Watching the watchdog: What the fines and enforcements data tells you about the Central Bank’s focus
Reading time: 8 mins
A new analysis of Central Bank data shows that 27% of settlements over the past six years relates to banks. Investment and insurance firms also feature highly. However, if the watchdog gets its way, the next focus will be on individuals writes RDJ Regulatory Partner, DR. Brian Hunt in the following article.
This article first appeared in The Currency on 3 November 2020
Financial Crisis and Reform of CBI
Just 12 months on from the night of the infamous bank guarantee in September 2008, Matthew Elderfield was announced as the new Head of Financial Regulation at the Central Bank of Ireland. Readying himself to take up his position in January 2010, Elderfield was under no illusions as to the scale of the task that lay ahead of him – to bring law and order to the financial services equivalent of the wild west.
It was an appointment which would change the face of financial regulation in Ireland for some years to come. Just a few months after taking up his role, Elderfield requested the High Court to place Quinn Insurance in Administration – as clear a signal as any that the rules of the old game had changed. In his first public address (11 March 2010), Elderfield gave a very clear indication of the type of change that was coming:
“I intend to implement a framework of assertive risk-based regulation underpinned by the credible threat of enforcement. We need to insist that the biggest and riskiest firms manage themselves better and that firms and their management are held more accountable for their actions. A risk-based regulatory model will allow us to calibrate the intensity of our regulatory standards and day-to-day supervisory approach depending on the risk profile of the firms and sectors we supervise.”
These words signalled the shift to an assertive, risk-based approach to supervision, as well as a clear intention to make enforcement action a key tenet of the Central Bank’s approach to overseeing the functioning of the financial services sector in Ireland. Elderfied used his speech as an opportunity to expand on his thinking around the need to sharpen his enforcement tools and perhaps acquire some more:
“Ireland is competing as a premier financial services centre. But you can’t referee a Premier League match with one linesman and no red card in your pocket. It’s important that we have the resources and powers needed to do the job. As a result, there will need to be a substantial increase in resources at the regulator. And we will need new legislation informed by an assessment of the gaps in our current powers. I’m pleased to say that there is a strong commitment at the Board and in Government to do both.”
In case anyone doubted him, around 2 weeks later the Government published the Central Bank Reform Bill 2010 which paved the way for the introduction of the fitness and probity standards and all that goes with that, such as the designation of key roles within regulated entities as being controlled functions, as well as the need to seek pre-approval from the Central Bank for the appointment of persons to certain key roles within financial services firms.
The circumstances surrounding the financial crisis in Ireland were the subject of multiple investigations and reviews. The role of the Central Bank of Ireland, but more particularly the role and effectiveness of the Irish Financial Services Authority of Ireland (IFSRA), were the subject of much scrutiny. The report produced by Klaus Regling and Max Watson (June 2010) was scathing in its criticism of the level and effectiveness of the supervision of the financial services sector, finding:
“The supervisory culture was insufficiently intrusive, and staff resources were seriously inadequate for the more hands-on approach that was needed”
“… supervisory culture was insufficiently forceful and pre-emptive. On-site inspections were infrequent. Targeted follow-up was weak …”
“… there was a serious lack of skills, and to some degree of numbers of people, in the regulatory authority”
“… supervisory approach in Ireland [consisted of] light-touch regulation and reliance on markets”.
The Regling and Watson Report (as well as the other reports that also focused on the causes of the crisis) confirmed many of the failings that were already well understood. However, the starkness of the findings served to inject real impetus into efforts to remedy the problems that had been so well exposed.
For Elderfield this represented a mandate for major reform and he set to work on utterly changing the regulatory landscape. He rolled out a new Corporate Governance Code which became effective in 2011. He oversaw the introduction of a specially developed system of risk-based supervision, termed PRISM, in 2011, which forced those tasked with supervision to place the greatest amount of time and effort into focusing on firms, and aspects of firms that posed the greatest level of risk. In the following year, 2012, Elderfield rolled out the Fitness and Probity Standards and also a new Consumer Protection Code.
His efforts at lobbying government for greater enforcement powers paid off in the form of the Central Bank (Supervision and Enforcement) Act 2013. The Act introduced a range of reforms, but particularly significant were the increases in the maximum fines which the Central Bank could impose under its administrative sanctions regime. The Act increased the maximum level of fine from €5 million to €10 million or 10% of turnover, which ever is the greater. The maximum fine that could be imposed on an individual was increased €1 million.
