Advice Matters is an accredited monthly e-journal. Each edition contains a number of articles written by industry experts that combine knowledge- and skills-related topics with technical and regulatory updates. Every edition is aligned to the ApEx standards, with a review at the end of each journal to show the learning outcomes and standards covered. (This is not available in the sample below.)
Advice Matters will allow professionals to access 12 hours of structured CPD throughout the year from the comfort of their desk, or on the go using a mobile device. Each edition is also accompanied by associated questions and answers to help test and verify knowledge.
Take a look at a recent article from our ‘Staying on Track’ section of Advice Matters that focuses on your personal development. The article provided below looks at surviving a regulatory visit.
Personal Development is often forgotten or neglected, as it is not seen as being as important as the other areas of CPD. In reality it can be the aspect that makes the real difference to your clients and your earning capacity. In each edition of Advice Matters we will discuss potential development areas and ensure any Regulator focus that aligns to this area is covered in a very timely manner.
Surviving a regulatory visit
If you were a scout (maybe you still are) you would be familiar with the Scout motto – Be Prepared.
When asked “Prepared for what?”, the founder of the scouting movement, Robert Baden-Powell, answered: “Why, for any old thing.”
It wouldn’t be a bad idea to adopt this motto for the financial services sector, especially with respect to Regulatory visits.
In previous articles the regulator has been called the “Big Bad Wolf” – stressing the need to build your house of stone so the Big Bad Wolf can “huff and puff” but your house stands firm. When you receive notification of a regulatory visit it is important to ensure your firm is built of stone.
Whether you receive a letter, email or telephone call advising of a regulatory visit, the most important thing is to have a plan in place to handle the visit. “Be Prepared” and plan, plan, plan.
So how do you survive a regulatory visit?
The first thing to do is to treat the visit as a project and therefore put a detailed project plan in place. The key things to consider are:
Prior to the visit
All firms should have a regulatory file that holds key documentation that most Regulators will ask for prior to visiting the offices. This information will very often be static, but it is important that it is updated regularly, especially when significant events happen. Examples of this type of documentation are:
Firm Structure and Corporate Governance
- Brief corporate history with details of current operations and nature of business written
- Internal organisation charts showing key staff, departments and reporting lines
- Analysis of changes in key members of management and the associated operational impact
- Details of current Board and Committee structures and members
- Terms of reference for Board and Committees
- The business strategy
- Up to date business plan
- Details of the product design and development strategy in the short and medium term
Systems and Controls / Operational Risk Management
- Description of key IT systems
- Summary of material outsource providers and arrangements for monitoring performance
- Details of conflicts of interest policies and procedures
- Details of procedures for maintaining awareness of regulatory obligations
- Copy of product design/development governance and procedures
- Detail of procedures for oversight and control of cover holders and Third Party Administrators
- Copies of the TCF policy and TCF Strategy
- Current terms of reference for senior management and an outline of the executive appraisal process
- Succession planning and arrangements
- Disciplinary policy and procedures
- Remuneration policy for senior management
The Regulator will also want copies of management information. By its nature this information evolves and it is important to have a process in place to ensure that it can be compiled very quickly following a request from the Regulator. Examples of this type of Management Information are:
- Minutes of Board, Subcommittees and executive meetings held in the last 6 months
- Copy of Board pack of management information from the most recent Board meeting
- Copy of the latest ICAAP
- Details of complaints by product line or service
- List of product/service types and distribution channels including data on funds under management and gross income by type of product/service and clients by product/service
- Copies of financial crime logs
- Details of last internal audit review and rating of conflicts of interest policies and procedures
- Copy of the last three months of TCF MI
- Description of any key ongoing projects
- Summary of the status of any current IT projects
- Management information on material outsource providers and performance monitoring
- Reports on any reviews of outsourcing
- Latest compliance plan / report with details of responsibility and status
- Copy of the current risk register
- A full copy of the last two internal audit reports issued during the last 12 months including ratings and a summary of the management response to each
- List all findings raised in all internal and external audits over the last 12 months including ratings and a summary of the management response to each
- Latest external audit report and management letter
When complying with the information request you receive from the Regulator, make sure you keep copies of everything you provide and keep them filed in an orderly manner so that they can be easily referenced. Allocate responsibility for complying with the data request and for maintaining the filed copies. Take a look at the list above and consider what is standing data and what information is likely to change more rapidly. As documentation is refreshed as part of BAU, just keep asking yourself “does our readiness pack need this refreshed?”
