Compliance, Culture and Evolving Regulatory Expectations

Speech by Mark Steward, Executive Director of Enforcement and Market Oversight, delivered at NYU Law School.

Speaker: Mark Steward, Executive Director of Enforcement and Market Oversight
Event: NYU Law School (Virtual)
Delivered: 31 March 2021
Note: this is the speech as drafted and may differ from the delivered version


  • The Senior Managers Regime (SMR) has changed the way firms allocate responsibilities, align those responsibilities to relevant controls and ensure oversight as to how these controls operate down the line.
  • The 5 Conduct Questions (5CQ), which start with ‘tone from the top’, are increasingly focussing on ‘tone from within’ which requires every person in an organisation to be personally accountable and engaged. 
  • Every employee of a regulated firm is subject to individual conduct rules, which impose broad obligations. 
  • The SMR and 5CQ questions require firms to think about how a system or function might fail because of non-compliance, and they inject a sharper focus on conduct risk into the fabric of an organisation. 
  • As demonstrated by enforcement cases, failures are not necessarily failures of compliance, but the consequence of choices made by individuals. 

Let me ask the following questions posed by Professor Arlen when we discussed what I should speak to you about this morning: 

  • How do you really embed compliance into the roots of an organisation?
  • How do employees really believe they have choices about their own conduct?
  • Can the law really change the mores of an organization?

Raising senior manager standards

Professor Arlen also asked me about the UK’s Senior Managers and Certification Regime, which commenced in 2016 as an initiative to raise senior management standards in banks and, since December 2019, has applied to all firms regulated by the FCA. Let me start with the Senior Managers Regime. 
In essence, the Senior Managers Regime:

  • Obliges firms to map key responsibilities or senior manager functions to specified senior managers.
  • Imposes a statutory duty of responsibility on senior managers to take reasonable steps to ensure a firm complies with its regulatory responsibilities.
  • Imposes an obligation for firms to certify that employees who are not senior managers, but whose role means they might cause harm, are fit and proper, both on hiring them and then on an annual basis.
  • Applies specified individual conduct rules.

Under the statutory duty of responsibility, liability is not strict and requires positive evidence that the senior manager has failed to take a reasonable step to prevent a firm’s non-compliance. Secondly, the failure to take a reasonable step needs to be reasonably related or connected to the firm failure that has occurred. And thirdly, liability cannot arise through another’s failure to perform a function where reasonable steps have been taken: so there is no vicarious liability.

Axiomatically, it is not a panacea for all firm misconduct and a firm can breach its obligations even if the senior manager has fulfilled his or her duty of responsibility for reasons that have little or nothing to do with any failure by the senior manager, especially in large firms.

The regime has wrought some profound changes in the way firms allocate responsibilities, align those responsibilities to relevant controls and ensure oversight as to how these controls operate down the line. 

Implementing the new regime has meant firms have built into their systems explicit reasonable steps to prevent non-compliance. This has required an assessment of what may make a particular control system or function more vulnerable to failure because it is in those places that the senior manager’s reasonable steps need to be particularly evident. 

Self-evidently, to be reasonable, those steps must be properly implemented and they must be effective.  

By imposing personal liability, the regime uses self-interest – in this case the senior manager’s self-interest in avoiding liability – to avoid the bear pit of enforcement. This is a virtuous circle: what protects senior management from liability also reduces (though cannot guarantee) the risk of non-compliance more generally within firms. 

The 5 Conduct Questions journey

The FCA has undertaken a uniquely nurturing role in this transformation and developed a new tool, the 5 conduct questions or 5CQ, expressly to help firms implement more effective change programmes as well as helping the FCA to interrogate progress. 

The 5CQ are addressed to firms and require self-reflective answers to the following:

  • What proactive steps do you take as a firm to identify the conduct risks inherent within your business? 
  • How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business? 
  • What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function? 
  • How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make? 
  • Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

I should add that we are considering a sixth question in our future work which will interrogate firms on diversity and inclusion, another telling indicator of culture.

The most recent report on progress, using the 5CQ, was published in September last year. It reflected some new conduct risks triggered by the pandemic. The report also contained a frank assessment of both an improving recognition of conduct risk among firms and significant gaps and areas of improvement.

