Although the commencement of the global financial crisis was over eight years ago, the consequential impact on global regulatory change and political/social expectations on financial services firms continues to escalate and reverberate on a near daily basis.
Since 2007, firms and regulators have uncovered multiple examples of poor conduct and behavior, mis-selling, market manipulation and unethical actions by both firms as a collective and individuals. Due to matrix organizational structures and committee decision making, regulators were unable in most cases to specifically pinpoint a member of senior management deemed responsible or accountable for these actions.
Research from the CCP Research Foundation indicates that conduct related costs were over £200 billion globally between 2010 and 2014. These costs span failures across retail, corporate and wholesale and impact the spectrum of financial services from banks and insurers to asset managers and intermediaries.
Undoubtedly, since 2007, global regulators especially the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have undergone a paradigm shift in mentality to focus on culture, conduct and individual responsibility and accountability.
Nowhere is this seen more starkly than the imminent ‘go-live’ date of the Senior Managers and Certification Regimes (SM&CR) on 7 March 2016.
To recap, following recommendations made in 2013 by the Parliamentary Commission on Banking Standards (PCBS), the FCA and PRA have sought to implement changes to the way individuals working for relevant firms are supervised and held accountable for the roles they perform through the SM&CR.
The SM&CR affects banks, building societies, credit unions and PRA-regulated investment firms, including UK subsidiaries and branches of overseas firms.
Furthermore, HM Treasury announced in October 2015 that the regime would be extended to all FSMA authorized firms during 2018, including investment firms, asset managers, mortgage brokers and consumer credit firms. We will cover the likely impact and next steps for these firms in future briefings.
Summary of changes
There are four parts to the SM&CR:
Senior manager functions
- Applies to individuals who hold key roles or have overall responsibility for whole areas of relevant firm
- Requires ‘Statements of Responsibility’ and a ‘Management Responsibilities Map’
- Requires pre-approval by regulators
- 'Statutory duty of responsibility’ applies, i.e. if a breach of a regulatory requirement occurs, the FCA must prove that the senior manager did not take reasonable steps to prevent the breach
- Potential criminal sanctions
- Applies to other staff who could pose a significant risk of harm to the firm or any of its customers
- Must be certified as fit and proper by the firm annually
- Potential civil sanctions
Assessment of fitness and propriety
- Requires firms to assess fitness and propriety of senior managers and certified staff on at least an annual basis
- Applies to senior managers, certified staff and non-ancillary staff
- Need for tailored and role specific training to ensure relevant staff are aware of the conduct rules and how they apply to them
- Requires firms to put in place processes to identify / notify breaches of conduct rules
Are you ready for 7 March 2016?
With less than 2 months to go until the effective date, firms have either completed their regulatory change program to ready themselves for SM&CR or are in the final stages of design and implementation of relevant changes to policies and procedures, staff training and governance frameworks.
Assuming your regulatory change program went according to plan, by this stage you will have reached some key milestones:
- Defined reporting lines and assigned responsibilities;
- Identified the population of senior managers and certified functions;
- Apportioned the PRA/FCA Prescribed Responsibilities amongst the Senior Managers
- Prepared, submitted and obtained approval for statements of responsibility and responsibilities maps to the FCA/PRA;
- Created a database of individuals performing a certified function and designed a framework to keep it updated;
- Designed an ongoing framework to assess the fitness and propriety of senior managers and certified staff;
- Redefined board and committee structures and escalation arrangements where necessary to ensure these are appropriately designed to address the risks and responsibilities assigned to senior managers and certified staff;
- Developed appropriate and effective MI to enable senior managers and certified staff to monitor compliance with clearly-defined and articulated risk appetites, including conduct risk;
- Developed proportionate and sufficient MI for boards and other relevant committees to monitor compliance with the SM&CR;
- Sought to implement and embed cultural change focusing on individual accountability through training, improved documentation, changing recruitment and performance management processes, objective setting, job descriptions, communication and oversight from Senior Managers and certified staff; and
- Designed appropriate frameworks across the three lines of defense to ensure ongoing compliance.
