Category: Regulatory Intelligence

British Airways Anticipates 90% Discount on GDPR Fine

When the ICO announced their intention to fine British Airways £183million, it was seen as one of the landmark penalties in GDPR. It was a shot across the bow for any company handling personal data, that the ICO intended to make full use of its powers under the new data protection act. Now though, the airline says it expects to pay only 10% of the total fine. So does this mean the regulator is taking a lighter touch?

What happened at British Airways?

In July, the ICO announced that it had fined British Airways £183million after a computer hack which compromised the personal data of half a million people. At the time, the airline said it had been the victim of a ‘highly sophisticated attack’ which compromised the bank information of half a million people who had booked flights through its website.

However, the ICO took the view that information had been compromised by poor security arrangements and took action accordingly. The £183million fine represents an enormous 1.5% of the firm’s annual turnover and is also the largest fine that the ICO has handed out. Furthermore, it was the first fine it made public since the new rules came into force. Under the rules of GDPR, the ICO could have decided to levy a higher fine, amounting to 4% of the annual turnover, had they deemed it necessary.

A reduced fine?

From that perspective, BA could have been said to have got off lightly. However, they immediately announced their intention to defend their position and make any necessary appeals.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Willie Walsh, head of British Airways’ parent company (International Airlines Group) at the time

BA announced its intentions to make representations to the ICO and these appear to have had an effect. In its July 31st statement the company said it had put aside only £20 million to cover the fine. This, it said, represented their “best estimate of the amount of any penalty issued by the ICO”.


If they are correct, the final penalty would represent a 90% reduction and the news has concerned a number of privacy campaigners. Your Lawyers, a consumer action law firm that has been appointed in a Steering Committee position by the High Court of Justice against British Airways in the GDPR case, have condemned the move.

The firm’s director, Aman Johal, said that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”

He went on to say:

“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches. Such a substantial reduction could seriously undermine the purpose of GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”

In a statement the ICO said, “The regulatory process is ongoing, and we will not be commenting until it has concluded.” However, it is unlikely that BA’s management will have plucked this figure from thin air. The chances are, it represents their best guess based on the ongoing negotiations between the airline and the regulator.

What does it mean?

The ICO is remaining tight-lipped about the proposed fine, which leaves us to speculate on their possible reasoning. It may be that BA has been highly convincing in its representations to the regulator. If they can show that there were mitigating circumstances or that they had taken measures to safeguard data, the regulator might have been persuaded to take a more lenient stance.

Equally, though, this reduced fine may also be down to the ongoing pandemic – the ICO has already announced that it would take a lighter touch on GDPR enforcement during the pandemic, and will take into account whether an organisation’s financial difficulties have stemmed from the pandemic.

BA, like other airlines, has suffered during lockdown. Passenger numbers fell by 98% in the second quarter of 2020 as lockdown devastated business in various sectors. IAG, the owner of BA, was forced to raise £2.49bn to strengthen its balance sheet after reporting record losses. Over 10,000 jobs have already been cut in an effort to lower costs.

The fine, then, comes at a time when BA’s ability to absorb such a fine would have been compromised. Time will tell on the reasoning. However, with the ICO thus far having not followed through on its intention to fine Marriott Hotels under GDPR, the episode will raise questions about what stance the regulator intends to take over GDPR.

Firms are Failing to Learn From AML Mistakes

Anti-money laundering (AML) fines have already surpassed the total for 2019 in the first half of the year. Are firms failing to learn from their mistakes?

Anti-money laundering fines surged to $706 million in the first half of this year, compared to $444 million for the whole of 2019. That’s the finding of the seventh annual Global Enforcement Review from Duff & Phelps.

The figure shows a reversal of the trend from previous years, which showed a steady decline ($3,297 million for 2018 and $2,136 million for 2017). However, according to Nick Bayley, Head of Regulatory Consultancy at Duff & Phelps, this new uptick doesn’t necessarily mean firms have stopped paying attention to AML issues.

