The Bank of England’s approach to enforcement: changes to statements of policy and procedure following the Financial Services and Markets Act 2023

1: Overview

This Bank of England (the Bank) policy statement (PS) provides feedback on responses to the consultation paper (CP) The Bank of England’s approach to enforcement: proposed changes to statements of policy and procedure following the Financial Services and Markets Act 2023 that was published in March 2024. It also contains, in the form of an appendix, the Bank’s (including the Prudential Regulation Authority’s (PRA’s) final policy.

That appendix is the updated Bank of England approach to enforcement: statements of policy and procedure which is referred to in this PS as the ‘Enforcement SoPP’. Following the consultation, Annex 4 of the Enforcement SoPP has been amended in relation to critical third parties to reflect various matters raised by respondents to the CP, as explained further below.

This PS is relevant to:

• PRA-authorised firms (hereafter referred to simply as firms), qualifying parent undertakings, actuaries, auditors, and senior employees of those entities (including, but not limited to, authorised senior management function holders and certified employees under the Senior Managers and Certification Regime (SM&CR));
• Financial Market Infrastructures (FMIs) including FMI Sandbox entities;
• persons who are not PRA-authorised persons, and who act as an originator, sponsor or Securitisation Special Purpose Entity for the purposes of the Securitisation Regulations 2024, and individuals involved in securitisation activities;
• any person that is or may be recognised or specified, as appropriate, by HM Treasury (HMT) as a recognised payment system (RPS) that uses digital settlement assets (DSAs), as a DSA service provider (DSA SP), or as a service provider of an RPS that uses DSAs, or of a DSA SP;
• any person who is or may be recognised by HMT, or individual who is or may be specified by the Bank, in connection with the wholesale distribution of cash; and
• any person designated or who may be designated by HMT as a critical third party (CTP).

This PS will be of interest to professional advisers who represent firms and individuals potentially subject to enforcement action taken by the Bank and/or the PRA.

Background

In the CP, the Bank (including, where applicable, the PRA) consulted on proposed amendments to its Enforcement SoPP to reflect proposed updates in relation to its:

• enforcement policy and procedure in connection with the Securitisation Regulations 2024 (Proposal 1);
• enforcement policy and procedure in respect of digital settlement assets (Proposal 2);
• enforcement policy in connection with the wholesale distribution of cash (Proposal 3); and
• enforcement policy and procedure with respect to CTPs (Proposal 4).

Summary of responses

The Bank (including, where applicable, the PRA) received seven responses to its proposals in the CP. All were in response to Proposal 4, relating to the use of the enforcement powers of the Bank and the PRA (the Relevant Regulators insofar as this PS relates to CTPs) in respect of CTPs. For the avoidance of doubt, the proposed amendments to the Enforcement SoPP, sought to explain, and invited responses on the policies and procedures the Bank and PRA would apply in exercising new or expanded enforcement powers. Those powers were conferred on the Relevant Regulators by the Financial Services and Markets Act 2000 (FSMA 2000) (as amended by the Financial Services and Markets Act 2023 (FSMA 2023)) and the scope of the enforcement powers was not the subject of the CP.

Respondents broadly welcomed the proposals, while raising some operational concerns. Some of these concerns, which did not directly relate to the Relevant Regulators’ approach to the use of enforcement powers, had already been expressed in response to the separate consultation paper, jointly published by the Bank, the PRA and the Financial Conduct Authority (FCA), on the overall regulatory oversight framework that will apply to CTPs: PRA CP26/23 Operational resilience: Critical third parties to the UK financial sector. Feedback is provided in the corresponding policy statement PS16/24 and the Relevant Regulators therefore do not propose to refer to or provide feedback on those responses here.

In this PS, the Relevant Regulators provide detailed feedback on the responses to the enforcement CP (see Section 2 of this PS).

Respondents did not raise any Equality Act 2010 concerns.

Changes to draft policy

Following consideration of the comments, suggestions and observations made by respondents, the Relevant Regulators have made the following changes to certain chapters of Annex 4 of the Enforcement SoPP. The Relevant Regulators have:

• provided assurance in Chapter 1 that appropriate expertise in relation to CTPs and their services will be deployed throughout the enforcement process, including at the enforcement decision-making stages;
• made explicit in Chapter 2 their commitment to, where practicable, seeking alignment with international standards and frameworks on the approach to enforcement against CTPs, to promote a globally cohesive approach on operational resilience and to streamline reporting requirements;
• clarified in Chapter 3 that, when considering ‘all relevant facts and circumstances’ in deciding whether to impose a disciplinary measure in relation to a CTP, this will include consideration of the availability of services from other CTPs and whether the imposition of any disciplinary measure should be subject to a transitional period and/or conditions to enable alternative services to be sought and provided;
• clarified in Chapter 3 the factors that may be relevant to assessing the seriousness of any breach and whether to take enforcement action in relation to a CTP (including those relating to profits accrued or loss or other adverse effects suffered); and
• qualified in Chapter 3 that, in determining whether to take enforcement action against a CTP, consideration will be given to any mitigating factors and the conduct of the CTP after the breach was committed. This will include how promptly, comprehensively and effectively the CTP brought the breach to the attention of any ‘affected firm’ (as defined each Relevant Regulator’s Rulebook).

