What lessons do firms need to learn from recent FCA regulatory outcomes related to breaches of requirements imposed by the FCA on regulated firms? In this briefing we consider some lessons around managing regulatory interventions.
Our focus here is on VREQs (a voluntary agreement by a firm regulated by the FCA to restrict how it carries out its business) and OIREQs (where the FCA imposes its own initiative requirement to stop harm).
Lessons for firms when responding to and managing compliance
Respond early and open a dialogue with the regulator
Recent experience and outcomes have suggested the regulator is willing to enter a dialogue with regard to the terms and wording of a VREQ. These discussions can be worthwhile in assisting firms to gain comfort that the restrictions agreed are practicable in terms of implementing the requirements imposed on their business.
However, careful consideration needs to be given to what can and cannot be put into practice so as to avoid inadvertently creating a rod for the firm’s back, particularly where those negotiating are at one step removed from the practical implementation and where there is room for misunderstandings about what can be delivered. Failing to comply with a requirement that the firm has negotiated is likely to be viewed more seriously by the regulator.
Consideration should also be given to whether there are alternatives that may address the regulator’s concern, thereby avoiding the need for any requirement to be formally imposed, and to what options are available to the firm if negotiation is not successfully concluded.
Document the governance framework for compliance
Writing down the methodology for how the firm intends to implement and ensure compliance with the VREQ/OIREQ may focus minds internally on the steps that will be needed and what policies, procedures and other measures are required to ensure the steps are taken. Having a methodology may also avoid criticism by the regulator for failure to have a (documented) governance framework in place to oversee compliance with the requirements or restrictions imposed.
Ensure clear internal communications and a joined-up approach
The terms of the requirements or restrictions imposed by the regulator may require a number of different functions to communicate clearly regarding the implementation and operationalization of any requirements. Where systems changes are needed to give effect to the VREQ/OIREQ, firms may need to ensure that the relevant IT or other technical teams within the business make the appropriate systems changes to give effect to the regulator’s requirements.
Steps that can be taken to avoid messages becoming lost in translation include converting technical jargon into plain English, conducting walk-throughs to understand what will happen in practice, and taking time to ensure all elements of the process are understood.
Pre-implementation testing
Undertaking sufficiently robust pre-implementation testing will help the firm to understand where there might be any gaps in controls in the business that would undermine or prevent the VREQ/OIREQ from taking effect. In addition, firms would be well advised to keep records of the testing carried out (which should be an ongoing process, rather than adopting a “plug and play” approach).
Consider all practical ways in which the VREQ/OIREQ will work and be operationalized
This includes consideration across all products, business lines, services and systems (including, for example, any services or systems which the relevant entity shares with other entities in the group) and how to operationalize this, to avoid criticism for not adequately identifying possible loopholes in the implementation and risking a breach of the requirements/restrictions imposed (and possibly, subsequent disciplinary action).
A team brainstorming approach and workshopping may assist with flushing out anomalies or less common aspects of the business which need to be factored in.
Ongoing compliance monitoring
Following implementation, the regulator will expect the firm to monitor the effectiveness of the processes put in place to ensure compliance with the VREQ/OIREQ. It will also want to see that procedures are in place to enable it to be notified promptly in the event of a breach and that the relevant systems are improved, so that a similar error or breach does not recur.
A monitoring plan should be prepared with input from relevant stakeholders, and records should be kept of the extent and frequency of all monitoring activity to assist in demonstrating that it has been carried out. FCA outcomes (across different sectors) have indicated that penalties will be harsher for firms where breaches have not been self-identified but have, for example, been brought to the firm’s attention via a third party (or the regulator itself).
Recordkeeping
Related to the above, records of steps taken with regard to the design, implementation, testing and ongoing monitoring of the VREQ/OIREQ should be maintained on a centralized basis and responsibility for updating these should be clearly assigned. Organized documentation puts a firm on the front foot in dealing with any regulatory enquiries which may be made at relatively short notice.
Consider wider review
In the event of a breach of the requirements, firms may wish to consider whether the breach is indicative of a wider concern with systems and controls – or, perhaps, may indicate a similar issue in relation to another entity in the group. This may be the case, for example, in circumstances where a shared service model is in place.
Supervisory focus to prevent misconduct and manage risk
Given the current regulatory focus on use of supervision powers to prevent misconduct and manage risk, we are continuing to see VREQ invitations and OIREQs with an increasingly wide range of requirements being sought and imposed.
In light of recent enforcement action, firms should not underestimate how seriously the FCA will take a breach of requirements or restrictions imposed on regulated firms. So firms should consider carefully whether it is possible to comply, what alternatives are available, and what steps can be taken in order to implement and monitor compliance with any requirements. Once restrictions are in place and until it is possible to satisfy the regulator that they can be removed, a firm must be able to demonstrate to the regulator that it takes seriously its obligations to comply with the requirements/restrictions imposed.
We regularly advise on preparing financial institutions for responding to assertive supervisory action and intervention (including training), as well as supporting them in managing their relationship with the regulators throughout the process.
Katie Stephen is co-head of the Contentious Financial Services Group with over 25 years’ experience of advising financial institutions. She has acted on a wide range of contentious regulatory matters including investigations and enforcement proceedings involving the FCA, PRA, Ofgem, FRC, AIM, ICE, SRA, NCA and HMRC, as well as regulators in other jurisdictions. Rebecca Dulieu is a financial services lawyer and advises clients on contentious matters, including regulatory intervention and enforcement proceedings in relation to both the retail and wholesale markets.