How to navigate a skilled person review

Current trends and practical guidance to navigating a skilled person review.

Overview: Section 166 powers

The FCA and PRA have the power to require an authorized person (or any member of the authorized person’s group or partnership of which the authorized person is a member) to appoint a “skilled person” to provide the regulator with a report or to “collect or update information”. They can also directly appoint a skilled person (as opposed to requiring the firm to appoint one).

These powers may be used where the FCA or PRA has concerns regarding a firm’s risk framework and/or the effectiveness of its systems and controls and considers it is appropriate to obtain expert analysis and recommendations for areas of improvement and/or remediation.

The section 166 tool may be used by the regulators to achieve a variety of objectives, including for diagnostic purposes, to identify and assess certain risks, to review a firm’s systems and controls in light of certain risks that have been identified, or to prevent or reduce those risks from crystallizing by obtaining recommendations for improvements or enhancements to a firm’s systems and controls. Skilled persons may also be appointed to develop and oversee remedial action where risks have already crystallised (for example such as the design and monitoring of a customer redress exercise).

Current trends

At a time where the regulatory narrative is increasingly around implementing more assertive, proactive supervision and intervention, it is not surprising that we have seen an increase in the use of section 166 powers by the FCA: in the year 2022-2023, the FCA used the section 166 power in 44 cases (up from 38 in 2021-2022) with the vast majority relating to the retail investments sector.

With regards to the PRA, six skilled person reviews were commissioned in Q2 2023/24 (the quarter ending August 31, 2023), with the majority in “Governance, accountability, strategy, and culture”, and “Controls and risk management frameworks”. This was up from five reviews in Q1 2023/24 (the quarter ending on May 31, 2023). Interestingly, in Q1 2023/24 there were no reviews relating to accountability or culture, with the majority of the reviews relating to “Controls and risk management frameworks” (three in total).

Key points when managing reviews

The response to, and the management of, a skilled person review can be challenging, costly and time-consuming for firms, so in this briefing note we aim to set out some key points for firms to consider when dealing with a skilled person review requirement imposed by the FCA or PRA, from the initial stages of negotiating the scope of the requirement, managing the skilled person and regulator during the review, and then through to the closure of the review.

Early engagement, scoping and planning

  • Early engagement: Responding promptly to the section 166 requirement notice and making sure the firm has properly understood the crux of the FCA or PRA’s concerns and rationale behind its decision to appoint a skilled person (or to require the firm to appoint a skilled person) is critical to establishing a productive relationship with the regulator from the outset. The regulator will generally provide a draft notice in the first instance and, as referenced further below, this gives the firm a valuable opportunity to consider the issues and communicate with the regulator including to deal with any misunderstandings and to set the tone for the firm’s approach to the review. The timeline for the review will also need to be considered and there is balance between a natural impetus to ensure the process is concluded swiftly and allowing sufficient time for the firm to respond including through conducting any immediate remedial activity and providing comments on the draft report.
  • What is the ultimate outcome for the regulator? It is easy (and understandable) to become embroiled in the day-to-day management of responding to the review, but it is important to keep the end goal in sight, which is usually that the firm is able to demonstrate to the regulator that the regulator’s concerns have been addressed and any necessary improvements have been made. On receipt of the section 166 notice, consider: will the way the notice is drafted achieve the regulator’s objective or should amendments be made to the scope and/or timeframe? Are there any fundamental issues with the scope of the review that should be discussed with the regulator?
  • Skilled person selection and contract: If the firm is responsible for appointing and contracting with the skilled person (as opposed to the regulator directly contracting with the skilled person), the process of short-listing and selecting the skilled person should be approached carefully and with a number of key criteria in mind. It is usually necessary to balance a number of factors and significant senior management time may be required before a selection is made. Consider also appointing internal or external legal counsel to review the contract to ensure the relevant regulatory requirements and legal provisions appropriately reflect the requirements of the section 166 requirement notice.
  • Internal governance: Consider implementation of a “working group” to manage the skilled person process and any correspondence with the regulator. A clearly defined working group comprising of specific individuals not only demonstrates good governance and oversight in relation to the review, but can assist with asserting privilege over communications between external or internal counsel and members of the working group for the purpose of seeking or giving legal advice in connection with the review (and protecting this material from disclosure to a regulator or third party). Consideration can also be given by the working group to how to manage aspects of the review such as responding to future information requests, including beginning to collate potentially relevant materials.
  • Preparation for the review: In parallel with any scoping and selection activity, firms should take the opportunity to assess whether they can take any immediate steps to resolve the regulators’ stated concerns. Depending on the nature of the concerns raised by the regulator and time available, this may include limited remediation activities, scoping out/conducting an initial review of the documents that are likely to be requested by the skilled person and thinking ahead to preparation for any meetings and interviews with the skilled person. This can provide firms with the opportunity to start the review with their best foot forward and provide the regulators with the most accurate representation of the firm’s business.