In Chapter 2 of the Enforcement SoPP, the Relevant Regulators have added two additional rows to Table 6: Regulatory enforcement statutory decisions – CTPs to reflect their powers of restitution relating to CTPs under FSMA 2000.

There were a number of responses which, in the view of the Relevant Regulators, did not necessitate further changes to the draft Enforcement SoPP as the matters to which they related are already embedded in the statutory requirements and procedures of FSMA 2000 (for example, responses requesting that enforcement proceedings observe due process and provide a right for the subject to make representations) and/or are already addressed in the draft Enforcement SoPP.

As indicated above, there were no responses to the CP in relation to Proposals 1, 2 and 3. The Bank has, however, made some minor/technical corrections in relation to Proposal 3.

We have also clarified that the approach which currently applies to FMI enforcement (and, in particular, to central securities depositories) set out in Annex 2 will also, going forward, apply to digital securities depositories (DSDs)^{footnote [1]} as indicated in the Enforcement SoPP.^{footnote [2]}

Implementation

The updated Enforcement SoPP will take effect on 12 November 2024.

The Bank (including, where applicable, the PRA) will have regard to the policies on exercising its enforcement powers in force at the time of any misconduct, contravention or failure (collectively referred to as a breach).^{footnote [3]} Consequently, when conduct which would have amounted to a breach under the updated Enforcement SoPP begins before 12 November 2024 (when the new policies take effect) and continues after that date, the new regimes apply only to the conduct from 12 November 2024 onwards and not before. These considerations do not apply in relation to, for example, critical third parties as at the time of publication of this PS and the date when the updated Enforcement SoPP takes effect, no entities have been designated as CTPs such that they are subject to the Relevant Regulators’ oversight and enforcement regimes.

2: Feedback to responses

The Bank (including, where applicable, the PRA) must consider representations that are made to it in accordance with its duty to consult on its general policies and practices and must publish, in such manner as it thinks fit, responses to those representations.

The Relevant Regulators have considered the responses received to the CP. This section summarises the responses under headings reflecting their subject matter and then sets out the Relevant Regulators’ feedback to those responses and their final decisions.

Responses and feedback

Scope of enforcement action

One respondent sought clarification as to whether the Relevant Regulators’ ability to take enforcement action against CTPs was limited to ‘material services’ provided by CTPs to firms and FMIs, or to extended to ‘all services’.

Any breach of the rules applicable to CTPs may result in enforcement action. The scope of the relevant rules will determine the scope of any potential enforcement action. However, the Relevant Regulators have stated in supervisory statement SS6/24 and policy statement PS16/24 that all CTP rules apply to ‘systemic third-party services’ only, with the exception of CTP Fundamental Rule 6,^{footnote [4]} which also applies to non-systemic third party services.

Proportionate approach to enforcement

Three respondents stated that proportionality considerations around enforcement were essential (in deciding whether to investigate and in subsequently deciding whether to take enforcement action). One of these respondents expressed concern that a disproportionate approach could result in reduced innovation, while another suggested it could prompt CTPs to withdraw from the UK.

The Relevant Regulators confirm that while they will not hesitate to exercise their powers where there has been a breach of relevant rules, the proportionality of any action (including use of enforcement powers) will remain a key consideration, including enforcement cases involving CTPs.

Evidence relied on

One respondent said it would be helpful if the Relevant Regulators confirmed the types of evidence they will rely on when making enforcement decisions, including when evaluating the extent of the CTP’s responsibility for a breach, and whether the Relevant Regulators would consider, for instance, contracts between CTPs and their firm/FMI customers.

When making an enforcement decision, the Relevant Regulators will consider all the relevant circumstances of the particular matter. While contractual agreements between CTPs and their firm/FMI clients may be informative with respect to understanding how the parties had agreed to allocate responsibility for certain matters as between themselves, the Relevant Regulators’ focus will be on determining whether a party has committed a regulatory, rather than a contractual, breach.

