Comsure’s Directors training focuses on collective and personal responsibilities.  In consideration of Personal liability, Comsure deals with directors accountabilities, and in doing so touch on the FCA/PRA Senior Managers and Certification Regime (SMCR) regime.  Also, the case below is considered.  Although the case dates back to 2012, it has some powerful reminders and tips on what is expected and what should be done.

Comsure summary of the case along with the key learning outcome is = TRUST BUT VERIFY

Comsure Directors Duties Training – Case Study

Upper Tribunal unanimously clears CEO [John Pottage] of misconduct [May 2012]

In May 2012 the Upper Tribunal (the “Tribunal”) issued an important decision clearing John Pottage of misconduct in carrying out his CF3 and CF8 functions while he was CEO at UBS Wealth Management (UK) Limited and UBS AG. In so doing, it directed the FSA to take no action against him (overturning the £100,000 fine the regulator had sought to impose).

The decision undoubtedly represented a set-back for the FSA in the pursuit of its credible deterrence strategy against ever more senior individuals, particularly those at large firms, and provides a welcome reminder as to the degree of culpability that is required before an approved person is guilty of misconduct.

However, the FSA (and in turn the FCA) will continue to target high profile, senior managers and it would be unwise for anyone to derive too much comfort from a case that was ultimately decided on its facts.

That said, the matters arising from the FSA’s case and the Tribunal’s decision do provide useful pointers as to:

1. the standards against which senior management (and in particular those exercising the CF3 function) will be assessed in determining whether they have breached their individual regulatory requirements;
2. Specific behaviours which those exercising the CF3 functions will be expected to demonstrate in carrying out their functions; and
3. the governance and risk management frameworks which firms need to have in place to comply with regulatory requirements.
4. Also of note is the fact that the FSA clearly has high expectations as to what an incoming CEO should do on first assuming the role and in the first few months of his/her appointment.

Below are some key points to note for regulated firms and their senior management and compliance staff.

Key points to note:

1. Mr Pottage referred to the Tribunal an FSA Decision Notice imposing a £100,000 fine on him for breaches of Statement of Principle 7 of APER (“SP7”), as a result of
   1. His failure, on assuming a CF3 function within UBS and early enough after that,
   2. To carry out sufficient initial assessment and continuous monitoring so as to conclude, sufficiently quickly, that a “Systematic Overhaul” was Required of the governance and risk management frameworks then in place.
2. The Tribunal first considered whether there were “serious flaws” in the relevant UBS business activities, and concluded that there It, therefore, proceeded to consider whether Mr Pottage was guilty of misconduct by breaching SP7.
3. Considering all of the evidence, and drawing on some key facts which demonstrated
   1. how specific control failures identified in the business during the relevant period had been dealt with, and
   2. how Mr Pottage himself had taken steps to discharge his control responsibilities, the Tribunal concluded that the FSA had failed to establish its case that Mr Pottage had committed
4. In particular, on the evidence of what Mr Pottage had actually done in practice in the relatively short space of time since becoming CEO, the Tribunal found that Mr Pottage
   1. had taken reasonable steps to ensure that the business for which he was responsible complied with regulatory requirements (despite the fact that there were, as the FSA had contended, serious flaws within that Business).

The decision displays a robust attitude by the Tribunal towards the FSA, further the decision, though based very heavily on the particular facts, is important for the following reasons:

1. The Tribunal disagreed strongly with the FSA’s conclusions on certain factual evidence
2. criticised the “judgmental” approach of the FSA’s expert,
3. noted throughout its Judgment the FSA’s tendency to disregard points and evidence as the case proceeded and
4. noted a change of direction by The FSA which, it said, invalidated an allegation by the FSA of inconsistency in Mr Pottage’s evidence.

The decision is a useful reminder that for the FSA to succeed in an action against an Approved Person, personal culpability is required:

• Drawing on APER 3.1.4G, the Tribunal said that:-

“…an approved person will only be in breach of Statements of principles where he is personally culpable, and not simply because a regulatory failure has occurred in an Area of business for which he is responsible”.

Although the Tribunal did not refer to it, the FSA’s statement at page 17 of its December 2011 report on the failure of RBS also bears consideration:

• “For a legal sanction to be appropriate, it has to be clear that there was strong evidence that individuals broke specific rules and/or that decisions were made which were not only mistaken in retrospect but were outside the bounds of reasonableness at the time they were taken.”

The decision provides useful guidance to CF3s and other Significant Influence Approved Persons (SIAPs) and the Key points expressed in or to be inferred from the decision include:

1. An incoming CEO needs to carry out and document a detailed “Initial Assessment” of governance and risk management frameworks within 2 or, at most, 3 months.
2. The FSA has clearly set out, in this case, what it expects to form part of this assessment.
3. CEOs should be absolutely clear on their role and remit when they start their job. Have they, for instance, been instructed with a particular focus? Does their position as CEO of a business unit within a larger structure circumscribe their powers?
4. CEOs need to carry out continuous monitoring of governance and risk management frameworks.
5. CEOs may well not be risk experts and are entitled to rely on such specialists, although a CEO must “Trust but Verify” what he is told by such specialists.
6. However, this may not require him to do more than to question them Appropriately: if the specialists do not have concerns, the CEO “will more likely have no or insufficient Information on which to base his challenge”.

The corollary to the above is that risk specialists may, it would appear, themselves be held to a higher standard:

1. the Tribunal notes that had Mr Pottage been such an expert his perception of the “serious flaws” might have been “better focussed” before the date on which he commissioned the “Systematic Overhaul”.
2. For an SIAP to be guilty of misconduct under SP7, the FSA (on whom the burden of proof rests) must prove that the relevant conduct “fell outside the bounds of reasonableness”;
3. other formulations used by the Tribunal are that the conduct must have been “below that which was reasonable in all the circumstances”;
4. conduct willapparently not be objectionable if it is “within the range of reasonable responses”.

However, an SIAP may want to consider what he wishes to avoid: an adverse finding by the Tribunal, or any FSAscrutiny in the first place. If the latter, he would be well-advised to hold himself to a higher standard, wherepossible, than the thresholds of reasonableness set out above.

Additionally, the decision provides some useful guidance to firms on risk and control issues:

1. there is clearly a need for A risk control framework to operate properly down to ground level;
2. caution should be exercised as regards self-certification of risk control frameworks;
3. an overlap between risk and management committees is completely acceptable and may, in fact, strengthen the overall structure by permitting easier escalation of risk issues;
4. Consideration should be given to finding a way (subject to privilege issues) of ensuring that the prominence and length of risk discussions are recorded in committee minutes; and (v) MI needs to be assessed as to both form and content, and redundancy is to be avoided.