An s166 review is an integral element of the regulatory toolkit and helps the regulators assess compliance and good practice. The process can be daunting and expensive for businesses, however, so knowing what to expect can help you plan ahead and fully realise the benefits of the review.
The PRA and FCA have already commissioned more s166s this year compared to last. Why the sudden increase?
David: A few things. Coming out of the pandemic, regulators can take a step back from a crisis management scenario and return to business as usual. There’s an element of making up for lost time.
Regulators are also using s166s more broadly now, so their purpose is shifting slightly. Despite the stigma, they’ve never been a punitive measure, and there are no automatic fines or enforcement activity as result. They’re really just supervisory tools to help regulators get a better idea of what’s going on in a business, or to get clarity over a particular topic.
Can you give us some examples of how regulators are using them?
Kantilal: Generally, the regulator will do a review or a supervisory visit and want to do a deeper dive on a particular area. The goal will be one of four things:
The regulators can use those findings to understand any recurring issues across the sector, inform future regulation and feed into market feedback through Dear CEO letters or similar.
What topics are the regulators most interested in at the moment?
David: Controls and risk management is always a key one. This year the PRA has really stepped up its focus on risks for deposit takers, clearing houses and investment firms. The FCA has also been looking at conduct of business and financial crime measures. Over time that focus will shift, and will probably cover more topics like diversity and inclusion, ESG, consumer duty, and board governance and effectiveness.
With more banks getting s166s, can you tell us a little more about how they work in practice? What happens when one’s commissioned?
Kantilal: The regulators have a skilled person panel, made up of 12 subject categories called ‘lots’. They cover topics such as client assets and safeguarding, financial crime, or technology and information management. Within each lot, there’s a list of approved suppliers.
You’ll get a requirement notice which will tell you what the s166 is for. That’ll include its objective, the lot, scope, type of opinion, details of the report and the timeline. Then you need to appoint your skilled person to carry out the review, and there are two ways of doing this:
It’s up to the regulator to choose which option is best. If you run the tender process, you can put forward three firms for consideration – stating your top choice – and the regulator will choose one. You can name firms that aren’t on the panel, but the regulator will check them for suitability.
You mentioned the type of opinion needed; can you tell us a little more about that?
Kantilal: There are three levels of assurance and the regulator will tell you which one it needs. There’s ‘agreed upon procedures’, which is the lightest-touch version, with limited sampling of your processes. Then there’s ‘review and recommend’, which looks at systems and controls, sampling up to 10% of your process outputs. Finally, there’s ‘reasonable assurance’, which is more extensive and could look at anything from 25-40% of process outputs, specifically focusing on material items. This is looking at the completeness and accuracy of your data. With this level of assurance, the skilled person needs to give a positive or negative opinion over your current processes and practices.
So, once the skilled person’s appointed, how does it work in practice? Who does what?
David: To start with, you’re going to need a few meetings with all three parties: your regulator, your skilled person team and your own business. From here you can agree a detailed work plan, timelines and discuss the materiality of the area under review.
Then the skilled person and their team can start the fieldwork. This includes document reviews, process walk-throughs, interviews and sample testing. You should get regular status updates and news on material findings or impact assessments. The skilled person will be in contact with the regulator during this time.
Finally, there’s a draft report, which the skilled person will share with you and the regulator at the same time. Everyone can check it for accuracy before it’s finalised. It’ll include any conclusions, findings, red-amber-green (RAG) ratings, recommendations and action plans to address any material findings. Then there’s usually a close out meeting to set next steps and set remedial actions.
How can firms get the best out of an s166?
David: While s166s aren’t a punitive measure, you do have to cover the cost and they can be expensive. Try not to see it as a negative, and actively work with the skilled person and the regulator to make the most of it. You really need to cooperate and fully engage with both parties to fully realise the benefits.
Be open and honest with the skilled person – they aren’t there to catch you out, they’re there to help. If you have any known issues, tell them. As with any engagement, make sure you’re following the usual rules for best practice. Agree your scope, make sure everyone is aware of any limitations, and keep tabs on the cost and timeline to prevent the project from slipping.
What are the benefits?
Kantilal: It’s easy to forget that the regulators asked for an s166 because it was area of concern. So, in reality it’s probably an area where your firm was struggling. By the end of the review, you’ll have a better idea of regulatory expectations and wider industry benchmarks. You’ll have a plan of action for the next year to fix any issues, and a good case for further investment from senior management. During the s166 your team can also learn a lot from the skilled person, generally through informal training but it’s quite common to have formal training sessions too.
For more insight and guidance, contact Paul Garbutt, Kantilal Pithia or David Morrey.
