Contentious Financial Services Autumn Update Webinar Transcript

LD: Morning everybody and welcome to the first of our autumnal webinars now that summer is sadly over. So I'm Lynn Dunne, so I'm the head of our Contentious Financial Services Group here at Ashurst and I'm joined today by, from my furthest left, Neil Donovan who is one of our senior associates, David Capps who is one of our senior consultants and Adam Jamieson who is one of our partners. A quick instruction to Adam – I think hopefully most of you know out of the three of us, but Adam recently joined us from Bryan Cave Leighton Paisner where he was a partner in the Disputes and Investigations department. He specialises in advising financial services firms, listed companies and senior individuals involved in internal and regulatory investigations, and he also has significant experience of representing clients and regulatory enforcement actions and he spent a year on secondment to the FCA's Enforcement and Market Oversight division, so we're really, really thrilled to welcome to our team and hopefully many of you will get to meet him over the course of the coming weeks and months.

So today we've got our usual bitesize agenda, so we're going to start with FCA enforcement trends which Adam will talk to you about. Then David's going to talk about the regulatory actions around the unauthorised use of WhatsApp, a real hot topic at the moment. Neil will talk about the current developments in financial crime and I will finish off by talking about an update on the Quinsecare duty.

So without further ado, I hand over to Adam.

AJ: Thanks Lynn, good morning everyone. So over the summer whilst hopefully many of you were enjoying a well-deserved break, the FCA published its annual report for 2021/2022 and buried within the operating metrics for the FCA were its enforcement statistics for the last year which I've summarised on the slide here. And the headlines really were that the FCA still has a vast and varied caseload within enforcement and perhaps rather frustratingly regulatory investigations are taking longer than ever with an average time of 33 months so nearly three years, and I think that's probably due to a couple of factors. One is the volume and complexity of the cases, and secondly and perhaps more importantly the lack of resource within FCA enforcement, and the annual report separately reported an 11 per cent drop in enforcement headcount.

So this morning for the purposes of the update I wanted to focus on one trend in particular, and perhaps unsurprisingly its one that we are probably most often asked about when we speak to senior management teams and boards about what's going on within the regulatory enforcement space. And that's the focus on individuals and the risk areas in relation to individuals' conduct. And the annual report shows that more than half of the FCA's caseload involves investigations into individuals, and individuals are also a focus for the PRA's Enforcement division and many find this statistic surprising as public outcomes against senior managers have been relatively few and far between. But it's clear from the investigations that we're seeing that there is this focus on individuals and there is this pipeline of cases, and this has been a trend for a number of years and the Senior Managers and Certification Regime has only really fuelled this fire by making it easier for the regulators to identify which senior manager or group of senior managers has responsibility for the particular area in question that the regulator is looking at as part of their wider investigations.

So what are we seeing in practice based on our work defending firms and senior managers on regulatory investigations? If we could just move on to the next slide please.

So mainly what we are seeing is parallel enforcement investigations into both firms and individuals being increasingly common by both the FCA and the PRA and very often we're asked who are these investigations into? And it's a real mix – it tends to be between two to four investigations into individuals, often senior managers or certified staff members often performing significant management functions both in the first line business area but also in the second line, and in relation to the same underlying issues within the firm. So the regulators are trying to work out who it is that's responsible for the issue, who has done what, and I think it is very important to note that the alleged misconduct in these type of investigations doesn't have to be egregious, it's not always active misconduct. Of course there are investigations ongoing into issues such as insider dealing but there's also a decent number of investigations into managerial oversight failings and they could be in relation to a conduct, credential or an operational risk. And I've got a stat there from a Freedom of Information Act request the FCA responded to where they said in April 2021 they had 31 ongoing investigations into senior managers under the Senior Managers Regime, and I think that's only likely to increase in the future, particularly as SMCR gets further embedded for all the solo regulated FCA firms that have still only come into the regime relatively recently. And the types of risks and controls that the FCA and the PRA tend to look at in these investigations, they normally only crystallise and are identified a number of years after the alleged breaches occur.

