In this article, a white-collar crime and regulatory investigations lawyer and ex-regulator who served as the Financial Conduct Authority's director of investigations in 2015-18 gauges the evolution of the FCA's drive to improve culture in financial services by making top managers more accountable for the misdeeds of their subordinates.

Ever since the global financial crisis began, governments, parliamentarians and regulators have been talking about the need to change the culture of the financial service industry. The credit crunch of 2008 was followed by a further crisis when widespread conduct-related problems emerged in the shape of Libor and Forex benchmark manipulation, which itself came hard on the heels of the payment protection insurance (PPI) mis-selling scandal. Commentators observed that trust and confidence in the sector was at a low ebb and that 'culture' was a root cause.
 
As far back as 2009, Lord Adair Turner, then chairman of Financial Services Authority, was already using the 'C-word' in the context of the industry he regulated. Regulators from then on made more and more pronouncements on the need to change and improve culture. Regulators, politicians and the press all noted that the industry offered conspicuous bonuses with little regard to performance, with consumers and taxpayers having to shoulder the consequences of wrongdoing.

In its approach to regulation the Financial Conduct Authority still broadcasts much rhetoric about cultural problems lying at the root of huge conduct-related failures. Last year, it published a notable discussion paper entitled Transforming Culture in Financial Services. This paper had an unusual and novel format, consisting of essays about culture from a wide variety of contributors including practitioners, regulators, consumer representatives and academics. This is a sign that the FCA is making a real attempt to talk to its 'stakeholders,' to use one of its favourite words. It also indicates that it is still trying to work out the best ways in which to prompt firms to change their cultures for the better.
 
The most telling observation, however, comes from Jonathan Davidson (FCA Director of Supervision). In his introduction to the essays, he comments that "the first [concept] is that regulation has to hold the individuals as well as the firm to account...from start-ups to large corporations, clear accountability for individuals is fundamental."

The SM&CR

Having absorbed the recommendations of the Parliamentary Commission on Banking Standards in 2013, HM Government introduced new legislation which led to the implementation of the Senior Managers and Certification Regime (SM&CR). This came into force for banks and some large investment firms in March 2016 and the Treasury announced in July 2018 that it was going to roll it out to all 47,000 FCA-regulated firms by the end of 2019. The new rules are far-reaching, requiring firms to allocate clear responsibility to senior managers for all aspects of their business. Senior managers will require individual approval from the regulators, with their responsibilities mapped out. Every senior manager has a statutory duty of responsibility; if a firm breaks an FCA rule, the senior manager responsible for that area could be held to account if he did not take reasonable steps to prevent it.

The SM&CR is consistent with the messages that the FCA has sought to drive home about wanting to change the culture of the financial sector by encouraging the people at the tops of firms to lead the process. Opening the FCA Annual Public Meeting in front of assembled stakeholders last September, CEO Andrew Bailey said the following.

"Ten years on from the crisis, there is no question that we saw behaviour in the past which was well below what we should expect. The regulatory regime did not create the correct incentives – emphasising individual culpability rather than the responsibility of senior people for the firm’s activities as a whole. A defence that the individual did not personally make a bad loan or mis-sell a product is not good enough. We are now implementing the new Senior Managers and Certification Regime across our landscape, extending it out from banks. This is a very important change."

We can trace the origins of the SM&CR back to the Parliamentary Commission on Banking Standards that Parliament appointed after the Libor scandal began to examine professional standards and conduct in the banking sector. The commission's report in 2013, Changing Banking for Good, concluded that many bankers, especially the senior ones, had been allowed to operate with very little personal accountability. When things went wrong, people claimed ignorance or hid behind collective decision-making and the regulator had little recourse to enforcement action against individuals. The commission made recommendations, among other things, to make people more accountable personally. It proposed that the regulators should set up a senior managers' regime and a set of conduct rules for all people employed at banks. It also made recommendations designed to cut through the "accountability firewall" so that regulators could impose tough penalties on individuals.

These FCA and its sister-regulator, the Prudential Regulation Authority or PRA, welcomed the recommendations. The Government used the Financial Service (Banking Reform) Act 2013 to enshrine the recommendations in law, giving the regulators new powers as it did so.

A key feature of the SM&CR is that firms must allocate responsibilities clearly, thereby ensuring that there is a senior manager accountable for every aspect of their regulated activities. Each application for approval as a senior manager at a relevant firm must contain a "statement of responsibilities." Every firm must have in place a "management responsibilities map" to describe its management and governance arrangements. By claiming that a manager has shirked his duty of responsibility, the FCA and the PRA can fine, ban or suspend him if he has not taken reasonable steps to avoid a contravention in his area of responsibility.

The SM&CR also, however, extends beyond senior managers to all staff employed at regulated firms in positions where they could pose a risk of significant harm to those firms or any of their customers. Such people do not require individual approval by the regulators, but they are subject to 'certification' requirements imposed on their employer-firms. Under the new regime, each firm must take reasonable care to ensure that no employee performs any of these functions without having been certified as fit and proper to do so, both at the point of recruitment and every year.

Finally, the SM&CR imposes new conduct rules on staff who work at the relevant firms. These say such things as "you must be open and co-operative with the FCA, the PRA and other regulators" and "you must pay due regard to the interests of customers and treat them fairly." They apply to all employees (except those in ancillary functions such as catering and security). Again, people who fail to live up to these standards can be fined or banished from financial services by the regulator.

