Legal development

Calibration of conduct - how best to deal with a Conduct Rule Breach


    Background

    The senior managers and certification regime ("SMCR") has been in place for quite some time now; March 2016 for banks and PRA investment firms and December 2019 for most other FCA authorised firms. A key component of the SMCR is the Conduct Rules, which replaced the Principles for Approved Persons and were expanded in scope of application so that, under SMCR, Individual Conduct Rules now apply to almost all employees of a firm.

    The Conduct Rules were a key tenet of the SMCR whose overarching aims were to reduce harm to consumers and strengthen market integrity. It was believed that these objectives would be achieved by raising the standards of conduct at all levels within financial services firms.

    However, there is significant divergence in the market as to how firms approach Conduct Rules and, in particular, how a firm determines when a Conduct Rule has been breached. This is exacerbated by conflicting FCA Handbook guidance and rules under the Financial Services and Markets Act 2000 ("FSMA"). In our experience advising banks and financial services firms in this area, we consider that this is leading to unnecessary employment, compliance and litigation risk arising for firms.

    We therefore believe that firms would be well advised to revisit their approach to Conduct Rules, including the interaction with their disciplinary processes, and ensure that this is well calibrated compared to their peers.

    This briefing sets out a background of the issues, some of the challenges firms face and our view on the best approach to take to mitigate unnecessary risk. In summary:

    • Firms face difficulties in understanding conflicting regulatory rules and guidance in relation to the determination of Conduct Rule breaches;
    • Risks arise where firms determine that Conduct Rules have been breached but that such conduct does not amount to a reportable Conduct Rule breach that requires notification to the regulator. Often this is because such a Conduct Rule breach would still need to be disclosed on a regulatory reference (under the catch-all question G) but does not afford the individual the due process of a disciplinary procedure;
    • Firms should ensure a consistent approach in relation to behaviour that triggers disciplinary processes and which could amount to a reportable Conduct Rule breach;
    • Behaviour which does not trigger a disciplinary process may still amount to compliance or other internal breach but would not constitute a reportable Conduct Rule breach.

    Conduct rules - What are they?

    As part of the implementation of the SMCR, new rules were introduced which replaced the existing Principles for Approved Persons. These new rules are known as Conduct Rules. Individual conduct rules are set out in the FCA Handbook at COCON 2.1 and consist of (each an "Individual Conduct Rule"):

    • You must act with integrity.
    • You must act with due skill, care and diligence.
    • You must be open and cooperative with the FCA, the PRA and other regulators.
    • You must pay due regard to the interests of customers and treat them fairly.
    • You must observe proper standards of market conduct.

    The Individual Conduct Rules apply to almost everyone in a firm (except ancillary staff, as defined in the FCA Handbook). There are an additional 4 Conduct Rules which apply only to senior managers and which are (each a "Senior Manager Conduct Rule"):

    • SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
    • SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
    • SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
    • SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

    Notification of Conduct Rule breaches

    There are a number of different requirements which amount to obligations to notify the regulator of events which may include possible breaches of Conduct Rules.[1] However, in addition, there are a number of issues which arise in relation to a determination of a Conduct Rule breach as a result of the legislative backdrop.

    The starting point is section 64C of FSMA which requires firms to notify the regulators of disciplinary action relating to a breach of the Conduct Rules:

    (1) If—

    (a) [an] authorised person takes disciplinary action in relation to a relevant person, and

    (b) the reason, or one of the reasons, for taking that action is a reason specified in rules made by the appropriate regulator for the purposes of this section [i.e. conduct rules], the [...] authorised person must notify that regulator of that fact.

    Section 64C FSMA defines disciplinary action as the: (a) issuing of a formal written warning; (b) suspension or dismissal of the person; and/or (c) reduction or recovery of any of the person’s remuneration.

    It is therefore clear from the primary legislation that there is a link required between a determination of a reportable Conduct Rule breach and disciplinary action.

    This is supported by SUP 15.11.6 which states that:

    "If a reason for taking disciplinary action as referred to in section 64C of the Act (Requirement for authorised persons to notify regulator of disciplinary action) is any action, failure to act or circumstance that amounts to a breach of COCON, then the SMCR firm is required to notify the FCA of the disciplinary action."