So in relation to senior management function-holders, investigations tend to focus on alleged breaches of the duty of responsibility and/or the Senior Management Conduct Rules. And I think it's worth taking a moment to recognise that given the length of time that these investigations take they are extremely disruptive for the individuals involved. Whether they're suspended during the course of the investigation or they remain in role, they require a lot of support in relation to dealing with these investigations.

So moving on just to talk about and give you a bit of a flavour about what it is that the regulators focus on when they're looking at, in particular, senior managers. So typically they are thinking about, well has this senior manager taken reasonable steps to identify, assess and manage the risks in relation to the area in question and prevent any regulatory breach from occurring or continue. So what is it that the regulators are really focussing on?

So I think first and foremost it's very often apportionment of responsibility and delegation, so are there clear responsibilities and reporting lines within the area of the business that they are responsible for? Very often where activities are delegated, is there adequate resource within that area? Where there's vacancies, have those been addressed in a timely manner? Have steps been taken to fill them and put in place contingency arrangements?

Challenging oversight is always a big one, particularly within more sophisticated organisations. What type of management information is the senior manager receiving? Is it appropriate for them to identify and assess the relevant risks? What governance forums do they sit on or governance forums that report into them? And again, does that give them the information they need? And if it doesn't, they're expected to make sure that it does, so that's often no excuse. Escalation is another point of focus, how is the senior manager escalating risk? Have they done it in a timely manner? Has the escalation been appropriate, including up to the board and also to regulators and not downplaying the nature of issues?

Culture as a root cause is something that we're increasingly seeing. So to what extent has the issue arisen due to poor culture within a business? Is there a compliance culture? What's the tone from the top from the senior manager in relation to that? How can they evidence it? And what are they doing in relation to drivers of cultures? So remuneration, incentive structures within the business. Are they to blame for the issue that the regulator is looking at in relation to the wider firm?

And then finally and perhaps most importantly, response to red flags. So I struggle to think of an investigation where individuals have been placed under the spotlight where there isn't a red flag, so a line in the sand where the regulator says this is the point in time of which you should have identified an issue and/or you should have taken more action to deal with it. Now it could be near misses or previous incidents, it could be an adverse compliance review or an internal audit report, or it could be the regulator raising concerns directly with the firm in relation to that issue.

So hopefully that gives you a sense of the regulators' approach to these types of investigations. I'm very happy to take questions at the end of the session or discuss enforcement trends more generally over a coffee.

For now I'm going to handover to David who is going to take you through the regulatory actions around unauthorised use of WhatsApp.

DC: Thanks very much indeed. Right, so WhatsApp, and this has become more topical over the last week. Regulators are increasingly concerned about the use of WhatsApp, personal text messages, personal email, personal devices generally for business purposes. This kind of flowed out of the time when people were working at home in Covid and obviously the real reason behind this concern is that neither the firm itself or the regulator can get their arms around materials on personal devices and they can't get hold of it for the purposes of investigations – they are basically outside of their control, and that's kind of layered also with the fact that many of these apps are encrypted with receipts, and WhatsApp is the real hot one.

Now in the US we saw at the end of last year that the regulators there took action. The SCC and the CFTC were conducting investigations and took action in December against a broker dealer subsidiary of J.P. Morgan in relation to what they characterised as widespread and longstanding failures by the firm and its employees to both maintain and preserve all of those communications on personal devices and apps and so forth. Now J.P. Morgan admitted the facts in the SCC's order and agreed to pay a $125 million penalty and also implement fines and improvements. Now the admitted facts that were in the order basically say that from 2018 through to November 2020, JPM's employees frequently communicated about their securities business on these personal devices, text messages including WhatsApp and personal emails. As a result, those records were neither preserved or produced in response to subpoenas and information requests by the US authorities. This was firmwide, it involved employees at all levels of authority and it wasn't even hidden within the firms themselves. They referred to dozens of managing directors and senior supervisors who were themselves responsible for implementing the firm's policies and procedures and overseeing employees, but themselves doing this in breach of the firm's policies. JPM's employees were advised and prohibited from using unapproved electronical communication means and indeed WhatsApp was specifically referred to in the policies being a prohibited means for communication. And as I mentioned, JPM received a number of subpoenas and information requests but failed to either maintain the records of these personal devices or produce them in response and this was said by the SCC to have impacted their ability to investigate potential violations of securities laws.

