07 May What public statements really tell us about individual accountability in GFSC enforcement
Insight, but not the whole picture
Public statements can be very useful on individual accountability. They can also be easy to over-read.
That is because they are one of the few public sources that show how a regulator attributes responsibility in practice. They show what the regulator was prepared to criticise publicly, how it framed the failings, which roles it treated as significant, and what kinds of conduct attracted financial penalties, prohibition orders or other public sanction. For boards, senior managers, control-function holders and their advisers, that makes them worth reading closely.
The difficulty is that they are often treated too simplistically. A published enforcement outcome can look like a complete account of who was blamed, how seriously, and why. In practice, it rarely is. Public statements show the cases the regulator has chosen, or is able, to put into the public domain at a particular point in time. They may say as much about settlement, mitigation, evidential issues and procedural context as they do about relative culpability. That does not make them less useful. It means they need to be read carefully.
The recent GFSC public statement on Utmost Worldwide Limited, Mr Leon Steyn and Mr James Watchorn is a good example.
The Commission imposed financial penalties on the firm, on Mr Steyn and on Mr Watchorn, and prohibited Mr Watchorn from acting as MLRO/MLCO for one year and five months, in addition to issuing the public statement. But the statement also expressly records that the Licensee, Mr Steyn and Mr Watchorn assisted fully during the investigation and settled at the earliest opportunity. That matters. It means the statement is useful on individual accountability, but it may not represent the full personal-exposure picture arising from the wider matter.
Why public statements matter
Public statements matter because they are one of the few public sources that show how a regulator approaches responsibility once a matter has become serious enough to justify formal sanction. They do more than record the outcome. They provide insight into how the regulator framed the case, what it considered important and where it chose to direct criticism.
That is particularly useful in cases involving individual accountability. For boards, senior managers, control-function holders and their advisers, public statements can offer a clearer sense of the behaviours, judgments and oversight failures that are most likely to attract regulatory attention when matters escalate.
Used properly, that is valuable regulatory intelligence.
What public statements can show
What a public statement can show, in practice, is how the regulator has translated its thinking into findings. It may reveal whether the regulator treated a particular issue as one of weak oversight, poor escalation, inadequate challenge, flawed judgment or failure to act on known risks. It may also show how the regulator distinguishes between firm-level failings and personal failings and how it allocates responsibility across senior management, boards and control functions.
That level of detail is often where the real value lies.
The Utmost statement is useful on all those fronts.
In relation to Mr Steyn, the GFSC identified what can fairly be described as executive oversight failings. These included not ensuring appropriate and effective policies and procedures for relationship risk assessment, not ensuring effective procedures and controls relating to suspicious activity reporting, not ensuring appropriate oversight of a major third-party broker linked to forged proof-of-address documents, and not ensuring compliance with the 2019 transitional provisions.
The criticism relating to Mr Watchorn was narrower but still significant. The Commission said he failed, at all times, to consider the implications of money-laundering red flags with the competence and diligence expected of a nominated officer / deputy MLRO, and that he had expressed views which downplayed red flags identified by staff.
That distinction is instructive. It shows the GFSC framing accountability differently depending on role. For senior executives, the focus may be on oversight, systems, escalation and governance. For financial-crime control-function holders, the focus may be more directly on judgment, scepticism and the quality of decision-making in the face of red flags.
What public statements do not necessarily show
This is where some caution is needed.
A public outcome can tell us a great deal about the regulator’s case against the parties who are named in the public statement. What it does not always tell us is whether those are the only individuals of regulatory interest, whether other matters remain live, or how the regulator might have framed its case against others in different circumstances.
That point is especially important in Utmost.
The current public statement applies to the Licensee, Mr Steyn and Mr Watchorn – in other words, the parties who settled. It should therefore be read as a settled outcome for those parties, not necessarily as the complete picture of individual accountability arising from the wider matter.
That is not an artificial reading. The GFSC has publicly recognised split settlements as part of its enforcement practice and has indicated that it will continue to negotiate split settlements where circumstances allow. Against that background, it is entirely reasonable to recognise that the current Utmost public statement may not be the final public account of all individuals connected with the case.
That is why public statements are often best treated as windows into regulatory reasoning, rather than complete maps of the entire accountability landscape. They can be highly revealing but they do not always tell the whole story.
A more useful way to read the comparison cases
Utmost is easier to understand when read alongside other GFSC public statements, not because those cases produce a neat tariff of personal liability, but because they show the different ways in which individual accountability can arise.