    When these rules were entering into force, the regulators addressed this issue of conduct rule breaches in their commentary in policy statements to SMCR. In PS16/22 (with reference to bank SMCR implementation), the FCA said that: "the requirements to disclose Conduct Rule breaches in a reference should mirror the FSMA’s new notification requirements for banks and they should focus on breaches where disciplinary action has been taken, as such legal and specialist input would have occurred as part of the disciplinary process and not at the point of providing a reference."

    As such, a Conduct Rule breach which is required to be disclosed under a regulatory reference ought to be accompanied by a disciplinary outcome.

    In PS 18/4 (with reference to the extension of SMCR to all FCA authorised firms), the FCA said:

    "Firms should only report Conduct Rule breaches to us where they result in one of these courses of [disciplinary] action, and once the relevant disciplinary process has been completed. This means that if an individual leaves the firm during the disciplinary process and the process can’t be completed, the firm should not submit a report." […]

    "We consider that the requirement that only completed disciplinary proceedings should be reported should be enough to prevent malicious reporting. It will also mean only proven Conduct Rule breaches will be reported to us."

    The issue for authorised firms to grapple with is that, notwithstanding the process set out above, the non-exhaustive list of examples of conduct that the FCA sets out as being in breach of the Conduct Rules may be seen as a low bar to disciplinary action. Examples include not paying due regard to the interests of a customer (COCON 4.1.1(14)) or providing advice on a transaction without a reasonable understanding of the risk exposure of the transaction (COCON 4.1.3).

    The Ashurst view

    Some firms have implemented the SMCR rules, including Conduct Rules, on a standalone basis without cross-referencing disciplinary policies and procedures, partly because of a lack of understanding of the wide definition of "disciplinary action" in this context. This could lead to determinations of a breach of a Conduct Rule prior to any disciplinary action having been taken which, in turn, whilst not reportable to the FCA, may be disclosable on regulatory references for certified persons and senior managers.

    In our view, failing to follow a disciplinary process leaves a firm susceptible to challenge from individuals who will scrutinise why a Conduct Rule has been deemed to have been 'breached' but potentially no notification to the regulator has been made nor any disciplinary process invoked. This scrutiny often arises because a Conduct Rule breach will be required to be disclosed on a regulatory reference for an individual, which may have significant personal and professional consequences. Often this issue arises when firms consider question G of the regulatory reference template, which asks: "Are we aware of any other information that we reasonably consider to be relevant to your assessment of whether the individual is fit and proper?". Many firms consider that any Conduct Rule breaches, even where not reportable, ought to be included in this field.

    Depending on the manner in which the underlying facts were investigated, this could also be subject to challenge by individuals against whom a Conduct Rule breach finding is made on the basis that they did not have the same opportunity to present their counter arguments or relevant facts as they would have in a more robust disciplinary process.

    We therefore consider that a firm should be clear about what conduct will trigger a disciplinary process for an issue that could be a reportable Conduct Rule breach. Where conduct does not reach this threshold, we would suggest that while this may amount to a compliance or HR breach, it will not constitute a reportable Conduct Rule breach.

    The conduct of the individual should be sufficient to trigger a disciplinary process (even where it leads to a disciplinary outcome such as a written warning) before there is a consideration of whether the conduct in question amounts to a Conduct Rule breach.

    In addition, only those Conduct Rules which have been found to have been breached ought to be notified to the regulator under SUP 15.11 and consequently included on any regulatory reference. This approach ensures that there is fairness of process for all parties and that a Conduct Rule breach determination is justifiable. It also ensures formal calibration of conduct as to what does and does not amount to a Conduct Rule breach within an organisation, ensuring 'best practice' is followed.

    Recommended steps

    It is often the case that firms' approaches towards Conduct Rules and Conduct Rule breaches are siloed and do not work cohesively with their disciplinary processes or regulatory notification policies.

    Given that the regulator now oversees over 47,000 FCA solo authorised firms who will be submitting Conduct Rule breach notifications on an annual basis, we believe that the regulator's focus will turn to those firms who are either overreporting or underreporting Conduct Rule breaches. We expect further scrutiny in this area.

    Firms are well advised to ask the following questions:

    • How do we determine whether a Conduct Rule has been breached?
    • Does our Conduct Rule breach determination follow a disciplinary process?
    • Do our disciplinary policies and regulator notification policies reflect the correct approach to Conduct Rule breaches?
    • How do we calibrate conduct across the organisation and is our calibration in line with our peers?

