What to do in a regulatory investigation

?

?

1 Introduction

Interactions with the regulator can take many forms - from participating in a thematic review, or receiving a tailored set of questions, to a full-blown s166 investigation (which is where the regulator appoints a Skilled Person to produce a report on the firm). And in these interactions, firms seriously underestimate the extent to which their responses and actions will influence the outcome – both positively and negatively.

This paper describes the techniques and approaches firms can use to significantly reduce the risk that: an initial enquiry from the regulator will lead to a s166 investigation, or that a s166 investigation will go badly and lead to an increase in remediation and redress requirements.

The paper uses examples from the FCA, but it is just as applicable to regulatory investigations by the PRA or Bank of England. Those firms already facing a s166 may want to jump to section 6, but for others, there is much to be done now to prevent the s166 from arriving.

?

2 Prevention is better than cure

For a firm, the best outcome for a s166 is not getting a s166 in the first place. Any adverse interaction with the regulator can be very expensive, sucks up an enormous amount of management time, and can constrain the way the firm does business in the future. So, it is important to future-proof the organisation against potential threats. This does not mean paralysing the commercial activities, it means taking steps to increase control.

?

2.1 Proactive steps

A few weeks ago, I wrote an article discussing Time’s Arrow , which in essence is – do what you said you were going to do, when you said you were going to do it. So, if the firm is scheduled to hold annual product reviews, monthly meetings to discuss Root Cause Analysis, or have the Compliance Monitoring Plan signed off at the Board; these things should happen, because it will be very evident to the s166 Skilled Person that they didn’t.

Equally, keep policies and procedures under review and up to date. As a Skilled Person, it is a difficult conversation to have, with a firm, to have to point out that they haven’t been operating in line with CONC requirements since 2015, and yes that does mean that all customers since that point are in scope for the customer redress payments.

And keep the contracts up to date. It is far easier to negotiate the roles and responsibilities with a counterparty at the start of the relationship, when both parties are on good terms, rather than when the FCA is knocking at the door, looking for someone to blame.

?

2.2 Reactive steps

It is important that firms have adequate horizon scanning in place, so they can identify potential problems, and take appropriate action. Regulators are fairly slow-moving as they develop their approach to a particular market sector. Their intentions are usually well-telegraphed from the: speeches, Dear CEO Letters, Discussion Papers, Thematic Reviews, CPs and PSs.

So firms should have a clear idea of where the regulator’s spotlight is going to fall next, and take action accordingly.

3 How do firms get on the regulator’s radar?

There are many reasons why a firm might come to the attention of the FCA. This may be due to the regulators increased interest in a particular market sector (e.g. motor finance), or it may be a specific focus on the individual firm.

?

3.1 Focus on the market sector

When considering particular market sectors to focus on, the FCA draws information from a wide range of sources, including:

• Feedback from consumers and consumer organisations
• Data and intelligence from firms and trade associations
• Analysis of RegData
• Insight from other regulatory organisations
• Information from MPs?

As part of the FCA’s investigation into a market sector, they will use their own internal data and insights, but they will also reach out to firms, to seek further information. At this stage, they may not have a view of the risk an individual firm poses, but they will quickly form an impression, based on the information they receive back.

?

3.2 Focus on the firm

The reasons why an individual firm can find itself the target of the FCA include:

• Self-referral – if the firm has made a Principle 11 notification, informing the FCA that they have a problem, the regulator will doubtless want to know more details about the event, the extent of customer harm, and what the firm is doing to address it.
• Outlier analysis - FCA increasingly describes itself as a data-driven regulator, and has created Data Science Units to analyse RegData and other metrics, and identify firms for further investigation. Indicators such as sharp variations in complaints or sales volumes can trigger scrutiny.
• Web and social media analysis – the FCA use web scraping to scan an average of 100,000 websites every day. They scrutinise online marketing looking for non-compliant financial promotions and delve into customer reviews looking for trends and themes. They take all this publicly available information and develop a target list of firms that require further scrutiny.
• Whistleblowers – internal staff may raise concerns directly with the regulator.
• Information from other firms – other firms may contact the regulator and raise issues.

?

4 What happens when the regulator makes contact?

The communication a firm receives from the regulator may be a generic information request (e.g. as part of a Thematic Review), or it may be a letter specifically targeted at the firm. It is normally fairly easy to distinguish between the two, but in either case, it must be taken seriously.

It is useful for firms to already have a ‘what to do if we get contacted by the regulator’ procedure in place. Because problems can arise with:

• Letters going to the wrong person (or to Group or subsidiaries), and not getting picked up.
• Firms not taking the issue seriously, and not devoting resources to developing the response
• Firms taking too long to reply – the letter will have a response date and the firm will need to make sure they meet it.
• Firms giving the wrong answer

And ‘giving the wrong answer’ is surprisingly common. Time and time again firms cause themselves problems by how they respond to queries from the regulator. So, if the firm does receive a letter, it is a very good idea to seek professional advice. Investing in a few hours of an advisor's time can save significant costs in the long run.

