Anonymous – Written evidence (EGC0039)

Submission Overview

1. This is an individual submission to the House of Lords Financial Regulatory Services Committee (HLFRSC) for their call for evidence on the Financial Conduct Authority’s (FCA) updates to the enforcement guidance. This proposed various amendments to the enforcement guidance, including to publish firms under active enforcement investigation. The consultation reflects it wishes to “encourage witnesses and whistleblowers to come forward”[1] with evidence to assist regulatory investigations. This aligns to similar approaches taken by other regulators including the Serious Fraud Office.

2. My submission is from the perspective of a whistleblower who the FCA confirmed the same on 20 October 2023. Further, I write in the capacity as a financial crime subject matter expert with over a decade’s worth of experience, including 5 years at the FCA as a Supervisor. I have experience in dealing with regulatory investigations, Skilled Person reviews and regulatory interventions[2] whilst at the FCA. I additionally have for several years worked in the capacity as a Money Laundering Reporting Officer/completing complex remediations and advisory within the financial services industry. My clients are a wide sector of the financial services firms including systemic risk banks as well as market disruptors/new entrants including payment services, open banking, e-money and crypto firms. Therefore, I hope my experience will assist the HLFRSC in their assessment of the FCA’s approach.

Whistleblowing Concerns

3. Whilst I can see some merit in the publication of enforcement investigations, I have significant concern about the approach including the encouragement of whistleblowers stepping forward given my own experience. It is clear from the widespread criticism there are consistent concerns that the FCA is failing to protect whistleblowers against retaliation, including being unable to properly classify them. There is additional concern highlighted in the press there is inconsistency in meeting expectations towards whistleblowers as a “prescribed person” and a regulator of conduct[3]. It is not sustainable that it requires the press to ensure a powerful regulator is being responsible and the Executive Board being held accountable as a matter of good governance like any other business.

4. The case I have been involved with as a whistleblower has been ongoing since I disclosed myself to the FCA in July 2022. After a year of inaction, they eventually commenced a review into the regulated firm concerned in October 2023. They FCA confirmed the scope was to consider the regulated firm’s whistleblower systems and controls, how they handled protected disclosures and how they treated me as an internal whistleblower given the intelligence I had provided. Yet I was not informed the FCA had been on notice of these whistleblowing issues and my identity since August 2018. This was only made clear by the regulated firm in 2023.

5. The regulated firm denied the disclosures I raised were factually accurate, in fact called them an “exaggeration”. Through the course of an employment tribunal claim they denied the factual accuracy of my protected disclosures and refused to provide critical disclosure like the investigation into the whistleblowing claims. This would have uncovered that the firm did have major financial crime breaches as I had disclosed. The regulated firm also withheld they were under a major criminal investigation by the FCA, which ultimately resulted in a £107m fine by the FCA in December 2022[4]. The FCA Decision Notice confirmed multiple serious breaches of systems and controls to manage financial crime risk. This directly overlapped with several disclosures I had made in 2017, which had been denied but now proven true. Despite ample opportunity, the FCA ignored the intelligence they had about my protected disclosures for over 5 years despite them having direct relevance to their investigation. They also sat on vital information that would have proved my disclosures to be true and validate my concerns. This is not the first time this has happened in serious misconduct cases either. It is even arguable the intelligence was so relevant, it ought to have considered whether I should have been interviewed as a witness. Therefore giving rise to concern about how investigations were being effectively managed within the FCA, given this investigation is claimed to have lasted 10 years. Perhaps if all the key intelligence had been gathered, analysed and acted upon the evidential threshold could have been quickly established. However, it seems the left arm is often not talking to the right.

6. The FCA Decision Notice also referenced the wide scale money laundering that had taken place within the regulated firm’s business banking division. However, unusual to normal protocol, the FCA did not reference the prolific serious organised crime group connected to the Cali cartel at the source of the money laundering amounting to over £200m. This was only publicly exposed when Thomson Reuter Regulatory Intelligence investigative reporter Rachel Wolcott set out the full extent of the money laundering and criminals involved[5]. It is unclear why the FCA did not set this out in the Decision Notice given its public interest framework, the statutory objectives to maintain market integrity and its direct relevance to why the regulated firm’s legal breaches were egregious. Yet for many smaller firms in similar positions, the FCA will publish every detail within the Decision Notice. If full transparency is an objective the FCA seeks (as claimed within the enforcement guidance consultation) then the outcomes need to be consistent irrespective of firm size. Larger banks with greater resources are afforded wider discretion that the new market entrants are not. I assume from my experience, this is due to the difference in resources, size and level of influence. This is not indicative of establishing a fair playing field for a competitive market attractive to overseas investment and new market intrants such as fintech firms.

