Credit Suisse FCA fine: what can we learn?
The FCA’s £147m fine imposed on Credit Suisse has been well publicised. Many common failings are apparent, including:
Failure to spot red flags, looking at them in isolation, or ignoring them altogether
Not utilising the due diligence which has been performed to assess or understand risk – a tick box approach to due diligence
Poor compliance culture, a “business at all costs” mentality and a lack of transparency
But we wanted to go beyond the obvious failings and look at whether there is anything else practical that firms can take from the enforcement:
Governance: fundamentally these failings come down to failings in governance. On paper, Credit Suisse had the frameworks, systems, controls and processes in place to identify, assess, manage and monitor higher risk scenarios like this – yet protocols weren’t followed. Tone from the top, MI, communications, record keeping and transparency all come into question here.
Those who own systems and controls, particularly high-risk decisioning committees, should take stock and consider whether their processes are working as intended or if they’re just a box ticking exercise.
Revisit your code of ethics and ensure you are bringing it to life through the decisions you are making collectively and as individuals.
Fee transparency: the fees for one transaction were lowered by $11m from $49m to $38m. However, none of the “three CS Individuals” informed senior management or the bank’s compliance functions. This lack of transparency over non-standard terms meant another red flag was missed. Fee levels, rebates and non-standard terms can be a key bribery indicator.
How do you measure and monitor both the fees as set, but also as paid and/or refunded? Do you know what “normal” looks like so you could identify outliers? Many firms exclude lending facilities from transaction monitoring, but close scrutiny of fees across books can provide great insight into potential bribes.
Segregation of duties: the “three CS individuals” controlled the messaging around the transactions, which meant they controlled the understanding of risk. If third party due diligence reports had been submitted to an independent function, fee structures had been set elsewhere, or onsite visits had been conducted by a third party reporting directly to a committee, a more comprehensive understanding of risk may have been achieved.
Do you have segregation of duties in place for higher risk, complex or non-standard arrangements?
Product risk assessment: We’d hazard a guess that you consider syndicated lending as “low” risk. The case underscores that low risk does not equal no risk and should probably be referred to as “lower” risk. Even lower risk products have vulnerabilities and firms need to understand and control them. Efforts should be made to ensure that low risk is not an excuse for setting aside caution and professional skepticism.
Do you clearly articulate what the specific vulnerabilities of your products are?
Country risk ratings: Firms put a lot of time, cost and effort into developing and maintaining country risk lists – but they need to be meaningful. Whilst country risk may blend into a customer risk assessment, it needs to be more prominently considered in complex, bespoke or higher risk transactions.
The presence of other red flags alongside a higher country risk rating needs to mean something, and must not be excused away without genuine challenge.
Bribery harms society and the integrity of financial markets. The opportunity for personal gain is always going to risk incentivising bad behaviors. The trick for firms is not only having a well-designed framework with all the right checks and balances in place, but actually ensuring that it operates as intended. Governance and culture yet again are the root cause of purposeful business and successful outcomes.