The FCA’s Business Plan is a must-read for all compliance professionals in the UK.
In this article, Ben Mason considers emerging themes, what the Business Plan means for compliance teams and, most importantly, concludes with some concrete suggestions as to what you should do about it.
What is in the Business Plan and are there any surprises?
For those that routinely review such documents, it will not be a surprise that consumer protection, market integrity and financial crime all feature heavily. ESG features and, surprisingly, there is less focus on Diversity and Inclusion than last year, with the FCA’s internal D&I efforts not being commented on here. Predictably, Appointed Representatives, crypto and BNPL all get an airing – the latter two being issues which generate a lot of noise for the small number of regulated firms they impact. And, personally, I find it very helpful when the FCA quantify increases in their activity, such as the number of scams they have intervened in or the number of financial promotions they have asked firms to withdraw.
From the perspective of readers who are compliance professionals looking to manage regulatory risk, there were two primary points of new or evolving interest that I believe are material for all compliance teams to consider. The first is the increasing focus on being ‘data-led’. The second is the FCA’s new-found ability to recast the threshold conditions.
Firstly, being data-led. The word ‘data’ was mentioned 28 times in last year’s Business Plan and 46 times this year. If you think that is a slightly crude metric, please consider this: the FCA’s new Leeds office is there to focus on ‘enhancing our digital and data capabilities’. With 200 staff based there, that is a massive upgrade on existing resources. Those staff are there for a reason and I think firms should take this seriously. There are actions that need to be taken to work out what this means for you, and I return to this later.
Secondly, threshold conditions (TCs). The TCs are ambiguous and the FCA can use them to take the strongest action against regulated firms when it wants to. The Business Plan says the FCA will ‘expand the types of breaches of Threshold Conditions that we take action against.’ I take this to mean that they will broaden how they interpret the TCs, at will. This is putting a marker down that they have identified an opportunity to strengthen their powers of intervention using the TCs.
Moving on, I should acknowledge there is a lot about the competitiveness of the UK’s wholesale markets. Firms operating in wholesale markets will already be aware of the significant changes coming their way, as the UK looks to strengthen its position post-Brexit. These changes are listed in the Business Plan and are far-reaching for some compliance teams.
A final comment is that the FCA’s 8.5% increased annual funding requirement starkly contrasts with the PRA’s 3% decrease. While the reasons are all explained, firms already hit with new regulatory fees, such as the Economic Crime Levy, may have some emotive feelings about that.
What is the context in which this Business Plan has been produced?
The FCA always has a lot going on. It has recruited 700 new staff, on top of staff turnover. It has experienced significant regional expansion (more people in regional offices across the country). As often happens, some changes in the perimeter will impact the FCA’s supervision and authorisation teams.
The ongoing political challenge for regulators is the stark contradiction of politicians wanting lighter regulation while also heavily criticising any perceived regulatory failure. Brexit and the Future Regulatory Framework also give a colourful backdrop.
From a regulatory strategy perspective, compliance teams should read the Business Plan in the context of the swathe of other regulatory policy and strategy documents. This includes the FCA’s 3-year Strategy, the Regulatory Initiatives Matrix, the Commitments and Objectives, the Metrics and the Perimeter Report, along with all the normal supervisory activity we are all familiar with: enforcement action, Dear CEO letters, policy updates and so on. Ideally, it should feel that these all align, that you can relate them to the risk that you already prioritise and that you therefore experience no supervisory surprises.
Confused? You might be…
Before coming onto the practical implications of the Business Plan there is one final observation I can’t help but mention: reading the Business Plan can be slightly confusing.
Ostensibly, the Business Plan is built around three themes which it calls focuses – ‘Focus 1’, ‘Focus 2’ etc. However, another section of the Business Plan called ‘Our Focus’ lists 8 completely different ‘focuses’. Slightly strange.
They then talk about prioritising their work. You might think ‘priorities’ and ‘focuses’ were all closely related. However, this is a completely different list of 4 priorities, separate to the 3 focus areas and 8 focuses.
And, of course, there is thematic overlap between the 3 focus areas, the 8 focuses and the 4 priorities.
Now we have cleared that up, we get to another slight comprehension challenge.
The 3 focus areas are all broken down into ‘commitments’ and the FCA has 13 commitments in its strategy all supported by metrics it tracks. So far, so good.
However, just to keep things simple, when the FCA has ‘additional resources available’ it has 4 additional commitments. Which sounds like a commitment to maybe being committed… if resources allow.
Confused? Well, maybe just a little.
Finally, what should you do about it?
There are a couple of things compliance officers should do about the Business Plan, and the other regulatory policy documents (as identified above).
Firstly, the easy thing. Review them all and make sure that your risk focus matches the FCA’s. Ensure your deployment of resources is risk-based, and that your compliance monitoring programme, thematic reviews and other routine compliance assurance activities match the FCA’s focus and priorities. Brief your Board and ExCo. Make sure the whole company is aligned on where your regulatory risk lies and how you mitigate it. Your Board will be very relieved to hear you link your activity to the risks the FCA have defined. Assess your resourcing to deliver this and identify shortfalls accordingly.
There is also a much more difficult activity to consider, but potentially with a higher pay off, that compliance and risk teams need to start considering.
Let’s return to the FCA’s data-led strategy and what it means – both generally and for your firm specifically.
Firstly, let’s triangulate 3 different aspects:
- The FCA is data-led, meaning it is now analysing data more effectively, to enable it to take early interventions against the firms it regulates.
- In its metrics, the FCA publishes a list of the KPIs linked to its objectives and commitments. It uses these to trigger this interventionist activity.
- Some of those metrics will be directly informed by the data provided by firms, including yours, via regulatory reporting.
What I believe this means for compliance teams is that the time has come to map data provided to the FCA (within regulatory reporting) back to the KPIs the FCA tracks. And from there you can ensure you track and report equivalent KPIs internally, that match the FCA’s own KPIs, specifically in those areas that affect your business. You might also track your distance from the formal target. All of this would make a very informative regulatory risk heat map.
By doing this you can establish how close you are likely to be to breaching a risk threshold and thereby being identified for investigation. You can also identify internal changes to reduce the likelihood of such breaches.
That is a tougher project but will be highly rewarding for those that execute it.
To assist firms with this activity, we have developed a spreadsheet which lists the FCA’s metrics in tabular form and offers a number of filters to help you sort through them. Please click here to access the FCA Metrics Report from My Compliance Centre.
For more information, please contact Ben Mason, Founder, My Compliance Centre at firstname.lastname@example.org