Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

In addition to the regulatory requirements that apply to FCA authorised firms, there is a regime that applies to individuals who perform certain activities within authorised firms (known as ‘approved persons’). These activities are referred to as ‘controlled functions’ and examples include being a director of an authorised firm and overseeing the firm’s systems and controls.

The FCA may only grant an application for approval to perform a controlled function if it considers that the individual is fit and proper to perform the relevant function.

Individuals who perform controlled functions are required to comply with certain standards of conduct set out in the FCA’s rules. In particular, individuals must comply with the FCA’s Statements of Principle and Codes of Practice for Approved Persons (APER), which set out high-level principles of behaviour, as well as specific rules for particular types of controlled function.

The FCA may bring disciplinary action against individuals who fail to meet the standards of conduct expected of them (see question 15).

Increasing individual accountability is a key priority for the FCA. In March 2016, the FCA introduced the ‘Senior Managers and Certification Regime’ (SM&CR), which is designed to assist the FCA in holding senior management to account. Among other things, the regime requires firms to set out detailed statements of responsibility, identifying which individuals within the firm have responsibility for specific issues. There are also detailed rules relating to the conduct of ‘senior managers’ as well as new Conduct Rules that apply to most employees of relevant firms, including those performing unregulated roles. The Conduct Rules reflect the FCA’s core standards expected of employees of authorised firms.

The regime currently applies only to deposit-taking institutions and certain insurance firms. However, in 2018 the regime will be extended to cover almost all FCA authorised firms (and will replace the Approved Persons Regime described above). It is currently intended that the rules will apply to insurers in late 2018 and solo-regulated firms in mid-to-late 2019. The FCA has confirmed that it will publish its rules and approach to the transition in a statement in summer 2018.

As well as the risk and compliance management obligations owed by directors and senior managers of authorised firms, directors also have general duties that are set out in the Companies Act 2006, supplemented by common law. These duties apply to directors of companies outside the financial services sector.

Directors of UK listed companies (including companies outside of the financial services sector) are subject to additional obligations, for example in relation to corporate governance. These are outside the scope of this chapter.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. FSMA contains a provision (section 138D FSMA) that allows private persons a right of action for damages in respect of loss suffered as a result of a breach of FSMA.

There are also provisions in FSMA that give a right of action for specific breaches, including misleading information in listing particulars and prospectuses (section 90 FSMA).

The current regulatory environment has seen an increase in civil actions against financial institutions (particularly banks) for the mis-selling of investments and other financial products. As well as claims arising under section 138D FSMA, claims may be based on:

  • alleged breaches of contract relating to the bank’s advisory duty;
  • alleged breaches of the bank’s tortious duty of care; or
  • misrepresentation on the part of the bank.

Misrepresentation claims may arise under the Misrepresentation Act 1967, the bank’s duty not to misstate the position negligently or (less commonly) fraudulent misrepresentation.

The Consumer Rights Act 2015 came into force in October 2015 and allows businesses and consumers in all sectors to bring class actions in respect of breaches of competition law. This could make it easier for claimants to bring US-style class actions (for example, in relation to benchmark manipulations such as foreign exchange and LIBOR).

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes. The FCA has wide-ranging enforcement powers against firms for breaches of regulatory rules. Enforcement action for risk and compliance management deficiencies is likely to be based on Principle 3 of the FCA’s Principles for Businesses, which states that the firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

The FCA may impose a variety of disciplinary sanctions on firms for regulatory failures. These include:

  • public censure;
  • a financial penalty;
  • suspensions or restrictions in relation to the firm’s permission to perform regulated activities; and
  • variation or cancellation of the firm’s permission.

In deciding whether to impose a public censure or a financial penalty, the FCA will take into account the circumstances of the case, including the nature, seriousness and impact of the breach and the previous disciplinary record of the firm.

The FCA has provided guidance on the approach it will follow to determine the level of a financial penalty. Among other things, the FCA will take into account any financial benefit derived directly from the breach and any adjustments that should be made in light of mitigating and aggravating factors. The FCA also has the power to increase the penalty if it considers that the figure is insufficient to achieve its objective of deterrence.

