potentially suspicious trading activity relating to the CFD Desk. This meant that, in practice, no-one was performing this role.
• Inappropriate reliance on manual Sigma relied on “manual oversight of its CFD trading”. The FCA found that the lack of proper analysis or case management tools “hindered [Sigma’s] ability to capture types of suspicious activity and to identify patterns effectively”. The FCA stated that, given the daily volume of trades executed by the CFD Desk, Sigma should have implemented an in-house solution to collate trading data, and to track and evaluate emerging suspicions.

Overall, the FCA concluded that Sigma lacked an understanding of its regulatory obligations in respect of market abuse and, in particular, the fundamental difference between the STR/STOR regime and the SAR regime. The failings summarised in the final notice created “widespread uncertainty and misunderstanding amongst Sigma staff as to [its] regulatory obligations regarding market abuse, which transactions should be regarded as suspicious, when such transactions should be escalated, and to whom”.

The FCA found that these failings led to Sigma breaching:

• SUP 15.10.2R, by failing to report 17 STRs to the FCA between 1 December 2014 and 2 July 2016.
• Article 16(2) of EU MAR, by failing to report seven STORs to the FCA between 3 July 2016 to 12 August 2016.

Sigma’s systems and controls

Principle 3 required Sigma to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The FCA found that Sigma breached Principle 3 in a variety of ways, including in relation to its governance arrangements, Compliance function and policies and procedures.

Board governance

During the relevant period, Sigma had three directors (against whom the FCA also took enforcement action). The FCA found that Sigma’s board had no terms of reference (or equivalent document) setting out its responsibilities and against which Sigma’s directors could measure whether they were fulfilling their roles and exercising effective governance oversight.

In addition, the board did not meet formally or regularly during the relevant period. Sigma described holding informal meetings with “ad hoc discussions held between each director and other members of senior staff”. However, no formal minutes were taken of these meetings, meaning that Sigma held no record of attendees, the matters discussed or the nature of any challenges or decisions made. The FCA concluded that Sigma was unable to demonstrate the proper functioning of its board or the presence of any effective oversight of the CFD Desk.

Management information

The FCA found that Sigma’s board did not receive any structured management information (MI) that enabled it to understand the business of the CFD Desk. For example:

• Sigma could not provide the FCA with any board packs or briefing notes, or any evidence that employees (including those in its Compliance function) had briefed the board on the operations of the CFD Desk.
• A senior employee sent a memo to Sigma’s directors in November 2014 that, among other things, recorded a need to review and update certain compliance policies and procedures, as well as produce new policies and procedures to cover the activities of the CFD Desk. The FCA found that, despite these concerns being brought directly to the board’s attention, there was no evidence that the board monitored their progress or sought regular updates from those employees delegated to address them.
• In December 2014, a risk added to Sigma’s risk register stated that there was a lack of up-to-date and/or comprehensive policies and This risk was rated as critical, which was defined as “high likelihood of regulatory censure and/or remedial action requiring significant expenditure or timescale”. Despite the seriousness of this risk, Sigma could produce no evidence to the FCA that during the relevant period the board monitored this risk or recorded the steps being taken to address it.

The FCA stated that, even if the board received oral briefings covering these or similar matters, there was “no adequate record of what was said or any decisions that were reached to progress the concerns raised, because no minutes were taken”. From January 2015, Sigma’s Compliance team started to produce quarterly updates intended for the board which set out actions that needed to be taken in relation to the CFD Desk. However, the FCA identified no evidence that the board actually used these updates to effectively monitor and oversee progress on the actions that were raised.

