We discuss the major compliance issues facing UK-based companies in 2021 from Brexit, Covid-19, vulnerable customers and whistleblowing to the SMCR.
Major UK compliance issues in 2021
- Vulnerable Customer Management
- Senior Managers and Certification Regime (SMCR)
Compliance Issue #1 - Covid-19
Where do we even start? Coronavirus has impacted every aspect of society, and in the process created a compliance cluster-bomb. For the first time ever you heard the BBC talking about 'levels of compliance'. Some areas of compliance have always been life or death, but in 2020 we could see this writ large because of Covid-19.
From a strategic angle, it highlighted the issue of compliance planning as well as implementation. Business continuity plans came under scrutiny, followed closely by compliance continuity planning. Don't feel bad if your plans wobbled, it was a once in a lifetime event and even the UK Government was found wanting.
One major impact was patterns of work. With huge numbers suddenly forced to work from home, compliance outside the office moved from an overlooked luxury to a necessity. As staff accessed systems remotely this increased every risk related to data. Then there are the health and safety issues of working at home, not forgetting mental health risks. Finally, the unseen risks relating to bullying and harassment.
For those unable to work at home, your choices became 'furlough' or socially-distanced offices. Both come with their own health and safety compliance issues. We could add a link to the guidelines, but I think we know they likely changed as you reading this.
The impact on certain industries has been severe. In many cases, furlough has delayed the inevitable. That means that 2021 could see mass redundancies, not helped by Brexit. If your organisation is forced to make individuals redundant, it is important to follow the guidelines or risk claims of unfair dismissal.
Not forgetting how impact has affected your customers. From ensuring publicly accessible locations are Covid-secure to ensuring that you understand how to deal with vulnerable customers (which we deal with under Compliance Issue #3).
Finally, the arrival of vaccines provides light at the end of the tunnel. But yet another compliance headache. The burden of maintaining sensitive data related to employee health takes on a new form. Initially organisations just need to know if people were ill, or exposed to an infected person. Now the question of whether employees can attend their place of work without proof of vaccination is just around the corner. It's one for the government to decide, but there has been a habit of devolving responsibility for such matters of late...
Compliance Issue #2 - Brexit
Now, with the exception of a few politicians, most people are fed up with hearing about Brexit, soft deals, hard deals and no deals. Indeed, a quick Google search shows that the word 'Backstop' has never been so well used in the history of the English language. However, unlike others, it's not possible for Compliance Officers simply to tune out of this saga.
Following the 'meaningful vote' things didn't get clearer. Now after a 12 month 'transitional period' companies are still in the dark. With Brexit just around the corner, the EU 'nothing is agreed until everything is agreed principle' is looming over the UK, which could lead to the dreaded 'no deal' scenario.
These multiplying outcomes for Brexit and the little time left leave us in the scary position of not knowing which regulatory/legislative regime we will find ourselves in a few weeks time, giving us very little time to react in compliance terms.
One has to wonder how much attention was being paid to such a regime when the focus of Parliament appeared to have been on in-house battles, leadership challenges and votes of no confidence!
However, until the Government is able to confirm what plans need to be in place for Brexit, the legislation has to wait, even though one would have hoped that all the necessary legislation was already in place and ready to go.
Even if there is an agreement, many regulatory matters considered 'low-risk' have been parked, the consequences of which will also remain unknown until these risks materialise. This leaves companies even more vulnerable to regulatory slips than at any other time in recent memory.
Compliance Issue #3 - Vulnerable Customer Management
Moving on from an issue that we in Compliance can do little about - i.e. Brexit - let's move to a compliance issue that we can and should do more to address: vulnerable customers.
The recognition about and urgency of providing better safeguards for such customers is growing in stature at a rate of knots. From an Occasional Paper issued by the FCA in February 2015, we have now seen the likes of the Gambling Commission fining firms such as SkyBet, Paddy Power, 888, William Hill, 32Red and the Rank Group for failings in this area.
