Are the FCA’s Dear CEO letters and general published guidance an effective way for a regulator to communicate?
by Len Williams
Imagine you are the CEO of a wealth management firm. One morning, you receive an FCA letter beginning: “Dear CEO …”
The letter is fairly long and broad, setting out the regulator’s expectations that you ensure “client portfolios are managed in line with individual client risk profiles”, that there are “robust systems and controls to mitigate the risks of harm arising from financial crime” and that firms like yours will “foster healthy cultures”. What on earth are you supposed to make of it?
The particular letter referred to above was sent by the FCA on 16 September 2021 to a large number of firms in wealth management and stockbroking. And it is just one of a growing number of ‘Dear CEO’ letters the regulator has sent out and published online in recent years.
According to 2020 research from financial services advisory BDO, there’s been a significant rise in these sorts of letters since 2010, when the FCA published just one. This rose to five in 2014/15 and fifteen in 2019/20.
[Figure: FCA Dear CEO letters published]
This is not the only method the FCA uses to communicate about its rules and expectations (although it may well be one of the more memorable methods if you are a CEO). Its Handbook contains a complete record of all its legal instruments, plus updates about changes. The FCA also puts out policy statements, discussion and consultation papers, email alerts, speeches, and social media announcements.
So, why does the regulator need to send Dear CEO letters and similar notes too?
The FCA’s less ‘formal’ communications
The FCA calls these communications ‘portfolio letters’, explaining on its website that it supervises all firms “as members of a portfolio of firms that share a common business model. For portfolio communications, we will set out our view of the main risks of harm in a portfolio, the action we expect firms to take, and what we will be doing to reduce the level of harm in that sector”. There are currently 41 such sectors, and not all of them will have received a Dear CEO letter yet.
"There can be no excuse that you didn't know" While each letter is different, they follow a similar structure, identifying “key harms” in the portfolio, as well as an outline of the FCA’s strategy for dealing with these harms. They also provide information about next steps. Dear CEO letters and other informal FCA communications are not prescriptive nor are they specific to the recipient; they simply identify issues and expectations for firms in a particular sector.
And this is where they can cause a certain amount of confusion. Shabaz Ahmed, an associate at DWF Law and contributor to our Regulatory Update in The Review print edition, points to the example of the FCA's recently published expectations for remote or hybrid working. The FCA warns: “It’s important that firms are prepared and take responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes. This includes supervisory and enforcement visits.”
This communication raises several important questions, but doesn’t provide any answers. Shabaz explains that it doesn’t state whether the FCA considers that it would need a warrant to enter a worker’s home unannounced, or if it considers that workers are obliged to allow entry in accordance with Individual Conduct Rule 3 – which imposes a requirement to be open and cooperative with the FCA – refusal of which could be considered a breach. If the latter, it is unclear how this squares with a person's “right to respect for [their] private and family life, [their] home and [their] correspondence" under Article 8 of the European Convention on Human Rights.
The lack of clarity in some of the authority’s communications might therefore leave firms scratching their heads, but they can also serve to highlight potential problems that firms should be looking into. The FCA regulates tens of thousands of firms, many of whom are small and unable to stay up to date with every change in the rules. Some may not necessarily be aware that there is even an issue in their sector until they receive a letter from the FCA.
We told you so
“Think of them as a warning shot across the bows,” says Graeme Stewart, head of consultancy at Paradigm Consulting, a compliance advisory. If a firm is operating in a portfolio that the FCA has identified as having issues, the Dear CEO letters let them know they and their peers could potentially be breaking the rules. Receiving a Dear CEO letter certainly doesn’t mean a particular firm is doing anything wrong, but if there is any malpractice, Graeme remarks “there can be no excuse that you didn’t know”.
While the FCA does not necessarily request firms to provide evidence that they’ve acted on the letters, “in future, it would be possible for them to come and ask firms what they did about the issues raised”, Graeme says. For those who can show they read the letter and did something about it, this will presumably be viewed in a good light by the regulator. As much as anything, Graeme sees these communications as a way of reminding business leaders that they need to be following the spirit of the rules and “doing the right thing”.