Allocation and performance of FCA controlled functions

Two of Sigma’s directors were also approved by the FCA to perform the CF10 (Compliance Oversight) and CF11 (Money Laundering Reporting Officer) roles. The FCA found that Sigma allocated these roles to the directors with little regard to their capabilities, training or previous experience. For example:

• Stephen Tomlin performed the CF10 (Compliance Oversight) role. The FCA found that he did so “with reluctance” due to his lack of any previous compliance experience, but that he agreed to do so because there was no other suitably qualified person within Sigma to do During his interview with the FCA, Mr Tomlin explained that, although he had been comfortable performing the CF10 role in relation to certain aspects of Sigma’s business due to his industry experience, he had never been comfortable doing so in relation to the CFD Desk and that he intended to pass the role to someone with more appropriate experience than himself.
• Simon Tyson, Sigma’s then Chief Executive, performed the CF11 (Money Laundering Reporting Officer) role, despite having no relevant qualifications or having undertaken any training in relation to SARs, financial crime or market abuse. During his interview with the FCA, Mr Tyson said that he wanted both himself and Mr Tomlin to stop performing the CF10 and CF11 roles because “it was not a fair reflection of who did the work on a day-to-day basis and who had the relevant knowledge within the firm”. In 2015, a decision was taken to transfer the CF10 role from Mr Tomlin to Mr Tyson, but Sigma failed to notify the FCA or seek its approval for any such transfer of responsibilities between Mr Tomlin and Mr Tyson.

Beyond the allocation of the CF10 and CF11 roles, the FCA found that there was no clear documented allocation of responsibilities among Sigma’s board members.

Risk assessment before the commencement of the CFD Desk’s activities

Although the establishment of the CFD Desk materially changed Sigma’s risk profile, Sigma failed to perform an adequate risk assessment before expanding its business into this higher risk business area. Sigma’s board had no prior experience of or expertise in relation to CFDs and spread bets. They did not take any steps to educate themselves about these products or the risks associated with them (for example, through Compliance resourcing or additional training).

Compliance oversight and delegation of responsibilities

During his interview with the FCA, Mr Tyson (who performed the CF11 role) acknowledged his own limited understanding of the activities of the CFD Desk. However, he claimed he had appropriately delegated oversight of the CFD Desk’s activities to other employees within Legal and Compliance.

As the delegations described by Mr Tyson were not clearly documented, there was uncertainty over which responsibilities had been delegated and to whom. For example, the other employees to whom Mr Tyson said he had delegated responsibilities relating to the CFD Desk denied during interviews with the FCA that this was the case.

Mr Tomlin told the FCA that the CFD Desk fell entirely outside his CF10 responsibilities and that he was not involved in compliance issues that arose in relation to it. For example, he did not know what systems and controls were in place regarding surveillance of the CFD Desk or what practical arrangements were in place to investigate potentially suspicious transactions and orders. Mr Tomlin was also unaware of who was responsible for these areas, or whether Sigma had filed any STRs or STORs with the FCA in relation to the CFD Desk’s activities. Overall, Mr Tomlin said that the CFD Desk was “run as a separate company” by Mr Tyson.

Sigma’s Compliance function

During the relevant period, there was only one employee in Sigma’s Compliance function. He had no prior experience of CFDs and did not consider that his responsibilities covered the activities of the CFD Desk. Other employees, however, denied having these responsibilities. These conflicting accounts led to the FCA finding that the compliance arrangements relating to the CFD Desk were “unclear and confused”, as well as inadequately documented.

The FCA stated that Sigma should have recruited suitably qualified compliance staff to cover the CFD Desk or provided training to existing employees so that they could fulfil this role. The FCA also found that concerns over inadequate and ineffective compliance resourcing for the CFD Desk should have been escalated within Sigma and remedied.

Sigma’s Compliance function maintained a policy document, entitled “Compliance Monitoring Programme”, which described its purpose as one of the means by which Sigma could monitor its activities on a periodic basis to ensure it remained compliant with relevant regulatory requirements. The Compliance Monitoring Programme included financial crime and market conduct, but Sigma could not provide the FCA with any evidence to show that any review or monitoring of the CFD Desk’s activities occurred.

