Disputes - What to look out for in 2019: Contentious Regulatory

2019 is likely to see an increase in action by the FCA in several key areas, including misconduct by regulated individuals and cyber security.

In brief

  • The FCA had a relatively quiet year in 2018. The number of published enforcement outcomes was significantly less than in previous years. However, the level of enforcement activity has increased dramatically.
  • We anticipate that whilst some of these cases may be discontinued without further action, it is likely that we will see an increase in enforcement outcomes in 2019. We also anticipate the further use of Focused Resolution Agreements (FRAs) as a means of partial settlement with the regulator.
  • The FCA has listed seven key priority areas of focus in its 2018/2019 Business Plan, and we can expect to see enforcement action in 2019 closely aligned to these priorities.
  • In particular, following the roll-out of the Senior Managers and Certification Regime (SM&CR) to all FSMA regulated firms and the introduction of the General Data Protection Regulation (GDPR) in May 2018, we can expect to see increased regulatory activity in relation to:
    • culture and governance
    • individual accountability, and
    • cyber security.

Individual accountability

The FCA can and will pursue individuals under (i) the SM&CR (if the relevant individual falls under the definition of a Senior Manager); (ii) the “Duty of Responsibility” for Senior Managers; and (iii) the Conduct Rules. As at 01 August 2018, there were 520 open enforcement investigations, including five investigations into Senior Management Function holders and seven investigations into certified individuals. This is because the FCA is increasingly identifying individuals potentially involved in a breach at an early stage of the investigation. It is important to note that personal gains are not required for the FCA to find misconduct sufficiently serious to impose a penalty against individuals. To date, only one final notice has been issued under the new conduct rules but we expect to see many more in 2019.

Culture and governance

Culture and governance will remain a key area of focus for the FCA this year. The FCA has been clear, both in its business plan and other recent publications, that it sees culture and governance as central to driving good behaviours and producing outcomes likely to benefit consumers and markets. In particular, the FCA has recently stated that it can and will investigate instances of non-financial misconduct, such as sexual harassment and bullying. In her September 2018 letter to the Women’s & Equality Committee, Megan Butler (Director of Supervision at the FCA) stated that the FCA considers that “misconduct is misconduct, whether it is financial or non-financial”. She added that “when we look at fit and proper, that is not merely in the context of financial decision making; it is in a broader, cultural set of values.” It remains to be seen how far the FCA will seek to stretch its jurisdiction in this regard; for example, will it take action for non-financial misconduct outside the workplace? In conjunction with increased enforcement action under the SM&CR, we may see outcomes against (i) senior individuals for non-financial conduct (given their ability to affect firmwide culture); and (ii) firms for failing to prevent non-financial misconduct.

GDPR and cyber security

Following the introduction of the GDPR in May 2018, we expect cyber security to be a key focus for the FCA this year. The FCA included data security, resilience and outsourcing as one of its seven key priorities in its 2018/2019 Business Plan, since technology plays a pivotal role in delivering financial products and services. In October 2018, the FCA fined Tesco Personal Finance Plc £16.4m for a breach of Principle 2 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack. The FCA found that the risk was foreseeable, and the response taken was described as “too little, too late”.

The FCA also stated that ultimate responsibility for ensuring that cyber crime controls are designed to meet standards of resilience lies with the Board. Mark Steward (Director of Enforcement and Oversight at the FCA) said that “the standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.” We can expect to see further action in relation to cyber resilience systems and controls in the coming year, with the FCA potentially working alongside other regulators such as the PRA (given the potential systemic risks) and the ICO.

Focused Resolution Agreements

An FRA is an agreement setting out an agreed position on one or more, but not all, of the elements relevant to a proposed enforcement action. It is an available option for any proposed enforcement action that requires the FCA to issue a warning notice. The first decision notice involving an FRA was published in September 2018 against Linear Investments Limited. In this case, the facts and liability were agreed by Linear, with only the quantum being disputed. The decision of the FCA has been referred to the Upper Tribunal on the issue of penalty only. This option may work well for certain types of cases and we anticipate their increased use in 2019 and beyond.

What this means for you

After a quiet year, 2019 is likely to see an increase in regulatory action in several key areas. The FCA’s focus on its seven key priority areas means it is possible to predict where the Regulator’s efforts will be concentrated and regulated entities should accordingly ensure each of these areas is being adequately addressed in their compliance programmes. In particular, robust action is needed to prevent all forms of misconduct. Where instances of misconduct arise, allegations should be promptly investigated and consideration given to whether a notification should be made to the FCA under Principle 11. Cyber security systems and controls should also be high on board agendas.
