Enforcement investigations do not always lead to disciplinary action. However, where misconduct is identified and disciplinary action is appropriate, authorities have a range of sanctions available. A regulator’s enforcement powers include any combination of:
- public or private censure
- financial or non-financial penalties against the regulated firm or specific individuals
- the power to withdraw a firm’s authorisation
- suspending a firm from undertaking specific regulated activities
- imposition of fines
- a court order to freeze assets
- injunctions or restitution orders
- prohibiting or suspending an individual from operating within the financial services sector
- preventing them from undertaking specific regulated activities
Enforcement more often than not comes with a forward-looking, proactive obligation
Those of us operating in the GCC are well aware of the publicly announced disciplinary and enforcement action by our respective financial services regulators in the recent past. That’s not necessarily to say that such actions are on the increase, and this awareness could be due to a number of factors or considerations. Enforcement action and, in particular, publication of regulatory sanctions, is meant to protect the integrity of the system and sends a clear message to authorised firms, their senior management and their employees that misconduct will not be condoned. However, that doesn’t mean that all regulatory censure or penalties are made publicly available and there have been instances where enforceable undertakings have been agreed on a private basis.
Themes emerge based on the supervisory visits that are conducted in the regulator’s normal course. In 2015 for example, of the six enforcement actions published against Authorised Firms by the Dubai Financial Services Authority (DFSA), four related to AML deficiencies identified during risk assessments. These themes give us a good idea of where the regulator’s priorities are and allow compliance officers to steer management towards dedicating resources to key regulatory risks. These may be themes that the regulator is specifically focusing on during its reviews, resulting in the reported instances of failures. Reported enforcement actions also shed light on themes that will emerge as a consequence. For instance, firms should appreciate the DFSA's findings in the MAS Clearsight case as well as the DIFC Courts' pronouncement on mis-selling in the Bank Sarasin case to direct their own compliance resources to assessing whether their policies, procedures, training and documentation adequately address conduct risk, client onboarding and suitability in particular. Weaknesses in corporate governance arrangements usually indicate deficiencies in other parts of the business that will need to be addressed.
Over time, regional regulators, either through their own risk assessment of the activities in their centres or through the involvement or implication of their regulated firms in cross-jurisdictional investigations, will align their thematic roadmap with that of their global peers. Firms should anticipate that the themes around AML/CTF, conduct risk and senior management responsibility coming out of the US and UK, will find focus regionally in the near term.
There are more authorities extending their reach. As access to international banking services becomes easier and necessary, and with the increased reliance on correspondent banking and cross-border cooperation, the number of regulators and enforcement bodies or organisations that have oversight over a firm at any one time has increased. In turn, those regulatory and enforcement bodies have their own agenda to promote or, from a practical point of view, have governance or listing codes that require publicity as part of their compliance framework in order to maintain confidence in the effectiveness of the regime. This means that there are more regulators in the market to pursue a more structured regulatory oversight programme.
The extent of the penalty is aligned to the level of transparency, disclosure and cooperation by the firm during the course of a risk assessment or investigation. Regulators such as the DFSA have, among other things, the ability to pronounce a decision notice or an enforceable undertaking within their punitive powers. Decision notices are a more severe penalty that is imposed upon a firm, as opposed to an enforceable undertaking which is offered and agreed or settled with a firm. An enforceable undertaking usually denotes that a level of openness and cooperation has been displayed by the firm and its senior management to the authority. It takes into account that a firm will either have instructed an independent expert to review specific areas of weakness prior to or during an investigation or agrees in terms of the settlement to do so willingly at the direction of the regulator.
In some instances, individuals need to be censured for causing the firm to be non-compliant. It is less straightforward for a regulator to penalise an individual, but personal restrictions on an individual’s ability to follow his or her profession for what could be an extended period of time are key to demonstrating the reach of the regulator to both senior management and employees. A regulator needs to be able to hold an individual personally accountable to comply with both the spirit and the letter of the laws and regulations. The primary focus is on individuals who fulfil a controlled function or are authorised individuals bound by the regulatory principles of that particular jurisdiction. All are potentially liable to a warning, censure or financial penalty.
The high-profile investigations and fines against big banks like HSBC, Standard Chartered and Barclays, to name a few, demonstrate that the fine is not the beginning or end of the story for the firms involved. The consequences are far-reaching and could keep the firm on the regulatory and public radar for years to come.