An advisor can give guidance on whether:

• This is a generic letter, which has gone out to many firms in the sector, but you still need to answer it carefully, or
• This is serious, the FCA believes, or has a strong suspicion, that your firm are in breach of X

And the advisor can help craft the reply – because the response the firm gives to the regulator will determine what happens next.

?

5 What action can the regulator take?

In an ideal situation, the regulator may take the firm’s response, and consider it sufficient and require no further action. However, if they are not satisfied, the FCA has a range of diagnostic and remedy tools at their disposal. The use of which will depend on the circumstances.

If the regulator is confident in their understanding of the situation (and their ability to substantiate their allegations), they may go straight to a remedy. This may include:

• Stopping the harm – either through a voluntary requirement (‘VREQ’) or an Own Initiative Requirement (‘OIREQ’), ensuring the firm discontinues the activity the FCA considers harmful. For example, stopping the firm from accepting new business, or undertaking a particular regulated activity. VREQs are often used as part of a further investigation, where the FCA will request the firm stop taking on new business while the s166 is underway.
• Reducing prudential risk – the FCA can enforce a minimum level of capital and/or liquidity, if they feel current levels are inadequate.
• Reducing operational risk – where there are control failings, the FCA can require the firm to put in place additional policies or procedures, recruit additional staff or de-risk processes.
• Ensuring the firm puts things right – where there has been customer harm, the FCA can require the firm to pay redress to customers.
• Holding individuals to account – the FCA may take action under the SMCR rules against individuals in the firm, which may result in prohibitions and/or fines.

?If the regulator requires further information, they may seek this from the firm themselves, or use their s166 powers to have a Skilled Person investigate.

?

6 The s166 process

The arrival of a s166 Requirements Notice is a concerning experience for any firm, particularly those who have not had much experience dealing directly with the regulator before.

The important thing is to act quickly (the timeframes are tight), decisively (senior management should be involved from the start), and carefully – the actions the firm takes from this point on will determine the outcome of the s166. And the vast majority of the actions will be irreversible; starting with the response to the Requirements Notice and the selection of the Skilled Person.

?

6.1 Get professional advice

Now is the time to get professional advice, if it hasn’t been sought already. Given the potential cost of the s166, many firms may baulk at the expense of hiring another professional advisor, but it is money well spent. Having someone ‘in your corner’ who understands the process, is invaluable. As a s166 Skilled Person, dealing with a firm who have good advisors makes the process far easier, and can lead to a much better outcome. Choosing a firm-side professional advisor is similar to choosing a Skilled Person (see section 6.3 below).

?

6.2 Reviewing the s166 notice

The most important word to read in the Requirements Notice is at the top – Draft. The FCA will issue a Draft Requirements Notice first, and then a Final Requirements Notice which will fix the content and timeframes. Between those two points, there is scope for the firm to alter the trajectory of the s166.

Clearly, it will be unlikely that the firm will be able to completely change the direction of the investigation, but there is considerable opportunity to mitigate the impact. Particularly in areas such as:

• Misunderstanding – the regulator may not have understood the firm’s activities or their role. If this is the case it is important to respond quickly and explain the reasons why the allegations may be incorrect.
• Timeframes – the FCA often proposes very tight timetables for s166s. Firms can successfully argue that more time will be required to properly undertake the investigation and develop the remediation plan.
• Information gathering – historically, the regulator has been keen on proposing large file review exercises. These are very expensive, and (beyond a statistically relevant sample size) they don’t always improve understanding. Firms can propose that a smaller sample size is used initially, with an option for further sampling if it is warranted.

These negotiations are an area where the right Skilled Person can be enormously useful to the firm, in helping to right-size the FCA’s requirements. So, it is important to choose the Skilled Person carefully.

?

6.3 Selecting the Skilled Person

The selection of the Skilled Person is the most important decision of the process, and it will have a great impact on the outcome for the firm. Having a Skilled Person who does not understand the organisation or does not develop a good working relationship with senior management will, in all likelihood, lead to a report which presents the firm in an unfavourable light.

In some circumstances, the FCA will choose the Skilled Person themselves, but it is common for the regulator to allow the firm to choose. The FCA have a panel of firms they use themselves, and again it is common for firms to choose from that list, although it is not a requirement. However, the FCA will need to approve the choice (details in handbook SUP 5 ).

Therefore, it is important for the firm to ask the right questions, and choose the Skilled Person carefully:

6.4 Managing the s166 process

Once the Requirements Notice is finalised, the scope of the s166 is fixed. However, the actions of the firm, during the course of investigation, will still have a big impact on the outcome.

?

