
Publishing information about enforcement warning notices



What and When the FCA can do

By the




Don't forget, Compliance Consultant can provide a whole range of services
including:
- Initial Risk Assessment or audit: an initial analysis to identify higher risk areas of the
  business and weaknesses in procedures.
- Design Risk Management: build a system with your business, for your business, showing a
  complete audit trail of risk areas of the business and identifying any weaknesses in
  procedures.
- Business Development: business analysis advice or advice on particular issues, for
  example how your firm is Treating Customers Fairly and an action plan for implementing TCF
  across your business.
- Conduct Risk Development: identify where, when and how clients interact with your staff,
  identify weaknesses or non-TCF issues and help develop an action plan across your business.
- Governance Templates: Policies, Logs, Minutes, Terms of Reference and other items
  available from our IP library.
- Help with setting up procedures: for example, procedural manuals for recruitment, training
  and competence, complaints handling and anti-money laundering. May also include templates
  for disclosure documents, fact-finds and registers.
- File audits: checks to ensure that procedures are being followed and to identify good
  practices and weaknesses.
- Complaints Handling: cost effective and project managed from start to finish, making your
  response robust and consistent.
- Technical support: may include advice on particular products or regulatory reporting. May
  be available in various formats, including website, helpdesk and individual technical advice.
- Training: for example, competency assessments, training opportunities or product risk
  guidance. May be online support, regulatory updates or seminar based.
- Support on individual issues: for example, in dealing with a complaint, a financial
  promotion or a particular suitability letter.
- Financial promotions (all areas of advertisement): full support, which would include
  websites, brochures, DVDs, email templates, client mail shots, adverts, contacting existing
  clients and so on.
- Remedial work: helping to action remedial work required by the FCA.
- Ensuring you are aware of Handbook changes and the specific impact on your business.
- Your responsibilities and liabilities under SYSC and the recent changes.
And much more ... just ask! Email info@complianceconsultant.org


The FCA has confirmed that it will start to publish information
about warning notices it issues in enforcement cases
Although nothing new (originally announced 15th October 2013), when
deciding whether or not to publish any information relating to warning
notices, the regulator will start from the presumption that it will normally be
appropriate and fair to publish a summary of the allegations made against a
firm or an individual in an enforcement warning notice.
If the subject of the warning notice is an individual the Financial Conduct Authority (FCA) will
only identify that individual in exceptional circumstances, such as if it is necessary to do so in
order to prevent or dispel potentially harmful market rumours as to the identity of the
subject of the warning notice. However, if the FCA decides not to identify a specific
individual it may still publish the identity of the firm that they are employed by even if that
firm is not the subject of an FCA enforcement investigation.
If the subject of the warning notice is a firm, it is more than likely that the FCA will want to
identify that firm.
Acting in haste
If the FCA thinks that it is appropriate to publish information relating to a particular
warning notice, the person indicated in the warning notice, and any parties it may be
copied to, will be notified of this. The subject will be given 14 days to make any
representations to the FCA stating why they wish to challenge the FCA's decision to publish
the information. This provides a facility to focus representations on whether it is fair or
otherwise appropriate for the FCA to publish information about a warning notice.
If, on consideration of the appropriate representations, the regulator still thinks that it is
appropriate to publish information about a warning notice, the publication will appear on its
website.
What if the enforcement action is discontinued?
Should the enforcement case to which the information published at the warning notice
stage relates be subsequently discontinued, the regulator has clearly stated that it does not
intend to remove any information from its website. What the FCA will do is take steps to
make it clear that the action has been discontinued, but it will not give any reason for the
eventual discontinuance.


Background
Until 2010, the regulator, the then Financial Services Authority (FSA), could only publish
details about enforcement action against a firm or an individual at the conclusion of a case
when a final notice was published. In 2010, the point at which the FSA could publish
information about its enforcement cases was brought forward to the stage at which the
FSA's Regulatory Decisions Committee (the RDC) issued a decision notice (i.e. after the firm
or individual had made representations to the RDC in response to a warning notice but
before the Upper Tribunal had made a decision).

New powers were introduced in the Financial Services Act 2012 which gave the FCA the
green light to publish information about a matter in relation to which a warning notice has
been issued. This power then allowed the FCA to publish details about an enforcement
action against a firm or an individual at a much earlier stage than was previously permitted
and notably before a firm or an individual under investigation has had an opportunity to
formally challenge the FCA's case against them.