CFD Desk policies and monitoring of broker conduct

Sigma was unable to provide the FCA with a clear picture of which policies and procedures it had in place with respect to the activities of the CFD Desk during the relevant period. Even where Sigma did have policies in place, many of them did not record when they were implemented or when they may have been revised, if at all. For example:

• There was no written policy or procedure in place regarding the escalation or consideration of suspicious transactions by members of the CFD Sigma’s Market Conduct Policy and Procedure referred only to procedures for reporting a SAR if a suspicious transaction was identified.
• Sigma did not monitor any telephone conversations held on recorded lines, contrary to its own compliance
• There were no formal written policies prohibiting the use of unrecorded devices to take instructions from Sigma’s clients, nor was there any training provided on restrictions about the use of personal devices to communicate with customers in breach of FCA requirements (namely COBS 8.5AR). The FCA observed that brokers on the CFD Desk were using encrypted messaging applications on their personal devices to communicate with, and take orders from, clients without the knowledge of or approval from Compliance.
• Brokers on the CFD Desk had power of attorney (PoA) arrangements with clients, which were neither declared as a conflict of interest nor monitored by Compliance. One broker on the CFD Desk had a PoA over the trading account of a family member from whom he had received loans which totalled over GBP100,000 during the relevant These loans were not recorded in Sigma’s gifts and inducements register or reported to Compliance.

Commission based remuneration

The FCA observed that, against the background of the various deficiencies identified in Sigma’s systems and controls, its commission-based remuneration structure incentivised brokers on the CFD Desk to focus on their trading activity “to the potential detriment of promoting the identification and escalation of potential market abuse”. Brokers on the CFD Desk did not receive a salary, but instead were entitled to up to 60% of the net revenue generated by their clients as commission.

The FCA acknowledged that similar remuneration structures are not uncommon across the industry, but that they may bring with them conflicts that should be mitigated. For example, the FCA observed that brokers dependent largely on commission income may be reluctant to escalate concerns regarding trading by high revenue generating clients. The FCA found that the conflicts that existed in relation to the brokers on the CFD Desk were exacerbated by the fact that many of them maintained close personal relationships with their clients.

In addition, Mr Tomlin’s only income from Sigma during much of the relevant period was derived from his trading, creating a potential further conflict in the performance of his CF10 role which should have been appropriately managed.

Enforcement action taken against Sigma’s directors

The FCA also took enforcement action against three of Sigma’s directors:

• Mr Tyson, Sigma’s former Chief Executive, who was approved by the FCA to perform the CF3 (Chief Executive), CF1 (Director) and CF11 (Money Laundering Reporting Officer)
• Mr Tomlin, a former director, who was approved by the FCA to perform the CF1 (Director) and CF10 (Compliance Oversight) roles.
• Matthew Kent, a current director, who was approved by the FCA to perform the CF1 (Director)

Findings common to all directors

The FCA found that all three directors breached Principle 7 of its Statements of Principle and Code of Practice for Approved Persons (APER Principle 7), which required them to take reasonable steps to ensure that the business of Sigma for which they were responsible complied with the relevant requirements and standards of the regulatory system.

The reasons for this breach were broadly consistent across all three directors. The FCA found that the directors (individually and collectively) failed to take reasonable steps to ensure that Sigma complied with Principle 3 by having adequate systems and controls in place that were sufficient to enable its board to review in a structured fashion the business activities of the CFD Desk, and to ensure that Sigma complied with its transaction reporting obligations under SUP and EU MAR.

In particular, the FCA found that all three directors failed to ensure that:

• Board meetings were held with sufficient regularity to enable the board to exercise effective oversight of Sigma’s business.
• Board minutes were maintained that were sufficient to record the matters discussed and decisions
• They received adequate management information to enable them to properly oversee, understand, and where appropriate challenge Sigma’s business This included MI regarding the CFD Desk’s activities to enable the board to reasonably satisfy itself that Sigma was complying with its regulatory reporting obligations under SUP and EU MAR.
• An adequate risk assessment was undertaken before the commencement of the CFD Desk’s business activities.
• They had reviewed or approved any policies and procedures describing the CFD Desk’s reporting and monitoring
• They received any, or any adequate, reports on the nature of the CFD Desk’s reporting and monitoring activities, the numbers of suspicious transactions and orders that the CFD Desk was escalating to Compliance, or the number of STRs or STORs that Sigma was filing with the FCA.
• Sigma had taken adequate preparatory steps for the introduction of EU MAR in July 2016.
• There was any structured probing of any compliance issues by members of the board, or any engagement on their part in compliance matters.

The FCA described these arrangements as being “wholly inadequate to furnish the board with the information it needed to play its part in identifying, measuring, managing and controlling the risks associated with the CFD Desk’s activities such as market abuse, insider dealing, market abuse and financial crime”.