7. I raised concern about the delays in the FCA inaction given their explicit knowledge since August 2018. The Executive Director of Enforcement denied the FCA’s knowledge of my protected disclosures and treatment in the meeting in February 2024. However, I have since secured evidence via a data subject access request (DSAR) that the FCA in fact had been on explicit knowledge in correspondence sent by the regulated firm to them in August 2018. It took nearly a year to obtain the DSAR with inappropriate intervention from the press office. Their role appears to be focussed on obfuscating the process. I can see why once I reviewed the DSAR materials. These were embarrassing and contradictory given previous assurances the FCA had made to me. However, as a quango with public authority functionality, they need to be held accountable, and obstructing transparency did nothing more than present themselves as if there was something to hide. Thereby undermining their responsibility to uphold wider conduct rules and protect me as a whistleblower.

8. The DSAR materials identified that the regulated firm used their ongoing relationship with the FCA inappropriately through making inaccurate insinuations that were unsubstantiated and without evidence about my conduct- that appeared accepted by the FCA which were not relevant to their remit. None of which appeared to be challenged and were idly accepted on face value irrespective of the damage it was professionally causing to me. Whilst the FCA is seeking to investigate the matter now, it is over 6 years later when witnesses have left the organisation, information is lost and after the damage has been done.

9. In addition, the DSAR uncovered internal practices that were unusual and deeply alarming. This included albeit not exhaustively:

1. The Head of Whistleblowing seeking to block my ability to be given a copy of a voluntary recording of two meetings I had with the FCA’s whistleblowing team. The emails provided evidenced their extensive engagement with CEO office and various senior executives such as the Enforcement Executive Director, wasting considerable time and resources when I was legally entitled to the recording. Yet by contrast, there was a total lack of resource/efforts exerted to the whistleblowing review to properly investigate and bring it to a sensible conclusion after several years. In the past 2 years, the Supervision team has only had x1 meeting for 1.5 hours despite it being an enormously complex matter with voluminous materials. They refuse to engage in further meetings to better understand the issues and speed up the review which is irrational.
2. The Head of Retail Banking Supervision originally oversighting the review, kept repeatedly closing the whistleblowing escalations based solely on representations from the regulated firm and despite limited investigation/evidence bypassing basic review processes. I later discovered through open-source checks, that the Head of Retail Banking Supervision had a second external role as a consultant. I raised concern to the FCA about the appearance of a conflict of interest given this person was the lead in the investigation and taken decisions which appeared to be contrary to standard protocol. Further I queried how this perceived conflict of interest was being managed, which to date has not receive a satisfactory reply. It is not just the length and subject matter of investigations that are important. It is critical that whistleblowers and the regulated sector have full confidence in the investigating team’s impartiality and independence. This incident highlights this as an issue.
3. I had concerns about the perceived lack of transparency from the FCA, in the way I saw them handle my data protection request (DSAR). The emails I read appeared to show that the Executive Director of Enforcement liaising with the Head of the Press office on my simple DSAR request when they receive hundreds each year. I found it disproportionate and disconcerting that a simple task required FCA Executive management involvement. It is also unclear why the press office should manage DSAR and FOIA requests; it is in the public interest that information is made reasonably available, and it is not a reputational damage exercise. My data was drip fed to me over a period of a year (when it should be legally provided in 30 days), in small bundles that were heavily redacted. It took the threat of legal escalation for suddenly 200 pages to be provided in June 2024. This left me with the impression it was being purposely withheld from the onset. My view is as a quango with public authority responsibilities, there must be transparency in decisioning. If there are issues, it enables fair challenge of the process to be made. Respectfully, it appeared in my view, the FCA executives prioritised the perception of their image/reputational damage over ensuring they were held to account and actively demonstrating they are meeting statutory objectives. In my experience, this only seeks to diminish trust and confidence not only in the organisation, but the investigation process itself.
4. The whistleblowing investigation having commenced in 2022 had made no material progress. The correspondence to the regulated firm under review was sparse, unclear and not requesting specific evidence to enable a conclusion to be drawn. To add to this, in a meeting dated July 2024, the Supervisory team completing the review, the Head of Department and Manager confirmed they had not spoken to any witnesses, were missing material information, did not have a clear chronology and despite having a plethora of tools available to analyse/request information, had achieved very little in 2 years. In fact, it was left to me- as the victim and whistleblower, to gather all the relevant evidence and produce the analysis demonstrating unfair treatment with supporting evidence to the team at their request. This is a task I would have completed as a FCA Supervisor, yet I felt obligated to complete it out of desperation to ensure matters moved forward.
5. In the same meeting in July 2024, the Head of Department and Manager oversighting the whistleblowing investigation were asked to explain what definition of whistleblowing they were using and what they deemed to be protected disclosure, and they were unable to answer. Respectfully, it is unclear how the FCA does not know the content of the subject matter they are seeking to investigate. The DSAR supported this, as it was littered with internal communications demonstrating their understanding of definitions and legal/regulatory requirements were inconsistent and in places not legally correct. This approach destroys trust and confidence. It is not unreasonable to expect the FCA to have sufficient skills and competence to execute out their statutory obligations. It is is not surprising enforcement investigations are taking excessive periods of time if the subject matter is not even understood. This is neither efficient nor effective regulation.