The Bank of England and Financial Services Act 2016 extended the SM&CR to all sectors of the financial services industry. In July last year the FCA published the near-final rules that will eventually impose the SM&CR on all 47,000 FCA solo-regulated firms. The Treasury has announced that these rules will commence for all firms in December of this year.

These measures now complete the law necessary to impose the Government's current policy in terms of senior management accountability.

A new approach to enforcement

It is one thing for a regulator to have some laws and a set of powers to enforce them; it is another thing for it to use those powers effectively. Effective enforcement that changes behaviour requires a clear and coherent policy for enforcement and a commitment to devote proper resources to complex and lengthy investigations and litigation.

The FCA's Enforcement Division came under the leadership of Mark Steward, who arrived from the Hong Kong Securities and Futures Commission, in late 2015. The times favoured radical changes. The FCA and PRA had recently published a report by Andrew Green QC, who had been commissioned to review the FSA's enforcement activity regarding the failure of HBOS. Green carried out a scrupulous examination of the FSA's processes and decision-making in that case. His most poignant criticism was reserved for the decisions that the FSA's enforcers took when deciding which senior individuals to investigate and which not to. Green detected a fundamental flaw in the FSA's approach because it took such decisions on the basis of its ex-ante assessment of the prospects of successful action against those individuals. The FSA had been trying to obtain the "best bang for its buck," hoping to change firms' behaviour through a strategy of "credible deterrence." The problem was, by Green's reckoning, that this approach put the cart before the horse. He thought that a public authority endowed with the responsibility of serving the public interest by deploying enforcement powers should make its decisions about how and when to use them more dispassionately and on the basis of firmer evidence. The evidential assessment of the prospects of a case's success, he reasoned, can only be performed properly after a good investigation of the facts.

This critique chimed with Steward's own view that regulatory enforcement was a means of serving "substantive justice". The FCA overhauled its processes and it now conducts its investigations on the statutory test of whether there are "circumstances suggesting" that misconduct has occurred. In every case it also finds out whether the misconduct it suspects is serious enough to merit investigation. That assessment is based on the harm or potential harm that the misconduct may cause to consumers or the integrity of the markets. The FCA published its Approach to Enforcement consultative document in March 2018, in which it set out the tenets of this approach.

One obvious consequence of the FCA's approach is that the number of investigations it opens has swelled significantly over the last two years. Indeed, it opened nearly three times as many investigations in FY2017/2018 than in FY2015/2016. Its investigations are also concentrating more and more on the conduct of senior managers and other accountable people. It is finding it difficult to fund all these investigations, so it has been trying to improve efficiency through better case management and oversight.

The FCA does not expect all of these investigations to result in enforcement action. It reviews all cases regularly and tries to identify the cases it wants to continued with in an objective manner. It knows that it often alters the lives of the people it investigates for the worse, both emotionally and in terms of their careers, and says that it wants to use its powers proportionately and fairly.
 
There can be little doubt that the dial has shifted. The risk of being investigated and eventually being the subject of enforcement action is higher for people in the financial sector now than at any time in the past. It may be some time before we see the full consequences of the FCA's new policy in public, but a glance at some recent regulatory cases gives us some interesting indications of the way things are changing.

Case studies: Staley and Prodhan

Much attention was directed towards the FCA's and PRA's case against Jes Staley, Barclay's chief executive, in May 2018. The regulators fined Staley a total of £642,430 for his failure to act with due skill, care and diligence in his response to an anonymous "whistleblower letter" received by Barclays in June 2016. This was obviously not an SM&CR case, but if the new regime had been in place at the time he might have attracted a fine for his failure as a senior manager to exercise proper control over the business for which he was responsible as a senior manager. Instead, the regulators found that his personal conduct in attempting to identify an anonymous whistleblower was at fault. There was no wider corporate failure beyond his own misconduct. This case shows that the regulators were determined to hold people at the apex of the largest of firms to account. The days of "one rule for the big guys and one rule for the little guys" are over.

Another, less well publicised, case can be seen in a decision notice published by the FCA in December last year in which the regulator imposed a fine of £76,000 on Mohammed Prodhan, the former CEO of Sonali Bank (UK) Ltd. This case has not attracted the same limelight as Staley's, but it may be a better indication of the shape of things to come. The FCA decided that Mr Prodhan failed to take reasonable steps to assess and mitigate the anti-money laundering risks arising from a culture of non-compliance among the bank's staff. It had previously imposed a £3.25 million fine and a restriction on Sonali Bank in October 2016 and had fined the money-laundering reporting officer. It obviously took a further two years of investigation and litigation to get to this point and Mr Prodhan has referred his case to the Upper Tribunal (the successor to the Financial Services and Markets Tribunal, set up to prevent regulatory cases from being judged by real courts), so there may still be years left to run before all is over and, of course, the FCA may be overruled. Nevertheless, this shows that the FCA is determined to get its man.

When arguing that Mr Prodhan failed to live up to his responsibilities the FCA cites his failure to "put in place a conduct risk framework"; his failure to keep himself informed of the relevant risks; and his failure to "conduct proper management reporting."

Despite their differences, both these cases are evidence of the FCA's campaign to effect cultural change in every corner of the financial services industry, paying special attention to the accountability of senior people. In this coming year we shall see how effective this policy really is.

* Jamie Symington can be reached on +44 207 851 6149 or at jsymington@brownrudnick.com