BUSINESS PLAN GIVES A HINT AT WHERE FUTURE INVESTIGATIONS WORK MAY BE FOCUSED, AS WELL AS SETTING OUT THE FCA'S INITIAL THOUGHTS AND RESPONSE TO THE COVID 19 PANDEMIC
On 7 April 2020, the FCA published its Business Plan for 2020/21 (the "Plan"). The FCA has incorporated its early thinking on the Covid-19 pandemic (the "Pandemic"), as well as publishing the Plan in exceptional times, with much of the UK in a lockdown aimed at stemming the outbreak of the Covid-19 virus, negotiations for the UK's long term relationship with the EU ongoing, the government and Bank of England (the "BoE") warning of the risks of a serious economic downturn, and the FCA itself under interim leadership but undertaking a plan for its own transformation following on from its renewed mission statement in 2017. In this note, we consider what the Plan suggests about the FCA's enforcement priorities for the coming years, and identify particular areas of enforcement risk for firms.
FCA'S GENERAL APPROACH
The Plan is shorter than equivalent business plans that the FCA has published in past years and provides little specific information about the FCA's current enforcement activity. However, the FCA has incorporated its early thinking on the Covid-19 pandemic (the "Pandemic"), as well as setting out its areas of focus over the next few years. The FCA acknowledges that the Pandemic may change the issues which will be central to its focus and an updated Business Plan may be published once matters stabilise (or not). The FCA has already indicated that it has delayed certain planned activity as a result of the Pandemic and unsurprisingly, it has been necessary to reallocate resource within the FCA to meet critical demand. However, notwithstanding this, the Plan suggests a number of areas are on its enforcement radar.
Faster and more effective Enforcement decision making?
In recent years, the slow speed with which the FCA has been able to progress and complete investigations, its (in our experience, often opaque) approach to selecting and prioritising cases, and its rapidly growing open caseload (some 650 open cases at 31 March 2019), have all been the subject of criticism. Slow progress and a lack of clear direction can create real problems for those in enforcement, particularly smaller firms and individuals. It is therefore of interest that the Plan contains further indications of the FCA's desire to move towards using its regulatory toolkit in a more integrated way, as 'One FCA', by simplifying or changing processes to be more efficient. The FCA's comment (p11 of the Plan) 'we must ensure that, whatever tool we use, we use it with a pace and decisiveness that matches the urgency of the issue' presumably applies to its enforcement tool as much as its supervision, competition, and other tools.
If the speed of FCA enforcement is improved over the coming years, that is likely to be welcome, although clearly it must not be at the expense of quality of the investigation work. However, firms and individuals might be forgiven for some scepticism about how much real progress will be made in this area (at least without a substantial increase in the FCA's Enforcement budget and resources). Firms will recall that it is not long since the FCA completed its implementation of the last (long running) Enforcement Review. That was also in part aimed at speeding up Enforcement decision making processes and was completed in March 2017 (see PS 17/1).
A renewed emphasis on the Principles for Businesses as a basis for Enforcement?
The FCA has taken the opportunity in the Plan to reiterate a significant pillar of its recent dialogue which is the need for firms to review their practices in line with the Principles for Businesses. On 12 February 2020 Mark Steward addressed this point in a speech in which he emphasised that in most enforcement cases in the previous year, it was apparent that "neither firms nor senior management engaged directly or explicitly with the Principles for Business in deciding, carrying out or managing the conduct that led to the findings of a breach."1 We interpret this as a clear indication of the importance of the Principles (as opposed to specific Handbook or other rules) as part of the analysis for all regulated firms in identifying how to conduct their business and assessing whether they have acted appropriately.
Similarly, aspects of the language used in the Plan, particularly references to prioritising 'end outcomes for consumers, markets and firms' (p12 of the Plan), and to the current regulatory framework being 'too focused on rules and process, and not enough on principles and outcomes' (p4 of the Plan), is reminiscent of material that the FSA published at onset of the global financial crisis in 2007-2008. At the time, that heralded a marked increase in the extent of the FSA's Enforcement work, and in particular in the number of cases against firms for breaches of the Principles for Businesses. It is too early to say whether the Pandemic and any ensuing economic downturn will have a similar impact, but we suggest there are some clear parallels in the language used.
Culture remains crucial
This focus on the Principles also coincides with the FCA's shift in recent years to a focus on a firm's culture and governance. The FCA takes the opportunity in the Plan to reiterate what it believes are the four key culture drivers in firms, namely: a firm's (i) leadership; (ii) purpose; (ii) governance; and (iv) approach to rewarding and managing people. Despite the fact that, to date, there have been few public enforcement outcomes for breaches of the Senior Managers and Certification Regime ("SMCR"), with a wider set of firms now in scope of SMCR, cultural failings, and/or failures by senior managers to take reasonable steps, remain a key Enforcement risk in our view.
