The twelve days of compliance
Philip Naughton, ACA Compliance, Partner, London, 10 December 2019
On the first day of Christmas, the industry gave to me...twelve recurring compliance problems. Unfortunately, when it comes to compliance this yuletide, British financial service firms are still committing the same errors over and over again.
Our recent compliance reviews of financial service firms spotted, on average, 24 different regulatory failings or weaknesses – one for every day on the advent calendar! Of these, I have rounded up 12 of the most frequently observed transgressions of which firms have been guilty this year. By looking for these problems and tackling them, compliance teams can put their efforts on a sounder footing and be readier than many others for a call from the Financial Conduct Authority in 2020!
1. Governance. Firms need formal meetings between board members and senior managers and they ought to take minutes of them. Regulators do not view decisions and activities that are not recounted in documents as evidence. The arrival of the Senior Managers and Certification Regime, which the FCA extended to about 47,000 new firms yesterday, makes good governance more essential than ever, both from a corporate and personal perspective.
2. Compliance arrangements. It is absolutely vital to keep one's basic compliance infrastructure, such as the compliance manual, policies, and procedures, up-to-date. A SYSC 4 rule requires senior managers to receive certain reports at least annually regarding compliance arrangements in key areas.
3. General compliance. The devil is often in the detail when it comes to getting things right for the regulators, so please avoid the mistakes of many firms and do the following.
- Be accurate: use the correct form of words for the Statutory Status Disclosure.
- Check the firm’s standing data details within 30 days of its accounting reference date, as required by SUP 16.10. The FCA knows that it has inaccurate data for many firms. Keep an eye out for changes coming into play after 30 Jan 2020.
- Validate the quality of recordkeeping with a compliance review.
- Examine the firm’s Part 4A Permission profile. If the firm does not need or use a permission, or intend to use it within the next 12 months, remove it.
4. Personnel. Firms often neglect important regulatory requirements in the field of human resources. These include:
- failing to conduct and write down a formal review of an individual before registering him as an 'approved person' with the FCA;
- using attestations only sporadically, either when a person joins a firm or afterwards; and
- getting the 12-week rule wrong. SUP 10A.5.6 allows the appointment of an individual to a Significant Influence Function for 12 weeks only in temporary or reasonably unforeseen circumstances.
5. Training. Compliance training must not be a 'tick box' exercise – it needs to be the capstone of the culture of the firm as a whole. Training should be designed appropriately for the firm’s operations and risks. The firm must keep records and do it well.
6. Financial crime arrangements. Financial crime risk management and controls should be continuous. Risk assessments ought to be conducted regularly and evaluated annually by the Money Laundering Reporting Officer (MLRO). Lastly, the REP-CRIM report (where relevant) has to be completed accurately or the FCA will be cross.
7. Reporting data to the FCA. There are three drawbacks that pop up over and over again in firms’ regulatory reporting.
- Incorrect Gabriel schedules. Firms often set these up the wrong way or amend them incorrectly, so they should review them regularly.
- The miscalculation of fixed-overhead requirements. There are two different methods of calculation in the FCA’s rulebook. Use the correct one!
- Wrong "controllers and close links" reports. It is all too easy not to provide the right information. Also, senior managers must understand the effect of decisions on group structure.
8. Financial planning. Firms often neglect this. The FCA expects them to:
- do some financial forecasting and have three-year 'outlooks' that display it;
- evaluate the effect of capital and liquidity – not just capital – and non-financial resources when assessing risks; and
- draw up their own wind-down plans, i.e. proportionate plans for winding down their businesses in ways that cause no harm.
9. ICAAP. The Internal Capital Adequacy Assessment Process should never be a box-ticking exercise. Good practice is as follows.
- A culture created by the board – the board must rule the ICAAP process and delegate it downwards, with clear lines of reporting and escalation.
- A "risk management framework embedded in ‘business as usual’" – this phrase describes a risk management strategy set by the board, with its own risk appetite and detailed assessments of risks, policies and procedures.
- The assessment of Pillar 2A capital – the firm should assess and quantify Pillar 2 capital requirements thoroughly, considering risks not fully catered for in Pillar 1.
- Relevant stress and scenario tests – scenarios should be linked to the risks that the firm thinks are 'material' to it.
10. Regulatory change. The European Union’s Investment Firms Regulation Directive is coming! Some firm types can expect significant increases in regulatory capital amounts. Firms should examine the impact of this regulatory change now and make preparations to increase capital, if needed.
11. Market abuse. In Market Watch 58, the FCA made it obvious that transaction monitoring continues to be a terrible trial for firms. Many a firm, moreover, still struggles to complete its annual market-abuse risk assessment and keep an eye on staff communications and personal account dealing – something that the FCA specifically denounced in its Market Watch 62, in which it expresses significant concerns about authorised firms’ systems and controls when it comes to Personal Account Dealing or PAD. The FCA has repeatedly mentioned the practices that it expects to see, and said market abuse remains an obsession.
12. Transaction reporting. Firms are not meeting the required standard on a variety of fronts, from incomplete or incorrect data being submitted to their Approved Reporting Mechanisms to failures to reconcile the data, process rejections and monitor resubmissions. The regulators are warning them about failure in this area.
So, in this festive season you may want to add a compliance review to your Christmas agenda to help you stay off the regulator’s naughty list.
Merry Christmas!