15 December 2004
Speech by Andrew Proctor

I. Preamble

Most of what I have to say will be broadly familiar to you, and I hope that many of you will have heard me speak before about some of the themes I will touch on this afternoon. Other speakers will give you enough of the detail around the T&C regime and our expectations for me to safely pass over that. There are two things I would like to emphasise.

 

II. Agenda

Firstly, I would like to assure you of the importance that we place on a good T&C regime when we come to make key enforcement decisions. There are two aspects to that: the decision to take a case into enforcement at all, and what we do once we have received that case into enforcement. Both of these decisions involve fundamental considerations of the quality of T&C within firms in many cases.

Secondly, I would like to give you some material to take back and use in debates and discussions within your firms when you reach the difficult part of the year when people are asking for budgets to allocate to T&C. I would like to give you some arguments to put to senior management in support of adequate investment in T&C. To do that, I need to give you some information that will enable you to persuade senior management within your firm that it is in their best interest that they make that investment. David has described in some detail our expectations of senior management in the context of the T&C regime and our handbook, and the wider legal obligations that most firms and companies have.

 

III. Senior Management Responsibility

  1. Fundamental Assumptions

    In essence, we expect that senior management will take responsibility for the day to day running of the firm. We are not there as a regulator, supervisor or enforcement agency in terms of the day to day running of the company. If you think about that, there are some aspects which involve some fairly fundamental assumptions about senior management. You must assume that senior management are trying to comply with regulations, to understand what is expected of them and to make a sufficient investment to get it right. If we did not believe that, our proposition about senior management running the company from day to day would hardly stack up, and we would have to make a significantly different set of judgements about how we supervise firms and use our enforcement tools. That is the philosophical starting point from the perspective of enforcement, and most senior management are trying to comply.

  2. Trust The implication, therefore, is that we can and should trust most senior management to try to comply with their regulatory responsibilities, and expect that they will try to ensure that the firm does the same. It is, therefore, not a strict liability regime. It is not a case for enforcement to describe a situation in which a breach has occurred, even when consumers have lost money. That is not the way we think about our judgements in terms of which cases to take into enforcement. We start with some propositions about the statutory objectives of the FSA, but then we very quickly ask ourselves whether this is a case that is worth the allocation of enforcement resource.

  3. Questions

    We immediately start to ask ourselves whether our trust in respect of senior management is justified in the particular case. Is there some evidence that senior management have actually been trying to get it right? Do we think that they were genuinely trying to comply? Is this a case of a breach despite the reasonable efforts of senior management? What can we see, by way of evidence that they are trying to get it right? Among the first things we look at is the compliance regime within the firm, to determine whether or not our basic philosophical starting point is justified in the particular case.

  4. Justification for Enforcement

    It is well known that we do not investigate every case; there needs to be a justification in our mind for the allocation of enforcement resources. In one sense, a case not only needs to be provable, but it needs to be sufficiently important in the context of our statutory objectives to justify the allocation of enforcement resource. If you think about it, enforcement is very often the longest, slowest and most expensive way to make a point. It ought to be a point well and truly worth making if enforcement resources are going to be allocated to it for a period of at least many months and, given our enforcement decision making process, often more than a year.

  5. Evidence

    Let us assume a breach in a particular case; we ask ourselves questions about senior management in a firm in that case. Should a case, nonetheless, remain in enforcement? We ask ourselves whether the firm has identified the problem for itself and whether it has sufficient systems and controls to do so. What has it done since identifying it? Has it brought it to our attention? There are difficulties around identification and early notification to the FSA, but it is one of the key indicators that a firm is genuinely trying to comply. What has it done by way of remedial action plans?

  6. Remedial Action

    In many cases, the evidence of remedial action will depend fundamentally on a review of the T&C and compliance regimes within the firm. What has it done to identify the problem, bring it to our attention, take external advice where necessary and set about the task of reducing the risk of a problem recurring in the future? Even if a firm does ultimately find itself in enforcement because the breach is sufficiently serious; if it has set out down a path of trying to remedy the problem, to take advice, and to reduce the risk of recurrence; it will still, very likely, benefit as a consequence of reduced penalty.

    More fundamentally, however, it stands the best possible chance of not coming into enforcement at all. That kind of senior management and organisation informed by a proper understanding of the obligations of T&C and the regime described by David represents the kind of firm that we can confidently say ought to stay in supervision, even where a breach has occurred, because it is getting on and addressing the problems.

    You ought to tell us about a problem quickly and cooperate with us as we try to put in place remedial action, which might involve the Section 166 route that many of you will be familiar with – the retainer of an external expert – so that you stand the best possible chance of staying in supervision.

  7. Attitude and Approach

    However, if the breach is so serious that it justifies the allocation of enforcement resources, even in those situations, the kind of attitude and approach that I have described to T&C obligations and to compliance generally is the kind of response that will justify enforcement taking a different attitude to you. One of the things that we promise firms at the outset of investigations is that, if you do the right thing, you will benefit.

  8. Scoping Visit

    Very often, in most of our cases, the first thing that happens is that one of our members of staff will undertake a scoping visit at the firm, in which we set out our principal concerns. It is also a visit in which we give you an opportunity; we tell you that matters do not look very good and that there is enough for us to investigate, but that there is a long way to go.