The FCA has achieved a number of 'blockbuster' fines in recent years, bringing with it publicity and (the FCA would no doubt argue) increasing deterrence. However, aspects of the Plan in our view suggest that the FCA will shift its focus to smaller firms which consistently fail to meet its standards and that it will bring swift enforcement against those causing harm. This objective would be consistent with the recent extension of the SMCR.
Enforcement across the regulatory perimeter?
Interestingly, the FCA devotes part of the Plan (p8) to explaining the complexity of the regulatory perimeter: 'the regulatory framework, and what is excluded from it, has built up over many years. While many of the reasons for the exclusions are clear on their own, they can create a complex picture for consumers and firms when taken together. Many of the toughest issues we face involve activity at or over the other side of this boundary.' The Plan notes that the FCA continues to work with HM Treasury in this regard.
The technicalities of the regulatory perimeter, which has been repeatedly and gradually amended and reshaped (particularly through EU legislation) since FSMA was first enacted, in our experience can be critical in Enforcement cases. The extent of the FCA's jurisdiction is often complex and difficult for firms to understand without legal advice. There have also been clear cases of tension between what firms are legally entitled to do, and the kinds of action that the general public, media, and political process expect the FCA to be able to take, in circumstances where problems have arisen (e.g. in relation to matters such as SME lending and mini-bonds). Further action by the FCA in this area, working in conjunction with government, could have a material impact on the risk of future Enforcement action.
It remains to be seen whether Brexit – which has the potential to stop the flow of new EU legislation repeatedly amending the UK regulatory perimeter – will present an opportunity for the regulators to rethink the underlying law in this area.
Financial crime issues have been central to the FCA's business plans for several years and the Plan does not suggest any change in that emphasis. The FCA remains committed to reducing financial crime in accordance with the UK's Economic Crime Plan for 2019-2022 (published in July last year). The Plan clearly indicates (in particular at pp16, 19 and 20) that FCA intends to make greater use of the data it receives from firms to deal with these issues, and expects to see a reduction in the incidence of financial crime through firms' regulatory returns. We interpret this as a further indication that the FCA will use financial crime returns pro-actively to identify firms requiring more intensive supervision and potentially enforcement action.
The Plan would appear to maintain the FCA's past focus on money laundering and market abuse. The FCA has recently implemented its registration and supervision regime for some cryptoasset activities as part of the UK's implementation of the Fifth EU Money Laundering Directive (MLD5), and enforcement of failures to comply with that (as well as failures to implement and comply with the more stringent requirements of MLD5 more generally) seem likely.
The onset of the Pandemic has also seen a rise of financial scams targeting consumers and firms. We see material future enforcement risks – from the FCA and potentially also from the PSR – for firms whose financial crime systems and controls fail to respond quickly enough to that rapidly changing environment.
The FCA's recently found that the General Insurance, Cash Savings and Mortgages markets failed to give customers fair value with long term customers paying more than the cost of the product. The FCA expects that this harm will be exacerbated by the Pandemic and vulnerable customers in particular are likely to be exploited. It is likely that the FCA will take action against firms who do not comply with its published guidance and are found to be building loyalty penalties into their pricing. It is more likely to take action where vulnerable customers suffer harm. Firms should carefully consider how they justify their pricing policy on objective grounds, particularly whether they can attribute increases in prices to objective factors rather than to recouping profit forfeited by offering low prices to win customers.
FCA AS A PRICE REGULATOR: A FURTHER STEP ALONG THE ROAD?
The FCA devotes a section of the Plan to 'delivering fair value in a digital age' in which it makes clear it will 'develop an approach with measurements and metrics to assess fair value for consumers', with an accompanying data strategy. This could clearly be interpreted as a further indication of the FCA's move towards being a price regulator; in light of this and a series of previous FCA communications, it is difficult to conclude that the FCA is not one already.
However it remains unclear whether the FCA's future strategy for dealing with firms that it considers are not providing 'fair value' would be based primarily on its competition powers, or its more traditional enforcement and disciplinary powers, and whether the enforcement focus is likely to be on firms issuing the products, senior individuals signing off on pricing decisions, or both. Any of these routes is potentially possible, and experience suggests that a combination of them may be used.
Operational resilience has been an important theme in recent FCA publications and we can expect a policy statement on how to strengthen operational resilience in the financial services sector after the (extended) consultation period closes on 1 October 2020. The Plan explains that, alongside the BoE it is actively evaluating the contingency plans of a wide range of firms and so the FCA is likely to take action against firms where it identifies harm as a result of ineffective business continuity measures being in place. The Pandemic will pose new tests for firms' operational resilience and more investigations should be expected in this area. The Plan (at p16) sets out a clear expectation that the number of firms' operational incidents and outage times will reduce; in our view further enforcement in this area (by FCA, PRA and/or the PSR) is clearly possible.
