The UK Financial Conduct Authority (FCA) published its Annual Report and Accounts for 2022/23 on 20 July 2023. The Annual Report sets out the FCA's progress and key achievements during the past year. In addition, it provides valuable insight for firms into the current enforcement and supervisory trends, and potential areas of focus in the coming year which should help inform your horizon scanning for internal audit.

In this article, we discuss what we think are the key takeaways to help spot emerging enforcement and supervisory trends, and in particular where the FCA sees developing areas of potential "serious harm". As broad overarching topics, the FCA remains focused on the prevention of financial crime, setting out how it is using its powers to restrict access to the market for those firms that do not have sufficiently robust AML controls, and describes its supervisory activities focusing on sanctions systems and controls in regulated firms. It also describes emerging work being conducted in the anti-fraud space. We will discuss each of these below.

In terms of supervisory focus, the report also describes the measures being taken in respect of consumer protection, most notably the implementation of the customer duty (which came into force on 31 July 2023), which sets out further expectation for firms in how they treat their customers. Consumer protection was also bolstered by a continued focus on financial promotions and the new financial promotions authorisation framework.

As is naturally the case, an increased supervisory focus on a particular known "issue" is almost always a precursor to enforcement action. Where the FCA conducts targeted reviews of particular problem areas, in particular where these are linked to thematic reviews of firms operating in the relevant portfolio, it will of course consider whether failings identified during the course of the review identify serious potential breaches of rules or principles which have or may cause consumer detriment or damage to confidence in the market.

As such, when horizon scanning and considering areas of focus for internal audit, firms ought properly to consider whether any of the following may be relevant.

Financial crime

• Sanctions: Russia's war against Ukraine has brought sanctions compliance to the front of every regulator's priority list. The FCA has indicated that it reviewed nearly 100 suspected sanction breaches during the past year. Not mentioned in the Annual Report is the recently concluded thematic review by the FCA into a sample of almost 40 firms using an FCA-designed data tool to test the effectiveness of firms' sanctions screening. The FCA made a number of findings and recommendations which our sanctions team will explore in more detail in a forthcoming briefing, but key themes are, as expected, the implementation of effective governance and oversight around sanctions; the adequate resourcing of teams; and the importance of effective customer due diligence to ensure that all sanctions individuals in a business relationship are identified.

The FCA's priority with respect to sanctions is ensuring that authorised firms have effective systems and controls in place to be able to monitor and comply with UK sanctions obligations, and this jurisdiction for systems and controls should be something that regulated firms consider in addition to OFSI jurisdiction. With Russian controls now firmly in place for most firms, and with potential further requirements in respect of China on the horizon, we would recommend that firms conduct a health check to ensure that they are able to meet expectations. We anticipate enforcement action in this space for those that do not, particularly given the expectations set out post thematic review.

• Fraud: The FCA states in its report that it has put in place a new fraud team, which is currently developing a tool to assess firms' anti-fraud systems and controls. This is an expected development given the FCA's focus on financial crime reduction and the role that it is expected to play in the implementation of the requirements under the Economic Crime and Transparency Act. Although the Act will not be in force for some time, we would recommend that fraud controls are firmly placed on horizon scanning agendas to ensure that firms are able to meet expectations.

• Crypto: The tension between the benefits that can flow from the innovative solutions that cryptoassets allow for, and the risk that these assets are used to further financial crime, is by now apparent to everyone. For this reason, crypto has been a focus for the FCA for some time, in its effort to ensure that the benefits continue to outweigh the risks. In the last year, the FCA has taken its first steps to intervene against illegal crypto activity, often in collaboration with other law enforcement agencies. Notably, in November 2022, the FCA conducted an operation in collaboration with one of the Regional Organised Crime Units relating to an unregistered crypto business, apparent money laundering and other offences. The operation led to restraining orders for more than £3 million in crypto (and other) assets and several detentions, ceased illegal crypto-exchange activity and disrupted a serious organised crime unit.

We are likely to see a significant increase in FCA's enforcement action against illegal crypto activity and a step-up in compliance obligations for crypto firms once they are brought under broader FCA supervision from 8 October 2023 when new financial promotions rules come into effect. The FCA has already indicated a specific focus on ensuring that crypto firms have adequate AML and counter-terrorist financing measures in place. We recommend that firms involved in crypto activity ensure that they are familiar with the FCA's guidance on good and poor practice on AML and counter-terrorist financing when applying for FCA registration under the Money Laundering Regulations.

