One of the truisms about regulatory announcements is that what they don’t say is often as important as what they do. This is especially true of Enforcement Final Notices and the press releases that accompany them, and this one is no exception.
Two omissions are especially worth commenting on here:
- SMCR itself barely gets a mention: presumably, this can only be due to negotiation over the wording between the respective lawyers. From the body of the Final Notice, it seems the FCA’s view is that the respective Senior Managers took the “reasonable step” expected of them under the regime. But the FCA doesn’t state this clearly, so it can only be an implicit conclusion. This seems a missed opportunity.
- The PRA isn’t mentioned: It’s hard to imagine the prudential regulator doesn’t have an interest here, not least given the recent joint discussion paper on Operational Resilience (more on this next week), which is even mentioned in the press release. By contrast, the Jes Staley Final Notice was, very prominently, a joint one. So we might assume that the PRA considers this incident either more important than the FCA does, or less. If it’s the former, a separate announcement is possible.
Beyond noting these silences, it would be easy to read too much into what is only one enforcement case, so there is a significant caveat to what follows. However, from an initial reading of the body of the Notice, there are four further conclusions we can provisionally draw:
1. The FCA is taking a relatively conservative view of what constitutes reasonable steps: The Notice places much more weight on the frameworks, policies and processes Tesco Bank had in place, and the various reviews that were commissioned, than it does on the outcomes on the ground.
2. Consequently, Senior Managers can take some comfort from surrounding themselves with clear and clean governance: This isn’t as easy as it sounds. Clarity and coherence of committee roles, in both theory and practice, are a lot harder to articulate and execute than to talk about. But still, they are both achievable and possible to evidence, so this is a relatively easy win in this context.
3. As a corollary to this, the performance of Tesco’s 3LoD was a critical factor in the FCA’s judgement: The Final Notice contains an extensive section looking at the respective activities of its three lines of defence - Business Management, Operational Risk and Internal Audit. Unusually for such cases, it finds little to criticise. Likewise, there is implicit praise for the speed and thoroughness of Tesco management’s response – commissioning an independent review, providing customer redress etc.
4. The FCA seems to have pulled back, at least slightly, from the most literal interpretations of SMCR rhetoric: One obvious conclusion from the Notice is that SMCR is a little less personal than some of the rhetoric has suggested - there’s a good deal of emphasis on the collective for what was meant to be an individually-focused accountability regime. This might just reflect legal reality but, 10 years on from the RBS bailout, it’s probably not what the PCBS had in mind when it made SMCR one of its major recommendations.
The FCA concludes that “Tesco Bank’s financial crime governance framework was clear and each body within (it) had an appropriate role and … worked together to achieve the common purpose.” [para 4.86].
To the extent there is individual accountability identified, it seems to be at levels below Senior Manager. The certification element of SMCR is not mentioned, but it's not clear if this is significant.
After the Jes Staley/Barclays case, this Final Notice adds something to the SMCR jigsaw. But the picture of how SMCR will operate in practice remains far from complete.
Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.