By Philip Naughton, Partner, ACA Compliance Group.
On the first day of Christmas, the industry gave to me… twelve recurring compliance issues
Unfortunately, when it comes to compliance programmes this Christmas, UK financial services firms are still making the same errors, over and over again. Recent compliance reviews carried out by ACA Compliance on financial services firms identified, on average, 24 different regulatory failings or weaknesses – one for every day of advent!
This Christmas, ACA Compliance Group has rounded up 12 of the most frequently observed compliance failings by firms this year. By tackling this list of potential issues, compliance teams can put their organisation’s programmes on a sounder footing should the UK Financial Conduct Authority (FCA) come calling in 2020!
1. Governance – Firms need formal, minuted Board and senior management meetings. Undocumented decisions and activities cannot be evidenced to regulators. The arrival of SM&CR in December 2019 makes good governance even more essential both from a corporate and personal perspective.
2. Compliance arrangements – Keeping basic compliance infrastructure, such as the compliance manual, policies, and procedures, up-to-date is absolutely vital. A SYSC 4 rule requires senior management to receive certain reports at least annually relative to compliance arrangements in key areas.
3. General compliance – The devil is often in the detail, when it comes to getting things right for the regulator:
· Be accurate: use the correct form of words for the Statutory Status Disclosure
· Check the firm’s standing data details within 30 days of its accounting reference date, as required by SUP 16.10. The FCA knows it has inaccurate data for many firms. Keep an eye out for changes coming into play after 30 Jan 2020.
· Validate the quality of recordkeeping with a compliance review.
· Examine the firm’s Part 4A Permission profile. If the firm doesn’t need or use a permission, or intend to use it within the next 12 months, remove it.
4. Personnel – Firms often neglect important regulatory requirements in the human resources area. These include:
· Failing to conduct and document a formal review of an individual before registering them as an approved person with the FCA
· Using attestations only sporadically, either when a person joins a firm or afterwards
· Getting the 12-week rule wrong. SUP 10A.5.6 allows the appointment of an individual to a Significant Influence Function for 12 weeks only in temporary or reasonably unforeseen circumstances.
5. Training – Compliance training mustn’t be a “tick box” exercise – it needs to be foundational to the firm’s overall culture. Training should be designed appropriately for the firm’s operations and risks, and be well executed and documented.
6. Financial crime arrangements – The financial crime risk management and controls programme should be an ongoing, continuous process. Risk assessments need to be conducted regularly and evaluated annually by the Money Laundering Reporting Officer (MLRO). Lastly, the REP-CRIM report (where relevant) needs to be completed accurately – it informs the FCA’s supervisory approach towards the firm.
7. FCA reporting – Three key issues that pop up over and over again in firms’ regulatory reporting include:
· Incorrect Gabriel schedule – Often these have been set up the wrong way or amended incorrectly. Firms should regularly review their schedules.
· Erroneous fixed overheads requirements calculations – There are two different calculation methods in the FCA’s Handbook. Use the correct one.
· Wrong controllers and close links reports – It’s important to provide the right information. Also, senior managers must understand the impact of decisions on group structure.
8. Financial planning – Firms often neglect this area. The FCA expects that firms:
· Undertake financial forecasting – Have a three-year outlook in place.
· Consider capital and liquidity – Evaluate the impact on all financial resources – not just capital – and non-financial resources when assessing risks.
· Create a wind-down plan – Have a proportionate plan for winding down the business in a way that doesn’t cause harm.
9. ICAAP – The Internal Capital Adequacy Assessment Process (ICAAP) should never be a tick-box exercise. Key elements of a strong ICAAP approach include:
· Culture created by the Board – The ICAAP process must be owned by the Board and delegated downwards, with clear lines of reporting and escalation.
· Risk management framework embedded in ‘business as usual’ – Have a risk management strategy set by the board, with its own risk appetite, detailed assessments of risks, policies and procedures.
· Complete Pillar 2A capital assessment – Thoroughly assess and quantify Pillar 2 capital requirements, considering risks not fully captured in Pillar 1.
· Relevant stress and scenario tests – Scenarios should be linked to the risks assessed as material to the firm, where base case financial plans are flexed based on the impact such risks could have on the business over time.
10. Regulatory change – The Investment Firms Regulation and Directive is coming! Some firm types can expect significant increases in regulatory capital amounts. Firms should examine the impact of this regulatory change now and make preparations to increase capital, if needed.
11. Market abuse – In Market Watch 58, the FCA highlighted just how much of a challenge transaction monitoring continues to be for firms. In addition, firms still struggle to complete an annual market abuse risk assessment, as well as perform communications surveillance, and surveillance of staff personal account dealing – something the FCA specifically called out in its Market Watch 62, in which it expresses significant concerns about authorised firms’ systems and controls when it comes to Personal Account Dealing (“PAD”). The FCA has repeatedly articulated the practices it expects to see, and said market abuse remains an area of focus.
12. Transaction reporting – Firms are not meeting the required standard across a variety of fronts, from incomplete or incorrect data being submitted to their Approved Reporting Mechanism to failing to reconcile the data, process rejections, and monitor resubmissions. Firms are being warned that not engaging correctly means that they are not totally complying with the requirement to submit complete transaction reports.
So in this festive season, you may want to add a compliance review to your Christmas list to help ensure you don’t make it onto the regulator’s naughty list.