This was greeted with headlines that talked of a ‘sweeping set of reforms’.
In truth, such a description, even on paper, appears somewhat hyperbolic. After all, businesses regulated by the FCA have always been required to hold and use only the necessary permissions to conduct their business.
The proposed changes relate, instead, to the process and speed with which unused permissions may be removed unilaterally by the FCA with 14 days’ notice (assuming the business in question fails to convince the regulator of the need for the permissions).
Statements made by the FCA's enforcement director Mark Steward touted the guidance as being a vital antidote, in part, to scams and the risk of consumers being misled by inaccurate permissions.
The FCA statement does not comment on the notion that the draft guidance has been issued to tackle the recent criticism of the FCA by the Complaints Commissioner, in having incorrect information on its public register. The public register is populated with data reported by businesses to the FCA as required under its own rules.
The FCA reviews that data and should update its records (including the public register) accordingly. There can be inaccuracy and delay in that process, which can lead to confusion for consumers. It remains to be seen whether the proposed changes are likely to have any appreciable impact on that.
Recording the correct scope of permissions on the public register is clearly desirable. It ensures that consumers are provided with correct information.
Also, reviewing and maintaining only those permissions that a business needs ensures that companies only pay necessary fees and helps companies demonstrate effective oversight of a business and compliance with obligations under the senior managers and certification regime.
Businesses are also required to provide the FCA with an annual attestation that the information held on the FCA public register is accurate.
Permissions are unlikely source of scams
However, it is unlikely that the new changes will make much difference to the ways of scammers. The scope of a company's permissions is unlikely to be the true source of many scams and fraud on consumers of financial services in the UK.
The current scourge, which has increased during the pandemic, includes spoofing and fake websites, imitating real businesses and the use of social media to mislead consumers.
Scammers are imitating real businesses, including stealing branding and content from regulated businesses' legitimate websites, and even replicating details of employees at regulated businesses using data taken from the FCA public register.
The speed at which such websites appear and then can be 'rinsed' and recreated is phenomenal and the FCA is arguably powerless to do anything about it.
Steward himself recognised the limitations of the FCA in tackling fraud earlier this year, noting that "traditional" fraud investigations lack potency, as they command less than 1 per cent of police resources.
Steward also confirmed that the FCA has no powers to prosecute fraud, even in relation to those businesses it regulates.
When it comes to scams targeted at financial services consumers, the FCA is largely impotent and is reliant on under-resourced agencies, dealing with a plethora of other crimes, to tackle it.
With law enforcement agencies experiencing scarcity of resource, it is unsurprising that fraud is investigated on a risk and/or impact-based approach.
Typically, the larger the fraud, the more likely it will be investigated, although meaningful investigation is never guaranteed in any case.
Businesses faster to react
In reality, it is regulated businesses themselves who are investing a significant amount of time, energy and resource in combating fraud. Companies report swindles to the FCA, usually swiftly upon discovery.
Anecdotally, experience is that there is often a significant delay of days or weeks (and sometimes months) before the FCA takes action, such as by publishing a warning on its website drawing the public’s attention to the scam inflicted on legitimate FCA businesses.
Delay means the horse has bolted, as the business has likely already had the offending website blocked and social media accounts shut down, such that there is no clear and present danger to consumers.
Instead, there is a belated and out-of-date warning that, when published, could cause confusion or mislead consumers, more so than protecting them.
Therefore, do the proposed changes to remove out-of-date regulatory permissions have utility? Yes, they do. Are they an effective and impactful answer to fraud and scams on the consumer public? No. The problem is much larger than accurate permissions on the FCA public register.
Douglas Cherry is a partner at Reed Smith
