28 May 2020
A number of weeks into the Covid-19 pandemic, the FCA has, as you would expect, produced guidance and information for firms, including warnings in this week’s Market Watch 63 about FCA expectations around market conduct. So have the FCA’s enforcement priorities changed? In short, no. But they have adjusted.
The FCA’s Covid-19 webpage updates the industry on its expectations of firms in response to the pandemic and its aftermath. However, firms should still consider the FCA Business Plan 2020/21 published last month, which, as always, sets out the FCA’s areas of focus and priorities for the next one to three years. These have been largely reshaped due to the pandemic, but the FCA emphasised that it will continue to pursue these areas of focus. In this blog we look at each enforcement priority, looping in various further announcements made by the FCA in May.
Tackling market abuse
The FCA Sector Views document noted back in February that the FCA continues to see instances of firms lacking controls, oversight and understanding of market abuse requirements, including poor control of inside information and ineffective market surveillance systems.
Now, during the pandemic, the FCA is showing particular interest in the increased risk of market abuse, as issuers need to take steps to raise additional equity or debt. Warnings given in Market Watch 63 published on 27 May follow comments to the press in May by Mark Steward (Executive Director of Enforcement and Market Oversight at the FCA) that he is expecting an uptick in market abuse cases in the coming months.
During the pandemic, the FCA is encouraging a particular focus on:
- ensuring inside information continues to be appropriately identified and handled by all persons involved in the information chain so that it is not misused for insider dealing or for commercial advantage;
- ensuring inside information is appropriately disclosed by issuers so that investors are not misled;
- maintaining robust market surveillance and STORs by relevant market participants, in the context of changes in market conditions and the current use of alternative working arrangements;
- meeting the transparency and short position covering requirements under the Short Selling Regulation for market participants to support the effective functioning of the market; and
- identifying and managing conflicts of interest by market participants that may arise around capital raising events.
The FCA warns: “We will continue to use our range of powers to monitor, make enquiries, investigate, and if necessary take enforcement action to protect the integrity and orderly functioning of the market”.
Preventing financial crime
As seen in the last few years, and as discussed in previous blog posts, the prevention of financial crime remains a priority for the FCA. The most common subject area giving rise to a Skilled Person Report for the last three years has been financial crime, and an emphasis on financial crime was repeated in both Sector Views and the Business Plan. To reduce financial crime, in line with its commitments in the UK’s 2019 National Economic Crime Plan, the FCA intends to pursue enforcement action in cases of serious misconduct, particularly where there is a high risk of money laundering.
In an update to the Business Plan, on 6 May, the FCA published new guidance on financial crime systems and controls during Covid-19: “Criminals are already taking advantage of the…pandemic to carry out fraud and exploitation scams through a variety of methods, including cyber-enabled fraud. Those seeking to launder criminal proceeds or finance terrorism are likely to also exploit any weaknesses in firms’ systems”. The guidance includes practical steps for firms.
- Remain vigilant to the risk of fraud and exploitation scams: firms should continually analyse and amend their control environment to respond to the changing threats. This includes timely reporting of SARs for any new threats.
- Consider how best to re-prioritise AML and CTF activities: the FCA is clear that firms should not address any operational challenges simply by changing their risk appetite. However, firms may need to “re-prioritise or reasonably delay” some AML and counter terrorism financing activities (which could include ongoing customer due diligence reviews, or reviews of transaction monitoring alerts). This should be done on a risk basis and with a clear plan to return to the usual process “as soon as reasonably possible”. Note separate guidance published by the UK Government on 12 May (with, in contrast, no reference to the pandemic) requiring information sharing within corporate groups and a consistent application of AML/CTF controls.
- Continue client identity verification: the FCA “expects firms to continue to comply with their obligations on client identity verification” and that the list provided of various remote client identity verification methods “does not represent a relaxation of requirements”.
