Final Notice
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this notice, the Authority hereby imposes on Michael
John Allin (“Mr Allin”) a financial penalty of £9,900.
1.2.
Mr Allin agreed to settle at an early stage of the Authority’s investigation and
therefore qualified for a 30% (stage 1) discount under the Authority’s executive
settlement procedures. Were it not for this discount, the Authority would have
imposed on Mr Allin a financial penalty of £14,100.
2.
SUMMARY OF REASONS
2.1.
Between 1 June 2012 and 20 March 2013 (the “Relevant Period”) Mr Allin, in his
capacity as Internal Auditor at Bank of Beirut, failed to deal with the Authority in
an open and cooperative way and failed to disclose appropriately to the Authority
information of which it would reasonably expect notice. Mr Allin’s conduct
breached Principle 4 of the Authority’s Statement of Principles for Approved
Persons (“Statement of Principle 4”).
2.2.
The Authority visited Bank of Beirut in 2010 and 2011 and observed that whilst
the size and complexity of the business model gave rise to comparatively few
operational risks, it was concerned that the culture at Bank of Beirut was one of
insufficient consideration of risk or regulation, despite the high risk that its
business might be exploited to facilitate financial crime. These visits took place
prior to Mr Allin’s arrival as sole internal auditor at the Bank on 9 January 2012, a
position he held on a part time basis. The Authority required Bank of Beirut to
take specific actions to address the Authority’s concerns and to counter the risk
that it could be used to facilitate financial crime. The Authority had required that
the Bank implement these actions at deadlines between May 2011 and September
2011, before Mr Allin’s arrival at the Bank.
2.3.
The Authority specifically required Mr Allin, as the firm’s Internal Auditor, to
review whether Bank of Beirut had taken all these required actions and to provide
the Authority with assurance that the necessary improvements had been
embedded in the firm’s processes by 1 June 2012.
2.4.
Mr Allin breached Principle 4 because:
(1)
on 26 June 2012 he provided an assurance to be given to the Authority
that all of the action points had been implemented even though he had
failed to review the Bank’s implementation of the action points as required
by the Authority by 1 June 2012. Mr Allin was aware that the Bank had still
not completed two of the required actions by this date. Following
discussions with senior management about the response that the Authority
required, he did not provide the Authority with this information, which the
Authority would reasonably expect notice of.
(2)
on 30 November 2012, Mr Allin prepared a report for the Authority which
gave a misleading impression about the Bank’s completion of a specific
action point. Mr Allin omitted information from this report even though this
was information of which the Authority would reasonably expect notice. In
omitting this information, the Authority recognises that Mr Allin was
influenced by comments made by senior management.
2.5.
On 20 March 2013, Mr Allin was interviewed by the Authority. On this date, Mr
Allin shared his concerns with the Authority about Bank of Beirut’s completion of
this specific action point and corrected the misleading impression he had given on
30 November 2012.
2.6.
The Authority specifically requires Internal Auditors to evaluate the effectiveness
of firms’ internal controls and risk management processes, and are reliant on
Internal Auditors to maintain an open, constructive and cooperative relationship
with the Authority. The Authority is particularly reliant on the internal audit
function in supporting a culture of effective controls and governance at small
sized firms that are not subject to frequent supervision by the Authority. In this
case, Mr Allin’s failings did not result in direct consumer detriment. However, the
Authority relied on Mr Allin as the Bank’s Internal Auditor to report back to the
Authority on whether or not Bank of Beirut had addressed the Authority’s
concerns regarding its compliance with regulatory requirements that it had
observed during its visits in 2010 and 2011. The Authority’s concerns in relation
to Bank of Beirut were particularly serious because of the heightened risk that the
Bank might be used to facilitate financial crime, including money laundering,
which could in turn endanger the integrity of the UK financial system.
2.7.
Whilst the Authority recognises that Mr Allin’s actions were influenced by senior
management and that he has no previous disciplinary record with the Authority,
this does not excuse his misconduct. Mr Allin was in a position to understand the
true position with respect to Bank of Beirut’s completion of the action points
required by the Authority and as such should have resisted senior management in
this regard. Internal auditors must maintain their independence, and as an
approved person holding a significant influence function, Mr Allin was personally
bound by his own regulatory responsibilities.
2.8.
Mr Allin failed to deal with the Authority in an open and cooperative way in breach
of Statement of Principle 4. The Authority therefore imposes on Mr Allin a
financial penalty of £9,900.
3.
DEFINITIONS
3.1.
The definitions below are used in this Final Notice.
“the Act” means the Financial Services and Markets Act 2000
“ARROW” means the Advanced Risk Responsive Operative Framework.
