Given the Financial Conduct Authority (FCA)’s recent decision to impose a sanction on an audit firm for failing to comply with reporting obligations, ICAEW is reminding auditors of regulated financial institutions (e.g. banks, financial services, insurance companies) that they have a statutory duty under the Financial Services and Markets Act 2000 (FSMA 2000).
In addition to the statutory duty laid out in FSMA 2000, there are further standards and regulations which require audit firms to report to the relevant regulator, i.e. the FCA and the Prudential Regulation Authority (PRA). International Standard on Auditing (UK) 250 (ISA (UK) 250) Section B outlines the auditor’s statutory duty to report to the regulators of public interest entities and other entities within the financial sector, and specifically covers FSMA 2000. The Audit Regulations, namely sections 3.08 and 3.10, require auditors to comply with both the Auditing Standards and the Companies Act 2006, as well as any other relevant legislation.
Financial Services and Markets Act 2000
The FSMA 2000 created the regulatory framework for financial services and the financial markets in the UK, which included the creation of the FCA.
The act contains the framework under which permissions are granted to allow persons or entities to carry out regulated activities, with these persons or entities being defined as “authorised persons”. Sections 342-343 of the act include a statutory duty for an auditor of an authorised person, or a person with close links to an authorised person, to communicate information that may be important to the regulator. A person with close links to an authorised person may be a parent company or subsidiary of the authorised person.
Caroline Turnbull-Hall, ICAEW Senior Advisor, Regulatory Policy, says: “I’d urge firms to remember that the duty to report is a continuing one and applies even after the end of an auditor’s appointment.”
When should you report?
The circumstances in which an auditor must communicate with the regulator are set out in the Financial Services and Markets Act 2000 (Communication by Auditors) Regulations 2001 (SI 2001/2587) (the Regulations).
Regulation 2 defines the circumstances in which there is an obligation on the auditor (or a previous auditor) to communicate to the financial regulator any information which they have become aware of in their capacity as an auditor, i.e. where they reasonably believe that:
- there is or has been (or may be or may have been) a contravention of any relevant requirement that applies to the person concerned; and
- that contravention may be of material significance to the regulator in determining whether the authorised person satisfies and continues to satisfy the conditions in Schedule 6 FSMA 2000 (the threshold conditions); or
- the authorised person is not or may not be or may cease to be a going concern; or
- the auditor is precluded from stating in the report on the annual accounts (or other financial reports required by statute) that they conform to the applicable legislation.
Regulation 1 defines a relevant requirement as:
- one that is imposed by FSMA 2000;
- one that relates to recognised investment exchanges; or
- a requirement which, if breached, can be prosecuted by the FCA, PRA or Bank of England.
What must auditors do?
Auditors, or former auditors, of authorised persons should be aware that if they have any information obtained as a result of their role or former role as auditor, which they reasonably believe may indicate that there has been a breach of a relevant requirement or that any of the circumstances in Regulation 2 are present, they must report their concerns to the FCA or the PRA.
Turnbull-Hall adds: “It is worth noting that although the auditor must have a reasonable belief that there might be a contravention of the requirements, there is no need for the auditor to prove this. As long as the auditor is acting in good faith and believes that the information they have is of relevance to the regulator, any communication with the regulator will not breach any confidentiality on the auditor.”
The ICAEW Code of Ethics supports the provision that disclosure to the regulator would not breach confidentiality requirements, stating that a professional accountant “should not disclose any such information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose”.
Failure to communicate with the financial regulator may result in a penalty from the financial regulator, as well as regulatory action from either the Financial Reporting Council (FRC) or ICAEW for a breach of the Audit Regulations and a breach of the ISAs, as both regulators have the authority to bring enforcement action against a firm in circumstances where there is a statutory audit of a regulated financial institution.