SECTOR SPECIFIC ISSUES
The Plan suggests a number of areas in the wholesale financial markets where the FCA is alive to misconduct. There are also specific references to market abuse and capitalising on investors’ concerns (p10 of the Plan) as examples. Since the Plan, the FCA has already (by way of a 'Dear CEO' letter released on 28 April) indicated a particular focus on the relationship between a bank as a lender and as an adviser on an equity raising, noting that the use of lending relationships to secure equity mandates could be a breach of the Principles, Conduct of Business Rules, SM&CR, and the Market Abuse Regulation.
The Pandemic will undoubtedly have a significant financial impact on consumers and small businesses, with an increased risk for vulnerable consumers. Shortly after publishing the Plan, the FCA announced a package of targeted temporary measures to help consumers with some of the most commonly used consumer credit products. This has since been supplemented by the Bounceback Loan Scheme (BBLs), designed to shorten the time to market of lending to small businesses, facilitated by abbreviated regulatory and legal requirements, and a government guarantee with specific compliance requirements.
This trend of requiring firms to exercise greater flexibility where it is in the consumers' best interests is likely to continue. The FCA may look to take action where it finds that firms have not conducted appropriate affordability assessments and/or treated customers unfairly (in the case of regulated lending) (see in particular p15 of the Plan). In the area of unregulated SME lending, the 15 April Dear CEO letter from the FCA reminded firms that the conduct rules on SMF Managers and conduct rules staff apply outside of regulated lending and specifically in the SME lending space. Individual Conduct Rule 4 concerns treating customers fairly. It is clear that the FCA will look to take action against Senior Managers in this area.
The FCA expects payment services firms and banks to keep customer data safe and to minimise the impact of fraud and operational failure. Whilst the Payment Systems Regulator has jurisdiction to investigate compliance with the IFR and many other payments issues, the FCA has stated that it will increase its focus on evaluating firms' systems and controls while monitoring any emerging risks. To measure progress in this regard, it will monitor the number of operational incidents and outage times and assess if firms have adequate systems and controls to prevent financial crime, and expects to see these incidents reduce. Payment firms have been working exceptionally hard to adjust in order to support contactless payments as part of the response to the Pandemic. But the FCA is still likely to take action where firms are unable to manage the operational aspects of payments adequately, particularly in light of the decreased use of cash during the Pandemic and national dependency on payments.
The FCA perceives a significant risk of harm in the pensions and retail investment markets in part driven by the way consumers have been given additional responsibility for complex investment decisions through the pension freedoms reforms but also because the Pandemic is likely to amplify issues caused by volatile markets. There has already been plenty of enforcement in this area and we can expect this trend to continue as ongoing volatility reveals challenges and shortcomings around suitability, risk appetite and capacity for loss, and jeopardises the performance of products. Firms should look at heightening their scrutiny of products they are selling – the performance, changes to the asset composition of funds and investment parameters. Firms will need to think carefully about this and react to changing performance in a way that treats different types of client mandate fairly – particularly where they have a mix of advised, discretionary managed and execution only.
The FCA has already identified significant harm in this area due to poor governance, lack of focus on good value, lack of investment in technology and operational resilience. To avoid enforcement action, firms should address these areas of concern and ensure fairer outcomes for customers. This can be achieved by focusing on effective disclosures, fully embedding individual personal responsibility in line with the expectations of SMCR and addressing their exposure to LIBOR risks. We can expect the FCA to take action where firms do not address its concerns.
GENERAL INSURANCE AND PROTECTION
The general insurance market has been a relatively new area of focus for the FCA since the implementation of the Insurance Distribution Directive (IDD) on 1 October 2018, and firms of all sizes should continue to focus on being fully IDD-compliant. In the Plan, the FCA has focussed specifically on the requirement on firms to communicate with consumers in a way that is clear, fair and not misleading both when they take out products for the first time and when they look to renew or switch. Firms need to assess consumers' demands and needs on a continuous basis, and ensure that products sold continue to be consistent with those assessments. Notwithstanding numerous consultations on this topic, it appears that firms continue to fall short of the rules and it is anticipated that enforcement action in this area is imminent.
The Plan can be seen as distinct to previous Plans because of the Pandemic and the need to respond in short order to provide certainty to markets and consumers, yet it still contains some clues about the potential direction of future enforcement action, and accordingly key areas where firms may wish to pay particular care and attention over the course of the next year or so.
Whilst some of the FCA's current messaging to firms rightly recognises the operational challenges for firms brought by the Pandemic, it is a particular issue that risks from conduct now may only crystallise into enforcement action months to years in the future, potentially in a different economic, regulatory or public health environment. We anticipate that the criticism which the FSA (and then FCA) experienced in the post-financial crisis era is likely to inform its approach to enforcement now. The early evidence is that it is acting pro-actively through supervision and other intervention where it sees potential harm. However there remains real enforcement risk for firms arising out of their conduct now.