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct
“Bank of Beirut” or “the Bank” means Bank of Beirut (UK) Ltd.
“FSF” means Firm Systematic Framework.
“Remediation Plan” means the risk mitigation programme the Authority provided
to the Bank of Beirut on 8 March 2011.
“Remediation Plan action points” means the specific actions set out in the
Remediation Plan that the Authority required Bank of Beirut to take.
4.
FACTS AND MATTERS
4.1.
Mr Allin has been employed on a part time basis as the sole Internal Auditor at
Bank of Beirut, the UK subsidiary of Lebanon domiciled Bank of Beirut S.A.L, since
9 January 2012. As Internal Auditor of the UK subsidiary, Mr Allin’s
responsibilities include planning and performing all internal audits and
investigations at the Bank of Beirut in order to advise all levels of management
and the Board, through its Audit Committee, on the quality of the Bank’s
operations with particular emphasis on systems and controls. Mr Allin’s role also
includes assisting “regulatory authorities providing them with copies of audit
reports if so requested”.
4.2.
Bank of Beirut’s principal activities are the provision of trade finance,
correspondent banking, commercial and retail banking services. Bank of Beirut
has fewer than 1000 customers, who are predominantly from countries that are
regarded as being high risk from a financial crime perspective. As at 31
December 2011, Bank of Beirut’s total assets were £321 million.
The Remediation Plan
4.3.
In December 2010, the Authority conducted a risk assessment at Bank of Beirut
(then known as an ARROW assessment, and now referred to as the FSF). On 8
March 2011, the Authority wrote to Bank of Beirut, setting out its findings from
the risk assessment, and attaching the Remediation Plan. This took place before
Mr Allin’s arrival at the Bank.
4.4.
The Authority observed that the culture of Bank of Beirut was one of inadequate
consideration of risk and regulatory requirements with insufficient focus on
governance and controls.
4.5.
The Authority had particular concerns around the effectiveness of Bank of Beirut’s
internal audit function, which was hampered by a failure to resolve outstanding
audit issues. The Authority emphasised to Bank of Beirut’s senior management
the Authority’s reliance on the internal audit function in supporting a culture of
effective controls and governance at small sized firms that are not subject to
frequent supervision by the Authority. The Authority required the Bank’s senior
management to resolve all outstanding issues of internal audit reports. The
Authority also had concerns about Bank of Beirut’s lack of a compliance
monitoring plan, designed to help Bank of Beirut monitor its compliance with its
regulatory obligations and to counter the risk of financial crime.
4.6.
In the Remediation Plan, among six other action points, the Authority set out
three action points that it expected Bank of Beirut to complete to address its most
serious concerns:
(1)
By 1 June 2011, “to resolve all outstanding issues of internal audit reports
and to report to the FSA what actions were taken and to ensure the setting
of deadlines for the resolution of all audit issues”.
(2)
By 1 September 2011, to “develop, implement and conduct an adequate
compliance monitoring program and to evidence this action with a
completion report to the FSA”.
(3)
By 1 June 2012, “the internal auditor to review the implementation of the
[Remediation Plan] action points in the annual internal audit cycle in order
to provide assurance the improvements are embedded in the firm’s
processes and have become a matter of course for the firm”.
Provision of misleading information to the Authority
26 June 2012 email
4.7.
On 14 May 2012, the Authority reminded the Bank of the Remediation Plan action
point due on 1 June 2012 requiring the Internal Auditor to review the
implementation of all the other Remediation Plan action points. The Authority
required that all the other Remediation Plan action points were implemented at
deadlines between May 2011 and September 2011, before Mr Allin’s arrival at the
Bank. It appears that Mr Allin only became aware of this Remediation Plan action
point (or indeed any of the Remediation Plan action points) at around this time,
despite arriving at the Bank some five months earlier in January 2012.
4.8.
By the deadline of 1 June 2012, Mr Allin had not conducted an internal audit to
review the implementation of the Remediation Plan action points, and had not
provided any confirmation to the Authority that the improvements had been
embedded in the firm’s processes.
4.9.
On 12 June 2012, the Authority sent an email to the Bank of Beirut chasing the
Firm for a response to this overdue Remediation Plan action point.
4.10. On 25 June 2012, Mr Allin sent an internal email addressing the implementation
of the Remediation Plan action points as required by the Authority. His email
indicated that the Remediation Plan action points had not all been implemented
and embedded. Specifically, Mr Allin referred to two Remediation Plan action
points “which are currently being addressed”:
(1)
Mr Allin noted that the Remediation Plan action point to resolve all
outstanding internal audit issues by 1 June 2011 had not been completed,
and commented that he expected to close all outstanding internal audit
issues “during 2012”.