Preparing your staff
It is important to remember to train staff and to include interview training for the staff likely to be interviewed. The expectation is that your staff will be trained, so train them. You cannot underestimate the value of good interview training in preparation for a regulatory visit.
Firms should operate on the premise of no surprises. Explain to all the staff that a visit is going to take place and the purpose of the visit. Remind them of the need to be respectful and be open and honest with the Regulator in accordance with the FCA Handbook. Could every member of your staff explain what Conduct Risk is?
APER 2.1A.3 – Statements of Principle – Statement of Principle 4:
An approved person must deal with the FCA and PRA and other regulators in an open and cooperative way and must disclose appropriately any information of which the FCA and PRA would reasonably expect notice.
COCON 2.1 Individual conduct rules – Rule 3:
You must be open and cooperative with the FCA and PRA and other regulators.
Once the Regulator provides a list of staff they wish to see, make sure that they are available. If they are not, advise the Regulator as soon as possible, detailing the reason why they are not available, and offer alternative dates or people for them to see.
Look after the Regulator by providing office space and if necessary additional rooms for them to conduct their interviews. Talk to them and find out what they require and do your utmost to provide it. If you cannot meet their expectations, explain why and offer alternatives.
Point of contact
Make sure that you provide the Regulator with a point of contact and an alternative, so that all requests are met in a timely manner, communication can be centralised and recorded, and anything that needs to be added to the project plan is added immediately.
During the regulatory visit
The Regulator will have their own agenda and project plan. Make sure that you provide the necessary support for them to achieve their objectives.
It is customary to have an opening meeting when the Regulator first arrives on site. This is an opportunity for the firm to introduce the key people within the organisation such as the CEO, COO, Finance Director, Compliance Officer and Head of Risk. This is also an opportunity for the firm to explain how it operates, the markets it operates in and other key information.
Offer a presentation which details the key points about the firm, the governance structure, details of the Senior Management team, the type of client base and any issues that the firm is aware of including key risks. This will help the Regulator understand the firm.
At the opening meeting, advise the Regulator that a note taker will be attending all meetings and interviews. There may be occasions when the Regulator does not want certain people attending as note takers, but they will normally allow an alternative person to attend. It is important for the firm to have its own record of the meetings.
It is equally important to ask the Regulator to keep you updated on their progress and to raise any concerns or possible misunderstandings as the visit proceeds, rather than leaving them to the end of the visit. Express a desire for an open dialogue.
The Regulator will ask for further documentation throughout the visit. Provide the documentation in a timely manner and make sure you keep copies of everything.
Interviews and meetings
Interviews are a key regulatory tool and it is important that anybody being interviewed remembers the reliance the Regulator puts on this regulatory tool. There are several basic things to remember:
- Be open and answer the questions honestly
- Never be afraid to say you do not know the answer or don’t understand the question
- If you are unsure of the question, ask them to repeat it. Never guess the question
After each interview or meeting, the firm should have a debriefing meeting where any concerns or issues can be raised. This will not only highlight any issues but will also provide support to the people who have been interviewed or attended the meeting. It is stressful meeting with the Regulator and it is important to support your employees.
The Regulator will normally have a closing meeting where any findings, issues or concerns are raised. This is also an opportunity for the firm to raise anything with the Regulator, particularly if you think that the findings are not valid. If you have kept an open dialogue with the Regulator during the visit there should be no surprises.
Post the Regulatory visit
Following the visit, the firm will normally receive a letter detailing the findings from the visit. It is important that the letter is read in detail and acknowledged in accordance with the timescales detailed in the letter. If there are any points where the firm disagrees with the findings, the firm should advise the Regulator as soon as possible that the firm disagrees with these points.
A full response to the letter should be prepared and signed off in accordance with the firm’s internal processes and procedures. Current best practice is that the initial letter from the Regulator detailing the findings is presented to the Board with a draft response for Board approval. If necessary the letter and draft response can be circulated electronically as it is important that all Board members are aware of the content.
It is important that the firm responds to the letter in accordance with the timescales detailed in the letter. On receipt of the letter, the dates should be added to the project plan together with key milestones to make sure the reporting dates are met.
In the majority of cases the Regulator will ask for a project plan detailing when and how the issues raised will be remediated. It is important to make sure all of the points in the letter are included in the plan and the remediation dates achieved. Keep the Regulator updated on progress and if timescales slip advise them immediately.
When the visit has been completed and a response to the visit letter has been sent to the Regulator, the firm should undertake a review of the whole process to ascertain lessons learnt.