The FCA's £17.9m fine on Citigroup for failings in its implementation of the Market Abuse Regulation is remarkable for two main reasons: 

"Residual risk multiplier" - a new concept in penalty calculations? 

First, the regulatory enforcement geeks among us will immediately spot that here we have another example of the FCA re-writing its penalty policy through individual cases: suddenly, despite the FCA's statutory obligation to consult publicly on new penalty policy, we have a brand new concept being introduced - the "residual risk multiplier". What on earth is that? Well, it's not entirely clear. The Final Notice states:

"The Authority has measured the risk created by the absence of effective controls by calculating a residual risk multiplier. Residual risk is the risk that remains after controls have been taken into account. In this case, residual risk is the risk that certain types of market abuse could not be detected and reported by CGML because of a lack of effective arrangements, systems, and procedures. CGML’s relevant revenue has been calculated by applying the residual risk multiplier to the total revenue that CGML generated during the Relevant Period from the arrangement or execution of transactions in the financial instruments that fall within the scope of MAR (£2,575,148,623). The Authority therefore considers CGML’s relevant revenue to be £986,632,387"

"Residual risk" is of course a concept well known to risk managers. What is unclear from the Notice is why this concept has suddenly been introduced into a penalty calculation (given it is not mentioned in the FCA's published penalty policy) or how the FCA has purported to measure the residual risk. One can surmise that it is perhaps based on the percentage of coverage gaps in respect of market abuse risks in different parts of CGML's business that are outlined elsewhere in the notice. If so, that is not explained in the notice and this begs important questions as to the validity of the methodology and the practicalities of doing similar calculations of "residual risk" in other cases.  

Also a mystery is what the point of this exercise was, as the "relevant revenue" still produced a penalty figure so out of proportion to the breaches that the FCA reduced it by a further 83.5% "having taken into account previous cases". 

However, neither the regulators' tendency to develop new penalty policy through "case law", nor the idiosyncrasies of the 5-step penalty calculation are news, as the last PRA penalty imposed on Citi illustrates.

Lessons in implementing regulatory reforms 

The second reason the case is of real interest is of much greater importance for all regulated businesses: it is an example of an enforcement action that is almost exclusively concerned with shortcomings in the way a large regulated business has gone about implementing regulatory change. While this case concerned MAR implementation, it is interesting not just from the perspective of confirming the regulator's expectation of automated market abuse surveillance in a regulated broker-dealer. Regulated firms face a seemingly unending flow of regulatory reform, whether it be EU reform, post-Brexit reform of the UK regime in the Financial Services Bill, the wholesale markets review, introduction of the consumer duty, ESG, the operational resilience regime - the list goes on. How to manage regulatory change effectively ought to be high on the list of priorities for senior management of all regulated financial services firms. 

So what lessons can firms draw from the FCA's Notice against CGML in this case? 

  • Comprehensive review of business against scope of regulatory changes: detailed analysis of the incoming rules is essential, to ensure your change programme reflects not just the high level requirements but also all supporting standards or guidance.  
  • Risk assessment and gap analysis: to be effective these require a deep understanding of the business and how that might interact with the regulation – a Market Abuse Risk Analysis requires a nuanced understanding of different forms of insider dealing and market manipulation which are complex, difficult legal concepts.
  • Clarify ownership, objectives and tests for completion: one of the themes running through the Notice is a lack of clarity around the role of the different teams in ensuring compliance with the regulatory changes and of communication between those teams. The lack of clarity around the scope of work required obscured the progress - or lack of it - in implementation.       
  • Relying on global programmes to achieve local/regional compliance: the interaction between global and regional change programmes seems to have led to delay in effective implementation. Where local changes are subsumed into global programmes, particular care is needed to ensure the detail of local requirements is not overlooked.
  • Consider tactical solutions or manual workarounds where the target operating model is going to take time to build: the Notice makes clear that firms should implement appropriate workarounds where there are technical obstacles to achieving full compliance, the example here relating to quote surveillance.
  • Listen to regulators and plan and resource ahead: CGML was advised that its approach was unsystematic and its failure to act promptly on that advice led directly to an uplift in penalty. Ultimately CGML was found to have left it too late to grip the implementation of MAR effectively. Interestingly, the FCA judged this in part by reference to the speed of CGML's own remediation of the issues once a proper risk assessment and gap analysis had been done.
  • Risk-based compliance does not mean partial compliance: use of risk management methods in regulation and compliance can sometimes lead to a false sense that all compliance risks can be subject to a risk-based prioritisation. The danger with this is that limitations on the available resources can come to dictate the appetite of the organisation for compliance failures (rather than adequate resources being applied to bring the risk of failure down to an acceptable level). The dangers of this are particularly great in large, high-volume businesses where relatively "minor" gaps in compliance can have significant impacts. This is illustrated in the CGML case, where the FCA highlights that MAR applies to the full range of CGML’s trading activities (as defined in Articles 2(1) and 2(2) of MAR) and, although Equities accounted for 72.9% of CGML’s average daily trading volume during the Relevant Period, and Rates, Credit/GSM, and Commodities collectively accounted for less than 5%, "the Authority considers the surveillance gaps associated with CGML’s low-volume asset classes to be significant, particularly because of the scale, size, and complexity of CGML’s business, which meant that even a small proportion of CGML’s business could represent a significant volume.... even its lowest volume asset class (Commodities) had an average daily trading volume in excess of 6,000 trades."

But why?

The Notice explains how CGML failed but does not really get to the bottom of why: was there a lack of resource, a lack of skills/capability, or an issue arising from the balance of power between the various regional and global functions? The reader is left to speculate. 

Regulatory change projects are challenging, and when they fail it is important not simply to answer the question of what the failings were and who was at fault, but to investigate the root causes. The "due skill care and diligence" (negligence) standard is fine for allocating liability for compensation in civil proceedings, but principles-based enforcement on that basis does not shed much light on the lessons for the future. It tends to explain what went wrong but does not always get to the bottom of why. Internal reviews of compliance failings may need to go deeper and ask why organisations and the people within them behaved in the way they did, took the decisions they did or failed to spot things they should have spotted.