DEPP 6.5A The five steps for penalties imposed on firms
Step 1 - disgorgement
- (1)
1The FCA2will seek to deprive a firm of the financial benefit derived directly from the breach (which may include the profit made or loss avoided) where it is practicable to quantify this. The FCA2 will ordinarily also charge interest on the benefit.
22 - (2)
Where the success of a firm’s entire business model is dependent on breachingFCA rules2 or other requirements of the regulatory system and the breach is at the core of the firm’s regulated activities, the FCA2 will seek to deprive the firm of all the financial benefit derived from such activities. Where a firm agrees to carry out a redress programme to compensate those who have suffered loss as a result of the breach, or where the FCA2 decides to impose a redress programme, the FCA2 will take this into consideration. In such cases the final penalty might not include a disgorgement element, or the disgorgement element might be reduced.
2222
[Note: For the purposes of DEPP 6.5A, “firm” has the special meaning given to it in DEPP 6.5.1 G]
Step 2 - the seriousness of the breach
- (1)
The FCA2 will determine a figure that reflects the seriousness of the breach. In many cases, the amount of revenue generated by a firm from a particular product line or business area is indicative of the harm or potential harm that its breach may cause, and in such cases the FCA2 will determine a figure which will be based on a percentage of the firm’s revenue from the relevant products or business areas. The FCA2 also believes that the amount of revenue generated by a firm from a particular product or business area is relevant in terms of the size of the financial penalty necessary to act as a credible deterrent. However, the FCA2 recognises that there may be cases where revenue is not an appropriate indicator of the harm or potential harm that a firm’s breach may cause, and in those cases the FCA2 will use an appropriate alternative.
22222 - (2)
In those cases where the FCA2 considers that revenue is an appropriate indicator of the harm or potential harm that a firm’s breach may cause, the FCA2 will determine a figure which will be based on a percentage of the firm’s “relevant revenue”. “Relevant revenue” will be the revenue derived by the firm during the period of the breach from the products or business areas to which the breach relates. Where the breach lasted less than 12 months, or was a one-off event, the relevant revenue will be that derived by the firm in the 12 months preceding the end of the breach. Where the firm was in existence for less than 12 months, its relevant revenue will be calculated on a pro rata basis to the equivalent of 12 months’ relevant revenue.
22 - (3)
Having determined the relevant revenue, the FCA2 will then decide on the percentage of that revenue which will form the basis of the penalty. In making this determination the FCA2 will consider the seriousness of the breach and choose a percentage between 0% and 20%. This range is divided into five fixed levels which represent, on a sliding scale, the seriousness of the breach. The more serious the breach, the higher the level. For penalties imposed on firms there are the following five levels:
22 - (4)
TheFCA2 will assess the seriousness of a breach to determine which level is most appropriate to the case.
2 - (5)
In deciding which level is most appropriate to a case involving a firm, the FCA2 will take into account various factors, which will usually fall into the following four categories:
2 - (6)
Factors relating to the impact of a breach committed by a firm include:
- (a)
the level of benefit gained or loss avoided, or intended to be gained or avoided, by the firm from the breach, either directly or indirectly;
- (b)
the loss or risk of loss, as a whole, caused to consumers, investors or other market users in general;
- (c)
the loss or risk of loss caused to individual consumers, investors or other market users;
- (d)
whether the breach had an effect on particularly vulnerable people, whether intentionally or otherwise;
- (e)
the inconvenience or distress caused to consumers; and
- (f)
whether the breach had an adverse effect on markets and, if so, how serious that effect was. This may include having regard to whether the orderliness of, or confidence in, the markets in question has been damaged or put at risk.
- (a)
- (7)
Factors relating to the nature of a breach by a firm include:
- (a)
the nature of the rules, requirements or provisions breached;
- (b)
the frequency of the breach;
- (c)
whether the breach revealed serious or systemic weaknesses in the firm’s procedures or in the management systems or internal controls relating to all or part of the firm’s business;
- (d)
whether the firm’s senior management were aware of the breach;
- (e)
the nature and extent of any financial crime facilitated, occasioned or otherwise attributable to the breach;
- (f)
the scope for any potential financial crime to be facilitated, occasioned or otherwise occur as a result of the breach;
- (g)
whether the firm failed to conduct its business with integrity;
- (h)
whether the firm, in committing the breach, took any steps to comply with FSA rules, and the adequacy of those steps; and
- (i)
in the context of contraventions of Part VI of the Act, the extent to which the behaviour which constitutes the contravention departs from current market practice.
- (a)
- (8)
Factors tending to show the breach was deliberate include:
- (a)
the breach was intentional, in that the firm’s senior management, or a responsible individual, intended or foresaw that the likely or actual consequences of their actions or inaction would result in a breach;
- (b)
the firm’s senior management, or a responsible individual, knew that their actions were not in accordance with the firm’s internal procedures;
- (c)
the firm’s senior management, or a responsible individual, sought to conceal their misconduct;
- (d)
the firm’s senior management, or a responsible individual, committed the breach in such a way as to avoid or reduce the risk that the breach would be discovered;
- (e)
the firm’s senior management, or a responsible individual, were influenced to commit the breach by the belief that it would be difficult to detect;
- (f)
the breach was repeated; and
- (g)
in the context of a contravention of any rule or requirement imposed by or under Part VI of the Act, the firm obtained reasonable professional advice before the contravention occurred and failed to follow that advice. Obtaining professional advice does not remove a person’s responsibility for compliance with applicable rules and requirements.
