December 15, 2022
The U.K. Financial Conduct Authority (the “FCA”) Final Notice against Julius Baer International Limited (“JBIL”)[1], including the imposition of a fine of more than £18 million, marks the latest in a series of enforcement actions against FCA authorised firms relating to failings in arrangements with third party intermediaries. In this alert, we draw out the key themes from those enforcement actions, highlighting particular areas of FCA concern and focus, and set out some practical steps that firms can take so as not to fall foul of regulatory requirements and expectations.
The JBIL Final Notice
JBIL, an investment advisory and wealth management firm, was found by the FCA to have failed to conduct its business with integrity, failed to take reasonable care to organise and control its affairs and failed to be open and cooperative with the FCA.[2] The finding, in particular, that JBIL failed to act with integrity stands out, with there being very few cases where the FCA has considered that there has been a breach of Principle 1 of its Principles for Businesses.[3]
The FCA concluded that JBIL facilitated finder’s arrangements between Bank Julius Baer (“BJB”) and an employee (the “Finder”) of a number of holding companies incorporated in various jurisdictions which owned the residual non-Russian assets of a Russian oil group (the “Client Group Companies”). Under these arrangements, BJB paid finder’s fees to the Finder for introducing Client Group Companies to Julius Baer. This was done on the understanding that the Client Group Companies would then place large cash sums with Julius Baer from which Julius Baer could generate significant revenues.
In particular, uncommercial FX transactions were made in which the Client Group Companies were charged far higher than standard rates, with the profits being shared between the Finder and Julius Baer. The Finder received commission payments totalling approximately USD 3m as a result of these arrangements. These fees were improper and together with the uncommercial FX transactions showed a lack of integrity in the way in which JBIL was undertaking this business.
Further, the FCA found that JBIL failed to have adequate policies and procedures in place to identify and manage the risks arising from the relationships between JBIL and finders (external third parties that introduced potential clients to Julius Baer in return for commission). This included having no policies which defined the rules surrounding the use of finders within JBIL until after June 2010. Policies introduced after that date were found to be inadequate.
Finally, JBIL became aware of the nature of these transactions – including the commission payments to the Finder – in 2012 and suspected that a potential fraud had been committed. However, it did not report these matters to the FCA immediately, as required, or at all until July 2014.
Previous FCA enforcement action against other firms
As noted above, the JBIL Final Notice follows a number of Final Notices imposed on other firms by the FCA. These range from Final Notices for not taking reasonable care to establish and maintain effective systems and controls for countering the risks of bribery and corruption associated with making payments to overseas third parties who assisted in winning business from overseas clients, to a Final Notice issued earlier this year relating to, broadly, the third-party introducers it used in its insurance business and bribes being made by such persons.
Key themes
(1) Policies and procedures
One recurring theme from the Final Notices is that the firms had failed to ensure that they had adequate policies and procedures in place to identify and manage the risks of using the third party intermediaries. For example, prior to 11 June 2010, there were no policies which defined the rules and guidelines to be adopted in respect of the use of finders within the Julius Baer group or JBIL. After that date, JBIL relied on BJB policies and procedures in relation to finders, which were inadequate, and other entities within the Julius Baer group were responsible for managing and overseeing key aspects of finder relationships, including the contractual terms and payment of fees. As a result, JBIL failed to ensure that it identified and managed potential conflicts of interests, both between finders and its clients and between the Julius Baer group and its clients. JBIL also failed to ensure that clients were properly informed of its arrangements with finders and consented to any payments made to finders. A particular similarity between the JBIL Final Notice and previous Final Notices is that firms have had an over-reliance on group procedures, which were not, on their own, sufficient. Firms should, therefore, be cognisant of their own regulatory responsibilities and not simply follow a group-wide policy without ensuring that the policies appropriately cover their own activities.
(2) Systems and controls
Principle 3 requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. In the JBIL Final Notice, it was determined that the conduct of the relationship with the Client Group Companies highlighted serious issues with JBIL’s control environment. Amongst other things, the FCA found that JBIL: (i) did not have a sufficient understanding of the relationships between finders and introduced clients to enable it to identify potential conflicts of interests and did not have sufficient information or oversight to identify any other risks that might arise from relationships with finders; (ii) was not able to take steps adequately to monitor or control the risks arising from relationships with finders, or to assess whether it was appropriate for Julius Baer to maintain such relationships at all; and (iii) was not able to and did not control the disclosure of relationships with finders to clients.
Interestingly, in the JBIL Final Notice and previous Final Notices, the FCA has been critical of the firms in question for not having taken into account relevant key publications produced by the FCA that should have served as a warning and guidance to them. For example, in the JBIL Final Notice, the FCA specifically referred to the “financial crime risks presented by firms’ use of Finders [having] been highlighted by the Authority in publications and enforcement action against firms including Aon (6 January 2009), Willis (21 July 2011) and Besso (17 March 2014)”. This is a clear message that firms should be monitoring the publication of relevant guidance by the FCA and seeing if any lessons can be learned from enforcement action against other market participants.
Another recurring theme of the Final Notices in this space has been what the FCA perceives as inadequate governance, including the manner in which risks, including those relating to financial crime, were presented to certain committees did not enable them to assess the risks holistically and relevant risks and issues were not appropriately escalated to control functions. It is vital, therefore, that firms ensure: (i) the flow of appropriate MI to the relevant committees; (ii) that such information is properly scrutinised and, where necessary, challenged; (iii) that individuals with appropriate skills and experience are sitting on the Board or relevant committees; and (iv) that individuals holding important roles such as the MLRO function are at a sufficiently senior level.
