
Publication
Asia M&A trends: Future outlook
Whilst global M&A rose in deal value terms in 2024, both deal values and volumes fell in most parts of Asia.
United Kingdom | Publication | 3月 2025
FCA and PRA enforcement action covers a range of misconduct with recent outcomes including both retail and wholesale cases and findings in respect of matters as various as customer treatment, market abuse and risk management.
The details of the breaches and the activity which gave rise to the issues may vary but a consistent theme running through many of these cases is governance which is often both at the root of what went wrong and the key to putting things right.
The FCA’s message to firms and senior management is that reviewing its publications including Final Notices is key to identifying and meeting regulatory expectations and yet learning lessons from enforcement cases is not straightforward because the governance aspects are sometimes to be found in the detail of the findings beyond the headline misconduct.
Based on our analysis and tracking of recent FCA and PRA enforcement cases, we set out below some self-assessment questions in ten key areas that firms may wish to consider with a view to managing the risks of poor governance giving rise to regulatory failings.
Have you recently reviewed your responsibility maps and statements of responsibility and in light of any changes such as new products or business lines or new risk frameworks. If you were asked to provide these documents to the FCA, would they demonstrate clear and consistent allocation of responsibilities.
Where regulatory attestations or other formal confirmations or processes have been mandated, has responsibility been allocated appropriately so that ownership is clear and is a robust governance process in place to support any individual providing them? For example, is there a clear written description of steps to be taken and documented as part of the assurance process?
When was the last time you carried out an audit of management information to consider whether it facilitates effective oversight through, for example:
Do your meeting minutes adequately evidence:
Is resourcing being managed appropriately? To what extent is there a clear plan to address any under-resourcing which has been escalated or temporary stretch, created for example by unusual activity diverting attention from BAU or significant periods of annual leave? If a determination has been made that resourcing is adequate, what is the basis for this and has it been recorded?
Are there any capability gaps at the governance level or in key functions arising for example from recent departures or new developments impacting the business and, if so, is there a plan to bridge these?
If any vacancies have remained unfilled for a significant period, what steps are being taken to address associated risks such as tasks being carried out by those without the requisite skills and experience or not at all.
Is sufficient time being allowed for new joiners including members of the management team to embed and gain adequate understanding of the activities, risks and resources in their accountability areas.
How do you address loss of institutional knowledge due to key stakeholders leaving over time (through for example documented handovers and effective central record-keeping)?
Are policies and processes:
Are key risks being mitigated such as where:
Have any new systems been adequately tested both before, and sufficiently promptly after, implementation and in accordance with a formal methodology to ensure they are functioning as expected and as required and so that any recalibration can take place expeditiously.
Is testing carried out consistently across all relevant systems to identify any process gaps for particular activities?
Have any system changes or thresholds been reviewed to ensure they are still appropriate (for example where any pandemic-related adjustments were made and are still in place)?
Are any alerts that are generated subjected to consistent review and follow up action where appropriate?
Has testing and calibration carried out been recorded appropriately?
Does the compliance monitoring programme and internal audit process adequately check adherence to relevant policies and procedures and effectiveness of training?
Does monitoring take a sufficiently holistic view (for example through regular end-to-end outcome testing of customer journeys)?
Have opportunities to investigate, through for example third parties raising red flags or potential issues being identified internally, been grasped and actioned without undue delay? Is there an effective escalation process and an internal investigation policy for dealing with such matters?
Where internal reviews have been carried out, have they been scoped appropriately; are they sufficiently outcomes focussed and have they given effective consideration to whether there are any root causes indicative of wider problems?
Do internal projects have an appropriate governance framework which may include allocating adequate resource with sufficiently diverse skill sets; utilisation of project management expertise; clearly defined terms of reference covering matters such as the objective of the project, senior management ownership and decision making arrangements and escalation criteria; and minutes of meetings with clear action trackers.
Has legal advice been sought appropriately particularly with regards to any material interpretations of regulatory requirements?
Has all relevant information been provided to legal advisers and have the right questions been asked?
Have you acted in accordance with legal advice or is there a clear rationale for any departure from the advice?
Have appropriate records been kept and maintained (see below)?
What steps are being taken to mitigate the potentially increasing risks of individual failures being attributed to the firm and giving rise to a regulatory breach or a criminal offence?
How would you evidence that the training provided equips your staff with the necessary skills?
Is there sufficient focus on training in any strategic plans with a view to this being completed prior to any roll outs?
Is there a documented plan to address any additional training needs that have been identified with a clear timeframe and owner and with escalation where appropriate to governance forums or to 2LOD.
To what extent does your record-keeping assist in evidencing compliance with regulatory requirements? If, for example, you were in receipt of an FCA information request or skilled person review, how quickly and confidently would you be able to provide information and documents requested (with particular focus on areas most likely to be in the regulatory spotlight).
Do you have clear records of legal advice sought and obtained and have appropriate steps been taken to maintain any legal privilege?
We continuously track and monitor regulatory enforcement action and advise firms, their boards and senior managers on all aspects of governance with a view to meeting the expectations of regulators such as the FCA and PRA so please get in touch if a conversation would be helpful or if you have any particular queries.
Publication
Whilst global M&A rose in deal value terms in 2024, both deal values and volumes fell in most parts of Asia.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2025