It goes without saying that the global financial crisis of 2008-2009 thrust the operations of the financial services industry into the limelight. Yet despite the damaging effects on the global economy, the fallout from the crisis provided new prospects for radical change. Global outrage intensified the need to enhance and develop existing frameworks, rules and practices to prevent future calamities. A dramatic change in the culture of the industry was required, and intrinsic to this was the overwhelming need to strengthen corporate governance, risk management and individual accountability in light of the financial crisis and what has transpired since.
A decade later, waves of new regulations aimed at preventing similar collapses continue to be introduced. In the UK, senior managers in the financial services industry will be giving their full attention to the FCA’s new Senior Managers Certification Regime (SMCR), which places individual accountability beyond the boardroom at the forefront of the regulators’ mission statement. We can also see that SMCR is being introduced by other regulators globally. In Hong Kong, the Securities and Futures Commission is introducing the Manager in Charge of Core Functions regime, which has some similarities. In the US, the New York City Department of Financial Services has introduced a certification regime for the Bank Secrecy Act/Anti-Money Laundering laws, which requires a certifying senior officer to file an annual certificate to confirm compliance. A certifying officer who files an incorrect or false annual certification may also be subject to criminal penalties for such a filing.
Historically, regulatory attention, including supervision and enforcement matters, had been focused primarily on the corporate entity, but it has moved on to seeking to hold boards and individual directors to account. It has now moved down another level. One of the frustrations of politicians and the public in the wake of the financial crisis was the failure to identify and hold accountable individuals who were responsible for the problems. Penalizing the corporate entity simply meant shareholders took the hit while boards of directors could claim they were insufficiently sighted on individual malpractice beneath them.
Part of the answer? The SMCR, which introduces a statutory ‘duty of responsibility’, in which senior managers are required to take all reasonable steps to prevent regulatory breaches in their respective areas. Given that the relationship between the board and senior managers, who are largely responsible for implementing the board’s decisions, is vitally important for effective corporate governance and risk management, the added element of statutory responsibility, over and above regulatory expectations for accountability and governance, should significantly sharpen the focus on senior managers’ actions.
What this means in practice is that actions which senior managers undertook daily, most likely without even thinking, will now need to be formally allocated, properly understood and monitored. Indeed, applications for individuals to hold senior management functions require the submission of responsibilities to either the FCA or PRA before approval is granted. Overlapping or unclear responsibilities will need to be separated out and delineated between staff. These changes do not happen overnight and will require some time to embed culturally, but the direction of travel clearly points towards an environment where there will no longer be any ambiguity about who was responsible for oversight of decisions, decisions which will now lead directly to the board.
The SMCR is more than just developing another set of checklists and ticking a few more boxes. In order to show that the SMCR is working effectively, there are a number of building blocks on which it must be built. The first is an understanding of what a business does, how it does it and who is accountable for decisions made within it. This may sound simple, but in larger organizations with different departments that may be located in different jurisdictions and which may have centrally provided services, there is a risk of silos developing and of fingers being pointed in opposite directions when things go wrong, unless accountability is well understood and documented. Outsourcing is another area that is potentially problematic. It has long been an article of faith among regulators that tasks can be delegated but accountability for them cannot be. Outsourcing arrangements, which have grown in popularity due to the efficiency savings, will now carry an extra edge to them. Common functions that we have seen being outsourced relate to AML/CFT monitoring and sanctions screening, but there are pitfalls that seem all too common, such as the failure to apply jurisdiction-specific requirements or to appreciate that sub-outsourcing arrangements might need to be monitored and notified to the regulator.
Finally, there is the ‘reasonable steps and evidence’ requirement, which is needed to show how a decision was reached. Evidencing a thought process can be challenging and is often forgotten in the heat of the moment, but it will be increasingly important as regulators start to call for records in support of supervisory visits. Directors of regulated entities have become used to having their decision-making processes scrutinized as part of reviews of corporate governance. Now it would seem it is the senior managers’ turn.
Accountability at All Levels
Above all, the SMCR is designed to drive a change in culture within firms by ensuring that senior managers are held accountable for their actions. In turn, this should manifest itself in a greater level of awareness of responsibilities among junior staff as they are also held to account. Recent reports suggest that banks have paid $321bn in fines since the financial crisis, whereas profits have been estimated at $1 trillion. Cultures need to change, from a ‘how can we find a way to do this deal’ to ‘what are the risks and if there are any doubts, let’s not do it’.