Recent published decisions of the enforcement division of the UK Financial Conduct Authority (FCA) have provided for significant civil penalties against high profile financial institutions. This should give other regulated businesses pause for thought, including both those subject to the jurisdiction of the FCA and to those operating within regimes that take their cues from the FCA.
A couple of decisions from around the turn of the year are worth highlighting. In December, insurance broker JLT Specialty Limited ("JLT") was hauled over the coals and handed a bill of over £1.8 million for lapses in anti-bribery and corruption controls pertaining to overseas introducers of business. January saw Standard Bank PLC (SB) subjected to a civil penalty of over £7.6 million for failings in relation to anti-money laundering (AML) controls. Both these penalties had been reduced in light of early agreements to settle.
These developments are particularly apposite in the Isle of Man. AML controls remain high up the supervisory agenda, particularly because of the attention they attract from supra-national bodies. Anti-bribery controls are highly topical since the introduction in the Isle of Man of the Bribery Act 2013. This legislation closely follows the UK primary legislation of 2010 and provides, amongst other things, for a corporate offence of failing to prevent bribery, thus necessitating the introduction of adequate procedures and training regimes.
Add to the mix the fact that the Isle of Man Financial Supervision Commission (FSC) is all set to expand the civil penalty regime to cover any breaches of the Financial Services Act 2008 and subordinate legislation made thereunder, including the Financial Services Rule Book 2013 (FSRB), and it is clear that all regulated businesses need to keep their procedures – and the implementation of them – under continued and critical review. Civil penalties available to the FSC under the new regime could extend to 9% of turnover.
Whilst AML has long been associated with the supervisory responsibilities of financial services regulators, many observers might not instinctively regard anti-bribery controls as similarly falling within the purview of the FCA. However, over recent years the FCA has made it clear that this is an area of focus and has made a number of public statements on the subject. In an illustration of the breadth of the FCA's enforcement remit, JLT was actually sanctioned for a breach of the FCA's Principle for Business No. 3, i.e. failing to "...take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems".
Even a cursory glance through the FSRB is enough to identify similar potential gateways through which the FSC could seek to take equivalent action on anti-bribery controls (Rule 8.6 of the FSRB springs to mind). This provision would also serve as an enforcement avenue in relation to AML controls, in addition to Rule 8.3 (which incorporates an obligation to ensure compliance with, inter alia, the provisions of the Money Laundering and Terrorist Financing Code 2013).
Although they concerned controls aimed at different risks, there are some striking similarities between the JLT and SB decisions that should be noted:
- In neither case was there any mention of any bribery or any money laundering having occurred. The failings related purely to the procedural controls that each organisation had in place to deal with these risks.
- In both cases, the relevant organisation did have procedures to address the relevant risk and, on the face of it, they were procedures that were capable of meeting the required standards, if properly implemented.
- In both cases, the key failings arose from the application of policies and procedures by staff dealing with the formation of new business relationships, the monitoring by management of compliance by staff with those policies and procedures and the on-going monitoring of the business, activities and risks flowing from those relationships.
- In neither case was the regulatory intervention entirely unheralded. In both cases, the relevant organisation had had interaction with the FCA in relation to certain of the issues that subsequently resulted in enforcement action.
What, then, are the key learning points from these decisions ?
- Adequate and appropriate policies and procedures (for AML, anti-bribery and other business risks) are a hygiene factor for compliance, but they are only the starting point. JLT had a comprehensive "Seven Alarm Bells" policy to assess anti-bribery risks, but staff weren't given the tools and guidance to apply them.
- The policies and procedures need to be attuned to the real risks of the business and staff need to be given adequate guidance and training in order to apply them to real life scenarios. The FCA singled out SB's approach to risk classification and the application of enhanced due diligence (EDD). Whilst the procedures were correct, in some cases the adopted risk classification policies were not properly applied and, even where they were, the implications of this were not communicated to those responsible for implementing EDD procedures and the outcome was that SB's own policy requirements in this area were not adhered to.
- On-going monitoring procedures must be robust and reflect the nature and risks of the business. A key failing of JLT identified by the FCA was that risk assessments were only undertaken when introducer relationships were first established; this led to the risk that subsequent higher risk business introduced by such persons was automatically approved, or approved without sign off at an appropriate level of seniority.
- Management need to monitor internal compliance with both initial take-one procedures and with on-going monitoring procedures. This requires board level ownership and should feed into a continuing cycle of critical review and refinement of procedures to ensure that they continue to address the risks of the business.
With continued scrutiny from supra-national bodies that appear to be concerned, in particular, to see a suitable quota of successful AML-related enforcement actions in smaller international finance centres, the speedier and more cost-effective enforcement opportunities likely to be afforded by the civil penalty regime may well prove a tempting alternative. Now is a good time to cast a critical eye over the management of these risks in your business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.