As financial institutions in Australia face into the culture and conduct storm that has engulfed the UK for the past decade, UK firms can be confident that they have already largely negotiated the regulatory waves which have followed the Banking Royal Commission in Australia. However, culture and customer treatment are themes that continue to be relevant on both sides of the world. In an article for Butterworths Journal of International Banking and Financial Law, Jenny Stainsby considers the implications of the Royal Commission’s recommendations for UK firms.
On 4 July 2019, Mr Justice William Davis approved a Deferred Prosecution Agreement (“DPA”) agreed between the Serious Fraud Office (“SFO”) and Serco Geografix Ltd (“SGL”), a wholly-owned subsidiary of outsourcing company Serco Group plc (“Serco Group”). SGL has agreed to pay £22.9 million, comprising a financial penalty of £19.2m and the full amount of the SFO’s investigative costs of £3.7m. This is in addition to the £12.8m in compensation Serco paid to the Ministry of Justice as part of a £70m civil settlement in 2013.
Following the introduction of DPAs in the UK in 2014 and the conclusion of the first DPA with the SFO in November 2015, the Serco DPA is the fifth and latest in a growing body of DPA case-law and confirms the importance placed by the SFO on the use of DPAs in tackling financial crime.
In this briefing, we provide some background on DPAs generally, an overview of the Serco DPA and discuss some of the emerging themes relating to DPAs and the SFO’s approach to enforcement.
The Financial Conduct Authority (“FCA”) has published proposals to ban the sale of derivatives or exchange traded notes (“ETNs”) which reference certain types of cryptoassets (“crypto-derivatives”), to address harm posed to retail consumers. The scope of the ban would extend to the sale, marketing and distribution of all derivatives (ie. options, futures and contracts for difference (“CFDs”)) and ETNs which reference ‘unregulated transferable cryptoassets’ by FCA-regulated firms acting in, or from, the UK to retail consumers (ie. ‘retail clients’ as defined in COBS 3.4). The ban would be implemented through proposed changes to the conduct of business (“COBS”) sourcebook.
Welcome to the Spring 2019 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions.
First published on Thomson Reuters Regulatory Intelligence on 12 June 2019 (this version includes updates as at 28 June 2019).
In our first article on cryptoassets we discussed considerations for boards and senior management. This second article considers regulatory risks specific to cryptoassets which the second line of defence (i.e. compliance and risk functions) within the three lines of defence (TLOD) model of compliance should consider.
In this blog post, we round-up forthcoming developments in the UK and at EU and International levels in financial services regulation for July 2019.
Authors: Clive Cunningham, Harry Millerchip, Katie McGrory
The FCA recently published its Industry Feedback for 2018/19 on its 5 Conduct Questions (5CQ) Programme (which can be accessed on the FCA’s website, here).
The 5CQ Programme was introduced by the FCA in 2015 for wholesale banks as a tool to help firms improve their conduct risk management and drive cultural change. This year, the 5CQ Programme was rolled out more widely across other wholesale financial services firms, including brokers.
The Industry Feedback is divided into three sections:
- Section 1 identifies the FCA’s high-level observations over recent years on efforts by firms to improve culture in the wholesale banking sector;
- Section 2 addresses each of the 5CQs in turn and provides an update on industry progress, outlining specific examples of firm behaviours observed by the FCA during its supervision work; and
- Section 3 sets out the FCA’s assessment of ‘speak up’ cultures and whistleblowing procedures in wholesale banks.
In this blog post we provide a brief overview of the content of the Industry Feedback; the key themes; and next steps in the 5CQ Programme. Although the Industry Feedback looks at the wholesale banking sector, the FCA has emphasised that it is broadly applicable to all firms in the financial sector and will be of interest to boards and non-executive directors (NEDs) of firms (among other stakeholders).
The Industry Feedback reflects the key priorities raised in the FCA’s Business Plan for 2019/20 (which can be accessed on the FCA’s website, here). The 5CQ Programme fits into the FCA’s broader focus on culture and governance, particularly with the upcoming extension of the UK Senior Managers and Certification Regime (SMCR).
Overview of the FCA’s Industry Feedback
Overall, the FCA concludes that firms have made significant progress with their conduct initiatives since the 5CQ Programme was introduced. As part of the 5CQ Programme, firms initially focused on correcting bad behaviours and problematic internal processes and procedures by implementing new policies and procedures, training and surveillance. The FCA now wants firms to focus on encouraging and protecting positive behaviour in its own right. Good culture and conduct are increasingly recognised as a key driver in corporate growth and a differentiating factor for customers.
