Legal development

Criminal background checks for controllers: FCA Quarterly Consultation (CP24/11)

16 July 2024

Share Share
Insight Hero Image
Share

    On 9 July 2024, the FCA published its 44th Quarterly Consultation Paper (CP24/11). This contains a number of proposals affecting firms, the most significant being the proposed introduction of criminal background checks on owners and controllers at the authorisation’s gateway. This is to apply to those making an application for authorisation or registration with the FCA and for a notice of an intended acquisition or increase in control.

    It is important for those who may acquire or set up financial services businesses to understand these obligations as these may have an impact on transaction timetables. If you are thinking about establishing or increasing control in a financial services business you will need to be prepared to comply with this obligation at an early stage (before exchange has occurred) given the timeframes involved.

    Under the proposals, applicants or notice givers will be asked to confirm to the FCA that a DBS check for controllers has been undertaken within the last 6 months when submitting the relevant application or CIC notification (the FCA may also ask for a copy of the DBS certificate when deemed necessary). Where an authorised or registered firm is not involved in an application, the FCA is proposing that a basic DBS check is requested by the individual. For those applying with an authorised or registered firm (or where firms are seeking authorisation or registration) then a standard DBS check will be required.

    What is a DBS check?

    A DBS check is a criminal background check based on information held on the Police National Computer. There are different levels of check available, although the most detailed (enhanced) is generally only used for those working with vulnerable individuals (such as children) DBS checks are used by employers in the financial sector as part of an assessment of a person's suitability for a role such as a senior manager in a regulated firm. Basic checks show any unspent convictions and details of cautions (or the lack of any such records). A standard DBS check will contain details of both spent and unspent convictions, cautions, reprimands, and warnings.

    There are equivalent checks available in most other jurisdictions, which show similar data on criminal records.

    It is likely that applicants would be required to disclose this information to the FCA anyway, given the questions on the FCA forms. This is therefore a mechanism for verifying that information, rather than a new restriction on who can and cannot be a controller.

    Who will be required to get a DBS check?

    The proposals will apply to the following persons:

    • potential controllers submitting a CIC notice under Part XII of FSMA;
    • controllers of firms applying to become authorised persons under FSMA (new firm authorisations (both MiFID and non-MiFID);
    • individuals with a qualifying holding in a payment institution or e-money institution;
    • beneficial owners of Annex 1 financial institutions and cryptoasset businesses registered under regulation 54(1A) of the MLRs;
    • persons submitting a CIC notice in accordance with the MLRs, PSRs and the EMRs; and
    • controllers submitting an application or notification made to the PRA where the FCA is required to provide its consent or consultation (excluding appointed representatives).

    The FCA's proposals will not apply to controllers of any authorised representatives under FSMA or agents under the PSRs and EMRs and will not replace any existing processes for Senior Management Functions’ holders who may also propose to be a controller within these areas.

    The requirement is expected to apply for all new applications or notifications submitted from January 2025 onwards. The FCA confirms that from January 2025, a new DBS check will not be required where an individual has submitted an application/notification within the preceding 6 months and a DBS check was carried out. The FCA would not expect a DBS check for a VoP process in respect of firms already authorised/ registered. Firms would, however, be expected to continue to ensure the fitness of its controllers and owners.

    The FCA is acting on an FATF recommendation aimed at preventing criminals and their associates owning or controlling financial institutions, and it considers that the plans would not be unduly burdensome for firms and controllers or inhibit applications for authorisation, registration or the approval of a CIC notice. It considers that its proposals are consistent with the requirement for criminal records checks to be carried out as part of approved persons' applications under the SMCR.

    In the consultation paper, the FCA does not appear to distinguish between natural person controllers and other controllers such as corporations and partnerships. Only natural persons can obtain a DBS.

    The proposed amendments are set out in draft instruments in the appendices to CP24/11. The deadline for comments is 12 August 2024.

    Does this change who can be a controller?

    In short, no. Most of the information that will be disclosed on a DBS check is required to be self-disclosed to the FCA today. This appears to be a way of independently verifying those disclosures. Convictions that appear on the DBS do not prevent a person from being a controller.

    What happens if a controller is overseas?

    An equivalent check will be required to be undertaken, noting that most jurisdictions have similar regimes for running criminal record checks.

    The FCA notes that a DBS equivalent may not be able to be obtained where there are "jurisdictional limitations". In these circumstances, the FCA plans to carry out a risk-based assessment.

    Implications for transactions

    This new obligation may be problematic on transaction timelines without adequate preparation. It can take up to 14 days to receive a DBS check, but it can take longer depending on service demands. Typically on transactions on exchange the buyer has 5 days to file a change in control application with the FCA. This means DBS checks will need to be applied for weeks (and preferably months) before exchange occurs or a longer period is negotiated to complete the FCA applications after exchange (which will also delay completion).

    For those based outside of the UK, an equivalent to the DBS check needs to be done in the jurisdiction the controller is in. Those checks can take significantly longer.

    We hope that the FCA will be pragmatic in these circumstances, in particular where there is a short timeframe for a change in control. However, buyers may want to consider negotiating terms into SPAs if, through no fault of their own, DBS checks do not come back in a timely fashion and FCA applications are delayed.

    Private equity firms and other entities that are often acquiring financial services businesses may want to periodically refresh their DBS checks.

    For new authorisations, which take months, there will be a small additional cost but given the long lead time of obtaining authorisation this will have less impact.

    Privacy and employment law implications data / privacy / employment considerations

    Given the relatively detailed controller forms that require disclosure of various criminal convictions, it is likely that much of the information on the DBS check would be the same as a controller would need disclose on the forms today. Where there is a disclosure that needs to be made, those coordinating and submitting the application will need to continue to take care that information is not shared with more people than is strictly necessary and that adequate security measures are taken to protect the underlying data.

    It is often the case that multiple controllers (across different corporate groups) are making joint submissions where the natural persons are either employees or just shareholders. Where there are disclosures being made, these will need to continue be treated cautiously and careful consideration given to who has access to the information, who it is discussed with and where any data is sent to/from (as with any data sharing situation). As criminal convictions can (but not necessarily do) reduce the likelihood of a successful application to the FCA it may need to be discussed internally and externally with compliance, HR, legal and outside counsel as well as relevant individuals on deal teams and persons who decide whether to pursue the transaction. However no presumptions should be made and data privacy obligations should be a key consideration, noting the extreme sensitivity (and also legal obligations) which attach to criminal records data.

    It is possible that the DBS may disclose information that the employer was previously unaware of. Whether the disclosure impacts the employment relationship will depend greatly on the nature of the criminal conduct, it's relevance to the employee's ability to carry out their role (taking account of any regulatory requirements) and whether the employee has in any way misled their employer. The simple existence of a conviction or caution will not necessarily warrant disciplinary action (such as termination).

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts