Skilled person review: prevention is better than cure (Part 2)
This blog is a follow on from last week’s Part 1. If you haven’t already, you should read that page first.
Why had the firms not resolved these issues on their own?
When reading the issues in Part 1, it all might feel a bit “obvious”. But given the consistency of issues identified it cannot be that simple. So we wanted to explore why firms had ended up in these situations.
It isn’t uncommon to see situations where either:
Individuals (including those with formal responsibility for preventing financial crime) simply think that the framework and controls in place are sufficient
Issues are known about but do not receive sufficient attention. This might be because:
the issue isn’t being shouted about loudly enough
the issue is being shouted about but those with the power to enable change are not listening
Some potential reasons for this are outlined below.
Lack of meaningful external insight:
Many firms benefit from stable resource bases with long serving staff. The benefits of this are clear in terms of consistency, relationships and institutional knowledge, but one of the downsides is not having visibility of what other firms are doing and what risk-based, acceptable, good, or market leading looks like.
Regulatory expectations are continually evolving as firms across the industry (and world) gradually develop new and better ways of doing things, but this can bite when those expectations have not translated to your firm.
When firms do benchmark, we have seen a tendency for them to be narrow in the institutions they see as peers (such as those from a similar jurisdiction, size or those offering similar products). However, the risk is that you can end up replicating controls from institutions that do not meet regulatory expectations set from a wider set of regulated firms.
And we’re not suggesting there should be any kind of rush to set ever higher standards. In fact, the answer may often be quite the opposite. Where external perspective can really help is in seeing how a truly risk-based framework can operate, and recognising which controls are just “ticking the box”. Afterall, it is all about purpose.
Periodically get external perspective i.e. through new hires, consultant input or industry events
Critically appraise all inputs. You need to get meaningful and practical expert advice. There are lots of peers, consultants and lawyers that can help to varying levels. If what you need help with is specialist, engage with the right individuals. Challenge yourself on their credentials and whether what they offer can be trusted.
Competing priorities:
You are a commercial entity and whether it is business priorities or other risk and compliance issues, there is a lot to keep on top of. We have seen examples of where it was quite clear that although financial crime weaknesses were known about, they simply did not make the cut in terms of priority activities. There is no easy answer here, particularly when it comes to balancing up against other compliance issues. But it is important that financial crime is properly represented in the change agenda so that conscious decision making can occur and there is documented decision making and clear accountability for those de-prioritising certain initiatives.
A holistic view of all risk and compliance issues can help inform conscious decision making on what to prioritise
A good financial crime risk assessment will help to keep issues in perspective against other issues - but it needs to be objective
Comprehensive compliance monitoring and audit is necessary to surface issues to allow them to be prioritised
If you’re not going to do something - do it consciously and write down your rationale
Recognise that you have to keep moving in order to stand still – you don’t want to stand out from the pack
Perception of cost
It is apparent that many decisions regarding whether or not to address an identified issue, have been made on the basis of the cost of making the necessary changes. Although this is a legitimate factor, from a regulatory perspective, firms making decisions based on cost are essentially gambling on whether the regulator will identify the issue.
And of course, sometimes the temptation can be to treat the symptoms and not the cause. Quickly throwing resource at an issue may feel like the best way of addressing an issue, when in fact understanding and containing an issue whilst addressing the root cause is more likely to cost less in the longer term.
Decision making occurs with a lack of insight and Management Information
Poor grasp of the fundamental issues
Sometimes it isn’t actually about the financial crime systems and controls themselves. As we discussed in our recent blog about the FCA Dear CEO letter for Retail firms, perhaps the issues are more fundamental. See that blog for our seven Cs of organisational challenge.
Culture
Culture is complex. It is rarely what management think it is. It is hard to articulate, measure or manage. It can be looked at through multiple lenses - a firm, a department, a country etc. And it has such a significant impact on outcomes.
We have seen situations where there is a fear of honesty from middle management upwards. Even though senior management want to hear the truth, often middle management aren’t willing or able to provide this because of the potential personal consequences.
There is definitely scope to more formally link incentives (and disincentives) to the compliance programme. Primarily this is through the performance management and remuneration processes.
And finally, it is the responsibility of the people at the top to set the culture. It is set out of your everyday behaviours and decisions, not what you state it should be. These behaviours and decisions will precipitate the business and will be modelled. This means that culture can be controlled, shaped and changed - but it is a select few people who can do this and they need to do it with hearts and heads equally. It has to be real.
Incentivise honest and open escalations
Incentivise (and where appropriate disincentivise) the behaviours, decisions and actions deployed across the firm
Ensure whistleblowing arrangements are in place and well publicised
Show introspection and emotional intelligence with regards to the corporate culture - particularly at top management levels as you DO shape the culture
Wider impacts of regulatory intervention
Most of these reviews become multi-phase activities (some may extend three years+) with significant review activities and resultant change programmes needing to be delivered on top of BAU. The cost of a review is high – cost of change is even higher. Regulatory intervention is resource intensive and often a distraction from what the firm is trying to do commercially.
