Out-Law Analysis | 15 Jul 2016 | 3:14 pm | 10 min. read
This is part of Out-Law's series of news and insights from Pinsent Masons experts on the impact of the UK's EU referendum.
With almost all thoughts currently focused on what form a 'Brexit' might take, it is easy to forget that it remains very much business as usual for regulated firms from the point of view of the UK's financial services regulatory authorities.
In a statement issued following the result of the UK's referendum on EU membership on 24 June, the FCA confirmed that regulated firms must continue to implement compliance programmes to deal with all EU legislation which is currently in the pipeline and due to be implemented in the UK - for example, implementation of the revised Markets in Financial Instruments Directive (MiFID II) and associated regulation. UK-specific regimes, such as the Senior Managers and Certification Regimes (SM&CRs), will continue to apply in any event.
At the same time, the supervisory priorities on which the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have agreed to concentrate for 2016/17 should not be forgotten. These include continuing work to ensure firms have a "robust" corporate governance framework and maintain a "good" culture.
UK regulators and good governance
The board of a regulated financial services firm is primarily responsible for that firm's governance and risk management, and good governance is vital to a well-functioning UK financial services sector. In discharging this function, the board must always have regard to the interests of the firm's shareholders and to the regulatory framework with which it must comply. In the first instance, compliance with the regulators' rules is a matter for the board and not the firm's compliance function. Non-executive directors (NEDs) also have an important part to play, and are required to offer robust challenge to decisions at board meetings and hold the executive members to account.
The concept of corporate governance is nothing particularly new in the UK. Corporate governance obligations have always featured in the legal framework for UK incorporated entities, particularly through the provisions of the 2006 Companies Act and the 2000 Financial Services and Markets Act (FSMA). There are also a number of important sources of guidance, such as the UK Corporate Governance Code and the Stewardship Code relating to the obligations firms have to their shareholders. Financial services firms are also bound by high-level rules shaped by the PRA's Fundamental Rules and the FCA's Principles for Businesses.
Though they still remain largely non-prescriptive, there are more granular requirements set out in the General Organisational Requirements part of the PRA Rulebook and the Senior Management Arrangements, Systems and Controls Manual (SYSC) of the FCA Handbook. To a certain extent, these are driven by the corporate governance provisions set out in MiFID, the EU's Markets in Financial Instruments Directive.
The global financial crisis of 2008 exposed inadequate corporate governance controls in financial services entities all over the world. It also revealed a deep-seated 'laissez faire' attitude on the part of senior individuals within those entities to their personal responsibilities and duties. In particular, senior failings in risk management systems and procedures as well as in senior management decision-making at the larger financial and credit institutions were uncovered during 2008 and 2009. NEDs failed in their duty to identify excessive risk-taking and challenge poor decision-making. All of these failures led to a number of different initiatives and pieces of legislation to strengthen corporate governance and individual accountability in the financial services sector.
At the same time, remuneration levels for staff and management at financial firms still seemed to rise every year and, worse, to bear no relation to the performance of the firm. Indeed, the public's perception remains that poor behaviours and standards are rewarded handsomely, and that the industry works purely for its own profit. This has stoked anti-banker sentiment amongst the wider public, and engendered a general mistrust of the financial services industry as a whole.
This has led to a step change in the way that the FCA and PRA now supervise corporate governance and senior management responsibility, including the role that remuneration plays in driving good or bad behaviours. The incoming MiFID II, which is due to be implemented in the UK by 3 January 2018, will introduce further requirements to strengthen the framework, particularly in relation to the knowledge and competency of senior individuals.
What is 'culture'?
It is clear from recent speeches that the regulators believe that they can prevent bad practices from taking hold within firms by focusing more on the way firms govern themselves, by holding senior individuals to account and ensuring that there is the right environment in which to operate the business. However, so much has been written about 'culture' since the financial crisis that it has almost become a buzz word without a properly understood meaning.
Culture remains notoriously difficult to define. Clive Adamson, when he was director of supervision at the FCA, provided a good description back in 2013. He said that culture was "like DNA. It shapes judgments, ethics and behaviours displayed at those key moments, big or small, that matter to the performance and reputation of firms and the service that it provides to customers and clients". He went on to say that, to be effective, firm culture must support "a business model and business practices that have, at their core, the fair treatment of customers and behaviours that do not harm market integrity".
It is clear that, in Adamson's view, culture combines:
These 'best practice' behaviours are instilled in individuals within a firm through so-called 'tone from the top', at board level, which in turn is translated directly into actual business practice which shapes how firms make business decisions, how staff should behave and how matters can be circulated around the business or elevated to the correct level of seniority appropriately.
More recently, this month, Clive Adamson’s successor at the FCA, Jonathan Davidson, described culture as “the typical, habitual behaviours and mind-sets that characterise a particular organisation. The behaviours are ‘the way things get done around here’; they are the way we act, speak and make decisions without thinking consciously about it. And sitting underneath these behaviours or habits are mind-sets inside people’s heads; the beliefs or values that people feel are important. We can’t see these mind-sets but they are the main determinant of behaviour from the trading floor to the Board. The mind-sets themselves are influenced by the incentives inherent within each firm.” This builds upon the definition provided by Adamson in 2013 and specifically encompasses within culture the idea that it should be habitual. It should include an element of unconscious, instinctive action on the part of the individual Board member or employee that leads to the “right” decision and the “right” outcome, and this should be replicated and understood by other employees at the firm. In other words, each individual has a personal responsibility to do the right thing and management should encourage this. He also describes culture as coming “from the past”, as being reinforced over time by continuous repetition and being passed down from generation to generation within the firm.