If a business ever receives an enforcement notice from the FCA, the regulator will point back to communications it has sent about its rules and expectations, explains Jeremy Irving, head of financial services at law firm Browne Jacobson. These might be thematic reviews and other detailed guidance, but could also include Dear CEO letters.
“As a firm, we have been on the receiving end of a few ‘Dear CEO’ letters, and when speaking with other financial planners about it, I would have to say that their use has been considered as a ‘fast-track’ way of gaining action without the bureaucracy of changing the rulebook,” says Amyr Rocha-Lima CFP™ Chartered FCSI, partner at Holland Hahn & Wills and chair of the CISI Financial Planning Forum. He says the letters gain “immediate attention and prompt action – so you could say they do their job”.
A pragmatic response
If the FCA already publishes a Handbook with all its rules online, why does it need to send out Dear CEO letters at all? And how do they relate to the existing rule book?
Part of the answer relates to how the FCA creates rules in the first place. Tom Murrell, a trainee solicitor at Browne Jacobson, explains it can take up to two years for the FCA to create new rules. But, in a fast-paced market, with new technology, companies and business models emerging all the time, it’s not always possible to draft regulations to tackle possible harms fast enough. So, while Tom is clear that the letters do not impose new rules, they offer a way of telling firms about problems and encouraging them to change their behaviour.
His colleague Jeremy Irving suggests they help “nudge and steer” firms in the right direction. Tom explains that the FCA gathers information from a variety of sources about how firms are behaving in its various portfolios. This includes firms’ own reporting, information about complaints to the Financial Ombudsman Service or visits to review the firm’s practices. If the regulator notices an increase in problems in a particular sector, it might well choose to address the issue with a Dear CEO letter.
For Richard Barnwell, a partner at BDO, they are a “pragmatic response” by the FCA to the realities of communicating with the thousands of businesses it regulates. While some of the biggest players in the financial services sector will have a compliance team in place, it is not uncommon for many smaller and medium-sized firms in the sector to have no internal compliance team at all. This means there may be no one employed to actively monitor the rules and ensure the firm is following them.
A common feature of Dear CEO letters, Jeremy notes, is an emphasis on culture. The FCA does not want to give out templates on how to create a ‘healthy’ company culture but understands that the culture in place at firms can have a real effect on their performance, as well as how they treat customers and employees. By emphasising the importance of thinking about culture, the regulator hopes it will encourage CEOs to think about this topic more, says Jeremy.
A useful tool
The FCA (as well as the Prudential Regulation Authority) has become responsible for a wider range of firms than ever in recent years (including fintech firms). With ever more firms to communicate with, it seems the FCA feels Dear CEO letters are an efficient way of talking to the 51,000 companies it regulates.
Richard also sees this increase as a consequence of the 2008 financial crisis. “Regulators found it difficult to hold individuals at firms accountable,” he says. There was much media and political anger in the aftermath of the crisis that almost no irresponsible bankers were prosecuted for often criminal behaviour. By sending a Dear CEO letter, the regulator reinforces the idea that specific individuals will be held accountable for any failings in a market.
Richard notes that the increase in Dear CEO letters in recent years also coincides with the 2019 Senior Managers and Certification Regime (SMCR), an effort by the FCA to make individuals at firms more accountable.
The FCA is also held accountable. While it is politically independent, it does still come under some media and political pressure to tackle problems in the sectors it regulates. The Dear CEO letters, among their other output, show that the regulator is actively “doing something”, says Richard.
Food for thought
So, what should a CEO do if they receive this kind of letter from the FCA? There is of course no universal answer, and Jeremy says they are not intended to produce a coordinated response across the sector. Instead, he suggests a CEO should share it at board and senior management level, discuss the issues raised by the letter with their compliance and risk teams (or the responsible person), and work out whether they are meeting the regulator’s expectations.
And Richard suggests that after receiving this kind of letter, a CEO needs to ask: “Does this apply to me?” He adds that it is “better to find out you’re doing something wrong from a Dear CEO letter” than to receive a more direct warning about your firm’s specific failings.
While they are not the only way that the FCA communicates with the firms it regulates, these letters do seem to be an increasingly common way for it to alert firms to problems. By providing the regulator with the flexibility to nudge companies in the right direction, they appear to be a valuable weapon in the FCA’s arsenal.