
Scenario: Lack of controls over outsourcing

Scenario

You are the incoming Chief Operating Officer of Trusty Asset Management Ltd.  Trusty Asset Management Ltd is a Core Firm and you are the SMF3.  You have been allocated responsibility for the firm’s outsourcing arrangements.

As part of an efficiency drive a couple of years ago, before your arrival, the firm outsourced its middle office and custodial functions to a third party (“Best Administrators Ltd”).

A service level agreement was put in place at the time at which the outsourcing contract was signed, but KPIs have never really been clear.  In practice, service levels have been deteriorating.  An internal audit has highlighted a number of problems that could constitute a breach of regulation.

Questions to consider

  • Senior Manager Conduct Rule 1: “You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively”.
  • Senior Manager Conduct Rule 2: “You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system”.

Points for discussion

In order to be considered in-scope for the purposes of the Conduct Rules, the conduct in question must relate to the regulated or unregulated “financial activities” of the firm.

Under COCON 3.1.3G, a person will only be in breach of a Conduct Rule where they are personally culpable.  In other words, the person’s conduct must have been:

  1. Deliberate, or
  2. Below the standard of conduct that would be reasonable in all of the circumstances.

 

Pursuant to COCON 3.1.2G, in assessing whether a breach of the Conduct Rules has occurred, the FCA will have regard to the context in which a course of conduct was undertaken, including:

  1. The precise circumstances of the individual case,
  2. The characteristics of the particular function performed by the individual in question, and
  3. The behaviour expected of that function.

 

The FCA will also take into account whether the conduct in question (a) relates to activities that are subject to other provisions of the FCA Handbook, or (b) is consistent with the requirements and standards of the regulatory system (as far as it applies to the firm).

Pursuant to COCON 3.1.5G and 3.1.6G, in determining whether a breach of the Senior Manager Conduct Rules has occurred, the FCA will take into account:

  1. Whether the Senior Manager exercised reasonable care when considering the information available to them,
  2. Whether the Senior Manager reached a reasonable conclusion upon which to act,
  3. The nature, scale and complexity of the firm’s business (the smaller and less complex the business, the less detailed and extensive the systems of control in place need to be – and vice versa),
  4. The role and responsibility of the Senior Manager as determined by reference to his/her Statement of Responsibilities, and
  5. The knowledge which the Senior Manager had, or should have had, of regulatory concerns (if any) relating to their role and responsibilities.

 

In terms of the territorial application of the Conduct Rules, in general the Conduct Rules only apply to ‘UK activity’.  More specifically, the Conduct Rules apply to:

  1. Conduct performed from an establishment maintained in the UK by a firm which is subject to the SM&CR, or
  2. Conduct which involves dealing with a UK-based client of a UK firm which is subject to the SM&CR from an establishment overseas.

 

However, the Conduct Rules apply to the conduct of the following individuals wherever it is performed:

  1. A Senior Manager, or
  2. An employee of an SM&CR firm who performs the function of a Senior Manager, or
  3. A non-executive director, or
  4. A Certification Employee who performs Certification Function (6) (“Material Risk Taker”).

 

Ultimately, the firm will have to notify the FCA of any breach of the Conduct Rules.  Normally, breaches of the Conduct Rules by non-Senior Managers must be notified to the FCA annually in October using Form H (also known as “REP008 – Notification of Disciplinary Action”).  However, the following types of breaches must be reported to the FCA “immediately”:

  1. Any “significant” breach of a Conduct Rule (SUP 15.1.7G(1) and SUP 15.3.11R(1)(a)), or
  2. Any matter that could have a significant adverse effect on the firm’s reputation (SUP 15.3.1R(3)), or
  3. The occurrence of any fraud with respect to any member of staff (SUP 15.2.17R).

 

The FCA must be notified of any breach of the Conduct Rules by a Senior Manager within 7 days, pursuant to SUP 10C Annex 2G.

