Following recent FCA outcomes in relation to breaches of requirements imposed by the FCA on regulated firms, in this briefing we consider some lessons learned for clients around managing regulatory interventions, with a focus on VREQs and OIREQs.
In our briefing last summer, ‘Handling regulatory interventions: considerations for responders’, we discussed issues which firms might consider when managing interventions by increasingly assertive financial services regulators. This included a summary of the key supervisory intervention tools and powers which are available to the FCA and/or PRA where the regulator suspects serious misconduct may have occurred and harm needs to be prevented immediately.
In this updated briefing we focus in particular on circumstances where the FCA or PRA has imposed requirements, whether as a result of voluntary application by the firm (known as a VREQ) or on the regulator’s own initiative (known as an OIREQ).
Lessons for firms when responding to and managing compliance with a VREQ or OIREQ
- Respond early and open a dialogue with the regulator: Recent experience and outcomes have suggested the regulator is willing to enter a dialogue with regard to the terms and wording of a VREQ. These discussions can be worthwhile in assisting firms to gain comfort that the restrictions agreed are practicable in terms of implementing the requirements imposed on their business. However, careful consideration needs to be given to what can and cannot be put into practice so as to avoid inadvertently creating a rod for the firm’s back, particularly where those negotiating are one step removed from the practical implementation and where there is room for misunderstandings about what can be delivered. Failing to comply with a requirement that the firm has negotiated is likely to be viewed more seriously by the regulator. Consideration should also be given to whether there are alternatives that may address the regulator’s concern, thereby avoiding the need for any requirement to be formally imposed, and to what options are available to the firm if negotiation is not successfully concluded.
- Document the governance framework for compliance: Writing down the methodology for how the firm intends to implement and ensure compliance with the VREQ/OIREQ may focus minds internally on the steps that will be needed and what policies and procedures and other measures are required to ensure the steps are taken. Having a methodology may also avoid criticism by the regulator for failure to have a (documented) governance framework in place to oversee compliance with the requirements or restrictions imposed.
- Ensure clear internal communications and a joined-up approach: The terms of the requirements or restrictions imposed by the regulator may require the involvement of a number of different functions who will need to communicate clearly regarding the implementation and operationalisation of any requirements. Where systems changes are needed to give effect to the VREQ/OIREQ, firms may need to ensure that the relevant IT or other technical teams within the business make the appropriate changes. Steps that can be taken to avoid messages becoming ‘lost in translation’ include converting technical jargon into plain English, conducting walk-throughs to understand what will happen in practice and taking time to ensure all elements of the process are understood.
- Pre-implementation testing: Undertaking sufficiently robust pre-implementation testing will help the firm to understand where there might be any gaps in controls in the business which would undermine or prevent the VREQ/OIREQ from taking effect. In addition, firms would be well advised to keep records of the testing carried out (which should be an ongoing process, rather than adopting a ‘plug and play’ approach).
- Consider all practical ways in which the VREQ/OIREQ will work and be operationalised: This includes consideration across all products, business lines, services and systems (including, for example, any services or systems which the relevant entity shares with other entities in the group) and how to operationalise this, to avoid criticism for not adequately identifying possible loopholes in the implementation and risking a breach of the requirements/restrictions imposed (and possibly, subsequent disciplinary action). A team brainstorming approach and workshopping may assist with flushing out anomalies or less common aspects of the business which need to be factored in.
- Ongoing compliance monitoring: Following implementation, the regulator will expect the firm to monitor the effectiveness of the processes put in place to ensure compliance with the VREQ/OIREQ, to have procedures in place to enable prompt notification to the regulator in the event of a breach, and to improve the relevant systems such that a similar error or breach does not reoccur. A monitoring plan should be prepared with input from relevant stakeholders and records should be kept of the extent and frequency of all monitoring activity to assist in demonstrating that it has been carried out. FCA outcomes (across different sectors) have indicated that penalties will be harsher for firms where breaches have not been self-identified but have, for example, been brought to the firm’s attention via a third party (or the regulator itself).
- Record-keeping: Related to the above, records of steps taken with regard to the design, implementation, testing and ongoing monitoring of the VREQ/OIREQ should be maintained on a centralised basis and responsibility for updating these should be clearly assigned. Organised documentation puts a firm on the front foot in dealing with any regulatory enquiries which may be made at relatively short notice.
- Consider wider review: In the event of a breach of the requirements, firms may wish to consider whether the breach is indicative of a wider concern with their systems and controls – or, perhaps, may indicate a similar issue in relation to another entity in the group (this may be the case, for example, in circumstances where a shared service model is in place).
Given the current regulatory focus on use of supervision powers to prevent misconduct and manage risk, we are continuing to see VREQ invitations and OIREQs with an increasingly wide range of requirements being sought and imposed.
In light of recent enforcement action, firms should not underestimate how seriously the FCA will take a breach of requirements or restrictions imposed on regulated firms. As such, firms should consider carefully whether it is possible to comply, what alternatives are available and what steps can be taken in order to implement and monitor compliance with any requirements. Once restrictions are in place and until it is possible to satisfy the regulator that they can be removed, a firm must be able to demonstrate to the regulator that it takes seriously its obligations to comply with the requirements/restrictions imposed.
We regularly advise on preparing financial institutions for responding to assertive supervisory action and intervention (including training), as well as supporting them in managing their relationship with the regulators throughout the process. Please contact us should you require more information on how we can help.