Coupled with action taken by the FCA in February 2018 - utilising a Serious Crime Prevention Order against an illegal money lender who was targeting the vulnerable, which culminated in a three-and-a-half-year prison sentence for him - we can see that this is a topic to be taken very seriously.
Interestingly and quite importantly, vulnerable customer management is intrinsically linked to a number of other serious compliance topics: fraud, bribery, data protection and AML, for example. One only has to look at the final notices issued alongside the fines mentioned above to see how many times failings in know your customer (KYC) are cited.
Whenever failings in KYC are noted by a regulator, a firm's concern over the levels of compliance for their whole client book automatically rises, even if the firm was not the one to receive the fine or regulatory comment.
KYC remediation is clearly an issue that merits the utmost consideration. KYC skeletons in the closet are bound to come out, perhaps in the UK even more so than ever, with the creation of the National Economic Crime Centre (NECC) and Office for Professional Body AML Supervision (OPBAS) - now what is known by regulators has a very good chance of being known by all.
Inevitably, wherever there is AML regulatory enforcement, there is KYC remediation, and there has been no shortage of enforcement action on a global scale recently. Generally speaking, a regulatory fine against one firm should be taken by all other firms as an industry warning issued by the regulator, so, where action was taken against one firm that resulted in a call for KYC remediation, other firms should seriously consider whether this is something that they should prepare for too.
Outcome testing can be a very useful preventative measure in this regard. If used correctly and proactively, identifying failings for yourself in advance of the regulator, and, in some very proactive cases, even before the customer, can prove a very wise investment. After all, prevention is better than cure.
Compliance Issue #4 - SMCR
SMCR! You say - hold on, didn't we have that last year? Well, yes, and the year before and the year before that… this one seems to be caught in a time loop like some regulatory groundhog day.
Just when you think all the deadlines have come and gone, they move. Good news for those yet to sort out their SMCR roadmap!
The deadline for solo-regulated firms to undertake the first assessment of the fitness and propriety of their Certified Persons has been delayed from 9 December 2020 until 31 March 2021. Their benchmark administrators have until December 2021 to train non-Senior Manager staff in the Conduct Rules.
However, in fairness to the Financial Conduct Authority (FCA), it had its work cut out in trying to implement an accountability regime in its sprawling domain, which ranges from individual financial advisers to global financial behemoths.
The Senior Managers and Certification Regime was developed as a result of the 2008 financial crisis and the outcry from the public following their perception of the lack of accountability and punishment of those running and controlling banks and other financial sector firms, while, by way of a ripple effect, the public paid the economic price for the actions of these banking officials and the reckless manner in which they ran their businesses.
The SMCR replaced the Approved Persons Regime for banks, building societies, credit unions and dual-regulated (FCA- and PRA-regulated) investment firms in March 2016.
Simlarly, the Senior Insurance Managers Regime (SIMR) and Revised Approved Persons Regime for insurance firms were replaced by SMCR on 10 December 2018.
- Insurers and reinsurers
- The Society of Lloyd's
- Managing Agents
- UK branches of third-country firms and European Economic Area (EEA) firms
The Senior Managers and Certification Regime has replaced the Approved Persons Regime for almost every other FCA-regulated firm - from very small firms and those with limited permissions (including sole traders and limited-permission consumer credit firms) to many of the largest global firms from 9 December 2019.
There are 3 tiers under SMCR for this sector:
Core: firms in this tier will have to comply with the baseline requirements.
Enhanced: this will apply to a small number of firms whose size, complexity and potential impact on consumers or markets warrant more attention.
Limited: this will apply to firms that already have exemptions under the Approved Persons Regime. These firms will be exempt from some baseline requirements and will typically have fewer senior management functions.
While SMCR applies to all firms that are currently subject to the Approved Persons Regime, it is important for firms to establish which tier they belong to. To aid in this discovery, the FCA has published a Guide to SMCR for solo-regulated firms.