With the advent of the new regulators taking over, the FSA published a consultation
paper (CP13/8) in March 2013, where it set out proposals as to how the new FCA would
exercise its new power. Understanding what a serious and sensitive subject this could be,
the consultation paper clearly and expressly stated that the FCA would not start to use its
new power until it had confirmed how it would go about exercising it.

FCA Policy Statement PS13/9 was born
The FCA published a policy statement (PS13/9) on 15th October 2013 which confirmed the
regulator's policy for publishing information about enforcement warning notices. The
approach to publishing such information included some significant changes from the FCA's
original proposals set out in the March Consultation Paper.

The FCA stated that it intended to publish information about enforcement notices in
accordance with the approach set out in the Policy Statement from the date of issue, but in
actual fact did not do so until the 3rd February 2014.

In detail, the power to publish information about warning notices was granted under section
391(1) of the Financial Services and Markets Act 2000 (FSMA), which states that the FCA has
the power to publish information about a matter in relation to which a warning notice has
been issued, provided that:
- the person or persons to whom the warning notice has been issued or copied are consulted
  prior to publication (section 391(1)(c) FSMA); and
- publication of information about the warning notice would not be unfair to the subject of
  the warning notice, prejudicial to the interests of consumers or detrimental to the stability
  of the UK financial system (section 391(6) FSMA).

Built in as a safeguard for minor offenders is that the FCA's power to publish information
only applies to warning notices which include a disciplinary outcome (i.e. an intention on the
part of the FCA to censure, fine or suspend a firm or an individual; section 391(1ZB) FSMA).

The FCA continues to believe that the purpose of the new power justifies an approach of
normally publishing information about warning notices. Early transparency of enforcement
proceedings has several benefits and, to be clearer, they have amended the policy to
highlight some of them:
- Consumers, firms and market users will be able to understand the types of behaviour
  that we consider unacceptable at an earlier stage, which in turn should encourage
  more compliant behaviour.
- By showing at an earlier stage that we are taking action, confidence in the FCA and
  the regulatory system should be enhanced.
- There will be more openness in respect of the enforcement process, which will
  generally be in the public interest.
- And it aligns the stage at which publicity is given in regulatory cases with the stage at
  which publicity is given in civil and criminal cases.

So effectively, the FCA explained that these actions are intended to create a more
transparent enforcement process and to inform consumers, firms, approved persons and
the market at the earliest possible stage about types of conduct that the FCA finds
unacceptable and give them notice to address any internal issues they may have.

Steps to the FCA publishing warning notices?
The approach outlined in PS13/9 is replicated as guidance in the FCA's Enforcement
Guidebook (paragraph 6.7 onwards).

When the FCA decides to issue a warning notice in an enforcement matter, it will consider
whether it should publish information relating to the warning notice. The FCA has stated
that it will start from the presumption that it is appropriate to publish information relating
to a warning notice so as to enable consumers, firms and market users to understand the
nature of the FCA's concerns in a particular case. However, the FCA has also said that it will
consider the circumstances of each case.

Identifying the subject of a warning notice
If and when the FCA considers that it may be appropriate to publish information about a
warning notice, it will then consider whether it is also appropriate to identify the subject of
the warning notice (i.e. the firm or individual against whom the FCA proposes to take
action). When making this decision, the FCA has noted that it intends to take different
approaches to firms and individuals.

In the PS they state: "Whether the subject of the warning notice is a firm or an individual
will also continue to be relevant to our assessment of unfairness. Our presumption that it
will not normally be appropriate to identify an individual is based on our view that the
relative harm from publication is likely to be greater for an individual than for a firm and, in
line with this, our expectation is that it would be more difficult for a firm to demonstrate
unfairness than an individual. We will also have regard to the size of a firm. We consider this
is a relevant consideration because the impact of publication on a small firm is likely to be of
a different nature to the impact on a large firm, and in some cases could resemble the
impact on an individual. So we expect that larger firms will find it more difficult to
demonstrate unfairness than smaller firms."

This approach is noticeably different to the FCA's original proposal outlined in the
Consultation Paper which indicated that an individual who was the subject of a warning
notice would be identified, except in exceptional circumstances.

