The FCA recently published guidance reiterating a long-standing mandate of the regulator: the onus is on FCA-regulated organisations to monitor employee behaviour for bad actors. Therefore, even if conduct isn’t tied to a specific rule, poor behaviour that results in someone getting harmed will see the FCA take action.
For firms doing business in the United Kingdom, it’s time to ask whether you are sufficiently prepared for the restatement of this mandate. Essentially, the FCA is putting those firms on notice that certain activities that pertain to conduct—including communications across social networks—will now be under greater scrutiny.
In conjunction with the Senior Managers and Certification Regime (“SMCR”), which makes senior management accountable, the FCA’s restatement puts further responsibility on leadership to ensure their employees are acting in a way that is consistent with their policies.
To proactively manage this risk, forward-looking programmes should review their compliance and supervision policies and procedures to ensure that they account for the FCA’s guidance, and that the four pillars of a robust compliance programme are fit for purpose.
Anyone involved in a client engagement programme (marketing, compliance, sales) can utilise the questions below to assess the readiness of their existing programme.
- Have you outlined acceptable behaviour as it relates to electronic communications?
- Have you defined which channels (SMS, social media, instant messaging) are permitted, and by whom?
- Do you have a procedure in place to periodically review and update your policies as needed?
- Is your senior leadership involved in the sign-off of those policies?
- Do you have controls in place to ensure you’re distributing only fair and balanced (not misleading) content?
- Do you have a way to monitor for recommendations that may not be appropriate for either content or audience?
- Have you held training sessions with your employees on your policies, and recorded attendance?
- Have you assessed your pre-approval and post-approval breakdown of financial promotions to ensure appropriateness for your business model?
- Do you have lexicons in place that block or flag problematic content?
- Are there people in the approval workflow with the requisite training and/or experience?
- Does your Senior Management have sufficient insight into your electronic communication regime, including social media or text messaging, to satisfy their Duty of Responsibility under SMCR?
- Are you capturing all of your social media posts, profiles, and audit trails for each step during the approval workflow?
- Are they being stored in a way that is consistent with the applicable regulations (e.g. durable media for MiFID-related communications)?
- Do you have a way to reliably and quickly retrieve these records in the event that you need them?
While these are not the only questions that a Senior Manager should ask, they can lay the groundwork for an internal dialogue that reassesses your response preparedness. All firms should strive to understand the implications of this restatement, and enforce effective policies and procedures as part of their ongoing oversight.