These companies should ensure their systems and controls address recent issues found by the regulator
Last month, the FCA published the findings of its review of how principal firms in the investment management sector understood and complied with their responsibilities in respect of their authorised representatives (ARs).
The firms covered a diverse range of regulated businesses, but some of the findings are clearly applicable to all principal/AR models. According to the results, some principal firms either do not understand the basics of the principal/AR relationship and how the regulatory framework applies, or they are (or were) hoping to fly under the radar.
The following are issues it is clear the FCA will now look at when supervising all principal firms.
Does the principal firm have a proper understanding of the impact of appointing ARs on its own business model, and has the firm put in place appropriate systems and controls to manage the risks associated with appointing ARs?
The FCA found many principal firms had completely inadequate governance systems in place to address this issue, which is fundamental to the principal/AR model. The principal is the authorised firm and is responsible for everything the AR does. If there is a problem with the AR’s business or conduct, it is the principal firm that will be subject to FCA supervisory or enforcement action.
The FCA was understandably surprised that many principal firms did not appear to grasp this concept, or to properly assess and manage the risk to the principal (and customers) accordingly.
One way in which this showed itself was in the failure of principals to monitor their ARs adequately. The FCA found that:
- Not one of the 338 principal firms in question regularly reviewed their ARs’ websites – and many of those websites contained non-compliant financial promotions;
- Many principals referred to the ARs as their “clients”. While commercially this may be the case, this type of language is a red rag to a bull as far as the FCA is concerned, indicating a lack of focus by a principal firm on customer outcomes. It is reminiscent of criticism by the regulator in historic cases of spectacular network failure. The principal should be focused on its responsibilities for its ARs’ business, not just on the commercial arrangements with the ARs;
- Many principals were over-reliant on “attestations” by their ARs, but failed to undertake any checking or monitoring of whether ARs were doing what they said they were, or indeed doing it in compliance with regulatory requirements;
- Many principals did not appear to understand their ARs’ business models particularly well and ended up being responsible for a host of different models, but lacking the skills, resources and staff to oversee them adequately;
- Several principals maintained relationships with what they believed to be inactive or dormant ARs for long periods. While this may sound innocuous, it indicates a lack of engagement between the principal and AR, with the principal not understanding why the AR wished to remain as an AR, and it could create risk for customers if the AR conducted regulated activities without the principal’s oversight.
Meanwhile, the FCA found some principals did not include AR revenues when submitting fee tariff data to the regulator, meaning those principals were underpaying fees by potentially significant amounts.
Like any form of “taxation”, this results in other fee-payers having to make up the difference.
The regulator also made an indirect reference to the Senior Managers Regime, stating: “Deficient risk management frameworks mean directors are unable to adequately discharge their responsibilities of providing oversight and direction.” This is a clear indication that directors of principals will be held personally responsible for these types of failings in the future.
So the expectations of the FCA for principal firms are clear. Principal firms should:
- Understand AR firms’ business models from the outset. When taking on an AR, a principal firm should have an audit trail showing it has properly assessed the AR, the type of business it intends to conduct and with whom, and the risks it may pose;
- Monitor ARs properly on an ongoing basis. Are they conducting the type of business expected? Are they doing this in line with the principal’s procedures? Has anything changed? If an AR appears to have stopped conducting business, does the principal understand why?
- Have systems and controls which adequately and consistently address the risks to the principal and customers posed by ARs and their business models. Can the directors of the principal show how they are managing those risks?
- Have clear internal governance arrangements, allocating responsibility to key individuals (i.e. the senior managers) for the key areas of business activity of the principal. Those senior managers will be individually accountable for those areas, which will (or at least should) encourage them to ensure they have sufficient oversight of each area to discharge that duty.
All principal firms should consider the results of the FCA’s findings, and ensure their own systems and controls address them.
Their Senior Managers and Certification Regime projects should also take those findings into account.
Alan Hughes is partner at Foot Anstey