So the moment the financial services industry has been waiting for with bated breath has arrived. The FCA has published its consultation paper setting out proposals to extend the Senior Managers & Certification Regime (aka the SM&CR) to the wider financial services industry.
As you no doubt know, the SM&CR was originally rolled out to banks and other dual-regulated firms in 2016. Not surprisingly, many of the current proposals applying the regime to the remainder of the financial services industry look, smell and feel rather similar to the original. After all, the rationale for widening the regime to the rest of the industry is to ensure that there are a consistent set of standards for individuals – not to mention the more explicit objectives of “raising the standard of conduct for everyone who works in financial services” and “making senior people more responsible and accountable for their actions”.
Notably however, in an attempt at being proportionate, for all but the largest firms, the FCA has narrowed the range of roles which are designated as Senior Manager Functions (SMFs). Similarly, these firms will not be required to produce a Management Responsibilities Map or to ensure that all areas of the business are under the responsibility of an approved SMF.
This watering down of the scope of the regime for the vast majority of firms (at least in respect of the top-level governance arrangements within a firm) will inevitably be criticised in some circles, and welcomed in others – especially among the Chief Risk Officers, Chief Finance Officers and other members of the (senior) management team who might have previously expected to be an SMF, but who under the current proposals will not be subject to any explicit regulatory scrutiny.
It’s worth remembering that the regulators’ increasing focus on individual accountability was born out of the ashes of the financial crisis and the FSA’s apparent inability to hold the likes of Fred Goodwin and other senior executives of failed banking institutions to account. The key objectives of the SM&CR are that:
- Firms are clear as to who is responsible for what
- This allocation of responsibilities is clearly documented
- Firms have appropriate processes in place to ensure that individuals are fit and proper (i.e. competent and with demonstrable personal integrity and financial soundness) to perform their roles, and
- Critically, that when things go wrong, regulators are able (where appropriate) to lay the blame on the individual responsible for overseeing that area of the business.
None of the above should be particularly challenging – or indeed controversial – it’s ultimately about good corporate governance. But the processes to underpin the above can be complex and tricky to put in place.
As mentioned above, under the FCA’s proposals the number of Senior Managers in most firms (barring the 350 or so most significant solo-regulated firms) is limited to the CEO, Chairman, Executive Directors (or Partners), the Compliance Officer and the MLRO. Important roles such as Chief Risk Officer or Chief Finance Officer or Heads of Key Business Units will no longer be subject to FCA approval, or indeed the new ‘Duty of Responsibility’ that is applied to SMFs. In addition, such firms do not need to produce a Management Responsibilities Map or indeed have effective handover procedures in place for incoming Senior Managers.
Many of the nitty gritty, procedural elements of the SM&CR as applied to banks will similarly apply to solo-regulated firms, such as the certification of fitness and propriety of individuals whose role may pose a risk of causing significant harm to the firm or its customers, the application of the new code of conduct to (almost) all staff within a firm, the requirement to request (and provide) regulatory references, etc. However the big ticket individual accountability that the regime is intended to deliver will only apply to a significantly reduced number of senior individuals within the majority of firms – potentially limiting the FCA’s ability to easily hold other senior individuals’ ‘toes to the fire’ in quite the same way, when an issue blows up that is outside of the areas of responsibility of the approved SMFs.
Notwithstanding this apparent dilution of individual accountability, the reality is however that firms will still have to go through a painful change programme to ensure the necessary processes are put in place to underpin the more administrative elements of the SM&CR.
Timeframes for implementation may also be quite tight, and firms should not underestimate quite how much work will be involved in defining and implementing what’s required to ensure compliance with the new requirements. The FCA consultation closes on 3 November, and they intend to publish final rules in the summer of 2018. But they also want firms to formally implement the requirements in 2018. So firms may have, at best, 6 months to consider the finalised rules and work out how to comply.
In our experience, it is usually fairly clear who is responsible for what within a firm. But pinning those individuals down and getting them to agree they are responsible (and ergo accountable) for a specific function is much easier said than done. It’s particularly difficult for firms that are part of larger groups or where the parent entity is unregulated or overseas, because strategic direction can often be imposed from above, by individuals who may not have any real ‘skin in the game’.
Similarly, whilst the processes around certifying fitness and propriety and requesting regulatory references should not, in principle, be a significant departure from existing HR processes, firms are often poor at documenting this – something that will need to change under the new regime.
And the concept of firms being required to disclose (proven) individual misconduct in regulatory references to future employers – and even worse, the requirement to issue updated regulatory references, where an issue subsequently comes to light, for which the (long-since departed) individual was proved responsible does not sit well with some. No doubt employment lawyers will have plenty to do…
Where we’ve already helped banking clients implement the SM&CR it often turned into a ‘bun fight’ between legal, compliance, HR and the board – and all too often it was HR who didn’t duck fast enough and were left trying to decipher the somewhat impenetrable (to the uninitiated) terminology that the regulators use… In practice, a collaborative approach is absolutely essential – but ultimately this needs to start with good corporate governance – and somebody very senior (possibly the CEO or Chairman) needs to take ownership – albeit delegating the implementation of the more functional aspects to legal, compliance and HR as appropriate.
In conclusion, the FCA is clearly trying to come up with a solution that is proportionate and practical for firms to work with. However don’t underestimate how much work it’ll take to successfully implement the new regime. Late 2018 may seem a long way away today, and it’s tempting to concentrate on higher priority issues – like MiFID II implementation. But, leaving everything to the 11th hour is likely to cause all sorts of difficulties in getting over the line. And of course, the FCA will be looking for opportunities to show off its new toys and demonstrate that its powers work in practice.
The FCA has stated that the purpose of the regime is to raise the standard of conduct within the financial services industry and to ensure that senior people are responsible and accountable. As they say, ‘the devil is in the detail’ and ‘the proof is in the pudding’…