Senior management responsibility – The Upper Tribunal reviews the standard – The Upper Tribunal (the tribunal) has recently overturned the Financial Services Authority’s (FSA) decision to hold John Pottage, former CEO at a large financial institution, responsible for an alleged failure to take reasonable steps to implement prompt measures to review and overhaul his firm’s systems and controls (John Pottage v FSA (FS/2010/0033)).

The FSA approach

1. The Financial Services Authority (FSA) has for some time, as part of its “credible deterrence” strategy, emphasised the personal responsibility of senior management and that it would take action against senior managers whose conduct fell below the relevant standard.
2. However, in practice, the FSA has rarely taken enforcement action against senior managers at large firms, and in particular, for alleged failure to take reasonable steps to ensure that the firm met regulatory requirements.
3. Before the Pottage case, FSA actions against senior managers tended to be
   • against individuals who had been directly involved in matters that went wrong at the firm, or
   • who had a clear line of responsibility for the relevant area (for example, compliance and money laundering reporting officers) or
   • managers of small firms in which it is easier to attribute failings of the firm to particular individuals.

Mr Pottage

1. Mr Pottage took on the role of UK Head of Wealth Management in 2006.
2. Various compliance issues came to light between September 2006 and July 2007.
3. Mr Pottage directed detailed investigations of these issues as they arose and ordered a comprehensive review of operational risks and controls in July 2007.
   Remedial action was taken following the investigations, and an independent audit firm confirmed that the controls issues had been corrected.
4. The FSA claimed that Mr Pottage could have identified deficiencies in the firm’s risk management framework earlier, when conducting an initial assessment on taking up his post as CEO.
5. The FSA viewed each of the compliance issues as warning signals of potential wider issues in governance and risk management at the firm.
6. Mr Pottage should therefore have initiated a comprehensive review of operational risks and controls on commencement of his role or in response to relevant warning signals.

As a consequence, the FSA

1. Claimed that he failed to implement
2. Improvements to systems and controls soon enough.
3. The FSA decided to fine Mr Pottage £100,000 for breach of principle 7 of APER, which requires an approved person to take reasonable steps to ensure that the business for which he is responsible complies with regulatory rules and standards.

The tribunal’s decision

1. The tribunal upheld Mr Pottage’s challenge to the FSA’s decision, determining that there was no evidence that Mr Pottage had breached his regulatory obligations. Therefore, there was no misconduct for which the FSA could impose a financial penalty.
2. It is, of course, difficult to draw many conclusions from a single decision which is heavily based on its own facts. However, a few points are worth noting.

The tribunal found that

1. Mr Pottage could not reasonably be expected to have reacted any earlier to any deficiencies in the firm’s UK governance and risk management frameworks, or to have proactively identified problems, when neither the bank’s own senior risk and compliance specialists, nor the FSA itself, had spotted that the warning signals merited a wider systems and controls review.
2. The obligation on senior management is not to ensure compliance, but merely to take reasonable steps to ensure that systems and controls are adequate; there is no strict liability.
3. The tribunal found that Mr Pottage did take reasonable steps to fulfil his obligations.

The tribunal found that

1. Mr Pottage was entitled to rely on advice from risk management and compliance specialists at the firm.
2. CEOs cannot blindly Trust the information provided from those responsible for risk management and compliance but, so long as they take reasonable steps to probe and verify that information, they can rely on it.

Implications of the tribunal’s decision

1. The FSA now routinely considers the roles and conduct of individuals when conducting an investigation, and this decision is unlikely to change that.
2. The FSA’s strategy of pursuing top-level executives is a key feature of its credible deterrence strategy. However, it is important that the tribunal has recognised that personal liability is appropriate only where the individual has failed to take reasonable steps and has also recognised the reliance that senior executives place on risk management and other similar functions.
3. In future, the FSA will need to scrutinise the conduct of individuals more carefully to identify whether enforcement action is appropriate.
4. The tribunal’s focus on Mr Pottage’s (legitimate) reliance on risk management and compliance managers might cause the FSA to direct its scrutiny to the second tier of management, such as individuals with significant influence functions appointed to lead risk management and compliance functions.
5. However, the FSA has generally (and rightly) been cautious about taking action against those in “gate-keeper” roles, save where there have been clear failings.
6. As to the question of whether the FSA should itself have spotted the issues, the FSA argued that its supervision is necessarily relatively high-level, and that it is often not in a position to spot systems and controls failings that the firm itself has not spotted.
7. Although the tribunal noted that at the time neither the firm nor indeed the FSA had suggested that it was necessary to carry out a wider review of systems and controls than that put in place, it avoided making a finding that Mr Pottage could rely on the FSA’s lack of criticism.
8. When the FSA does bring future actions against senior managers, the tribunal’s decision in this case is a further factor that may prompt individuals to dispute the FSA’s decision and refer the matter to the tribunal.

Lessons for compliance

1. The decision also sheds some light on the nature of the operational risk framework and management information that the FSA expects financial institutions to have in place.
2. The FSA viewed the matrix reporting structure at the firm as increasing the risks to the business, and considered that stronger controls were required to counter those risks.
3. The FSA argued that there was a conflict between functional reporting lines to overseas heads responsible for financial performance and remuneration (who were not necessarily familiar with UK regulatory requirements) on the one hand, and local reporting lines to those responsible for compliance with UK regulatory requirements, on the other.
4. The implication is that the FSA wants to see management arrangements that align remuneration incentives with regulatory compliance, and expects firms to consider whether reporting lines and other measures are likely to promote or detract from regulatory compliance.
5. The FSA also expects management information to engage with risk issues, and not to be restricted to financial and commercial information.
6. The FSA’s submissions highlighted the question of the resources devoted to the back office risk management and compliance functions, and the need for financial institutions, as they seek to reduce costs in current market conditions, to keep the front office to back office staffing ratio under review as a regulatory risk issue.
7. The FSA also expects that, on commencing a role as a senior executive, an individual will conduct an initial assessment of the governance and risk management frameworks.

In the case of a CEO, the FSA would expect this initial assessment to provide the person with an accurate and thorough under- standing of:

1. The state of the business, including the governance and risk management framework.
2. The operational risks of the business and the current systems of control.
3. The quality of management information available to assess whether the governance and risk management frameworks are working effectively.
4. Previously identified risks and compliance issues.
5. The strengths and weaknesses of the people who report to him.

The tribunal did not comment on the FSA’s expectations in these areas.