The FCA cites comments received in response to the Consultation Paper as the reason for
the change in approach towards identifying individuals who are the subject of warning
notices. In the Policy Statement, the FCA accepts that in most cases the harm that an
individual may suffer by being identified in information published about a warning notice
will outweigh the benefits that publishing this information may have in terms of improving
the transparency of the FCA's enforcement process.

However, the FCA notes some situations in the Policy Statement where it would still
consider identifying the subject of a warning notice. These situations include where it is
necessary to identify an individual in order to:
- adequately describe the nature of the FCA's concerns;
- avoid other individuals being mistakenly believed to be the subject of the warning
  notice or to otherwise dispel rumours in the market (the FCA has indicated that this
  factor may be of particular relevance where a prominent member of a firm's senior
  management is the subject of a warning notice, due to the heightened risk that
  others may be mistakenly believed to be the subject of the warning notice);
- help protect consumers; and/or
- maintain public confidence in the financial system or market.

Consultation with the subject of an enforcement warning notice
Respondents to the CP raised concerns that the period of 14 days may be too short to
prepare and submit appropriate representations to the FCA concerning why they should not
publish information relating to the proposed warning notice. The regulator's answer to this
was that if the subject of a warning notice or a party to whom it is copied thinks that there is
a possibility that they are likely to challenge the publication of information relating to the
warning notice, they would be well advised to consider the representations they may
make and any evidence they may use to support these representations in advance of the
FCA issuing a warning notice.

Despite the regulator stating in the PS that it expects representations primarily to focus on
the issue of whether it would be specifically unfair to the subject of the warning notice to
publish information, the FCA has said that it will also take into account other
representations that provide other reasons as to why it would be inappropriate for the FCA
to publish information about a warning notice.

A point to consider for any respondent is that if the FCA indicated that they did not intend to
publish the identity of any individual who is the subject of a warning notice, that individual
may still wish to make representations at this stage. This could mean that they may wish to
make representations relating to the way in which they could be anonymously referred to in
the information published or whether there should be publication of any information about
their case at all.

Consideration of grounds that may prohibit publication of information
Once the FCA has received representations from the subject and/or third parties, it will then
be in a position to consider whether there are any factors which would prohibit the
publishing of information relating to a warning notice.

There are three grounds which, if applicable, would prohibit the FCA from publishing
information relating to a warning notice (section 391(6) FSMA). These grounds are if
publication of information relating to a warning notice would be:

i. Unfair to the subject of the warning notice: In the Policy Statement, the FCA has stated
that in order to demonstrate that publication of information relating to a warning notice
would be unfair, a firm or individual must provide clear and convincing evidence of how
that unfairness may arise and how they could suffer a disproportionate level of damage.

The FCA has indicated that the following factors may be relevant to the issue of whether
publication of information about a warning notice would be unfair to the subject of the
warning notice:
Firm or individual: Whether the subject of the warning notice is an individual or a
firm. The FCA has indicated that it is likely to be more difficult for a firm to establish
that it would be unfair for the FCA to publish information relating to it than it would
be for an individual. This is because the FCA acknowledges that the relative harm
from publishing such information is likely to be greater for individuals than for firms.

Size of a firm: If the subject of a warning notice is a firm, the size of the firm will be a
relevant consideration for the FCA when it is considering the issue of fairness. The
FCA has indicated that larger firms may find it harder than smaller firms to show that
publishing information relating to a warning notice would be unfair. This is because
the FCA recognises that in some cases smaller firms may suffer a similar level of
harm from publishing such information as individuals.

Risk of reputational damage: The FCA has not ruled out the possibility that the risk of
reputational damage to the subject of a warning notice by itself may be enough to
prevent publication of information relating to it. The FCA has also stated that it is
likely to find arguments along these lines more compelling if a person is able to
provide evidence of the harm that they would suffer as a consequence of the
damage to their reputation. However, it remains to be seen how easy it will be in
practice for persons to evidence the risk of reputational damage that they may suffer
as a result of publication.

Personal circumstances: If publishing information about a warning notice could
materially affect the subject's health, result in bankruptcy or insolvency, a loss of
livelihood or a significant loss of income.

The subject's awareness of the case: The extent to which the subject of the warning
notice has been made aware of the FCA's case against them, for example via a
preliminary findings letter.

Criminal proceedings: If there are on-going criminal proceedings to which the subject
of the warning notice is a party and these proceedings may be prejudiced if
information relating to the warning notice is published.