10. The regulated firm should never have been in a position where they could deny the disclosure’s factual accuracy in civil litigation/to me and yet be admitting to liability at the exact same time on the same issues to the FCA. The FCA should have been forthcoming with information. It crystallises the ability for abuses of process and undermines market integrity- the objective the FCA is meant to be maintaining. The FCA should have addressed the matter once on notice and if they had, I have no doubt the situation would not have escalated to cause irreparable harm, stress and professional damage. I cannot see any reasonable excuses for the FCA’s neglect. Whilst I appreciate mistakes can happen, there appears to be no appetite to take swift corrective action. The DSAR indicates efforts are more focussed on the FCA’s defensive stance should matters be made public briefing the press office, rather than investigating the case that should have been resolved years ago. This must be more than “taking their word for it", which has been the approach which has defied process and good sense.

11. Contrary to the enforcement guidance consultation assumptions, I do not consider the publication of the enforcement investigation would have helped me step forward. What I would have needed was the reassurance I would be protected from retaliation by the FCA given the vulnerable position and the inequality of power/resources I would have against a global corporate firm. The FCA does not appear to engage with this despite multiple whistleblowing charities and interested persons expressing the same concern. Therefore, I would not encourage whistleblowers to step forward until there is reform/improvements. 

12. Whistleblowing retaliation plainly is a conduct issue and falls squarely within the FCA remit to consider under Conduct for Business rules (COBs). The systems and controls regulated firms must ensure they have to properly investigate and do not retaliate against a whistleblower is found under system and control rules (SYSC) and wider obligations under Principles for Business (PRIN). Misconduct is a directly relevant concern for those who fall under the Senior Managers Regime and is an indication of a firm’s culture if they permit retaliation against those that speak up- least of all those who report financial crime concerns given the UK’s economic crime and fraud epidemic![6]. The UK remains at the top of the list for laundering dirty money, with Credas confirming a ranking as 2nd in the world in 2022. There is a vested interest to get a control on money lost to economic crime and gather better quality intelligence including from whistleblowers. Yet I have repeatedly found the FCA seeking to deny their own responsibilities and remit- even to myself. I agree with Lord Tyrie in the Times article[7], that the FCA’s approach and policy towards whistleblowing requires further scrutiny and it should be addressed at the Treasury Select Committee. All regulatory bodies require scrutiny to ensure accountability given the power they possess. The Complaint Commissioner is not enough and there are multiple examples of whistleblowing not being managed to the requisite standard. If using witnesses and whistleblowers is to form part of FCA enforcement investigations and demonstrate how they comply with its public interest framework, then this is even more reason to scrutinise. 

Disparity of impact on Smaller firms

13. Whilst there is a separate HLFRSC call for evidence to consider the FCA’s competition and growth objectives, which I will provide a submission for, it is prudent to make a few points on the consultation’s impact on smaller firms.

14. Given my role within the industry I have first-hand experience of the disparity in treatment smaller firms such as fintechs face as new market entrants with high growth. There are legitimately concerns that must be addressed but it cannot be one size fits all. Large investment and Retail banks have the resources and many years of trying to implement and uphold conduct standards. Payment services, E-money, crypto firms are not in that space as new market entrances with limited trading history. There needs to be other mechanisms to address their non-compliance to give them a chance to comply before publication of an investigation. I can appreciate the concern that the commercial impact on a smaller firm is simply not the same as a systemic risk bank and it would have the ability to severely impact their ability to continue as a going concern. However, no firm finds themselves under enforcement investigation for no reason, so I do not believe any risk and compliance professional believes its totally disproportionate. Many cases are discounted at the enforcement referral stage. It may have helped if the statistics had been included within the consultation to give it context.

15. The publication of enforcement investigations is powerful in ensuring suitable deterrence. In every firm I have worked with, each Board will ask to be shown a legal rule, Decision Notice or example of where the FCA has acted before they will entertain the risk as being material to the business. Whilst the enforcement guidance consultation may have had good intent, it is clear it needed considerable finesse and better engagement with relevant stakeholders/interested parties before its publication. It is a shame this was not exercised and better engagement with interested parties may have gathered a less forceful response.

16. I would be happy to present further information and/or give oral evidence should the HLFRSC require it. I have purposely tried to keep the submission as simple as possible.

17. Lastly, I wish to sincerely thank the HLFRSC for being inclusive in its call for evidence and its willingness to consider individual persons rather than solely interested parties, trade groups and firms. I hope it will assist them in gathering a holistic picture to address these issues, which I warmly welcome. 

11 October 2024