Your change programme will be at the discretion of a third party. This means you won’t have full control over timescales, design decisions, priorities, standards or the level of scrutiny (QA / QC) required. This lack of control will create opportunity costs as other initiatives may have to be de-prioritised.
You will usually be required to have some form of follow up - either by the skilled person, the Regulator or your own internal audit. This adds an extra element of time and cost to the overall process.
On a more positive note, well informed intervention can have broad benefits to a firm’s governance and culture. We received feedback from one firm, stating that the changes made as a result of our financial crime skilled person review had prepared them well to handle the coronavirus pandemic. This was principally because of the increased effectiveness of governance arrangements. This ultimately stemmed from our focus on identifying the root causes of the issues.
And of course if financial crime systems and controls are improved in a sustainable way, cost can actually be reduced in the medium term.
Are section 166 reviews effective?
It’s probably important to acknowledge that the definition of “effective” is relative. Even within an organisation this definition is hard to agree, this is further complicated by the tri-lateral relationship of the firm, skilled person and regulator.
From a regulatory perspective, its probably fair to say that the use of skilled person reviews is effective. This is illustrated by their increasing use. They clearly work in terms of focusing senior management attention; forcing an uplift in capability and control; and bringing firms to a “compliant” state.
There is no doubt that the process will result in some form of uplift in systems and controls.
There can be significant improvements in culture, understanding and capability across all three lines of defence and often head office. Sometimes hearing the same issues but from an external party or regulator is the only meaningful catalyst for change.
Indirect improvement for other control areas. The governance structures in place after extensive regulatory intervention have led to firms operating in a more effective, efficient and compliant way. We have also seen institutions who have addressed poor data ownership (which had affected financial crime controls such as screening), use the enhancements made through regulatory intervention to trigger other bank wide efficiencies.
There are definitely questions around effectiveness of such reviews when you consider:
Sustainability: whilst a firm is under intense scrutiny, they have to get things in order. Once the process is finished it is down to the firm to maintain new higher standards. It may be a number of years until the next Regulatory visit and we have seen some firms act quite cynically with regards to getting through the process before reverting back to previous standards.
Opportunity costs: the intensity of the process categorically means other opportunities (whether they’re commercial or other compliance priorities) get delayed or missed altogether.
Direct cost: the cost to firms of paying for the skilled person, advisors, additional staff or procurement of new tools / systems can add up quickly.
Reputational: the commercial costs of the process could potentially outweigh all other direct costs if, for instance, business restrictions are put in place or if knowledge of the matter creates nervousness in the market.
Going too far: The control framework put in place during regulatory scrutiny can go beyond what is actually required. Especially if the recommendations from your Skilled Person or Monitor are not appropriate. It is important to watch out for terms like “industry standard” and really challenge what they mean. Is this minimum, or leading, standard? Can it be evidenced?
Also, and of critical importance to Avyse Partners, is the question of whether the process is effective in preventing harm, or just demonstrating systems and controls? Whether regulatory intervention achieves true purpose or not depends on a range of factors, including the firm’s aims, internal culture, the skilled person themselves, and of course the skilled person’s team. Real value for a firm, for a regulator and for society at large is to reach the target state of effective, risk-based controls which actually work to deter, prevent and detect crime, not to just tick boxes of a certain level of regulatory compliance. We’re not convinced that this measure of effectiveness is currently high enough of the priority list for regulatory interventions.
Conclusions
Prevention clearly is better than cure. If you can achieve effective systems and controls under your own direction it is likely to be more risk-based and less costly.
The reviews definitely can be effective - but maximising effectiveness is contingent on the attitude of the firm and the proportionality and sophistication of the skilled person.
Get on the front foot. The more you can show you’re in control (even if that is in control of dealing with self identified deficiencies) the less likely you are to fall under formal processes.
Getting meaningful external insight will pay for itself. The firms we have seen with better outcomes are the ones who are proactive at seeking help from people who have been through the process before either as a skilled person or as a regulator. Having the help of someone who interacts with the FCA, DoJ or NY DFS can greatly improve the overall outcomes.
Learn from the mistakes of others. Take lessons from other enforcement action by the FCA. The enforcement notices for financial crime and thematic reviews that have been published by the FCA are always referenced in final notices against firms. Remind yourself of the failings of others.
Your choice of Skilled Person or Monitor can make a huge difference. While cost is important it can often end up being more expensive in the long run if your Skilled Person uses inexperienced staff who may not understand the complexities of the products and services you offer or who isn’t sufficiently focused on true purpose. Recommendations and remediation projects suggested by third parties can be arduous, so you want to make sure the people drafting them understand all of the regulatory, operational and financial impacts.
Deliver against your commitments in a robust and sustainable manner. The more severe regulatory intervention is always saved for those firms who have failed to address issues which have been raised (whether by the Regulator or the firm themselves).
Richard
Richard@avyse.co.uk