On March 19, 2014, the Financial Conduct Authority (FCA) published a Final Notice against the insurance broker Besso Limited (Besso), imposing a financial penalty of £315,000 due to the inadequacy of the company’s bribery and corruption controls during the period from January 2005 to August 2011.
The FCA’s director of enforcement and financial crime, Tracey McDermott, reiterated that:
“[f]irms must play their part in preserving the integrity of the UK financial system, including taking all steps necessary to prevent financial crime. Where we find firms failing to do so, we will take action.” 
This decision and recent FCA enforcement actions, such as the £1.8m fine levied against JLT Specialty and the £7.6m fine against Standard Bank, signal that the FCA is clearly making good on its promise to focus on financial crime systems and controls. Furthermore, pending guidance from the government or case law arising under the Bribery Act 2010, this decision provides some indication of what “adequate procedures” may look like for both regulators and prosecutors. Moreover, with the FCA undertaking a thematic review of smaller general insurance brokers’ anti-bribery and corruption systems and controls, all firms, irrespective of their size, should be aware of their obligations when it comes to regulatory compliance.
Overview of Findings and Failures
Besso is a medium-sized Lloyd’s general insurance broker, offering brokerage services across a wide range of industries and countries. As a wholesale broker, it was reliant upon the services of others, such as producing brokers, to bring business to it and with whom it would agree to split the commission, as well as other third party “introducers,” who would receive commissions for assisting with client introductions and market information.
Besso came to the FCA’s attention as a result of the FCA’s anti-bribery and corruption (ABC) thematic review, which began in January 2009. The FCA conducted an investigation and also required Besso to commission a Skilled Person to review its ABC system and controls. Besso cooperated fully with both the investigation and the appointment of the Skilled Person, and also engaged legal assistance in respect of its ABC system and controls. As part of its investigation, the FCA reviewed records of 74 third parties, which covered over 10,000 insureds, and did not find any improper payments to or through these third parties. Besso’s third party payments were found to be of a lower risk category, for example because the payments were not made to parties in countries associated with high risks of bribery and corruption. The FCA nonetheless faulted the adequacy of Besso’s controls as a preventive matter.
More specifically, in its Notice, the FCA noted that Besso:
- Had limited bribery and corruption policies and procedures in place between January 2005 and October 2009 (the policies and procedures that were in place were generic, with a primary focus on money laundering and fraud, as opposed to bribery and corruption). It introduced written bribery and corruption policies and procedures in November 2009, but these were not adequate in their content or implementation;
- Failed to conduct adequate risk assessments of third parties before entering into business relationships (in particular, Besso did not have a prescribed or clear methodology to assess who was a third party, or what risks may arise from the nature of the relationship, the level of commission paid, the country of the third party and/or the insured, and the industry in which the insured operated) and failed to implement revised systems adequately and consistently;
- Did not carry out adequate due diligence on third parties. In particular, Besso did not incorporate any checks to establish whether a third party was connected with the insured or any public officials, nor did Besso ensure that, once it had a risk assessment form in place, it was correctly completed by its employees;
- Failed to establish and record the business case for using third parties. Besso did not establish and record adequate commercial rationale to support payments to third parties and in many cases had no written agreements in place with the third party, in part due to a lack of formal training of Besso’s employees in relation to anti-bribery and corruption risks;
- Failed to review its relationships with third parties in sufficient detail and on a regular basis, to confirm that it was still appropriate to continue with the business relationship (Besso is said to have relied on its existing knowledge of third parties, without conducting timely independent inquiries);
- Did not adequately monitor its staff to ensure the recording of an adequate commercial rationale and the carrying out of sufficient due diligence each time it engaged a third party; and
- Failed to maintain adequate records of the anti-bribery and corruption measures taken on its third party account files.
The FCA Warnings
The Final Notice also outlines various “warnings” that were given to Besso and ignored, many of which are warnings given to others operating in the insurance industry:
- The FSA’s ‘Dear CEO’ letter of November 22, 2007
This letter was sent to all wholesale insurance broker firms with an expectation that firms would review their business practices to ensure that they were not involved in, or associated with, illicit payments. Besso only started to make significant changes to its policies and procedures two years later, in 2009.
- Prior financial penalties levied on insurance brokers
Referring to Aon Limited, fined £5.25m in 2009 for inadequate internal control systems regarding “introducers,” and Willis Limited, fined £6.895m in 2011 for failings regarding anti-bribery and corruption systems and controls.
- Thematic Reviews
Referring to the FSA’s review of “Anti-bribery and corruption in commercial insurance broking.”
- FCA visits
Two visits were made in December 2009 and March 2011. Despite these, the FCA noted that the remedial action undertaken by Besso was insufficient to remedy the shortcomings identified, and was critical of the speed at which the improvements were made. 
The Financial Penalty Levied
It is worth noting that although the financial penalty of £315,000 may appear small, this case was decided under the old Decision Procedure and Penalties (DEPP) regime. Had the penalty been assessed under the current regime, it would have been significantly higher. Furthermore, Besso’s co-operation, its engagement of solicitors and its agreement to settle at an early stage of the investigation meant that it qualified for a 30% discount (stage 1). Had this discount not been applied, it would have received a financial penalty of £450,000. Finally, the majority of the payments that were made to third parties had lower risks of bribery and corruption than those made in other cases involving FCA enforcement action.
Implications Going Forward
This decision and that of JLT Specialty clearly indicate that companies need to be proactive when it comes to regulatory compliance. Both companies were not only expected to follow the advice given to them by the FCA during site visits; they were also expected to be aware of, and implement guidance from, regulators’ publications, and to take notice of previous fines levied on similar companies.
Furthermore, in both of these cases, in contrast to Aon and Willis, no suspicious payments were identified during the FCA’s investigations. The mere fact that there was a lack of adequate systems and controls was held to be sufficient to impose financial penalties.
Most importantly for those operating in the regulated sector, these cases give a good overview of what “adequate procedures” is beginning to look like, and they highlight ever-increasing regulatory expectations. The need to keep compliance procedures and policies up-to-date and to have employees trained cannot be stressed enough. Third parties also merit significant attention as a central area of risk. However, these decisions also highlight the necessity of conducting proper risk assessments and due diligence, based on a clear methodology, even in low-risk areas. Without such baseline assessments and without monitoring that employees are completing them in sufficient detail (in other words, proof that you are actually implementing and complying with policies), no procedure will ever be adequate.