![UT-2022-00097 - [2024] UKUT 00352 (TCC)](https://backend.juristeca.com/files/emisores/logo_ICfrj4g.png){kind=logo}
Step 2: The seriousness of the breach
Step 2: The seriousness of the breach
The Authority will determine a figure that reflects the seriousness of the breach. In many cases, the amount of revenue generated by a firm from a particular product line or business area is indicative of the harm or potential harm that its breach may cause, and in such cases the Authority will determine a figure which will be based on a percentage of the firm’s revenue from the relevant products or business areas.
In those cases where the Authority considers that revenue is an appropriate indicator of the harm or potential harm that a firm’s breach may cause (as it is common ground is the position in this case), the Authority will determine a figure which will be based on a percentage of the firm’s “relevant revenue”. “Relevant revenue” will be the revenue derived by the firm during the period of the breach from the products or business areas to which the breach relates.
Having determined the relevant revenue, the Authority will then decide on the percentage of that revenue which will form the basis of the penalty. In making this determination the Authority will consider the seriousness of the breach and choose a percentage between 0% and 20%. This range is divided into five fixed levels which represent, on a sliding scale, the seriousness of the breach. The more serious the breach, the higher the level. For penalties imposed on firms there are the following five levels:
level 1 - 0%;
level 2 - 5%;
level 3 - 10%;
level 4 - 15%; and
level 5 - 20%.
The Authority will assess the seriousness of a breach to determine which level is most appropriate to the case.
In deciding which level is most appropriate to a case involving a firm, the FCA will take into account various factors, which will usually fall into the following four categories:
factors relating to the impact of the breach;
factors relating to the nature of the breach;
factors tending to show whether the breach was deliberate; and
factors tending to show whether the breach was reckless.
Factors relating to the impact of a breach committed by a firm include:
the level of benefit gained or loss avoided, or intended to be gained or avoided, by the firm from the breach, either directly or indirectly;
the loss or risk of loss, as a whole, caused to consumers, investors or other market users in general;
the loss or risk of loss caused to individual consumers, investors or other market users;
whether the breach had an effect on particularly vulnerable people, whether intentionally or otherwise;
the inconvenience or distress caused to consumers; and
whether the breach had an adverse effect on markets and, if so, how serious that effect was. This may include having regard to whether the orderliness of, or confidence in, the markets in question has been damaged or put at risk.
Factors relating to the nature of a breach by a firm include:
the nature of the rules, requirements or provisions breached;
the frequency of the breach;
whether the breach revealed serious or systemic weaknesses in the firm’s procedures or in the management systems or internal controls relating to all or part of the firm’s business;
whether the firm’s senior management were aware of the breach;
the nature and extent of any financial crime facilitated, occasioned or otherwise attributable to the breach;
the scope for any potential financial crime to be facilitated, occasioned or otherwise occur as a result of the breach;
whether the firm failed to conduct its business with integrity; and
whether the firm, in committing the breach, took any steps to comply with the Authority’s rules, and the adequacy of those steps.
In following this approach factors which are likely to be considered ‘level 4 factors’ or ‘level 5 factors’ include:
the breach caused a significant loss or risk of loss to individual consumers, investors or other market users;
the breach revealed serious or systemic weaknesses in the firm’s procedures or in the management systems or internal controls relating to all or part of the firm’s business;
financial crime was facilitated, occasioned or otherwise attributable to the breach;
the breach created a significant risk that financial crime would be facilitated, occasioned or otherwise occur;
the firm failed to conduct its business with integrity; and
the breach was committed deliberately or recklessly.
Factors which are likely to be considered ‘level 1 factors’, ‘level 2 factors’ or ‘level 3 factors’ include:
little, or no, profits were made or losses avoided as a result of the breach, either directly or indirectly;
there was no or little loss or risk of loss to consumers, investors or other market users individually and in general;
there was no, or limited, actual or potential effect on the orderliness of, or confidence in, markets as a result of the breach;
there is no evidence that the breach indicates a widespread problem or weakness at the firm; and
the breach was committed negligently or inadvertently.
- Heading
- Introduction
- Applicable law and regulatory provisions
- Step 1: Disgorgement
- Step 2: The seriousness of the breach
- Step 3: Mitigating and aggravating factors
- Step 4: Adjustment for deterrence
- Step 5: Settlement Discount
- Evidence
- Findings of Fact
- Background
- The Solo Business
- Onboarding of the Solo Clients
- Client Categorisation
- Transaction monitoring
- Regulatory Failings
- Assessment of the financial penalty
- Step 1 – disgorgement
- Steps 2 to 5 - General
- Step 2 - The seriousness of the breach
- Step 3 - Mitigating and aggravating factors
- Step 4 - Adjustment for deterrence
- Step 5
- Conclusions