Senior Manager Conduct Rule 1 requires Senior Managers to ‘take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively’.  Much of the FCA guidance found in COCON 4 with respect to Senior Manager Conduct Rule 1 focuses on ‘control and suitability’ of individuals – emphasising the need for clear job descriptions and reporting lines as well as competency assessments.  However, it seems sensible to assume that the FCA is less concerned about WHO is exercising ‘control’ and more concerned about whether or not ‘control’ is being EXERCISED and whether it is EFFECTIVE.  To that end, Senior Manager Conduct Rule 1 would seem to be relevant in this scenario.

Senior Manager Conduct Rule 2 requires Senior Managers to ‘take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system’.  The FCA guidance accompanying this rule requires Senior Managers to (among other things) take reasonable steps to:

  1. Ensure that the business for which they are responsible has operating procedures and systems designed to promote regulatory compliance and to ensure that the business is run prudently,
  2. Monitor compliance with regulatory requirements,
  3. Ensure that operating procedures and systems are periodically reviewed (particularly after regulatory breaches come to light), and
  4. Deal with actual or potential breaches of regulation “in a timely and appropriate manner” and inform themselves of the root causes of regulatory breaches.

 

A firm cannot outsource its regulatory responsibilities.  As such, Trusty Asset Management Ltd is ultimately responsible for ensuring that the outsourcing arrangement with Best Administrators Ltd is governed and controlled effectively.  As the Senior Manager with responsibility for outsourcing arrangements it falls to you to implement the necessary controls.  Specifically, you must implement the controls necessary to ensure that the service provided by Best Administrators Ltd is appropriate, of a suitably high quality and controlled effectively.

The lack of KPIs and MI generally means that Trusty Asset Management Ltd should revisit the SLA in order to ensure that all proper KPIs are agreed and robust monitoring arrangements are implemented.  In addition, Trusty Asset Management Ltd needs to get ‘its own house in order’ in the sense that it needs to implement and embed the systems and controls necessary to properly monitor compliance and to deal promptly with any issues that may arise in the future.

In light of the deteriorating service levels and the suspected breaches of regulation, Trusty Asset Management Ltd needs to approach Best Administrators Ltd and discuss the situation as a matter of urgency.  It is important to get to the root cause of the suspected breaches.  Are they primarily due to failings on the Trusty Asset Management Ltd ‘side of the fence’?  Are they primarily due to failings on the Best Administrators Ltd ‘side of the fence’?  Is the reality that problems lie on ‘both sides of the fence’?  The answers to these questions will drive what actions you should take next.  However, you should be prepared for the possibility that any remedial actions may involve you reviewing how, and the extent to which, the SM&CR is implemented within Best Administrators Ltd.  If Best Administrators Ltd is not prepared to renegotiate the arrangement or engage in a genuine remedial process, Trusty Asset Management Ltd may have to consider terminating its contract with Best Administrators Ltd.

Whilst there is little that can be done about the situation now, in an effort to ensure compliance with Senior Manager Conduct Rule 1, at the very least, steps should have been taken by your predecessor to ensure an “orderly transition” to you.  To this end, a comprehensive set of handover notes should have been drafted.  It seems clear that this has not happened.  Now that responsibility for outsourcing has passed to you, you should ensure that this failure is not repeated.  The Chief Executive Officer of Trusty Asset Management Ltd may now be liable for this failure given that he/she has ultimate oversight and responsibility for all other Senior Managers.

In passing, it seems unlikely that Senior Manager Conduct Rule 3 has been breached.  Senior Manager Conduct Rule 3 requires Senior Managers to ‘take reasonable steps to ensure that any delegation of responsibilities is to an appropriate individual and that the discharge of the delegated responsibility is effectively overseen’.  Despite the fact that Senior Manager Conduct Rule 3 refers to ‘delegation’, the underlying assumption clearly seems to be that the delegation taking place is to an INDIVIDUAL (irrespective of whether that individual is an internal member of staff or an external contractor).  Trusty Asset Management Ltd has not entered into the outsourcing arrangement with an individual.  Rather, it has entered into the outsourcing arrangement with a corporate entity, Best Administrators Ltd.