Consideration of shared responsibility model

Two respondents suggested the ‘shared responsibility model’ (whereby, for example, security for different aspects of the services provided are apportioned by contractual agreement between a CTP and its customer) should be reflected in enforcement actions.

As indicated above, the Relevant Regulators will consider all relevant circumstances when making decisions in relation to enforcement action. The circumstances will vary depending on the particular matter under consideration and, where such a model is in operation, the details of a shared responsibilities model may be relevant to the breach under consideration and to culpability for that breach, as will the respective parties’ regulatory obligations. We have amended Chapter 3 of Annex 4 to reflect this.

Use of information gathering powers

Two respondents requested further clarity on how the Relevant Regulators will exercise their information gathering powers, such as issuing statutory information requirements. One of these respondents recommended information requirements only be issued to a CTP’s firm/FMI customers if the CTP itself had already failed to respond in a satisfactory or sufficient manner to an information requirement.

The Relevant Regulators will consider in any enforcement case how best to obtain relevant information to inform an enforcement investigation but will not seek to restrict the information gathering powers conferred on them by Parliament. It may be that a CTP or its firm/FMI customers, or both, hold relevant information and the Relevant Regulators will exercise their respective powers accordingly on a case-by-case basis.

Definition of economic benefits

Two respondents requested clarity on the precise meaning of the ‘economic benefits’ the Relevant Regulators will consider when deciding whether to take enforcement action against a CTP.

The Relevant Regulators agree further clarity may be helpful here. They have therefore removed the reference to ‘economic benefits’ from Chapter 3 and replaced it with a reference to profits accrued, or loss or other adverse effects suffered, as a consequence of the breach.

Use of condition or limitation powers

One respondent requested clarification as to the exact circumstances when the Relevant Regulators will use their powers to impose conditions or limitations on the services provided by CTPs. The same respondent also suggested conditions or limitations should only be imposed following a dialogue with the firms/FMIs which are in receipt of the services in question.

The Relevant Regulators will consider the most appropriate disciplinary power, taking into account all relevant circumstances in each enforcement case. It is not possible to prescribe the exact circumstances in which the Relevant Regulators would use any given power. The Relevant Regulators will always seek to act in a proportionate manner, taking into account relevant considerations and, where appropriate to do so, material representations.

Due process and transparency

One respondent urged the Relevant Regulators to exercise their statutory powers transparently and in accordance with due process.

Subject to applicable confidentiality restrictions, the Relevant Regulators seek to be as transparent as possible and are required, in accordance with the statutory regime in FSMA 2000 applicable to the exercise of their enforcement powers, to observe due process and to afford due process to the subjects of enforcement actions – for example, the Relevant Regulators must give reasons for any proposal to take enforcement action and the subject has the right to make representations in response, which must be taken into account before any decision to take enforcement action is made.

Experts

One respondent encouraged the Relevant Regulators to include guidance regarding their approach to selecting decision-making committee and Enforcement Decision Making Committee members, to ensure decision-makers have sufficient expertise to reflect the fact that the CTP oversight regime is new to both the Relevant Regulators and CTPs.

The Relevant Regulators recognise that the inclusion of CTPs within the regulatory enforcement perimeter is novel for regulators and CTPs alike. Decision-makers within the Relevant Regulators have a wide variety of backgrounds, expertise and experience and, equally, may call upon colleagues with equally broad expertise and experience. Nonetheless, the Relevant Regulators have updated Chapter 1 to provide assurance that appropriate expertise in relation to CTPs and their services will be deployed as necessary throughout the enforcement process, including during enforcement decision-making.

Confidentiality and information security

With respect to information sharing by the Relevant Regulators during an enforcement investigation, three respondents raised concerns about confidentiality and information security.

The Relevant Regulators acknowledge these concerns and agrees with the importance of maintaining confidentiality and strong information security. In addition to legal restrictions on the sharing of confidential information, to which it adheres, the Relevant Regulators also employ strict information security controls. This will continue to be the case on enforcement investigations relating to CTPs.

Non-compliance with investigators

One respondent requested further clarity on the consequences for individuals who fail to comply with investigators in the exercise of their statutory powers.

The Relevant Regulators expect individuals at firms within the regulatory perimeter to behave in an open and co-operative manner when investigators are exercising statutory powers. Acts or omissions by senior individuals at a CTP in failing to be open and co-operative with investigators will be relevant to the Relevant Regulators’ assessment of an enforcement action relating to a CTP.

Notice given to firms/FMIs

Three respondents suggested firms/FMIs would require advance notice of a Relevant Regulator’s decision to impose a disciplinary measure on a CTP, to give them sufficient time to transfer to an alternative service provider with minimal disruption or harm being caused to them or their end customers.