“Despite the uptick in AML fine amounts in 2020 we are still seeing fewer massive fines being imposed in the United States. This is very unlikely to reflect regulators attaching any less importance to AML compliance, it may simply be that the very largest financial institutions may be beginning to get their AML compliance in order, at last.”

“Although we do see some big institutions repeatedly receiving major fines for their AML failings, the sheer size of the fines that have been imposed for these failings and the associated huge cost of remediation means many have seemingly now learned their lesson.”

Nick Bayley

Even so, he does acknowledge that the report showed multiple fines for the same offenses and that they have been cropping up time and time again.

“Interestingly, looking at the key AML failings that are identified by regulators, we see the same areas being sanctioned again and again. This is consistent for regulators across the globe and also over the past five years.”

Handling AML regulation has been one of the major challenges for most banks for quite some time now. Banks can face massive fines for breaches, up to approximately £4,5 million, or 10% of their total turnover.

USA

The USA saw a significant reduction in the value of fines. In 2018, regulators in the USA accounted for 58% of the total fines issued. This time around it was down to just 12%. However, the total number of fines remained the same, suggesting the US regulator had simply not issued some of the mega fines seen last year.

UK

Here in the UK, though, fines appear to be down, at £36.6 million compared to £98.2 million for the whole of last year.

Regulatory intelligence

The ultimate support for banks and financial services firms, RegTech and regulatory intelligence has been developing at rapid speeds over recent years and has helped to moderate financial crime through various means, including process automation, real-time payments monitoring, predictive analytics, scrutinising enormous amounts of data sets and revealing patterns within them. These are just some of the areas in which regulatory intelligence assists the financial services industry, helping to ensure compliance and mitigating risk.

Waymark Tech’s software has been developed to offer all of this and more. The implementation of artificial intelligence and natural language processing (NLP) has already saved large amounts of man hours and has alleviated serious risk. Moving away from the traditional approaches within the financial services sphere has seen Waymark grow since it was founded in 2016. Preparation for regulatory compliance is crucial in the avoidance of fines. If you feel that regulatory intelligence could be valuable for your organisation, please do email us for a complimentary and no-obligation demo of our innovative software at support@waymark.tech.

Lessons not learned

The figures are certainly mixed. They are well up on 2019 but still down on 2018 and 2017. As Bayley says, it’s perfectly possible that these simply show firms are finally beginning to get the message. However, the familiar nature of the failings suggests those firms that have not are making the same mistakes time and time again.

In a year marked by the global pandemic, in which the challenges of maintaining compliance are higher and in which fraudsters are presented with a wealth of opportunities, those firms not paying close attention are playing with fire. This was demonstrated rather clearly with the $47 million fine for Commerzbank which was found to have failed to put right problems despite repeated warnings from the regulator. (See our article on this here).

These failings occurred at a time when defending against fraudsters and money launderers was comparatively straightforward compared to the world under lockdown. Any firm carrying over the same deficiencies through this year is putting themselves at serious risk.

According to most experts, Commerzbank’s failure to address shortcomings was down to an issue of resources. So this may be one of the tools in avoiding the same fate and where Waymark’s technology comes in. Making sure compliance teams have the resources they need and that they are up to date with the latest requirements, will be crucial to break the cycle, and ensure those important lessons finally hit home.

DSG Retail Fine: Lessons to Learn

The ICO’s decision to issue DSG Retail Ltd with the maximum penalty possible highlights how seriously they take data security and what factors influence their decisions.

The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd under the old Data Protection Act should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.

What happened?

The scale of the fine comes thanks to a litany of errors which on their own could have constituted a breach, but taken together amounted to a serious and multifaceted breach of the Data Protection Act.

It started in May 2017 when an assessment of DSG’s point of sale payment terminals across their stores in Currys PC World and Dixons Travel found that they were not compliant with PCI DSS standards. Even so, DSG were slow to make changes.

