UK Financial Services Enforcement and Investigation
This is an Insight article, written by a selected partner as part of GIR's co-published content.
In summary
The UK’s Financial Conduct Authority (FCA) continues to pursue an active enforcement programme, imposing 21 fines totalling £392,303,087 during 2019. Market conduct, anti-money laundering (AML) and consumer protection remained key themes in the enforcement context; public and political scrutiny has focused on the FCA’s ability to act to prevent consumer detriment. The FCA’s Enforcement Division has claimed some success in working through a backlog of older investigations, although the time taken to complete investigations is still far too long. It remains to be seen what impact the covid-19 pandemic has on regulators’ immediate ability to progress investigations and in the longer term. Firms have seen some success in reducing fines imposed by the FCA using its partial settlement route, but questions around the FCA’s five-step penalty policy remain. The Prudential Regulation Authority (PRA) has increased its independent enforcement activity and articulated the role it sees for enforcement in prudential regulation.
Discussion points
- Overview of the FCA and PRA’s enforcement powers
- Summary of the FCA and PRA’s approach to enforcement
- Outline of the FCA enforcement process
- Review of significant cases concluded during the past 12 months
- Analysis of areas of heightened enforcement risk
- Issues with the regulators’ approach to setting penalties
Referenced in this article
- COCON – the FCA’s rules on individual conduct
- FSMA – Financial Services and Markets Act 2000
- MAR – Market Abuse Regulation (EU Regulation 596/2014 of 16 April 2016)
- MiFID II – Markets in Financial Instruments Directive (Directive 2014/65/EU)
- SMCR – Senior Managers and Certification Regime
Introduction
As the agency primarily responsible for the investigation of potential misconduct within the financial services sector in the UK, the Financial Conduct Authority (FCA) continues to investigate many diverse forms of suspected misconduct. While the number of cases under investigation by the FCA’s Enforcement Division continues to grow, there have been signs in the past 12 months that the rate at which new cases are being opened has begun to level off, after an initial steep rise following the introduction of a more ‘diagnostic’ approach to investigations in 2016. In that period, we have seen several firms successfully challenge the penalty proposed by the FCA while reaching agreement on the facts and breaches alleged against them (using what are known as ‘focused resolution agreements’). We anticipate such partially settled cases will become more prevalent given the apparent success of these early examples.
The FCA’s powers are not limited to enforcement against authorised firms and the individuals who work at them. As part of its role in promoting market integrity it is also empowered to investigate and bring enforcement proceedings against listed corporates and their officers in relation to compliance with their listing and disclosure obligations. 2019 saw action taken against Cathay International Holdings plc and two of its directors for non-compliance, as well as increasing levels of pre-Enforcement inquiries as the Market Oversight Division followed up on the greater amounts of data available to it since the implementation of Market Abuse Regulation (MAR) and the Markets in Financial Instruments Directive (MiFID II). The FCA can also investigate and prosecute anyone for the criminal and civil offences of insider dealing and market manipulation. It can prosecute authorised firms and their officers for certain breaches of the Money Laundering Regulations. We see an ongoing focus on regulatory action for anti-money laundering (AML)-related systems and controls breaches, but no use of the criminal powers in this area has been made as yet despite a large number of investigations beginning on this basis. In addition, the FCA published its first competition enforcement decision, against a trio of asset management firms, in February 2019 – although data on active FCA investigations suggests that use of its antitrust enforcement powers to investigate and take action in relation to anticompetitive behaviour within the financial services sector will remain limited.
During 2019 the PRA signalled a willingness to make more active use of its powers to investigate and enforce against firms that breach its rules, after taking regulatory enforcement action only 10 times in the first five years of its existence.[1] In the past year independent enforcement action by the Prudential Regulation Authority (PRA) to support its overall priorities has increased markedly – most notably in the Citigroup action published in December 2019[2] – but we anticipate that joint investigations such as that which led to the fines imposed on Raphael’s Bank in June 2019 will continue.[3]
The remainder of this article outlines the FCA’s enforcement process and sets out our view of the FCA’s current enforcement priorities, the agency’s expectations of those subject to investigation, and the FCA’s approach to penalties. Those operating within the financial services sector in the UK also need to be aware of the role of other agencies, in particular the Serious Fraud Office (SFO) with its focus on criminal offences involving serious fraud and bribery, although these are outside the scope of this article.
