Amid the uncertainty brought about by the end of the Brexit transition period and the ongoing COVID-19 pandemic, firms should be aware that the FCA will retain an active approach to financial crime and regulatory enforcement in 2021. This OnPoint sets out our views on likely enforcement trends and potential areas of focus for the FCA in 2021. We also cover immediate steps firms should be taking to ensure they are well prepared and that their systems and controls are up-to-date.
Last year’s OnPoint on enforcement risk noted that the FCA’s primary focus in its 2020/21 business plan was on mitigating the impact of COVID-19 on the markets and protecting consumers.1 These issues will inevitably be a continuing theme for the FCA in 2021. For assets managers and banks, we anticipate that the FCA will take a particular interest in:
- Ensuring firms are continuing to operate effective compliance programmes (including systems and controls for countering financial crime) despite the disruptions caused by the ongoing pandemic. Indeed, a recent FCA Market Watch newsletter2 reminded firms of the importance of effective controls for monitoring and recording communications and the role those controls play in deterring and detecting market abuse.
- Prioritising effective governance in the asset management industry through the application of the Senior Managers and Certification Regime (SM&CR).3
Taking stock: 2020 enforcement activity
In 2020, the total value of fines issued by the FCA was £192.5 million, less than half the value of fines issued in 2019 (£392.3 million). However, the value of fines is only one part of the picture and there were some particular areas of note in 2020 enforcement activity:
- The first fine under the EU Short Selling Regulation (SSR)4 – the FCA fined an asset management firm based in Hong Kong over its failures to make 155 notifications to the FCA and 153 disclosures to the public in connection with the net short position which it had built up in an oil company between 2017 and 2019. According to the Final Notice, the firm had not appreciated the requirements of the SSR as it had relied on third party materials regarding the regulatory position in the UK rather than obtaining formal legal advice.5 Given the recent attention on the trading of GameStop shares (which prompted the FCA to issue a statement),6 short selling is (indirectly) under scrutiny and firms employing short selling strategies should be particularly conscious of their obligations under short selling legislation.
- Significant fines were handed out to firms for weaknesses in anti-money laundering and risk management controls. For example, in June 2020, the FCA fined Commerzbank AG (London Branch) £37,805,400 for its failure to put in place adequate anti-money laundering systems and controls.7 The issues identified in the FCA’s Final Notice spanned almost five years (from October 2012 to September 2017) and included the lack of a comprehensive documented process for exiting customer relationships for financial crime risk, backlogs in refreshing KYC checks and significant weaknesses in the bank’s automated transaction monitoring systems.8 We have previously written an OnPoint on the compliance lessons learned from the Commerzbank case.9
- The FCA has recently taken action for failures in the adequate protection of client assets, even in circumstances where no actual client assets or money were lost. Client asset arrangements are a perennial focus for the FCA; in its 30 September 2020 ‘Dear CEO’ letter, the FCA set out that it is imperative to maintain adequate arrangements to safeguard client assets amid the uncertainty caused by COVID-19.10 The strength of firms’ governance and monitoring controls to identify material risks to client asset arrangements are critical in this respect.
The FCA’s open cases as at 31 March 2020 highlight the emphasis placed by the FCA on financial crime (71 open cases) and insider dealing and market manipulation (117 open cases). While COVID-19 may have impacted the FCA’s enforcement capacity, we anticipate a continued emphasis on both of these areas, with firms needing to adapt to the evolving risks presented by new working environments.
Potential areas of enforcement focus in 2021
This section highlights areas we consider are likely to be a focus for the FCA over the next 12 months in its pre-enforcement and enforcement activity.
Market abuse risks have been heightened by the pandemic and, even prior to the pandemic, market abuse was a significant focus for the FCA (with 88 insider dealing cases and 29 market manipulation cases open as at 31 March 2020).11 In a 12 October 2020 speech titled “Market abuse in a time of coronavirus”, Julia Hoggett (the FCA’s Director of Market Oversight) outlined how novel methods of market abuse risk surveillance are necessary in the new remote working environment, setting out the FCA’s expectation that “going forward, office and working from home arrangements should be equivalent – this is not a market for information that we wish to see be arbitraged.”12 Hoggett outlined that the FCA’s expectations in this area will require firms, including asset managers, to:
- Continuously update market abuse risk assessments brought about by changes to working environments.
- Consider the changing nature of what constitutes inside information – for example, knowledge of whether a company has utilised the furlough scheme.
- Regularly review insider lists.
- Update policies, refresh training and put in place rigorous oversight processes reflecting the new environment.
On a related point, the FCA is also likely to be focused on risks from unmonitored communications, particularly involving encrypted messaging apps. The FCA’s most recent Market Watch newsletter13 outlined the FCA’s expectation for firms to continue to comply with their recording obligations regarding telephone and email communications when alternative working arrangements are in place. Where encrypted messaging apps are used for in-scope activities – including managing investments – they must be “recorded and auditable”.
