The Legacy of Lehman: regulatory enforcement in the UK

This article is part of our series marking the 10-year anniversary of the collapse of Lehman, examining today's issues from the perspective of Lehman and Lehman's legacy.

Executive Summary

The failure of Lehman Brothers on 15 September 2008 triggered a host of changes to regulatory enforcement in the UK: the replacement of the FSA with the FCA and PRA, new regulatory powers, new penalties and new levels of international cooperation between regulators.

There are two fundamental changes though that most closely reflect the fallout from Lehman’s collapse; they are the new measures designed to bring about individual accountability and to regulate culture. A lack of individual accountability, particularly among senior managers, and inappropriate culture were viewed as central to the widespread prudential and conduct failings that followed Lehman’s collapse. Efforts to address these shortcomings are likely to be viewed as the principal response of conduct regulators to Lehman Brothers and, while their efficacy has yet to be tested, their impact should now start to be witnessed. It is too early to judge whether these measures would have prevented or lessened the financial crisis, and flaws in the enforcement regime persist, but it is clear that they will have a significant effect on regulatory enforcement in UK financial services.


Lehman Brothers failed, disproving the belief that certain institutions were "too big to fail". The result was a significant dislocation to financial markets and further bank failures. Numerous scandals followed as conduct failures in the sector came to light. That prudential and conduct failures occurred simultaneously was not considered to be a coincidence. The conclusion of the Parliamentary Commission on Banking Standards (PCBS) was that they were the result of common deficiencies of standards and culture. Two deficiencies were identified by the PCBS and other bodies tasked with analysing the causes of the crisis as being at its core: a lack of accountability among senior managers for failures and an inappropriate culture among financial services professionals. 

The complex structure and diverse activities of many large firms at the time obscured senior executives’ understanding of what was really going on in the businesses they were running. Many firms also had a structure of cross-cutting functions and committees which meant that key decisions and risks were not owned by single executives but were shared. Senior executives avoided accountability for failings by relying on ignorance or collective decision-making, benefitting from what was described as an “accountability firewall” between themselves and individual misconduct. The PCBS described as “dismal” and “striking” the limitation on the sense of personal responsibility and accountability of industry leaders at the time of Lehman’s collapse.

This accountability firewall made it difficult for the regulatory authorities to bring sanctions against those who presided over failures in the years that followed. The Approved Persons regime that was in place at the time of the crisis was deemed inadequate on the basis that, despite mandating standards of individual conduct and accountability, enforcement action against Approved Persons at senior levels was unusual. The small number of instances where the FCA sought to do so resulted in some limited success, such as the Cummings case, but also met with significant reverses, such as the Pottage case. This lack of action reflected the difficulty that regulators faced in penetrating the accountability firewall of collective responsibility so as to make any single individual responsible.

Holding individuals to account was, however, viewed as an imperative part of the response to the crisis: enforcement action against institutions was deemed an insufficient deterrent against future misconduct while, politically, the public demanded that individuals be held to account for the damage the crisis had inflicted.

Cultural constraints upon individuals’ behaviour in the financial services sector had also been eroded by the forces of globalisation, technological developments and changing incentives. In the years prior to Lehman’s collapse, banking, for example, encompassed a much wider range of activities than had traditionally been the case and had fewer features of a professional identity. As a result, a "blind eye" was turned to misconduct on a frequent basis, illustrated by the rarity of whistleblowing, even where, such as in the case of Libor manipulation, prolonged misconduct has been evident.

In the years that followed it became generally understood that culture was a key root cause of the conduct failings that occurred. Compliance with the letter of numerous and detailed rules would never be effective if those regulated viewed rules as an obstacle to be overcome rather than a baseline for high standards of personal conduct. Instilling a culture where individuals felt personally invested in standards of conduct and empowered to speak up without fear of reprisal if those standards were transgressed was viewed as a top priority.

Individual accountability: the SM&CR

In March 2016, the FCA replaced the Approved Persons Regime with the Senior Managers & Certification Regime (SM&CR) for banks and the regime will shortly be extended to nearly all other financial services firms. This followed the PCBS recommendation for a new accountability framework that would provide clarity as to:

“who is exercising responsibility at the highest levels, what they knew and did, and what they reasonably could and should have known and done.”

This would provide a sound basis for the regulators to impose remedial requirements or take enforcement action where serious problems occur. The recommendation has been translated into the following core SM&CR requirements:

  1. Every senior manager must have a "statement of responsibilities" that says what they are responsible and accountable for, and firms must have a "responsibilities map" setting out the responsibilities of their senior managers.
  2. There are some specific "prescribed" responsibilities that firms must give to their senior managers in order to make sure there is a senior manager accountable for key conduct and prudential risks, while there must also be a senior manager responsible for each of the firm's business functions and activities.
  3. Every senior manager has a "duty of responsibility", which means if there is a regulatory breach in the area that a senior manager is responsible for, the FCA and PRA may take action against that senior manager if he or she did not take "reasonable steps" to prevent the contravention happening.
  4. A new set of conduct rules for senior managers.

