January 11, 2022
An overview of global enforcement trends in 2021
All change or business as usual?
2021 has been another turbulent year for the global financial industry with the ongoing effects of the Covid-19 pandemic affecting regulators, financial service providers, and customers alike.
Over the course of 2020, numerous regulators put regulatory activity on hold, or at the very least pressed pause on emerging regulations. As we approach the end of 2021, we now see the same regulators put their foot very much on the gas – with an onslaught of new regulations and enforcements.
With that in mind, we’ve analysed the enforcement activity from global regulators across 2021, to see whether Covid – as well as a shift in focus for environmental, social and governance (ESG) factors – has changed the landscape for enforcement. Have the regulators focussed their sights on crypto, cyber, accountability and operational effectiveness? Or do factors such as AML and inadequate disclosures still reign supreme across the enforcement landscape?
1. Securities and Exchange Commission
Adjusting to a new administration
In the first months of 2021, the Securities and Exchange Commission (SEC) adjusted to the newly elected Biden administration. The transition involved a leftward lean and saw changes to the SEC’s leadership, including the appointment of new Chairman, Gary Gensler. Gensler inspired a reframing of the SEC’s regulatory focus and over the course of the year highlighted a willingness to act on environmental, social and governance (ESG) factors.
While there have been no adjustments made to existing regulatory standards in 2021, the SEC has signalled an enhanced focus on firms that do not properly disclose their ESG risks.
In March 2021, the SEC introduced its Climate and ESG Task Force, dedicated to analysing and identifying ESG-related misconduct. The Task Force will work to “identify material gaps or misstatements in issuers’ disclosure of climate risks under existing rules.”
A recent article in the New York Times has alluded to potential regulatory action from the SEC, in tandem with BaFin, which is looking to tackle ‘greenwashing’ through the lens of fraud. So, in parallel to the new Task Force and other ‘softer’ guidance, it looks as though the SEC intends to take proactive enforcement action against those that look to fraudulently capitalize on the shift to sustainable investments.
New enforcements are on the rise
Many would have expected that, owing to the ensuing chaos caused by the global pandemic, enforcement activities would have risen sharply over 2021. Looking solely at the high-profile enforcements (those that warranted a press release), however, the number of enforcements has stayed broadly the same month-on-month.
This is supported by the SEC’s Enforcement Results for Fiscal Year 2021, which found only a 7% increase in new actions in 2021, with the overall amount of regulatory activity decreasing by 3%.
Looking at the money, the amount issued in penalties increased by 33% over the year, which broadly equals the decrease in the amount that was disgorged year-on-year.
Accountability for those at the top
Last year, the SEC’s Division of Enforcement brought 405 standalone actions, with 72% brought against one or more individuals. The SEC’s Division of Enforcement Director at the time, Stephanie Avakian, noted that these included “individuals at the top of the corporate hierarchy, including CEOs, CFOs, COOs – as well as gatekeepers like accountants, auditors and attorneys.”
2021 tells broadly the same story. Of the 434 new actions brought, 70% included at least one individual. These included high-profile enforcements against corporate executives of established banks, including:
- $2.5 million penalty against former Wells Fargo CEO and Chairman, John Stumpf, for misleading investors about the success of the bank.
- Charges against former CEO and Chairman of Nikola Corporation, Trevor Milton, for repeatedly disseminating false and misleading information about the company, typically by spreading false information to investors on social media.
- Charges against the CEO and CFO of WageWorks Inc. for making false and misleading statements and omissions to the company’s auditors.
- $4.7 million settlement with the CEO of human resources company ProSky for defrauding investors by providing falsified bank statements and balance sheets.
It’s not hard to see the running trend here – falsifying documents or providing fraudulent statements with a view to impress investors or auditors.
The move to digital for financial services, combined with the immediacy of social media, now blurs the lines between what qualifies as market manipulation (NB Elon Musk). It is often said that good compliance should become part of a firm’s culture, embedded across the organisation from the top down. However, when it is those at the top of a firm who are acting in a non-compliant way, it doesn’t bode well for the rest of the company.
