Crime and punishment have long been the bane of regulators’ existence. How do you compel compliance within your financial services community? What kinds of enforcement measures are dramatic enough to scare execs into taking regulation seriously enough that they address their shortcomings? All of these things keep your national competent authorities up at night and they’re also what make them so unpopular at parties.
So how do regulators tackle enforcement? In the United States, the focus has largely been on naming and shaming the individuals in question. The Securities and Exchange Commission has long been a proponent of heavy penalties on individuals and firms, as well as barring individuals from the industry for defined periods of time. They often work in concert with their peer regulators to issue joint enforcement actions such as with the Financial Crimes Enforcement Network (FinCEN) for money laundering infractions or the Commodity Futures Trading Commission (CFTC) for actions against derivatives firms. This cooperation often results in heftier financial penalties, as firms must settle multiple infractions with each regulator, and the industry has frequently complained that this notion of “piling on” charges and fines is detrimental to the industry overall.
The US regulators also have a common approach to catching their targets—a heavy reliance on whistleblowers. They have whistleblower hotlines that are heavily publicised—if you’ve been to a financial industry conference where the SEC or CFTC are present, they’ll most likely be giving out whistleblowing paraphernalia. I mean, who doesn’t want a CFTC whistleblower mousemat or whistle to decorate their office? I must admit, I have brought them back for colleagues as joke presents—I can’t think of any other reason you’d ever pick one up.
Whistleblowers obviously don’t want to publicise their activities—it could be the kiss of death for their careers—so anonymity is a key part of this approach. They are also well compensated for the risk they take in turning in their organisations. For example, SEC whistleblower awards can range from 10% to 30% of the money collected when the monetary sanctions exceed $1 million. Not exactly chump change. Regulators have also begun to publicise the amounts received by these whistleblowers to encourage more individuals to get in on the act.
Comparatively, the European regulators have tended to take a slightly softer approach to enforcement overall—with the exception of the UK’s Financial Conduct Authority (FCA), that is. The FCA is a key proponent of whistleblowing activities and beefed up its whistleblowing hotline team in 2018 in a bid to increase the number of tips it receives from the industry. At the time it noted that whistleblowing provides “some of the best intelligence we get as an organisation”. Many of the fines that have been meted out for regulatory infractions over the last few years are likely to have originated from whistleblowers tipping off the regulator to look at certain data sets in defined time periods.
The FCA has also ramped up its fines for regulatory infractions over the last few years in a bid to get the industry to take its compliance obligations more seriously. The introduction of the Senior Managers and Certification Regime (SMCR) last year also signalled a significant shift in responsibility from firms to their executives. Personal liability and fines are a key tenet of the regime, which reflects the FCA’s continued tendency to go one step further than other European regulators in terms of compliance. The FCA has long been known for gold-plating EU-level regulation.
If you think the national regulators have a tough time, just think about the EU-level and supranational regulators. They have to corral all the noncompliant national regulators, as well as assess all of those markets under their purview. It’s a tough life being a cross-border regulator and the industry is global after all. Financial crime enforcement is particularly tricky and the numerous attempts to establish global frameworks have highlighted the challenge of getting regulators in vastly different political regimes to cooperate and agree with each other on global standards. Enforcement in such circumstances relies on complex memorandums of understanding and often results in extremely high fines, as every involved regulator pitches in.
Crime and punishment in the digital age is especially complex when you take into account data privacy and cloud-based services—which regime do you apply? All of them? As an industry we’ll likely see more and more regulatory adaptations to reflect the increasingly fuzzy borders between markets and locations. Sometimes though, when it comes to compliance infractions, it’s hard not to break the rules somewhere due to the multiple conflicts between national regimes. As an industry we’re often stuck between a rock and a hard place.