Overview of FCA enforcement process
An FCA Enforcement investigation can be opened where there are grounds to suspect that serious misconduct has occurred. This is a low threshold, and in recent years the FCA has emphasised its appetite to open more investigations and use them as a ‘diagnostic’ tool, that is to determine whether serious misconduct has occurred, and not just to investigate in cases where the evidence is strongly suggestive of breaches. Before an investigation is opened the subject may be approached for information to help inform the decision. We have seen the Market Oversight team increasingly contacting issuers with requests for an insider list and chronology, and supervisors will require authorised firms to provide detail in relation to areas of concern arising from their relationship with the firm or their specialist work (on, for example, client assets or financial crime). These requests are usually made using the FCA’s formal powers and will inform the decision on Enforcement referral, so they require a careful and prompt response.
Once an investigation is under way, investigators will be appointed and the subject or subjects of the investigation notified, except in those rare cases where there are grounds to believe that this will prejudice the investigation. There will ordinarily be a ‘scoping’ meeting held between the investigators and the subject; these are often treated as a formality but can be a useful opportunity to set the tone, understand the investigation’s focus and agree a preliminary timetable. The FCA will then obtain evidence, usually by a combination of document requests and witness and subject interviews. Where it can, it will ordinarily use its powers to compel production of evidence, primarily to avoid difficulties with confidentiality obligations. These powers are wide (their precise extent will depend on the nature of the concerns under investigation) but do not allow the compulsion of items protected under section 413 of the Financial Services and Markets Act (FSMA), which are broadly materials to which legal privilege would apply.
We have seen cases in which the evidence gathering phase of an investigation has lasted several years, with the result that published outcomes often relate to wrongdoing that has long been remedied: two FCA outcomes published in March 2019, penalties of £27.6 million and £34.3 million imposed on UBS AG and Goldman Sachs International, related to reporting failings that stretched back to November 2007.
Recently FCA senior management has emphasised the desirability of prompt and efficient investigation, with investigations being closed at an early stage where the initial evidence justifies this, but we have seen limited evidence of this occurring in practice save in those few cases where exculpatory evidence has been found rapidly.
When sufficient evidence has been gathered for the investigation team to understand the nature of any misconduct that has taken place and the appropriate action in response, if the enforcement team thinks there is a case to answer, it will seek to resolve the matter with the subject, initially through settlement negotiations.
Any matters that are not agreed are then determined by the FCA’s Regulatory Decisions Committee (RDC), a committee of the board of the FCA which is independent of the enforcement function. If the subject wants to challenge the RDC’s decision, the case can be referred directly to the Upper Tribunal for a full rehearing. Alternatively, a subject can choose to leapfrog the RDC stage and refer the matter directly to the Upper Tribunal.
The approach to settlement was revised in early 2017, in part to enable the subject to better understand the case alleged. Settlement discussions are now based on a draft formal notice setting out the facts as the FCA sees them, the alleged breaches and the proposed sanction, annotated to refer to an accompanying bundle of supporting evidence. The settlement period should now be preceded by a pre-resolution meeting at which the key facts and findings will be outlined. Negotiations themselves will generally take place over a 28-day period save in exceptional circumstances, although there may in practice be more flexibility over this. Discussions may lead to full settlement, or else to a ‘focused resolution’ (ie, partial agreement relating to some or all of the factual allegations, breaches or sanction). Where agreement is reached a settlement discount of up to 30 per cent of the proposed penalty is available.
Some firms are now making use of this partial settlement route in order to challenge the amount of the proposed fine while preserving the settlement discount available: in March and April 2019, the FCA published outcomes against Carphone Warehouse and Standard Chartered Bank in which the firms had each accepted issues of fact and liability, and made representations before the RDC only on the issue of sanction or penalty (thereby retaining a 30 per cent discount for early settlement). In April 2019, the Upper Tribunal also published its decision in relation to Linear Investments Limited, the first case in which it was asked to determine a reference where the only issue referred was the size of the penalty.
