SM&CR Implementation – Devils, Details and Duties

Vaughan Edwards gives a fresh and practical guide to the Senior Managers & Certification Regime (SM&CR) which is at the heart of the UK Financial Conduct Authority (FCA) mission to improve culture and governance in financial services through enhanced individual accountability.

Vaughan apologises in advance for the excessive use of “responsibility” and “accountability” in what follows below, but such is the Individual Accountability Regime.

A quick summary

The regime was adopted by the banking sector in 2016, by insurers in late 2018 and will be extended to circa 47,000 “solo-regulated” firms on December 9th, 2019. It consists of the following three elements:

1. The Senior Managers’ Regime (SMR). This requires firms to identify certain senior executives and directors as Senior Management Functions (SMFs) to whom key responsibilities (some of which are prescribed by FCA) must be allocated. These allocations are set out in documents known as Statements of Responsibility (SoRs). SMFs are subject to a “Duty of Responsibility” under which they are expected to take “Reasonable Steps” in discharging those responsibilities. SMFs remain subject to FCA approval, a process which may include formal interviews.

2. The Certification Regime. This requires firms to identify those employees engaged in activities that, to quote FCA, “can have a big impact on customers, markets or the firm” and to certify that they remain fit, proper and competent to perform those roles. Most certification staff will currently be approved persons although the new regime potentially brings others into scope. FCA will cease having any role in approving these individuals for firms from December 9, 2019, onwards, when firms will assume sole responsibility.

3. The Conduct Rules. These “new” rules are essentially an adaptation of FCA’s existing principles for approved persons and apply to essentially all individuals employed in regulated firms. The rules are deliberately broad in scope and include, for example, the need to act with integrity and treat customers fairly. The Conduct Rules ensure that even the most junior employees could be subject to individual disciplinary action.

Application & proportionality

FCA has attempted to accommodate the broad church of solo-regulated firms by applying the SMR in a proportionate way. There are three categories of firm:

1. Enhanced. The largest and most complex firms (according to certain defined criteria) will be required to apply the same regime as the banks. They will have the highest number of SMFs and prescribed (i.e. mandated) responsibilities. Most significantly, they will also be subject to the “Overall Responsibility” requirement whereby all activities of a firm and the associated conduct must, ultimately, be the responsibility of an SMF. It is a comprehensive accountability regime in which there can be no gaps or overlaps.

2. Core. This category is characterised by fewer SMFs and prescribed responsibilities and the absence of the “Overall Responsibility” test.

3. Limited Scope. Firms in this category are considered to pose a very limited threat to FCA’s objectives. There are no prescribed responsibilities and some firms may only need one SMF.

Key messages for Senior Executives – and CEOs in particular

What is FCA seeking to achieve through SM&CR? The first important thing to remember about the regime is that it was the product of damning Parliamentary criticism of the original Approved Persons regime. That criticism reflected the failure by the regulatory bodies to take disciplinary action against any of the most senior executives and directors at institutions involved in the banking crisis and subsequent conduct scandals. One sensed some initial discomfort at FCA and PRA at having these new powers imposed on them, but they have now adapted and view SM&CR as the single most powerful tool in their mission to achieve cultural change in financial services. That, in turn, has been reflected in a desire to characterise SM&CR as being primarily a Supervisory, as opposed to Enforcement, tool. While it can be used very effectively by supervisors, no one should forget the regime’s origins, succinctly summarised by HSBC’s Deputy Chairman in a recent FCA video as giving “the regulator a much easier hook to put people on when things go wrong”.

The Devil does lurk in the detail. Ensuring that the right people remain accountable for the right responsibilities is at the heart of the regime. That is reflected (for enhanced and core firms) in the requirements for the effective operation of SMR, Certification and Conduct Rules to be allocated to the appropriate senior manager – almost certainly the CEO. While CEOs can and should delegate performance of relevant tasks, these are still inherently challenging, data-intensive responsibilities requiring levels of oversight that few CEOs are typically able to commit to. The challenge of evidencing a history of “reasonable steps” in relation to these three SM&CR-specific prescribed responsibilities is arguably the single biggest risk to which CEOs are exposed.

Proportionality – definitely not grounds for complacency. Having fewer SMFs who are allocated fewer prescribed responsibilities will reduce the SM&CR burden at core and limited scope firms. However, there will be cases, notably at more complex core firms, where SMFs (CEOs in particular) may be exposed to proportionately greater personal risk than peers at enhanced firms who are able to delegate their responsibilities more effectively.

Key recommendations

• Invest in a strong, effective implementation project. Getting the foundations, such as accurate data and a strong supporting infrastructure, right at the outset will be critical to your ability to meet the biggest challenge of ongoing compliance.
• Start early. The sooner the firm starts, the sooner it will identify critical issues that do not lend themselves to quick fixes. In particular, are existing HR systems and processes capable of meeting the challenges presented by Certification now the assurance role played by FCA will cease? Also consider the potential impact of SMR implementation on some individuals – there is plenty of evidence (anecdotal and otherwise) of potential SMFs resigning, retiring and moving locations in response. The sooner the process starts and identifies potentially significant systems and people problems the better.
• Invest in dedicated infrastructure and training. Given the risks to which CEOs are directly exposed through their responsibility for SMR and Certification, it is well worth following the lead of most banks and investing in specialist vendor or in-house SM&CR systems. In addition to the mandatory Conduct Rules training for all employees, firms should also commit time to help SMFs understand and adapt behaviours in light of the impact of the Duty of Responsibility.
• Adopt a simple “Reasonable Steps” Framework. While it is for FCA to prove that an SMF did not take reasonable steps, the absence of any evidence that you did will leave you in a very exposed position. SMFs should reassess their current governance and oversight arrangements in light of their responsibilities under the new regime. In particular:
  • Assess how much you do yourself and how much you delegate to others;
  • Where you delegate, document who you delegate to and keep records up-to-date;
  • Document the delegation and get those responsible to acknowledge it;
  • Identify the main MI relevant to the tasks involved and ensure it remains “fit for purpose”;
  • Ensure you can evidence you’ve reviewed and acted (where appropriate) on that MI; and
  • Ensure you can evidence regular oversight of/interaction with your delegates.

Conclusion

The SM&CR does reflect a very fundamental change by exposing employees to a much greater level of individual accountability to FCA. That means you must take primary responsibility for ensuring that your employer is providing you with everything you feel you reasonably need to meet regulatory expectations. In short, individual accountability to FCA requires you take much greater individual accountability for yourself.

Vaughan has lengthy experience in financial services regulation. He started his career as a supervisor at the Financial Services Authority and its predecessors (TSA/SFA). After 12 years as a regulator, he spent a similar period in senior regulatory roles at Credit Suisse and UBS with responsibilities such as regulatory relations oversight and managing regulatory investigations. At UBS, he worked directly for the bank’s EMEA Group CEO on governance, regulatory and reputational risk across the region. He co-founded the regulatory consultancy Medius which became part of Elixirr Partners in 2013. It advises large investment banks through to the financial services arms of motor manufacturers and airlines. Vaughan’s particular expertise includes work with senior executives on governance, particularly in response to the expansion of individual accountability regimes in the UK and elsewhere.