In its findings concerning Mr Tyson and Mr Kent, the FCA also found that, to the extent that the board had delegated responsibilities relating to transaction reporting to Mr Tomlin in his capacity as the CF10, they did not have reasonable grounds for believing that Mr Tomlin had the necessary competence, knowledge or skill to deal with these responsibilities. The FCA also found that they failed to take reasonable steps to satisfy themselves that Sigma’s procedures for complying with its reporting obligations, whether delegated to Mr Tomlin or others, were operating satisfactorily.

Additional findings made about Mr Kent

The FCA also found that it was not reasonable in the circumstances for Mr Kent (who only performed the CF1 (Director) role) to rely entirely, or almost entirely, on the other members of the board (that is, Mr Tyson and Mr Tomlin) to discharge its function of governance and oversight. This was especially so when he failed to take any reasonable steps to satisfy himself that they were doing so in compliance with regulatory requirements.

The FCA took the opportunity to issue a reminder that APER Principle 7 means that there is a responsibility on individual directors to take reasonable steps to ensure that a firm complies with its regulatory obligations. Although Mr Tyson (as CF3 and CF11) and Mr Tomlin (as CF10) had specific responsibilities in this regard, the FCA noted that this did not absolve Mr Kent from obtaining a sufficient understanding of Sigma’s business, the key issues that were likely to arise out of the CFD Desk’s business and the manner in which they were being addressed. The FCA found that Mr Kent, in common with Mr Tyson and Mr Tomlin as the other members of Sigma’s board, had ultimate responsibility to manage these matters.

The FCA also referred to what it described as a “clear obligation” on the part of Sigma’s board as a whole to challenge the actions of individual directors performing particular functions and to ensure that there were processes in place whereby it could receive the necessary information to do so. The FCA found that Mr Kent failed to discharge this obligation in practice when it came to his interactions with Mr Tyson and Mr Tomlin.

Additional findings made about Mr Tomlin

In light of his role as the CF10, the FCA made additional findings about Mr Tomlin. In particular:

• The FCA identified that Mr Tomlin had committed further breaches of APER Principle 7, as he failed to take reasonable steps to ensure that:
  • the roles and responsibilities within the Compliance function, and those employed by the CFD Desk who assisted with certain transaction reporting and monitoring activities, were adequately recorded and communicated such that they were clear and properly understood;
  • those in Compliance who were responsible for transaction reporting were provided with clear policies and procedures, and sufficient training and guidance, so they could properly discharge their responsibilities;
  • Sigma had in place effective systems, including clear reporting lines and policies and procedures, such that it could comply with its post-trade monitoring obligations, especially as the volume of transactions executed by the CFD Desk This included the appropriate and timely escalation of potentially suspicious transactions and orders by the CFD Desk; and
  • Sigma complied with its regulatory obligations to ensure that the Compliance function had in place adequate policies and procedures in relation to the conduct of brokers on the CFD Desk and that these were effectively communicated and monitored.

• The FCA also found that Mr Tomlin breached Principle 6 of the FCA’s Statements of Principle and Code of Practice for Approved Persons, which required him to exercise due skill, care and diligence in managing the business of the firm for which he was responsible (APER Principle 6). The FCA found that Mr Tomlin breached APER Principle 6 by failing to exercise due skill, care and diligence in managing Sigma’s Compliance function by failing to take reasonable steps to:
  • adequately inform himself about the Compliance function’s oversight of the CFD Desk; and
  • maintain an appropriate level of understanding about the CFD Desk’s transaction reporting and monitoring activities, including those tasks that he had delegated (or thought he had delegated) to others within Sigma.

Sanctions imposed

Sigma

The FCA imposed a fine of GBP531,600 on Sigma.

In cases where firms have failed to file transaction reports (either at all or accurately), the FCA has traditionally attributed a value to each transaction report (most recently GBP1.50) and multiplied this figure by the number of impacted transaction reports. The FCA has then used a percentage of this figure as its starting point for a financial penalty under Step 2 of its penalty calculation framework. The FCA did not take this approach in relation to Sigma, and instead decided to use as its starting point a percentage (15%) of the revenue generated by the CFD Desk during the relevant period.