Current FCA Enforcement priorities
The FCA published its Approach to Enforcement in April 2019, as part of a drive towards transparency that began with the 2017 publication of its mission document.[4] In its Approach to Enforcement paper, it describes the overriding principle of its approach as substantive justice, ensuring it carries out investigations in a consistent and open-minded way to deliver the right outcomes.[5]
The approach document highlights one area already repeatedly emphasised as a priority for enforcement, namely individual responsibility. The Enforcement Division’s approach to investigating individuals has shifted in recent years, to promote consistent decision making and ensure that action is taken against both individuals and firms wherever appropriate. Enforcement now investigates individual wrongdoing ‘as far as possible’ at the same time as it conducts its investigation into firms; and we are increasingly seeing individual culpability highlighted as one of the issues under investigation even where there is no individual identified initially. Concurrent investigations may have a significant impact on the ability of firms to resolve matters early through settlement if the FCA holds good on its stated intention to resolve matters against firms and individuals at the same time. This is part of an ongoing response to the sustained criticism the FCA has received for its difficulties in taking meaningful action against senior individuals within the regulated sector, and in particular for largely failing to hold to account any of those popularly perceived to have been responsible for the financial crisis. Early in 2016 the FCA (and PRA) rolled out a new framework for regulating individuals working within banks, deposit takers and certain significant investment firms, the Senior Managers and Certification Regime (SMCR); a similar regime has now been rolled out to the rest of the regulated sector. For those firms within the regime, a wider population of individuals is subject to the FCA’s Code of Conduct rules (COCON) than was the case previously under the approved persons regime.
In addition, senior managers are now under a duty of responsibility, whereby action can be taken against them if they are responsible for the management of any activities of their firm in relation to which the firm breaches a regulatory requirement and they did not take such steps as could reasonably be expected to prevent the breach occurring or continuing.
Three years on there remains very limited evidence that these new rules will have much impact on regulatory enforcement investigations. Data from June 2019 stated that there were only 15 live investigations into senior managers under SMCR, out of a total of 401 investigations into individuals.[6] The only final notice published to date solely based on the new rules relates to Jes Staley’s actions in response to a whistle-blowing allegation and provides no real precedent for the management and oversight aspect of the new regime. What is clear from ongoing investigation work is that the regulator is focusing not simply on the effectiveness of underlying systems and controls, but also the speed with which issues are escalated to senior management and, once escalated, how long it takes for the issues to be robustly addressed.
The focus on market disclosures identifiable since the arrival of Steward, who sees good disclosure by issuers as ‘an important component in any market working well’, continues. Cathay International Holdings plc and two of its directors were penalised in June 2019 for failings relating to the timing of publication of a trading update.[7] But the broader picture suggests that these investigations are proving challenging: while the investigation into circumstances surrounding Carillion’s July 2017 profit warning appears to be ongoing, those announced into two other companies, Mitie Group plc and Cobham plc, were both discontinued during 2018. Despite this, the FCA has confirmed that it has several investigations ongoing into suspected or misleading statements by listed issuers, a number of which are nearing resolution.
Two earlier outcomes arising from corporate failure to comply with the disclosure requirements demonstrate the FCA’s interest in the conduct of listed companies and also highlight other themes relating to the FCA’s approach to penalties developed further below. In October 2017, Rio Tinto plc was fined over £27 million for breaching the disclosure and transparency rules, after it failed to conduct impairment tests ahead of announcing its 2012 interim results, as a consequence of which the FCA said that those interim results were inaccurate and misleading.[8] The record fine imposed in that case demonstrates the risks posed to large corporates as a result of the way in which the FCA assesses financial penalties. The final notice makes clear that Rio Tinto’s failures were not at the most serious end of the spectrum; despite this, because the penalty was calculated by reference to the firm’s market capitalisation, it became the highest penalty ever imposed for failings of this type.
