HOMESERVE: FURTHER INSIGHT INTO REGULATORY EXPECTATIONS OF SENIOR MANAGEMENT

FINANCIAL SERVICES

The recently-published FCA sanction against HomeServe Membership Limited, an insurance intermediary, provides further insight into the regulator's expectations of senior management; and highlights the corresponding importance of a strong regulatory compliance culture within financial institutions.

In February 2014, HomeServe received the largest ever retail conduct fine - £30m - for a series of serious, systemic and long running failings. This article focuses on those aspects of the FCA's findings relating to senior management engagement and compliance culture - two key areas of current regulatory focus.

Whilst it may be tempting to dismiss the FCA's conclusions in HomeServe as retail-specific, prudent wholesale firms will also take heed - for there are lessons to be learnt across the regulatory spectrum.

RELEVANT FINDINGS AND PRACTICAL POINTERS

In broad terms, HomeServe failed to embed a robust culture with adequate focus on compliance and treating customers fairly. Additionally, senior management were found to have been insufficiently engaged with compliance matters.

However, an examination of certain of the FCA's specific underlying findings provides some instructive insight into the regulator's mind-set. Indeed, firms might view the following sections (together with the cultural indicators contained in the Annex) as a sensible framework, against which to assess aspects of their own conduct.

Governance and the role of Compliance

Following the (cost-efficiency-driven) departure of HomeServe's former Legal and Compliance Director, compliance representation at Board meetings was limited to a senior compliance officer, attending in an observational capacity. This representative had no formal input into the meetings, other than to answer any relevant queries arising.
HomeServe itself acknowledged that the Compliance Department was not given sufficient weight to raise serious issues.

While there is of course no strict requirement for Compliance to have a seat on the Board, firms must nevertheless be prepared to articulate how, in practice, Compliance is afforded (and, where necessary, actually exerts) the requisite level of influence. Compliance visibility and credibility are also likely to feature prominently on the regulator's agenda.

For example, firms might usefully consider whether:

- The relevant compliance representative has the necessary gravitas and experience; and will be prepared (and is seen) to challenge the business, where appropriate
- Compliance should routinely be consulted at agenda-planning stage
- The reporting line of the Compliance function is appropriate
- It would be appropriate for Compliance to have a standing slot at Board meetings
- It would be desirable for Compliance to sit (or be otherwise represented) on the Board
- The level of day-to-day interaction between Compliance and senior management is appropriate
- Compliance is seen as a "necessary evil"; and, if so, why?
- Compliance is well-respected and has the ear of senior management

From the regulator's perspective, Compliance represents a fundamental independent control - which must be demonstrably evident in practice. As the HomeServe case illustrates, the FCA will view dimly any suggestion that compliance is not taken sufficiently seriously. Indeed, any such suspicions have been known to precipitate a wider and more in-depth supervisory examination.

Insufficient board engagement

On a separate albeit related note, HomeServe's Board was criticised for failing to pay sufficient attention to compliance issues and therefore taking inadequate remedial steps. In particular, the Board failed to review and react to compliance monitoring reports that raised serious concerns [1].

It was acknowledged that the Board did periodically receive a brief update (from the Compliance and Risk Committee (CRC)). However, the FCA considered that this was insufficient, as the Board was not informed about all key compliance issues that arose. While the Board packs included a copy of CRC meeting minutes, they did not include compliance monitoring reports [2], notwithstanding the serious concerns raised. This meant that significant issues which required Board attention may not have subsequently been raised and discussed at Board level.

In the same vein, the FCA found that discussions about compliance reports at Board level were limited and that compliance issues were not regarded with sufficient importance. Further, there were no criteria to determine when or why a particular compliance monitoring report should be discussed at Board level.

The regulator will expect to see demonstrable evidence of substantive Board engagement in compliance and risk issues.
Whilst there are no prescriptive requirements as such, in practice, this is likely to involve:

- Board packs and management information consistently incorporating all significant compliance-related reports
- Agreed criteria to determine when a compliance issue should be discussed at Board level
- Substantive (and meaningful) discussion around relevant issues
- Capturing, and properly reflecting, such discussions in the Board minutes
- Substantive compliance representation (and voice) at all Board meetings at which relevant compliance-related issues are discussed - to ensure that the significance of any such issues is properly explained and understood

Lack of senior management training

The FCA found that there was a widespread lack of regulatory knowledge amongst HomeServe's senior management team: HomeServe failed to ensure that its senior management undertook appropriate regulatory training. Specifically, regulatory training provided to senior management was at best, limited, ad hoc and dependent on the individual, but more often nonexistent. In consequence, regulatory risks were not appreciated by some senior managers and regulatory objectives were not ingrained in HomeServe's culture.