These requirements undoubtedly address the “accountability firewall” that presented such great difficulty to regulators in the post-Lehman era. It is hard to see how a senior manager could now argue that a failure in his or her area of responsibility was not in fact his or her responsibility.

However, while identifying the individual responsible for a failing should now become relatively straightforward for the regulators, demonstrating that he or she in fact breached a regulatory requirement is likely to remain fraught with difficulties.

What the Pottage and Cummings cases demonstrated is that, pre-SM&CR, even when the identity of the individual responsible is clear it will still be difficult for the regulator to prove that he or she failed to take reasonable steps to prevent regulatory failings. This reflects the fact that there are myriad factors that can contribute to a breach and a similar number of possible steps that a senior manager might have taken to prevent it. Judged with the benefit of hindsight it is often easy to identify where an incorrect decision was taken. However, whether it was “reasonable” or not to take that decision in the heat of the moment is much harder to discern.

The regulators have a difficult role to play in this respect; they have to form a value judgment on whether or not the steps taken were reasonable at the time that they were taken, putting out of their mind what they know through the benefit of hindsight while taking into account all of the other numerous and often complex considerations that the senior manager would have had to balance. The regulators’ assessment of what was not reasonable will likely face challenge by the individuals concerned, who will point to all of the countervailing factors that drove their actions at the time.

The SM&CR does not fundamentally change this and the problem of determining what is “reasonable” is likely to persist. It is also unclear to what extent a body of cases will build up and provide clarity on where the boundary lies in terms of taking or not taking reasonable steps. The financial and psychological costs of challenging FCA enforcement action to the RDC and the Tribunal are considerable for individuals, who are unlikely to have the support of their present or former employer in doing so. The result can be weak enforcement cases left unchallenged.

Accordingly, while the SM&CR would appear to have removed the “accountability firewall”, a lack of certainty as to what constitutes culpable behaviour remains. Whether the SM&CR can achieve individual accountability despite this uncertainty will become clearer as the reforms take effect and enforcement actions follow.


Culture, commonly defined for regulatory purposes as “the way we do things around here”, is not something that lends itself to being regulated. The FCA has recognised this in its discussion papers, making clear that while it no longer considers that simply complying with rules is sufficient, it does not believe that culture can be “one size fits all”. However, the FCA nevertheless believes that firms can and should take responsibility for ensuring their culture is healthy, giving rise to a quandary for firms, who are told that they must have a “good culture”, but not what a good culture looks like.

While the positive obligation to have a good culture remains nebulous, there have nevertheless been clear reforms with regard to whistleblowing. The law post-Lehman Brothers now provides greater protection to whistleblowers and imposes new regulatory obligations on firms, such as the requirement to have a whistleblowers’ champion among senior management. One of the intended benefits of greater whistleblowing is that it will result in a light being shone on poor culture, with the prospect of censure and negative publicity providing firms and individuals with an incentive to establish, and abide by, a good culture.

Whether increased whistleblowing will improve culture within firms, however, remains to be seen. While on the one hand firms will appreciate that poor culture is likely to be the subject of whistleblowing, and therefore cannot be hidden from the regulators, the absence of clarity on what constitutes “good” culture means that whistleblowers will have to exercise their own subjective value judgment in identifying poor culture. That subjective assessment might well be inconsistent with the firm’s, or the FCA’s, views on culture, resulting in uncertainty for all concerned. Whistleblowing could become devalued in consequence, with reports of serious misconduct mixed with mere differences of opinion on cultural practices within a "grey area" of acceptability. Contested enforcement action might also follow, with the onus on the regulators to demonstrate that the cultural practices that were reported contravened a principle or rule in a manner deserving of sanction.

Comment: a worthy legacy?

A lack of individual accountability and poor culture were viewed as key drivers in the collapse of Lehman Brothers, the financial crisis and conduct scandals that followed. Measures have followed which are designed to address those shortcomings, principally in the form of the SM&CR and whistleblowing regimes. These measures are based on the deterrent effect of regulatory enforcement, with individuals made aware of their own personal liability and firms aware of the need to comply with the spirit as well as the letter of the rules. It is likely that success or failure of the measures will be viewed as Lehman Brothers’ legacy to regulatory enforcement in the UK.

Both the SM&CR and whistleblowing regimes appear to have made significant steps in terms of addressing the question of who may be subject to enforcement action: the SM&CR clarifies which senior managers are responsible for failings while whistleblowing will prevent the concealment of failings. However, neither measure has moved the position forward significantly in terms of what may be the subject of enforcement action: individuals and firms must still grapple with the nebulous concepts of “reasonableness” and “culture” when deciding how to act. Whether the measures can overcome this uncertainty and prevent the next Lehman Brothers-like crisis will only become clearer as enforcement action is taken and behavioural responses follow. Nevertheless, both measures represent fundamental shifts in the enforcement landscape in the UK and their effects are likely to be felt for years to come.
