PwC / London Capital & Finance: What Every Auditor Should Learn

What LCF was and how the fraud worked

London Capital & Finance plc sold unregulated mini-bonds to retail investors between 2013 and 2019. The bonds promised returns of 6.5% to 8% per year. Around 11,600 bondholders invested a total of £237 million. LCF obtained FCA authorisation in January 2016, which (as the Gloster Report later found) gave the firm a “halo effect” of regulatory credibility despite the fact that the mini-bonds themselves were not regulated products.

LCF lent bondholders’ money to a network of borrowing companies. Those companies were connected to a small group of individuals associated with LCF’s management. The largest borrower, London Oil & Gas, owed £124 million. The administrators later found that millions of pounds had flowed from bondholders through the lending chain to LCF’s directors and associates. Court documents revealed that the money funded properties, luxury watches (Rolex, Patek Philippe), a Porsche 911, gold bullion, a Rolls Royce Dawn, and other personal items.

The High Court ruled in November 2024 that LCF was a Ponzi scheme. Former CEO Michael Thomson had “wanted to take out as much money as possible,” was “recklessly indifferent” to bondholders, and had knowingly misled PwC during the audit. The administrators are seeking more than £177.5 million in damages from the former directors.

LCF entered administration on 30 January 2019 after the FCA ordered it to stop promoting its bonds. Investors recovered a fraction of their money. The UK government paid approximately £120 million in compensation to around 8,800 bondholders through a one-off scheme. Three separate audit firms had signed opinions on LCF’s accounts in the years running up to the collapse.

The audit timeline: three firms, three failures

Oliver Clive & Co audited LCF for the one-month period ended 30 April 2015. PwC audited the full year ended 30 April 2016. EY audited the year ended 30 April 2017. All three were sanctioned by the FRC in May 2024.

Oliver Clive’s audit covered only a single month, but the FRC found numerous breaches of fundamental requirements. The firm’s audit report was declared non-compliant with relevant requirements.

PwC was brought in for the 2016 audit. During that year, LCF issued a further £9.2 million in bonds and was growing rapidly. PwC admitted eight breaches (detailed below). The FRC imposed a financial sanction of £7 million, discounted to £4.9 million for admissions and early disposal, plus a severe reprimand. The audit engagement partner received a separate sanction.

EY audited the 2017 financial statements. The FRC imposed a £7 million fine (discounted to approximately £4.4 million for admissions and early disposal, with an extra 10% discount for “exceptional” cooperation). PwC had resigned as LCF’s auditor in October 2017, and EY took over for that final period before the collapse.

No findings of dishonesty were made against any of the auditors or engagement partners. The failures were failures of competence and professional scepticism, not integrity.

PwC’s eight admitted breaches

The FRC’s Final Settlement Decision Notice stated that PwC admitted eight breaches covering the following areas. Each maps to specific ISA requirements that apply to every audit engagement.

Risk identification and assessment. PwC failed to obtain an adequate understanding of the nature of LCF’s business and the company’s internal controls (ISA 315.19, ISA 315.25). This was the most significant breach. Without understanding that LCF was a connected-party lending operation funded by unregulated retail bonds, the risk assessment was built on a false foundation. Every subsequent procedure inherited that error.

Professional scepticism regarding fraud. PwC did not apply sufficient professional scepticism, particularly regarding fraud risk (ISA 240.12, ISA 200.15). LCF’s management was actively uncooperative. A senior individual at LCF acted aggressively towards the audit team. The company provided inaccurate and misleading information. These are textbook fraud risk indicators under ISA 240 Appendix 3. The team saw them but did not adjust the audit response accordingly.

Loan debtors. The audit work on loan debtors (LCF’s primary asset class) was insufficient. LCF’s entire business depended on whether the borrowing companies could repay their loans. The audit did not adequately test recoverability or trace the use of loan proceeds (ISA 500.A31, ISA 540 in relation to loan impairment estimates).