6.4.1 Project oversight and prioritisation

Senior management should be overseeing the project. They should be reviewing the material presented to the s166 team, and monitoring the emerging risks and developments – as issues may come to light during the s166 which require prompt action. The s166 should be the most important thing the firm is dealing with, at the moment. Commercial initiatives and discretionary projects should be deprioritised, and resources should be freed up to devote to the project.

?

6.4.2 Logistics

There will be a large amount of work, from the firm side. The firm should agree with the Skilled Person on a document request list and a timetable of interviews.

Document control is incredibly important – the firm will want to ensure the s166 team gets the right version of the document they requested. The firm will also want to ensure the s166 team doesn’t receive any additional information, they didn’t ask for, which paints the firm in a bad light. Using a data room and having a clear review and sign-off process is important.

Clear and accurate record-keeping is also required. To track what information has been presented to the s166 team, what feedback has been received, who has signed off on decisions, and what actions have been taken.

?

6.4.3 3rd Party engagement

If the firm is part of a distribution chain, or using outsourced services, there may be a requirement to seek information from them, or even for the Skilled Person to engage with them directly. Hopefully, the firm will already have contracts in place which allow for access (see section 2.1), but it will be important to engage with the 3rd parties and ensure there is clarity on roles, responsibilities and message.

?

6.4.4 Interviews

Members of the firm's staff and management team will be interviewed. It is therefore important that staff make themselves available, are cooperative and that they understand that all interactions with the s166 team are effectively ‘on the record’.

Individuals who hold SMF positions should also be aware of the potential for personal liability. And all individuals should be aware of the impact on future regulatory references – being responsible for a major regulatory control failure could have an impact on future employment.

It is important that staff are honest in their dealings with the s166 team, but it is equally important that they present the facts clearly, consistently, and with appropriate reference to any mitigating factors. Therefore, firms should run preparation sessions, prior to people being formally interviewed.

?

6.4.5 Pre-remediation

It may not feel like it during the process, but the aim of the s166 is to improve the firm’s controls. Therefore, there is considerable scope to agree with the Skilled Person that certain documents and processes can be revised, even before the report is completed. This does not mean re-writing history – if the firm applied the wrong approach to customers back in 2019, then that is the way it is, and redress will need to be calculated – but a firm can start the improvement process now.

?

6.4.6 Relationship management

If the Skilled Person forms the impression that the firm is obstructive, uncooperative, dissembling, and/or simply does not ‘get it’ when it comes to regulatory requirements – the firm will receive a poor s166 report. It is basic human nature - the s166 team is assessing the facts (did the policy meet the requirements of CONC 5) but they are also forming a view on the culture and purpose of the business. This view can either be:

• The management team made mistakes, but they recognise it, and are prepared to learn from the s166 experience.
• The management team is not ‘fit and proper’, and will return to their ‘old ways’ once the s166 is completed.

It is therefore incredibly important that the firm develops and maintains a good relationship with the s166 team. The clear message from the firm (in every interaction) should be – we understand we got it wrong, we’re keen to resolve this positively, address customer harms, and improve our controls.

This approach may ‘stick in the craw’ of some members of the management team, but firms should understand – you determine how the Skilled Person feels about you.

?

6.4.7 Negotiating the findings

If the firm has managed the relationship well, the draft report should not contain surprises. And it is in the steps above (before the report is written) that the firm will really be ‘negotiating the findings’. However, once the draft report arrives, there will still be elements that are open for discussion. Particularly:

• Factual inaccuracies – if findings are wrong, the firm can challenge -with appropriate evidence.
• The scope and timeframes for remediation – the firm could suggest a longer timeframe in order for them to improve controls.
• The quantum of customer redress – this will be the most contentious part of the s166 report. This is an area where professional advisors can be very helpful in negotiating what the payout will be, and how many customers are eligible.

?

7 Fixing the underlying issues

In the effort to manage the s166, and complete the remediation actions, many firms forget to consider the root cause of the issues. Firms overlook the fact that operational failings and regulatory breaches are, at their heart, governance and risk management failings. If firms don’t address the root causes, the likelihood of a repeat failure is high.

Firms should ask themselves:

• What does this incident say about our governance?
• What does it say about our culture? Do we know ‘what good looks like’?
• How did our risk management framework miss this?
• Why wasn’t the issue spotted? What is wrong with our MI and oversight?
• Why didn’t 1st line senior management take action?
• What else is going wrong in the firm?

?

8 Conclusion

Any interaction with the regulator presents a potential risk to the firm. Senior management teams should recognise that they have a significant influence on how this risk crystalises. The actions of the firm, particularly during a s166 investigation, have a far greater impact on the outcomes than people realise.

Therefore, firms should take any regulator interaction seriously, seek professional advice where it is needed, and consider carefully the choices they make.

? GRR Consulting Ltd

?