Introduction

1. The PRA has issued fines against individuals in two recent enforcement actions. The cases shed some light on what it means to take “reasonable steps” in the context of the SMCR, and address other important SMCR themes. There are some useful lessons to be learnt for all senior managers, and those advising them, such as legal and compliance teams. There may be other SMCR enforcement cases coming down the pipeline in the coming months. A review of your SMCR systems, controls and procedures could be timely. Tom Hine, himself a former Head of Enforcement, takes a look.

The Cases

2. The two SMCR cases against individuals are as follows:

1. On 11 January 2024, the PRA announced a fine of £119,000 against Iain Hunter in relation to his firm Wyelands Bank’s large exposures regime breaches and record-keeping issues.  Hunter failed both to act with due skill, care and diligence, and to take reasonable steps to ensure that Wyelands had adequate systems and controls in relation to the large exposures regime and PRA record keeping requirements. The PRA had already publicly censured Wyelands (which entered wind down in March 2020) for significant regulatory failings. Interestingly, it had not fined the Bank, given its financial difficulties. Hunter did not benefit from the same clemency – something to bear in mind if you are a senior manager at a firm in financial difficulties.
2. On 13 April 2023, the PRA announced a fine of £81,620 against Carlos Abarca in relation to  issues and service disruptions during TSB’s 2018 IT migration. As the CIO, Abarca was obliged to take reasonable steps in relation to identification and mitigation of risk relating to the migration readiness of outsourced providers, including a third party provider, SABIS.  Abarca had given assurances to the TSB Board about SABIS’ readiness without first ensuring that SABIS (and its contractors) had given appropriate assurances to TSB.  The PRA found Abarca’s failing to have undermined TSB’s operational resilience and contributed to the disruption in question. The incident was a high-profile one, and involved significant disruption to retail customers. The FCA and the PRA also fined TSB itself in relation to the incident, a total of £48.5m.

What can we learn from the cases?

Reasonable Steps

3. The senior manager conduct rules all require the manager to take “reasonable steps”. If conduct falls outside the realm of reasonable steps for a senior manager in their position, then the manager could find themselves facing enforcement action. Both the Hunter case and the Abarca case shed some light on what is meant by “reasonable steps”. The Hunter case is particularly instructive, as it has guidance which is generally applicable. The facts of the Abarca case are less generally applicable, although it has some handy guidance about the extent to which a senior manager can rely on others.

4. In the Hunter case, the PRA ruled that Hunter had failed to take reasonable steps to make sure Wyelands had adequate systems and controls relating to large exposures[1]. The firm entered into a series of structured transactions which exceeded the firm’s large exposure limits. Hunter held the SMF4 CRO role when the firm entered into the transactions, and later had SMF1 CEO oversight responsibility. Hunter failed to take reasonable steps to ensure that Wyeland’s business was controlled effectively (Senior Manager Conduct Rule 1[2]), and failed to take reasonable steps to ensure that Wyelands was complying the relevant requirements (Senior Manager Conduct Rule 2[3]). There are some useful lessons to be learned from Hunter’s failings:

1. Make sure roles and responsibilities are clear: one of the mistakes was that Hunter was responsible for allocating responsibilities. However, the firm had failed to make clear how responsibility for conducting analysis of the firm’s connected parties was clearly apportioned.  
2. Consider proportionality: the firm’s controls must be proportionate to the risk of its business model. The particular risks that Wyelands was running in relation to large exposures and connected parties meant that more rigorous control and oversight was required.
3. Be cautious about taking on multiple SMF roles: Hunter was, at various times, SMF 1 (CEO), SMF 2 (CFO) and SMF 4 (CRO). This made it much easier for the PRA to hold him responsible for the firm’s failings. In addition, acting as both CRO and CEO made it more difficult for the risk function to be independent, and to manage Wyeland’s regulatory risk. The issues were compounded by Hunter’s failure to follow the governance process (see below).
4. Record Keeping – keep detailed records of the steps that you take as a senior manager. This will allow you to defend yourself against allegations that you failed to take reasonable steps, or failed to challenge functions or address concerns raised by other parts of the business.

5. In the Abarca case, as CIO of TSB, Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so. What can we learn from this?

1. Make sure you substantiate what people tell you. A senior manager should adequately substantiate any assurances they give to a governance body. They should also annex underlying confirmations on which the assurance is based. The PRA criticised Abarca for providing his assurance to the TSB Board without annexing the underlying confirmation from SABIS or including it in the papers for the Board. When SABIS and other parties told TSB they were ready, they were more expectations or forward-looking statements than statement of fact. Abarca failed to critically assess these statements or verify them properly.
2. Think about the triggers that might require closer oversight. In the Abarca case, there were multiple service level breaches during the outsourcing, but Abarca failed to reassess the provider’s capabilities.

Follow your Governance

6. In the Hunter case, the PRA found that Hunter had breached PRA Individual Conduct Rule 2 because he failed to act with due skill, care and diligence in performing his roles at Wyelands. The breaches of this conduct rule included a number of incidences of Hunter failing to follow the firm’s own internal governance:

1. The firm had an “Engagement Policy” that required structured transactions with a key shareholder (the “GFG Alliance”) to be approved by the Wyelands board, but Hunter failed to follow the policy.
2. The terms of reference of the Wyelands board required acquisitions to be considered by the board, but Hunter failed to ensure that this occurred.

Make sure that what you tell the regulator is accurate

7. In the Hunter case, Hunter made a number of statements to the PRA which turned out to be inaccurate. The PRA found that Hunter breached Conduct Rule 2 because he failed to take appropriate steps to verify the accuracy of the statements that he made.

Your written policies and procedures are your best protection

8. In the vast majority of enforcement cases in financial markets, particularly those relating to systems and controls, the investigation is mainly desk-based. An investigation often arises as a result of a serious and unexpected event. In the Hunter case, it was the failing of the bank. In the Abarca case, it was the IT outage which affected thousands of customers. The regulator will then open an investigation, and request large numbers of documents relating to the systems, controls and procedures of the firm. They will review policies, procedures, management information, board packs, board minutes etc. There may well be interviews of the personnel involved as well, but these will likely be secondary to the desk-based review. If the firm’s documentation is poor, then it is highly likely that enforcement will result, however compelling the individual is in interview. Therefore, it is strongly recommended that you regularly review your documentation to ensure that it will withstanding regulatory scrutiny. You never know what is round the corner!

Voluntary Undertakings

9. The Hunter case had an interesting and novel feature: the PRA accepted a voluntary undertaking from Hunter, the effect of which was similar to a prohibition, given his ex-UK residency and his settlement with the PRA.  This may be of interest to individuals who are in similar circumstances in future.

Conclusion

10. We expect the Abarca and Hunter cases to be the first of a number of enforcement actions in relation to the SMCR from the PRA and the FCA. Given that, in most cases, it has been a number of years since SMCR-implementation, it would be prudent to review your systems, controls and processes to ensure that they are fit for purpose. The recent cases, particularly the Hunter case, shed some helpful light on what is expected of senior managers. More guidance will be given as further cases are published. Watch this space!

11. Contact tom.hine@kempitlaw.com to discuss or for further information.

[1] The large exposures regime under the Capital Requirements Regulation (No 575/2013) (“CRR”) seeks to avoid risks to a firm’s financial stability by preventing concentration of a firm’s exposures to an individual party or group of connected parties. As part of the regime, firms are required to monitor and control their large exposures and report such exposures to the PRA.

[2] Senior Manager Conduct Rule 1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively

[3] You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.