The FCA recently issued guidance on appropriate financial resources for all solo regulated firms, i.e. insurance brokers, claims management firms and MGAs in the insurance sector. FG20/1 is designed to provide guidance to firms on the FCA’s expectations about how firms should determine whether they have appropriate financial resources and how they will assess those resources, though there is also mention of non-financial resources.
There is a regulatory theme here. The PRA has also recently issued some guidance which related directly to capital by looking at how it will assess the prudency of investment portfolios. Watch this space for our review of the Prudent Persons Principle.
The timing is intentional. Covid-19 has had an impact in the sector and there are firms which are struggling as a consequence. However, as we are all hearing the pandemic is not going to be the end of this. There is an increasing move to more agile working and we all have a recession to live through though there are significantly varied views on length and depth of that and whether the shape of the recovery will be a curve or V-shape on the economic cycle. ICSR have seen an increase in firms seeking to review their operating model and consequently their resources.
This article therefore looks at the FCA Guidance and some of the issues firms need to consider.
The Starting Point
Regulated Firms must at all times meet the FCA Threshold Conditions. A failure to do so can and often leads to the withdrawal of the firm’s permissions. Within the Threshold Conditions are the rules relating to the requirement to have appropriate resources, financial and non-financial. Known as Threshold Condition 2.4, it that provides that the resources of a firm must be appropriate in relation to the activities that the firm carries on or seeks to carry on.
Thankfully, the Threshold Condition (the TC) provides flexibility in that the matters which are relevant to determining appropriateness of financial resources include:
- The nature and scale of the business carried on or to be carried on,
- The risks to continuity of the services provided or to be provided, and
- Any impact that membership of a group may have.
When considering non-financial resources, the following are relevant:
- The skills and experience of the management, and
- Whether the resources are sufficient for the firm to comply with the FCA’s requirements.
The FCA guidance, however, goes one step further than these. It states that the FCA expect “firms to assess their adequate financial resources commensurate with the risk of harm and complexity of their business. [That] starts with considering whether they have enough assets to cover their debts when due”. That is of course the base level question of solvency considering both the cash flow (ability to pay as debts fall due) and balance sheet (assets exceeding liabilities) tests. This also means that capital comes in different forms including liquid resources.
The mention of harm is important and should not be overlooked. Firms with limited potential to cause harm may need no more than the ability to maintain base solvency levels. On the other hand, a larger firm which may have a high proportion of consumer or SME business is very likely to require more than the base level of solvency.
The FCA are interested in ensuring not only continuity of service through appropriateness of resources but also that the resources are sufficient to permit orderly wind down of operations if things do not work out as the firm would hope.
So, the starting point is base solvency. From there the FCA will, when assessing whether a firm is meeting the TC, consider whether:
- The firm has taken reasonable steps to identify and measure its risks,
- There are appropriate systems and controls and human resources to measure risks prudently at all times,
- The firm has access to adequate capital to support the business and client monies are not placed at risk, and
- The resources are commensurate with the likely risks.
For those that did not notice, this is not for assessment of the overall appropriateness of the firm’s resources but the financial resources. A firm therefore that does not have a strong risk function (by which we simply mean someone responsible for assessing and advising the Board on the firm’s risks) which provides regular assessment of the firm’s risks is exposing itself to a need to hold higher levels of capital than one that does. Of course, the paradigm is that a firm with a strong appetite to risk may find that they are needing higher levels of capital. The upside however is that that firm will at least be comfortable in the knowledge that it is meeting the TCs .
Any assessment by the FCA of a firms’ approach to risk will include:
- A look at the quality of the firm’s risk framework,
- The adequacy and appropriateness of the identification of risks to the firm,
- How the firm undertakes assessment of the materiality of each risk,
- What controls the firm has in place to mitigate the risks,
- Whether the firm makes use of stress tests, and
- Whether there is any application of the “use test” which sees assessment of risks used on a day by day basis for decision making.
The FCA accepts that the principle of proportionality applies, after all it is built into TC 2.4. However, even at a base level the FCA will expect that assessment to be ongoing. An annual review is very unlikely to be sufficient. The reasons for this are obvious. Risks to firms change constantly whether as a result of the firm’ changing business model or the nature or scale of the business undertaken or changes in the external regulatory or economic climate.
The last few years have seen significant changes in the regulatory and legal environment including the introduction of the IDD, GDPR and SM&CR to name but a few of the more important ones. Present circumstances may fall into both internal and external categories with firm’s considering remote/agile working and a recession. The FCA will expect that firms will not only have reacted but also identified the changes in their risk profile and adapted accordingly as well as considered the adequacy of their financial (and other) resources.