(2)
Mr Allin identified that the requirement to develop, implement and conduct
an adequate compliance monitoring program by 1 September 2011 had
not yet been completed, stating that the “Bank has developed a
Compliance Monitoring Program which has not been fully implemented”.
4.11. However, the next day (26 June 2012), following discussions with senior
management over the response that the Authority required, Mr Allin revised his
response. He provided reassurance in an internal email that “I can confirm that
the [Remediation Plan] action points have been implemented and are embedded
in Bank policy and procedures” with no detail about the outstanding Remediation
Plan action points. This was despite the fact that:
(1)
Mr Allin had no reason to believe that the two outstanding Remediation
Plan action points which he referred to in his email the previous day had
been resolved; and
(2)
Mr Allin had still not conducted an internal audit to assess the
implementation of the Remediation Plan action points.
4.12. Mr Allin gave this assurance knowing that it was for the purpose of providing it to
the Authority. However, in light of the two outstanding Remediation Plan action
points, this assurance was misleading and failed to provide information of which
the Authority would reasonably expect notice.
4.13. Shortly after Mr Allin sent that email, the Bank of Beirut emailed the Authority on
26 June 2012 stating “our Internal Auditor confirms that the [Remediation Plan]
action points have been implemented and are embedded in the Bank’s policies
and procedures”. No information was provided regarding the unresolved internal
audit points which the Bank had been required to resolve by 1 June 2011.
Further, no information was provided regarding the Bank’s failure to implement
fully and conduct the compliance monitoring plan, which should have been
completed by 1 September 2011. This was information of which the Authority
would reasonably expect notice.
30 November 2012 completion report
4.14. The Authority wrote to Bank of Beirut on 16 August 2012 setting out its concerns
that certain Remediation Plan action points remained outstanding. The Authority
requested further information from the Bank on these issues. In particular, the
Authority required Mr Allin, as Bank of Beirut’s Internal Auditor, to provide a
“completion report” to confirm that the Remediation Plan action point relating to
the compliance monitoring plan had been completed. Given the lack of progress
at Bank of Beirut, the Authority had to extend the original Remediation Plan
deadline for this completion report from 1 September 2011 to 30 November
2012.
4.15. The relevant Remediation Plan action point required the Bank of Beirut to
“develop, implement and conduct an adequate compliance monitoring program”
and to evidence this with a completion report. The Authority’s expectation was
that this report would confirm that Bank of Beirut had completed a full cycle of an
appropriate compliance monitoring plan. It appears that Mr Allin may have
initially misunderstood what the Authority required, although he later understood
the correct position. He noted in an internal email on 29 August 2012 to senior
management: “A completion report sounds like they expect the whole
[compliance monitoring plan] to have been performed by the end of November?
The original Action Point did state that the [compliance monitoring plan] was to
have been developed, implemented and conducted!”
4.16. Mr Allin circulated a draft completion report internally within Bank of Beirut on 27
November 2012, which set out his findings following his audit of the compliance
monitoring plan. The draft contained the following wording in the “Detailed
Findings” section:
“Detailed Findings
Issue
The Compliance department has not fully completed all of the Compliance
Monitoring Program tests and in some instances monitoring has not been
conducted in accordance with the prescribed frequency.”
4.17. Senior management queried the inclusion of the “Detailed Findings” section in the
completion report, and commented that they would not expect the report to
“highlight areas not yet covered which is sure to lead to the FSA providing yet
another deadline date and report to complete.”
4.18. Mr Allin amended his response to the Authority and subsequently deleted the
“Detailed Findings” section from the report, which was provided to the Authority
on 30 November. The final completion report confirmed that “…the specific
[Remediation Plan] point in respect of the compliance monitoring program has
been fully implemented.” It no longer included the statement that the compliance
department had not fully completed all of the tests under the compliance
monitoring plan.
4.19. Whilst Mr Allin’s final report still referred to the fact that “the [compliance
monitoring plan] is a continuing cycle of regulatory tests and reviews [and] it is
inevitable that the work being performed is ongoing”, it failed to provide the
Authority with a clear picture of the true status of the compliance monitoring
plan, namely that it had not in fact been fully conducted as required by the
Remediation Plan.
4.20. In March 2013, Mr Allin was required to attend an interview with the Authority as
part of the Authority’s follow-up visit to Bank of Beirut. In that interview, Mr Allin
corrected the misleading impression contained in his 30 November 2012
completion report by sharing with the Authority his ongoing concerns about the
adequacy of the compliance monitoring plan for the Bank, and about the quality
of the monitoring work performed under it. Mr Allin did not include any of this
information within his November 2012 completion report, despite the fact that
this is information of which the Authority would reasonably expect notice.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Final Notice are referred to in Annex A.
