Who Do You Trust?
Firms must consider whether they need to do credit and criminal records checks on all staff as a matter of routine.
You’d like to think that you can trust your employees. After all, not only have they been through a rigorous due diligence process at appointment, they’ve also been under your watchful eye since the day they joined the firm.
The rules are reasonably clear. You’re required to do a DBS criminal records check on senior managers when they are appointed. SYSC 23.4.2 is clear on that point. There’s no rule requirement to repeat this check at any point in the future. This is explicitly stated in SUP 10C.10.23A – “[the rule] does not require a firm to carry out a criminal records check for the purposes of its annual assessment of the fitness and propriety of its SMF manager…”. And whilst there’s no explicit rule requirement to do a credit check on anyone, it is largely implicit in the FIT 2.3 requirement that the firm determine a person’s “financial soundness”.
Of course, if at any point in your relationship with an employee you have concerns that all might not be what it seems, you’re perfectly within your rights to ask them for an updated DBS or credit check – or to get one yourself. Just to be sure.
But that’s not what’s happening. We’re finding an increasing number of firms who are now carrying out both of these checks on a routine basis after appointment, both for senior management and for certification staff. Typical cycles seem to be annually for senior managers and every two to three years for everybody else.
Our initial reaction to this trend was one of dismay. How can a protocol originally designed as a child protection measure now come to be used as a standard tool of routine staff management? Isn’t it only bad managers who would need an external agency like DBS to tell them what any good manager should already know about their team? Doesn’t this run directly counter to FCA’s desire that we create trusting organisations, where the employee trusts the firm not to victimise them if they speak up? If the employee is entitled to that trust, isn’t the firm entitled to trust the employee in return?
Sadly, that doesn’t seem to be the case. We’ve heard a number of horror stories of firms who only found out bad stuff about an employee when they read it in the newspaper. And of long-standing employees who just went off the rails. The precautionary advice is “bad things happen to good people”.
All of that said, this may still seem a step too far for the smaller firm where, say, everybody works in the same room, or where there is no client money or access to bank accounts. But even if that is the case, it’s as well to come to a positive conclusion as to why you’re not doing this.
Our recommendation to all clients is that this should be discussed at Board level and a positive conclusion reached, based on the risks faced by the firm.
Covid-19 – what’s your plan?
You’ve probably already thought about this, but if not, now’s the time. FCA will expect you to be sufficiently resilient to continue to deliver a service to your clients.
During this difficult period, Fulcrum Compliance will be checking in with retained clients to make sure that planned meetings are still appropriate. When this isn’t the case, we’ll be making maximum use of video conferencing and scanned documents.
Beware FCA scams – a virus of a different sort
People will try to profit from a crisis. Whilst your eyes are elsewhere, take extra care with e-mails seeming to come from FCA. A client recently received a spam e-mail which purported to be from the FCA, with an attachment that contained a potentially harmful virus.
The e-mail is reasonably well drafted, may be addressed to you and refer to your firm. You may even be expecting an e-mail from them. I understand that the individual from whom the e-mail purports to be does actually work at the FCA. However, the e-mail designation being used, @report-fca.orf.uk, is not a valid FCA e-mail address.
If you receive this e-mail, or another like it, or one requesting unusual information, such as “…The letter needs to be certified. It would be great if you could provide a response before the end of today…”, then please DO NOT open the attachment. For more details on what to do, see FCA’s web page.