Revenue. Revenue recognition procedures were inadequate given LCF’s business model, where revenue derived from interest on loans to connected parties (ISA 240.27, the presumed revenue recognition fraud risk). If the loans weren’t genuine arm’s-length transactions, the interest income wasn’t genuine either. Revenue from connected-party lending is not the same assertion as revenue from external customers, and the procedures needed to reflect that distinction.

Financial instrument disclosures. LCF’s bonds and loans required disclosure under IAS 32 and IFRS 7. The audit work was insufficient.

Going concern. The audit did not adequately consider whether LCF could continue as a going concern (ISA 570.10). A bond-funded lending business concentrated in connected parties with no independent income carries inherent going concern risk. LCF depended on continuously issuing new bonds to fund interest payments to existing bondholders. That dependency alone should have triggered a specific going concern assessment, and it didn’t.

Related party transactions. The connected-party nature of LCF’s borrowers was the central feature of the fraud. The audit work on related party identification and disclosure was inadequate (ISA 550.11, ISA 550.A30). This failure is directly linked to the business model gap: if you don’t understand the connections, you can’t audit them.

Why the FCA fine changes everything for auditors of regulated firms

The FRC’s £4.9 million fine was a traditional audit quality enforcement action. The FCA’s £15 million fine was something different entirely.

PwC suspected fraud at LCF during the 2016 audit. The FCA’s Final Notice records that PwC encountered multiple red flags. Management was hostile. Information was inaccurate. PwC consulted its own internal legal team on whether a draft email to LCF might tip off the client about the fraud suspicions. At some point during the engagement, PwC formed a reasonable belief that LCF might be involved in fraudulent activity.

Under Regulation 2 of the Financial Services and Markets Act 2000 (Communications by Auditors) Regulations 2001 and section 342(6) of FSMA, auditors of FCA-regulated firms have a statutory duty to report such suspicions to the FCA “as soon as possible.” PwC did not report. It eventually satisfied itself that the 2016 accounts were accurate and resigned as auditor in October 2017. But the FCA’s position was clear: even if the auditor concludes the accounts are accurate, the duty to report suspected fraud persists. The suspicion itself triggers the obligation. Waiting to confirm or disprove the suspicion before reporting is a breach.

This distinction matters for every firm that audits FCA-authorised entities, whether those entities are banks, insurance companies, investment firms, or (as in LCF’s case) firms with FCA permissions that don’t directly relate to their primary business activity. The FCA stated that this fine was the beginning of “an enduring enforcement focus on audit companies that breach their regulatory obligation to report suspicions of fraud.”

If your firm audits any FCA-regulated entity in the UK, your internal escalation process needs a specific step for regulatory reporting that is separate from the audit quality response. ISA 250 Section B (UK) already covers this, but the LCF case shows that firms treated the reporting duty as discretionary. It is not.

Worked example: Van Leeuwen Capital Partners B.V.

Scenario: Van Leeuwen Capital Partners B.V. is a Dutch AFM-regulated investment firm with €22 million in client assets. It raises capital through fixed-rate bonds sold to retail investors and deploys the proceeds into a portfolio of real estate SPVs. During year-one engagement acceptance, you identify that the firm’s CEO is also a director of two of the four borrowing SPVs. The prior auditor resigned mid-engagement without explanation.

1. Engagement acceptance: assess fraud risk before you accept (ISQM 1.30, ISA 220.21)

The prior auditor’s unexplained mid-engagement resignation is a red flag under ISA 300.A8 and your firm’s quality management policies. Contact the predecessor auditor. If they decline to respond or cite “professional reasons,” document this as a fraud risk indicator. Assess whether your firm has the resources and expertise to audit a bond-funded connected-party lending structure.

2. Map the cash flow and identify connected-party concentration (ISA 315.19, ISA 550.11)

Draw the flow: bonds issued to retail investors, proceeds lent to four SPVs, two of which share a director with Van Leeuwen’s CEO. Calculate concentration: if the two connected SPVs hold 58% of total loans outstanding (€12.8 million of €22 million), this is both a related party risk and a fraud risk factor under ISA 240.A26.

