It is widely recognised that poor culture has been a major root cause of past conduct failures. In light of this, the FCA is clear that it expects senior leaders to nurture a purposeful culture in the firms which they lead.
Part of establishing a healthy culture is embedding sound controls and good governance throughout an organisation, and recent developments have shown that effective governance is fundamental to a wide range of regulatory focus areas such as ESG, financial crime and crypto.
To assist firms in this area as we move into 2023, we have analysed some of the key FCA enforcement cases from the past year to draw out some learning points on governance, focusing on the following themes: roles and responsibilities; oversight; policies and procedures; and investment and resourcing.
Roles and responsibilities
Cases from the past year illustrate the importance of ensuring that all relevant roles and responsibilities have been assigned effectively and that this is properly documented. For example, one firm was criticised for failing to formally assign responsibility for analysing new consultation papers or regulations to assess their relevance to the firm and how any changes should be implemented. Going into the New Year, firms may wish to carry out an assessment for any responsibility gaps, including considering any new matters which may require allocation.
Oversight
There are also a number of takeaways relating to oversight from recent cases. For example, firms need to ensure that there are no gaps in the control framework, including by regularly checking that committee Terms of Reference cover all relevant matters. In addition, senior management has to have an adequate understanding of policies and procedures and adequate management information to be able to challenge sufficiently and hold others to account. To achieve this, firms should, amongst other things, implement regular training. Lastly, relevant bodies, such as the Audit Committee, need to meet sufficiently regularly, with minutes of key decisions and follow-up actions, and adequate escalation mechanisms.
Policies and procedures
In terms of policies and procedures, firms should have clearly documented policies that are accessible and comprehensible. Examples of regulatory failures from the cases in this regard include not effectively disseminating policies, inconsistencies between different policies and failing to properly update policies to reflect changes in a firm’s business.
Investment and resourcing
Finally, the recent cases act as a reminder that firms that have seen significant expansion, or which are planning for growth in 2023, need to make sure this is matched by investment in adequate resources, both in terms of the number of relevant people with the right skillsets and in terms of effective systems and controls commensurate with the firm’s business. Lack of such investment is a false economy, as it creates risks to the business of regulatory intervention and remediation.
We have seen a number of examples of poor resourcing highlighted in recent cases. These include a lack of SMF experience amongst the management team; an over-reliance on manual processes and dependencies on key individuals and/or processes which were not scalable; and inadequate systems not capturing all relevant information. The cases demonstrate that when planning for expansion, firms should conduct an assessment of the skills and level of resource required for growth, including in support functions such as Compliance, and have a clear plan to address any resourcing gaps.
There is a real opportunity now for firms to proactively review their governance arrangements so that they can improve their own systems and controls, and provide assurance to senior management. Such steps may prove timely given that we expect governance to remain a key regulatory priority in 2023, and for the FCA and PRA to continue to take enforcement action against firms and individuals in connection with governance failings.