Relevantly, last year’s report contained an implicit story or narrative, from the top of the firm down to its most junior levels, what I might call the 5CQ journey.
Initially, 4 years ago, the 5CQ assessment focussed heavily on the role of senior management to deliver ‘the tone from the top’. In its next stage, the assessment developed to focus on what was called ‘tone from above’ which is the example set by one’s immediate line manager. 

The G30 noted ‘tone from above’ in its November 2018 report Banking Conduct & Culture, A Permanent Mindset Change.
As the G30 report found:

‘Banks have shown a clear, rapid, and positive shift in their view of the importance of conduct and culture. But much of the work has been done at the most senior levels of the organization—with “tone from the top” receiving much more focus than “tone from above.” For permanent and ongoing change to occur, banks now need to focus on embedding culture awareness and stewardship at all levels of the organization, with a particular focus on middle management and frontline businesses. Only by making culture stewardship a permanent and integral part of how business is conducted will organizations avoid culture fatigue and backsliding.’ (Executive Summary, page xi)

Last year’s 5CQ report took this one step further and introduced what it called the ‘tone from within’, which was described as:

‘….one’s individual mindset, preferences, beliefs, habits and pre-dispositions. It is one thing to have an idea about how your CEO or line manager might respond in a situation, it is another to be clear about how you might respond on your own and why. Whether stated directly or not, the development of Tone from Within via training, self-reflection and self-challenge is a precursor to wider corporate change.’

The 5CQ journey from the ‘tone from the top’, then ‘tone from above’ and now ‘tone from within’ is asking very similar questions to those posed by Professor Arlen. How do you embed the right responses into the roots of the organisation? 

The answer is, I think, the burrowing interrogation posed by the 5CQ, from a firm’s senior layer into its roots, touching every individual.

‘Tone from the top’ is necessary for setting the parameters, the expectations and the examples; ‘tone from above’ reinforces the ‘tone from the top’ at local levels and ‘tone from within’ requires every person in the organisation to be personally accountable and engaged.  

Burrowing down to the roots is also reflected in the Senior Managers Regime, with the allocation of senior management responsibilities and the statutory duty of responsibility sitting at the top, to the certification process that regulates those whose conduct carries with it significant risk of harm, or ‘the tone from above’, to the individual conduct rules that embrace the ‘tone from within’.

The individual conduct rules impose the broadest obligations. These rules, which form part of the FCA’s Handbook, contain simple and direct instructions. They apply to everyone in the firm and there are only five of them: to act with integrity; to act with due skill, care and diligence; to be open and cooperative with the regulators; to pay due regard to the interests of customers and treat customers fairly and to observe proper standards of market conduct.

Choices from within

Practice and reality are of course different. Let me give you two confounding examples.

Last December, following two trials and an appeal, our insider dealing case against Fabiana Abdel-Malek, a former senior compliance officer at UBS and Walid Choucair, her day trading co-defendant, finally ended. Convictions and terms of imprisonment were upheld. We have subsequently secured asset confiscations under Proceeds of Crime legislation against Choucair.

As the Court of Appeal noted, Fabiana was brought up in London, the daughter of a respectable family, well-educated, highly intelligent, with no prior convictions (R (FCA) v Fabiana Abdel-Malek & Walid Choucair [2020] EWCA Crim 1730, para 8). She knew her co-defendant, because their mothers were close friends. On graduating from university, she joined the bank’s graduate trainee programme and, in time, was promoted to become a senior compliance officer. In that position she was in a position of trust with full access to the bank’s highly confidential, undisclosed global mergers & acquisitions work. 

Our case was that she used that access to provide confidential information to Choucair who used it to place highly profitable trades shortly before the deals became public.

Like most insider dealing cases, the evidence was circumstantial. Fabiana and Choucair communicated with one another using ‘pay as you go’ or burner phones which he supplied to her. Call records evidenced communications after Fabiana accessed the bank’s systems to search for deals. The trades that were the subject of the charges all involved deals she had no need to be looking at as part of her compliance role. Four of the five deals didn’t involve deals that were even in the London office of the bank. The model of phone was the same as the model issued by the bank and when the bank changed models, Choucair provided Fabiana with one exactly the same. He claimed this was a coincidence; we said this was to reduce any suspicions inside the office.

