Read Global Enforcement Review 2018
The huge benchmark manipulation cases of recent years still cast a long shadow on financial services regulators’ enforcement activity. A shadow from which some regulators are only now just emerging. However, the signs are that a new regulatory enforcement landscape is coming into view.
On one hand, many of the regulators’ priorities are familiar and well worn. Corporate governance, disclosures to clients and markets, fraud, anti-money laundering (AML), and unlicensed activity remain key areas of focus and activity, with the number of enforcement cases in these areas consistently high across the last five years. On the other hand, a new determination to hold individuals to account and the new challenges presented by technology, are beginning to shape a new enforcement landscape.
Moreover, there has been no obvious dramatic change in enforcement activity when it comes to fines. After the surge in 2013 and 2014 comprising the bulk of the Libor and foreign exchange (FX) abuse cases, fine totals fell sharply. They have since edged up, rising to US$26.5 billion globally last year, from US$20.5 billion in 2015, under what looks like a new normal.
The U.S. regulators continue to account for most of these fines – 95% of the total global sum of fines against firms last year, and 96% of the sum since 2013. These large U.S. fines are also frequently levied against non-U.S. headquartered institutions. The perception that the U.S. is continuing to act as ‘Globo-cop’ in the industry may not be far wrong.
Look more closely, though, and while some things stay the same, the evolving financial services industry presents challenges in new areas.
New Priorities New Players
First, some other genuinely new regulatory priorities are emerging. Most obvious, is increasing concern from regulators globally around cybersecurity and data privacy. Firms must now contend with not only supervisory authorities such as the UK’s Information Commissioner’s Office (ICO), given increased powers through Europe’s General Data Protection Regulation (GDPR), but also financial regulators focusing – and fining – on these issues.
Technological developments, such as those around cryptocurrencies (a priority for the U.S. Financial Industry Regulatory Authority (FINRA) and the UK’s Financial Conduct Authority (FCA) among others), will also continue to present new challenges.
Priority is also being given globally to protecting retirement savings and investments, which will inevitably be an increasing area of enforcement focus for many regulators in the years ahead. Not surprisingly, this is most pronounced in those countries with well-developed private sector pensions such as the UK, U.S. and Australia. The FCA for instance has a goal to protect older savers from ill-advised transfers out of defined benefit pension schemes and other challenges arising from “pensions freedoms” introduced in recent years.
Second, the dominance of the U.S. at the top of the enforcement league table and a focus on fine amounts obscures a more complex picture. Some smaller but still significant activity can easily be missed, which shows the wider adoption of public enforcement action by regulators. We have seen, for example, an uptick in enforcement from certain regulators, like the Central Bank of Ireland and the two French regulators, the AMF and the PSRA, and action from more recent arrivals to the enforcement world, like ESMA.
Recent notable action can be lost in the totals, for example:
- The UK’s FCA used its powers under Section 384 of the Financial Services and Markets Act for the first time to require Tesco, a listed non-financial services company, to pay compensation to investors for market abuse in relation to a trading update.1
- The U.S. Securities and Exchange Commission (SEC) charged businessman Maksim Zaslavskiy and two companies with defrauding investors in relation to initial coin offerings purportedly backed by investments in real estate and diamonds, the first action of its kind by the SEC.2
- France’s AMF fined Natixis Asset Management €35 million3 (its largest on record) for breaching its professional obligations in relation to the management of formula funds.
- ESMA’s fine of €1.24 million against Moody’s Corporation, a credit ratings agency, for4 two breaches of the Credit Rating Agencies Regulation.
- Hong Kong’s Securities and Futures Commission (SFC) in March 2018 intervened to halt an initial coin offering by Black Cell Technology, over concerns that the firm had engaged in unauthorized promotional activities and unlicensed regulated activities.5
Finally, penalty amounts only give part of the story. Even in the U.S., the figure is heavily skewed by a few big cases. Whilst, fine amounts tell us a fair amount about the size of organizations involved, and perhaps the gravity of the breaches, but they tell less about the overall level of activity of the regulators when it comes to enforcement.
In fact, the total number of larger fines issued against firms globally tells a different story. It actually rose in 2015 (while fine amounts fell) but has been falling since: between 2015 and 2017, the number of significant fines fell by 30%.
Making it personal
The declining number of penalties and fine amounts compared with previous years arguably point to a weakening of regulators’ faith in the ability of big fines alone to change behavior, or at least a recognition of the importance of using other levers.
Those levers include, more creative methods to address failures, notably with an increased emphasis on restitution; and, perhaps more significantly, a focus on individual accountability: In fact, penalties against individuals accounts for almost a third (31%) of the total cases globally between 2013 and 2017. This has been rising steadily year on year apart from a drop of 13% in 2017.
That is only going to grow. At present there is still a relative dearth of large fines against individuals outside the U.S. Of the total US$627.9 million in large penalties imposed against individuals globally last year, US$621.3 million (99%) was by U.S. regulators. But change is coming.
New rules are bedding in with the UK Senior Managers and Certification Regime (SMCR) and Hong Kong’s Managers in Charge (MIC) rules. Singapore looks likely to join them with recently proposed Guidelines on Individual Accountability and Conduct from the MAS. Elsewhere, regulators have also been clear that individuals are in the firing line, not just for breaches and abuse, but also for failures for which they may not be directly responsible, but that happen on their watch.
How soon that change is seen in the enforcement figures is uncertain: The regulatory pipeline is long and a change in direction from the regulators is often only felt – or at least becomes apparent in enforcement figures – approximately two or three years on average in most jurisdictions (and in some case more) down the line. But, with massive fines against firms no longer retaining the power to shock, regulators are increasingly looking to alternative, more impactful approaches such as business restrictions, prohibitions and criminal actions against individuals.
For those individuals concerned, it might be that, in the years ahead, 2017-18 comes to be seen as the calm before the storm.