Bit by bit, enforcement actions are giving us more clarity on what “reasonable steps” means for senior managers.
The latest news: the PRA has fined Iain Hunter £119k in relation to his firm Wyelands Bank’s Large Exposures regime breaches and record-keeping issues. It already censured Wyelands, deciding not to fine it because it was winding down and short of funds. Hunter received no such special treatment (senior managers of distressed firms, take note).
Abarca and Equifax were primarily about internal reporting and verifying confirmations from others (at least in the SMCR context). This new decision helpfully has a different focus: it communicates regulatory expectations around matching a firm’s controls to its regulatory risk profile, the separation of lines of defence, adequate internal challenge and record-keeping.
And it has a novel feature: the PRA accepted a voluntary undertaking from Hunter equivalent to a prohibition, given his ex-UK residency and his settlement with the PRA. Perhaps an option of interest to individuals in similar circumstances in future.
Let’s look at the action in more depth and explore the “reasonable steps” key messages.
The action
Hunter was at various times SMF1 (CEO), SMF4 (CRO), and SMF2 (CFO) of Wyelands.
The PRA’s action against Hunter related to Wyelands’ entry into certain transactions in excess of risk concentration limits under the Large Exposures (LE) regime, having failed to identify that they involved “connected parties”. There were also breaches of the PRA’s record-keeping rules and findings regarding conflicts of interest.
The PRA found that Hunter breached Individual Conduct Rule 2 (skill, care and diligence) and Senior Manager Conduct Rules 1 (effective controls) and 2 (compliance).
The PRA found that Hunter failed to take reasonable steps to ensure that the firm had adequate systems and controls relating to LEs, reported LEs to the PRA in a way that accurately captured connected party exposures, clearly apportioned responsibilities for LE compliance, and adequately retained pertinent documents.
It also found that Hunter – breaching internal policies – did not appropriately manage potential conflicts of interest linked to the Gupta Family Group (GFG) Alliance, which was the largest client of Greensill Capital prior to the financing company’s insolvency in 2021.
Finally, Hunter’s correspondence with the PRA contained inadequately verified statements about the firm’s lending, LE regime controls, and the role of an external regulatory compliance adviser with whom Hunter had been in contact (who was an employee of one of the connected parties).
On penalty, the PRA started with 25% of Hunter’s relevant income. The penalty was increased by 10% for deterrence purposes. Hunter enjoyed no settlement discount because he settled after the Discount Stage.
Reasonable steps for senior managers: key messages
- Right-sizing controls. Senior managers should ensure that their firm's controls are proportionate to the regulatory risks presented by their firm's business model. Here, the firm’s minimal LE leeway necessitated more rigorous controls and oversight. Systems to ensure the smooth flow of management information and clear escalation arrangements can assist in identifying and addressing potential issues promptly.
- Clear responsibilities. Unambiguously allocate responsibilities for regulatory compliance, with routine roles for all three lines of defence.
- Separation of SMFs. Exercise caution when taking on multiple SMFs. Here, Hunter's wide-ranging delegated authorities may have heightened his regulatory risk. In particular, he was both SMF1 and SMF4, which may have affected the Risk function’s capacity to independently monitor and manage the firm’s regulatory risk. Allocating SMFs to different individuals also helps streamline focus and ensure SMs have sufficient bandwidth.
- Reliance on external consultants. When using external consultants for compliance tasks, give clear instructions that address the specific needs of the business. Ensure that any external verification of regulatory returns is based on accurate information that is validated (ideally by the firm).
- Managing enforcement risk. Senior managers, particularly those with wide-ranging responsibilities, should take care to follow internal policies and governance arrangements. Also: carefully verify and qualify statements to the regulators - especially when there is room for interpretation or limited information.
- Proactive record-keeping. Senior managers should document the reasonable steps they take, including to proactively challenge functions and address concerns raised internally or by the regulator. This will help mitigate enforcement risk and facilitate sound internal governance.