The Conduct Chronicles – Fast and furious: The Regulatory Hazards of Fast Growth

The Hype Before the Fall

We’ve all witnessed it. The ambitious, fast-growing firm announcing its global domination plans, coupled with high-profile launch events and impressive press coverage. But the dazzling media hype conceals a darker, more concerning story. One that is playing out behind the scenes. Because the firm is actually creaking at the seams. The spectacular growth means there are too few people to process and manage the inflow of business, let alone answer the deluge of customer queries and complaints. 

Meanwhile, technology has been deployed across multiple sites without the requisite rigor. And the focus on implementing business-related solutions, means compliance technology has been left behind. Worse still, governance failings mean that gaps have not been identified nor escalated and the lack of compliance technology has left teams scrambling for data that is locked away in spreadsheets and emails. 

Then the fall-out begins.

Articles hit the press, highlighting the departures of high-profile personnel. The Board must now contend with the reputational damage arising from the press coverage, alongside industry commentators speculating on the nature of the internal issues that have led to the departures. 

Then, consumers take to social media to vent their anger at poor customer service and complaining that products don’t meet their needs or have caused them to lose money. 

Then (if not before), the regulators start asking some very pointed questions. They are looking for answers. And they are looking for data.

Regulatory Scrutiny

Fast growth, without adequate planning, introduces risk, and this is on the regulator’s radar. 

In 2023, the UK FCA released the findings of its review of firms that had experienced fast growth over a 3-year period. The review considered risk management, governance, and adequacy of financial resources. And while the focus was on Contracts for Difference providers, wealth managers and payment services firms, the FCA noted “our observations are relevant to all regulated firms that have grown rapidly or have plans to do so.”

This is what it found:

• Risk management and governance frameworks (across all lines of defense) had not been scaled to cope with the business growth.
• Assessments of the adequacy of financial resources did not consider the growth in the underlying business. This, in turn, resulted in financial resources assessments that were not commensurate with the size, business model and underlying risks. Not only can this affect the financial resilience of firms, but it can also increase the risk of a disorderly failure.
• Inadequate wind-down plans thereby increasing risk of harm – to the market and to consumers – in the event of failure.

Whilst the FCA’s review focused on UK-entities, it’s worth highlighting that many of the firms reviewed are part of international groups. For some of these firms, the FCA’s review uncovered significant risks due to intragroup dependencies for financial and non-financial transactions and outsourcing arrangements.

The point around international connectivity is important. If you are a UK-headquartered firm, your lead regulator will be the FCA. And whilst your other entities will fall under other regulatory regimes, the FCA will be keeping a keen eye out on what is happening in those jurisdictions (and yes, regulators talk!). The FCA will also expect a certain amount of technical capability across sites. Hence, if your firm has leading-edge surveillance and recordkeeping capabilities in the UK, it will expect the same (or plans to achieve that) in the other jurisdictions.

Given the review findings, the FCA has recommended that firms ensure:

• There are regular updates to a firm’s risk and governance arrangements thereby ensuring there are adequate resources in place to identify, assess, manage and monitor risks and potential for harms. This will of course include compliance technology and recordkeeping capabilities.
• The adequacy and review of a firm’s financial resources, alongside ensuring that wind-down plans are in place and kept updated. This may require an increase in the level of capital/liquid assets held. With its focus on market stability, and mitigating against potential consumer harm, the FCA is keen to ensure an orderly wind-down in the event a firm ceases to trade.

Bringing to life the risk, Starling Bank was recently fined by the FCA for failings that occurred between December 2019 and November 2023 in relation to the onboarding of certain high-risk customers and sanctions screening processes. In October, the Bank issued an admission stating that ‘controls failed to keep pace with the growth of the business’. The Bank added that it had ‘completed both a detailed re-screening of transactions and an in-depth back book review of customer accounts in respect of the contraventions detailed in the Notice.’

Reflecting on the Starling Bank fine, alongside the recent FTX scandal and the significant record keeping enforcement actions (the now notorious ‘WhatsApp’ fines), it’s clear that the criticality of good corporate governance and risk management is increasingly being recognized, and penalized where deficiencies are identified.

Who’s Accountable?

Aligned to the need for good corporate governance is a growth in regulatory accountability regimes that aim to clarify roles, responsibilities, and importantly, to ensure that reasonable steps are taken to address issues that are identified. Regulators are seeking data and the corresponding audit trails around how issues are being escalated and managed, and how the action plans to resolve them are being documented and tracked.

That said, despite the new accountability obligations, what we have yet to see is wholesale enforcement actions at an individual level. Instead, fines have been at company level – for example, the recent record keeping enforcement actions. Whether we see a shift to more individual-level enforcement actions remains to be seen.