  9. Two Alternatives

    There are really two ways in which we can do it: we can do things the long, formal way – we have all the powers we need and we will eventually obtain the information we need to make judgements; or senior management can remain involved in this case throughout, accepting responsibility for that involvement. If they do the right thing in terms of cooperation, do more than required in terms of statute, and set about those tasks of identifying how to reduce risk in the future, we make them some promises:


  • The case will be over far more quickly.
  • If we decide that you are in breach, we will give you a significant discount on the penalty you might otherwise have been given.
  • We will say very positive things about you at the end of the case.
    Not surprisingly, where we have that kind of discussion, senior management often take up the offer and go down the cooperative route, but it is very important that you, as advisers to senior management, understand that that opportunity will be made available. Go back to senior management and explain to them our approach to enforcement and that it is preventative, although there are also ways of reducing the level of pain once you are in enforcement.
 

IV. Recent Cases

  1. Focus on T&C Failures

    Over recent months, there have been a number of cases where we have particularly focused on T&C failures. I can imagine a situation in which T&C, itself, would be sufficiently serious for us to justify the allocation of enforcement resources. We came close to that in the Carr Shepherds case; however, generally speaking, it will not be sufficient reason itself to justify a referral from supervision to enforcement. It is the kind of problem where we would tell the supervisors that we think they can deal with the matter, on the assumption that senior management are trying to comply, unless they can demonstrate that senior management have been given opportunities to remedy problems in the T&C regime and have failed to do so.

  2. Aggregated Breaches

    In cases where there is a breach of some other sort, we say that that breach will often be aggregated by a poor T&C regime, poor systems and controls, and a poor compliance culture. Where we see a combination like this, we really hit the firm hard. We invite our regulatory decisions committee to significantly increase the level of penalty in that situation, because it is not just the instant case, but the fact that the entire culture of non compliance and failure to put in place and train competent staff has exposed a much wider population of customers to risk. There is not only the specific deterrent to the particular firm that we are trying to deliver, but a much wider and more general message. In those cases, we will explicitly focus in on that systems and T&C failure to send a message of general deterrence to the wider population of firms in that company’s peer group.

  3. Case Studies
  1. Bank of Ireland

    In the Bank of Ireland case, where we fined the firm £375,000 for breaches of anti money laundering requirements, we said:

    ‘The Bank of Ireland did not establish adequate systems and controls to monitor the issuing of bank drafts, and did not check that its staff understood fully their anti money laundering responsibilities in relation to the recognition and reporting of suspicious transactions.’

    We delivered that statement and levied a penalty of a size to send a general deterrent message based on T&C failures.

  2. Carr Shepherds Crosthwaite

    The second case I want to touch on is Carr Shepherds Crosthwaite (CSC), which was fined £500,000 for compliance failings. This is an unusual case and is the one which comes closest to being only about compliance in T&C. The failings arose because the firm failed to keep fully up to date with the regulatory developments that had taken place since the establishment of the FSA. In this particular case, I said:

    ‘If a compliance department is to be fully effective, it needs to keep up to date with the regulatory requirements and market developments. The creation of the FSA has led to important changes in that landscape, of which CSC has failed to stay fully appraised.’

    We went on to highlight the fact that CSC’s compliance policies, procedures and their monitoring were inadequate and incomplete, and that they had not kept pace with regulatory developments. For example, they did not have a complete, adequate and up to date compliance manual, and its branches outside London were not subject to regular visits by the compliance department.

    There was a very long and detailed final notice in that case, which runs to nearly 10 pages, in which we set out our concerns in some detail. Essentially, it comes back to the fact that we were concerned, not because a particular customer had lost out or because there was a particular breach, but because the compliance and cultural failings within that firm had exposed clients to the risk of loss.

  3. DSB

    The third case I want to discuss is in the area of financial promotions. There have been a number of such cases in recent weeks, but this particular one is useful for making the point about failures and inadequate training. DBS were fined £100,000 for misleading advertising, but the significant point about this case was that, in our view, DBS’s procedures for approving advertising material were inadequate. More particularly still, we said that there was no ongoing training provided to the advertising officer in order for that person to maintain appropriate levels of current experience.

    We very much focused on the training aspects and its failure; not the particular defective adverts, although they are what triggered our interest in the firm, but we were really irritated by the fact that, because the particular responsible advertising officer had not been given proper training, a wide range of people were potentially exposed to risk.

  1. The Model Going Forward

    You may observe that no senior management were taken to task in those three cases, which is a very critical point to focus on. We cannot allow that to continue to be the model. In our view, when we see situations of the sort that I have described in those cases, we will have to take very direct action against the senior management who are responsible for the failure to put in place a proper compliance culture, proper training and proper standards of competence.

  2. Focus on Responsible Individuals

    We have recognised that the most acute way of driving home this message about T&C and standards is to focus on the individuals responsible. The next trick is to balance the proposition that most people will try to comply if they understand what is expected of them. Therefore, in such cases, in the future, we will be asking another question: whether or not there is evidence that the senior management failed to make a serious effort to put in place an adequate T&C or compliance regime. We will then ask ourselves why we should not take that individual through enforcement.

 

More Speeches: