Recent data derived from the Financial Conduct Authority (FCA) shows that it is investigating 58 directors as of December 2018. This represents more than double the 24 identifiable targets in 2016 when the new Senior Managers & Certification Regime (SM&CR) came into force.
The SM&CR aims to enhance accountability and culture within financial services firms against a background of governance concerns ranging from the mis-selling of payment protection insurance to rate rigging. The FCA is extending the SM&CR to solo-regulated firms from 9 December 2019 with the aim of strengthening market integrity. This broadens the net of individual exposure and heightens the continued corporate exposure for regulatory failings.
Holding individuals accountable has always been a priority for the FCA, even before the SM&CR. However, to date the FCA’s record in terms of the number of enforcement investigations it has started in relation to individuals has been relatively modest. An FCA response to a request under the Freedom of Information Act 2000 (FOI5805) indicates that as at June 2018 the FCA had five open enforcement investigations into Senior Managers and ten open investigations into Certified Persons.
The recent data collected by external law firm RPC indicates a ramping up of enforcement action. This suggests that claims of a paradigm shift towards greater accountability are real and must be managed across the organisation.
The SM&CR comprises two complementary frameworks for employees of financial services firms. First, the Senior Managers Regime covers the most senior personnel (Senior Managers) who perform key roles (Senior Management Functions). These people will need to be approved by the FCA before they start their roles and they will need to have a statement of responsibilities that explains their duties.
Second, the Certification Regime applies to employees who are not senior managers but who can have a significant impact on the firm or its customers (Certified Persons). These people do not need to be approved by the FCA but firms will need to confirm or ‘certify’ that these persons are fit and proper to perform their roles at least once a year.
The impact of the SM&CR will differ depending on the type of firm: Core (where baseline requirements will apply); Enhanced (additional requirements for the largest and most complex firms); and Limited Scope (firms that currently are subject to limited application of the Approved Persons Regime).
There are two sets of Conduct Rules. The first is a general set of rules that applies to most employees (First Tier). The second set applies only to Senior Managers (Second Tier).
The SM&CR puts personal accountability on senior directors/managers in respect of their negligence or lack of diligence in managing controls, compliance, risk and conduct. These individuals risk sanctions or personal fines, which cannot be reimbursed by their organisations.
The way in which the SM&CR has been implemented by firms could also engage other requirements in the regulators’ broader rulebooks. For example, FCA Principle 3 and PRA Fundamental Principle 6 both require a firm to organise and control its affairs responsibly and effectively.
Effective compliance requires coordination between compliance, HR and senior management. These people will need to work together to identify, assess and map responsibilities in a manner that properly reflects how the business operates and the risks it faces. A gap assessment can be a useful first step in identifying what remediation work needs to be done. The following are among the key steps that should be considered and regularly reviewed:
- Identify Senior Managers and determine what Senior Management Functions they perform. Consider any individuals in the group or externally who exert decision-making influence or who may be based abroad but have responsibility for the UK business.
- Prepare a statement of responsibilities for each Senior Manager and a responsibilities map where required.
- Identify all Certified Persons. Consider if each employee who is not a Senior Manager meets the fit and proper person test and arrange for additional training where necessary.
- Review and update HR operational and disciplinary procedures relating to suspension/termination/leave to ensure that relevant functions can be managed by an appropriate other individual where a person is not available to perform their function.
- Use the FCA’s firm checker tool to determine which firm type a firm falls under. The scope of obligations will vary depending on the type of firm.
- Ensure that there are procedures in place for Senior Managers and others to recognise and identify breaches of the Conduct Rules. Design and implement training programmes to ensure that all employees understand their obligations.
- Review and update directors and officers liability insurance and consider whether the scope of cover is permissible and appropriate.
- Regularly consider how the rules impact the firm’s overall compliance framework and culture and how governance arrangements may need to be modified. This may include improved procedures to allow for real-time information to be made available to Senior Managers to ensure that they are acting on the most reliable information.
The SM&CR is symptomatic of a global trend towards greater personal accountability of senior executives in financial services firms. Similar regulation is developing in Hong Kong, Japan, Singapore and Spain, among others. The Australian Banking Executive Accountability Regulation (BEAR) is modelled on the SM&CR. Multinational financial services firms can derive synergies and efficiencies through an integrated compliance effort and there is much inspiration on which to draw for others.
The FCA’s Policy Statement PS18/14 summarises the feedback that the FCA received to its consultation on extending SM&CR and includes the FCA’s response. This emphasises that individual and corporate accountability is here and it is not going to go away. While this may seem daunting for solo-regulated firms, the FCA’s SM&CR guide contains a useful ‘SM&CR readiness checklist’ to help a firm move forward.
The regulation goes beyond an HR function, emails and procedures documents and is not a box-ticking exercise. It is a governance framework which requires all financial services firms to accept that personal accountability should be embedded in the culture of compliance from the top down and bottom up.