Almost a year later, they discovered that the payment terminals had been compromised. Over the course of nine months, a cyber attacker had taken control of a number of domain administrator accounts and installed malware onto the POS system. This accessed payment card details of around 5.6 million customers, although an investigation later found that only a total of 85 cards had been potentially used fraudulently.

The fraudsters had also accessed non-financial data belonging to about 14 million customers including credit checks, contact details and failed credit checks. The company was inundated with nearly 3,300 customer complaints about the breach and the regulator received 158 complaints.

The ICO’s investigations listed numerous systemic failures including:

  • Lack of firewall on the POS terminals
  • Inadequate patching of software
  • A poor response system
  • Insufficient network segregation
  • Mismanagement of the application whitelisting


These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made this even worse. The firm was already aware of the vulnerabilities but failed to take action quickly enough, it took a whole nine months to identify the breach, and Carphone Warehouse, which belongs to the same group as DSG, had previously been fined £400,000 for the same breach.

The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.

Moreover, as a major retailer handling large quantities of sensitive customer data, DSG should have been able to lead by example. They had plenty of resources at their disposal and should have been able to offer better protection to their customers.

The only mitigating factor is that DSG had taken steps to notify its customers and cooperated with investigators. Even so, the regulator deemed the maximum penalty appropriate.

Lessons to be learned

The scale of this fine should serve as a warning about how seriously the ICO takes data security. Had the breach occurred under GDPR, the fine could have potentially been in the millions. It shows the factors the regulator takes into account when deciding, including the volume of the data exposed, the nature of the breach, the resources of the firm and how the company responded to known breaches.

It’s a reminder for businesses to maintain and proactively monitor their security systems, and to fix any deficiencies as soon as possible. Cyber crime is becoming so widespread that if a company does identify a weakness, there’s a very good chance an attack will come sooner or later. While firms might be reluctant to spend the time and money fixing issues, if they don’t they run a high risk of finding themselves before the ICO and, with GDPR in full swing, the consequences could be catastrophic.

What Can We Learn From the Commerzbank Fine?

The Watchdog’s second biggest fine for failing to have proper financial controls in place should serve as a warning to the rest of the sector.

The FCA has made anti money laundering one of its key focuses for 2020 and this month it showed it means business with a £37,805,400.00 fine to Commerzbank London for failing to implement proper controls over a five year period. It’s the second biggest fine of its kind and offers some key lessons for the wider sector.

Listen to the regulator

The scale of the fine is partly down to the fact that the Bank was aware of the problem, had been warned by the regulator but failed to take action. The FCA said it had warned Commerzbank on three separate occasions about the risk of financial crime going undetected but had “failed to take reasonable and effective steps to fix them.”

Maintaining due diligence

The regulator found that the bank failed to undertake effective due diligence checks on clients. As of March 1st 2017, checks were overdue on 1,772 customers. In the meantime, many of these customers were able to continue doing business with their London branch through their Exceptional Control Scheme which the FCA argues got out of hand.

The rules apply to you

AML requirements have toughened up in recent years, and regulators have very publicly stated this is a priority. However, many financial institutions, for one reason or another, haven’t fully understood the implications of the changes or that these rules apply to them. With the EU’s sixth anti money laundering directive coming into force in December, firms will have to continually update and review their measures to maintain compliance.

Getting the technology right

Companies are increasingly leaning on automated compliance monitoring systems. However, these are only effective if functioning properly. The FCA noted a failure to address known weaknesses with the automated tool for monitoring money laundering risks. In 2015, the bank noticed that 40 high risk countries were missing from its tool and 1,110 high risk clients had not been added.

Enhanced due diligence

Companies will be coming under increasing pressure to ensure their due diligence processes are as good as they possibly can be. This means enhanced ongoing monitoring of any situation which by its nature presents a high risk of money laundering or terrorist financing and maintaining up to date data and documentation.