An investigation related to one regulatory failing is likely to trigger additional investigations into underlying weaknesses across the business activities of the firm. Firms should appreciate that the regulator will want to unpick governance, risk and compliance arrangements from the top down to identify and address any systemic weaknesses that put stakeholders at risk. And it is not only the firm’s regulator that will take an investigative role. We need to look no further than the 2014 BNP Paribas case to appreciate the full scope and extent of the powers of the criminal and administrative bodies at a state and a federal level.
BNP Paribas pleaded guilty to two criminal charges including violating US sanctions against Sudan, Cuba & Iran. In this case, the U.S. Department of Justice fined BNP $3.8 billion for willful violations of the International Emergency Economic Powers Act & Trading with the Enemy Act; OFAC fined the bank $963 million for 3,897 violations of Sudanese, Iranian, Cuban and Burmese Sanctions Regulations between 2005 and 2012; the Federal Reserve fine for violating the AML and CTF regulations was $508 million. Moreover, the New York State Department of Financial Services issued a $2.24 billion civil penalty and ordered $1.05 billion in reparations and restitution, as well as requiring BNP to terminate 13 employees and discipline a further 30. Finally, the Manhattan District Attorney fined BNP $448 million.
Typically, the supervisory relationship should be one of open cooperation and dialogue with the authority, giving firms an avenue to address any identified weaknesses and deficiencies, or actual breaches, before they are raised by the regulator, or to the regulator by means of a customer complaint or a whistleblower, for example. There is a distinct change in the nature of the regulatory relationship once a matter goes to enforcement. The enforcement team is usually staffed with lawyers and their actions are driven by adherence to the powers and obligations set out in the relevant regulatory laws. From here on, the firm’s conversations with the regulator require careful liaison with legal counsel, are structured and formal, and are likely under oath and recorded for evidentiary purposes. Internal lines of communication should be established within the firm to manage the information that may be discoverable during investigative proceedings.
The cost of enforcement is not limited to the extent of the fine or penalty the firm must settle, or the consequential black mark against the firm’s reputation and impact on its share value. The cost of management time, legal expenses and third party expert reviews, related to both the initial investigation and the monitoring of the implementation of any remedial action, and of any additional anticipated regulatory and administrative investigation, cannot be underestimated.
Regulators are increasingly putting the onus on firms to demonstrate their regulatory fitness by requiring them to provide a report by an independent expert, commonly known in the UK as the Section 166 Report or Skilled Persons Report. In the UK, the Regulator’s use of the Section 166 Report increased significantly, with the financial year ending March 2013 yielding 113 Reports compared to just 18 in the year ending March 2006. Many industry commentators believe that an increase in regulatory scrutiny coupled with limited supervisory and enforcement resources at the regulator led to the increase in reports.
In the Dubai International Financial Centre (DIFC), Article 74 of the Regulatory Law underpins the DFSA’s powers to require a firm to appoint a suitably experienced Person to provide a Report on any matter required by the Regulator. This power is further embedded in the regulatory framework through GEN 11.12 and the RPP Sourcebook.
In 2015, the DFSA publicly issued six regulatory actions against Authorised Firms, three of which have included a requirement for the firms to provide a Report by an independent expert. The action against Deutsche Bank AG was linked to an independent report carried out in 2013, which was not publicly disclosed at the time, and ABN Amro had already appointed third party experts as part of an agreed remediation plan prior to the issuance of the Decision Notice. These numbers are hardly in the same dimension as the UK statistics quoted above, primarily due to the size and depth of the market, but there does seem to be a change in the DFSA’s use of this regulatory power.
There is no doubt that enforcement action is becoming more public and monetary fines are on the increase, which is a sign for firms to make sure their house is in order. The cost of compliance in the ordinary course is a far easier number for stakeholders to swallow compared to punitive or additional costs and reputational harm once under regulatory or administrative scrutiny. Drawing on the ABN Amro experience, it is worthwhile for firms to think about conducting a full or thematic risk and systems review themselves and taking the regulator into their confidence at a supervisory level in respect of any identified weaknesses or failures, rather than disregarding or dismissing the risk and later bearing the full weight of enforcement, possible criminal prosecution and reputational damage. This article has shared some thoughts on the value of enforcement actions as a deterrent for regulated firms and no doubt will be reinforced by future enforcement initiatives.