
What should you do when compliance hits the fan?

A compliance breach is any failure of policy, process, control or system designed to reduce your firm’s risk of enforcement action by the regulators, including fines, public censure, license suspension or criminal proceedings.

Kayne Osbourne, Chartered FCSI
April 21, 2023

So, you messed up. Now what?

When you’re a fast-growth financial firm, certain risks are accepted in pursuit of growth. As we’ve mentioned previously, founders and compliance officers alike place strategic bets with more potential upside than downside. Whilst this approach can help attain asymmetric gains, if executed poorly, it can mean that compliance gets neglected.

In the utopian world of risk and compliance theory, your tolerance for risk, or your risk appetite, will be pre-set in your Risk Management Framework or probably in a risk register somewhere. 

In the real world, unknown risks cannot be identified or computed. But these unseen exposures will also have the biggest impact on your firm’s survival. 

It is quite the conundrum, really. On one hand, you need to somehow prepare for and document your approach to the unforeseeable and uncomputable. On the other, given the futility of such an undertaking (and wise leaders know this), good risk management falls by the wayside in practice.

The problem with this is that many risks are knowable and addressable. And failing to operate effective controls in pursuit of aggressive growth is the perfect recipe for compliance hitting the proverbial.

By way of some examples:

  • Missing an update to the high-risk third countries list and failing to conduct Enhanced Due Diligence (EDD) on certain clients
  • Failing to update your business-wide AML risk assessment annually, upon launching a new product or in light of a new National Risk Assessment 
  • Publishing a non-compliant financial promotion comparing a high-risk product to a bank
  • Missing a bunch of FCA returns and the FCA threatens to cancel your permissions
  • Failing to publish an outcomes statement on your website as a P2P lender
  • Your staff are overdue compliance refresher training
  • You failed to keep good records of your business decisions
  • You failed to document any due diligence on critical vendors and third parties
  • You breached your capital requirements since you thought that having cash in the bank today was sufficient, but your reserves are negative

We could go on, but you get the idea.

How should you handle a compliance breach?

How you deal with any particular breach will depend on its severity, but first things first.

Relax

Breaches happen.

In fact, the FCA expects breaches to happen. During past FCA visits to clients, the regulator has actually asked why the breaches register was empty. So, it isn’t the end of the world that you’ve had a breach. What matters is how you respond.

Panicking doesn’t help anything and will cloud your judgement. Now is the time to think critically and deliberatively. 

Assess the damage

You need to understand how bad the breach is, or its nature. You need to, in precise terms, identify the issue and measure the extent of any damage. Ask yourself the following questions:

  • Who or what was affected?
  • Is there any customer detriment?
  • Have clients lost money?
  • What is the possible enforcement action as a result?
  • Is it reversible?

The FCA will care most about breaches that harm consumers, especially where they’ve lost money or been mis-sold to. Other concerns include money laundering and market abuse controls. Any breaches in these areas should be rectified ASAP.

Failing to give your annual compliance refresher training is far less serious than advising a 70-year-old pensioner to put half their assets into crypto.

If possible, resolve it

Having accurately diagnosed the nature and severity of the breach, you now need to design a solution and action it ASAP. 

Remember Principles 2 and 3 of the FCA’s Principles for Businesses:

A firm must conduct its business with due skill, care and diligence.

and

A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

That means you need to take it seriously and competently address the problem. Document the steps you are taking. You should always have an audit trail.

Determine whether the breach is notifiable 

A notifiable breach is going to be anything that you feel the FCA would reasonably expect notice of. This is known as a Principle 11 notification. 

A reminder of Principle 11:

A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.

You should use the latest version of the notification form, available in SUP 15 Annex 4. If the breach relates to cyber, i.e. being hacked, you’ll need to notify the FCA through Connect and may also need to tell the Information Commissioner's Office (ICO).

Make sure that you have resolved the problem before notifying the FCA, otherwise you’ll find yourself in hot water. 

You should also make sure that you word your notification very carefully. If the breach cannot be fully resolved, your notification will serve as your confession and a possible source of indictment.

If you decide your breach isn’t notifiable, keep a record of all steps you have taken to prevent the breach occurring ever again. 

What next?

Dealing with a compliance breach can be difficult. What should you do? How can you stop it happening again? Is your notification good enough? Should you even be notifying?

Hopefully, this post has given you a steer in the right direction. If you require expert support, contact us today.

ABOUT THE AUTHOR
Kayne Osbourne, Chartered FCSI

Kayne Osbourne is ComplyEasy's Founder. Kayne is a Chartered Fellow of the Chartered Institute for Securities Investments, CAMS certified, and has advised dozens of fintech and traditional financial services businesses on turning compliance into an engine of growth.