The FCA does not acknowledge or explain this change in approach to calculating Sigma’s fine. However, the number of impacted transaction reports in this case (56,000) is significantly lower than the numbers that have been impacted in other transaction reporting cases (which often extend to tens of millions). Had the FCA taken its traditional approach and attributed GBP1.50 per impacted transaction report in Sigma’s case, this would have resulted in a much lower starting figure for the fine (a percentage of GBP84,000). The FCA may have considered this figure to be too low in comparison to the starting figure of GBP537,003 (15% of GBP3,580,025) that it relied on by using the revenue generated by the CFD Desk for this purpose.

The fine imposed on Sigma incorporated a 10% uplift, which was attributable to an aggravating factor, namely the “substantial and ongoing support” that the FCA has provided to the industry about transaction reporting requirements, as well as the steps it has taken to highlight the importance of transaction reporting and the submission of STRs and STORs.

Sigma only benefitted from a 10% settlement discount (as opposed to the usual 30%). This is because Sigma did not agree to settle the FCA’s enforcement action during Stage 1. Rather, settlement was reached after Stage 1, but before the expiry of the deadline for Sigma to submit its representations to the FCA’s Regulatory Decisions Committee (RDC).

Directors

The FCA fined Mr Tyson GBP67,900, Mr Tomlin GBP69,600 and Mr Kent GBP83,600. The FCA took the same approach to calculating all three fines, with the differences between them being attributable to their varying levels of remuneration during the relevant period (a percentage (30%) of which the FCA used as its starting point to calculate the fines). Similarly to Sigma (and for the same reasons), each individual also received a 10% uplift to their fine due to an aggravating factor and only benefitted from a 10% settlement discount.

Notably, the FCA also imposed prohibition orders on Mr Tyson and Mr Tomlin, banning them from performing any senior management function (SMF) or significant influence function (SIF) in relation to any regulated activity carried on by an authorised person in the future. The FCA did so on the basis that Mr Tyson and Mr Tomlin are not fit and proper (by reason of their lack of competence and capability) to perform such roles.

The FCA did not impose a prohibition order on Mr Kent, who remains approved by the FCA to act as a director of Sigma. The FCA does not explain why, unlike Mr Tyson and Mr Tomlin, it did not impose a prohibition order on Mr Kent. However, this different approach may be because, unlike the other directors, Mr Kent did not perform a more specific role that was relevant to the FCA’s findings, such as the CF10 or CF11 roles.

Decision insight

The FCA’s enforcement action against Sigma and the three directors came almost seven years after it initially became aware of the regulatory reporting issues. This delay between the FCA becoming aware of an issue and taking enforcement action in relation to it is a recurring theme in a number of enforcement outcomes that the FCA is publishing.

Although the headline of the FCA’s press release announcing its enforcement action only refers to “market abuse reporting failures”, some of the most interesting points in this case do not relate to the transaction reporting failures. These points are outlined in the sections that follow.

Market abuse controls

The FCA has a strong track record of focusing on firms’ market abuse controls, including how they comply with their surveillance and reporting obligations. The pandemic shone an even brighter spotlight on this area, which led to the FCA expressing concerns about the increased risks of misconduct (including market abuse) when employees were working at home. More recently, in issue 69 of its Market Watch newsletter, the FCA identified a number of common weaknesses relating to market abuse surveillance arrangements at small and medium sized (SME) firms.

These weaknesses spanned market abuse risk assessments, transaction and order surveillance systems, firms’ policies and procedures and surveillance outsourcing arrangements.

According to its Business Plan for 2022/23, the FCA continues to intend to deliver assertive action on market abuse, especially by ensuring that firms have robust systems and controls, high quality reporting practices and a strong anti-market abuse culture.

Having adequate controls to service a new and growing business

In this case, the trigger for the transaction reporting failures was that, by establishing the CFD Desk, Sigma decided to venture into a new business that ended up expanding rapidly.