When Matthew Elderfield joined the Central Bank in 2010, its staff numbers stood at approximately 1,000 and today the Central Bank has a staff of just over 2,000. Not only has the Central Bank dramatically increased its staff levels, its increased effectiveness as a supervisor can be attributed to it now having a more highly skilled and professional workforce which understands the sector.
Importance of Enforcement
There are three pillars to the system of oversight of the financial services system in Ireland: 1. Legislation, 2. Supervision, and 3. Enforcement. We know that ineffective supervision combined with deficient legislative framework, and a near-absence of enforcement were all contributory factors to the financial crisis.
In an address in 2012, Mathew Elderfield shared some of his thinking on the importance of enforcement in the context of the supervision of the financial services sector:
“The broader benefit, which supports supervision, is the deterrent effect of enforcement. If firms think there is a credible risk that their own non-compliance with regulatory standards would lead to sanctions from the Central Bank, then that provides a very powerful motivation to boards of directors and senior management teams to ensure a high standard of conduct. The fact that the Central Bank has sanctioned firms and has published details of these sanctions has made some in the industry uncomfortable and leads to pleas to ease up on the use of the enforcement tool. We do not apologise for taking enforcement actions or publicising them. There is no deterrence value unless firms, investors, consumers and the public are aware that we will respond with enforcement action where behaviour and practices fall short. I am firm in my belief that this is a necessary and best practice element in the regulatory toolkit of the Central Bank. And, unless these sanctions are published with enough detail about what occurred and the sanctions imposed the deterrent effect will be diluted.”
Even though Matthew Elderfield departed the Central Bank a number of years ago, the Central Bank’s thinking and the emphasis that it places in enforcement has not changed very significantly. Speaking in 2016, Derville Rowland, then Director of Enforcement Central Bank, seemed to reiterate Elderfield’s mantra: “The Central Bank operates an assertive risk based approach to supervision which is supported by a credible threat of enforcement.”
Speaking in 2018, Seana Cunningham, the current Director of Enforcement and AML suggested that the Central Bank had achieved its objective of embedding a credible threat of enforcement in the minds of those at eth helm of regulated entities:
“To my mind, the Central Bank has established the credible threat of enforcement that it set out to achieve with the establishment of the separate enforcement function. My message for firms, their boards and their senior management, is that the Central Bank has and will continue to take robust enforcement action where serious or significant regulatory failings arise.”
Enforcement is viewed by the Central Bank as being an integral part of its engagement with the firms that it regulates. It is viewed as being a complimentary strategy to regulation and supervision. Enforcement action can take a number of forms and in addition to resulting in the application of the Administrative Sanctions Procedure, the Central Bank can issue prohibition notices against individuals, and also has the ultimate power to revoke a firm’s authorisation.
The Enforcement Division of the Central Bank consists of multi-disciplinary teams which include a mix of lawyers, accountants and investigative experts. In addition to initiating investigations and triggering the administrative sanctions procedure, members of the Enforcement Division also provide support to the supervisory divisions before any formal enforcement action even arises.
Enforcement in Practice – The Administrative Sanctions Procedure
The Administrative Sanctions Procedure which derives from Part IIIC of the Central Bank Act 1942, provides the Central Bank with the power to administer sanctions in respect of the commission of prescribed contraventions by regulated financial service providers and by persons presently or formerly concerned in their management who have participated in the prescribed contraventions committed by the regulated financial service provider.
In practice, what this means is that where the Central Bank suspects on reasonable grounds that a breach has been committed, it may put in place an Inquiry panel to inquire into the matter, determine whether the breach did in fact occur and, if so, to then decide what sanctions ought to be imposed. On foot of such an Inquiry or where a case settles prior to a formal determination being made by the Inquiry, the Central Bank may impose a very substantial monetary penalty. In circumstances where an individual has been identified as being culpable, the Central Bank may also disqualify an individual from being concerned in the management of a regulated entity.
The operation of the administrative sanctions procedure is not just about inflicting financial pain on firms; it is a process that has been designed to be a deliberately intrusive and a less than pleasant experience which invariably involves the Central Bank requiring individuals to attend for interview, to account for their actions and justify their own conduct and that of their firm. Widely publicising the outcome is also a core part of the Central Bank’s approach to enforcement. When it reaches a settlement agreement with a firm, the Central Bank publishes a statement which will set out in some detail the nature of the contravention, the level of penalty imposed, and will also spell out the factors considered by the Central Bank in deciding the level of penalty to impose.