Emerging enforcement activity for crypto
In 2020, enforcement action with regard to cryptocurrency was nowhere to be seen. Much like the current state of play for climate-related risks, crypto has been on the lips of regulators for some time.
However, only now are we starting to see the SEC take enforcement action with regard to crypto. This is especially pertinent when, as alluded to previously, the crypto market is highly gameable and prone to instability through celebrity endorsement and social media rushes. In particular, we’ve seen that the SEC:
- Charged three individuals – including the founder of Bitcoiin2Gen – for fraudulently inducing investors to buy digital asset securities by making false claims, such as it was “the largest Bitcoin exchange in euro volume and liquidity”.
- Charged two California-based founders for defrauding more than 1,000 investors in an unregistered offering of digital asset securities, similarly, including charges for false claims such as having “patent pending technology”.
- Filed an action against CEO and chairman of Ripple Labs Inc for raising more than $1.3bn through an unregistered digital asset securities offering.
It’s not all change
While 2021 saw a raft of new regulatory activity from the SEC, including its first ever enforcement against an alternative-data firm, much of the enforcement action focussed on familiar non-compliance favourites, including improper conduct by investment professionals, insider trading, and market manipulation.
Cybersecurity similarly continued as a common thread across enforcements.
The SEC has maintained a focus on cybersecurity controls since 2017 with a dedicated Cyber Unit. In 2020, it increased that focus to reflect the rising number of online crimes committed during periods of pandemic-related lockdown.
In 2021, that trend continued with the SEC pursuing a number of cybercrime investigations and enforcement actions, including a large-scale investigation into the hack of the SolarWinds Corporation, and a $487,616 settlement in June with the First American Financial Corporation over cybersecurity disclosure failures. In August 2021, the SEC handed down a fine of $1 million to Pearson PLC for failing to properly disclose a cyberattack to its customers.
2. Financial Industry Regulatory Authority (FINRA)
Are compliance teams keeping up?
FINRA had not released its annual report at time of writing; however, it does publish monthly updates about the disciplinary actions it has taken. Looking at the first half of 2021, from January to June, it would appear that the household names of non-compliance top the charts: supervision, reporting, AML and policies, procedures, and controls.
Of the 70 actions taken against firms, 20 related to ineffective supervision across the business, from failures to supervise communications of employees to failing to implement a supervisory system altogether. In close second were reporting failures, often concerning instances where firms had failed to submit reports by certain timelines or had made costly errors and mistakes.
Much of this points to the finding that financial institutions that fall under FINRA’s supervisory umbrella struggled to keep up over the last year. Run of the mill operations – from reporting, record retention, and maintaining effective policies and controls – clearly became more challenging. This could be attributed to myriad causes, Covid or digitisation, for example.
It could also point to a lack of resource for compliance teams who may be struggling to keep up with emerging regulatory changes for ESG, crypto, cyber and privacy, meaning these less ‘significant’ tasks fall by the wayside. Of course, such tasks are no less ‘significant’ for the regulators.
The cost of non-compliance
The significance of non-compliance becomes especially apparent when considered alongside the cumulative costs of enforcement action. By our own estimations, FINRA issued fines amounting to around $23million in the first six months of this year:
Of course, February’s figures are skewed slightly by a $2.5million fine for one multinational investment bank who failed to keep on top of their record keeping requirements. Nonetheless, with the average fine totalling around $285,000, it goes to show that maintaining effective regulatory reporting, as well as policies, procedures and controls, is well worth the cost.
A closer look
A closer look at FINRA’s enforcements for the first part of this year sees a few trends emerging, especially when viewed alongside its regulatory messaging:
Anti-Money Laundering (AML)
AML remained a key focus for FINRA in 2021 with the regulator handing down over $1 million in fines for AML-related compliance violations. Some of the most significant AML enforcement actions were a consequence of deficiencies in firms’ AML programs, with FINRA focusing its harshest punishments on suspicious activity reporting issues.
FINRA enforcement actions have also emphasized compliance with Best Execution Regulations (Rule 5310), which requires companies to ensure they ascertain the most favourable prices for customer securities under prevailing market conditions. If a firm does not review every single securities trade, it must ensure that it performs ‘regular and rigorous’ reviews of the quality of its executions. FINRA has indicated that it would be examining 0% commission trades for Best Execution compliance.
FINRA has indicated that compliance with Supervisory regulations will be a priority in 2021, especially in the wake of the Covid-19 pandemic and the increased reliance on remote work. In keeping with the messaging from other global regulators, FINRA is sharpening its focus to ensure that firms continue to operate in a way that is compliant in the absence of in-person supervisory measures. Member organizations are expected to utilize new communication technologies to meet their supervisory obligations and adapt to a new operational landscape.
*The above graphs are calculated by CUBE. In the absence of an end of year report from FINRA, CUBE looked at the individual monthly disciplinary actions for January – June 2021 and tallied the amounts that firms were fined. We then broadly summarised each enforcement action by topic area. As such, these results may differ from FINRA’s end of year report (when published).
3. Financial Conduct Authority (FCA)
A quieter year for enforcements…
The FCA published its annual report in July 2021, setting out the key enforcement actions that it had taken over fiscal year 2020-21. The FCA accompanied the release of the report with an acknowledgement of the ‘challenging’ circumstances of the previous 12 months and its objective to ‘protect vulnerable people’ and help ‘hundreds of thousands of businesses, large and small, through the Covid-19 pandemic’. With that in mind, over fiscal year 20/21 the FCA issued a total £189.8 million in financial penalties to offending firms, allocated £21.7 million for consumer redress in cases of unauthorised investment, and froze £7 million in illegal funds.
Following this annual report, it was easy to speculate that the FCA was having a quieter year for enforcements, especially given that the previous year’s annual report showed the FCA to have issued £224.4m in financial penalties over the same period. Fiscal year on fiscal year, the amount issued in financial penalties had fallen.
In comparison to previous years, £189.8 million in financial penalties is a 15% decrease from FY 2020, which had a 1% increase from FY 2019.
Bucking the trend of other global regulators, the FCA issued only two cases against individuals in FY 2020/21, which is less than both FY 2018/19 and FY 2019/20.
…or so we thought
While the FCA’s enforcement data for FY 2020/21 suggested a year of fewer fines at a lesser value, December 2021 saw two regulatory enforcements that caused the tables to turn. According to the FCA’s end of year enforcement data, it issued a staggering £567,765,219 over the course of the 2021 calendar year, up by £375,195,201 from 2020, in which it issued £192,570,018 in fines.
More than 50% of 2021’s cumulative fines were issued in December 2021, comprising two AML-related enforcements – one which saw National Westminster Bank Plc face a £264.7m penalty for failure to comply with the Money Laundering Regulations 2007. It is worth noting, however, that this is not a fine that will appear in the FCA’s statutory accounts as it is not levied by, or paid to, the FCA.
Three fines to rule them all
While the value of fines issued in 2021 is high, it only comprises 10 enforcement actions.
Of this sum, a large proportion – 88.5% – comes from three fines in particular:
- £264,772,619.95 issued to NatWest following a conviction for three offences of failing to comply with money laundering regulations. This was the first time the FCA pursued criminal charges for money laundering failings. It was noted by the sentencing judge in the case, however, that NatWest was “in no way complicit in the money laundering that took place” but that it could not have taken place “without the bank – and without the bank’s failures”.
- £90,688,400 issued to Lloyds Bank General Insurance Limited for failing to ensure that language contained within millions of home insurance renewals communications was clear, fair and not misleading.
- £147,190,200 issued to Credit Suisse International for serious financial crime due diligence failings, related to loans worth over $1.3 billion, which the bank arranged for the Republic of Mozambique.
Other smaller – though not insignificant – fines were issued for breaches including:
- £642,000 for a broker who had deficient anti-money laundering systems and controls in place
- £116,000 for an individual who failed to act with integrity and failed to ensure that his company complied with the relevant standards and regulatory system
- £178,000 issued to an investment bank for failings which led to the risk of facilitating fraudulent trading and money laundering.
No new ground
Criminal proceedings brought against NatWest mark a landmark judgment for the FCA. However, despite being a big year for regulatory fines, it has been a relatively uneventful year for the regulator in terms of the focus of its enforcement activity. Unlike some of its US counterparts, we’re not seeing enforcement activity in newer fields such as crypto. Moreover, despite regulations such as SMCR now in full swing, we’re seeing less enforcement action brought against individuals. Perhaps everybody is behaving?
With that in mind, much of this year’s regulatory action has concerned the usual suspects for the FCA:
The FCA’s priority to protect consumers during the Covid-19 pandemic saw it launch a ScamSmart investment campaign designed to alert the general public to the increased threat of cyber-crime during the pandemic – the campaign drove 150,000 visits to the ScamSmart website. The FCA also issued 1,292 consumer warnings during 2020-21 and ensured 4.5 million payment deferrals for mortgage and credit payment customers.
The FCA’s collective £189.8 million in financial penalties for corporate firms was accompanied by 1,715 supervision cases into scams and high risk investments, and 1,293 enforcement enquiry cases. The FCA singled out its enforcement activity against the Digital Wealth Society (DWS) and the unauthorised investment scheme Outsourcing Express Limited (OEL), both of which promised unrealistically high returns for investors. After investigating those firms, the FCA returned £3.428 million to 606 victims.
One of the FCA’s priorities for 2020-21 was ensuring the safety and resilience of the UK’s financial markets. The FCA’s regulatory focus on cryptocurrency was reflected in 223 new registration applications from UK crypto-asset service providers, seeking regulatory oversight of their AML measures. The FCA also prioritized the protection of UK corporate whistleblowers, assessing 1,046 whistleblower reports comprising 2,754 allegations.
4. Monetary Authority Of Singapore (MAS)
Focus on recovery and resilience
In 2020, MAS worked to manage the challenges of the Covid-19 pandemic, issuing S$3.4 million in penalties across 18 financial institutions, with a focus on 3 key enforcement priorities: market abuse, financial services misconduct, and AML-related control breaches.
In 2021, MAS’ annual report underlined its commitment to addressing Covid-19 challenges, and maintaining the status of Singapore as a robust and resilient financial centre. While, at the time of writing, MAS had not released its annual enforcement report, the regulator has published what appear to be the majority of their enforcements in press releases. These releases point to a clear focus on conduct and dishonesty from MAS in 2021.
Three key focus areas for enforcements in 2021
1. Cyber resilience
In January 2021, MAS issued revised Technology Risk Management Guidelines, designed to help firms keep pace with emerging cyber-threats. MAS included guidance on managing third-party cyber-risks and on the need for senior leadership participation in ensuring corporate cyber-resilience.
In January 2021, cryptocurrency service providers fell under the scope of Singapore’s Payment Services Act (PSA). In March 2021, MAS published guidance for cryptocurrency service providers to facilitate the better implementation of AML/CFT controls.
MAS continued to work with financial institutions throughout 2020-21, focusing on high risk areas and vulnerabilities. MAS focused on leveraging technology and data to support surveillance and supervision. MAS also worked closely with financial institutions on managing specific money laundering risks during the Covid-19 pandemic.
Regulation over enforcement?
Despite cementing their commitment to key areas for 2021, the enforcement activity we’ve seen would suggest that MAS’s approach is much more carrot and stick than punitive. Of course, the annual enforcement report might paint a different picture – there is the chance that MAS is keeping its enforcement under wraps until then. But given the recent scrutiny it has received for its inaction with companies involved in the latest Pandora Papers release, it seems reasonable to suggest that the regulator is focussing more on publishing regulation than it is on implementing it.
This comes as a surprise. MAS is often seen as a regulator that tackles emerging regulatory challenges head on – from climate-related risk to crypto. So, while its regulatory messaging is often pioneering, its enforcement activity doesn’t seem to live up to expectations. Again, though, perhaps financial organisations in Singapore are just being compliant.
5. Australia’s Securities and Investments Commission (ASIC)
Before Covid, the Australian financial system was still attempting to re-establish robust compliance practices following the fallout from 2019’s Final Report of the Royal Commission into misconduct. So, when the global pandemic took hold, some might argue that ASIC were on the back foot, already struggling under a deluge of non-compliance actions.
