Expect a bolder enforcement approach from the UK financial regulator
Since taking the helm of the UK’s Financial Conduct Authority (FCA) in October 2020, its new Chief Executive, Nikhil Rathi, has been crystal clear about his vision for the regulator. He has promised ‘an FCA that looks and feels even more different. One that operates differently, partners differently, and communicates differently’. He has stressed that the FCA must continue to become ‘a forward-looking, proactive regulator’; one that is ‘tough, assertive, confident, decisive, agile’.
But, what does this really mean for the FCA’s approach to enforcement? In its Business Plan 2021/22 and in various pronouncements (see, for example, Rathi’s September 2021 speech, Seizing opportunity – challenges and priorities for the FCA) the FCA has indicated how it is seeking to ring the changes.
According to Rathi, the regulator will have ‘a bolder risk appetite in dealing with serious misconduct’ and the FCA recognizes (in its Business Plan) that it needs to be ‘taking greater risks when making decisions’. This includes using its criminal powers in the most serious cases involving financial crime or money laundering. In March 2021, the FCA brought its first criminal prosecution under the Money Laundering Regulations. It is clear that firms should expect to see more criminal action by the FCA in the financial crime space, certainly in the case of particularly egregious failings – or action taken on a ‘dual track’ basis (that is, with the FCA using both its criminal and civil powers).
Rathi has also said: ‘We will litigate more if we need to, recognizing we won’t win every aspect of every case but also appreciating that legal certainty can provide considerable benefits for industry as well’. The coronavirus business insurance test case, where the FCA brought court proceedings in the English Courts in order to determine issues of principle on policy coverage and causation under sample business interruption wordings, is clearly viewed by the FCA as a success. The case was the first to have been brought within the Financial Markets Test Case Scheme in the Financial List – a specific judicial process for the resolution of financial markets issues in relation to which immediately relevant authoritative English law guidance is needed. Firms should expect to see the FCA make more use of the English Courts, including further use of the Scheme, where legal clarity is needed and to assist the regulator in its objective of protecting consumers.
Even though its ‘regulatory perimeter’ determines what the FCA does, and does not, regulate, the FCA has stressed that it will nevertheless seek to be proactive at the boundaries of the perimeter ‘by speaking up and alerting [its] partners when [it] discovers risks and issues in markets’. It has made clear that it may use its Senior Managers & Certification Regime against individuals for unregulated activities. The FCA also points to the increasing blurred line between the wholesale and retail markets, saying that, 'while there are differences between [them], they cannot be entirely separated'. There has been an increase in the use and trading of wholesale products/instruments by retail consumers as a result of what the FCA refers to as ‘the “gamification” of finance in our increasingly digital lives’, but such consumers do not necessarily understand the risks and potential for losses. It makes the point that ‘an appropriate degree of consumer protection partly relies on firms in wholesale markets meeting the components of market integrity, orderly operation, resilience, transparency and proper financial crime and market abuse controls.’
In the vein of consumer protection, in December 2021 the FCA published new rules and guidance in relation to its new Consumer Duty – with the aim that they will come into force by the end of July 2022 (see FCA consulation paper CP 21/36.) The Duty comprises an overarching Consumer Principle, requiring firms to 'act to deliver good outcomes for retail clients.' developed and clarified by a set of ‘cross-cutting’ Rules. It is imperative that UK firms, and their senior managers, are clear on what they need to do in order to comply with the new Duty, so that they are prepared for increased scrutiny of their compliance by the regulator. The FCA has expressly said that it will use its full range of powers to tackle any breach of the Consumer Duty. This could include issuing fines against firms and securing redress for consumers who have suffered harm as a result of a breach. Notably, however, the FCA decided against introducing a private right of action in relation to the Duty, which will come as welcome relief for regulated firms who may have been anticipating a new wave of consumer claims through the Courts.
Note, too, the FCA’s continued hard line against non-financial misconduct. The recent prohibition of an independent financial adviser from working in financial services is another in a growing number of cases in this area. The individual was convicted of a serious criminal offence that was unrelated to his regulated activity and was not connected to financial dishonesty but, nonetheless, based on the fact of his conviction, and his failure to be open and transparent with the FCA, it was held that he lacked the necessary integrity to work in financial services. The case, which was referred to the Upper Tribunal, is the first time that the Tribunal has had to consider such a prohibition.
In terms of practical advancements, the FCA has said it is committed to better use of data and AI. It is investing more than £120 million over three years to deliver its data strategy, which has as its objective the smarter use of data and advanced analytics in the way the FCA regulates and supervises firms. In terms of assisting with enforcement, the FCA has said that it will ‘automate more of [its] data collection, better analyse data across systems and act earlier to prevent or stop misconduct and strengthen [its] holistic firm assessments’, and that it will ‘use advanced analytical techniques to proactively identify and prioritize firms or harms for investigation’.
U.S. enforcement surge may increase scrutiny of financial institutions and FinTechs
Multiple U.S. Department of Justice officials have recently announced that the Department has started to redouble its commitment to corporate enforcement. This includes embedding a new squad of FBI agents within the DOJ’s Criminal Fraud Section. DOJ officials have also identified a focus on export and sanctions controls cases as well as on crimes involving cryptocurrency, both of which could put financial institutions and FinTech companies in the cross-hairs and/or increase their compliance burden.