More specifically, the FCA noted that this perceived lack of regulatory knowledge was evident from its interviews with various members of senior management. For example, there was confusion around the differences between controlled functions and lack of clarity over relevant controlled function responsibilities.

Additionally, the FCA found that this lack of regulatory appreciation contributed to an unhelpful profit-driven culture, with inadequate regard paid to customers' interests; and to the Compliance function possessing insufficient internal gravitas.

These issues were exacerbated by the fact that HomeServe had failed to learn lessons from a past skilled person report into its governance, risk and control mechanisms, which had not been appropriately embedded.
One issue identified in that report related to the firm's general lack of regulatory awareness.

Periodic regulatory training has become an effective prerequisite for senior management of regulated firms. Ideally, such training should be:

- Interactive - with ample opportunity for questions and debate
- Tailored - to the specific business and operations of the firm concerned
- Focused on key issues of likely practical relevance (both present and on the horizon)
- Regular - at least annually
- Mandatory - no member of senior management is likely to be immune to regulatory sanction

[1] Here, about potential mis-selling of products.
[2] As the FCA suggested should have been included as a matter of course.

Interestingly, recent experience indicates an increased appetite from senior management bodies for regulatory training. The FCA's concerted focus on senior individual accountability and the (related) proliferation of attestation requests has undoubtedly served to focus minds.

Without the requisite regulatory awareness, firms (and, potentially, relevant implicated individuals) run a real risk of adverse regulatory interest - as HomeServe clearly illustrates.

CONCLUSION

The findings outlined above may serve as an opportune prompt for firms to re-assess whether their existing compliance culture and level of senior management engagement on compliance issues would withstand close regulatory scrutiny. The highlighted practical pointers (alongside the cultural indicators contained in the Annex) are intended to provide a framework, against which firms might undertake such an initial assessment.

In the current regulatory environment, words alone will not suffice. Rather, the regulator will expect to see demonstrable substance underpinning the rhetoric - evidenced, for example, through active senior management engagement in compliance issues, effective Compliance input at Board level and formal documentation [3] reflecting such involvement.

It is also clear - if it were ever in doubt - that regulatory ignorance will not constitute a defence for those occupying senior management positions. Never have such demonstrability and heightened regulatory awareness been so important - Boards and senior management should consider themselves duly warned!

[3] For example, minutes and management information.

ANNEX

CULTURE

Culture is like DNA. It shapes judgements, ethics and behaviours displayed at those key moments, big or small, that matter to the performance and reputation of firms and the service that it provides to customers and clients. In many cases, where things have gone wrong a cultural issue is at the heart of the problem. We will draw conclusions about culture from what we observe about a firm [1]

The above quotations represent a small (albeit instructive) selection of recently-published regulatory pronouncements concerning culture - a topic of concerted FCA focus. The regulator has expressed readiness to draw cultural conclusions from its observations of a firm.

This note suggests some [2] practical indicators, to which the regulator is likely to have regard in this context; and may therefore serve as a useful reference point for any cultural self-assessment.

CULTURAL INDICATORS

Response to issues / incidents (including "near misses")

A firm's response to an incident or issue can often prove to be a key cultural indicator - after all, actions speak louder than words. For example: Was the response sufficiently credible? Did it indicate a resolute determination on the firm's part to do the right thing? To whom was it escalated? Who is responsible for dealing with the identified issue? How robustly was it handled? Was it prioritised appropriately, with the requisite sense of urgency? Was the regulator informed in a timely manner? Has an action / remedial plan been instituted? Are deadlines appropriate (and not too far out)? Was a wider internal investigation appropriate in the circumstances? Were any lessons to be learnt? If so, how in practice?

Complaints handling

How seriously is the firm treating complaints? For example: Are any trends being monitored effectively and actioned accordingly? By whom? Is the complaints-handling process sufficiently transparent and designed to give the complainant a fair hearing? What complaints-related MI is being generated?
To whom is it circulated?

Incentive structures

Is an appropriate balance being struck between the interests of clients and the firm? To what extent (if at all) is the emphasis on clients' interests / good regulatory compliance conduct, as opposed to revenue generation? Where is this evidenced? What (if any) claw-back mechanisms exist?

Performance management

Are appropriate metrics being used to assess individuals' performance? How seriously are contraventions treated in practice? Is good citizenship being afforded sufficient weight? Is there an over-focus on revenue generation? What sanctions are employed for: failure to complete mandatory compliance training; and material and/or repeated breaches of internal policies and procedures? Are they credible? Is there a true incentive to do the right thing?

[1] The Importance of Culture in Driving the Behaviour of Firms and How the FCA will Assess This, Clive Adamson, Director of Supervision, FCA, April 2013.
[2] Albeit not an exhaustive list.