In terms of volume there were 21,000 texts and emails in one year mentioned in the citizen's order. Separately the CFTC announced a settlement with J.P. Morgan and affiliated entities and they were subject to a $75 million financial penalty.

Now that was obviously quite some time ago however only last week the SCC announced it had settled similar charges against 16 more Wall Street firms. Now eight of those firms were fined $125 million each, the remainder faced smaller fines. At the same time and in a similar kind of way the CFTC fined 11 firms between $30 million and $1 million each. Now the orders are very similar to the J.P. Morgan ones, the facts are very similar but at least one of the orders refers to employees in the UK and at least one of those orders refers to intentional deletion rewords, that's obviously one of the CFTC orders. Each of the orders has an example on a particular person not named, usually a senior manager having been responsible for sending lots and lots of these things. So I think we can see what's going on in the US – the warning signals are there.

Now what about in the UK? Now back in 2017 we saw a fine, we saw a chap called Christopher Niehaus, a former Jefferies investment banker, he was fined for sharing client information over WhatsApp and they found he had breached the principles of failing to act with due skill, care and diligence.

Now more recently last year the FCA Market Watch 66 was published in January 2021 and that warned about the increasing use of unmonitored and encrypted communication, and that's including WhatsApp. The FCA said that they will be taking action against a number of individuals and firms in relation to the use of WhatsApp and other social media. Now all rather ominously they added "…We expect this to remain an area of focus…" and also put down a marker that it expects firms to proactively review policies and procedures in relation to this area. I've personally had some first-hand experience in relation to this where FCA investigated as a live direct client and asked to have access to the traders' phones including unlocking access to WhatsApp. That was some time ago now but that's obviously something that I've seen up close and personal.

And then looking forward as often we do with these things, if these things are playing out in the US there's a very good chance they will play out here. A number of these audits are firmwide issues so I would expect that this is going to be an area that the FCA will be ratcheting up, they probably might already be doing it in a number of firms, particularly those who face effective pressure in the US.

Now just to wrap up, I had a question which was asked of me which I will probably cover now: "Could a firm have a policy that staff are not permitted to use WhatsApp for business purposes?" Well I think the short answer to that is probably yes, or most definitely yes. And then the second part of that question is "What onus is there on firms to check that the policy is being abided by?" Well the problem here is how do you check that people are not using personal devices because by their nature they are personal to them. I think the answer to that is perhaps can you include a permission to look at personal devices in employment contracts, can we ask to have access in relation to pleas where the subject of the conduct with staff, that sort of thing. But the difficulty you might also have is that clients of the firm may think that these sorts of apps are there for the firm for everybody's communication. So I think the big difficulty for firms here is how do you police it. I think better find a way and at the time it comments the rules or amongst your employment terms and just generally putting pressure on staff, making sure they are aware of policies and clients to abide by.

So if there are any further questions I am happy to take those at the end but this I think is going to be an area of focus on my piece of paper.

