Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

In addition to the regulatory requirements that apply to firms authorised by the Financial Conduct Authority (FCA), there is the Senior Managers and Certification Regime (SM&CR), which came into force in stages: in March 2016 for banks, in December 2018 for insurers and, for most other authorised firms, at the end of 2019. The SM&CR fully replaced the previous ‘approved persons’ regime for most businesses. It applies to individuals who perform senior management functions within authorised firms and consists of three parts: the senior managers regime (SMR); the certification regime; and the conduct rules.

The FCA may only grant an application for approval to perform a senior manager function if it considers that the individual is fit and proper to perform the relevant function. The application, which the firm submits to the regulator on behalf of the individual, must be accompanied by a statement of responsibilities setting out what the individual will be responsible for.

Individuals who perform senior manager functions (eg, the CEO, executive directors and the chair) are required to comply with certain standards of conduct set out in the rules. In particular, individuals must comply with the FCA’s Statements of Principle and the Conduct Rules, which set out high-level principles of behaviour, as well as specific rules that apply only to those performing senior manager functions.

The FCA may bring disciplinary action against individuals who fail to meet the standards of conduct expected of them. A central aspect of the SMR is the ‘duty of responsibility’ for individual senior managers, which requires them to take reasonable steps to prevent or stop a breach of the rules in their designated area. The certification regime covers individuals who are not senior managers but whose role could cause significant harm to the firm or its customers. Firms themselves, rather than the regulator, must certify (at least annually) that these individuals are fit and proper to undertake their role.

Increasing individual accountability continues to be a key priority for the FCA. The SM&CR is designed to improve culture, governance and accountability within financial services firms and to assist the FCA in holding senior management to account. In addition to the detailed rules relating to the conduct of senior managers, there are the Conduct Rules, which apply to most employees of relevant firms, including those performing unregulated roles. The Conduct Rules reflect the FCA’s core standards expected of employees of authorised firms.

As well as the risk and compliance management obligations owed by directors and senior managers of authorised firms, directors also have general duties that are set out in the Companies Act 2006, supplemented by common law. These duties apply to directors of all UK companies, including those outside of the financial services sector.

Directors of UK listed companies (including companies outside the financial services sector) are subject to additional obligations, for example in relation to corporate governance.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. The Financial Services and Markets Act 2000 (FSMA) contains a provision (section 138D) that gives private persons (broadly, individuals and other persons not acting in the course of business) a right of action for damages in respect of loss suffered as a result of a contravention by an authorised firm of a rule made by the FCA (or, in certain cases, the Prudential Regulation Authority).

There are also provisions in the FSMA that give a right of action for specific breaches, including misleading information in listing particulars and prospectuses (section 90).

The current regulatory environment has seen an increase in civil actions against financial institutions (particularly banks) for the mis-selling of investments and other financial products. As well as claims arising under section 138D of the FSMA, claims may be based on:

  • alleged breaches of contract relating to the bank’s advisory duty;
  • alleged breaches of the bank’s tortious duty of care; or
  • misrepresentation on the part of the bank.

Misrepresentation claims may be brought under the Misrepresentation Act 1967, for negligent misstatement (the bank’s duty not to misstate the position negligently) or, less commonly, for fraudulent misrepresentation.

Both businesses and individuals can bring private actions for breaches of competition law. Such claims may be brought on either a ‘follow-on’ basis, whereby the claimant relies on the infringement decision of a regulator to establish liability, or a ‘stand-alone’ basis, where the claimant has to prove that there has been an infringement of competition law. The level of damages claimed is usually significant, and the cases are typically complex and involve multiple claimants and defendants.

Since the Consumer Rights Act 2015 came into force in October 2015, businesses and consumers in all sectors have been able to bring collective actions in respect of breaches of competition law. This could make it easier for claimants to bring US-style class actions, in which claims are brought on behalf of a group or ‘class’ of claimants. One effect is that it enables claimants (or at least the representative bringing the claim on their behalf) to claim much higher sums, as they seek to recover losses from every member of the affected class. To bring such a claim, it is necessary to obtain a collective proceedings order (CPO) from the Competition Appeal Tribunal, which authorises one party to act as a representative of the whole class. At the time of writing, no CPO application has succeeded in having its class action certified by the Tribunal. However, there are a number of notable cases where CPO applications are outstanding. These include an action against MasterCard for damages arising from the European Commission’s 2007 decision that MasterCard’s multilateral interchange fees in the European Economic Area were in breach of EU competition law, as well as actions against various banks in relation to benchmark manipulation, such as foreign exchange and LIBOR. In the foreign exchange case, the Tribunal has been asked to decide between competing CPO applications.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes. The FCA has wide-ranging enforcement powers against firms for breaches of regulatory rules. Enforcement action for risk and compliance management deficiencies is likely to be based on Principle 3 of the FCA’s Principles for Businesses, which states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

The FCA may impose a variety of disciplinary sanctions on firms for regulatory failures. These include:

  • public censure;
  • a financial penalty;
  • suspensions or restrictions in relation to the firm’s permission to perform regulated activities; and
  • variation or cancellation of the firm’s permission.

In recent years, the FCA has expanded its use of non-pecuniary sanctions and has also made use of redress schemes as a way of compensating consumers who have suffered loss as a result of a firm’s misconduct.

In deciding whether to impose a public censure or a financial penalty, the FCA will take into account the circumstances of the case, including the nature, seriousness and impact of the breach and the previous disciplinary record of the firm.

The FCA has provided guidance on the approach it will follow to determine the level of a financial penalty. Among other things, the FCA will take into account any financial benefit derived directly from the breach and any adjustments that should be made in light of mitigating and aggravating factors. The FCA also has the power to increase the penalty if it considers that the figure is insufficient to achieve its objective of deterrence.