Board / senior management engagement

Is the correct tone from the top being conveyed? Does it pervade throughout the organisation? How (if at all) have the Chief Executive Officer (CEO) / senior management articulated their cultural expectations? Where is the evidence? For instance, when did the CEO last issue a relevant communication to all personnel, setting out his or her clear expectations? Is it time for a re-articulation? Is the articulation of the firm's cross-selling approach consistent with TCF and clients' best interests? Are they demonstrably practising what they preach? To what extent (if at all) will the board / senior management become (and remain) involved in any material regulatory compliance issues? Through what channel(s)? Has there been a recent example? If so, how did it play out? What relevant MI is provided to the board / senior management? Does this, for instance, include any TCF-related information?

Quality of MI

MI will be a key evidential indicator of cultural awareness throughout an organisation (linking into several of the other areas covered in this note). Is MI sufficiently informative in the context of customer-facing issues? Is MI being provided to the right bodies / individuals within the firm's governance framework? Is MI receiving appropriate challenge? How is this evidenced? Is MI prepared to the right level of detail to ensure a proper understanding of issues? Is this periodically reviewed? Is MI sufficiently meaningful in its content?

Approach to training

A firm's approach to training and education can be a good indicator of its attitude towards good compliance conduct. What is the firm's general approach to training its personnel? What does the training programme look like? Who is responsible for this? Does it appropriately reflect regulatory expectations and evolve over time? Is it sufficiently tailored and practical? Is it undertaken frequently enough? Is training mandatory?
What checks are in place to ensure that all required participants do in fact attend? Are new joiners provided with appropriate induction training? Is completion of all required training modules an important factor in appraisals? For example: Are bonuses withheld from any individual who has not successfully completed their training?

Response to legal or regulatory developments

Is the firm sufficiently responsive to regulatory pronouncements and developments (including relevant published Final Notices)? How does the firm monitor for relevant pronouncements and developments? Who is responsible for ensuring that the firm remains in line with prevailing regulatory expectations and developments?

Approach to contraventions of internal requirements

The manner in which breaches of internal requirements are treated will be an important cultural indicator. The Breach Register will often be an obvious first port of call for a regulator. What is the process for investigating policy / procedure breaches? To whom might issues be escalated? How are repeated contraventions dealt with? What flow-through is there into appraisals / bonus determinations?
Is the firm practising what it preaches? What does the Breach Register look like? What story does it tell?

Decision-making and escalation

Are decisions being taken at the right levels and issues escalated appropriately?

Customer experience

How customer-friendly was the front-line sales experience?

Approach to product development and on-going product monitoring

Is sufficient weight being attached to TCF and clients' interests throughout the product development process and beyond into post-sale? Do internal templates and New Product Committee minutes adequately reflect customers' interests; or are they solely focused on commercial considerations?

Role / status of Chief Compliance Officer (CCO) and Chief Risk Officer (CRO) within organisational framework

Where do the CCO / CRO feature within the governance framework? Do the CCO / CRO have a meaningful voice? Extent of day-to-day contact with senior management. Internal perception of Compliance / Risk - business prevention versus commercial facilitation.

Relationship with regulators

Does the firm enjoy a healthy and constructive relationship with the FCA / PRA? Does the firm endeavour to remain on the front foot with the regulator? Has the firm consistently shown itself to be open and cooperative?

Are trends actively monitored; and by whom? For example: Products exceeding all expectations - is there an untoward reason for this? Products attracting an unusual / inordinate number of complaints or queries. Are products being sold to the type of customers for whom they were originally intended? What post-sale MI is generated? How is this considered? By whom?

CONTACT DETAILS

If you would like further information or specific advice please contact:

DAVID BERMAN
DD: +44 (0)20 7849 2733
david.berman@macfarlanes.com

FEBRUARY 2014

MACFARLANES LLP 20 CURSITOR STREET LONDON EC4A 1LT T: +44 (0)20 7831 9222 F: +44 (0)20 7831 9607 DX 138 Chancery Lane www.macfarlanes.com This note is intended to provide general information about some recent and anticipated developments which may be of interest. It is not intended to be comprehensive nor to provide any specific legal advice and should not be acted or relied upon as doing so. Professional advice appropriate to the specific situation should always be obtained. Macfarlanes LLP is a limited liability partnership registered in England with number OC334406. Its registered office and principal place of business are at 20 Cursitor Street, London EC4A 1LT. The firm is not authorised under the Financial Services and Markets Act 2000, but is able in certain circumstances to offer a limited range of investment services to clients because it is authorised and regulated by the Solicitors Regulation Authority. It can provide these investment services if they are an incidental part of the professional services it has been engaged to provide. Macfarlanes February 2014