To keep up to date on the developments in the crypto space, take a look at the Dentons Crypto Bytes podcast series and our recent article: Crypto crime: what's next?

Online scams/misleading or unapproved financial promotions

• Authorised firms have historically been able to approve financial promotions for non-authorised firms. Historically, there has been limited enforcement action in this space to deter firms from waving through promotions with limited investigation to ensure that approvers are comfortable that promotions meet requirements to be clear, fair and not misleading. This has been addressed by a new requirement, under the Financial Services and Markets Act 2023, requiring firms to obtain specific permissions to approve financial promotions. Increased supervision is likely to make this a much higher risk activity to undertake and is likely to deter many firms from continuing this business model on a risk versus reward basis. Firms considering applying for relevant permissions should think carefully about the controls that they will have to put in place to ensure that they can evidence how they diligently review and approve financial promotions to ensure compliance with relevant rules.

• The FCA has long talked about taking a data-led and outcomes-based approach to enforcement and supervision. A pertinent example of this relates to the work the FCA is carrying out to monitor online scams. Through the use of its data system, the FCA scans 100,000 websites a day looking for unlawful activity, in particular online scams and illegal financial promotions. As most investment fraud originates online, this area has potential to create significant harm to consumers.

In the last year alone, the FCA's scanning of websites resulted in 1,882 warnings being issued, an increase of 34% from 2021 (when the number of warnings was 1,410). 8,582 financial promotions were withdrawn or amended in 2022 which is 14 times more than the year before.

Although the FCA only used its powers to ban a financial promotion twice in the past year (as opposed to the promotion being amended or withdrawn by the firm), this use of data and innovative tools appears to be increasing the FCA's ability to intervene where online scams are detected. This in turn should help the FCA achieve its consumer protection objective. We also note that in enforcement action where misleading financial promotions are involved, this is being pursued as a standalone regulatory (and potentially criminal) offence, and we anticipate an increase in investigations opened against both the producer of the promotion and the approver.

The FCA has also contributed to the Online Safety Bill, which is currently at its final stages in the House of Lords. A priority for the FCA was ensuring that "priority illegal content" and "paid-for advertising" fraud offences fell within the scope of the Bill. If the Bill is passed with the FCA's changes, platforms such as search engines and social media platforms will need to actively take steps to prevent people being exposed to fraudulent content. This will require such firms to continue to develop their anti-scam detection framework and put in place proactive gateway controls to prevent the platforming of unapproved or misleading financial promotions, or risk potential liability. This would support the work the FCA has already been carrying out with some of these platforms on a voluntary basis to reduce the risks of consumer harm. It will be interesting to see whether the FCA seeks to flex its enforcement powers in this space.

• Market abuse and oversight: The FCA has continued its primary markets monitoring, with specific focus on accurate and timely market disclosure. Due to recent unpredictable market conditions, the FCA has specifically directed increased scrutiny on firms dealing in commodities and fixed income. We recommend that firms continue to ensure that they have robust inside information controls in place, as well as appropriate procedures for making market disclosures to meet expectations, in particular around the speed with which disclosures need to be made which can be challenging in fast-moving environments.

In the past year, the FCA suspended listings of instruments on 34 occasions and there were 54 instances of clarificatory statements to the market after contact from the FCA. Further, three enforcement actions were brought against firms for failures in market abuse systems and controls.

One of the most significant market abuse enforcement actions from the past year involves Carillion Plc. The FCA proposed total fines of £870,200 for three of its former directors and, had Carillion not been in liquidation, it would have faced a penalty of £37.9 million. Among other failings, Carillion recklessly published misleading announcements and did not reflect significant deteriorations in its expected financial performance.

Consumer protection

• Consumer duty: At the front and centre of the FCA's emerging supervisory trends is the new Consumer Duty which came into force on 31 July 2023 for new and existing products that are open for sale and renewal. As part of the consumer duty, the FCA has indicated a focus on ensuring that consumers are treated fairly and that firms are sensitive to the impact the cost-of-living crisis has on consumers in particular. All firms involved in products that are ultimately sold to consumers should have implemented changes and have in place a consumer duty champion. However, the consumer duty implementation journey is not yet over, with firms required to implement the expectations the FCA has for closed products by 31 July 2024 – something firms should keep in mind as these types of products can often be forgotten about. One thing which the FCA has still not resolved, however, is the extent to which the consumer duty is enforceable. This is not a reason for non-implementation, but it will be interesting to see how the FCA grapples with this moving forward.

