The FCA has published its findings on yet another thematic review – this time looking at ‘Flows of Confidential and Inside Information’ (TR15/13).
The review sample consisted of 16 mostly small to medium-sized wholesale firms which the paper describes as ‘investment banking firms’ (however the accompanying article on the FCA website, as well as the document itself, makes it clear that the review is relevant to all firms that handle confidential and/or inside information). The sample firms provided their policies and related documentation and the FCA made full-day visits to 10 of them.
Key findings can be summarised under the following three headings:
Circumstances Posing Heightened Risk
The need for regular assessment of conduct risks in the light of changing circumstances (e.g. changes to business model or rapid growth) should not be overlooked.
Conduct, Culture and Responsibility
Recognition that all staff members across the three lines of defence (internal controls, Compliance and Risk Management, Internal Audit/independent assurance) have a role to play, albeit that ultimate responsibility sits with senior management.
Firm Systems, Procedures and Infrastructure
Robust systems, procedures and infrastructure underpin the effective management of flows of confidential and inside information in firms.
Chapter 3 of TR15/13 sets out the detailed findings, and an expansion of the above three headings, including examples of good practice and poor practice. It’s certainly worth a read, as much for the poor practice as for the good practice. Examples of the former include findings of non-UK headquartered firms failing to make any reference to the UK regulatory regime in their policies and procedures and the remoteness of Compliance (to the extent that, in one instance, the function was based in a different city). Oddly enough, cases where Compliance was too strong also fell under the ‘poor practice’ banner. Although this initially would seem to confound logic, the concern was that over-reliance on Compliance could, over time, lead to it operating as part of the first line of defence, meaning that Compliance, as the second line of defence, would end up monitoring its own work.
The FCA advises us that all UK-based and FCA-regulated firms need to consider whether their own arrangements are fit for purpose and meet the standards set out in the report. The paper informs the reader that “This is not a one-off exercise”. Given this, firms’ senior management are required to pay heed to the findings and messages outlined and take the steps necessary to identify and resolve any outstanding issues.
The thematic review serves as a reminder of the changes that will take place to ‘market abuse’ as a whole next July as a result of the Market Abuse Regulation (596/2014) – see Regulatory Roundup 70 for further details.