ND: Next slide please. Good morning everyone, I'm just going to spend a few minutes covering three hot topics from the financial crime space. Firstly it won't come as any surprise to anyone that the predominant issue throughout the year and over the summer and continuing over the summer has been compliance with economic sanctions. Given the speed at which the sanctions were implemented back at the start of the year, the FCA and the Office of Financial Sanctions Implementation and Treasury were expected to allow firms a grace period while they reacted to the new rules. It is safe to say that that position has hardened over the summer – the FCA set out its position very clearly in a letter to the Treasury Select Committee indicating that that period is now over and that firms have had a reasonable period to respond and that they're increasing their assessment work on sanctions controls, very much with a focus on sanctions breaches and attempts to circumvent sanctions. In this regard the FCA has initiated a round of onsite reviews and visits and interestingly they have deployed a new analytics-based tool which tests firms' implementation of sanctions against Russia. And the way this works is that the tool generates test data and sends firms a list of 100,000 entities to screen in order to test the best systems can identify sanctioned entities effectively. The use of this tool is quite significant because it has the potential to enable the FCA to conduct targeted sanctions assessments over a much larger number of firms and it's obviously a lot more efficient than conducting onsite reviews and requires less resource. And the FCA has highlighted this as an example of its data-lead approach as part of its broader transformation in terms of supervision and enforcement.

A couple of other points just to mention on sanctions. There are very, very broad legal obligations, notification obligations when it comes to sanctions in terms of notifying OFSE about any breaches or coming into contact with a designated person or entity. The FCA has also indicated that it expects to be notified simultaneously of any reports to OFSE, so again the detection risk and the risk of potential parallel investigations has increased. And the FCA has been encouraging whistleblowers to come forward and report any perceived weaknesses in sanctions, systems and controls, and interestingly the FCA has been emphasising its information sharing agreements in place with OFSE and the FCA's seconded members from its financial crime scene to OFSE. And so I think the key takeaway from firms is that there is a very close working relationship between the two and sanctions compliance very much remains a focus for the FCA.

Moving on, Adam mentioned earlier the FCA's annual report and in that they restated that financial crime remains a strategic area of focus. On the supervision side we've seen continued sematic work, most recently they have focused on financial crime controls in challenger banks which was identified as a high risk sector in the national risk assessment last year. But as ever the FCA has stressed that the findings should be reviewed and taken into account by firms across the sector when it comes to financial crime.

Now the common areas of failing are the ones that we have seen before the pandemic in terms of customer risk assessments, failure to complete customer due diligence and enhanced due diligence measures, inconsistent and inadequate rationales for discounting alerts and for not reviewing alerts holistically and looking at financial crime risks more broadly.

An emerging area that we haven't seen previously is the FCA focus on weaknesses overseeing firms' managements and governance of financial crime change transformation programmes. This is an area that appears to be under closer scrutiny as firms adopt new technologies and implement more sophisticated financial crime controls. And the FCA commented on inadequate oversight, lack of implementation plans and clear milestones and deliverable dates. From a governance perspective they have indicated that they expect risk committees, audit committees and senior managements to be involved in overseeing these transformation programmes and they also flagged Principle 11 as an obligation that firms need to be keeping in mind if there are any issues in terms of implementation of these programmes.

I'm going to finish just on a very, very recent development which is the publication of the Economic Crime in Corporate Transparency Bill the week before last. This has been a major development because it will if enacted introduce significant changes to the UK's regime for AML and economic crime more generally. It's the second piece of legislation in 2022 targeting economic crime following the Economic Crime Transparency Enforcement Act which was partied in over three days following the invasion of the Ukraine earlier in the year. And the new Bill builds on a number of themes and government priorities addressed in that earlier Act, notably transparency of ownership of corporate structures and it's aimed very much at deterring international criminals from seeking to use the UK as a safe haven in which to launder criminal assets. The Bill proposes wide-ranging reforms and so we won't have time to go into all of them today but a number of them are aimed at making Companies House a more effect gatekeeper and enhancing its powers to check, remove or decline information submitted to the register.

I'm going to mention three changes of interest to financial institutions.

First, the Bill proposes exemptions for financial institutions only to the principle money laundering offences under the Proceeds of Crime Act 2002. So these are the offences which broadly prohibit dealing with criminal proceeds, and one of the more interesting exemptions is that firms will no longer be required to notify the NCA and will not be committing an offence where they are terminating a customer's account and clear ways of suspected criminal property to the customer of up to £1,000 in value. And this initiative is very much aimed at reducing a number of SARs and DAMLs that are submitted to the NCA which have increased exponentially in recent years and enable the NCA to commit resources to tackling more serious economic crime.