In Safehaven, the Commission imposed penalties on a number of individuals as well as the firm, with significant prohibitions in some cases. The point was not simply that individuals were sanctioned, but that the GFSC was prepared to examine personal responsibility closely where the business itself carried obvious and inherent financial-crime risk. The public statement records cooperation, but does not, on its face, expressly state that the outcomes were settled.
In Confiànce, the Commission imposed substantial penalties on executive directors, a smaller penalty on the non-executive director, and lengthy prohibitions on certain executives. That case is useful because it shows the GFSC focusing sharply on senior management responsibility in a case involving repeated failings, while also expressly recording cooperation, very early settlement and a discount in the financial penalties.
In Zedra, the GFSC imposed a personal financial penalty and prohibition even though the findings related to one client file and were described as serious but not systemic. That is a reminder that individual accountability is not reserved for only the largest or most obviously systemic cases. The public statement records cooperation and remediation, but does not, on its face, expressly state that the outcome was settled or discounted.
The value of those comparisons is not that they produce a simple ranking of blame. They do not. Their value is that they show the GFSC taking a role-specific approach to responsibility. In some cases the emphasis falls heavily on executive oversight. In others it falls on the conduct of control-function holders, or on the position of individuals operating within a particularly high-risk business model.
That is why headline comparisons between personal penalties are often misleading. Individual outcomes are shaped by role, function, proximity to the failings, the seriousness of the wider risk environment, duration, cooperation, mitigation, settlement status and prohibition risk. The more useful question is not who paid more, but what the public statement shows about how the regulator analysed responsibility in that case.
What Utmost adds
Utmost adds something more specific to that wider picture.
It suggests that where the GFSC considers a firm to have fundamentally underestimated its own financial-crime risk, the Commission is prepared to articulate distinct and role-specific bases of accountability within that wider systemic case.
On the Commission’s account, the firm-level issues were not merely technical breaches. They pointed to a control environment that was not properly calibrated to the real financial-crime risk of the business. Against that background, the personal cases against the CEO and the control-function holder were framed differently, but coherently: one focused on executive oversight and governance; the other on judgment and the handling of red flags.
That is an important point of emphasis. It means public statements are most useful not as definitive rankings of personal blame, but as evidence of how the GFSC allocates responsibility across the firm, senior management and control-function holders in a settled enforcement outcome.
That is a much more useful form of regulatory insight than the headline numbers alone.
What this means for senior individuals
For senior executives, the lesson is that personal exposure does not depend on being the technical owner of every financial-crime control. The regulatory focus may instead be on whether obvious risks were properly understood, whether systems and procedures were fit for purpose, whether important issues were escalated and whether known weaknesses were actually addressed.
For board members, the lesson is that reliance on management assurance at a high level is rarely enough. The better protection lies in evidence of challenge, insistence on clarity where the picture is uncertain, and a willingness to test whether remediation is addressing the underlying problem rather than simply improving the presentation of progress.
For MLROs, MLCOs and nominated officers, the lesson is more exacting still. These roles carry not just procedural responsibility, but judgment responsibility. Public statements suggest the GFSC expects disciplined analysis of red flags, an appropriately sceptical mindset, and decision-making that can withstand later scrutiny. Where those qualities are absent, personal criticism may follow, even where broader governance failings sit elsewhere in the organisation.
The real value of public statements
The real value of public statements lies in how they help firms and advisers understand regulatory thinking.
They show what the Commission is willing to say publicly about executive oversight, control-function judgment, response to red flags, and failures to turn knowledge into action. That is useful because it gives a clearer indication of where the GFSC is likely to focus when individual accountability comes into view.
That, in turn, helps firms and senior individuals think more clearly about exposure before matters become more serious.
The broader message emerging from cases like Utmost is that where familiar financial-crime failings persist over time, the Commission is increasingly prepared to look not only at the firm, but at who was responsible for governing, challenging, escalating and acting on the risk.
For firms and senior individuals facing issues of this kind, the challenge is rarely just technical remediation. It is also a matter of judgment: understanding what the GFSC is really concerned about, framing issues properly, addressing difficult RMPs, managing enhanced supervisory engagement, and discussing matters with the Commission in a way that is clear, credible and strategically sound. Through ConsultGC, I help clients understand and navigate exactly those issues, drawing on deep regulatory and legal experience to bring greater clarity, structure and confidence to difficult situations.