(3) Communicating with the FCA
It is interesting to contrast the views of the FCA on how JBIL and other firms have communicated with it prior to and throughout the enforcement process. In the JBIL Final Notice the FCA noted that “[on] 22 May 2014, [JBIL] reported potential acts of bribery and corruption to UK law enforcement. It referred to payments made by BJB to [the Finder] in finder’s fees and stated that the payments may have been tainted by a ‘scheme’ by [the Finder] and [another individual], to defraud the [Client] Group Companies of money. [JBIL] informed the [FCA] of this on 7 July 2014”. Whilst firms will always want to take time to establish the facts before reporting potential issues to regulators, care must be taken to avoid overly long delay. In this case, the FCA highlighted the gap between the date of internal escalation of serious concerns and the date on which the FCA were notified of the issue: “The [FCA] expects to be notified of allegations of financial crime immediately and should have been promptly informed about the concerns raised on 30 November 2012”.
By contrast, in other Final Notices, the FCA has acknowledged the assistance that firms have provided to it during its investigation when coming to the amount of the fine issued. Firms should, therefore, give great consideration to how and when they communicate with the FCA. This is particularly important in the context of ensuring that firms appropriately comply with their Principle 11 notification obligations.
Practical steps
We set out below a table of examples of “good” and “poor” practice that should assist firms in their approach to ensuring they are complying with FCA expectations in the context of relationships with third party intermediaries, primarily viewed through an anti-bribery and corruption lens. It is informed by the FCA’s guidance in Chapter 13 of its “Financial Crime Thematic Reviews” guide.
|
Examples of “good practice” |
Examples of “poor practice” |
|
Governance |
|
|
Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate terms of reference and senior management membership, reporting ultimately to the Board. |
Failing to establish an effective governance framework to address bribery and corruption risk. |
|
Regular and substantive MI to the Board and other relevant senior management forums, including: an overview of the bribery and corruption risks faced by the business; systems and controls to mitigate those risks; information about the effectiveness of those systems and controls; and legal and regulatory developments. |
Failing to allocate responsibility for anti-bribery and corruption to a single senior manager or an appropriately formed committee. |
|
Where relevant, MI includes information about third parties, including (but not limited to) unusually high commission paid to third parties. |
Little or no MI sent to the Board about bribery and corruption issues, including legislative or regulatory developments, emerging risks and higher risk third-party relationships or payments. |
|
Assessing bribery and corruption risk |
|
|
The firm takes adequate steps to identify the bribery and corruption risk. Where internal knowledge and understanding of corruption risk is limited, the firm supplements this with external expertise. |
The risk assessment is a one-off exercise. |
|
Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources. |
Efforts to understand the risk assessment are piecemeal and lack coordination. |
|
Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed. |
Risk assessments are incomplete and too generic. |
|
The bribery and corruption risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes. |
Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues. |
|
Policies and procedures |
|
|
The firm clearly sets out the behaviour expected of those acting on its behalf. |
The firm has no method in place to monitor and assess staff compliance with anti-bribery and corruption policies and procedures. |
|
The team responsible for ensuring the firm’s compliance with its anti-bribery and corruption obligations engages with the business units about the development and implementation of anti-bribery and corruption systems and controls. |
Staff responsible for the implementation and monitoring of anti-bribery and corruption policies and procedures have inadequate expertise on bribery and corruption. |
|
There should be an effective mechanism for reporting issues to the team or committee responsible for ensuring compliance with the firm’s anti-bribery and corruption obligations. |
|
|
Third party relationships and due diligence |
|
|
Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight. |
A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery or corruption to generate business. |
|
Third-party relationships are reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue. |
The firm fails to establish and record an adequate commercial rationale for using the services of third parties. |
|
There are higher, or extra, levels of due diligence and approval for high risk third-party relationships. |
The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them. |
|
There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm. |
There is no checking of compliance’s operational role in approving new third-party relationships and accounts. |
|
The firm’s compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, such as a third party’s political or public service connections. |
A firm assumes that long-standing third-party relationships present no bribery or corruption risk. |
|
Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence. |
A firm relies exclusively on informal means, such as staff’s personal knowledge, to assess the bribery and corruption risk associated with third parties. |
|
Enhanced due diligence procedures include a review of the third party’s own anti-bribery and corruption controls. |
No prescribed take-on process for new third-party relationships. |
|
Inclusion of anti-bribery and corruption-specific clauses and appropriate protections in contracts with third parties. |
A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third-party relationship. |
|
Providing good quality, standard training on anti-bribery and corruption for all staff. |
|
__________________________
[1] https://www.fca.org.uk/publication/final-notices/julius-baer-international-limited-2022.pdf.
[2] The FCA also published decision notices for three connected individuals (available here).
[3] The most recent instance prior to this was the Coverall Worldwide Ltd Final Notice in 2016: https://www.fca.org.uk/publication/final-notices/coverall-worldwide-ltd.pdf.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s Global Financial Regulatory team, or the following authors in London:
Michelle M. Kirschner (+44 (0) 20 7071 4212, [email protected])
Matthew Nunan (+44 (0) 20 7071 4201, [email protected])
Martin Coombes (+44 (0) 20 7071 4258, [email protected])
Chris Hickey (+44 (0) 20 7071 4265, [email protected])
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.