Why Are Finance Companies Issued Section 166 Notices? The FNZ Case File

On the 10th December 2024, my daily CityWire news dropped in my inbox with the headline; “Revealed: FCA restriction blocks FNZ from taking on new clients”. This got me thinking because within last 12 months before hearing this news, I had met at least six former employees of FNZ who had left the company and went to work for a client I was working with at the time.

I had not come across the company before that and was not too surprised at the headline because when you have people leaving your business in droves to go work for a competitor, it’s a sign of a fundamental control flaw. Just to be clear, I’ve never had any business with FNZ or had any relationship with them, so my analysis in this article is an objective one highlighting some of the reasons that leads to regulatory sanctions. Let’s dive a little deeper.

When the Financial Conduct Authority’s (FCA) sanctions a financial services provider, it would have received or know of several deficiencies in the firm and sees the firms operations becoming a threat to financial stability of its customers, the financial market and the organisation itself.

Fundamentally, it’s an indication of significant or critical flaws in the organisation’s risk and control environment. Often, in most financial services organisation, risk is practiced as simply a ‘paint brushing’ over a list of potential problems or common threats (risk) applicable to the sector as opposed to what is applicable to the organisation itself. Over a period of time, the paint washes off and the real issues become more difficult to manage potentially leading to the regulator intervening. The first signs of a looming S166.

What is a Section 166 Notice?

If you don’t have a banking and finance background, you are probably wondering what a Section 166 is. A Section 166 Notice (or Skilled Person Reviews) is a notice given to a financial services provider such as Banks, Wealth Management firms, Asset Management firms or any financial regulated entity to scrutinise their operation or you could say perform a detailed threat assessment of the firm and in some cases restrict the trading of the firm until the issues are resolved. As you can tell, this can be a double edge sword in the sense that it can further damage the reputation of the firm or could be an opportunity to repair the fundamental flaws that led to the S166 being issued.

What Events Lead to a Section 166?

Let’s examine a few reasons:

1. Multiple Ongoing Issues: Ongoing Issues like inaccurate reporting, incessant customer complaints due to breaches, market surveillance irregularities, whistleblowing and a not so friendly looking risk register, signalling potential problems to the regulator.
2. Initial Engagement and Informal Warning Issued: The early warning indicators mentioned in the concern above leads the FCA to raise concerns during reviews or supervisory visits where they request further information and dig deeper into the ongoing issues. This is a hairy time for companies going through this and you can feel the uneasiness in the air even if you are not directly involved.
3. Increased Supervision: Increased scrutiny by the regulator when they send their agents to your site or through activities holding you accountable, and there is the famed “Dear CEO” letters. Finance company CEOs and Chief Risk officers know what I’m referring to.
4. Breach of Regulatory Standards: Firms breach of key regulatory requirements, such as financial adequacy, extensive CASS failures, poor AML controls, or customer protection, signalling deeper systemic issues.
5. Formal Supervisory Action: Formal interventions, including firm-specific “Dear CEO” letters and mandatory remediation plans, escalate when control failures persist, or corrective measures prove inadequate.
6. Warning of Serious Deficiencies: Persistent failures or new concerns indicate systemic risks or harm to customers and markets, demanding urgent corrective action.
7. Pulling the Section 166 Trigger: The FCA invokes Section 166 to assess deficiencies, obtain independent verification, recommend remediation, and address potential systemic threats.

As you can see, it’s a series of events and warning shots are fired by the regulator before issuing the S166. What then happens when a section 166 is issued? Read on.

What happens when a Section 166 is issued to a firm?

A few things happen when a Section 166 Notice (Skilled Person Review) is issued by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) I should add. Here is a step-by-step list of events that happens and should happen:

1. Notification of the Section 166: The FCA/PRA informs the firm in writing that a Section 166 Notice has been issued in a letter outlining the specific areas of concern (risk management, compliance and other breaches).

2. Appointment of the Skilled Person (external auditor): The firm, in consultation with the regulator, appoints a skilled person from an approved list, or the regulator may directly appoint one to conduct a review or detailed audit of the organisation. Typically, an auditor like Deloitte, KPMG or Mazars.

3. Conduct Review: The skilled person or external auditor carries out an independent and in-depth review of the specified areas outlined in the S166 examining where the control failures are. Having worked alongside some of these auditors in the past, it’s quite a detailed process as you can imagine even more so when it’s a S166.

4. Reporting of Findings: The skilled person or external auditor then prepares a detailed report outlining their findings which will include:

   • deficiencies found and areas of non-compliance,
   • highlight threats to customers, markets, or the firm itself,
   • provide recommendations for remediation and timelines for making the corrections,
   • the report is then shared with the regulator and the firm.

5. Regulator follow-up: Based on the findings by the Skilled Person (auditor, always a firm not a singular person), the regulator decides on the next steps, which could include: mandating a remediation plan resolve the identified problems, imposing restrictions on operations therefore limiting or suspending certain activities (e.g., taking on new clients as was reportedly the case with FNZ), which is normally done to ‘stop the bleeding’. They may also issue a financial penalty if breaches are severe and order compensations to make good on the detriment to the customers impacted (this is referred to as Risk to Customer in ICARA terms).

With all this going on, the firm is now on the regulators watchlist with ongoing monitoring until they are satisfied the firm is operating efficiently with a more effective risk and control environment.

The Root of all ‘Financial Evil’ is Risk – The Continued Failure of Risk Management to be precise

I’m not a soothsayer neither do I have supernatural powers but one power I have is the common sense to guarantee that the failure to operate risk correctly is what leads to avoidable problems. The continued failure of proper risk operations continues to deprive firms like FNZ of resilient growth affecting its purpose viability.

MosgGovernance, insufficient oversight, inadequate risk frameworks, operational risk management; these are just word salads, unless you understand your core purpose as a business and know that your organisation is the risk and how you direct and run the organisation determines the outcome you get.

Lessons from the FNZ Case

One thing I will give FNZ credit for is that it has a clearly defined purpose ‘Opening Up Wealth Together’. Somewhere along the line, they may have taken their eyes of the ball to that purpose. Was it aggressive sales tactics by financial advisers? Who knows? It’s either that or it does not understand how to fire all the cylinders of risk that would propel them to really ‘open up’ wealth for its clients, the economy and itself is my view.

As I often say, “Risk is powerful force for success”. To unearth the success risk offers, organisations need to stop expecting success if following the same old outdated risk approaches. Chief Risk Officers must think and act outside the box to be influential ‘actors’ of resilient growth and not just figure head with little or no clout. It’s 2025 and I hate to ask this rhetorical question, which significant bank or financial service company will fail this year? It’s almost a given, with the state of risk.

Ready to Take Risk to the Next Level?

If you’re tired of the same old approaches to risk and want to build a resilient risk organisation that truly drives results, let’s talk. My team specialises in Corporate Risk Restructures that help organisations 2x, 7x, or even 10x their operational efficiency and performance.

Check out the services section or reach out directly to me.

Look out for new insights every Wednesday.

Take Risk. Achieve Purpose!

Your Risk Champ,

Chizubel Beluchi