The FCA has made it clear that arguments relating to the fairness of the FCA's power to publish
information relating to warning notices or the merits of the warning notice itself will not be
material to the FCA's decision as to whether such information should be published.

ii. Prejudicial to the interests of consumers.

iii. Detrimental to the stability of the UK financial system.

The FCA expects that circumstances which may give rise to grounds ii) and iii) above will
rarely arise when it is considering whether to publish information in relation to a warning
notice. For this reason, the FCA has not provided any guidance or examples as to when
publication of information relating to a warning notice may be prejudicial to the interests of
consumers or detrimental to the stability of the UK financial system.


Publication of information relating to a warning notice
If, having gone through the steps outlined above, the FCA still considers that it is
appropriate to publish information relating to a warning notice, it will publish this
information on its website.

What information about enforcement warning notices will the FCA publish?
The FCA does not have the power to publish warning notices in their entirety. Rather, the
FCA may only publish such information about a matter to which a warning notice relates.
The FCA has stated that it intends to exercise this power by publishing the following
information:
Summary of the alleged misconduct and breaches: A brief summary of the alleged
misconduct which forms the basis of the warning notice, including the rules and/or
Principles for Business or Approved Persons which the FCA alleges have been
breached.

The identity of the subject: If it is considered appropriate, the FCA will publish the
identity of the subject of a warning notice. If the FCA decides not to identify the
subject, they will be referred to as "a firm" or "an individual" or, where appropriate,
the type of person, for example, "a bank" or "a trader". Even if the FCA decides not to
identify an individual who is the subject of a warning notice, it may still consider
whether to publish the identity of the individual's employer, even if the employer is
not the subject of an FCA investigation in relation to the matter.

Status of the matter: The FCA has stated that each time it publishes information
relating to a warning notice, it will include a prominent statement which makes clear
that: (a) a warning notice does not represent a final decision made by the FCA and
there is a possibility that the matter may be discontinued, (b) the subject of the
warning notice has not yet had the opportunity to make representations to the RDC
in relation to the matter, and (c) at a later stage, the subject of the warning notice
may refer the matter to the Upper Tribunal.

The Policy Statement states that the FCA does not intend to publish any details about the
sanction it is intending to impose upon the subject of a warning notice.

Subsequent discontinuance of an enforcement action
In the event that the enforcement case to which a warning notice relates is discontinued at
a later date, the FCA has explained that it will not remove the information about the
warning notice from its website. Rather, the FCA will add a note to the information
published about the warning notice to say that the enforcement action has been
discontinued and, if the subject of the warning notice consents, also publish the notice of
discontinuance on its website, along with an accompanying press release. This means that
even if the FCA decides not to proceed with a case or the Upper Tribunal directs the FCA to
take no action, the allegations made in the summary of the warning notice published on the
FCA's website will continue to be publicly available.

Furthermore, the FCA has made it clear that in the event that it does discontinue a case in
relation to which information about the warning notice has been published, it will not
publish the reasons for the discontinuance. Not only does this approach seem at odds with
the FCA's underlying objective for publishing information relating to warning notices in the
first place (to improve the transparency of its enforcement process), but it may also give rise
to confusion amongst consumers, firms and approved persons. This is because it may not be
clear why the FCA had concerns about the conduct of a firm or an individual when it issued a
warning notice but eventually decided not to take any enforcement action in relation to the
matter.

Comment
The FCA's decision to publish information relating to warning notices constitutes a
significant change to its enforcement process. Approved Persons of all categories need to be
aware of these changes and, if necessary, the stage or stages at which the FCA may publish
information in relation to any on-going enforcement cases.

The approach adopted by the FCA in its Policy Statement is also different to the original
proposals outlined in the Consultation Paper, in particular relating to the identification of
individuals who are the subjects of warning notices. This change in approach may be
beneficial to some individuals who, under the FCA's new policy, may not be identified if
information relating to a warning notice is published. There is still a risk that senior
individuals will be identified in information published relating to warning notices in order to
help avoid confusion or market rumour regarding the identity of the subject of a warning
notice. All Senior Managers need to understand their potential risk of involvement and
identify ways to mitigate their position by ensuring that their processes and procedures are
correctly assessed and controls are appropriate.

