
Scenario: “Compliance raised no red flags…”

Scenario

You have just joined Alpha Investment Management Ltd as a Senior Manager.

You have been told that the area of the business for which you have responsibility has undergone a number of reviews by the Compliance department and the internal audit function over the last few years.  The reviews raised no ‘red flags’.  You are aware that the Compliance department in particular is small and relies heavily on ad-hoc support from a third-party firm of compliance consultants.  However, the Head of Compliance is someone you used to work with at a different firm – you know that he’s a ‘great guy who really knows his stuff’.

From HR records, you can see that, historically, there has been a high degree of employee absence in this particular business function, as well as a relatively high degree of staff turnover.  Customer complaints have risen over the last 12 months and a number of vacancies in key areas of this business function (both on the operational side and on the sales side) remain open.

When you joined the firm, the Chief Executive Officer made clear that your priority was to drive revenue growth.  You decide to focus your initial efforts on filling the vacancies on the sales side.  You promise yourself that you will get ‘under the bonnet’ and ensure that the operational and risk control side of the function are operating as they should be ‘as soon as you can’.  In reaching this decision, you take comfort from the fact that both the Compliance department and the internal audit function have ‘signed off’ on the business function.

Questions to consider

  • Individual Conduct Rule 2: “You must act with due skill, care and diligence”.
  • Senior Manager Conduct Rule 1: “You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively”.

Points for discussion

The conduct in question does relate to the regulated or unregulated “financial activities” of the firm.  As such, the conduct should be considered as being in-scope for the purposes of the Conduct Rules.

Bear in mind that, under COCON 3.1.3G, a person will only be in breach of a Conduct Rule where they are personally culpable.  In other words, the person’s conduct must have been:

  1. Deliberate, or
  2. Below the standard of conduct that would be reasonable in all of the circumstances.

 

Pursuant to COCON 3.1.2G, in assessing whether a breach of the Conduct Rules has occurred, the FCA will have regard to the context in which a course of conduct was undertaken, including:

  1. The precise circumstances of the individual case,
  2. The characteristics of the particular function performed by the individual in question, and
  3. The behaviour expected of that function.

 

The FCA will also take into account whether the conduct in question (a) relates to activities that are subject to other provisions of the FCA Handbook, or (b) is consistent with the requirements and standards of the regulatory system (as far as it applies to the firm).

Pursuant to COCON 3.1.5G and 3.1.6G, in determining whether a breach of the Senior Manager Conduct Rules has occurred, the FCA will take into account:

  1. Whether the Senior Manager exercised reasonable care when considering the information available to them,
  2. Whether the Senior Manager reached a reasonable conclusion upon which to act,
  3. The nature, scale and complexity of the firm’s business (the smaller and less complex the business, the less detailed and extensive the systems of control in place need to be – and vice versa),
  4. The role and responsibility of the Senior Manager as determined by reference to his/her Statement of Responsibilities, and
  5. The knowledge which the Senior Manager had, or should have had, of regulatory concerns (if any) relating to their role and responsibilities.

Individual Conduct Rule 2 requires all individuals who are subject to the Conduct Rules to “act with due skill, care and diligence”.

The FCA provides specific guidance as to how this rule should be interpreted in the context of a manager (note that this person does not have to be a Senior Manager).  The FCA stresses that it is important for a manager to understand the business for which they are responsible.  The FCA accepts that a manager is unlikely to be an expert in all aspects of a complex financial services business.  Nonetheless, a manager is expected to understand and inform themselves about their business sufficiently to understand the risks of its trading, credit or other business activities.

A breach of Individual Conduct Rule 2 will occur where there is a failure on the part of a manager to take reasonable steps:

  1. to ensure that the business for which the manager has responsibility is controlled effectively,
  2. to ensure that the business for which the manager is responsible complies with regulatory requirements,
  3. to ensure that effective oversight of delegated responsibilities is implemented, or
  4. to adequately inform themselves about the business for which they are responsible.

 

In this sense, as far as it relates to managers, there is significant overlap between Individual Conduct Rule 2 and Senior Manager Conduct Rule 1.  The latter rule requires Senior Managers to ‘take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively’.  In order to discharge this obligation, Senior Managers should take reasonable steps to ensure that the business for which they are responsible has operating procedures and systems with well-defined steps for complying with the detail of regulatory requirements.  They should also take reasonable steps to ensure that actual or suspected breaches of regulation are dealt with in a “timely and appropriate manner”.

The FCA provides a number of relevant examples of the types of conduct that could constitute a breach of Senior Manager Conduct Rule 1.  These include:

  1. Failing to take reasonable steps to implement adequate and appropriate systems of control to ensure compliance with regulatory requirements,
  2. Failing to take reasonable steps to monitor compliance with regulatory requirements,
  3. Failing to take reasonable steps to inform themselves as to the reasons why actual or suspected breaches of regulatory requirements may have arisen,
  4. Failing to take reasonable care to oversee the establishment and maintenance of appropriate systems and controls, and
  5. Failing to take reasonable steps to ensure that procedures and systems of control are kept under review.

 

The high-level takeaway from this is that all Senior Managers are responsible for taking reasonable steps to ensure that they understand the business area(s) for which they are responsible and to ensure that any risks are properly controlled.  Whilst compliance reviews and internal audits are helpful, it is not sufficient merely to accept the results of a compliance or internal audit review without any kind of further investigation.  This will not be sufficient to discharge the legal obligations to which you are subject.

It may be that there are no real problems in the business area for which you have responsibility.  However, the point is that you have not stopped to investigate whether or not this is the case, despite possible warning signals.  Remember that the essence of Senior Manager Conduct Rule 2 is that it requires Senior Managers to take reasonable steps to implement controls.  However, the first step in this process is to take some time and actually determine what controls are required versus what controls currently exist.  Unfortunately, in simply accepting the findings of the compliance and internal audit functions, you have not even taken this first step.

The Senior Manager who has responsibility for the compliance function should share some responsibility in this scenario.

Senior Manager Conduct Rule 2 requires Senior Managers to ‘take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system’.  Examples of the types of conduct that would constitute a breach of Senior Manager Conduct Rule 2 include a failure to ensure that the compliance department has sufficient authority, resources, expertise and access to information in order to effectively discharge its duties.  On the facts of this scenario, this might not be the case – with the result that Senior Manager Conduct Rule 2 may have been breached.