In an era where corporations seek to jealously guard their reputations, the publication of the finer details of settlement agreements is intended to secure the maximum level of publicity of the settlement much to the chagrin of the firm that has been sanctioned. It also serves as a stark reminder to other firms that the Central Bank has teeth and is not shy about using them.
A Lookback at Enforcement Actions 2016 - 2020
According to the Central Bank, since 2006, it has entered into 139 settlement agreements under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €123m.
The analysis that follows is based on a lookback at CBI enforcement activity over the past 5 years, during which time fines imposed by the Central Bank (€78.4m) account for 63% of the total imposed since 2006.
By simply looking at the number of settlement agreements entered into so far in 2020, 4 in all, we can see that the range of sectors and number of firms affected is down from 7 in 2019. While the Enforcement Division at the Central Bank has substantial numbers of staff and expertise, the reduced level of enforcement activity across other parts of the financial services sector may be attributable to a concentration of effort and resources on finalising enforcement actions arising from the tracker mortgage scandal.
While the final report on the Central Bank’s Tracker Mortgage Examination was published in July 2019, we know from the Central Bank’s Annual Report 2019 and Annual Performance Statement that as at end-December 2019, enforcement investigations were ongoing in respect of a number of lenders. While some have since been finalised, it seems that the end of this saga has not yet been reached.
Looking back at enforcement activity over the past five years, we can get a sense of those parts of the financial services sector where the Central Bank’s enforcement activity has been more heavily focused. 27% of settlement agreements concluded in the period involved banks. Settlement agreements concluded with investment firms ranked second, at 17%, with insurance/reinsurance firms accounting for 15%, and investment intermediaries/insurance intermediaries also standing at 15%.
Of all of the categories of regulated firms, in terms of enforcement, Banks have been hit hardest in recent years, handing over €64.1m to the Central Bank in fines. Though we have yet to reach year end, we can already see that 2020, just like 2019, has been a particularly harsh year for certain banks which forked out a total of €24.6m so far in 2020 and €28.1m in 2019 on enforcement actions. Banks have accounted for 99% of the Central Bank penalties imposed so far in 2020, and contrasts with 2016 when banks accounted for just 39% of penalties imposed that year.
Aside from tracker mortgage-related cases, the settlement agreements reached with banks spanned a range of areas, including failings in regulatory reporting, breaches of Code of Practice for Credit Institutions, breaches of the Consumer Protection Code, breaches of the Code of Practice on Lending to Related Parties, and breaches of anti-money laundering requirements.
In the five year period examined, insurers/reinsures have paid €7.6m in fines to the Central Bank. This represents 9.3% of the total value of fines imposed on the financial services sector over the period. So far in 2020, and also for 2019, insurers have fared much better than the banks, and have avoided being the subject of any publicly announced settlement agreements with the Central Bank. However, the sector did not escape attention in 2018 when two firms handed over a total of €5m to the Central Bank, a sharp increase on the €1m paid in 2017 and the €1.6m paid in fines in 2016.
The settlement agreements reached with insurers and reinsurers covered a breaches across a number of different areas, including reserving, solvency calculations, anti-money laundering requirements, the Consumer Protection Code, the Minimum Competency Code, the Minimum competency Requirements, and the Corporate Governance Code.
In four of the past five years Credit Unions have been the subject of settlement agreements with the Central Bank, paying out €773k in fines. Enforcement actions taken against Credit Unions accounted for 5 of the 40 settlements reached with the Central Bank in the period examined.
The contraventions which formed the basis of settlement agreements with Credit Unions included the governance of long-term lending, director remuneration, breaches of fitness and probity requirements, governance and risk management failures arsing from migration to a new IT system, as well as breaches of anti-money laundering requirements.
Investment Firms have been subject to 7 settlement agreements in the past 5 years resulting in the payment of fines totalling €2.7m to the Central Bank. The focus of the settlement agreements included breaches of conditions of authorisation, breach of outsourcing requirements, breach of anti-money laundering requirements, breaches of conduct of business rules, breaches of fitness and probity requirements, breach of client assessment requirements, and also a breach of the terms of authorisation.
