REGULATOR ACTIONS AND THE LESSONS EMERGING
29 June 2020, 14:30:00
Regulatory action is on the rise, and this across all sectors. High quality governance and risk management are without question the key elements to mitigating the potential for regulatory failure and these need to be the priority of all boards.
Regulators are taking increasing levels of action against licensed firms.
They are also taking to publishing their findings and reasoning in more and more detail.
It doesn't really matter which industry you are in:
Education and immigration
The result is the same, more visits, more remediation, more enforcement.
Is this because more firms are breaching requirements, or is it simply that regulators are choosing to take more action?
In my series looking at this, and what we can learn, here is my take on the direction of travel in Guernsey's financial services, however the learning points are equally relevant across industries.
The Guernsey Financial Services Commission (GFSC) has issued a number of Public Statements on organisations over the last three years and there are more to come following recent announcements.
Standard Chartered Trust (Guernsey) Limited - not yet published
Global Insurance Group Limited - not yet published
Criteria Wealth Management Limited
Louvre Fund Services Limited (2019)
Certes Capital Limited
Louvre Trust (Guernsey) Limited
Vida Financial Services Limited
Richmond Fiduciary Group Limited
Blenheim Fiduciary Group Limited
Capital Solutions Limited et al
Marlborough Trust Company Limited et al
Louvre Fund Services Limited (2016)
Bordeaux Services (Guernsey) Limited
Guernsey Insurance Brokers Limited
Provident Trustees (Guernsey) Limited
We can learn a huge amount from reflecting on these statements as a collective.
Observing the trends that emerge and any direction that the GFSC might be moving in its approach to regulation and enforcement.
Here, I reflect on these cases, drawing out the themes and putting forward some key learning points and possible actions that could be considered by any regulated entity.
There are a number of different types of visit and in my review, these are the types mapped against those that have then reached enforcement. Of course, some entities were visited more that once with different types of visit before action was taken, and these have been factored in.
Ratio of enforcement vs visit
Financial Crime 6
Thematic Review 5
External Events 6
What's interesting here, is the actually surprising number arising from Supervisory visits. In my conversations with organisations, there has been a view that enforcement has been preceded largely by a financial crime visit and this should, therefore, be taken more 'seriously' than those from the 'friendly' supervisory team. The data suggests otherwise.
Key themes arising from these Statements:
Conducting unlicensed business
This ranges from not identifying NRFSBs to the conduct of unlicensed investment and fiduciary activities.
Insufficient procedures and controls
Principally targeted on absence in the AML/CFT arena, however sometimes this extends into conduct matters such as customer management and suitability assessment.
Evidence of failure of procedures and controls
This is almost exclusively in the AML/CFT area, and I suggest this is because it is easier to identify and 'pin down' than other failures.
Failure to carry out sufficient due diligence
Specifically in the AML/CFT space because it clearly relates to the requirements to identify and then verify the identity of your customers, however expect this to extend into the source of funds and wealth space in the very near future.
Director incompetence, specifically in the oversight of compliance
Whilst I have not included a specific review here of the action taken against Directors and Officers, I have brought this in as it's a theme arising from the organisational Statements in their own right.
Here there is a clear connection between regulatory failure and the oversight of the board. Most notably, this occurs around internal compliance, however expect future sanctions to include oversight of third-party outsourced compliance.
Failure to keep adequate records
This focuses most often in relation to aspects of financial crime compliance, however does extend into corporate governance aspects such as minute taking, company records and other aspects such as outcomes from compliance monitoring programmes.
Failure in conduct towards customers
These cases tend to arise from action following an external event, such as involvement of another regulator or customer complaints, however there are also cases related to internal failures, such as controls around fee pricing and charging.
Whilst the areas of concern may look fairly obvious, what's interesting to me is the diverse nature of these failings. This indicates to me that financial services businesses are not struggling with one particular aspect of their compliance with regulation, but many.
This aligns with my view that compliance is not a function in itself, but a product of two key elements:
When I say governance here, I don't mean corporate governance. This is a rather limited and possibly in my view rather ineffective expression of governance. Here I am talking about overall governance of an organisation, comprised of the three overarching aspects of:
This 'governance' needs to be embedded throughout an organisation, not just an action from senior executives. It is 'hard' to implement and get right. It requires persistence, consistency and resilience from the board and senior management and needs to involve the entire spectrum of employees and other stakeholders.
Risk management here is specifically focused at regulatory risk management, but can equally be applied in other domains.
It needs to be robust, clear in its approach and involve all stakeholders. This cannot be a 'function' purely 'left to compliance'. The ownership of this needs to be spread across and throughout the organisation, with each domain and each person understanding the risks 'they own'.
1. The regulatory action being undertaken by the GFSC is increasing and there seem no abatement on this. Certainly the message coming out from the regulator itself is that it will get tougher on regulated businesses that continue to demonstrate 'poor compliance'.
2. The origins of action do not exclusively come from failures in financial crime compliance, but from a wide variety of areas within a business. Directors need to ensure that they do not become too focused on financial crime compliance at the expense of other areas.
3. The regulator is clear that ownership of failure sits with the board and officers. Expect more scrutiny and higher fines and numbers of sanctions against individuals in the coming 18-months.
4. Oversight of compliance internally is important, but the regulator is also keen to ensure that this extends to third-party provision of compliance services. Expect action against those that fail to have sufficient oversight and challenge of these services.
5. Compliance is not a thing that is done by anyone or any function. Compliance is an outcome. Compliance is a product. A product of doing two things really well,
Governance and risk management.
Think hard about this.
It needs to be in your strategy.
It needs to be top of your board's agenda.
You need to understand this.