12 November 2015
R.Raphael & Sons plc has been fined £1.2m by the PRA for failures in relation to outsourcing of various aspects of its finance functions to other companies in the same group. The failures persisted for over seven years and (amongst other matters) enabled unauthorised transfers from Raphaels to another group company, to such an extent that Raphaels' compliance with its regulatory capital requirements were impacted.
Raphaels owns a large number of ATM's in the UK. In around September 2006, it entered into an informal and un-documented joint venture agreement with another company ("company C") in the same group. Under the agreement, company C (and another group company) were to provide various services for Raphaels including stocking ATM's, and Raphaels was to reimburse these companies accordingly. The agreement was not formalised in a written document until around 21 months after company C had started to provide services.
In addition to failing to embody the agreement in writing from the start, the PRA found that Raphaels had either conducted inadequate due diligence or no due diligence at all before allowing company C to perform services for it. Further, when the formal written agreement with company C had actually been entered into, it was inadequate in that it failed to provide for a division of responsibility between Raphaels and company C and failed to make provision to allow Raphaels to oversee the conduct of company C.
The PRA stated that, whilst a regulated Firm may out-source important functions, Principle 3 of the PRA's Principles for Business (organising affairs responsibly and effectively), and the systems and controls rules (in SYSC), require that it must also take the following steps:
- It must be mindful of its regulatory obligations and give regard to the impact of the outsourcing on those obligations;
- It must conduct suitable due diligence into the Firm being delegated to;
- It should properly document a clear division of responsibility and mechanisms for oversight.
The PRA found that Raphaels had failed to take these steps in breach of Principle 3 and the SYSC rules.
This would have been bad enough, but the PRA also determined that these oversight failures enabled employees of company C to access Raphaels' accounts and to make large unauthorised transfers to cover a deficit in company C cashflow. In 2014 alone, these transfers were over £9m. Whilst no loss was incurred (as the funds remained within the group and could be reimbursed), the PRA noted that the transfers impacted Raphaels' regulatory capital and that, if company C had become insolvent, the impact on Raphaels Bank would have been severe. Similarly, the unauthorised transfers meant that Raphaels Bank had been misreporting its capital position.
The PRA concluded that Raphaels had been in long-term breach of Principle 3 and SYSC (in relation to its delegation) and SUP and BIPRU (in relation to its capital position and reporting). Raphaels received a stage 1 discount for early settlement; otherwise its fine would have been £1,825,950.
You can read the Final Notice here.
The idea that Firms need to take care when delegating out important functions will be familiar to many readers and is clearly set out in the rules and in Principle 3. The fact that company C was in the same group as Raphaels (and no doubt this contributed to the casual approach to documenting the joint venture) had no impact on the PRA's findings (save for indirectly in relation to the ability of Raphaels to recover the money). In that sense this case represents an interesting variant to the £2.275m fine imposed on Zurich plc covered in Enforcement Watch 2 "Zurich fined for data loss in South Africa". In that case, Zurich plc outsourced data processing to Zurich South Africa that in turn outsourced to an unrelated third party company in South Africa. Zurich plc was fined because of its failure to monitor both Zurich South Africa and its onward outsourcing in South Africa. The message seems clear, Firms delegating within their group need to use the closer links as an opportunity to ensure proper monitoring, not as a reason to relax. That said, whilst not mentioned in the present case, SYSC 8.1.10R does allow Firms delegating to a group company to take into account at least to some extent the degree to which they can control or influence the actions of that company in ensuring proper compliance with the outsourcing requirements in the rules.