In recent years, the FCA has imposed substantial financial penalties against banks for benchmark manipulation and anti-money laundering (AML) controls failings. In May 2015, the FCA imposed a financial penalty of £284,432,000 on Barclays Bank for systems and controls failures in connection with foreign exchange manipulation. At the time of writing, this is the largest financial penalty ever imposed by the FCA. In January 2017, the FCA imposed a financial penalty of £163,076,224 on Deutsche Bank AG for failing to maintain an adequate AML control framework (see question 18). At the time of writing, this is the largest financial penalty for AML controls failings ever imposed by the FCA.

Firms in all sectors can also face lengthy investigations by the CMA when they are suspected of failing to act in accordance with competition law. Financial services firms may also face competition law investigations by the FCA. These investigations can result in large-scale fines.

Do undertakings face criminal liability for risk and compliance management deficiencies?

The UK government is currently consulting on the creation of new offences to make corporations liable for certain criminal activities.

For serious offences that do not impose strict liability, a corporation will only normally be liable for the criminal actions of an employee if the individual is sufficiently senior to be the ‘directing mind and will’ of the company (the identification doctrine). This is a highly fact-specific question, the complexity of which increases with the size of the company and the structure of its management. A company can only be criminally liable if it can be shown that the directing mind, namely, the board or senior management of the organisation, was involved in the commission of the offence. Successful prosecutions of companies on this basis are challenging and consequently rare.

In January 2017, the UK government published a Call for Evidence seeking views on the extension of the failure to prevent offence under the Bribery Act 2010 (see question 9), as well as four alternative options. If a new corporate failure to prevent offence proves to be the best option for reform, the government’s starting position is that the offence should initially apply to the most serious economic crime offences, which may include:

  • conspiracy to defraud;
  • fraud;
  • false accounting; and
  • money laundering.

If implemented, the offence will apply to corporations in all sectors.

In January 2017, the UK government also published a Call for Evidence on the alternatives to the identification doctrine for corporate criminal liability. At the time of writing, the government is analysing the feedback.

Deferred Prosecution Agreements (DPAs) are available to bodies corporate, partnerships and unincorporated associations facing criminal proceedings in the UK. In question 18, we discuss the £500 million DPA that Rolls-Royce recently agreed with the SFO.

There is no specific corporate criminal liability for competition law breaches.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

As explained in question 11, section 138D FSMA provides a right of action for damages for a person who has suffered a loss as a result of a breach of an FCA rule. See also question 15.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. The FCA may take disciplinary action against approved persons who act in a way that is inconsistent with the standards of conduct set out in the FCA rules.

The FCA’s disciplinary powers include financial penalties and issuing a public statement about the misconduct. The FCA may also suspend, restrict or withdraw the individual’s approval and impose a prohibition order preventing the individual from performing controlled functions.

Under the SM&CR, the government has introduced a new statutory ‘duty of responsibility’ for senior managers, which means that they are required to take reasonable steps to prevent a regulatory breach by the firm in their area of responsibility. The FCA and the PRA can take disciplinary action against a senior manager for a breach of this statutory duty.

Directors, managers and other officers can face director disqualification orders for failing to comply with competition law. This applies to individuals in all sectors.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

There are certain criminal offences that could apply to directors and senior managers of financial institutions if the individuals were personally culpable. For example, under section 89 of the Financial Services Act 2012, it is an offence to make false or misleading statements or create false or misleading impressions with the intention of inducing (or being reckless as to whether it may induce) another person to enter into an agreement (eg, an agreement to sell or buy shares in a company).

For conduct occurring post-March 2016, there is a new criminal offence relating to decisions taken by senior managers of banks, building societies and major investment firms (section 36 of the Financial Services (Banking Reform) Act 2013). Senior managers may be criminally liable if they make a decision (or fail to take steps that could prevent a decision being taken) that causes a financial institution to fail. In order for the offence to be made out, the senior manager must have been aware (at the time the decision was taken) of the risk that the decision might cause the financial institution to fail. The individual’s conduct must also fall ‘far below’ what could reasonably be expected of someone in their position. At the time of writing, the FCA has not brought any prosecutions for this offence.

Directors and managers in all sectors can be prosecuted by the CMA for committing a cartel offence, namely, agreeing with one or more other persons to make or implement, or cause to be made or implemented, arrangements whereby at least two undertakings will engage in one or more prohibited cartel activities. For such agreements entered into from 1 April 2014 onwards there is no need to establish that the individual acted ‘dishonestly’.