The competence and capability expected of holders of the compliance function has been brought into sharp focus by two final notices issued by the Financial Conduct Authority (FCA) this summer. One holder of the compliance function (the CF10), was fined £75,000 for failing to exercise due skill, care and diligence in performing his compliance oversight role. The other, a would-be compliance officer, had his application for CF10 and the money laundering reporting function (CF11) refused on the grounds of ‘competence and capability’.
Senior managers regime
Both cases highlight the value of the ‘Statement of Responsibilities’, a concise and clear record of the responsibilities associated with the role that is provided to the FCA and updated when there are major changes. It is a cornerstone of the Senior Managers Regime, which currently applies only to the banking sector but that will be rolled out to all firms with a Part4a permission under the Financial Services and Markets Act 2000 (FSMA) from 2018.
A statement of responsibilities should serve to clarify who takes personal responsibility and accountability for key areas in the business. It’ll be the specification against which the FCA will assess competence and capability of appointees to senior manager roles and will be the guide for others in the firm when identifying to whom issues should be directed.
In the cases mentioned above, the former, Mr Watters, was found to have failed to have taken reasonable steps to adequately inform himself about his obligations in performing the CF10 controlled function and about the specific nature and risks of his business, the Enhanced Transfer Value (ETV) advice business. In addition, he failed to take reasonable steps to ensure that the ETV advice process was compliant and capable of providing compliant advice.
The latter, Mr Nathan, failed to demonstrate a ‘detailed knowledge and understanding of the implications of the Firm’s operating model (a contract for difference (CFD) trading firm), the money laundering and financial crime risks faced by the firm, and the processes that need to be put in place at the firm satisfactorily to address those risks’. He failed to ‘convey an adequate understanding of the difficulties in assessing the appropriateness of transactions for customers inherent in the firm’s business model, including a sufficient understanding of the risks arising from the firm’s ICAAP’. He was only able to provide a very loose description of the business model – describing it as ‘very, very simple’ – and was only able to make ‘high level reference to key elements of the AML and compliance function’ while providing very little specificity or ‘granular detail’.
In regards to financial crime, rather than mentioning any one of the risks arising out of the particular jurisdiction from which most of the firm’s clients were based, for example, the product type provided or the fact that business was primarily conducted in a non-face-to-face manner (via the internet), Mr Nathan simply noted ‘generalised financial crime risks’.
Importance of assessing the risks
The final notice includes a summary of the key representations made by Mr Nathan, one of which was that he had been hampered by a lack of information since ‘having not taken up the refused Controlled Functions within the Firm while employed there, he did not have the degree of information about the Firm that he would have had on doing so’. The FCA’s response is that they have taken this into account in their judgement, which sets down a clear marker that in seeking to take up such a position, an applicant must undertake their own due diligence on their prospective employer to understand the business and the risks involved.
Clearly this is a two-way straight. Firms must make their own assessment of competence and capability and not rely on a previous FCA approval as an indicator that approval will be forthcoming next time. Equally, appointees must be savvy to look under the bonnet and ask the tough questions. Firms seeking to attract the best talent must balance ‘selling’ the role to their new prospective senior manager with providing enough information to allow them to know what they are getting into. A firm’s risk register will be a great place to start. As outlined before, not every firm has to compile an ICAAP (Internal Capital Adequacy Assessment Process), but the process is a useful way to meet the obligation to ‘identify, manager, monitor and report any risks to which it [the firm] might be exposed.’ (regulation 6(5)(b) of both the Payment Services Regulations 2009 and the Electronic Money Regulations 2011).
Risk assessments, obviously, have been part of the anti-money laundering (AML) landscape for some time now, but they’ve very much been brought to the fore by the fourth money laundering directive (4MLD)with its requirement for documented risk assessments. E-money and payment institutions preparing their re-authorisation applications ahead of the gateway opening on 13 October will be updating their business-wide risk assessments now, paying particular focus on information security, AML and fraud risks.
Personal responsibility
The Senior Managers Regime is intended to ‘encourage a culture of staff at all levels taking personal responsibility for their actions’ and to ‘make sure firms and staff clearly understand and can demonstrate where responsibility lies’. While the regime will not apply to payment and e-money institutions that are not otherwise authorised under FSMA (because the maximum harmonising nature of the payment services and e-money directives prohibits the UK from applying standards higher than those in the directive) the principles are applicable and a clear indication of the FCA’s expectation.
If you would like to discuss how your firm can better understand and manage your risk or any other compliance matter, contact me or one of my colleagues.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.