Prompt action

One area where the bank performed well was in promptly agreeing to resolve the issue. The FCA says that the lender agreed to make changes at an early stage of the investigation, earning itself a considerable reduction of the fine. Without these changes, the FCA says the fine would have been £50 million.

Cooperation is seen in a positive light by the regulator. They are looking to use fines to encourage change rather than as a blunt tool of punishment. Those firms that can demonstrate an understanding of the problem and a willingness to change will receive kinder treatment.

Most importantly, this fine, coming quickly on the heels of Standard Chartered’s £1.1bn fine for violating sanctions and anti money laundering rules, shows regulators are upping their game. The UK is continuing to align itself with the more aggressive approach taken towards anti money laundering within the EU in recent years. Although we do not know how closely the UK will continue to be aligned with the EU after Brexit, their actions do nothing to suggest their approach will weaken.

Coronavirus Gives SM&CR its First Real Test

COVID-19 is proving to be the first real test of financial regulations introduced since 2008 with the Senior Managers and Certification Regime in the front line.

Speaking to the Financial Times, the FCA’s interim Chief Executive, Christopher Woolard has suggested that the Senior Managers Regime could give the regulator more weapons in ensuring corporations continue to behave ethically throughout the crisis.

Although he admitted that the FCA had little power to take action against those lenders who did not treat customers fairly, he suggested the regime did give the regulator an option to ensure fair treatment of lenders.

These rules allow regulators to take action against senior managers based on their conduct, including fair treatment of customers. With all commercial lending being unregulated, this will be the only weapon the regulator has to put pressure on banks.

However, since its introduction, the FCA has been criticised for taking relatively little action. After three years, it was only in August 2019 that it secured its first conviction when Barclays Chief Executive Jes Staley was jointly fined £642,000 by the FCA and PRA for his response to an anonymous whistleblower letter.

Since then, the regime has been extended from the banking sector and across all authorised firms, but its impact is still one which exists in the fears and imaginations of senior managers rather than in actuality. However, this crisis could be an opportunity for SM&CR to play a significant role.

Since the outbreak of COVID-19, there have been a number of complaints about how banks have been treating their customers, especially in the way the Government-backed loan scheme has been rolled out. The Federation of Small Businesses has been among those raising concerns about how the loan scheme is being implemented.

Although pace has picked up, approval rates are lower than with commercial lending despite the number of companies facing difficulties. The FSB has called for reassurances from the regulator that the banks are not putting profits before people.

The FCA has written to the banks reminding them of their responsibility to treat borrowers fairly at this stressful time, but beyond that it has relatively few direct powers. SM&CR could offer an alternative approach, and Woolard admitted this period would prove to be a test of the scheme.

Nonetheless, the difficulty they’ve experienced in securing convictions so far suggests they might face an uphill battle. The problem for the regulation is that it can be difficult to attribute the action of a company to a single individual. The burden of proof lies with the FCA and, in many cases, this is proving too high a hurdle to clear.

So far, then, SM&CR has been used as an abstract threat – a tool to place more pressure on individual managers to take greater responsibility for good conduct. Whether this will be enough remains to be seen.

COVID-19 is the first period of great stress for the financial sector. It is at these moments that corporate responsibility and regulation come under pressure. It’s also at moments like these that the cracks show and problems in the existing system are there for all to see. This in itself could serve as a warning to any corporates who do not heed the FCA’s letter and treat customers fairly.

Even though the regulator’s powers may be limited at present, if they are not satisfied by the actions of lenders during this time, they will be more likely to step up their oversight.

This could come in the form of enhanced regulation and stricter rules in the future.

Financial Conduct Authority Updates Action on Coronavirus

As the UK goes into lockdown, the FCA continues to update its guidance and work out how it can support the financial sector and those who rely on it through what is now, undeniably, an unprecedented crisis. With questions about trading practices, vulnerable customers and reporting, the FCA has issued a series of statements over the past few weeks outlining its expectations.