Firms should proactively review their recording policies and procedures and provide updated training to staff where policies have been amended. The Market Watch newsletter reiterates that the FCA considers that Senior Managers have an important part to play in embedding the right culture and governance within firms. Firms should actively be able to demonstrate the adequacy of their controls in this area to the FCA.
AML systems and controls
As demonstrated by the Commerzbank case, AML systems and controls have been a fruitful source of FCA enforcement activity. In addition, the COVID crisis has created significant opportunity for criminals to commit fraud and launder the proceeds of crime by targeting weaknesses in customer due diligence (CDD) processes brought about by the pandemic and the widespread shift to remote working.
We anticipate the FCA will continue to take action in relation to AML issues. Firms should ensure that their AML policies and procedures have been adapted to take account of the challenges posed by the pandemic and that the effectiveness of these policies and procedures is kept under review.
Sanctions systems and controls
The FCA is alert to sanctions systems and controls failures and some of the largest ever fines issued by the FCA have touched on weaknesses in sanctions-related controls. The UK sanctions regime has also changed as a result of Brexit. For example, the UK now has its own global human rights sanction regime.
Firms must ensure that their sanctions screening systems take into account both the new UK sanctions regime and any nuances in the way that existing sanctions legislation has been updated post-Brexit.
Other areas of regulatory focus
Individual accountability – SM&CR
Investment management firms will be aware of the FCA’s emphasis on prioritising effective governance in the industry.14 In December 2020, the FCA announced that it expects solo-regulated firms’ application of Senior Managers and Certification Regime (SM&CR) rules to return to normal (after additional flexibility was granted earlier in the year due to the pandemic).15 Asset management firms should ensure their governance processes place sufficient emphasis on the implementation of SM&CR and should expect the FCA to take particular interest in any failings.
The damage from the recent Solar Winds hack in the U.S. has been substantial and, in light of widely reported increases in cybercrime, firms would be well advised to ensure that their cybersecurity systems and controls are sufficiently robust. The FCA’s 'Dear CEO' letters to the investment management industry in January 2020 outlined that managing technological and cyber risks were a key focus. The FCA’s expectations in this area will likely require firms to increase their investment in cyber protections to provide a defence against harmful data breaches.
Cryptoassets have seen large fluctuations in price over the last few months, which has been partly attributable to institutional investors increasingly looking towards digital assets such as Bitcoin and Ethereum for investment returns.
Cryptoassets are particularly susceptible to money laundering risks. Cryptoasset firms have needed to be compliant with the Money Laundering Regulations since the beginning of last year and, from 10 January 2021, all UK cryptoasset firms have needed to be registered with the FCA.16 We anticipate that further regulation and enforcement with respect to crypto assets is inevitable, with HM Treasury launching a consultation and call for evidence in January 2021 on the UK regulatory approach to crypto assets.17 The FCA has been particularly forthcoming in relation to the risks of investing in cryptoassets and has issued the following warning: “If consumers invest in these types of product, they should be prepared to lose all their money.”
The FCA has also taken action where firms have had incorrect permissions for the activities they are carrying on (a breach of section 20 of FSMA –authorised persons acting without permission). On the other hand, the FCA recently announced in response to the Independent Investigation into its regulation of London Capital & Finance plc that it will “undertake a ‘use it or lose it’ exercise, with firms that have not used their regulatory permissions to earn any regulated income for the last 12 months at risk of having their Authorisation revoked, to reduce the risk of firms using a permission to carry out regulated activity purely to add credibility to their unregulated activities.”18
These recent events are reminders for firms to ensure they have the appropriate regulatory permissions and that they cancel any permissions that they no longer require.
What can firms do?
It is clear from FCA statements that the regulator is not substantially relaxing its expectations of firms because of the challenges of different working practices arising from the pandemic. Firms, and particularly asset managers and banks, must assess the adequacy of their systems and controls in the areas covered in this OnPoint and take risk mitigation steps to remedy weaknesses.
3) FCA Business Plan, 2020/21.
4) Following the end of the transition period, the EU Short Selling Regulation has been converted into UK law by the Short Selling (Amendment) (EU Exit) Regulations 2018. Related technical standards have also been converted into domestic law by the Technical Standards (Short Selling) EU Exit) Instrument 2019.
7) The FCA determined Commerzbank was in breach of Principle 3 (i.e. the requirement for a firm to take reasonable care to organise its affairs responsibly and effectively, with adequate risk management systems).
11) FCA Enforcement Annual Report, 2019-20.
14) FCA Business Plan, 2020/21.
18) https://www.fca.org.uk/publication/corporate/lcf-independent-investigation-response.pdf. Dechert’s London office supported the Independent Investigator in connection with the investigation into the FCA’s regulation of London Capital & Finance plc (https://www.dechert.com/knowledge/news/2021/2/dechert-supports-dame-elizabeth-gloster-in-her-independent-inves.html