Senior Managers & Certification Regime – what it means for solo-regulated firms
3 August 2017
The FCA has published a consultation paper setting out how it intends to extend the Senior Managers & Certification Regime (the ‘SM&CR’) to the wider financial services industry.
In the aftermath of the Global Financial Crisis, the previous regulator – the FSA – was widely criticised for its inability to hold senior bank executives to account for the failures that led to the (quasi) collapse of a number of UK banks and building societies.
The Parliamentary Commission on Banking Standards (the PCBS) subsequently published a report highlighting some of the main drivers for the financial crisis and recommending a number of measures to help prevent similar failures occurring in future, namely:
- A new regime for senior individuals, with much greater clarity as to who is responsible for what within organisations;
- A remuneration framework that is better aligned with long-term risk-reward and the financial stability of the business; and
- An enforcement framework for holding senior individuals to account for failures that occur on their watch.
The PRA and FCA introduced a new regime for individuals, to replace the Approved Persons Regime within banks, building societies and other dual-regulated firms. This new regime – the Senior Managers & Certification Regime (the SM&CR) – came into effect for those firms on 21 March 2016.
What is it and how does it apply to you?
The FCA has divided the population of solo-regulated firms into three categories:
- Enhanced SM&CR Firms – the 350 or so largest and most complex solo-regulated firms (e.g. Significant IFPRU Firms, Large CASS firms, Wealth Managers with £50bn or more in Assets Under Management, etc.)
- Core SM&CR Firms – the vast majority of financial services firms
- Limited Scope SM&CR Firms – firms who are currently subject to a limited application of the Approved Persons Regime, such as sole traders or limited permission consumer credit firms
The SM&CR broadly consists of three layers, as explained below:
1) The Senior Managers Regime
This applies to the most senior people who perform key roles (‘senior management functions’ or SMFs). The FCA has defined seven SMF roles, such as SMF1 (Chief Executive) or SMF16 (Compliance Oversight). Firms will need to ensure that senior managers are fit and proper both at the time of appointment and on an ongoing basis. As part of this, firms will be required to carry out criminal records checks on individuals they are proposing to appoint as senior managers.
Senior managers will need prior approval from the FCA before they can perform an SMF role, and each senior manager will need to have an individual statement of responsibilities that clearly sets out what they are responsible (and ergo accountable) for.
The FCA has also defined a list of seven ‘prescribed responsibilities’ that are applicable to all firms (other than ‘Limited Scope SM&CR Firms’), and which will need to be allocated to an approved senior manager.
Finally, the regime introduces a ‘duty of responsibility’ whereby if a breach were to occur, the senior manager with responsibility for that area could be held accountable if they did not take ‘reasonable steps’ to prevent or stop the breach.
Enhanced SM&CR firms will also have to:
- Seek approval for individuals carrying out a further eleven SMF roles (where applicable)
- Allocate an additional seven prescribed responsibilities to an approved senior manager
- Ensure that every area or activity of the business is under the ultimate oversight and responsibility of an approved senior manager
- Produce a management responsibilities map, setting out the firm’s governance arrangements and how responsibilities have been allocated across the population of approved senior managers
- Put in place adequate handover procedures to ensure an incoming SMF has access to all necessary information to perform their role
2) The Certification Regime
The Certification Regime will apply to those staff who are not senior managers, but whose role may pose a risk of significant harm to the firm or its customers.
Staff caught by the Certification Regime (i.e. performing ‘certification functions’) will not need FCA approval. Rather, firms are required to put in place a robust framework for assessing the fitness and propriety of certified individuals both at the point of appointment and on an ongoing basis thereafter. This assessment will need to focus on both honesty & integrity / financial soundness considerations and also the individual’s wider competence and capability to perform the role.
As part of this process, firms must also try to obtain ‘regulatory references’ from all previous employers over the past six years – these regulatory references are required to disclose certain information going back six years, including details of any disciplinary action taken due to breaches of the Conduct Rules and any findings that the person was not fit and proper.
Once a firm has deemed that the individual performing a certification function (or a senior manager function) is fit and proper, the firm must issue the individual with a certificate of fitness and propriety to perform a specific role. This certificate must be renewed on at least an annual basis.
3) The Conduct Rules
The existing statements of principle for Approved Persons will be replaced by a new set of Conduct Rules. Critically, these new Conduct Rules apply not just to individuals performing a senior management or certification function, but also to almost every other person within the firm, barring those performing a purely ancillary function such as catering or security.
The Conduct Rules are intended to drive up standards of individual behaviour across financial services and, critically, enable the FCA to take action against individuals at any level for the breach of a Conduct Rule.
Where a firm takes action against an individual for the breach of a Conduct Rule, the firm will need to report this to the FCA (within seven days for senior managers, or annually for everyone else). Firms are also required to provide details of the Conduct Rule breach and subsequent investigation / action taken, in any regulatory references they provide to future employers of that individual.
There are also rules preventing firms from entering into agreements with an outgoing individual (such as Non-Disclosure Agreements) that conflict with their regulatory reference disclosure obligations.
The intention here is clear: the FCA wants to ensure that ‘bad apples’ are unable to circulate around the financial services industry.
The following diagram captures the key aspects of the new regime:
When will the SM&CR come into force?
The consultation does not state when the regime will come into force. However, previous communications from the FCA and HM Treasury have indicated that the expected implementation of the new regime will be from 2018. The FCA’s consultation runs until 3 November 2017, after which the FCA will consider the feedback it has received before publishing its final rules in the summer of 2018. This means that any implementation will not be before Q4 2018 – possibly with some sort of transitional arrangement carrying over into 2019.
What should you do?
Given the above timeframes, it may be tempting to put SM&CR on the back burner, and focus on other more pressing regulatory priorities (e.g. MiFID II, GDPR, etc.). However, whilst the core concepts within the regime are relatively straightforward and easy to understand, the devil is in the detail. In our experience, mapping out who is responsible for what within an organisation can be easier said than done – especially within firms who are part of larger / international groups and/or with matrix management structures. Whilst identifying who is the responsible senior individual for XYZ may seem obvious, persuading that individual that they are indeed accountable is not as trivial as it seems. And drafting clear and succinct statements of responsibilities can be challenging. At a more operational level, defining clear and practical processes for, e.g., assessing and certifying fitness and propriety, investigating and reporting conduct rule breaches, or requesting and providing regulatory references all takes time.
And who should take responsibility for all of this work? In our view, some kind of combined working group involving Legal, Compliance, HR and potentially the CEO/Chairman works best for all but the smallest / most simple firms.
How can Bovill help?
Bovill worked with a number of banks, helping them implement the SM&CR, as well as helping our clients with numerous other significant regulatory change projects. We have extensive experience of some of the challenges that can arise and the importance of progressing matters in a structured and timely manner.
- Project manage your SM&CR implementation
- Provide SME advice on the regime and how to implement the new requirements
- Facilitate workshops to get the appropriate buy-in and engagement from key stakeholders (e.g. the SMFs)
- Provide training on the new regime and what it means for individuals affected
- Provide the required conduct rule training for staff at all levels within the business
- Help prepare and draft individual statements of responsibilities and management responsibilities maps
- Define and articulate key processes to underpin the new regime
There is much to be done, and many decisions to be made. The sooner you start thinking about this, the better.