- (a)
- (9)
Factors tending to show the breach was reckless include:
- (a)
the firm’s senior management, or a responsible individual, appreciated there was a risk that their actions or inaction could result in a breach and failed adequately to mitigate that risk; and
- (b)
the firm’s senior management, or a responsible individual, were aware there was a risk that their actions or inaction could result in a breach but failed to check if they were acting in accordance with the firm’s internal procedures.
- (a)
- (10)
Additional factors to which the FCA2 will have regard when determining the appropriate level of financial penalty to be imposed under regulation 34 of the RCB Regulations are set out in RCB 4.2.5 G.
2 - (11)
In following this approach factors which are likely to be considered ‘level 4 factors’ or ‘level 5 factors’ include:
- (a)
the breach caused a significant loss or risk of loss to individual consumers, investors or other market users;
- (b)
the breach revealed serious or systemic weaknesses in the firm’s procedures or in the management systems or internal controls relating to all or part of the firm’s business;
- (c)
financial crime was facilitated, occasioned or otherwise attributable to the breach;
- (d)
the breach created a significant risk that financial crime would be facilitated, occasioned or otherwise occur;
- (e)
the firm failed to conduct its business with integrity; and
- (f)
the breach was committed deliberately or recklessly.
- (a)
- (12)
Factors which are likely to be considered ‘level 1 factors’, ‘level 2 factors’ or ‘level 3 factors’ include:
- (a)
little, or no, profits were made or losses avoided as a result of the breach, either directly or indirectly;
- (b)
there was no or little loss or risk of loss to consumers, investors or other market users individually and in general;
- (c)
there was no, or limited, actual or potential effect on the orderliness of, or confidence in, markets as a result of the breach;
- (d)
there is no evidence that the breach indicates a widespread problem or weakness at the firm; and
- (e)
the breach was committed negligently or inadvertently.
- (a)
- (13)
In those cases where revenue is not an appropriate indicator of the harm or potential harm that a firm’s breach may cause, the FCA2 will adopt a similar approach, and so will determine the appropriate Step 2 amount for a particular breach by taking into account relevant factors, including those listed above. In these cases the FCA2 may not use the percentage levels that are applied in those cases in which revenue is an appropriate indicator of the harm or potential harm that a firm’s breach may cause.
22
Step 3 - mitigating and aggravating factors
- (1)
The FCA2 may increase or decrease the amount of the financial penalty arrived at after Step 2, but not including any amount to be disgorged as set out in Step 1, to take into account factors which aggravate or mitigate the breach. Any such adjustments will be made by way of a percentage adjustment to the figure determined at Step 2.
2 - (2)
The following list of factors may have the effect of aggravating or mitigating the breach:
- (a)
the conduct of the firm in bringing (or failing to bring) quickly, effectively and completely the breach to the FCA's2 attention (or the attention of other regulatory authorities, where relevant);
2 - (b)
the degree of cooperation the firm showed during the investigation of the breach by the FCA2, or any other regulatory authority allowed to share information with the FCA2;
22 - (c)
where the firm’s senior management were aware of the breach or of the potential for a breach, whether they took any steps to stop the breach, and when these steps were taken;
- (d)
any remedial steps taken since the breach was identified, including whether these were taken on the firm’s own initiative or that of the FCA2 or another regulatory authority; for example, identifying whether consumers or investors or other market users suffered loss and compensating them where they have; correcting any misleading statement or impression; taking disciplinary action against staff involved (if appropriate); and taking steps to ensure that similar problems cannot arise in the future. The size and resources of the firm may be relevant to assessing the reasonableness of the steps taken;
2 - (e)
whether the firm has arranged its resources in such a way as to allow or avoid disgorgement and/or payment of a financial penalty;
- (f)
whether the firm had previously been told about the FCA's2 concerns in relation to the issue, either by means of a private warning or in supervisory correspondence;
2 - (g)
whether the firm had previously undertaken not to perform a particular act or engage in particular behaviour;
- (h)
whether the firm concerned has complied with any requirements or rulings of another regulatory authority relating to the breach;
- (i)
the previous disciplinary record and general compliance history of the firm;
- (j)
action taken against the firm by other domestic or international regulatory authorities that is relevant to the breach in question;
- (k)
whether FCA2 guidance or other published materials had already raised relevant concerns, and the nature and accessibility of such materials; and
2 - (l)
whether the FCA2 publicly called for an improvement in standards in relation to the behaviour constituting the breach or similar behaviour before or during the occurrence of the breach.
2
- (a)
Step 4 - adjustment for deterrence
- (1)
If the FCA2 considers the figure arrived at after Step 3 is insufficient to deter the firm who committed the breach, or others, from committing further or similar breaches then the FCA2 may increase the penalty. Circumstances where the FCA2 may do this include:
222- (a)
where the FCA2 considers the absolute value of the penalty too small in relation to the breach to meet its objective of credible deterrence;
2 - (b)
where previous FCA2 action in respect of similar breaches has failed to improve industry standards. This may include similar breaches relating to different products (for example, action for mis-selling or claims handling failures in respect of ‘x’ product may be relevant to a case for mis-selling or claims handling failures in respect of ‘y’ product);
2 - (c)
where the FCA2 considers it is likely that similar breaches will be committed by the firm or by other firms in the future in the absence of such an increase to the penalty; and
2 - (d)
where the FCA2 considers that the likelihood of the detection of such a breach is low.
2
- (a)
Step 5 - settlement discount
The FCA2 and the firm on whom a penalty is to be imposed may seek to agree the amount of any financial penalty and other terms. In recognition of the benefits of such agreements, DEPP 6.7 provides that the amount of the financial penalty which might otherwise have been payable will be reduced to reflect the stage at which the FCA2 and the firm concerned reached an agreement. The settlement discount does not apply to the disgorgement of any benefit calculated at Step 1.
22