
October 15, 2024

Regulatory Enforcement and Control Frameworks – Prevention Is Better than Cure

At the recent AFME Compliance and Legal conference, one of the major themes was trends in regulatory enforcement. In this article, we will explore the change in the Financial Conduct Authority’s (FCA) enforcement approach to focus on earlier intervention and prevention and what this means for firms.

In a speech in 2021, Nikhil Rathi, the CEO of the FCA, signalled the beginning of a three-year strategy to make the FCA ‘a more innovative, adaptive, assertive and proactive regulator’. An important pillar of this strategy is the evolution of the FCA’s enforcement stance, with the emphasis on being more proactive and forward-looking, focused on identifying and addressing non-compliance before it escalates into more serious misconduct.

The most recent enforcement statistics demonstrate this new approach in action, most notably in the halving of the total value of financial penalties from £199.3m in 2022/23 to £42.4m in 2023/2024. In addition, the regulator has secured more ‘voluntary outcomes’ compared to the previous period, where firms agree to the FCA’s suggested remediation steps as a result of enforcement interventions at an earlier stage. This shift marks a departure from the FCA’s traditional reactive approach, which primarily focused on penalising non-compliance after it occurred. The new strategy aims to foster a culture of compliance within firms, encouraging them to take responsibility for their own conduct and compliance processes. Whilst challenging, it is vital for firms to proactively respond to this change by ensuring that they are fully in control and aware of their holistic regulatory risk exposure.

Adopting a data-driven approach to the management of risk and control frameworks can help to prioritise areas of weakness and ensure that they are aligned with the FCA’s preventative approach to enforcement.

Key Aspects of the FCA’s New Approach to Regulatory Enforcement

In her speech at the AFME conference, Therese Chambers, the FCA’s Joint Executive Director of Enforcement and Market Oversight, reiterated the central themes of her department’s new enforcement strategy:

  • A shift towards preventative measures, aimed at pre-empting non-compliance before it materialises into larger issues.
  • Prioritisation of early intervention and a more robust supervisory model, aiming to detect potential risks and mitigate them before they escalate into serious misconduct.
  • An emphasis on firm-specific supervisory actions. Rather than applying a one-size-fits-all approach, the FCA focuses on the unique characteristics, risks, and challenges of each individual firm. This allows for more tailored and effective regulation, ensuring that each firm is held accountable for its specific conduct and compliance processes.
  • Increasing use of data and technology to monitor the market and detect misconduct in real time.

Perhaps most importantly, Chambers stressed the need for firms to take responsibility for their own compliance, encouraging firms to foster this in their organisational culture. She said that firms should aim to identify and rectify non-compliance internally, and to maintain open lines of communication with the regulator. To deliver this, Chambers emphasised that:

“Controls must be robust: recognising and reflecting human behaviour patterns, constantly reviewed to keep pace with changing market conditions”

These insights from Chambers serve as a clear message to financial institutions about what the FCA expects from them in this new regulatory era.

Adopting a Data-Driven Response to Preventative Enforcement

Just as the FCA is focused on becoming more proactive and data-driven, regulated firms need to act similarly. The regulator’s shift to concentrate on prevention means that regulatory scrutiny is likely to be more intrusive and at an earlier stage in their investigatory processes, resulting in more ad hoc data requests and evidencing of compliance.

Managing all of this can be extremely challenging when many institutions are already balancing large transformation programmes, regulatory remediation projects and also looking to future regulatory changes to ensure they can meet compliance deadlines.

However, uplifting risk and control frameworks is a good place to start, using a combination of data and a risk-based lens to determine priority areas. From our perspective as the industry utility for non-financial risk management, we recommend two key activities that will go a long way to help provide assurance to regulators such as the FCA that you are in control.

Reading Regulators’ Signals

Regulators provide a wealth of information with respect to their work programmes, enforcement decisions and their views on the firms they supervise (e.g. Supervisory Review and Evaluation Process reports). A careful reading of enforcement notices over the last couple of years, for example, can help firms to understand the fundamental causes of compliance failures. As well as clear rule breaches, drilling down to the root causes nearly always reveals problems related to deficiencies in risk and control frameworks. Examples include not having the correct automated controls to prevent ‘fat finger’ trading errors, weaknesses in financial crime controls that allowed bags of cash to be deposited at a bank branch, and operational risk and conduct risk frameworks that have not been fully embedded and/or are not operating effectively.

Based on this data, firms should conduct reviews to identify the quality of the control frameworks in applicable areas to ensure they meet regulatory expectations and are operating effectively. A critical element of these reviews is the ability to evidence the robustness of controls by providing a clear view of automated vs manual controls and preventative vs detective controls.

For example, the PRA’s letters to banks in December 2020 regarding trading controls gave a strong indication of the supervisor’s preference for automated and preventative controls. From this, firms can infer they must be able to identify and justify why their frameworks may diverge from this expectation and how they compare to their peers.

Evidencing Regulatory Alignment

Typically, firms have linked policies, risks and controls together using a combination of spreadsheets and Governance, Risk & Control tools, requiring a high degree of manual intervention. Increasing pressure for regulated firms to demonstrate the traceability of their regulatory obligations directly to their control frameworks is being driven by several factors.

Regulatory authorities, especially those in the US, are demanding evidence of direct linkages between regulatory rules and controls – either as part of their investigatory process or day-to-day supervision and compliance monitoring.

Summary

The UK’s regulatory enforcement landscape is shifting towards proactive intervention, with regulators focusing on early detection of risks and tailored supervisory actions. This heightened scrutiny requires firms to strengthen their risk and control frameworks to ensure compliance and prevent common failings that could trigger widespread regulatory actions.

To stay ahead, firms need to demonstrate greater transparency in linking regulatory rules to control frameworks and provide evidence of their control effectiveness. With increasing regulatory expectations, institutions must adopt more pre-emptive measures to maintain the integrity of their operations.

Acin’s solution addresses these challenges by providing full traceability from regulatory obligations to risks and controls. By leveraging a common industry standard and AI-driven insights, Acin significantly reduces the costs and manual effort of regulatory mapping while ensuring comprehensive compliance. Our platform offers banks the tools to align regulatory changes with internal control frameworks, delivering data-driven assurance and enabling them to respond swiftly to regulatory demands.

In this evolving landscape, Acin equips firms to stay compliant, mitigate risks effectively, and demonstrate to regulators that they are in full control.