Investment Intermediaries/Insurance Intermediaries
Settlement agreements reached with Investment Intermediaries/Insurance Intermediaries accounted for fines of €1.1m, however the bulk of this figure consists of a settlement agreement reached with Capita Life & Pensions.
In the period examined, the Central Bank published settlement agreements relating to individuals on only three occasions, where the average fine was €37k.
One thing that is notable about these particular settlement agreements is that in each case the enforcement action against the individual essentially flowed from an earlier enforcement action taken by the Central Bank against the firm in which that person previously served. In June 2020, the Central Bank concluded a settlement agreement with the former CFO and Executive Director of RSA Ireland. In 2018 the Central Bank had imposed a fine of €3.5m on RSA.
In in February 2018, the Central Bank announced the conclusion of a settlement agreement with the former Non-Executive Chairman of Irish Nationwide Building Society, and in December 2018, the Central Bank reached a settlement agreement with the former Senior Manager of Commercial Lending in Irish Nationwide Building Society. Both of these settlement agreements were preceded by a settlement agreement, in 2015, involving Irish Nationwide itself.
The pattern that can be observed thus far suggests that the Central Bank is pursuing enforcement actions individuals in circumstances where they can be clearly held directly accountable for egregious breaches that arose at the firm at which they held a key office.
As mentioned earlier, in addition to imposing a reprimand and fine on an individual, the Central Bank can also issue a Prohibition Notice, which in practice means that the individual is prohibited from performing a controlled function for a specified period or indefinitely. Since the introduction of the fitness and probity regime, the Central Bank has issued eight such notices.
A look at the average level of fines across the various segments of the sector is worthwhile, however as always when looking at averages deduced from statistically low volumes, caution must be applied.
In the period 2016 to 2020, the average fine imposed on banks was €5.8m, very substantially higher than the average fine of €1m imposed on insurers. In contrast with banks and insurers, there appears to be a reasonable level of consistency as regards the individual fines imposed on Credit Unions, with the average fine standing at €154k. The average fine imposed on Investment Firms over the period was €398k, a figure which is distorted somewhat by the €1.6m fine that was imposed on JP Morgan in 2019. More typically investment firms are being subjected to fines in the region of €230k-240k. Investment Intermediaries and Insurance Intermediaries are typically subjected to an average fine of €1,544.00.
Exposure of Breaches
The Central Bank has a range of tools that it utilises in order to more effectively supervise firms. At the most routine level, the Central Bank will request documentation or information from a regulated entity. Also, the Central Bank may occasionally request to meet with senior executives at a regulated entity, either for the purpose of discussing a particular matter that has come to its attention or in the context of fulfilling requirements under PRISM.
The Central Bank also has the power to conduct different types of reviews and inspections. These include the conduct of a full, detailed risk assessment of firms on a periodic basis. The Central Bank also conducts thematic reviews, which in practice involve the Central Bank selecting a particular segment of the financial services sector and reviewing or inspecting those firms in relation to one particular topic. Targeted Risk Assessments are another tool, whereby the Central Bank selects a particular topic within a particular firm, for closer scrutiny, which often involves an on-site visit by a team from the Central Bank. At the more intrusive end of the scale, the Central Bank conducts more lengthy on-site inspections, which can involve a team of dedicated inspectors taking up residence in a firm’s office for a period of several weeks, poring over files and systems as well as conducting interviews.
Each of these represent opportunities for the Central Bank to interact with a firm, identify any deficiencies or potential contraventions. Invariably when the central Bank conducts a firm-specific review or inspection, it produces a report which sets out a series of remediation actions which a firm is required to take within a specified timeframe. The potential for enforcement action arises where a contravention of existing regulatory requirements has been identified during an inspection, or where a firm, having been given an opportunity, fails to implement the required remediation action either correctly or in a timely way.
Of the 40 settlement agreements entered into by the Central Bank in the period 2016 to 2020, in the vast majority of cases, the contravention was discovered by the Central Bank on foot of the deployment of its own supervisory and investigative tools, principally thematic reviews and on-site inspections. Of the 40 or so settlement agreements examined, it would appear that in only 6 or 7 (15%) of the cases was the firm itself responsible for identifying the potential contravention and then self-reporting the matter to the Central Bank. However, even in those instances, the firms which took the initiative to self-report contraventions were subjected to substantial fines, ranging from €185k to €3.5m, with the average being €1.3m.
