Background and findings
Kasim Garipoglu, a Turkish national, was the ultimate beneficial owner of a regulated firm and at various points between 2012 and 2017 its CEO and sole or dominant member of its Board.
The FCA’s investigation initially focused on AML controls concerns but pivoted to individual conduct and culture concerns as the FCA discovered internal communications in which Garipoglu was found to have instructed or encouraged staff to adopt unsafe onboarding procedures, ignore or circumvent AML checks, and prioritise profit over compliance. This was despite repeated warnings from the firm’s compliance and management team in relation to multiple issues, which Garipoglu both failed to heed and directly challenged. The FCA also found evidence that Garipoglu misled the FCA, including by making misleading statements and by creating and using forged documents. According to the FCA, his philosophy was to “act first and defend later”.
Insights
Creating a culture of compliance
The FCA found that Garipoglu fostered an environment where compliance with regulatory principles was considered to be either unimportant or secondary to commercial considerations, fines were thought to be an acceptable cost of doing business, and it was acceptable to risk regulatory breaches. This led to a systematic disregard for regulatory requirements.
The FCA continues to place significant emphasis on culture. Its publications and enforcement decisions reflect its focus on culture as a driver of conduct and compliance and the foundation for a healthy firm. In the words of the FCA’s then COO Emily Sheppard in a 2025 speech entitled “Culture is Contagious“, “culture drives conduct and decision-making, which directly impact outcomes for consumers, markets, and our economy”. Similarly, the FCA’s 2024 Approach to Supervision stresses its view that “a firm’s senior managers are responsible and accountable for its culture, strategy and for preventing harm”.
The Garipoglu decision sits squarely within this narrative and in the immediate context of other recent FCA individual accountability actions, including its decision to fine and ban Crispin Odey. In that decision, which is disputed and is currently being challenged before the Upper Tribunal, the FCA noted that a failure to address inappropriate workplace behaviour can give rise to a wider culture in which employees are reluctant to report issues, ultimately putting consumers and markets at risk.
Empowering compliance, risk and legal teams
In this case there was a structural divide between the London head office (which contained the compliance officers and UK senior management responsible for compliance across the company, including its branches) and the Turkey branch (which was the operations centre and was the focal point for business development and new marketing strategies). This divide, combined with Garipoglu’s emphasis on winning new business over regulatory compliance, created a culture where even junior employees based in Turkey challenged and disregarded the views of the London compliance and senior management team, which impeded them in performing their roles.
Firms should ensure that control functions are properly empowered to challenge first-line non-compliance, which can be made more difficult where first- and second-lines straddle jurisdictions or are otherwise not physically co-located. Firms need to ensure strong governance, visible senior managers setting the right tone from the top, robust oversight mechanisms, clear escalation paths and consequences for those who disregard or try to circumvent regulatory requirements or the firm’s policies and procedures.
Don’t follow the crowd
Garipoglu sought to justify potential regulatory breaches to the firm’s compliance and management team by pointing to the alleged conduct of competitors. He argued that breaches were acceptable where others were doing the same and that competitors must have found ways to circumvent regulations, pushing them to do the same. The FCA unsurprisingly rejected this, clearly indicating that firms should prioritise conducting business in a compliant way rather than following their peers in the face of advice that to do so would put the firm in regulatory breach.
Express remorse
In deciding whether to make a prohibition order, the FCA will consider the risk an individual presently poses to customers and the wider market. The length of time since any misconduct is relevant here, but may be outweighed if the individual has not learned from their actions. This means decisions need to be made at a relatively early stage whether to acknowledge shortcomings and even make early admissions. Adopting a uniformly defensive posture throughout may prove counterproductive.
Here, although Garipoglu’s conduct was largely historical, he did not admit failings until relatively recently and after he received the Warning Notice and the FCA had found that he engaged in misconduct during the FCA’s Enforcement investigation. This was despite despite multiple prior opportunities to acknowledge those failings. The FCA therefore said that the passage of time did not alleviate its concerns about the risk that he posed and made a prohibition order.
This question of whether to acknowledge previous shortcomings is not only important in relation to possible prohibition orders. Recent Upper Tribunal decisions (see Donaldson and Arden) and Final Notices suggest that greater mitigation might be available to individuals for cooperation during the investigation phase than had previously been the case. In the recent Final Notice against Richard Howson, the former Chief Executive of Carillion, he received a 20% discount to penalty for cooperating with the FCA’s investigation and for not contesting allegations against him in related proceedings.
Undertakings ruled out
The FCA refused Garipoglu’s request to accept undertakings in respect of his and his firm’s future activities in UK financial services, together with a sum in escrow to secure this undertaking, instead of a prohibition order (here, Garipoglu’s concerns about the reputational impact that a prohibition order might have on his other businesses appears to have been a factor in him offering this alternative).
The FCA acknowledged that its predecessor, the FSA, had in sometimes accepted undertakings in Enforcement investigations but said that it had not identified a case since 2010 when it had done this and that it is no longer the FCA’s practice.
The FCA noted that an undertaking, unlike a prohibition order, does not provide important safeguards including the obligation on other firms to take reasonable care not to allow Garipoglu not to undertake functions related to regulated activity, a publicly-available record of disciplinary action and criminal liability. The FCA refused to be placed in the position of needing to monitor Garipoglu’s and his firm’s ongoing compliance with the undertaking.
Key takeaways
- The FCA expects firms to treat regulatory compliance as a base expectation, not just a cost of doing business – and to embed this within their culture.
- Culture begins at the top; the FCA expects senior individuals to model good practice.
- It is important that structural divides between business and compliance functions do not erode the effectiveness of regulatory controls, particularly where these functions are in different locations.
- Contrition, remediation and early admissions (where appropriate) help to mitigate enforcement risk for firms and individuals alike.