3. Design fraud-specific procedures for the connected SPVs

For loan existence: confirm directly with each SPV’s bank (not with SPV management, since SPV management overlaps with the client’s CEO). For recoverability: obtain independent property valuations for the real estate held by each SPV. For use of proceeds: select a sample of loan disbursements and trace them from Van Leeuwen’s bank account to the SPV bank account to the property acquisition or development expenditure.

If any loan proceeds were used for purposes unrelated to real estate (personal transfers, payments to unrelated third parties), treat this as a suspected fraud indicator. Do not wait to complete the audit before considering your reporting obligations.

4. Consider AFM reporting obligations

Under Dutch law (Wet toezicht accountantsorganisaties, Article 26), auditors must report to the AFM if they identify indications of fraud that could affect the reliability of the financial statements. If your procedures reveal that loan proceeds were diverted to the CEO’s personal accounts, the reporting obligation is triggered. Document the basis for reporting (or for concluding that reporting is not required) in a separate memo.

A reviewer sees engagement acceptance that flagged the risk before the firm committed to the audit. Fraud procedures traced directly from the connected-party business model. Regulatory reporting considered as a separate workstream. This file structure addresses every failure identified in the PwC/LCF enforcement action.

What to change in your practice

1. Add a predecessor auditor inquiry step to your engagement acceptance checklist that specifically asks about fraud concerns, not just audit scope disagreements. If the predecessor declines to respond, record this as a risk factor (ISA 300.A8).
2. Before the engagement team fraud discussion (ISA 240.16), require the team to prepare a one-page cash flow diagram showing how money enters and leaves the entity. Connected-party concentrations become visible on paper in a way they don’t in a narrative memo.
3. For every assessed fraud risk, document the specific procedure designed to address it. If the only fraud procedure in your file is journal entry testing under ISA 240.32, the file will not survive regulatory inspection.
4. Separate your regulatory reporting assessment from your audit quality response to fraud indicators. If you audit FCA-regulated entities (UK) or AFM-regulated entities (Netherlands), create a standalone memo that records whether the reporting obligation was triggered and what action was taken.
5. When management is hostile, uncooperative, or provides inconsistent information, treat this as a fraud risk indicator (ISA 240 Appendix 3), not as a difficult-client management issue. The LCF case shows that firms compartmentalised client behaviour as a relationship problem rather than an audit evidence problem. ISA 240.A7 does not require you to accept management’s explanations when those explanations contradict other evidence.

Common mistakes from the LCF enforcement outcomes

• All four audit engagements across three firms (Oliver Clive, PwC, EY) failed to understand LCF’s connected-party lending model before designing their audit procedures. The FRC declared all three audit reports non-compliant with relevant requirements. One planning-stage cash flow diagram would have made the connected-party concentration impossible to miss.
• PwC consulted internal lawyers about fraud concerns during the LCF audit but did not escalate those concerns to a formal regulatory report under FSMA section 342(6). The FCA’s Final Notice made clear that the duty to report arises when the auditor forms a reasonable suspicion. Waiting for certainty is not permitted.
• EY received a 10% cooperation discount beyond the standard 30% admissions discount, bringing its fine from £7 million to approximately £4.4 million. Firms under FRC investigation should note that genuine cooperation during the investigation process has a quantifiable financial benefit.

Related tools and reading

Put audit concepts into practice with these free tools:

Related reading

Frequently asked questions

Source references

• FRC Final Settlement Decision Notice – PwC / London Capital & Finance plc, May 2024
• FCA Final Notice – PwC, £15 million fine for breach of FSMA section 342(6), August 2024
• London High Court ruling – LCF declared a Ponzi scheme, November 2024
• Gloster Report – Independent investigation into the FCA’s regulation of LCF
• ISA 315, ISA 240, ISA 550, ISA 570, ISA 505 – IAASB
• Financial Services and Markets Act 2000 – Section 342(6), Communications by Auditors Regulations 2001