When interviewed, Fabiana denied both communicating with Choucair using burner phones and knowledge of his trading activities, claiming she didn’t know what he did. She later admitted these were lies at trial.

While we alleged Choucair made substantial profits from his use of information provided by the compliance officer, there was no evidence any of these profits were shared with Fabiana, nor was there any evidence their relationship was anything other than a friendship. We alleged the friendship gave her a social world that she would otherwise not have had, but otherwise, there was no evidence of any profit or other inducement for her tips.

Fabiana’s offending is baffling. As a senior compliance officer, she was trusted to set an example and to uphold the highest conduct standards. The risks she was running were obvious ones, as were the choices she made, especially for an intelligent and experienced compliance officer. Yet she betrayed her employer’s trust and, in effect, swapped her position in a global wholesale bank for a term of imprisonment. No amount of ‘tone from the top’, or ‘tone from above’ could have made clearer the ‘tone from within’ choices that Fabiana made. 

Presumably Fabiana calculated her conduct risks quite differently. Perhaps she took the view that the risk of being caught was low because they could not be detected without one of them betraying the other (which was not true) and/or she had no sense that what she was doing was harmful or prejudicial (again not true).

The point of Fabiana’s story is not that all systems and controls are prey to the rogue bad actor. We know this to be the case. The point is that systems and controls are prey to individual assessments of risk which might be wrong. As experienced and as intelligent as she clearly is, Fabiana’s assessment of risk, if that is what it was, was not only baffling, it was completely wrong.

The second example is one from my last regulatory role which came into mind because of other headlines in the last few days. Archegos Capital used to be named Tiger Asia and, under that name, together with Bill Hwang and others, was the subject of insider dealing proceedings brought by the Hong Kong Securities & Futures Commission. 

The proceedings involved trading in three bank stocks. In each case, Tiger Asia was approached in relation to a proposed block sale and agreed to be wall-crossed for the purpose of considering the deal. The practice of wall-crossing involves an agreement to receive confidential inside information on the basis that the information cannot be used to trade. In other words, in each case Tiger Asia became an insider and so was prohibited from trading in the relevant shares. On each occasion, unbeknownst to the banking party seeking to sell the shares, Tiger Asia, directed by Bill Hwang, used the inside information and traded the shares for significant profit.

Bill Hwang claimed the decision to trade, notwithstanding the promise not to, was not made dishonestly and was an error of judgement. This was not accepted by Hong Kong’s Market Misconduct Tribunal which found that the misconduct was not the result of compliance failures but a calculated risk, stating that:

Bill Hwang’s actions raise the gravest doubts as to his sense of honour as a leading figure in the finance industry. That itself gives rise to the question: how much trust can be placed in a man who places such little store by his personal integrity? (Paragraph 127)

Embedding behavioural change

The Senior Managers Regime and the FCA’s 5CQ questions are great drivers of a different approach because they require firms to think about behaviour at the point it might fail. 

The senior managers statutory duty of responsibility is based on steps taken to avoid or prevent non-compliance which requires an acutely calibrated assessment of how a system or function might fail because of non-compliance. 

The focus on points of failure not only encourages greater awareness, it also promotes better calculations of judgement: about consequences, foresight of potential harm or damage and, in highly mature systems, the increasing risk of detection or being caught, which, in the case of bad actors, is the one risk that is often miscalculated, as the stories of Fabiana and Bill Hwang demonstrate.

Let me conclude on this note: The Senior Managers and Certification Regime is a cogent framework for injecting sharper focus on conduct risk into the fabric of an organisation. The rules here do not exist as externalities, they are under the skin of the firm. And the 5CQ approach is one that is also engaging firms with the challenge of transformational change, starting with the ‘tone from the top’, burrowing down and into the firm’s roots. 

So, can the law really change the mores of an organisation? The optimist in us must say there is a good chance of that. But, as Hong Kong’s Market Misconduct Tribunal observed in the Tiger Asia case, the point of failure is not necessarily a failure of compliance and, for us enforcers of the law, it is human nature that is the real challenge.