It is a cardinal principle of modern public life that, where something has gone wrong in an organisation, one or more senior individuals must be responsible and must be seen to be punished.
After the failure of banks such as HBOS, Royal Bank of Scotland and Northern Rock during the financial crisis, the Financial Services Authority was widely condemned for its failure to take enforcement action against more of the senior executives involved in the decisions that led to the banks' failure. The FSA's 2011 report on the failure of RBS identified errors of judgement and execution by RBS's management but explained that, in the FSA's view, the regulatory regime did not enable action to be taken against the RBS executives.
The FCA has emphasised the importance it attaches to taking enforcement action against senior managers where failures have occurred. The FCA believes such action helps ensure that senior managers put in place robust systems and controls to ensure regulatory compliance and foster corporate cultures which reflect regulatory priorities. Despite this rhetoric, there have been few successful enforcement cases against senior managers at large firms. However, the political pressure to bring such cases and forthcoming changes to the regime for senior managers mean that more enforcement action of this kind may be taken in the future. Furthermore, the threat of such action may itself have significant consequences for the manner in which senior managers run their businesses.
This article outlines (a) the current bases of liability for senior managers, (b) the new liability regime for senior managers at banks due to come into force in 2015, and (c) practical implications for firms.
Bases of liability
The current position
An approved person can currently be subject to enforcement action by the regulators where he has:
- breached an applicable principle in APER;
- been knowingly concerned in a breach of a regulatory requirement by a firm; or
- ceased to be fit and proper to conduct business in the financial services sector.
The penalties that can be imposed on these bases include public censure, fines and (in the case of the most serious misconduct and in cases where an individual has ceased to be fit and proper) the cancellation of the individual's approval and prohibition from working in the financial services sector in the future.
This liability regime allows liability to be imposed on SIFs (approved persons holding significant influence functions) both (a) where a SIF holder has personally been involved in a breach of regulatory requirements and (b) where there has been such a breach in operations for which the SIF holder is responsible and the regulator can prove the individual failed to comply with his obligations under APER with respect to those operations.
An example of liability on the former basis is the FSA's public censure in March 2013 of Tidjane Thiam, chief executive of Prudential, for being knowingly concerned in the insurer's failure to inform the UKLA of a proposed corporate acquisition in sufficient time. A censure was imposed although Thiam had taken professional advice on the insurer's disclosure obligations.
An example of liability on the latter basis is the FSA's attempt to impose liability on John Pottage, the CEO of the wealth management division of UBS, for alleged breach of APER Principle 7. The FSA complained that the root and branch review of systems and controls he ultimately instituted after taking up his position should have been commenced sooner given various 'warning signals' that such a review was required. Pottage referred the FSA's decision to the tribunal. The tribunal determined that he had taken the reasonable steps to be expected of a person in his position. In considering what was reasonable, the tribunal held Pottage was entitled to rely on the confirmations and advice provided to him by risk management and compliance specialists given that he had taken reasonable steps to probe and verify the confirmations and advice.
The Pottage and Thiam decisions indicate the difficulty of determining whether a given set of factual circumstances will give rise to personal liability for a SIF; the FSA found Thiam liable although he took professional advice, while the tribunal found that Pottage was not liable because it was reasonable for him to rely on assurances and confirmations given by specialist staff.
Changes to the SIF Regime for the banking sector
Although it is difficult to determine precisely when a SIF can be held personally responsible for failings under the current regime, it is accepted by the regulators that liability arises only where some element of personal culpability can be demonstrated. This can make it difficult to take action against senior managers where there has been a breach, particularly in large financial institutions with complex reporting lines which make it difficult to demonstrate which senior individual is responsible for regulatory compliance in a particular business area.
The Financial Services (Banking Reform) Act 2013, expected to come into force in 2015, replaces the SIF regime with a new 'senior managers' regime for banks. Broadly speaking this regime will apply to deposit-takers and dual-regulated investment firms (which are referred to generically as 'banks' below). Some aspects of how the regime will operate are presently unclear, as the detail will be set out in rules issued by the regulators, which will be consulted on later this summer.