Short selling

The FCA has not followed the examples of other countries such as Italy and Spain in banning short selling. Both countries have banned the practice in order to counter market volatility as the virus spreads across the world. Experts in the US have also argued strongly against short selling. However, the FCA claimed there was no evidence that it was behind the recent turmoil in the market. Indeed, they said short selling remains a useful tool in investment strategy, allowing companies to manage risks by taking long and short positions.

Vulnerable clients

Its work on vulnerable clients has been shelved as it postpones all non-essential work in the face of the pandemic. Publication of its guidance on vulnerable customers will be placed on the back burner for the time being.

However, the FCA has stepped up pressure to prevent repossessions in the fallout of the crisis. The regulator’s guidance says lenders should offer a three-month payment holiday in the face of the spreading pandemic. It should be granted where homeowners are experiencing payment difficulties because of COVID-19. This can apply where a customer first asks for leniency or if a lender feels they qualify for a break. The Government has said there is no expectation under its guidance for a lender to fully investigate the circumstances surrounding a request for a payment holiday.

“We are making it clear that no responsible lender should be considering repossession as an appropriate measure at this time.”

Christopher Woolard, Interim Chief Executive of the FCA

Delayed disclosure

The FCA has urged companies to delay publication of their preliminary results for at least two weeks.

“The unprecedented events of the last couple of weeks mean that the basis on which companies are reporting and planning is changing rapidly.”

Financial Conduct Authority

Companies, it said, should give due consideration to the impact of the virus, and the events of the last couple of weeks meant that timetables set before the virus would leave little time to achieve this.

It says it is in talks with the audit regulator, the Financial Reporting Council (FRC) and the Bank of England’s Prudential Regulation Authority (PRA) about a package of measures to ensure companies take time to prepare appropriate disclosures. The FRC, for its part, has also asked companies to delay disclosing financial reports rather than produce substandard audits.

This is uncharted territory for the entire sector. The FCA’s role in this is to reduce turmoil as much as possible and put pressure on companies to maintain sustainable and responsible policies which do not cause additional stress and anxiety to their customers.

How Should Firms Adapt for AMLD5?

New anti money laundering legislation has arrived and firms will have to move very quickly in order to comply if they have not already. Those that do not will be unable to plead ignorance. Even so, many are lagging.

On 10th January, the Government introduced its Fifth EU Anti-Money Laundering Directive (AMLD5). It’s an update of existing legislation so it doesn’t involve a massive overhaul but firms still need to take immediate action to ensure they are compliant.

What’s new?

The new regulation will enhance the powers of the EU financial intelligence units and increase transparency around company trust and ownership using beneficial ownership registers. It will also prevent risks associated with the use of virtual currencies for financing terrorism and enhance access to information for financial intelligence units.

Specific and complete identification of real holders of passbooks, bank accounts or e-wallets must be provided. Until now, they could be anonymous. The required subjects list has been expanded, particularly taking us into the realm of digital currencies. The registration processes of holders and trusts will also be expanded.

Electronic sources

With the new regulation coming so quickly after Christmas there isn’t much time to get ready and it’s easy to see how some companies might get caught out. Of all the changes, it’s the requirement for electronic documentation, where possible, which might cause the most problems.

The legislation states:

“(19) Information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where […]
(a) it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market); and…”

If you do not have a reliable way of obtaining documentation which meets these standards, you’ll have to develop it quickly.

Due diligence

When deciding on due diligence, firms will have to consider a number of risk factors, such as transactions from high-risk countries, whether the customer is the beneficiary of a life insurance policy or a national of a third country seeking residence rights, or whether business relationships are not face to face. If a transaction is related to oil, arms, precious metals or tobacco products they will also have to take more care.

To cope with these new demands, firms will have to enhance their due diligence checks and install AML training for all staff. You’ll also have to use electronic verification wherever possible, although paper-based checks may still be available in some circumstances, such as if they have been provided by the client from electronic sources. While the changes in AMLD5 are far from exhaustive, they do require a significant adjustment, some of which are all too easy to overlook.