However, it is not just the UK. The growing and rapid changes within the finance sector have seen a notable trend in regulators from multiple jurisdictions focusing on the importance of a firm's culture and conduct, and the accountability of the individuals running these firms.
While the specifics of the regulations may have some jurisdictional nuances, since SMCR was introduced in the UK, we have seen similar regimes popping up in other countries, such as Australia and Hong Kong, with the aim being the same: to improve accountability by imposing stronger consequences for conduct that is not in line with the standards expected by the regulators, so that they can create a sounder financial market, improve consumer confidence and eradicate consumer detriment at the hands of those in charge of financial institutions.
While the UK has SMCR, Hong Kong has the Manager In Charge Regime (MICR) and Australia has the Banking Executive Accountability Regime (BEAR). As yet, Singapore has not implemented an official regime, but there is an emerging trend that puts greater emphasis on executive accountability, as well as conduct and culture.
The USA has also responded in a similar way. On 9 September 2015, Deputy Attorney General (DAG) Sally Quillian Yates issued a memorandum titled "Individual Accountability for Corporate Wrongdoing".
While the Yates memo was, in part, a response to criticism about the lack of individual prosecutions in the aftermath of the 2008 crisis, it applied to many industries, including those outside of financial services.
Although the US Department of Justice (DOJ) has long enforced a policy of holding individuals and corporations criminally and civilly liable for corporate misconduct, the "Yates Memo" announced the implementation of more aggressive enforcement policies for corporate and individual prosecution.
So the USA, UK and Asia all now appear to be singing from the same song sheet. How long before the rest of the world follow suit and introduce a SMR of sorts? Undoubtedly, it won't be long before those who are entrusted with running financial institutions and managing the public's money will be held personally accountable, no matter where they work in the world - at least, we should hope so!
Compliance Issue #5 - Whistleblowing
This leads on nicely from SMCR, because, in May 2018, the FCA and PRA brought a joint prosecution against the CEO of Barclays Bank, resulting from him failing to act with due skill, care and diligence with regard to the bank's whistleblowing procedures, following receipt of an anonymous whistle-blowing letter to the bank in June 2016.
- Individuals will be held accountable. With a personal fine of £642,430 (10% of the CEO's net relevant annual income), it is clear that the regulator will use its powers as and when it deems it necessary, and the fines being imposed for failing to discharge a senior management role effectively are significant.
- The CEO survived it. While it was found that the CEO had not acted with due skill, care and diligence, it was not found to be in breach of the requirement to act with integrity. Had he been in breach, it would most likely have led to his dismissal.
- Reputational damage was severe. Despite the fine being levied against an individual, when that individual is the CEO, the reputational damage caused by not only the fine but also the fact that it was made against the CEO also brings the firm into disrepute. A firm and its senior management should not underestimate the domino effect of reputational damage, and the dynamic manner in which it will travel around the world. Proven or not proven, innocent or guilty, bad news always makes good press, and the public at large will not necessarily distinguish between the actions of the CEO and those of the firm.
- The bank has not escaped unscathed. The UK regulator has imposed enhanced scrutiny and monitoring of the bank's whistle-blowing systems and controls, which includes annual reporting to the FCA and PRA, and the US regulator (the DFS) fined the bank $15million for the actions of its CEO.
- It could indicate a systemic risk. It would be wrong to tar the whole regulated sector with the same brush, but if an organisation as big and as well run as it should be can still have a CEO who can make such fundamental errors of judgement in relation to whistle blowing, it begs the question of how the rest of the regulated market fares?
- Whistleblowing needs to be acted upon. Whistleblowing is treated with such low levels of seriousness that regulated firms can make obvious errors in applying the controls that should surround it.
- Learn the lessons or face the fines. Perhaps a new raft of regulatory attention for all firms in relation to whistle blowing will come from this enforcement action - who knows? However, one thing is for sure: if every other person within SMCR does not learn from the mistakes of this CEO, the personal fines are only likely to get bigger.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news subscribe to Skillcast Compliance Bulletin.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!