The March 2017 action against Tesco[9] was notable primarily because the FCA did not impose a financial penalty on the firm. Instead, the case was the first in which a firm was required to pay restitution estimated at £85 million to market participants who were deemed to have lost out as a result of its misstatement. There has been an earlier market abuse case in which an individual was ordered to pay restitution,[10] but in that case this was directed towards a single counterparty who had sustained financial losses as a result of an instrument linked to the shares that were manipulated rather than participants in the market generally. The Tesco final notice sets out the terms of the restitution scheme, which aims to identify and reimburse those who invested in certain Tesco securities between the misstatement and the correction published a month later. The decision not to impose an additional penalty appears to have been influenced by the concurrent deferred prosecution agreement Tesco reached with the SFO, which included a fine of £129 million, and what is described as Tesco’s ‘exemplary’ cooperation and steps to ensure similar misconduct will not recur.
As a third priority, we would highlight an ongoing focus on financial crime and anti-money laundering, and how these overlap with market abuse. Financial crime is again specifically called out in the FCA’s Business Plan for 2020–2021 and is the basis for numerous financial crime investigations currently underway across the Enforcement Division. Throughout its existence the FCA has sanctioned a number of firms for failing to operate effective AML systems and controls, leading to significant fines (the largest being £163 million imposed against Deutsche Bank in January 2017, while the most recent is that imposed on Standard Chartered Bank in April 2019, in a simultaneous settlement alongside numerous agencies in the US) and the imposition of short-term restrictions on the regulated activities being conducted by the subjects. So far, the FCA has not used its power to prosecute firms for such failings where breaches of the Money Laundering Regulations 2007 and/or 2017 may amount to criminal offences, although such action has been regularly threatened. Steward:
I suspect criminal prosecutions [for AML systems and controls failings], as opposed to civil or regulatory action, will be exceptional. However, we need to enliven the jurisdiction if we want to ensure it is not a white elephant and that is what we intend to do where we find strong evidence of egregiously poor systems and controls and what looks like actual money-laundering.
We expect to see further investigation work focused on firms’ operational resilience – reflecting the approach and issues set out in the regulators’ December 2019 consultation papers. Service failures have generated significant public criticism for the FCA, and we anticipate further public outcomes to follow up on the fine imposed on Raphael’s Bank in June 2019 for technology outsourcing failures that led to customers being unable to use payment cards for several hours on Christmas Eve 2015.[11] At the time of writing, firms are engaged in a massive effort to continue operating and providing services in the face of unparalleled challenges created by the covid-19 pandemic, with significant regulatory intervention. It is too soon to identify the lessons that will be learned from this process, but there will almost certainly be significant focus by both regulators on how well firms were prepared for a crisis of this magnitude once the worst of the disruption is over.
Finally, we have seen the FCA come under increasing public and political pressure to take action in respect of the activities of regulated firms outside of the regulatory perimeter. The public, understandably, expects products or services offered by firms carrying FCA authorisation to be subject to its disciplinary remit. Where business conducted outside of the regulatory perimeter results in widespread consumer harm, as has occurred in several recent cases, the FCA can find (and indeed has found) itself having to defend itself for failing to exercise powers it does not have. The reputational implications of this are significant. The FCA has committed to using its 2020 perimeter report to set out the extent to which it can exercise its functions in relation to all financial services-related activities undertaken by an authorised firm. It has also been clear that the (enforceable) obligations imposed upon senior managers apply whether they relate to business conducted within or outside of the perimeter.
FCA expectations of firms subject to investigation
The FCA continues to stress the importance of cooperation from those subject to investigation, and the approach document suggests that even more significance will in future be attached to this when assessing the appropriate outcome of any case. The FCA states it will in future encourage firms to voluntarily account for and redress misconduct by imposing lower sanctions on such firms, and imposing more severe sanctions on those who fail to address harm.
This goes beyond the approach to date, which has suggested that credit will be given for cooperation but given little concrete detail or practical guidance about what cooperation means in practice. This has begun to change: the Tesco notice referred to ‘exemplary’ cooperation and described this as proactively offering information, responding constructively to requests and disclosing significant material voluntarily, and agreeing not to interview witnesses without prior reference to the FCA; the Deutsche Bank notice describes the bank’s cooperation as exceptional for including senior management engagement from the outset, extensive and wide-ranging internal investigations and reporting the conclusions of those investigations in a fully transparent manner. Authorised firms are required to be open and cooperative with the FCA, and all recipients are obliged to respond to lawfully compelled requests for information. The FCA will not credit the cooperation of an investigation subject doing only what it is obliged to do in any event. If a firm does wish to demonstrate unusual cooperation, early dialogue with the FCA will be essential so that the investigation team understands the efforts made and the approach adopted.