5.1.
By reason of the facts and matters referred to above, Mr Allin breached
Statement of Principle 4 because he failed to deal with the Authority in an open
and cooperative way and to disclose appropriately any information of which the
Authority would reasonably expect notice, in that:
(1)
He failed to review Bank of Beirut’s implementation of the Remediation
Plan action points in the annual internal audit cycle in order to provide
assurance the improvements were embedded in the processes and have
become a matter of course for the firm as required by the Authority by 1
June 2012.
(2)
Mr Allin then provided this assurance to be passed on to the Authority, on
26 June 2012, even though he had not yet conducted an internal audit of
the Remediation Plan action points and was aware that two of the
Remediation Plan action points had not yet been completed. Mr Allin failed
to inform the Authority about the two outstanding Remediation Plan action
points, which was information of which the Authority would reasonably
expect notice.
(3)
On 30 November 2012, Mr Allin provided the Authority with a completion
report in respect of the compliance monitoring plan which gave a
misleading
impression
regarding
the
progress
of
the
compliance
monitoring plan and also omitted information of which the Authority would
reasonably expect notice.
6.
SANCTION
6.1.
The Authority has considered the disciplinary and other options available to it and
has concluded that a financial penalty is the appropriate sanction in the
circumstances of this particular case.
6.2.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. For this period the Authority applies a five-step framework, as set out in
DEPP 6.5B, to determine the appropriate level of financial penalty imposed on
individuals in non-market abuse cases.
Step 1: disgorgement
6.3.
Pursuant to DEPP 6.5B.1G, at Step 1 the Authority seeks to deprive an individual
of the financial benefit derived directly from the breach where it is practicable to
quantify this.
6.4.
The Authority has not identified any financial benefit that Mr Allin derived directly
from the breach.
6.5.
Step 1 is therefore £0.
Step 2: the seriousness of the breach
6.6.
Pursuant to DEPP 6.5B.2G, at Step 2 the Authority determines a figure that
reflects the seriousness of the breach. That figure is based on a percentage of the
individual’s relevant income. The individual’s relevant income is the gross amount
of all benefits received by the individual from the employment in connection with
which the breach occurred.
6.7.
Mr Allin’s breach occurred between 1 June 2012 and 20 March 2013. As stated in
DEPP 6.5B.2G(2), where the period of a breach lasts less than 12 months, the
relevant income will be the amount earned by the individual in the 12 months
preceding the end of the breach. In this case, Mr Allin’s breaches ended on 20
March 2013, and therefore the relevant period for calculating Mr Allin’s income is
21 March 2012 to 20 March 2013. Mr Allin’s relevant income in this period was
£47,256.
6.8.
In deciding on the percentage of the relevant income that forms the basis of the
Step 2 figure, the Authority considers the seriousness of the breach and chooses
a percentage between 0% and 40%. The range is divided into five fixed levels
which represent, on a sliding scale, the seriousness of the breach; the more
serious the breach, the higher the level. For penalties imposed on individuals in
non-market abuse cases there are the following five levels:
Level 1 – 0%
Level 2 – 10%
Level 3 – 20%
Level 4 – 30%
Level 5 – 40%
6.9.
A non-exhaustive list of factors which are likely to be considered level 4 factors or
level 5 factors is set out at DEPP 6.5B.2G(12). In the circumstances of this case,
the Authority considers the following factor to be relevant:
(1)
The breach was committed recklessly: Mr Allin appreciated that there was
a risk that the assurance he provided on 26 June 2012 that all
Remediation Plan action points had been implemented consisted of a
failure to be open with the Authority and that it would not be aware of
relevant matters (which he initially included in his response). He also
appreciated that his decision to remove certain information from the 30
November 2012 completion report could result in the Authority not being
in receipt of full information. Mr Allin failed adequately to mitigate that
risk.
6.10. The Authority also considers that the following factors are relevant:
(1)
The scope for any potential financial crime to be facilitated, occasioned or
otherwise occur as a result of the breach: Mr Allin’s failure to provide the
Authority with accurate information regarding the status of the
Remediation Plan action points (despite being asked for specific
assurances) might have left the firm open to the risk that it be used to
further financial crime.
(2)
The nature of the breach: The Authority is particularly reliant on the
internal audit function in supporting a culture of effective controls and
governance at small sized firms that are not subject to frequent
supervision by the Authority. In particular, the Authority must be able to
rely upon assurances provided by Internal Auditors that actions have been
completed and risks mitigated or resolved.