As indicated above, the Relevant Regulators are subject to confidentiality obligations but recognise that substitutability of CTP services is of concern and may present practical and operational difficulties. There may be cases with particular circumstances where the Relevant Regulators consider it necessary and proportionate to provide affected firms/FMIs with ‘advance notice’ of a forthcoming enforcement decision against a CTP. The Relevant Regulators will balance any such consideration against confidentiality obligations and the fact that the need for such advance notice may, in appropriate circumstances, be mitigated or negated by the provision of a transitional period for the implementation of certain disciplinary powers.

Absence of financial penalty power and SM&CR

Four respondents suggested the Relevant Regulators’ enforcement toolkit would be enhanced by the addition of a power to impose financial penalties on CTPs. One of these respondents suggested the proposed measures may not provide the desired deterrent effect for large international hosting providers.

One respondent was of the view that, in the absence of a regime such as the SM&CR or similar, there was little to incentivise senior individuals within CTPs to set the ‘tone from the top’ in terms of encouraging high standards of behaviour.

As noted above, the scope of the enforcement powers was not the subject of the CP and therefore the Relevant Regulators offer no comments on those responses.

Unintended consequences of enforcement action and the potential for implementation/transition period

Five respondents stressed the importance of considering the risk that enforcement against CTPs (particularly where this involves prohibition) could have unintended, adverse consequences for firms/FMIs and their end customers. These respondents suggested that, due to the concentrated nature of CTPs and consequential challenges around sourcing, conducting due diligence around and contracting with an alternative CTP there was a risk of significant disruption to the provision of uninterrupted services and potential harm to firms/FMIs and their end customers.

The Relevant Regulators recognise that firms/FMIs may face challenges obtaining services from an alternative CTP. To reflect this the Relevant Regulators have amended Chapter 3 to state explicitly that consideration of all relevant facts and circumstances in any enforcement case will, as relevant, include consideration of the availability of other service providers. It will also include consideration of whether the imposition of the disciplinary measure should be subject to a transitional period and/or conditions to facilitate as smooth a substitution of services as possible and to mitigate risks to the entities concerned, including the risks of firms and FMIs within the regulatory perimeter falling foul of the regulatory requirements applicable to them. The Relevant Regulators will consider the most appropriate disciplinary power, taking into account all relevant circumstances in each enforcement case.

Possibility that CTPs will seek to pass costs down

Two respondents expressed concern that an unintended consequence of the CTP regime is that CTPs may pass the costs associated with enforcement proceedings down to firms/FMIs, which may in turn pass them down to end customers.

As the Relevant Regulators received the same or similar comments on this point in relation to the overall CTP oversight regime in response to CP26/23, they will provide feedback in the PS16/24 covering the overall CTP oversight regime. The Relevant Regulators’ enforcement powers are designed to address misconduct in relation to the provision of CTP services and, their focus in any enforcement case will necessarily be on whether the CTP has adhered to regulatory requirements and rules. The Relevant Regulators will not hesitate in any case to take robust enforcement action where appropriate.

Co-ordination with the FCA

One respondent queried how the Relevant Regulators will co-ordinate with the FCA to ensure clear alignment of approach in respect of enforcement against CTPs, given none of the three regulators is designated as the final arbiter.

Throughout the development of the CTP regime and this policy, the three regulators have carefully considered this issue and agreed a new tripartite Memorandum of Understanding (MoU) on how they will approach CTP oversight and enforcement. The MoU should be read in conjunction with the Enforcement SoPP.

International alignment

One respondent stressed the importance of the Relevant Regulators aligning with international standards and frameworks to promote a globally cohesive approach on operational resilience.

The Relevant Regulators are aware of the international environment in which financial services firms and FMIs operate, as do many CTPs which are subject to laws and requirements in various jurisdictions. The Relevant Regulators recognise the potential for regulatory burden on entities and therefore, across their respective remits, seek to align, where practicable, with international standards and with domestic (for example, the FCA – see above) and overseas regulators and to promote co-operation with them, considering this to be an essential part of the advancement of the Relevant Regulators’ statutory objectives and general functions, including an effective enforcement regime. The Bank has updated Chapter 2 to make this explicit.

Cost benefit analysis

One respondent recommended the Relevant Regulators undertake a more rigorous cost benefit analysis to assess the full costs of bringing CTPs into the regulatory perimeter, and to ensure the costs of doing so are apportioned fairly.

As the Relevant Regulators received the same or similar comments on this point in response to CP26/23, they will provide feedback in the policy statement PS16/24 covering the overall CTP oversight regime.