    At Ashurst we are well placed to be able to perform SMCR audits which can help identify gaps and inconsistencies in a firm's approach to SMCR requirements. The breadth of our experience can help to give a practical view of the market on what should and should not amount to a Conduct Rule breach. Our experts from our finance regulatory, employment and disputes practices work together to ensure that we can help firms best manage their regulatory, employment and litigation risks in this area.

    If you would like to find out more, please contact any of the authors below.

    1. A summary table of the key notification obligations is at the end of this briefing.

    Annex

    Each entry below gives the FCA Handbook reference, followed by the matter to be notified, the contents of the notification, the trigger event and the timing.

    COCON 2.2.4R

    Matter to be notified: Senior Manager Conduct Rule 4 requires the senior manager to disclose any information of which the FCA or PRA would reasonably expect notice.

    Contents of notification: Appropriate disclosure.

    Trigger event: Any information of which the FCA or PRA would reasonably expect notice.

    Timing: Appropriate.

    Principle 11 / SUP 15.3.7G

    Matter to be notified: Principle 11 requires a firm to deal with its regulators in an open and cooperative way and to disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice.

    Contents of notification: Details of the matter.

    Trigger event: Anything of which the FCA would reasonably expect notice.

    Timing: At an early stage and depending on the urgency and significance of the matter.

    SUP 15.3.1R

    Matter to be notified: There is a general notification requirement on a firm to notify the FCA where the following has occurred, may have occurred or may occur in the foreseeable future:

    a. the firm fails to satisfy its threshold conditions; or

    b. any matter which could have a significant adverse impact on the firm's reputation; or

    c. any matter which could affect the firm's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or

    d. any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.

    Contents of notification: Details of the matter.

    Trigger event: Where the event has occurred, may have occurred, or may occur in the foreseeable future.

    Timing: Immediately when it becomes aware or has information which reasonably suggests that a notifiable event has occurred.

    SUP 15.3.11R

    Matter to be notified: A firm must notify the FCA of a significant breach of a rule (which includes a COCON rule) in relation to any of its directors, officers, employees or approved persons.

    Significance should be determined having regard to potential financial losses to customers or to the firm, frequency of the breach, implications for the firm's systems and controls and if there were delays in identifying or rectifying the breach.

    Contents of notification: The notification should contain:

    1. information about any circumstances relevant to the breach or offence;
    2. identification of the rule or requirement or offence; and
    3. information about any steps which a firm or other person has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence.

    If the same matter needs to be notified under SUP 15.3.11R and SUP 15.11, separate notifications are required.

    Trigger event: Where the event has occurred, may have occurred, or may occur in the foreseeable future.

    Timing: Immediately when it becomes aware, or has information which reasonably suggests, that any of the matters has occurred, may have occurred or may occur in the foreseeable future.

    SUP 15.11.6R

    Matter to be notified: If a reason for taking disciplinary action is any action, failure to act or circumstance that amounts to a breach of COCON, then the firm is required to notify the FCA of the disciplinary action.

    If a firm becomes aware of information which would reasonably be material to the assessment of the fitness and propriety of a senior manager, or of a candidate to be one, it must inform the FCA (SUP 10C.14.18R).

    Contents of notification: Description of conduct rule breached and details of the breach. New notification required if update to a previous notification is required.

    Trigger event: If a firm takes disciplinary action and the reason or one of the reasons for taking that action is any action, failure to act or circumstance that amounts to a breach of COCON.

    Timing: For non-senior managers, the notification must be made annually within two months of a firm's financial reporting period ending on its accounting reference date (Form H).

    For senior managers, as soon as practicable and, in any case, within seven business days (using Form C or Form D).

    (But note PRA requirement below.)

    PRA Rulebook 11.2

    Matter to be notified: If a firm takes disciplinary action against a person relating to any action, failure to act, or circumstance that amounts to a breach of any conduct rule it must notify the PRA.

    Contents of notification: Description of conduct rule breached and details of the breach. New notification required if update to a previous notification is required.

    Trigger event: If a firm takes disciplinary action and the reason or one of the reasons for taking that action is any action, failure to act or circumstance that amounts to a breach of COCON.

    Timing: A firm must do so within seven business days of the point at which it determined the relevant requirement applied, by submitting Form L or Form C or D depending on the type of firm.

    A firm must not unreasonably delay its determination of whether or not the requirement applies.

     

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.
