
Systems and Controls: why learn lessons the hard way?
By Dorian Drew, Senior Associate, Norton Rose
Today’s financial services firms are faced with a myriad of risks, including operational, credit, market and liquidity risk. To combat these risks, firms devise systems and controls having undertaken an assessment of the risks and the best way to manage and, in some cases, neutralise them. However, following the FSA’s decision to move towards a more principles-based approach to regulation, firms are increasingly self-reliant in having to determine what systems should be implemented and, importantly, how those systems compare with prevailing standards within the industry. The penalties for not implementing adequate systems and controls can be severe, but where does a firm seek information on designing adequate systems and controls where prescriptive rules are not in force?
Systems and controls touch on all aspects of a firm’s business, from governance and decision-making to training and monitoring. In devising systems, firms continue to receive limited help by consulting the rules and guidance in the FSA’s Handbook. In certain respects, the Handbook is still very prescriptive as regards the requirements for combating particular risks, for example, the nature and frequency of client money calculations, set out in the Client Assets Sourcebook (CASS).
Yet, beyond these measures, solid information can be hard to come by. The position is made even more difficult as it would appear that the FSA is seeking to broaden the reach of its regulatory regime. Traditionally, it was thought that the scope of the FSA’s high level Principles for Businesses and the standards expected under them could be ascertained by understanding what constitutes regulated business and the requirements of specific rules within the Handbook as it applies to that business. However, there is increasingly a perception that the FSA considers that the high level standards are capable of extending further than the requirements of the specific rules and guidance laid down in the Handbook. One example of such an area is the requirement under Principle 6 to pay due regard to the interests of customers and treat them fairly. Despite the fact that the FSA is not responsible under the Financial Services and Markets Act 2000 for the regulation of consumer credit contracts, it would appear that it is seeking to exert regulatory control over certain aspects of consumer credit through its Treating Customers Fairly initiative. Consequently, the more guidance and assistance that firms can derive from external sources in undertaking their risk assessment processes so as to ensure that appropriate systems are put in place, the better.
There are a number of sources of information available to firms. These include the firm’s supervisors, the results of thematic work undertaken by the FSA, Dear CEO letters, policy statements, newsletters, the FSA’s annual Business Plan and Financial Risk Outlook and speeches made by members of the FSA. These sources provide varying amounts of information at varying levels of specificity, from detailed recommendations as to what is expected of firms in feedback to thematic work (for example, in relation to the FSA’s review of the payment protection insurance industry) to high-level indications of areas or issues on which the FSA intends to focus in the year to come.
Within the enforcement sphere, previous FSA enforcement final notices and decisions of the Financial Services and Markets Tribunal provide firms with a wealth of useful, practical information. In 2006, the FSA published 102 enforcement final notices, which resulted in financial penalties totalling approximately £13.5 million (almost half of which was accounted for by the Deutsche Bank financial penalty). During the same period, the Tribunal published 18 decisions, of which 4 were purely procedural. Of the enforcement final notices published since N2, inadequate systems and controls, whether as the principal complaint or as ancillary failings to specific conduct, such as mis-selling or deficient financial promotions, represent the most recurrent failings for which firms have been criticised.
From an analysis of these final notices, the significant systems and controls failures exhibited by firms can be shown to fall within eight categories: assessment of risk, senior management oversight, resources, monitoring, training, compliance manuals, record-keeping and a failure to respond to issues raised during compliance reviews. By analysing the cases which raise issues within these categories, it is possible to identify the areas which cause firms difficulties and form the basis of repeated enforcement action.
Taking compliance manuals, a fairly common source of failings, as an example, it is not sufficient to have adequate systems in place; they must be appropriately documented and made available to members of staff. Deficiencies in compliance manuals have included failing to address properly, or at all, the key regulatory issues, failing to ensure that manuals are kept up-to-date (both in relation to changes in regulatory requirements and internal controls), failing to make the manual appropriately available to staff (firms have been criticised for not providing each member of staff with access to their own copy), and failing to have a procedure whereby a record could be made of whether individual staff had read and understood the manual.
In the case of monitoring, the FSA has demonstrated a recent focus (in its payment protection insurance cases) on the requirement for firms to implement a risk-based approach to monitoring. Both Loans.co.uk Limited and Redcats (Brands) Limited were criticised for not implementing a risk-based approach to monitoring. There was no correlation between the volume of sales and the amount of monitoring which was undertaken at Loans.co.uk. Moreover, in the absence of other controls, the firm was criticised for the number of transactions in respect of which monitoring was undertaken (1.3%). Both firms were also criticised for failing to use the results of monitoring to undertake trend analyses. A pattern can also be seen of firms being increasingly criticised for only undertaking quantitative, rather than also qualitative, monitoring.
Whilst the final notices, themselves, contain many useful lessons, those lessons are currently very difficult to find. Although all of the final notices are easily accessible on the FSA’s website, they are only listed by date and name. Consequently, the valuable lessons they contain may become lost and forgotten. Without reading a final notice, or having some prior knowledge about the case, it is not possible to identify prior cases for further consideration which raise issues similar to those currently faced by a firm. However, in June this year, a digest of enforcement final notices and Tribunal decisions, jointly produced by Butterworths and Norton Rose, is due to be published which will, for the first time, collate and summarise the final notices and Tribunal decisions issued since N2 (including chapters on systems and controls, market abuse, the Listing Rules, financial promotions and treating customers fairly). The online version will also be fully word searchable.
It may seem a bit strong to rely on the words of Karl Marx: “History repeats itself, first as tragedy, second as farce.” But, as the history of FSA disciplinary action has shown, firms often fall foul of the problems previously faced by others. With the FSA making clear statements that it expects financial penalties in disciplinary cases to increase, coupled with the potentially significant costs associated with third party reviews of procedures, customer contact exercises and the payment of compensation, every firm has a vested interest in ensuring they learn the lessons of the past.
2 May 2007