Secondly, the Bill proposes a new provision in POCA which will allow information sharing between regulated firms without the risk of civil liability for breaching duties of confidentiality owed to customers, and the proposed provision will allow two firms to make direct disclosures to one another regarding an existing or former customer where the disclosure is for the purposes of preventing, detecting and investigating economic crime. This is the government's second attempt at this in terms of information sharing within the sector. The first under the Criminal Finances Act 2017 had had very limited effect and that's due to the onerous notification requirements which required law enforcement to be notified at each stage of the process. This new mechanism on paper looks much more efficient and if it's enacted as drafted then it may well increase cross-sector information flow regarding suspected criminality in the financial system.

And finally just to mention from an SFO perspective, the Bill expands the powers of the SFO to compel entities to provide information during the pre-investigation stage, so this is before the director formally opens an investigation. These powers have to date been limited to cases of overseas and suspected overseas bribery and corruption but they have been very effective for the SFO in developing its intelligence gathering capabilities and mining new cases. The Bill proposes to expand these powers to all forms of serious fraud so there will no longer be limits into overseas bribery and corruption.

I'm going to pause there but very happy to take questions.

LD: Thank you Neil. So I'm just going to spend a few minutes talking about the Quincecare evolution/revolution. So as the law in this area has expanded incrementally through case law, banks will be as aware of the issues the courts haven't determined as those that they have. And there is still considerable uncertainty, for example around what banks are expected to do in practice to discharge their Quincecare obligations and about whether banks will be liable for loss if they suspect fraud and refuse a transaction which subsequently turns out to be genuine.

So I want to just run through the developments in this area, starting with the case that gave its name in 1992, Quincecare and Barclays, and summarise the current position with a brief word about the overlay of the consumer duty. So in Barclays Bank and Quincecare it was held that it was an implied term of the contract between a bank and its customer that the bank would use reasonable skill and care in executing the customer orders. This was subject to the conflicting duty to execute the orders promptly so as to avoid causing financial loss to the customer. But there would be liability if the bank executed the order knowing it to be dishonestly given or shut its eyes to the obvious factor the dishonesty or acted recklessly in failing to make such enquiries as an honest or reasonable man would make. And the bank should also refrain from executing an order if and for so long it was put on enquiry by having reasonable grounds although not necessarily proof for believing that the order was an attempt to misappropriate funds. So quite a lot there for banks to deal with in 1992.

25 years later we move forward to a case which went to the Supreme Court, Singularis and Daiwa, and the market took a great deal of interest in this case because it was really the first one racking at the issue since the Barclays case and we actually acted for the defendants in this case and I know we spoke to many of you about it at the time. In this case Mr Al Sanea was the sole shareholder, director, chairman, president and treasurer of Singularis and he was also the signatory with its bank accounts, and as that signatory he instructed the bank to pay $204 million out of its account to third parties. And Singularis subsequently went into liquidation and the joint liquidators brought a claim against Daiwa to recover the misappropriated funds. And it was held that there was a clear breach of the bank's principal care duty or care to Singularis. And the particular issue before the Supreme Court was whether such a claim for breach of a bank's principal duty of care was defeated if the company's instructions were given by the company's chairman and sole shareholder who was the dominant influence over the affairs of the company. So could his fraud be attributed to the company? So the bank argued that if the fraud was attributed to the company then Singularis' loss was caused by its own fault and not by the fault of Daiwa. So the Supreme Court held that Al Sanea's fraudulent conduct could not be attributed to Singualris on the basis that to do so would [de-new] the principal care of duty of any value in places where it was most needed.

