The FCA’s Senior Managers and Certification Regime (SM&CR) is topping the list of regulatory challenges for financial institutions in 2019, with the December 9 deadline throwing up new challenges and concerns around the way firms must handle their duties, process their data and implement internal procedures. Martin Lovick, Senior Principal Consultant at governance, risk and advisory solutions provider ACA Compliance, talks us through six common themes emerging from SM&CR project implementation.
1. Governance structure and culture
The Financial Conduct Authority has disarmingly assured firms that SM&CR should not require them to change their governance structure or hire additional staff. At the same time, it has repeatedly advised that SM&CR is above all a project that will require a change of culture to ensure that all staff understand where responsibility lies, and who will be held to account when something goes wrong (referred to by the FCA as “breaches”).
We agree that firms with robust governance structures are in a strong position to implement SM&CR. However, many firms, particularly those that have evolved from start-ups in recent years, may not have the formality and, therefore, certainty, to ascribe responsibility in the way that SM&CR requires. Points to consider here are likely to include an internal structure chart, terms of reference, management information, and documenting the decisions of management bodies.
Easier said than done, though – the FCA is surely right to emphasise that the culture of firms implementing such processes will have to adapt.
2. Prescribed responsibility – collective or individual?
The new Senior Managers Regime aligns the new Prescribed Responsibilities closely with the concept of a Duty of Responsibility. Although the FCA accepts that the burden of proof lies with it in establishing that a Senior Manager did not take reasonable steps to prevent breaches, the emphasis on the individual is paramount. Each one of the Prescribed Responsibilities (four at most firms) must be assigned to a single Senior Manager.
This represents a major challenge for firms used to operating under dual or collective responsibility frameworks – for example, between two or more owner-managers. The problem is likely to be exacerbated within partnerships where collective responsibility is enshrined within members’ agreements.
Many firms will need to take a good step backwards before determining where ultimate decision-making and oversight responsibilities lie. As with the governance question, the result may be an overall reconsideration of the firm’s senior management framework.
3. Documenting individual roles: Statements of Responsibility, job descriptions and employment contracts
The FCA places a lot of emphasis on written documents to evidence where key responsibilities lie. This aims to ensure transparency and clarity within firms, but the sub-text is to facilitate enforcement actions against individual Senior Managers when breaches occur.
The main focus is on the Statements of Responsibility (SoR) that must be provided for every person holding a Senior Manager Function. These documents must be clear and succinct and contain references to other documents. They must be kept up to date (e.g. to reflect any changes in responsibilities) and in future will have to be provided to the FCA as part of new applications for approval of Senior Managers. Writing these documents (which must be approved by the Senior Manager themselves) is expected to be one of the major challenges of SM&CR implementation.
A further challenge is to ensure consistency between the SoR and other legally-orientated documentation surrounding the role of the Senior Manager – including any job descriptions which may exist, as well as the employment contract or partnership agreement. Firms may well choose to employ external advisors to ensure harmony across these documents.
4. Fitness and Propriety assessments, regulatory references and criminal records checks
SM&CR demands that firms take a much more rigorous approach to the initial and annual assessment of Fitness and Propriety – a key component of both the Senior Managers and the Certification Regimes. Yet it is leaving it up to firms (or perhaps industry bodies) to determine exactly how such an assessment is carried out.
The FCA has not expanded on the previous definition of Fit and Proper, which divides this into a) honesty, integrity and reputation; b) competence and capability; and c) financial soundness. Currently, many firms lean heavily on Section 5 of Form A (for FCA Approved Persons) to evidence such checks, alongside initial background screening and periodic attestations on a range of regulatory requirements.
SM&CR specifically focuses on the evidence to be collected for Senior Managers, notably Regulatory References and criminal records checks. Note that firms are required to take reasonable steps to obtain references from past employers over the previous six years, even where these fall outside the regulated sector. Many firms seem likely to expand both sets of requirements to their Certification staff or even wider: this is a relatively easy solution for obtaining hard evidence to support the conclusion that a member of staff is Fit and Proper.
5. Record-keeping: aligning the requirements of Compliance, HR and Legal
Firms keep many kinds of records about individual members of staff, ranging from Compliance records about Approved Persons to HR payroll and attendance records and legal employment contracts.
SM&CR requires that such records, from Statements of Responsibility to the assessment of Fitness and Propriety, as well as any records of disciplinary actions, are readily accessible across the firm (to the extent permissible under Privacy Policies).
Aligning these records for consistency and multiple use will be a challenge for firms, but those that do so successfully will be in a much better place to address requirements across the entire lifecycle of the individual employee.
6. Code of Conduct breaches and disciplinary processes
SM&CR does herald a greater focus on breaches and the reporting of breaches both at an individual and a firm level. At present, many firms will have only rudimentary procedures in place to address such events – perhaps in the Employee Handbook, as well as a Breaches Policy in the firm’s Compliance framework documents.
With breach reporting (within seven days for Senior Managers, and an annual report via GABRIEL for all other Conduct Staff) now a fact of life, firms will need to review carefully their Policy and Procedures to determine:
a) what types of behaviour are covered; and
b) the process to investigate and determine follow-up actions.