Against this backdrop, Sigma failed to ensure that it had put in place adequate controls to handle this new business and its rapid growth. This included not putting in place adequate systems and processes, but also failing to ensure that it had personnel (including on its board and in its Compliance function) who understood and could adequately oversee the new business area. When firms decide to launch a new or expand an existing business, they need to ensure that their systems, controls and internal expertise are able to cater for this development and grow with the new business area.

Clarity of responsibilities at senior management level

The FCA’s findings highlight numerous conflicting accounts in terms of who was responsible for what within Sigma in relation to regulatory reporting, surveillance and the CFD Desk itself. Most of these conflicting accounts seem to have come from comments made by the directors and other employees during interviews with the FCA.

The facts that gave rise to the FCA’s enforcement action took place before the senior managers regime (SMR) applied to Sigma and, as a result, the directors did not need to have statements of responsibilities, which may have ensured greater clarity about who was responsible for what at a senior level.

That said, statements of responsibilities are often brief and disagreements about more granular responsibilities may still arise between senior managers. As a result, this case serves as a valuable lesson for firms to ensure that the responsibilities of their senior management team are clearly defined and expressly agreed with relevant individuals, and that there are no gaps in responsibilities. 

Delegation

As the relevant period took place before the SMR applied to Sigma, senior manager conduct rule 3 (which requires senior managers to take reasonable steps to ensure that any delegation of their responsibilities is to an appropriate person and that they oversee the discharge of those delegated responsibilities effectively) did not apply to Sigma’s directors. However, the FCA’s enforcement action against Sigma still includes some important lessons for other firms and their senior managers to learn about effective delegation.

A significant proportion of the confusion around responsibilities within Sigma occurred below senior management level, with multiple employees denying they were responsible for key tasks and saying that others had these responsibilities, only for those other employees to deny that this was the case. The SMR focuses on clarifying responsibilities at senior manager level, but leaves firms to decide how to ensure that this clarity flows down to middle management and beyond. The FCA’s enforcement action against Sigma emphasises the importance of firms getting this right to ensure that responsibilities at all levels are clear and understood.

Reliance on others

The FCA’s findings about the third director, Mr Kent, highlight the expectations of directors when it comes to issues or areas that may fall outside their specific personal responsibilities.

The FCA makes clear that the following points apply when a director is relying on others (including other directors) to perform certain roles or address specific issues:

• A director cannot rely entirely, or almost entirely, on other members of the board to discharge governance and oversight Instead, they must take reasonable steps to satisfy themselves that these other members of the board are discharging these functions in compliance with regulatory requirements.
• The fact that other directors have specific responsibilities does not absolve a director from obtaining a sufficient understanding of their firm’s business, the key issues (including risks) that are likely to arise from it and the way in which those issues are being addressed. The board collectively has ultimate responsibility to manage these matters.
• Board members have a collective obligation to challenge the actions of individual directors who perform particular roles and to ensure that they have sufficient information to enable them to do so.

Use of personal devices and encrypted messaging applications

Regulators in the UK and the U.S. have been unequivocal in their recent messages: the unauthorised use of unmonitored personal devices and encrypted communication applications can pose significant risks to firms.

In January 2021, the FCA used issue 66 of its Market Watch newsletter to warn firms about increased risks associated with homeworking, including “increased use of unmonitored and/or encrypted communication applications such as WhatsApp for sharing potentially sensitive information connected with work”, noting that this “can present challenges and significant compliance risks, since firms will be less able to effectively monitor communications using these channels”. More recently, it has been widely reported that the FCA has issued information requests to a number of firms about the frequency and content of employee exchanges through encrypted communication applications, suggesting a reinvigorated focus on this area.

The FCA did not make a formal finding about Sigma’s lack of policies relating to use of personal devices and encrypted messaging applications, or the fact that brokers on the CFD Desk were communicating in this way with clients. However, this is the first in what is likely to be a long line of cases that will make similar observations.

In response to a Freedom of Information Act (FOIA) request, the FCA has confirmed that, as at the end of October 2022, it has no open enforcement investigations that principally or solely focus on unauthorised use of personal devices or encrypted messaging applications. However, the FCA has confirmed that it has identified, and is looking into, this issue in a number of ongoing market conduct investigations.

This article first appeared on Practical Law (www.practicallaw.com) and is reproduced with the permission of the publishers.