A few years later in 2022 we had Philipp and Barclays Bank which went to the Court of Appeal. So in that case Mrs Philipp was the victim of an authorised push payment or APP fraud, which many of you will be familiar with. So she was deceived by a fraudster into instructing her bank to make payments of £400,000 and £300,000 out of her Barclays account to accounts in the UAE controlled by the fraudster. The Court of Appeal rejected the bank's argument that the principal care duty was limited to cases in which there was fraud by an agent acting for the customer because in such cases the fraud meant that there was no authorisation by the customer for the transfer, and the bank's obligation is simply not simply to execute every payment instruction of whatever kind unthinkingly. It was reasonably arguable that that duty would arise in any case where the bank was on enquiry that the order was an attempt to misappropriate funds even where the personal customer was themselves giving the instruction, and in this case the instruction had actually been given in person in one of the instances in a branch. So the Court of Appeal's decision marked a significant victory for consumers and is clearly unhelpful to banks. So as a matter of law, a relevant duty of care can arise where an individual customer is unknowingly the victim of APP fraud and instructs their bank to make a payment. So if the bank is put on enquiry by the particular facts of the case and by applying the standards of an ordinary frequent banker, in the context of any relevant codes, policies and procedures, that complying with the customer's instructions could result in their funds being misappropriated, the bank will have a duty to refrain from making the payment until further enquiries are made. So this opens an avenue by which banks could be liable to compensate individual customers who are victims of APP fraud. The bank has sought leave in the Supreme Court but that leave hasn't as of yet been granted and even if it is it will be one to two years before that case will be heard in the Supreme Court. So it leaves banks currently in a pretty difficult position. UK Finance have intervened about appeal so we wait to see what happens.

As an aside on APP while I'm touching on it, the PSR, the Payment Systems Regulator, has also recently announced a consultation into mandatory reimbursement for losses of more than £100 except in cases of the customer's fraud or gross negligence, and that consultation runs until 25 November.

So there was one other case in 2022 just worth mentioning which was Royal Bank of Scotland against JP SPC. So this was a decision that will be welcomed by banks contrary to the Phillip's one where the Privy Council held that the bank's principal care of duty does not extend beyond being a duty owed to the bank's customer. The Privy Council held that a banker has no principal care of duty to a person who is known to be the beneficial owner of monies held in the account of a customer of the bank and who is being defrauded by the customer. So some limitation there on the principal care of duty but still very onerous obligations on banks to limit loss of those monies. And that Privy Council decision has persuaded authority obviously in the English and Welsh courts.

So with those duties in mind, some thoughts on the new consumer duty in this context, if you could just move onto the next slide, thank you. So the FCA is introducing a new consumer duty effective from 31 July 2023 and as you know, that extends the new Principles for Business 12, so a firm must act to deliver good outcomes for retail customers and a number of underlying cost-cutting rules including rule 2 which is avoiding causing foreseeable harm to retail customers and that's in relation to regulated firms' activities in relation to retail customers as defined in the FCA Rulebook, such as COPS. Deposit-taking is a regulated activity so the consumer duty and the rules will apply to the operation of bank accounts. So this is another onerous obligation on banks and coupled with the Philipp's case really highlights the difficulties which are being faced. However, regarding the consumer duty breaches, the sort of semi good news is that retail customers will have no private right of action under section 138(d) of FISMA to bring sort of damages claims for breach of the consumer duty or the rules, but bear in mind that the FCA itself can enforce in that instance. So we'll have to wait and see how it all develops both in the context of any Supreme Court ruling if it goes that far and leave is granted, but also how the consumer duty is implemented.

So that was all from us, we've had a number of questions which I will turn to, so thank you very much for those. And if anyone does have any other questions do just put them in the Q&A box.

So I think, David, this is one for you. They've done a couple of parts, if I start with the first part. So given the US regulators base their cases on information outside of the firm's systems, how do they determine how much and what type of information this was?

DC: Well I think looking at the orders, basically it became clear to the US regulators that they hadn't received all of the information and they had specifically made requests to J.P. Morgan, they specifically made a request to the firm to produce the material that was on personal devices and that was then forthcoming so that was how they went about it. So clearly, this is obviously in the US so US security specialists of JPM must have required simple reasons to produce them.