Where firms need to amend their financial crime controls in response to the pandemic, it would be wise – as stressed by the FCA itself – for any decisions to go through appropriate governance and be carefully documented.
Checking operational resilience
Operational resilience is an increasingly hot topic. Our blog “A steady hand on the tiller: how to build operational resilience” last December explained FCA and PRA expectations of firms around avoiding operational disruption, and, in February, the FCA repeated in its Sector Views document that operational resilience remained a focus, with the high risk of cyber-attacks as a particular concern. The pandemic has increased the FCA’s focus here, and we expect enforcement action in the future for related failures. The FCA Covid-19 webpage states that the FCA and Bank of England are “actively evaluating” the contingency plans of many firms. This includes:
- firms’ assessments of operational risks;
- the ability of firms to continue to operate effectively; and
- the steps firms are taking to serve and support their customers.
The example given is the closing of a call centre, requiring staff to work from other locations (including their homes). The FCA emphasises that the firm should establish appropriate systems and controls to ensure it maintains appropriate records, including call recordings if required.
The FCA has also updated its Covid-19 webpage to confirm its expectations concerning information security in light of increasing criminal activity during the pandemic, when reliance on online systems is critical to the way financial institutions are operating. Given that more organisations are allowing employees to work from home, firms should review their controls to ensure they are adequate in managing cyber threats and responding to “major incidents”. As part of a firm’s vigilance, the FCA expects each firm to put in place or review existing enhanced monitoring, governance and oversight arrangements, and systems security defences. Any “significant” incidents should be reported appropriately.
Emphasising the importance that firms should place on operational resilience, and possible enforcement action for failures, a speech by Nausicaa Delfas (Executive Director of International at the FCA) on 6 May noted that vulnerability to disruption has come under increasing regulatory focus, especially with respect to outsourcing of significant operations to other countries.
Assessing culture and governance
Continuing its interest in culture and governance, the FCA confirmed in its Business Plan that it will focus on the four “key culture drivers”: purpose, leadership, approach to rewarding and managing people, and governance. Mark Steward has said to the press that the FCA will operate fairly, reasonably and proportionately when policing the behaviour of senior financial services workers during the coronavirus crisis: “In the circumstances of the lockdown [that] means taking into account all of the unique, unusual, novel, one off and crazy things that no doubt are going on in every operation, because of the circumstances that we find ourselves in, that no one’s ever been in before”, he said. We expect that the FCA will ‘forgive’ relatively minor issues that crop up due to the current situation, but will also see this time as a real test of how well firms have embedded SMCR and their operational resilience/business continuity arrangements. There may be some ‘examples’ held to account where firms have got it very wrong.
New shifts: smaller firms focus and a post-Brexit framework
Beyond the main enforcement priorities discussed above, it is worth noting that the FCA states in the Business Plan that its focus this year will shift towards smaller firms. It will be looking at firms that “consistently fail” to meet the standards set by the FCA, and it aims to “move more swiftly” to enforcement against any such firms causing harm.
Separately, the FCA suggested that the current regulatory framework focuses too much on “rules and process”, with too many resources devoted to redress and remediation. In preparing a post-Brexit framework, the FCA suggested that it will increase the focus on principles and outcomes, and on regulatory action to prevent harm.
What is happening in practice?
Since the beginning of the pandemic, we have seen some slowing in the FCA’s work on investigations, which is to be expected. FCA staff have been working from home too and some investigative steps are more difficult to conduct remotely, particularly interviews. However, the FCA is not stopping its investigations. Indeed it is rapidly getting back to business as normal and will be particularly driven to enforce in any cases of wrongdoing or failures in the areas outlined above. The Business Plan is still a good guide for where we may see enforcement during and after the pandemic.
But things may yet change due to the current unprecedented circumstances. As the Business Plan states: “it may be months before we are in a more stable position and can focus fully on the activities in this plan. Even then, the shape and scale of the issues we need to address may have changed significantly as a result of the virus.”