There is, however, a tension between the FCA’s desire to encourage firms to uncover and report wrongdoing and the concerns regularly expressed by senior enforcement staff that firms not put the FCA’s own investigation at risk by, for example, interviewing potential witnesses. Steward has also publicly and repeatedly expressed scepticism about the value of firm-commissioned investigation reports, and there is increasingly an expectation on the part of the FCA that it will be consulted about the conduct of internal investigations early on, rather than simply being presented with the product of a firm’s own investigation. It is notable that Tesco was given credit for refraining, at the FCA’s request, from interviewing witnesses or taking statements. The FCA’s desire to exert control over the conduct of investigations is also apparent from its resistance, in some cases, to allowing a firm’s external lawyers to attend compelled interviews of the firm’s employees, even in cases where those employees are witnesses and not subjects of the investigation.
Firms under investigation or considering self-reporting will therefore need to consider at an early stage how best to approach any internal investigation, including at which points it may be appropriate to consult with the FCA regarding its expectations.
The FCA, like the SFO, also appears increasingly willing to challenge assertions of legal professional privilege over certain categories of material. Consistent with this trend, we are seeing more requests from the FCA for privilege logs (a list of documents withheld from the FCA on privilege grounds) and requests for those logs to contain increasing levels of detail with respect to the withheld documents.
Whether privilege will attach to material generated in the course of an internal investigation – in particular to notes of interviews with employees and other potential witnesses – will depend on the circumstances, in particular on whether litigation has commenced or is in reasonable contemplation.[12] It is particularly important for firms to consider carefully how any employee interviews should be conducted and recorded, and indeed whether, in certain circumstances, interviews should be conducted at all. Firms under investigation or considering self-reporting may need to limit the creation of material that is unlikely to attract privilege, as well as carefully considering how to minimise the risks associated with agreeing to share the product of an internal investigation. These risks can be particularly acute in investigations with a cross-border element or high possibility of civil litigation in other jurisdictions (particularly the US).
Even where a claim of privilege is accepted by the FCA, waiver of privilege over relevant documents is increasingly viewed as a hallmark of cooperation and firms may come under significant pressure to disclose privileged documents. Indeed, the FCA’s Enforcement Guide expressly states that a firm’s willingness to volunteer the results of its own investigation, whether privileged or not, will be welcomed and may be taken into account by the FCA when deciding what action to take.[13]
Penalties
The FCA has long promised a review of its approach to imposing financial penalties. Comments made by Steward earlier this year, however, suggest that this is no longer a priority. This is disappointing as there are several areas in which the FCA’s current approach to setting penalties could be clarified or improved.
The FCA’s current approach to imposing financial penalties was introduced in March 2010, and is based on a five-step process, beginning with the disgorgement of any benefit, then assessment of a figure representative of the risk of harm caused by the breach, adjustment for any aggravating or mitigating factors, further adjustment for deterrence, and reduction for early settlement.[14] This process was designed to make the assessment of penalties more transparent, but the flexibility adopted in relation to each step in practice has undermined that goal.
The current policy suggests that for firms the figure representative of the risk of harm caused will be based on the relevant revenue earned by the firm, to which a set percentage will be applied depending on the seriousness of the misconduct alleged. In practice, the FCA has departed from this in many of its cases. Examples include those involving issuers, where the firm’s market capitalisation has been used as the starting point; those involving client assets, where the average client assets at risk has been used; those involving transaction reporting failures, where an amount per transaction has been used; and those involving breaches of the obligation to cooperate with the regulator under Principle 11 of the Principles for Business, which have selected an arbitrary figure to reflect seriousness.[15] Even where a starting point is identified the resulting figure can be adjusted for proportionality if this is deemed appropriate: the Rio Tinto figure referred to above was reduced by 25 per cent, in a recent case against Interactive Brokers (UK) Limited it was halved, and in the Deutsche Bank fine for AML failings[16] the figure was also reduced to an apparently arbitrary £200 million. Significant reductions for proportionality were also made to several of the penalty metrics used in the Standard Chartered Bank[17] decision published in April 2019. This is not just an issue for the FCA; in November 2019 the PRA reduced significantly the step two figure in its decision against Citigroup,[18] where its policy had generated an initial figure of well over £1 billion.