Five Lessons From SMCR

The Senior Managers and Certification Regime (SMCR) is finally upon us. After years of preparation, the FCA has finally rolled it out to virtually all regulated firms in the UK. Anyone performing a role designated by the FCA as a senior manager position will now be given designated responsibilities for which they are personally responsible.

With the rules now fully implemented, what can we learn from the FCA’s statements and investigations so far?

Convictions are difficult

Despite a number of investigations using SMCR powers, there has only been one high profile conviction when Jes Staley was fined more than £642,000 for failing to act with due skill, care and diligence in his response to a whistleblower in 2016. In a large firm, it is proving difficult to conclusively prove that one person should be held accountable for wrongdoing. The burden of proof is on the FCA which makes it difficult to secure a conviction but…

… Convictions may be higher for smaller businesses

With SMCR now extended to solo-regulated firms, that conviction rate could climb. While it can be impossible to prove personal responsibility in a large corporation it will be much easier in a smaller firm.

Firms should be proactive against non-financial misconduct

Non-financial misconduct will form part of the FCA’s assessment about who is a fit and proper person. In a Dear CEO letter, Jonathan Davidson, Executive Director of Supervision, Retail and Authorisation, wrote: “Following recent, publicised incidents of non-financial misconduct in the wholesale general insurance sector, I am writing to set out our clear expectation that you should be proactive in tackling such issues.” The FCA says it expects firms to identify what drives bad misconduct and ‘modify those drivers’ to improve conduct.

Governance, governance, governance

As another Dear CEO letter highlights, this time from Marc Teasdale, the FCA is disappointed about standards of governance:

“Overall standards of governance, particularly at the level of the regulated entity, generally fall below our expectations. Funds offered to retail investors in the UK do not consistently deliver good value, frequently due to failure to identify and manage conflicts of interest,” he wrote.

A key issue, according to Teasdale, is liquidity management in open-ended funds. Liquidity, he said, should remain the responsibility of the asset manager even if outsourced to a third-party provider. While it is possible to delegate control, it is not possible to delegate responsibility.

SMCR is an opportunity

Much depends on how companies choose to perceive SMCR. Some will see it as simply being a compliance project, another box to be ticked in order to satisfy the regulators. However, it helps businesses get their governance in order. It includes all the things that companies should be doing in any case and helps companies highlight risk. Those who see this as a positive element of strategy are likely to see real benefits.

Smaller businesses are still getting to grips with SMCR. There may be bumps along the way, but every investigation, enforcement action and statement from the FCA contains lessons for the wider sector.

FCA Issues First Fine Against Claims Management Firm

The FCA has issued its first fine against a claims management company since it took over regulation of the sector eight months ago. It’s a finding which should signal the need for financial institutions to maintain the highest standards of transparency when communicating to customers.

Essex-based Professional Personal Claims (PPC) was fined £70,000 by the regulator for misleading branding and for submitting inaccurate or misleading claims to banks.

The FCA also believed that the firm was attempting to give customers the impression that they were making claims direct to those banks, when this, of course, was not the case. PPC operated websites with the logos of five banks which contained their domains. The FCA said that this muddied the water of what customers might expect.

Customers could easily have been confused that the claims were being submitted directly to the banks rather than through a claims management firm in return for a fee.

“PPC’s misleading website and marketing material suggested PPC was associated with the five banks when this was not the case,” said Mark Steward, Executive Director of Enforcement. “Claims management firms must ensure their advertising is accurate. Not only in terms of what they say about themselves and their services but also in terms of what is represented.”

A lack of detail

The second charge is arguably just as damaging. People use claims management firms because they either don’t want the hassle of making the claim themselves or they aren’t confident they will fill out the forms correctly.

However, according to the FCA, PPC submitted claim forms to the banks which were either misleading or contained the wrong information.

