Introduction

The maintenance of effective systems and controls is a core regulatory responsibility of firms authorised by the FSA. Principle 3 of the FSA’s Principles for Business requires that ‘a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’. Systems and controls failings have been a key theme of recent FSA enforcement action. In its Annual Report 2007/08 the FSA noted that, of the 125 enforcement actions open at 31 March 2007 (excluding non-threshold condition actions), 14 per cent involved systems and controls issues. Of the 186 open at 31 March 2008, 25 per cent involved systems and controls issues.

The role of senior management

Although the FSA has long emphasised the responsibility of firms’ senior management for the implementation and maintenance of effective systems and controls, there has not yet been a significant number of enforcement decisions against individuals for failings in this area. This is partly due to the evidential difficulty in showing that an individual is responsible for systemic failings within a firm and also due to the fact that enforcement cases against individuals tend to be more vigorously defended than those against firms.

However, in May 2008 the FSA fined Paul Briant (Land of Leather’s CEO) £14,000 for failing to take reasonable steps to ensure that Land of Leather had adequate systems and controls in place in relation to the sale of PPI. The FSA reached its decision notwithstanding the fact that Mr Briant had delegated responsibility for PPI sales to other managers.

The Land of Leather decision could well be the precedent for further enforcement decisions against individuals for systems and controls failings. Margaret Cole (the FSA’s head of enforcement) stated in a speech at the FSA’s enforcement conference on 18 June that the FSA has ‘made a strategic decision to investigate more individuals’, on the basis that enforcement action against individuals is a more effective and credible deterrent against regulatory breaches than action against firms. Ms Cole stated that the FSA was particularly interested in taking enforcement cases against individuals with Significant Influence Functions (SIF) in cases involving issues of competence (not just personal integrity), such as the systems and controls failings identified in Land of Leather.

Systems and controls issues within the insurance sector

In light of these comments, individuals with SIF authorisation need to take an active role in developing, implementing and monitoring compliance with their firms’ systems and controls. We have identified a number of areas where systems and controls issues could potentially arise in the insurance sector. These warrant particular scrutiny from senior management to ensure that adequate systems and controls are in place (and that they are themselves free from the risk of enforcement action).

Delegation of underwriting authority

These arrangements can involve significant regulatory and commercial risks for insurers and brokers. Insurers (and brokers sub-delegating authority) need to have systems in place to ensure that the scope of authority delegated is clear and appropriately documented, that authority is delegated only to third parties with appropriate expertise and that the manner in which delegated authority is exercised is appropriately monitored. One of the FSA’s first enforcement decisions in the insurance sector (against Goshawk Syndicate Management Limited in October 2005) arose from the firm’s failure to ensure that it had effective controls over binding authorities. Brokers must also maintain adequate systems and controls to ensure that they only issue policies or settle claims within the scope of their authority.

Use of appointed representatives (ARs)

Firms must ensure they have adequate contractual documentation governing their relationship with their ARs, and sufficient systems and controls to provide assurance that their ARs are complying with applicable regulatory rules. The FSA has recently commented that ‘it is essential that firms with ARs have good monitoring and controls to ensure their ARs are meeting FSA requirements’.

Client money

The FSA has expressed concerns that significant numbers of brokers do not have sufficient systems and controls in place to ensure they are complying with the FSA’s client money (CASS) rules. In May 2007, the FSA made clear that it would consider enforcement action against intermediaries that did not have ‘robust systems in place to protect clients’ money’.

Understanding underwriting risk

Insurers must maintain systems and controls to ensure that they understand the scope and nature of the risks they underwrite. The FSA has commented that ‘insurers must apply robust controls to their underwriting strategy’ and warned that it ‘will continue looking at how firms set their risk appetite and underwriting strategy, and the systems they have in place for monitoring their performance against their strategy’. These systems are particularly important in light of the transition from ICAS to the use of internal models generated by insurers to determine capital requirements under Solvency II, which will place insurers’ risk management systems and controls at the centre of the new insurers’ capital adequacy regime.

Systems and controls culture

However, perhaps the most significant systems and controls challenge facing senior management is to ensure that the policies and processes in place are consistently followed by employees. Achieving consistent compliance involves fostering a corporate culture in which compliance with systems and controls is firmly embedded within the firm and is regarded as an integral part of an employee’s responsibilities. Creating such a culture involves regular training, frequent internal monitoring and a system of rewards and penalties for employees that reflects the importance the firm attaches to compliance with its systems and controls. If senior management promote such a culture they will be well placed to meet any systems and controls challenges; those who do not promote it run a real risk of being held personally accountable by the FSA for any failures.

Systems and controls: a challenge for the FSA

Finally, systems and controls issues represent a challenge for the FSA as well as for firms. One of the principal benefits of principles-based regulation is that firms are given flexibility to develop their own approaches to achieve required regulatory outcomes. However, this will be significantly undermined if the FSA adopts an unduly formalistic approach to systems and controls, emphasising the need for senior managers to put in place complex processes and procedures without regard to how they improve firms’ ability to manage their commercial and regulatory risks.