By Hol Thomas-Wrightson, 18 December 2023
Regulatory enforcement action is an ever-present concern for any firm operating in a regulated industry. A wide range of businesses, big and small, make the headlines for receiving regulatory fines due to failing to meet compliance standards. As such, it is essential for regulated firms to treat these events as an opportunity to learn, and to ensure that they not only comply, but can demonstrate compliance to the levels and standards required.
In late 2023, Heather Wurster, Global Lead at ICA, led a discussion on lessons from recent regulatory enforcements and risk management failures with Rebecca Cummings, Principal leading the financial crime practice at Avyse Partners, and Kate Robinson, Principal leading the conduct and governance practice at Avyse Partners.
What can we learn from fines?
Fines are the most obvious evidence of firms failing to comply with regulatory standards. While they may make the headlines when they’re particularly sizeable, once the shock and scandal has settled, they can offer a valuable learning opportunity for other firms in the regulated sector.
Cummings offers the example of the £6 million fine given by the Financial Conduct Authority (FCA) to ADM Investor Services.[1] It is incredibly rare for a final notice to be delivered without previous feedback from the regulator. For ADM, there were several areas of improvement raised, but these were not rectified in a timely enough manner to avoid enforcement action.
Another educational insight from this case was the importance of the money laundering reporting officer (MLRO) report, and how ADM’s failure to complete this to the expected standard had very real consequences. The MLRO report outlines to senior management what systems and controls are in place against financial crime risks, where there are gaps, actions needed for the year ahead, and where the areas of focus and prioritisation should be.
ADM appears to have treated the MLRO report as more of a tick-box exercise, which could be carried over largely unchanged from one year to the next, rather than reflecting the live, relevant changes in the environment. Cummings connects this to the importance of understanding the value of, and the ‘why’ behind, an organisation ensuring effective governance.
Robinson adds that the largest fine given by the Prudential Regulation Authority (PRA) to date, which was applied to Credit Suisse and totalled £87 million,[2] offers a lot of lessons for firms of all sizes, scope and scale.
Are regulatory fines seen as just a ‘cost of business’?
While large businesses put provisions in place against the risk of regulatory action, this should not be seen as an indication that they are welcomed. As Robinson notes from her experience, the majority of firms set out with the right intentions. ‘Fundamentally, everybody wants the same thing… to find out what went wrong, why it went wrong and how to fix it.’
Mitigation of regulatory risk cannot be ignored or evaded, and regulators have made that message clear to any firm that thinks it may be cheaper to just ignore regulation. Wurster looks at the case of ING, which not only faced fines for its regulatory failings, but was also charged with a disgorgement cost representing the money that was ‘saved’ by not implementing the appropriate compliance measures.
It is also important to note that while fines may be the most outwardly visible form of regulatory enforcement, they are not the only tool in a regulator’s arsenal. The FCA, for example, often attempts to influence behaviour with actions that are harder for firms to navigate than ‘just’ paying a fine, such as imposing business restrictions – e.g., restricting the onboarding of new clients, new types of business with specific, potentially high-risk clients, and the undertaking of certain types of transactions.
The impact of reputational harm should also not be underestimated. The damage of negative press coverage following regulatory enforcement can affect things like winning government contracts, customers choosing to take their business to competitors, or losing talent.
How should a firm react to regulators issuing a warning?
Robinson advises that good management of governance and culture is intrinsic to reducing a firm’s regulatory risk, and that these can be strengthened by looking at the following five key areas.
- Roles and responsibilities – Ensure that there are clear expectations on who owns a particular risk and clear reporting lines.
- Ownership – As part of this, make sure that ownership is sitting in the right place and with the right individuals, especially when working across local and regional levels.
- Clear communication of risk appetites – A lot of regulatory issues come from a lack of understanding over the firm’s risk appetite. To overcome this, implement a risk appetite statement, including clearly outlined thresholds, and ensure it is properly communicated and used. This includes documenting the rationale for going outside that risk appetite, and what controls were put in place for balance.
- Look at your committee framework – Some questions to consider here: Are the right people around the table? Do they cover all the necessary skills and experience? Is your committee delivering a response to actions, and focusing on them, or are they just discussing them around a table?
- Recognise the firm’s ability to manage risk – Know your firm’s ability to handle, identify and manage risk, and if there are gaps in those abilities, be ready to acknowledge those areas that need further training or support.
Tips for how to manage global jurisdictions
To help understand the different requirements of the range of jurisdictions your firm operates in, Cummings recommends compiling a list of all the regulatory requirements, identifying where they overlap or are similar, and where they differ. Once this is done, a firm can carry out a risk assessment, which can allow it to distinguish potential areas of high risk, such as high revenue streams. From there, a framework can be built to manage these risks, and assess whether a jurisdiction’s requirements are nuanced enough to have local-level measures, rather than a globalised view of risk management.
Robinson adds to this by looking at the risk of spreading different aspects of one service across multiple jurisdictions.
It is also important to remember that regulators issue a range of materials to try to help firms maintain the standards expected, and that their warnings and nudges are issued to direct firms’ focus to areas for improvement. Publicly visible enforcement such as fines should be seen as a guide to what to do, and what not to do, to avoid facing the same consequences.