The FCA has explicitly linked the ways in which staff are incentivised with good and bad culture within firms, and Mr Davidson’s speech is merely the latest FCA publication to confirm this. Indeed, he makes it abundantly clear that performance management, employee development and reward programmes are also important drivers of the right culture in a firm. The FCA requires firms to put in place remuneration structures and incentivisation programmes for staff which reward the correct behaviours, and remind them that their primary role is to serve their clients. Closely linked with this is the requirement to ensure that promotion policies and performance development management are effective and reinforce the correct messages. The rise of complex remuneration codes for different types of financial services firms, as set out in chapters 19A-D of SYSC in the FCA Handbook, is a testament to how serious the FCA perceives the link between poor incentivisation, bad culture and excessive risk-taking to be.
Firms must not only affirm good behaviours, but also enforce the consequences for behaviours which do not conform with the culture that they wish to project. This is particularly relevant where such behaviours are carried on by mid-level managers and senior staff. Staff will always follow the lead of their managers, so if they are shown that such behaviour is normal they are much more likely to copy it themselves.
Clearly, a "good" or "correct" culture is therefore not something that can be implemented via a set of prescriptive rules, or imposed in a "one size fits all" fashion from above by the regulators. It cannot be codified in the same way as corporate governance. It is a process which must be embedded over time taking account of the individual characteristics of the particular firm in question. The challenge for firms is to ensure that the development of a culture is continuously reinforced and maintained, even where it comes up against conflicting business objectives. However, moves taken by the regulators to improve personal responsibility in firms and make management more accountable should go a long way to resolving the issue.
The FCA and PRA have dramatically increased their scrutiny of individuals in senior management at regulated firms. As a result of the reports prepared by the Parliamentary Commission on Banking Standards (PCBS) on professional conduct and culture in the banking sector in response to the financial crisis, the FCA and PRA implemented the senior managers' regime (SMR) and certification regime (CR) which came into force in March of this year. The aim of these new rules is to embed a culture of personal responsibility within firms in the banking sector. The PRA and FCA also implemented the Senior Insurance Managers' Regime (SIMR) at the same time, which shares broad similarities with the SM&CR but is not nearly as wide-ranging or prescriptive.
The rules on regulatory references, which form part of the SMR and SIMR and require firms looking to employ certain senior individuals to request a reference from the individual's previous employers over the last five years, have been delayed so that regulators are able to consider the recommendations of the Fair and Effective Markets Review (FEMR) and consult on the procedures involved. The rules are expected during the summer of 2016. In October 2015, the Treasury began consulting with the goal of extending the SMR to all other authorised firms in the financial services industry, including to insurers. This is intended to be in place by 2018.
The SMR introduces further measures on remuneration to encourage more effective risk management and highlight further the need to align individual decision-making with good standards of conduct for firms in the banking sector. These changes include introducing longer deferral periods for senior managers than those set out in the Remuneration Codes for other types of firm, so that they must apply deferral periods of at least seven years to variable remuneration. All those defined as "material risk takers" must apply such periods for three to five years. PRA-designated senior managers are now subject to a 'clawback' period of ten years rather than seven if the firm has been notified of a regulatory investigation or begun an internal investigation which may lead to a recalibration of remuneration.
How a board assesses and evaluates its own performance is of great importance to the corporate governance framework. Well-functioning entities need to be self-critical, and ensure that they remain on the ball. NEDs play a valuable role in this process by offering challenges – but they must also ensure that they balance their own independence with a good knowledge of the business in question. The UK Corporate Governance Code expects boards of firms within its scope to evaluate their own performance and those of their committees rigorously and regularly, preferably annually.
Former chief executive of the PRA, and now chief executive of the FCA, Andrew Bailey, provided a useful and succinct statement of the three things the regulator expects from a board in a speech to the Westminster Business Forum in November 2015:
Poor governance and culture leading to weak compliance
There is an obvious connection between weak corporate governance and poor culture on one hand, and regulatory breaches that lead to enforcement action on the other.
The root cause of many FCA enforcement actions in recent times has been a breach of Principle 3 (management and control) under the FCA's Principles for Businesses. These breaches are often the ultimate reason behind breaches of numerous other rules, as well as pointing to the fact that the management of the firm in question does not have the requisite oversight of activities or an understanding of the situation 'on the ground' within the firm.
A good example of this is the £1.2 million fine handed to WH Ireland Ltd by the FCA in February 2016 for systems and controls failings in relation to market abuse. Among other reasons, the FCA's final notice cites "poor governance including a lack of clearly allocated responsibilities, reporting lines and accountability and ... a lack of market abuse [management information] and a lack of challenge and review of this by the board and its committees". Clearly the FCA placed most of the blame for the inadequate market abuse framework and conflicts of interest failings at the firm on inadequate governance arrangements. Had the firm been better governed, with a suitably engaged management, the likelihood is that these breaches would not have occurred.
There has also been a noticeable increase in successful enforcement actions against individuals – and this is something that the FCA is rigorously pursuing, as shown by the value of fines handed to individuals by the regulator more than doubling to £17m during the last financial year. With the implementation of the SMR and SIMR, this is likely to increase and it confirms that the FCA is focusing more than ever not just on how firms are behaving, but also how the individuals who run them are performing and behaving.