(3)
The frequency of the breach: Mr Allin provided misleading information in
relation to the Remediation Plan to be submitted to the Authority on two
separate occasions during the Relevant Period.
(4)
The impact of the breach: Mr Allin made no gain from the breach.
6.11. Taking all these factors into account, the Authority has concluded the seriousness
of the breach to be Level 4. As such, the Step 2 figure is 30% of £47,256.
6.12. Step 2 is therefore £14,177.
Step 3: mitigating and aggravating factors
6.13. Pursuant to DEPP 6.5B.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
6.14. The Authority does not consider there are any relevant factors which aggravate or
mitigate the breach; therefore the Step 2 figure should not be changed.
6.15. Step 3 is therefore £14,177.
Step 4: adjustment for deterrence
6.16. Pursuant to DEPP 6.5B.4G, if the Authority considers the figure arrived at after
Step 3 is insufficient to deter the individual who committed the breach, or others,
from committing further or similar breaches, then the Authority may increase the
penalty.
6.17. The Authority considers that the Step 3 figure of £14,177 represents a sufficient
deterrent to Mr Allin and others, and so has not increased the penalty at Step 4.
Step 5: settlement discount
6.18. Pursuant to DEPP 6.5B.5G, if the Authority and the individual on whom a penalty
is to be imposed agree the amount of the financial penalty and other terms, DEPP
6.7 provides that the amount of the financial penalty which might otherwise have
been payable will be reduced to reflect the stage at which the Authority and the
individual reached agreement.
6.19. The Authority and Mr Allin reached agreement at Stage 1; therefore a 30%
discount applies to the Step 4 figure (of £14,177).
6.20. Step 5 is therefore £9,900 rounded down to the nearest £100.
6.21. The Authority therefore imposes a total financial penalty of £9,900 on Mr Allin for
breaching Statement of Principle 4.
7.
PROCEDURAL MATTERS
Decision maker
7.1.
The decision which gave rise to the obligation to give this Notice was made by the
Settlement Decision Makers.
7.2.
This Final Notice is given under, and in accordance with, section 390 of the Act.
Manner of and time for Payment
7.3.
The financial penalty must be paid in full by Mr Allin to the Authority by no later
than 18 March 2015, 14 days from the date of the Final Notice.
If the financial penalty is not paid
7.4.
If all or any of the financial penalty is outstanding on 19 March 2015, the
Authority may recover the outstanding amount as a debt owed by Mr Allin and
due to the Authority.
7.5.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this notice relates. Under those
provisions, the Authority must publish such information about the matter to which
this notice relates as the Authority considers appropriate. The information may
be published in such manner as the Authority considers appropriate. However,
the Authority may not publish information if such publication would, in the opinion
of the Authority, be unfair to you or prejudicial to the interests of consumers or
detrimental to the stability of the UK financial system.
7.6.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
7.7.
For more information concerning this matter generally, contact Allegra Bell (direct
line: 020 7066 8110) or Matthew Finn (direct line: 020 7066 1276) of the
Enforcement and Market Oversight Division of the Authority.
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1.
The Authority’s statutory objectives, set out in section 1B(3) of the Act, includes
the integrity objective.
1.2.
Section 1D of the Act is the integrity objective: “protecting and enhancing the
integrity of the UK financial system.”
1.3.
Section 66 of the Act provides that the Authority may take action against a
person if it appears to the Authority that he is guilty of misconduct and the
Authority is satisfied that it is appropriate in all the circumstances to take action
against him. A person is guilty of misconduct if, while an approved person, he
has failed to comply with a statement of principle issued under section 64 of the
Act, or has been knowingly concerned in a contravention by a relevant authorised
person of a relevant requirement imposed on that authorised person.
2.
RELEVANT REGULATORY PROVISIONS
Statements of Principle and Code of Practice for Approved Persons
2.1.
The Authority’s Statements of Principle and Code of Practice for Approved Persons
(“APER”) have been issued under section 64 of the Act.
2.2.
Statement of Principle 4 states:
An approved person must deal with the FCA, the PRA and other regulators in an
open and cooperative way and must disclose appropriately any information of
which the FCA or the PRA would reasonably expect notice.
2.3.
The Code of Practice for Approved Persons sets out descriptions of conduct which,
in the opinion of the Authority, do not comply with a Statement of Principle. It
also sets out factors which, in the Authority’s opinion, are to be taken into
account in determining whether an approved person’s conduct complies with a
Financial penalty
2.4.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a five-step framework to determine the appropriate level of financial
penalty. DEPP 6.5B sets out the details of the five-step framework that applies in
respect of financial penalties imposed on individuals in non-market abuse cases.