The South West region was pleased to welcome Steve Williams, Retail Firms Division Manager of FSA, and Kate Fleming and Philip Ryley of TLT, to talk about risk based supervision and dealing with an FSA ARROW style visit. We also express our thanks to TLT solicitors for hosting the event. We were also grateful to John Bourbon for attending his first event in the South West.

Steve began his presentation explaining how risk-based supervision assists FSA to meet its objectives by embedding the principles of good regulation and focuses on key risks using thematic and other regulatory tools. ARROW is about applying the risk assessment framework and consumer and industry wide themes towards a firm. ARROW stands for Advanced Risk Responsive Operating Framework and uses impact and probability to assess risk. The greater the impact and probability of risk the closer the relationship FSA will have with the firm. If a firm is low impact the FSA does not assess for probability mapping the firm directly to category ‘D’. These firms are assessed through baseline monitoring, thematic work and sampling.

The purpose is therefore to determine the intensity of relationship and drive risk mitigation in a firm. The FSA normally assesses a group as a whole though may assess major business units separately as necessary. The key stages include the business operating environment and the sector the firm operates in using a scoring system. A document on the FSA website provides further detail of the process.

FSA start by including issues they know about then carry out further investigation (discovery). Discovery usually involves a visit to follow up in any gaps in their knowledge. It is not just information gathering but about understanding and clarifying. FSA work out the issues they need to include and those that can be excluded from a risk assessment. There are nine risk groups, four are business risks and five are controls. Each issue is then scored against the risk elements in these groups.

FSA take the probability scores in aggregate to assess a firm and not issue by issue. The same risk elements can refer to different issues to arrive at a total score. Assessments are made at given regulatory periods up to 36 months apart with most of Retail Firms Division’s firms being placed in category B or C. Following an ARROW visit a risk mitigation programme is issued. FSA may not include every risk identified to be dealt with but will focus on the most important ones for the firm. Usually there are a maximum of eight or nine issues (more likely to be 4 or 5 issues) with target dates for improvement depending on the importance of the issue. FSA do not expect a response before the deadline and are not looking for progress reports unless specifically requested. A discussion with your supervisor may be helpful in clarifying and explaining what is expected.

There is an internal validation process to avoid individuals going over board on issues or being too lenient. The risk assessment and risk mitigation programme is addressed to the board and not individually or to the compliance team. It is important to gain ownership and openness in managing the risks identified.


Kate Fleming previously worked with the FSA enforcement team before joining TLT as a regulatory specialist. She began by explaining that ARROW is essentially a risk based audit. Many of the weaknesses identified often relate to weak compliance and audit especially a lack of resources and inadequate controls for outsourcing. It is worth firms thinking about current FSA themes when assessing the purpose of an FSA visit. For example the focus on financial promotions may lead to FSA looking at the processes behind approval and checking of financial promotions. It is worth carrying out an examination of your systems and procedures and whether they are being followed. The key documents that demonstrate processes are in place are therefore essential.

The logical starting point for key documents is the current business plan. This should be a living document and an FSA visit should be a good opportunity to review, update and compare it to peers. Risk analysis should include stress and scenario testing and FSA would expect plans to be in place to mitigate risks. Other key documents would include plans, intermediary contracts, and relationships with principals, outsourcing agreements and sufficient plans to manage risks. Other important documents include details of individual roles, staffing policies, organisation framework and how things work together with senior management responsibilities firmly identified. Remuneration is also a big plank in the current FSA TCF theme.

Board minutes are a good record of whether reporting lines are in place on a day-to-day basis and reveal details of reporting up to the board. However it is no good having the perfect compliance manual in place if it is just gathering dust. Business systems and BCP in particular, IT and other systems need to be kept going in the event of a complete disaster. Some documents will address key risks and some will reflect a broader culture. Cultural issues are likely to be in various documents and not just the compliance manual.

The practicalities need to be addressed including making sure the key personalities are available. Appoint a mini project manager to co-ordinate and act as a point of focus for the FSA. Provide FSA with adequate facilities (but don’t record them!). Make sure notes are taken of interviews especially action points and keep a note of issues as they crop up. Obtain early feedback whilst the team is still there as ongoing contact can help dealing with issues, as you cannot rectify an issue unless you know about it. Focus on the outcome and not the individual action points. Do not just tick off individual points but remember what it is they are seeking to achieve and be open and honest.

Dealing with FSA is a collective effort as well as a collective understanding of personal obligations and wider themes. Senior management bear the responsibility and FSA are less tolerant of poorly managed firms. To quote FSA are looking for ‘soundly managed and well capitalised firms that treat their customers fairly’.

Questions followed including an incident where FSA were apparently reluctant to allow compliance staff to accompany someone at an interview. Stephen Williams suggested that the client should ask why and if there is a reason the FSA should be able to tell you. ARROW 2 was also raised: this will reflect the business operating environment and the risk map for firms, which fits in better with FSA structure including sector leaders. The system is quite complex and FSA are ironing out some of the IT issues. Make sure you get constant feedback from your team. Mini - ARROW visits have been muted? This is a trial process to fine tune issues looking at a narrower range of issues across a sector.

We then worked through a TLT case study. Preparation is key to success and FSA want to see how firms put their information packs together. Essentially they are looking for information on how the executive runs the business. They are not looking for huge appendices and if information is left out make sure you tell FSA what it is and why it has been left out. Tell FSA what you are giving them and why.

Suggesting board minutes cannot be provided because of price sensitive information is not acceptable. FSA are used to handling this kind of information all the time and as Kate also pointed out FSA contracts are very strict on what staff can do with the information once they leave FSA and whilst they are still working there. If information is price sensitive then tell the FSA.

Make sure the information you provide is correct and up to date. Read it and go through it before you send it off. Make sure you also understand and explain it to each other whether the information is put together by the CEO or delegated.

Directors need to understand FSA speak and a pack for the board would be useful. Job descriptions are often notoriously out of date so make sure you look at them and do a reality check. With interviews there may be problems with the knowledge that can be easily rectified. In some cases it may be to do with interview technique where being over confident, could be as bad as a lack of confidence. Training and mock interviews can be very useful in identifying these problems and rectifying them before FSA arrive.

Stephen suggested firms should be active listeners. Concentrate on what is being said, as its quite important and you should listen and think about it. Do not just gloss over it. On past occasions he has criticised a firm only to receive the response ‘OK, not bad then’. Clearly this kind of response demonstrates the client is not listening and this does not help.

Make sure you check what the issues are. What should be done, by when and by whom and check it for accuracy. Start work on it straight away rather than await the formal written feedback as FSA expect you to just get on and do it. Talk it through with your supervisor if you need clarification and only provide a progress report if requested. The worst thing is to write back and say the report is completely wrong because for example FSA should have looked at the ‘blue file’. FSA should be given the relevant information at the time of the visit and not afterwards.

ARROW II should be much easier to manage. Remember FSA are not out to ambush a firm and firms switched on to risk based issues should know what to expect.

John Bourbon gave a final address and expressed his thanks to the South West Committee and TLT for their efforts. Overall a successful event much appreciated from the feedback provided. We aim to have another South West event in Cardiff on Financial Promotions at the end of September – further details to follow.

Anthony Smith