• Financial services regulatory reform: The FCA has a busy year ahead, preparing the financial services industry for the implementation of the Future Regulatory Framework and the Government's Edinburgh Reforms, through the Financial Services and Markets Act 2023 (FSMA 2023).

FSMA 2023 repeals the retained EU law for financial services with the aim of delivering a smarter regulatory framework more tailored to the UK. Now is a good time for financial services firms to prepare and consider how their current business practices may need to adapt as the new regulatory framework is implemented. For example, various changes have been proposed to the UK Listing Rules to encourage competition and improve the choice for investors. We recommend firms consider any potential changes that may be beneficial for them, such as the proposed more permissive approach to dual class share structures or the removal of compulsory shareholder votes and shareholder circulars for significant transactions, and include these in their horizon scanning.

For example, FSMA 2023 gives the FCA powers to ensure the reasonable provision of cash access services across the UK. The FCA is currently developing rules and guidance in anticipation of these new powers. It intends to pay particularly close attention to branch closures planned in areas where there are fewer cash access alternatives, such as post office services, as well as areas with significant indicators of potential customer vulnerability. While most firms look to technology to innovate and create new products, it is important to be mindful of all groups of customers and their respective needs when it comes to financial services.

To prepare for the changes brought about by FSMA 2023, take a look at the following series of articles providing you with a helpful overview of the Act.

• Increased scrutiny on authorisation: The FCA has invested in technology that allows it to deal with authorisation applications faster, reducing its caseload by nearly 60% from approximately 12,500 to below 6,000 – something which will come as welcome news to anyone who has recently submitted an application to the FCA. The new technology, according to the FCA, has also enabled increased scrutiny of authorisation applications, which may be backed up by the data – the number of firms for which the FCA refused to grant authorisation was one in four in 2022/23. This is up from one in five in 2021/22 and one in 14 in 2020/21.

The trend of enhanced authorisation scrutiny is also seen in the cancellation of the authorisation of 627 firms that failed to meet the FCA's minimum standards or could not evidence that they were currently or intending to shortly exercise their permissions (the "use it or lose it" principle) in 2022 – a 30% increase from 2021. The implementation of the "use it or lose it" initiative highlights a shift in direction in authorisation scrutiny. In previous years, obtaining permissions on a precautionary basis by firms was commonly accepted. However, since "use it or lose it", firms are required to proactively review their regulatory permissions and prove that they are carrying out the regulated activities they are permitted to or face losing this permission with the FCA's ability to cancel permissions 28 days after an issued warning. Firms may also be aware with the rollout of the new Economic Crime Levy, which applied from April 2022, that a firm with unused or unnecessary permissions may find itself caught by the Levy where it holds permissions for activities caught by the Money Laundering Regulations. This will of course have a negative financial consequence for firms, compounded by the fact that the Levy is assessed on a firm's total income in the UK for both regulated and unregulated activities and not only on income generated from activities falling within the Money Laundering Regulations. We would recommend that, as part of horizon scanning, compliance officers consider a regular review of firms' held permissions and whether these are required for current or planned activities.

• Financial resilience: With the new baseline financial resilience regulatory return to go live from 1 January 2024, the FCA expects to be better able to identify firms with low levels of financial resilience and take steps to reduce harm to consumers and markets from potential failure.

Following the collapse of the Silicon Valley Bank in the US (which impacted its UK operations) and the continuing economic pressures affecting businesses, it is expected that the FCA will use the baseline to closely monitor firms subject to financial, or other, stress which may lead to failure.

• Improving transparency in ESG-related products: In October 2022, the FCA published its Sustainability Disclosure Requirements and investment labels consultation paper. The consultation outlined the proposed measures to ensure greater transparency, consistency and trust in the market for sustainable investment products.

The FCA is currently considering feedback on the consultation and plans to publish a policy statement in Q3 2023. With the FCA aiming to embed ESG considerations in all aspects of its regulatory activity, businesses across different financial services sectors need to consider their approach to ESG issues.

We are closely monitoring the increased regulatory scrutiny on ESG. For example, in June, together with our European colleagues, we published a podcast exploring the impact that ESG has on the insurance sector.

If you would like to discuss any of the matters which arise in this article, please reach out to a member of our team.