During the review

  • Document and data review: Most skilled person reviews will involve a substantial document review which will often comprise a broad range of data, including emails, messaging platforms such as Teams or WhatsApp, and might also involve imaging of employees’ devices. Firms should consider seeking legal advice where relevant material may be held on personal devices or be encrypted and ensure compliance with any relevant data protection laws when processing personal data. Advice on legal privilege and the extent to which material may be protected from disclosure may also be needed. A document review platform can be beneficial in providing tools to easily search, sift and scrutinise potentially relevant material.
  • Interviews: The section 166 requirement notice might anticipate interviews with members of key personnel including senior management. It is important to bear in mind that the skilled person ultimately reports to the regulator and interviewees should be mindful of this and prepare accordingly, for instance by reviewing relevant materials and reminding themselves of key information. Consideration should also be given to seeking legal advice and holding preparation sessions in advance of meetings with skilled persons. Some meetings with the skilled person may not be billed as formal interviews but all interactions with the skilled person can feed into the report to the regulator and so should be approached accordingly (and as with any meeting with the regulator itself).
  • Monitoring emerging issues: As the review progresses, issues may arise which can be addressed quickly and without the need to wait until the conclusion of the review. Firms should take proactive steps throughout the review to identify these issues and rectify them accordingly or feed them into any remediation plan.
  • Record keeping: Key steps and decisions taken throughout the review (including any changes to the scope of the requirement notice at the outset) should be properly documented; this will assist in responding to regulatory queries or information requests at a later stage regarding the rationale for a certain decision at a particular stage of the review. A clear audit trail of the steps taken by the firm and its senior management during the review will assist in demonstrating to the FCA or PRA that there was appropriate governance in place, that it was adhered to throughout the review, and that any recommendations made by the skilled person were appropriately implemented.
  • Updating the regulator: Ensure regular updates are provided to the regulator throughout the review (whether or not this is a formal requirement set out in the requirement notice), including in relation to progress on implementation of any recommendations arising from the skilled person report or subsequent remediation exercise.

On conclusion of the review

  • Notification obligations: In light of the findings of the skilled person following completion of the review, firms should consider if they have an obligation to immediately notify regulators and/or insurers and/or law enforcement (if there is sufficient suspicion to give rise to the requirement to report a SAR for example). However, the firm’s reporting obligations should be monitored throughout the review to ensure that any issues arising which may have a serious regulatory impact on the firm are notified to the regulator immediately after the firm becomes aware. This consideration should extend to other jurisdictions relevant to the firm as regulators there may require notification.
  • Skilled person report: Ensure there is the opportunity for senior management to review and comment on the draft report, with advice from internal or external legal counsel, before it is finalised and submitted to the regulator in accordance with the agreed timeline.
  • Implementation of recommendations: Even before the report has been delivered to the regulator, the firm should be considering the next stage in the process which may include ensuring proper implementation of any improvements/enhancements recommended by the skilled person, including taking a proactive remediation approach (where appropriate or recommended to do so). Failure to manage effectively this phase carries a high risk of further consequences including subsequent skilled person reviews, regulatory intervention and potential enforcement action.

Katie Stephen, is co-head of the Contentious Financial Services Group; Rebecca Dulieu and Joe Bamford are financial services lawyers based in London Norton Rose Fulbright.