Final notices published under the existing regime provide little clarity as to how aggravating and mitigating factors are assessed at the third step of the calculation. The factors referenced at this stage are often not very different from those used to determine the level of seriousness at step two, which may give rise to an appearance of double counting. There is also a particular absence of clarity around what constitutes the type of ‘exceptional’ cooperation the FCA has indicated can result in a mitigation discount. The use of the adjustment for deterrence to increase the penalty dramatically is similarly opaque and has been widely criticised.
The approach document confirmed that the FCA will also continue to expand the use of its full suite of enforcement powers. The last decade has seen the FCA grow in confidence as a criminal prosecutor, with a number of successful prosecutions for insider dealing, breaches of the regulatory perimeter and associated fraud, and substantive money laundering offences.
The FCA has made tentative use of the restriction and suspension powers it has had since 2014, imposing restrictions on the regulated activities conducted by Bank of Beirut in 2015 and Sonali Bank in 2016 in response to failings in those institutions’ AML systems and controls. Both cases involved financial penalties as well as restrictions, and the purpose of imposing the restriction was said in each case to be more effective deterrence than a financial penalty alone.
The power to suspend or restrict a firm’s regulated activities as a consequence of a regulatory breach is intended to be disciplinary rather than protective in nature. There is a renewed focus on using the FCA’s power to vary a firm’s permissions in order to prevent harm. This can be done by the FCA on its own initiative, but in practice firms often prefer to vary their permissions voluntarily rather than have a variation imposed by means of a public notice.
Conclusion
The FCA is committed to investigating serious misconduct wherever this affects the proper functioning of UK markets. Where issues arise, careful consideration will need to be given as to how best to approach an FCA enquiry or investigation so as to minimise the associated risks. Proactivity and cooperation can bring benefits but these may come at a substantial price. A firm’s handling of information and the individuals involved in an investigation will also require careful management to balance their interests against regulatory expectations.
Notes
[1] For further detail on the PRA’s powers and how these are used, see https://www.bankofengland.co.uk/prudential-regulation/regulatory-action.
[2] See https://www.bankofengland.co.uk/news/2019/november/pra-fines-citigroups-uk-operations-44-million-for-failings.
[3] Raphaels Bank was fined a combined total of £1.89 million for failings in respect of its outsourcing of key business functions (see further here https://www.bankofengland.co.uk/news/2019/may/fca-and-pra-jointly-fine-raphaels-bank-1-89m-for-outsourcing-failings).
[5] https://www.fca.org.uk/publication/corporate/our-approach-enforcement-final-report-feedback-statement.pdf.
[6] FCA FOI response FOI6490, 19 June 2019; FCA FOI response FOI6683, 5 September 2019; FCA Enforcement Annual Performance Report 2018-19.
[7] https://www.fca.org.uk/news/press-releases/fca-publishes-decision-notices-concerning-cathay-international-holdings-limited and https://www.fca.org.uk/news/press-releases/fca-issued-final-notices-against-cathay-international-holdings-limited.
[11] https://www.bankofengland.co.uk/news/2019/may/fca-and-pra-jointly-fine-raphaels-bank-1-89m-for-outsourcing-failings.
[12] See further the decision of the Court of Appeal in Serious Fraud Office v Eurasian Natural Resources Corporation Ltd [2018] EWCA Civ 2006.
[13] FCA Enforcement Guide, paragraph 3.18.
[14] The framework is set out in detail in DEPP 6.
[15] eg, in its 2015 action against Deutsche Bank AG https://www.fca.org.uk/publication/final-notices/deutsche-bank-ag-2015.pdf.