LD: Okay, and a question which flows from that is the applicability or otherwise of GDPR in those circumstances. So none of us here are GDPR specialists although we do have a team and we can get back to you on that separately, but all I would say on that is that we have had a recent investigation where the WhatsApp data was compelled by the regulators so they get into quite an interesting point as to how the powers of compulsion sit against the obligations of the institution under GDPR and to whether it's acting as controller or operator.

DC: And just going back to my point about how you mull through this, if you have got conductible staff they probably would feel under a great deal of pressure if they were asked to produce business records on their personal devices, I think you would be quite brave to start running GDPR arguments if you did show, for example, because the firm took the other side of those, could lead some of those communications for the regulator, so I think there are means by which some pressure can be put upon although I am not going to try and answer too many things off the top of my head.

LD: Well, depending on where we go with the Government, GDPR may go behind us. So Neil, one for you, what action can we expect the FCA to take in relation to breaches of Russian sanctions?

ND: Yeah, that is a good question. I think the first point to remember here is that it is the Office of Financial Sanctions Enforcement of the Treasury that is responsible for enforcing actual violations and circumvention of sanctions and breaches of the rules. However, breaches may also indicate to the FCA interior weakness in firm's systems and controls, and I think this is the angle which the FCA would take. It is very easy to see the parallels and the case theories that the FCA could leverage from the work it's done over many years now in investigating and enforcing respective AML systems and controls breaches. And say, for example, they could probe defective sanctions screening, processes and tools, ineffective escalation, potential sanction skips. So, I think the key takeaway for firms here is to be ready to answer those questions if there is a concern that one of the rules/one of the sanctions has been breached and be in a position to demonstrate to the FCA that the system was properly calibrated and there were effective escalation channels in place.

LD: You are obviously very popular this morning, we have got another question for you. Hot on financial crime. It's quite technical. Does the FCA expect a notification following an OFSI designated person report even where there are no assets for general activity on the account?

ND: Yes, I mean, I haven’t come across making a notification to the FCA on this specifically that …. the FCA's expectation is set out in the Treasury Select Committee Letter which was issued in July so I would encourage you to look back on that, and it simply says that they expect to be informed where [OFSE] is notified of an issue. So I think erring on the side of caution it would make sense to certainly consider those by the FCA and, depending on the nature of the interactions of the designated person, then it may be necessary also, and the circumstances in which it has happened, it may be necessary to consider Principal 11 obligations as well.

LD: Thank you. And one last question this morning, this one for you Adam, what can senior managers do to evidence that they have taken reasonable steps?

AJ: Well, I think the challenge in relation that senior managers is often these investigations are launched many years after the event in question, memories fade, very often the individual might have even left the organisation or moved on to a different role, so evidencing what they have done to discharge their duties is quite difficult. Some senior managers and firms put in place what are described as reasonable steps assurance frameworks which really enables senior managers to create a record of you know what the risk management framework was which they relied upon. So what was the relevant policies and procedures for their area of the business, who were the key people and reporting lines, what type of management information did they receive and produce, what governance forums did they sit on and provide challenge in relation to what assurance reviews were carried out, and really just all those different steps such that if an investigation is launched later they had at least got a starting point to look at all the data that would exist on the firm's systems to help both the firm and themselves defend those investigations.

ND: I echo that, that reasonable steps framework is pretty much standard I would say amongst firms that they actually comply with this and I think that that is going to be the starting point to be able to put/ensure that there is such a framework in place, certainly needs to be back in the interview that would get you quite a long way down the line in relation to compliance with your individual conductible obligations as a senior manager.

LD: Thank you. Okay, well that concludes our session for this morning. I would like to thank Neil, David and Adam, I would like to thank you all for joining. A shameless plug for our next webinar, where it says it's the 7th December, so very much hope to see all of you there and thanks very much again. And if you would like any follow-ups our details are on the screen and please do not hesitate to contact any one of us. Thanks very much.