The FCA's ability to publish information about an on-going enforcement case before the
subject has an opportunity to formally challenge the FCA's findings will, in turn, also impact
the strategy employed by the subject of an FCA investigation and their advisers. For
example, it will be more important for the subject of an FCA investigation and their advisers
to engage with the FCA as to the merits of their case at an earlier stage instead of waiting
until the FCA issues a warning notice before doing so. Doing so may help to ensure that
representations made to the FCA before the warning notice stage are taken into account in
the information published about the warning notice.

The FCA may also use its ability to publish information about on-going enforcement cases
at the point at which a warning notice is issued as a negotiating tool in order to encourage
the subject of an FCA investigation to settle their case at an earlier stage. This is because if a
firm or an individual shows willingness to settle a matter at the warning notice stage, the
FCA may decide not to publish information relating to the warning notice and instead wait
until the final notice can be published.


Looking more broadly, the FCA's power to publish information relating to warning notices
may also lead to an increased and earlier litigation risk for firms and/or individuals who are
connected to a warning notice. For example, a claimant may base their claim against a firm
on allegations included in the summary of the warning notice published by the
FCA. Even if the allegations made by the FCA are changed or dropped at a later date, the firm
may still have to expend significant sums to defend or apply for a stay of the litigation in the
meantime.


Steps To Help You Succeed as a Regulatory Chief Compliance Officer and
Keep Out Of The FCA Warning Notices

"Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you."
- Theodore Roosevelt, 26th President of the United States.

While there is not a discrete or succinct formula that guarantees success of the CCO, there
are essentially three steps that can be taken that will prove to be instrumental in obtaining
the desired success.

Step 1: Creating a "Right" Culture

Principal to your success as a CCO is the creation of the "right" culture, and this can be
demonstrated by this example:

You are driving in your car down the street towards a traffic light controlled junction. As you
approach the intersection, the traffic light turns from green to amber then to red. What do
you do? You arrive at the intersection and stop your car.
Do you wait until the light turns green again and then proceed through?
Do you pull up to the lights, look all ways for other vehicles or the police and if none are
around, then proceed on through?
The reason we don't go for the second option is "Culture".

Your action of stopping and waiting for the green light is "built" in because somebody at
some stage in your life provided you with a set of values that dictated how you responded
to the traffic light event. They gave you a values blueprint that you abide by, creating your
own "culture".

With the "right" culture or values blueprint one acts with honesty, integrity and high ethical
standards. Therefore, with a values blueprint, your behaviour comes naturally and is done
without much thought.

Without the majority of people having the "right" culture, in the traffic light example we
would have streets of chaos. No society, and certainly no Financial Services Institution or
firm can operate, nor survive, under a system of chaos.

Ideally we want officers and employees, right from the top to the bottom, to act with
utmost integrity, honesty and high ethical standards. We want them all to behave
accordingly, not necessarily because they feel that they are being checked up on, but almost
subconsciously knowing what the right thing to do is, whether or not they may have
controls in place. We want them to behave in the right way as second nature, without having
to think about it, or check in a policy somewhere, to know the proper action. Worse still, we
don't want people making decisions "on the fly" without understanding the ramifications of
their actions.

Personal responsibility for one's actions has to be the core of the "right" culture. No
regulatory compliance officer should want to have to position a control or check-point
at every juncture of the business. It would cost too much and, in the end, would fail as
people would find a way to circumvent the cumbersome and clumsy rules. So as the
CCO you must work to build a culture where "doing the right thing" is expected from all
officers and employees. Consequently, behaving badly should be penalised and the right
behaviour should be rewarded, but this can only happen at the time of the behaviour taking
place: praising or punishing afterwards is pointless and a waste of time, or our judicial
system would have eradicated crime hundreds of years ago.

It is important to note, however, that while personal responsibility is definitely the core
element of the "right" culture, the CCO cannot simply operate with blind faith and a prayer
book. The system and framework of internal control must include a detection element as
well as a prevention element, so that those who violate the culture are identified.

Tone from the top.
To succeed, there must be a consistent and robust tone from the top, one that
communicates and supports the "right" culture. A zero tolerance standard must be adopted
by senior managers and leaders as well as demonstrated by their own words and actions.
Alone, even the most correct tone from the top cannot create the "right" culture. There are
many steps and activities that the CCO must instigate and support to create, foster and
maintain a culture that results in doing the right thing, first time, all the time.