The FCA highlighted a number of key themes and issues, including the following:
- although firms in the wholesale financial services sector have improved their conduct, non-financial misconduct remains a serious issue – the treatment of a firm’s own staff should be included in its definition of ‘conduct risk’;
- risk identification efforts are often top-down rather than bottom-up. Identifying risk (including conflicts) remains a weakness;
- close proximity of senior managers to the trading floor will not necessarily prevent or improve conduct risk management;
- there is little evidence of firms restructuring remuneration (eg. commission-based) to avoid or manage potential for harm; and
- firms are establishing new committees to focus on conduct risk.
We set out some of the FCA’s key messages on industry progress on the 5CQ Programme below. The FCA also outlines specific examples of good and bad initiatives and responses to its 5CQ Programme, which may be of interest to firms. See Section 2 of the Industry Feedback for more detail.
|The 5 Conduct Questions||Key messages on industry progress|
|What proactive steps do you take as a firm to identify the conduct risks inherent within your business?|
|How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?|
|What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?|
|How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make?|
|Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?|
‘Speak up’ and whistleblowing
The FCA also commented on the status and health of ‘speak up’ cultures and whistleblowing structures and procedures. It emphasised that ‘speak up’ initiatives and whistleblowing procedures will continue to attract periodic testing and validation as part of the FCA’s routine supervision. The FCA’s key comments include:
- staff at firms need to feel comfortable to speak up, and share concerns and mistakes without fear of blame or retribution;
- ‘speak up’ initiatives should be about day-to-day conversations, discussions and challenge across the whole firm. They should be framed inclusively and designed to encourage participation – not (as the FCA observed in some firms) as “speak up, or else”;
- the FCA identified some uncertainty about the division between different channels of escalation (ie. ‘speak up’ initiatives versus whistleblowing). Firms have acknowledged they need to be clearer about the division;
- non-financial misconduct (including sexual harassment, bullying, favouritism and exclusion) is a significant problem which needs to be tackled with buy-in from staff at all levels, including senior management. Some firms reported that their whistleblowing channels had seen an increase in the number of non-financial misconduct cases. Firms expect this has been caused by increased media coverage and firm initiatives which have encouraged reporting, rather than a deterioration in behaviour; and
- many firms had no sense of what a normal level of whistleblowing events should be. The FCA recommends that firms establish case level expectations.
The FCA will continue to engage with firms on their conduct across the wholesale financial services sector, both as part of the 5CQ Programme and as part of its routine supervision. The FCA has indicated that it will increasingly test and challenge management and staff on conduct progress.
As part of its wider rollout of the 5CQ Programme, the FCA noted that few firms had the range of conduct initiatives which it has seen in the larger wholesale banks. Firms should be engaging with changing their conduct as an ongoing matter of priority (and not just in response to the rollout of the 5CQ Programme).
Firms in the wholesale financial services sector (and more broadly) should review the Industry Feedback carefully and take it into account as part of their ongoing work on conduct, culture and governance, and their engagement with the FCA.
First published on Thomson Reuters Regulatory Intelligence on 10 May 2019.
Authors: Clive Cunningham and Wendy Saunders
This is the first in a series of articles looking at crypto-assets (encompassing exchange tokens, security tokens, and utility tokens) through the lens of prevailing regulatory expectations of governance and risk management in the UK. In the absence of a specific regime for crypto assets, the legal and regulatory environment remains uncertain. Some crypto assets fall within the current regulatory regime; others do not. UK policymakers are in the process of clarifying the current perimeter and may expand it in the future.
Author: Hanne Gundersrud
The FCA and PRA have announced their second enforcement action in relation to outsourcing failures by the retail bank R. Raphael & Sons plc (“Raphaels”). The firm failed to manage its outsourcing arrangements properly, in breach of FCA Principles 2 and 3, the applicable provisions of Chapter 8 of the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (“SYSC 8”), and PRA Fundamental Rules 2, 5 and 6. Raphaels received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of the breaches, resulting in a combined fine of £1,887,252. Raphaels agreed to resolve the matter with its regulators and therefore qualified for a 30% discount in the fines imposed by both regulators.
Authors: Susannah Cogman, Daniel Hudson and Hannah Lau
On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.
In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.
Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.
The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. They also cover attempted attacks with a potentially significant effect.
Cyber-attacks constituting an external threat include those which:
- originate, or are carried out, from outside the EU;
- use infrastructure outside the EU;
- are carried out by any person or entity established or operating outside the EU; or
- are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.
“Threat to member states or the EU”
Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.
Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.
Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.
Who can be penalised
There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:
- (a) carry out (attempted) cyber-attacks;
- (b) provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
- (c) are associated with those in (a) or (b) above.
The type of sanctions imposed
The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.
The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns, noting the similarity of these sanctions to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.
It is noted that the UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.