In recent years, the FCA has imposed substantial financial penalties against banks for benchmark manipulation and anti-money laundering controls failings.

In May 2015, the FCA imposed a financial penalty of £284,432,000 on Barclays Bank for systems and controls failures in connection with foreign exchange manipulation. In January 2017, the FCA imposed a financial penalty of £163,076,224 on Deutsche Bank AG for failing to maintain an adequate anti-money laundering control framework, and in April 2019 it imposed a fine of £102,163,200 on Standard Chartered Bank for breaches of the Money Laundering Regulations 2007.

In recent years, the FCA has increased its focus on firms’ cyber defences and on whether firms have put in place effective systems and controls to prevent and respond to cyberattacks. In October 2018, the FCA levied a substantial fine (£16.4 million) on Tesco Personal Finance Plc for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack that had occurred in November 2016. The FCA found that Tesco had breached Principle 2 of the FCA’s Principles for Businesses, which requires a firm to conduct its business with due skill, care and diligence. The case shows that a firm’s security controls are treated as part of its ordinary regulatory obligations, and that deficiencies in them can be sanctioned even where the immediate cause of loss was an external attacker.

Firms in all sectors can also face lengthy investigations by the Competition and Markets Authority (CMA) if they are suspected of failing to act in accordance with competition law. Financial services firms may also face competition law investigations by the FCA. These investigations can result in large fines.

Do undertakings face criminal liability for risk and compliance management deficiencies?

There are two key corporate criminal offences in respect of risk and compliance management deficiencies: the corporate offence of failure to prevent bribery under section 7 of the Bribery Act 2010, and the corporate offences of failing to prevent the criminal facilitation of UK and foreign tax evasion under sections 45 and 46 of the Criminal Finances Act 2017. In each case it is a defence for the company to show that it had adequate (or, for the tax offences, reasonable) prevention procedures in place.

Apart from these offences, a corporation will normally be liable for the criminal actions of an employee only if the individual is sufficiently senior to be the ‘directing mind and will’ of the company (the identification doctrine). This is a highly fact-specific question, the complexity of which increases with the size of the company and the structure of its management. A company can only be criminally liable on this basis if it can be shown that the directing mind (namely, the board or senior management of the organisation) was involved in the commission of the offence. Successful prosecutions of companies on this basis are challenging and consequently rare.

Deferred Prosecution Agreements (DPAs) are available to bodies corporate, partnerships and unincorporated associations facing criminal proceedings in the UK. There have been seven DPAs since their introduction in February 2014, the most recent being the record-breaking DPA with Airbus SE in January 2020 in relation to allegations that the company had used external consultants to bribe customers to buy its civilian and military aircraft.

There is no specific corporate criminal liability for competition law breaches.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Section 138D of the FSMA provides a right of action for damages for a private person who has suffered loss as a result of a contravention of an FCA rule. That right of action lies against the authorised firm rather than against individual senior managers, so civil claims against directors and senior managers personally are more usually founded on the general duties described above (the Companies Act 2006 duties, which are owed to the company) or on the ordinary law of contract and tort.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. The FCA may take disciplinary action against approved persons (including senior managers and certified staff) who act in a way that is inconsistent with the standards of conduct set out in the FCA rules.

The FCA’s disciplinary powers include financial penalties and issuing a public statement about the misconduct. The FCA may also suspend, restrict or withdraw the individual’s approval and impose a prohibition order preventing the individual from performing controlled functions.

Under the SM&CR, the government has introduced a new statutory ‘duty of responsibility’ for senior managers, which means that they are required to take reasonable steps to prevent a regulatory breach by the firm in their area of responsibility. To determine a senior manager’s area of responsibility, the regulator will consider the senior manager’s statement of responsibilities and the firm’s responsibilities map.

The FCA and the Prudential Regulation Authority can take disciplinary action against a senior manager for a breach of this statutory duty. Since the introduction of the SM&CR, there has been an increase in enforcement activity against individuals, and this is a trend that is likely to continue in the next few years. The FCA is committed to seeing a change in ‘corporate culture’ and to senior managers ‘setting the tone from the top’ in their organisations.

Directors, managers and other officers can face director disqualification orders for failing to comply with competition law. This applies to individuals in all sectors. The CMA has increasingly been applying this regime and streamlined its guidance on director disqualification orders in February 2019.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

There are certain criminal offences that could apply to directors and senior managers of financial institutions if the individuals were personally culpable. For example, under section 89 of the Financial Services Act 2012, it is an offence to make false or misleading statements with the intention of inducing (or being reckless as to whether it may induce) another person to enter into an agreement (eg, an agreement to sell or buy shares in a company).

For conduct occurring from March 2016 onwards, there is a criminal offence relating to decisions taken by senior managers of UK banks, building societies and major investment firms (section 36 of the Financial Services (Banking Reform) Act 2013). Senior managers may be criminally liable if they make a decision (or fail to take steps that could prevent a decision being taken) that causes a financial institution to fail. For the offence to be made out, the senior manager must have been aware, at the time the decision was taken, of the risk that the decision might result in the failure of the financial institution. The individual’s conduct must also fall ‘far below’ what could reasonably be expected of someone in their position. At the time of writing, the FCA has not brought any prosecutions for this offence; nevertheless, senior managers and financial institutions should be alert to it.

Directors and managers in all sectors can be prosecuted by the CMA for committing the cartel offence, namely agreeing with one or more other persons to make or implement, or cause to be made or implemented, arrangements whereby at least two undertakings will engage in one or more prohibited cartel activities (such as price-fixing, market-sharing or bid-rigging). For agreements entered into from 1 April 2014 onwards, there is no need to establish that the individual acted ‘dishonestly’.

Law stated date

Correct on: 19 February 2020