The claims had already been made by the former regulator, which had received 14 complaints about the company, before the FCA took over. PPC had originally challenged the finding in court, before withdrawing their claim in September, leaving the FCA to adjudicate the penalty.

What can we learn?

This fine comes at a difficult time for claims management firms. The end of the PPI deadline leaves many people wondering what the future will bring for them. Only around 350 firms are registering with the FCA, compared to 700 during the height of the claims process.

The reputation of the sector is also extremely shaky. It has been blamed for misleading customers and for creating a compensation culture which has cost the banks billions.

If claims management firms are to go forward, the FCA has served notice that it expects them to adhere to the highest standards of accountability and transparency. Advertising must be scrupulously accurate, communication must be clear and they will need to ensure all documentation is accurate, complete and correct. That might be something of an adjustment for a sector which has often thrived on ambiguity.

Before the deadline, the FCA had launched a high-profile marketing campaign to inform people about their rights and ensure they understood that they could make the claim themselves without using a claims firm.

Going forward they will have to ensure they are whiter than white, being clear about what they offer, how much they charge and that they are not affiliated with any bank or financial institution.

Check your Conduct Before the FCA Does - Waymark Tech Blog

Over the past year, the FCA has increased its focus on conduct, which is why it’s a good idea to investigate your own firm’s behaviour – before the FCA does it for you.

2019 began with the collapse of London Capital & Finance together with all the grisly details that came with it. As the FCA’s investigations progressed, a picture emerged of a company in which misconduct was commonplace and went unchecked.

In response, the FCA said it planned to intervene more swiftly to protect the interests of investors, and it has been true to its word. 2019 was a bumper year for fines, the biggest for four years, hinting at a regulator which is becoming more confident and aggressive.

In particular, though, the regulator has started to focus on the conduct and culture of a business because this, the FCA believes, is a prime indicator of which firms are more likely to experience compliance issues.

Monitoring conduct

In a recent letter to the insurance sector, the FCA warned that firms would be at risk of failing SMCR if they failed to address financial misconduct. Jonathan Davidson, Executive Director of Supervision, Retail and Authorisations at the FCA, said the letter had come as a result of “recent, publicised incidents of non-financial misconduct in the wholesale general insurance sector”.

The same message was again hammered home in a recent speech at the Personal Finance Society by Debbie Gupta, the FCA’s Director of Life Insurance and Financial Advice.

“We expect you to adhere to your regulatory and professional duty, to give suitable advice to clients by identifying those conflicts of interest and managing it.”

Although many of the misconduct fines issued in the past year relate to historic abuses, the FCA still believes there is a culture of putting a firm’s financial interests above those of its clients. Firms are failing in their oversight and allowing a culture to develop where non-compliance becomes highly likely.

Take steps now

The FCA, then, will be grilling firms over their conduct, so it makes sense to beat them to the punch.

Ultimately, the FCA will be asking five questions of firms and you will need good answers for all of them. They are:

  1. What proactive steps do you take as a firm to identify risks?
  2. How do you encourage individuals who work in the front, middle and back-office to be responsible for managing the conduct of their business?
  3. What support does the firm have to enable people to improve conduct within their area of the business?
  4. How does the Board maintain oversight and consider the implications of each strategic decision?
  5. Has the firm assessed whether any of their other activities could undermine their attempts to improve conduct?

Firms can start by identifying risks within their business. Those firms with higher degrees of permissions will require more extensive governance and oversight. Are people within the firm sufficiently competent to carry out their roles and are they given enough support?

Firms will need to maintain oversight and implement adequate controls to monitor conduct within their business. They will need to look at the strategic decisions senior managers will be making and what expectations are being placed on their employees.

Those who are too heavily incentivised for financial performance, rather than for representing the interests of the customers, will be more likely to act against those customers’ best interests.

In other words, you should put yourself in the shoes of the FCA and start asking the questions they will. So, when they do come calling, you will have all the answers in place.