However, it could be suggested that ASIC’s proactive work stood them in good stead to manage the impending challenge – and indeed, its latest enforcement figures would support that.
At the time of writing, the latest information about ASIC’s 2021 enforcement action could be found in its September 2021 Enforcement Update. Over the first six months of 2021, ASIC concluded:
Increased focus on small business and individuals
What is particularly interesting from ASIC, however, is the number of enforcements it has concluded against small businesses and individuals. Over the first 6 months of 2021, ASIC had concluded 180 enforcements related to small businesses or individuals, more than all of the other enforcements put together.
Of these 180 enforcements:
- 123 persons were convicted for failing to help liquidators under external administrator programs
- 3 people were convicted of criminal offences (two received criminal convictions)
- 10 companies were prosecuted for failing to lodge annual financial reports
- 16 people were disqualified from managing corporations
- 27 people had their Australian credit licenses cancelled or suspended
A robust regulatory approach
In comparison to other global financial regulators, ASIC appears to be issuing a steady flow of robust regulatory action. The focus of those enforcements may not be ground-breaking, but the Australian regulator appears to be doing what it set out to do – restore a fair, strong and efficient financial system for Australians.
Final thoughts on enforcement trends in 2021
There is no doubt that the last year has marked an incredible shift for financial services across the globe. It is not necessarily true to say, however, that shift has transcended across to regulatory enforcement action.
It is perhaps jumping the gun to expect that regulators would be taking punitive action around emerging themes such as ESG and crypto when the regulatory environment for such areas is still immature. Moreover, any malpractice that may have occurred – or loopholes that were taken advantage of – may have yet to show themselves, never mind complete the full stage of the enforcement lifecycle.
There are certain areas that are coming to the fore, however. Operational effectiveness is a running theme across global regulators, potentially owing to new technological systems being implemented (but not sufficiently tested and maintained) in the last year.
Individual accountability is another area of note. Most regulators appear to be looking increasingly at CEOs, CCOs, CFOs and other gatekeepers to run a clean ship. The buck no longer stops with the less senior employees where malpractice occurs. Accountability leads to a wider topic of culture – a theme that appeared to prevail in 2019 returns with a vengeance in 2021, likely owing to a societal shift paired with the new working environment afforded by Covid.
From the data available, it does not seem that the landscape for enforcements has transformed across 2021. However, there are undoubtedly signals that suggest change is on its way. In the meantime, firms would do well to ensure their current systems, processes and controls are watertight – so they can go into the new dawn with the confidence that they may withstand increasing regulatory scrutiny in the future.
What to watch
- Emerging regulations and regulatory enforcement surrounding cryptocurrency
- Increased regulatory focus on culture and supervision, especially for individuals at the top
- Operational effectiveness across all new and current systems
- Continued importance of the compliance classics: AML, cyber and effective policies, procedures, and controls
How CUBE can help
The regulatory landscape is constantly evolving. While some financial regulators continue to focus on age-old issues of non-compliance including AML and financial crime, others move to create regulatory frameworks around emerging risks including crypto and climate change. Most financial regulators are looking to widen their scope and, in turn, their regulatory perimeter to ensure that every facet of the financial landscape has a watertight regulatory regime in place. What does this mean for compliance teams? A deluge of emerging regulation and expectation.
CUBE is a SaaS based RegTech designed to take the complexity out of regulatory change management using artificial intelligence and automation to deliver Automated Regulatory Intelligence.
In short, we track, capture and monitor every regulatory change across the globe and make sense of it for our customers. Drawing on ten years of experience, we have a mature data set which covers the length and breadth of regulatory content. This means that our AI can make accurate inferences and intelligently link regulatory changes across different books and regulators, spot trends and make predictions rooted in data. This can all then be automatically mapped to our customers’ policies and controls – leaving compliance officers to implement regulatory change across the organisation.
Whether you’re a large, multinational bank, or a small financial organisation with up to a handful of compliance officers, we’ve got a suite of products tailored to you – to ensure you don’t fall on the wrong side of the regulators.