Actions and Steps to Build the "Right" Culture

- Get buy-in not just from executive or senior management, but from all levels and all
  employees. The CCO should be a partner with all, not just senior management.
- Act so that everybody feels comfortable approaching the compliance function, not only
  to report exceptions, breaches or violations, but more importantly to seek advice
  and sage counsel. The CCO should be proactive in offering advice and be seen as part
  of the solution that supports the business's objectives. That advice is better when
  provided up-front where new processes, sales, etc., are being proposed and planned.
  Consequently, the CCO should make every attempt to say "yes." When the
  regulations prohibit a "yes," the CCO needs to say "no" and offer alternatives and other
  options, working with the business on finding an answer.
- Develop, coach, communicate, and train, etc., on the standards, the rules, the
  policies, the expectations and the rationale behind the rules and guidance.
- Be approachable and interesting to work with. The CCO should be easily and readily
  available.
- Act with speed; act fast. The CCO does not want to be seen to slow the business down; to be
  viewed as a "cog."

Undoubtedly compliance with all laws, rules, and policies is seen as the primary
responsibility of the CCO. An environment of zero tolerance for absolute risks should be the
case without exception. Beyond that, the CCO should establish an acceptable risk appetite
and risk mitigation process to manage those inherent risks. Such a culture and environment
ensures compliance with all mandatory laws, rules, regulations, public policy standards, and
internally generated standards such as policies and procedures, codes of conduct, etc. And it
provides for an internal control system where risks are identified up-front and managed in
furtherance of business success.

It pays to ensure that absolute risks such as laws, regulations, rules and policies are
interpreted in a clear and easily understood way; violations should never be tolerated.
Inherent risks may or may not happen and in a well run and compliant culture, controls are
designed and built to manage and mitigate inherent risks.

Creating the "right" culture is an absolutely critical role for a CCO. It may well require hard
work, but without a culture where honesty and integrity are the norms a CCO will not
succeed. Achieving the "right" culture will not in itself guarantee success, but it will at least
put you well on the path to achieving a compliant firm.


"Take calculated risks; that is quite different from being rash."
General George S. Patton, World War II General

Being a Chief Compliance Officer (CCO) or having to establish (or refresh) a risk function can
be a daunting challenge.

The second step towards your achievement is the development of a practical risk based
environment and management system. Here is some practical advice for succeeding at
the second step.

Step 2: Developing a Risk Based Environment and Management System

Compliance is a lot more than just adhering to laws and regulations: it is making sure that
risk culture, policies, procedures, and controls are being properly adhered to. The CCO
should steer and direct the organisation to stay within mandatory boundaries of laws and
regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and
corporate as well as (hopefully) personal values.

So how do you do this?

First and foremost, you should establish a clear and practical risk based environment and
management system with a mandated and supported zero tolerance for absolute risks. An
environment of zero tolerance for all absolute risks such as laws, regulations, rules and
policies should be the case without exception. Compliance with these is mandatory;
absolute risks must be avoided. They are never acceptable risks, since accepting them would
violate the law.

An effective and quality risk based environment and management system communicates
and ensures absolute compliance with all mandatory laws, rules, regulations and public policy
standards. You have to recognise that not all risks can be avoided or eliminated, nor would
you want to. Many risks are needed for the upside to be managed in a business, and to
provide some element of skill in their management. Thus, the CCO should establish an
acceptable risk appetite and risk mitigation process to manage these risks.

Inherent risks are intrinsic to a business activity and arise from exposure to, and uncertainty
from, possible future events, or changes in business or economic conditions. Inherent risks
may or may not happen. Under a risk management system, controls are designed and built
to identify, anticipate, manage, monitor and mitigate inherent risks. The risk management
system is ultimately the systematic application of processes and structures that enable an
organisation to mitigate, accept, improve, or transfer risk.

The only way an organisation can manage risk appropriately is if acceptable and
unacceptable risk is defined. The CCO and Chief Risk Officer (CRO) should clearly define,
establish and communicate the environment of risk taking, acceptance, tolerance, and
appetite not only to the board, but throughout the business appropriately. If the CCO does
not do this, risk taking is seen to fall to individuals, often without a coherent strategy,
and this places the integrity of the organisation in jeopardy.

Actions to Build a Risk Based Environment and Management System

First, developing a risk based environment means identifying the risks and potential areas
of vulnerability in the business.