Future Direction of Enforcement
In comparison to how it stood in the aftermath of the financial crisis, the Central Bank’s enforcement regime has been transformed in several respects, particularly in terms of the powers and resources now available to it. In parallel with that, the Central Bank has very significantly increased its activity around enforcement.
In recent times the consideration of enforcement has expanded to encompass issues relating to organisational culture. This shift in emphasis has largely been driven by a recognition that invariably, poor organisational culture is not conducive to the consideration of the best interests of customers. Another driving force behind the increased prevalence of organisational culture as a consideration has been the Central Bank’s deep frustration at the need for it to almost coerce certain banks to do the right thing in relation to the tracker mortgage scandal.
However, in terms of completing the revamp of its enforcement capabilities, for the central Bank, there remains one large piece of unfinished business.
For some time now, the Central Bank has vocalised its ambition to be afforded greater scope to hold individuals to account. There are four elements to the Central Bank’s demands:
the introduction of enforceable Conduct Standards which would set out the behaviour the Central Bank expects of regulated firms and the individuals working within them;
the introduction of a Senior Executive Accountability Regime (SEAR), which would oblige firms and senior individuals within them to set out clearly where responsibility and decision-making lie for their business;
enhancements to the current fitness and probity Regime;
- a unified enforcement process, which would apply to all breaches by firms or individuals of financial services legislation, and the removal of the hurdle of participation so as to pave the way for the Central Bank to pursue individuals, rather than only in circumstances where they are proven to have participated in a firm’s wrongdoing.
The Central Bank’s proposals look set to be implemented in the Central Bank (Amendment) Bill which is currently being drafted.
But the delivery of SEAR and the other components will not mark the end of the development of the enforcement regime. In an age where financial services regulation sometimes lags behind technological developments, in order to be remain effective in the long term, the enforcement regime will need to continuously evolve.
In the meantime, we can expect the Central Bank to continue to invest considerable resources in pursuing enforcement actions, and once the anticipated new Central Bank Bill becomes law, we can expect to see much of that activity being focused on holding individuals to account.
Avoidance of Enforcement Action
Not everything in any business is perfect all of the time, but that does not mean that regulated firms should not strive for a high level of compliance or that they should ditch their zero-tolerance for regulatory breaches.
It’s not all in the hands of the gods; there are steps that the Boards and management teams of regulated firms can take to reduce the risk of their firm being subjected to enforcement action.
There is no doubting the resolve of the Central Bank to pursue firms for regulatory breaches and to hit them where it hurts, both in fiscal and reputational terms. No Director or executive wants to have an enforcement action sully their otherwise clean fitness and probity record. But avoiding the risk of enforcement action does not happen by accident.
There is always scope for Boards and management within financial services entities to take more seriously the concerns of their Compliance, Risk and Internal Audit functions. Those functions, as well as the first line risk owners have the capability and responsibility to call out issues of deficiencies that if left unchecked could cause the firm to be in breach of the legislative and regulatory requirements. To do this in an effective way, management teams and Boards must be receptive to early warnings of potential issues from within the executive ranks. Management teams and Boards should be more proactive in seeking out potential pitfalls so that they can be remedies. Boards should use the Internal Audit capability wisely and point them towards areas of concern.
For regulated firms, building trust with the Central Bank is key to developing a strong relationship. Openness and transparency is central to this. The Central Bank will be sensitive to reticence and slowness in responses to requests that it makes of a firm under its supervision, as these are indicators of a poor organisational culture. Firms should prioritise requests that are received from the Central Bank and avoid at all costs the temptation to ask for an extension of the Central Bank deadline.
Transparency is also critical in the context of Central Bank on-site inspections. A firm which thinks that it can fob the Central Bank off is setting itself up for an increased level of supervisory attention.
Where a firm is subject to a Central Bank remediation programme, a wise firm will implement the remediation actions to the letter as well as in spirit. The half-hearted or delayed implementation of remediation actions could serve to attract more unwanted supervisory attention.
Boards and management should assess on an ongoing basis the settlement agreements that are concluded by the Central Bank and consider whether there are lessons within those which can be applied within their own firm.
In addition to keeping apace with legislative developments and supervisory developments domestic level, firms should look further afield to developments at regional and international level, because in time those developments are likely to be adopted in this market.
Where something goes wrong and a regulatory breach is likely to have arisen, it is crucial for firms to establish the facts and ensure that the Board and the Central Bank are informed in a timely way.