From an enforcement perspective, however, there are four key features to the new regime:
- It will require senior managers at banks to submit a 'statement of responsibilities' with their application for approval to the regulators. This must set out the aspects of the bank's affairs for which the senior manager will be responsible. The regulators are likely to insist that statements of responsibilities are drafted so that when there is a breach of regulatory requirements in a bank, the senior individuals responsible for the affected operations can be clearly identified.
The FCA is already seeking to achieve the same result by requiring senior individuals at firms to give personal attestations of compliance (despite there being no clear basis for requiring such attestations under the current regime).
- The new regime will replace APER and its code with a more targeted set of conduct rules. These rules may be cast in such a way as to make it easier for the regulators to establish breaches by setting high standards.
- The new regime will allow liability to be imposed on a senior manager not only where the regulators can demonstrate he was personally at fault (for breaching the new conduct rules applicable, being knowingly concerned in a breach by the firm or ceasing to be 'fit and proper'), but also on the basis of a reversed burden of proof. This will arise where there has been a breach of regulatory requirements in an area of the business for which a senior manager is responsible (pursuant to the statements of responsibilities). In these circumstances the relevant senior person is liable to disciplinary action unless he can show that he took such steps as a person in his position could reasonably be expected to take to prevent the breach.
- Under the new regime the limitation period for bringing disciplinary action against all individuals will be extended from three to six years. This will make it easier for the regulators to bring an enforcement case against a firm and then, having first established a regulatory contravention by the firm, commence enforcement action against the relevant senior manager on the basis of a reversed burden of proof.
Collectively these features will make it easier for the regulators to take enforcement action against senior managers at banks. Even if this does not lead to more enforcement actions against individuals, the new regime will cause senior management at banks to worry more about their personal exposure if things go wrong.
If the new regime is successful in achieving its objectives, it may well be extended to the wider financial services industry.
Practical implications for firms
The potential for senior managers to be subject to enforcement action has a number of important practical implications for firms. First, there are implications for the way in which senior managers perform their function before any dispute with the regulators begins:
- It is important that governance arrangements ensure that senior managers receive the right information about the businesses for which they are responsible and properly probe and use that information to make decisions.
- The operation of governance arrangements will need to be properly recorded (given the reversed burden of proof under the new senior managers regime for banks in particular). Where a senior manager needs to argue they took reasonable steps to secure regulatory compliance they will generally be in a stronger position where there is documentary evidence to demonstrate the steps they have taken.
- There is a significant risk for firms of senior managers protecting their personal position by taking the lowest risk approach to issues, even when other approaches may be reasonable and would be in the interests of the firm's shareholders. There is no easy way to mitigate this risk. The Thiam decision demonstrates that the regulators will not necessarily accept the taking of professional advice as a defence. However, ensuring that difficult decisions are taken collectively in a forum which allows proper debate and testing of different approaches, with a sensible record being kept of the factors taken into account in reaching decisions, is likely to be an important part of risk mitigation.
Second, there are implications when it becomes apparent that there may be a dispute between a firm and the regulators:
- In these circumstances, the potential for enforcement action against senior individuals may give rise to a conflict of interest, even at the very outset of a discussion about an issue. For example, if the FCA indicates it is unhappy about the way a product has been sold, but says it will take no action if generous compensation is paid to relevant customers, the senior manager's personal interest may well be in satisfying the regulator in order to avoid the risk of personal enforcement action. The firm's interest, however, may be in resisting the regulator's demands. Such conflict may have a bearing on the extent to which the senior individual should be allowed to determine the firm's response to regulatory demands. Once a formal enforcement process is underway, a firm's interests are often served by early settlement with the regulator, but acceptance of a settlement may (under the new senior managers regime) switch the burden of proof against the senior person responsible for the affected business, so the senior manager may prefer that the firm resist if there is a prospect that charges may not withstand scrutiny in the formal enforcement process.
- The firm will need to keep under review whether the potential for action against an individual means that that individual requires their own legal representation. D&O insurance policies may cover the costs of an individual's legal representation. Separate representation may make it more difficult to involve the individual in the defence of the firm.