Festivities, Fun and the FCA. Non-Financial Misconduct at Christmas.
The Christmas party season is in full swing. Friends, colleagues, and clients are all out and about celebrating the end of the year, unwinding and getting to know each other beyond the Teams calls. It is a most wonderful time of the year. But it is also an uncomfortable truth that incidents of non-financial misconduct spike over the Christmas and New Year period. As a Regulator I have responded to whistleblowing and firm notifications of poor behaviour at seasonal celebrations, providing regulatory review of concluded investigations and challenging them on the contents of their conduct frameworks and the outcomes they produce. It is another uncomfortable truth that whilst most firms acknowledge and understand the Regulator's expectations around non-financial misconduct, how their frameworks respond following an incident often exposes material weaknesses. In this post, rather than give a rundown of what firms should have in place, I am going to focus on how the Regulator might respond to a notification and what concerns they might raise with a notifying firm or following a whistleblowing disclosure.
Formal reporting of breaches of conduct rules for non-SMF staff subject to the conduct rules is done annually as part of REP008 regulatory reporting. Supervisors will look at this data and follow up with firms where appropriate. For SMF staff, the requirement is to inform the regulator within 7 days of the conclusion of disciplinary action. For whistleblowing, the Regulator should act with an urgency commensurate to the severity and proximity of the incident whilst protecting the identity of the whistleblower. Dual-regulated firms should also ensure they are aware of the PRA’s requirements around Conduct Rule breaches.
The Incident
For the purposes of this blog, we are concerned with incidents that involve individuals outside of the working environment where there is no direct supervision or oversight. One individual or group of individuals have conducted themselves in such a way that another individual, the employing firm, a member of the public, or a victim has made a disclosure to the Regulator. The big stick I have as a Regulator is Principle 11 of the FCA’s Principles: a firm must “…disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice”. This Principle works very hard in these circumstances. The key thing to remember is that it is the FCA’s view of what is appropriate and reasonable to disclose, not the firm’s. This means an expansive approach is best. If you are in doubt as to whether to contact the FCA or not, it is better to do so. Should the FCA become aware of a serious incident of NFM or disciplinary action that the firm had an opportunity to disclose but did not, the firm can expect a more robust challenge from the Regulator.
The Subject
The Code of Conduct sourcebook (COCON) and the Senior Managers and Certification Regime (SMCR) comprise the framework I am looking to leverage when I am reviewing the incident notification. This framework establishes standards of conduct and behaviour against which I can hold individuals to account. If it is a Senior Management Function (SMF) or Certified Person who is the subject of the notification, then the potential outcomes are more straightforward should an intervention or enforcement case be appropriate. That is not to say that the FCA has no leverage if the subject is not covered by the SMCR. I have seen cases where the FCA have challenged firms on why an individual with a relatively senior role was not certified. I am also aware of cases where SMCR individuals were not involved in the incident, but were present at the time and did not take what the FCA considered appropriate action to prevent the incident, stop it or support the subsequent investigation. There are also incidents of such severity that the FCA would expect to be notified no matter what level of employee was involved.
The Victim
If a victim has been identified, I am looking for how their wellbeing has been safeguarded. I would expect the firm to have a policy and process in place that ensures the dignity, privacy and safety of the victim and offers them appropriate support, not just at the time of the incident but on an ongoing basis. If a grievance was raised, I want to understand how it was progressed and what the outcome was. A high proportion of whistleblowing cases supervisors deal with follow a grievance process that the whistleblower deems unfair or poorly administered. I am looking for assurance that the process was administered fairly and in line with the firm’s internal policies and procedures, which in turn align with regulatory expectations.
The Immediate Response
The period immediately following an incident is where mistakes are often made. These can have a high cost in terms of the integrity of the process that follows and the support that witnesses and participants give to any subsequent investigation. There should be an established procedure to identify potential witnesses and secure evidence. An experienced or suitably trained individual should oversee this. Independence, or a perceived lack of it, can lead to challenge, especially when many policies give responsibility for the initial investigation, prior to escalation, to line managers in the department at whose Christmas do the incident occurred. I would expect firms to think carefully about who carries out an investigation. Where there are serious allegations, where the incident involves senior managers or SMFs, or where the firm has a smaller headcount, firms should consider whether external investigators would better support the integrity and independence of the investigation process.
The Follow Up
Once the investigation has concluded, any disciplinary actions have drawn to a close, and reporting obligations have been met, I would want to see the firm undertake a full and frank lessons-learned review. What I would expect to be included in the review depends on the incident, how the conduct framework performed and the outcomes it produced. Depending on the nature of the incident, such reviews can go as far as looking at recruitment and vetting practices and feed into the remuneration process. As a supervisor, my preference is for the review to be expansive and robust, and overseen by someone appropriately senior.
Within the FCA a decision will be made about further actions. This could be anything from a strong letter, to formally or informally requesting the firm undertakes a review of specific aspects of their Conduct Framework, to enforcement action against individuals or the firm, to recording the details of individuals for intelligence purposes.
The suitability and effectiveness of conduct and non-financial misconduct frameworks is reduced when these policies and procedures are not regularly reviewed and refreshed. Weak or out-of-date policies lead to increased risk of harm to employees and the public, and material reputational, legal, and regulatory risk for the firm. Ensure you have secured appropriate support.
I wish all my friends, colleagues, clients, and connections a merry and incident-free festive season.
#FCA #RSM #NFM #SMCR #conductandculture #conductrisk #riskmanagement