Executive Summary
2018 was a transitional year for FCA enforcement with relatively modest total fines of approximately £60 million across 18 actions. The most significant case was Tesco Bank's £16.4 million fine for failures in responding to a 2016 cyber attack that affected over 9,000 customers.
The year represented a strategic recalibration following the major FX and LIBOR enforcement programmes, with the FCA focusing on cultural change and proactive supervision rather than solely backward-looking punishment.
Regulatory Context
2018 saw MiFID II implementation consume significant industry and regulatory resource. The new transaction reporting requirements and best execution obligations required substantial systems investment, with the FCA prioritising implementation support over enforcement during the bedding-in period.
The Senior Managers and Certification Regime continued its staged rollout, with smaller deposit-takers brought into scope. The regime's effectiveness in driving individual accountability was beginning to be tested through enforcement investigations.
The FCA's Business Plan for 2018/19 emphasised 'transforming culture in financial services' - a recognition that compliance alone is insufficient without underlying behavioural change. This philosophical shift influenced both supervisory approach and enforcement prioritisation.
Key Enforcement Themes
- Cyber security emerges as an enforcement area
- MiFID II implementation prioritised over enforcement
- Cultural change emphasis in regulatory approach
- Consumer credit firm enforcement continues
- Individual accountability investigations progress
Professional Insight
The Tesco Bank case established important precedents for cyber security expectations. The FCA found that the bank failed to exercise due skill, care and diligence in protecting customers from foreseeable risks. Critically, vulnerabilities in the debit card system had been identified internally but not adequately addressed.
For technology and operational risk professionals, this case reinforced that known vulnerabilities create regulatory as well as operational risk. Boards must understand their firm's security posture and ensure adequate investment in remediation.
The relatively quiet enforcement year should not be misinterpreted as reduced regulatory intensity. The FCA was actively investigating cases that would emerge in subsequent years - including the major AML cases against HSBC and NatWest.
The MiFID II implementation experience demonstrated the FCA's capacity for pragmatic enforcement discretion. Firms making genuine efforts to comply received supervisory support rather than enforcement action, while those taking inadequate steps faced increased scrutiny.
Looking Ahead
2018 positioned the industry for accelerating enforcement in subsequent years. The FCA's transformation programme was beginning to deliver enhanced data capabilities that would inform more targeted supervision and enforcement.
The cyber security precedent set by Tesco Bank would prove increasingly relevant as digital banking expanded and threat landscapes evolved.