Highlights from the FCA's 2019/2020 Business Plan
On 17 April 2019, the FCA released its latest Business Plan, setting out its key priorities and main areas of focus for 2019/2020. The FCA has since published its Approach to Enforcement and Approach to Supervision, which aim to help explain how the FCA carries out its activities in accordance with its Mission. We consider some of the key themes.
Prioritising technology and data – how you use it, how you lose it
Broadly speaking, the FCA's concerns relating to technology and data fall into two categories, which Andrew Bailey has summarised as "how you use it", concerning fair and lawful use of data including personal data, and "how you lose it", concerning technology and data security under the wider umbrella of operational resilience. Technology and data receive greater attention in the 2019/2020 Business Plan than has been the case in previous business plans, as illustrated by the fact that they feature prominently in the Chairman's foreword of the Business Plan.
As to the use of data, the FCA currently treats this as primarily a matter to be addressed through its Treating Customers Fairly (TCF) initiative. However, the FCA is planning to undertake discovery work through a firm survey, roundtables and supervisory conversations, to better understand how the use of data and machine learning could shape products and services and the potential implications for consumers and the functioning of markets. The FCA will then publish its views on whether its approach to TCF is sufficient to cover data ethics in financial services. One of the issues the FCA is likely to explore here is whether certain uses of data may be beneficial to customers, but harmful to others (for example, in the context of insurance pricing).
Our briefing in March highlighted that the use of "big data" or alternative data analysis in wholesale markets has created new forms of market misconduct risk. The FCA's Business Plan indicates that it will review "access to and the use of data in wholesale financial markets, as data creates opportunities for innovation, but also can drive harm".
As to technological resilience and data security, the FCA is planning to develop policy proposals and to conduct a consultation on strengthening the operational resilience of firms later this year, in response to its July 2018 Discussion Paper (DP 18/4), noting that 17% of the incidents that firms reported to the FCA between October 2017 and September 2018 were caused by IT failure at a third-party supplier. The FCA will work to set out clear expectations on firms' outsourcing arrangements. The FCA will also carry out supervisory multi-firm work on cyber-attacks and will use "ethical hacking" more regularly to test firms' cyber capabilities.
We have already seen a steady stream of high-profile enforcement investigations and outcomes relating to IT security and operational resilience. We expect this to continue. So far, we have not seen significant enforcement activity relating to artificial intelligence and "big data", but we anticipate that will change. Firms need to have appropriate principles in place to ensure that data use is fair and appropriate, both to customers and with respect to the markets and society more broadly. Firms then need to ensure that those principles are properly applied through appropriate governance arrangements when new products are developed.
Culture – new focus on "purpose" and business models
The FCA continues to stress the need for firms to create and maintain healthy cultures. Culture is the second cross-sector priority for 2019/2020 after Brexit.
The FCA is now focusing on the role that "purpose" plays in culture. The Business Plan states:
"In 2019, we will look more deeply at the concept of purpose in financial services and the case for creating purposeful cultures. We will be looking to assemble and review the evidence for a causal linkage between healthy cultures and business models and healthy outcomes for consumers, markets and firms. We will set up a working group with members from different disciplines, host industry roundtables and publish the conclusions."
Similarly, the Approach to Supervision emphasises that the FCA looks at the purpose of a firm to understand what the firm is trying to achieve in practice, not just what is written in its mission statement. The fourth of nine questions in the Firm Assessment Model set out in the Approach to Supervision is:
"How effective is the firm’s purpose in reducing the potential harm arising from the firm’s business model?"
In 2018, the FCA issued a Discussion Paper (DP 18/2) regarding culture, which indicated that thinking and perceptions on culture need to evolve. The new focus on "purpose" signifies that the FCA's own understanding of culture is evolving too. There is a desire to move beyond what may be characterised as an artificial tone from the top and a focus purely on mission statements, to look at how the inherent structure of a business impacts behaviours.
To date, firms have tended to concentrate on leadership, governance, training and reward in their approach to culture, to make sure that staff are "doing the right thing". Firms now need to go further than this to consider, expressly, how the way in which their businesses make money may influence behaviour, and then to think about whether the model needs to change or whether it may be necessary to take steps to mitigate any negative impact.
We have started to see scrutiny of these issues in enforcement investigations.
Spotlight on the perimeter
Two years ago, the word "perimeter" did not feature in the FCA's Business Plan. Now, in the wake of high-profile cases, including the collapse of London Capital & Finance and the investigation into RBS's Global Restructuring Group, the FCA is giving greater attention to the regulatory perimeter. Perimeter issues are now a cross-sector priority under the FCA's broader "future of regulation" head. The FCA notes that consumer harm often occurs on or around the regulatory perimeter, with firms and market participants unclear over its role for specific activities.
The FCA will issue its first Perimeter Statement as part of its 2019 Annual Report, which will detail issues that the FCA has faced in relation to its regulatory perimeter, including potential gaps in protection. It is anticipated that the FCA will interpret its existing regulatory powers expansively, and there is scope for its remit to be widened through engagement with the Government and Parliament.
It is important that firms clearly understand the boundary of the FCA's regulated activities and take steps to ensure that their customers do so too. The FCA has sent "Dear CEO" letters in January and April this year to remind firms of their responsibilities relating to the use of financial promotions.
Enforcement – emphasis on "serious misconduct" and remediation
Following Andrew Green QC's review of FCA (then FSA) enforcement actions, we have seen a significant increase in the number of open enforcement investigations. The draft Approach to Enforcement document published last year made clear that the FCA would seek to focus its enforcement efforts on those cases involving "serious misconduct", clarifying that not every case where there are circumstances suggesting a breach of regulatory rules will lead to enforcement.
Alongside the final Approach to Enforcement, the FCA has published a new set of "investigation opening criteria", which replace the revised enforcement referral criteria issued in 2015.
The new investigation opening criteria are shorter and simpler than the referral criteria. They focus on the concept of "serious misconduct" and list the following four specific factors against which misconduct is assessed for seriousness:
- The nature and severity of the actual and potential harm arising from the suspected misconduct. This could include the extent to which the suspected misconduct has or may affect consumers, markets or firms if [the FCA] do not take action.
- Whether the suspected misconduct has potentially wider or broader implications, and in particular whether vulnerable customers appear to have been exploited. A vulnerable consumer is someone who, due to their personal circumstances, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care.
- The extent to which the suspected misconduct may have involved any lack of fitness or propriety.
- The public interest in investigating the matter.
It is noteworthy that the investigation opening criteria refer specifically to remediation, even though remediation is more likely to be relevant in determining any penalty rather than whether an investigation is opened in the first place. This reflects the FCA's desire to give greater weight to remediation steps (or lack of them) in its decision-making. In particular, the investigation opening criteria state that:
"Firms and individuals should not wait for an investigation to end, or for us to impose a sanction, before acting in a way they think is right. This includes taking proactive steps to put right any harm or damage that may have been caused to consumers. This does not mean that, if a firm or individual has taken remedial action, we will not investigate or take enforcement action where serious misconduct appears to have occurred. We need to make sure there is full accountability for serious misconduct. However, when we decide on the appropriate sanction, we will acknowledge and give appropriate credit to wrongdoers who speedily address wrongdoing."