The financial sector saw a big increase in s166 reviews in 2023. The increase could be due to a renewed focus on day-to-day operations post-pandemic, and it’s interesting to note that the majority are for controls and risk management frameworks. Conduct and prudential issues – for banks, clearing houses and PRA-designated investment firms – are close behind, however.
Six common s166 triggers
Section 166 reviews can be daunting but it’s important to remember that they aren’t punitive. They aim to give the regulator a better understanding of your operations and your regulatory compliance in order to maintain quality standards across the financial sector. That said, s166s are expensive and resource-heavy. To reduce the potential for a costly review, it’s important to fully understand the key triggers:
1 Regulatory concerns
If there are concerns around a firm’s regulatory requirements, an s166 review will assess the situation and ensure businesses protect consumer interests.
2 Misconduct concerns
If there are any regulatory breaches, the regulators can investigate these further to identify the root cause.
3 Risk management
Poor risk management and internal control failures can trigger an s166 report to help regulators assess the efficiency of a firm’s risk management framework and governance structure.
4 Financial stability
Concerns around a firm’s financial reliability, risk exposures, solvency measures and overall liquidity may trigger a review to mitigate the risk and ensure the firm can function effectively under the circumstances.
5 Compliance with specific regulation
As regulation evolves and changes, firms must conduct annual audits and remain transparent with their data. If firms don’t comply, regulators may commission a report.
6 Market abuse
If regulators suspect market abuse or misconduct, they may trigger an s166 to confirm that there's no malpractice taking place.
Remaining compliant
While there are a range of areas that can prompt a regulator to commission an s166 report, it’s hard to tell where the exact trigger threshold lies. As such, you need to make sure your regulatory compliance processes are fit for purpose, with controls that are designed appropriately and operating effectively.
If you do find any issues, you need to address them promptly, before they can escalate. This includes good use of internal audit, risk assessments and effective oversight frameworks.
The board also has a key role to play, helping firms embed a risk management culture and actively support compliance processes across every department.
How to respond to an s166 review
If the regulators commission an s166 report for your business, what happens next?
Firstly, you’ll need a 'skilled person' to conduct the review and there are two options here. Either you can put forward your preferred choice for the regulator to approve (firm-appointed), or the regulator can appoint them directly. If the latter, the regulator will find the most suitable candidate based on a range of factors and required skill sets.
Once the skilled person is in place, you’ll need to engage with them constructively throughout the process. This means providing full access to documentation, information and personnel, to remain fully transparent, and promptly replying to any queries from the skilled person or the regulator. Where they identify any remedial action, you need to free up the resources to prioritise the work and address deficiencies. At this stage it’s essential to document your activities and maintain effective records for regulatory review.
One last thing to consider: when going into an s166 review, keep a positive outlook. An s166 review isn't a negative or a regulatory rebuke. Instead, try to think of it as a mechanism that can provide an organisation-specific benchmark for what good looks like in the long term, and something that can add value to your organisation.