The high-level rules map is going to be fairly similar for all UK regulated firms. Once you start
increasing the depth of information you may well find that not all parts of each law will
apply to every section of your firm. While it may feel like skipping from one relevant law
to another, it is also important to realise that your firm has existing policies and
procedures in place that may reference out-of-date legislation; these are obviously risk areas
for you to address.

If your firm is a small concern with one main line of business, then a single regulatory rules
map is more likely to be applicable. However, when you link up to the FCA Handbook you will
find that not all sections within these sourcebooks will necessarily apply to your firm, so you
could end up with large gaps or blanks in your matrix.

To construct your matrices correctly there are two methods you can use. One is the
bottom-up approach, which is self-explanatory insomuch as you start at the activity level
and consider all the legislative and regulatory impacts that may apply.

The top-down approach is a more detailed and time-consuming rules mapping exercise
where you may be searching for applicability to a certain law which may not actually apply
to your type of business. If you're a large company and operate in diverse fields such as
running distributor influenced funds or even a stockbroking facility, then the top-down
approach may well be more applicable. Although this can be tedious, it can also be
worthwhile if you have the time.

Typical sample rules map
Draw yourself a spreadsheet with headings across the top, starting from the left-hand side:
reference, rules, life sales, pensions sales, investment sales, mortgages, etc. Each line
would have a reference under the first heading, starting with SYSC, PRIN, COBS1, COBS2,
etc., and the section heading under rules; your matrix will then be formed. From this basic
matrix you can identify where the sourcebook would apply to your firm and, if it is not
applicable, why not.

If you had offices or branches in other jurisdictions this very simple matrix could be
replicated for the local regulator or judiciary that may impact it.

Full details can be found in the Compliance Managers Guidebook available at the end of this
document.

Risks can also be identified from many sources, including the following:

Internal & External Audit Reports
Ethics Reports
Regulatory Examinations and Inquiries
Management Reports
Self-initiated Risk Assessments
Results from preventive controls
Information gleaned from Business Partnerships

Secondly, once the risks have been identified, the CCO needs to determine the proper action
regarding the risk. This requires the CCO to establish an acceptable risk appetite. There are
three options for managing inherent risks:

(1) Reduce or mitigate;
(2) Transfer; or
(3) Retain and accept; cost benefit analysis for positive exposure.

Reduce and Mitigate. This option is chosen for those risks that are too great to accept.
Action and strategies are developed and implemented to reduce or mitigate exposure.

Transfer. The exposure for some risks can be transferred with outsourcing or by the
purchase of insurance.

Retain and Accept. Some risks will be acceptable without any mitigation efforts. However,
the organisation should consider reasonable budgeting for the exposure.

Each identified risk should be evaluated to determine the desired course of action. One of
the three above courses should be applied to each risk.


Finally, once the risks have been identified, a risk appetite has been determined and a
management plan has been implemented, a monitoring and reporting process needs to be
instituted.

This is an iterative process: it never ends. The CCO must continually identify risks, determine
risk treatment, implement and monitor.


"We are constantly working towards the highest level of compliance possible."
Mike Davidson, 20th Century American Author

Step 3: Building an Internal Control Framework

Along with a comfortable compliant culture and an effective risk management system, the
CCO will need to build a framework and process of internal controls. A framework of
internal control is the process by which the CCO can obtain reasonable assurance that the
culture and risk management system are working. The CCO needs to construct an internal
control framework that surrounds the compliant culture and environment created in the
first two steps to ensure that the information received will indicate that the efforts in
compliance work "first time and every time", or if not, where they have failed.

Elements of an Internal Control Framework

Policies and Procedures: The CCO should formulate a set of policies and procedures and
other internal guidelines and standards to reflect the regulatory or legal requirements.
Policies and procedures are a set of documents that describe an organisation's rules or
practices for operation of the business and the procedures to implement or fulfill them.
These rules should be distributed or made available to all the organisation's employees.
Awareness training for all relevant policies and procedures should be provided to all
employees.

Workplace Code of Conduct: The CCO should formulate a code of conduct that details the
basic ethical behaviours expected of the firm's employees. Potential topics for inclusion on
Workplace Code of Conduct are: Compliance, Conflict of Interest, Equal Employment
Opportunities, Sexual, diversity and other Discriminatory Harassments, Gifts and
Entertainment, Government or high profile contacts, Political or Press Activity, Fair Dealing,
Respect, Whistleblowing and Nepotism. The Workplace Code of Conduct should be designed
seeking input from all areas and then distributed to all the organisation's employees and any
relevant mandatory training should be provided.

Operational Process Maps: The compliance function, along with the business, should map out or
outline all operational processes, at least to a high level. The results should be reviewed for
compliance, risk identification and control application, to ensure that no
"corner cutting" or heuristics are used and, if necessary, to correct any areas out of
compliance. The CCO should require the maintenance of the maps and operational adherence to
the mapped processes. The business should use the maps as a tool when any process is being
changed, to verify that the new or changed elements of the process, as well as other
processes that may be impacted, are accurate and compliant.


Front-end controls. The CCO should build effective controls into front-end processes. Front-
end controls are "preventive" in that they should prevent non-compliant actions or
transactions before they occur.

Back-end controls. The CCO should build effective controls into back-end processes. Back-
end controls are "detective" in that they detect compliance violations after the action or
transaction has occurred. This could be an oversight role or audit, even a quality assurance
check.

Please Note: Any system of front-end and back-end testing should place a greater emphasis
on front-end preventive controls over back-end detective controls. Business is best served
by prevention of non-compliant actions and not waiting to mop up mistakes, regulatory
breaches or accidents. Back-end controls should be a second check for errors, breaches or
other violations.

Compliance Charter: The compliance charter expands the concepts within the mission
statement and can be used to serve both as a promotional piece and a high level contract
for services between the compliance department and the rest of the firm. Senior
management should then endorse this charter so that everybody is aware of the role of the
department and the services it provides. This will be key in future when additional resource
or external consultancy is recommended, or in the event of disputes or requirements for
material corrective action.

There is no point in wording the compliance charter in regulator speak, nor is there any need
for people to have studied English language at university before reading your charter. There
is always a tendency to use jargon, MBA speak, etc., but you'll find that if you use the house
language option the charter will not only be understood better but staff are more likely to
accept and recall it.

Full details can be found in the Compliance Managers Guidebook available at the end of this
document.

Breach/Error Reporting Process: The CCO should create a process for employees to ask
questions and to report potential violations. This process should be easy to use and should
allow for anonymous reporting. A good approach is three-pronged and consists of:
A hard copy set of forms;
A telephone hotline; and
An e-mail address.

The process for reporting should be communicated to all the firm's employees.

Management Information (MI): The CCO should communicate to management, as well as
all levels of employees, throughout the organisation on the successes and failures of the risk
management system. To do this effectively, accurate and pertinent MI should be created
and cascaded appropriately.


Risk Management Committee: The CCO should establish a risk management committee.
This group should meet regularly to review projects, proposals, proposed rules and policies,
etc. All functions and disciplines should be represented on the risk management committee.

An effective internal control framework allows the CCO to have and exercise reasonable
oversight. Under an internal control system risks are identified. Plans to eliminate, mitigate
or transfer are implemented. Monitoring is utilized to ensure that the laws, rules and
internal policies are being followed.

Summary
Succeeding as a CCO will not be an easy task, but it is a necessary role for a business
to succeed today. The three steps are:
(1) Creating the Right Culture;
(2) Developing a Risk Management System; and
(3) Building an Internal Control Framework.

Following these steps will not guarantee the success of the CCO but, if followed, they can
provide the robust tools needed to stay out of being mentioned in despatches from the FCA.

Good luck!

Lee Werrell
Tel: 07092 289901
Lee is a compliance professional with over 25 years' experience in the financial services
industry, including roles at board and senior executive level for a bank, bancassurer and a
major IFA. Lee has also advised numerous businesses on Financial Services Authority regulatory
issues and developments, including how to modify and adapt their strategy and procedures
accordingly. Lee has provided a range of expertise to FTSE 100 institutions and a variety of
banks and retail operations, working with governance, risk and compliance functions, and has
been nominated as a skilled person by the FSA. Lee has set up a foreign sponsored bank and
worked with local authorities.
Lee is a Chartered Fellow of the Chartered Institute for Securities & Investment, a
Fellow of the Institute for Sales & Marketing Management, and a Member of the Association
of Professional Compliance Consultants.


Technical EBooks
ARMS http://bookgoodies.com/a/B008PEC65A
Compliance Manager Guidebook http://bookgoodies.com/a/B00CH22066
IFA Risk Management http://bookgoodies.com/a/B008OKFFAS