One interesting dynamic is that there are firms which assess the capital they may require for their downside risk, that is the risk that they may need to commence an orderly wind down of operations, according to how long it might take them to sell the firm to an interested buyer. In a buoyant consolidating market that may mean the firm only needs capital to cover the cost of operations for 4 to 8 weeks. However, that can change and can change very quickly. The purpose of this article is not to consider whether present circumstances have changed the market for consolidation but if capital for consolidators and the availability of willing purchasers was to dry up firms may find themselves short of their capital requirements for meeting TC 2.4. Certainly, firms should be looking now at whether they hold sufficient capital at this point in time and ensure that the Board records their review and assessment.
The fact that the FCA speaks of non-financial resources (risk) as a strong element of the assessment of financial resources speaks volumes for the importance of non-financial resources to them. The Guidance specifically looks at the need for a strong control environment and good governance. These require non-financial resources. Most importantly people but that is not all. IT can also play a considerable role as well as outsourcing arrangements. All however must be governed and overseen appropriately.
Dealing with the people aspects there is a need to not only have the right number of people but also the right quality and, where individuals may be under-developed the processes to ensure that they are receiving appropriate development and support. There has been a lot on culture in recent years and a great deal of that has focused on employees and employee engagement. This is an extension of the principles of Conduct Risk but it is also linked directly to the need to ensure that a firm’s resources are of the right quality as well as quantity. A firm without a sufficient quantity and quality of people will not be meeting culture expectations and in severe cases may also not be meeting threshold conditions.
Easy examples come in the form of compliance and risk activities. A firm which is not meeting its basic compliance or regulatory requirements, or which is not properly assessing its risks and appropriately mitigating them with effective controls is unlikely to have appropriate resources and is therefore unlikely to be meeting TC2.4. A firm which is operating and relying entirely on spreadsheets for financial information may find it has a TC2.4 issue because the risk of error and/or omission would be considered quite high. Proportionality is at play here according to assessment of risk of harm through failure.
Governance and the access of the Board to good quality, timely and accurate management information is also very high on the FCA agenda. Good governance has been on the FCA’s annual plan and agenda for about a decade and is unlikely to be removed. A firm that does not have good reporting to the Board and an effective level of governance by the Board may find it is not meeting TC2.4 (among a plethora of other FCA rules) whether that is because it does not have the IT resources to produce that MI or sufficient quantity or quality of people to ensure that reporting is appropriate.
Other examples are abundant but likely to have less significant consequences. For example, a firm which constantly fails to meet FCA requirements for handling complaints on time or appropriately is likely to have a resource (and possibly a systems and control) issue but only in the most severe cases would this be considered to be a possible breach of TC2.4. The possibility of harm is high but there is, if other resources are appropriate, the ability for redress.
As firms look at agile and remote working as part of their future operating models, they must consider whether any changes they make will impact their control environment or the controls they require and their resources. An obvious example has been the increase in risk to firms from the increase in remote working. Hackers and fraudsters have been having a field day. If remote working is to continue firms need to consider this increase in risk to their and their client’s data and ensure that they have beefed up their security. This is but one example. There are others are plenty of questions which firms need to ask including:
- Is remote working less efficient. If so, will more resources be required?
- What has been the impact on the ability of Internal Audit (whether in-house or out/co-sourced) and risk and compliance to undertake their monitoring or other control activities? What adjustments are required to their activities to ensure that the control environment remains effective?
- How has the quality of governance and oversight of the business or individuals been maintained at the necessary standard? What changes might be required?
- Has or is the firm’s culture likely to be impacted? If so, what needs to be done?
- For firms with a young workforce, how is the development of individuals being managed to ensure that they have the appropriate level of skills to perform their role?
In each case it is a question of what the risks are and what the impact on the firm’s resource requirements are to be able to operate appropriately but also to ensure that they continue to meet the threshold conditions.
The FCA has been very active during the pandemic providing significant guidance on a plethora of issues. Most have had immediate application and provided clear guidance for the FCA’s expectations on areas where guidance has not previously been available. The same is now true for Appropriateness of a firm’s resources. The FCA’s Guidance may only deal with Financial Resources but there is enough there to be a warning to firms about their expectations to ensure that going forward firms continue to meet all the Threshold Conditions and are thinking about how they will do so.
Well-managed firms have seen the importance of these changes and many are taking the opportunity to review the adequacy or appropriateness of their resources, financial and non-financial as well as the risks and mitigating controls for their firm in the new norm and making adjustments. Not surprisingly PRA regulated firms have been doing the same.
If you would like to discuss any of these issues in complete confidence, please contact us.