In an October speech at a GIR Connect conference in New York, DOJ’s Principal Associate Deputy Attorney General, John Carlin, emphasized the ‘critical’ nature of sanctions enforcement and explained that industries should expect a recent uptick of sanctions and export control investigations to continue. He explained that cases involving cryptocurrency is another area ‘ripe for innovation and vigorous enforcement.’ His remarks reflect a wider effort of the Biden Administration to deter crimes that utilize cryptocurrency including ransomware attacks, money laundering, fraud and terrorist financing.
The Biden Administration’s focus on cryptocurrency has also led to the launch of the National Cryptocurrency Enforcement Team (NCET), which will include members of DOJ's Money Laundering and Asset Recovery Protection Section, Computer Crime and Intellectual Property Section, as well as Assistant U.S. Attorneys from offices across the country who will conduct investigations and prosecutions involving criminal misuse of cryptocurrency, and assist in the tracing and recovery of assets lost to these crimes. Concurrently, regulators at the Securities and Exchange Commission (SEC) and at the Commodity Futures Trading Commission (CFTC) continue to express an intent to tighten regulation of cryptocurrencies, and the U.S. House of Representatives Committee on Financial Services has established a Digital Asset Working Group to work on legislation and policy solutions relating to cryptocurrency regulation, the use of blockchain and distributed ledger technology, and the possible development of a U.S. Central Bank Digital Currency.
There are also reports that the SEC has begun a broad inquiry into how banks are keeping track of employees’ digital communications such as text messages and emails including those sent on personal devices. Many financial institutions are subject to strict record retention requirements. Broker-dealers are subject to Rule 17a-4 under the Securities Exchange Act, as well as FINRA Rule 3110 and related guidance, and investment advisers are subject to Rule 204-2. Wide-spread remote working and rapidly-changing technology platforms have made compliance with these rules more challenging.
In a 6 October 2021 speech, Gurbir Grewal, the SEC’s Director, Division of Enforcement, highlighted recordkeeping obligations and the role they play in SEC investigations. He noted that the SEC brought an enforcement action against a broker-dealer in September 2020 after discovering, in the course of an unrelated investigation, that firm representatives used their personal devices to communicate with each other, with customers, and with third parties. These messages were potentially responsive to a records request the SEC staff made, and Director Grewal explained ‘this is not an isolated example. We continue to see in multiple investigations instances where one party or firm that used off-channel communications has preserved and produced them, while the other has not. Not only do these failures delay and obstruct investigations, they raise broader accountability, integrity and spoliation issues.’
Finally, financial institutions should take note that future DOJ enforcement actions will be shaped by new policies. Deputy Attorney General (DAG) Lisa O. Monaco announced three new DOJ policies on 28 October 2021:
- Cooperation credit to require broader disclosure: DOJ will be restoring prior guidance regarding eligibility for cooperation credit, which will require companies to provide DOJ with all non-privileged information about individuals involved in or responsible for the misconduct at issue in order to get full cooperation credit.
- Resolutions to take into account similar and dissimilar prior infractions: Prosecutors are now directed to consider the full criminal, civil and regulatory record of any company when deciding what resolution is appropriate, ‘whether or not that misconduct is similar to the conduct at issue in a particular investigation.’
- Corporate monitors not disfavored: DOJ will be given more freedom to require the imposition of independent monitors whenever appropriate or necessary to satisfy prosecutors that a company will meet its compliance and disclosure obligations under deferred prosecution agreements (DPAs) and non-prosecution agreements (NPAs). DAG Monaco explained, ‘To the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, I am rescinding that guidance.’
More details about these changes are available here. In other developments under the Biden administration, the SEC enforcement division, which has historically allowed companies to settle investigations without admitting or denying the SEC’s allegations, resurrected an Obama-era policy of seeking admissions in cases of egregious misconduct. Sanjay Wadhwa, the deputy director of the SEC Enforcement Division, reportedly indicated at a recent conference that regulators would seek admissions in cases in which the defendants engaged in egregious misconduct and also either: caused harm to a large number of investors; or involved defendants obstructing an SEC investigation.
What’s Next?
Arguably, the areas of regulator focus are not altogether new. Financial crime, consumer protection, cryptocurrency risk, and non-financial misconduct are all areas of risk familiar to firms in the financial services sector. What is new is the renewed vigor with which regulators will seek to enforce against misconduct and failures, and their commitment to use all the powers and avenues available to them to do so.
Of course, it remains to be seen how the initiatives and pronouncements outlined above will shape enforcement actions in the coming months on either side of the pond. However, financial institutions and FinTechs would be wise to review their compliance programs with an eye toward ensuring, as a minimum:
- Compliance with anti-money laundering and ‘Know Your Customer’ regulations in multiple jurisdictions.
- Adequate due diligence is in place to confirm that no ransom payments made or facilitated involve parties subject to U.S. sanctions, where applicable. The U.S. Treasury Department highlighted this risk in a September 21, 2021 guidance.
- FinTech companies take action beyond relying on their financial institution partners’ compliance programs, to make sure risks raised by services and products that involve cryptocurrencies are properly mitigated.
- Relevant firms are prepared to comply with increased regulation of cryptocurrency transactions that may be on the horizon.
- Firms are ahead of the curve with the implementation of new regulations on the horizon applicable to their business, and understand the risks of failing to do so.
Authored by Elaine Penrose, Ann Kim, Daniela Vella, and Rebecca Umhofer.