These milestones mark a fundamental shift not just in organizational hierarchy and operational management but also in employee mindsets and daily working practices. From 7 March 2016, Senior Managers will be personally accountable based on their Statements of Responsibilities with potential criminal sanctions. Undoubtedly, this will change the nature of governance and approach to risk taken by said individuals.
Unfortunately, firms are unable to rest on their laurels from 7 March onwards.
Whilst structural changes can be put in place, the time required for embedding and normalization will vary on a firm by firm basis. As time progresses, firms must re-assess whether the approach taken continues to meet regulatory expectations and crucially whether it is capable of working efficiently in line with the business model. In this regard ongoing challenge and oversight of how these arrangements are administered and embedded is of critical importance.
Over the coming 12-18 months, we expect firms to ask a number of questions including:
- Following implementation and a period of embedding, should the SM&CR framework be reviewed independently to assess effectiveness and a gap analysis undertaken?
- Is the revised organizational structure effective in both meeting business strategy and compliance with the SM&CR and who in the firm is responsible for assessing the effectiveness?
- Are governance arrangements sufficiently robust to provide appropriate oversight and control of the key activities and risks of the business?
- What are the control gaps in compliance with the SM&CR? What can be done to further strengthen Senior Manager and board oversight of SM&CR?
- Can the SM&CR framework adapt to changes in the business model, structural changes or sizeable staff changes?
- Are Senior Managers confident in monitoring their areas of responsibility? Are changes required to the MI received?
- How are you retaining and training current and potential Senior Managers given the increased level of personal responsibility?
- How are you retaining and training current and potential Certified Staff given the changes in approach to assessing their fitness and propriety on an annual basis?
- With senior staff personally responsible for any actions of junior staff, how are you managing this relationship to ensure a successful working environment? Is your performance appraisal process strong enough to cope?
- How does your Conduct Risk program and SM&CR framework interlink and are there any potential conflicts? What specific steps have been taken to consider this key area?
- Have you completed the design and testing of the framework to assess certified individuals as fit and proper by 7 March 2017?
- How will you develop a framework to embed the conduct rules and monitor compliance with the conduct rules for relevant staff, including processes and controls over breach identification and reporting?
- Have you amended your policies and procedures to reflect the changes in the FCA Handbook/PRA Rulebook e.g. the removal of APER?
- Do you have a formalized Board and Senior Manager ongoing training program in place?
- How are HR practices impacted including hiring (use of contractors, temporary staff and third parties), performance management and training and competence?
- Are there sufficient skills and resources to adequately support the Senior Managers to adequately oversee the various business lines? How have you defined accountability and ownership?
- Are compliance monitoring tests and internal audit work programs of the SM&CR framework sufficient and effective?
- Duff and Phelps Regulatory Consulting is experienced in navigating the external and internal complexities of getting firms ready for the SM&CR and is acutely aware of the ongoing obligations that Senior Managers and firms have in ensuring ongoing compliance.
- If the milestones outlined above in readiness for 7 March 2016 have yet to be reached in full or some were not included in your regulatory change program, we can assist you on a project or secondment basis to undertake a gap analysis and help remediate where necessary.
As we move to an era of ‘living the SM&CR’, we can help you with:
- Undertake a gap analysis of your regulatory change program for SM&CR against FCA requirements and best practice and assist with the remediation of any issues found;
- Conduct a bespoke review of your SM&CR framework following a period of embedding and identify any recommendations against FCA requirements and industry best practice;
- Review of roles and responsibilities mapping, including statements of responsibility and responsibilities maps for Senior Managers to ensure that they are appropriate and reflect the reality of operational processes;
- Evaluate the framework for assessing the fitness and propriety of relevant staff on an ongoing basis including undertaking sample testing on annual reviews and mock interviews;
- Review the governance framework to ensure it is designed in a way that enables Senior Managers and Certified Staff to monitor the risks and responsibilities assigned to them;
- Assess the adequacy and effectiveness of the oversight and challenge provided by the board and other management committees including an assessment of the MI produced;
- Review the embedded process for identifying and reporting breaches with respect of the SM&CR including the conduct rules;
- Design and deliver tailored training for senior managers, certified staff and general staff in relation to regulatory expectations and conduct rules.