29 March 2017 by Neil Herbert
The cultural change that the Senior Managers and Certification Regime represents should not to be underestimated
The Senior Managers and Certification Regime (SMCR) rules apply to individuals working at regulated firms in banks, building societies, credit unions, PRA investment firms and foreign banks with branches operating in the UK. The rules, which came into force on 7 March 2016, replace the Financial Conduct Authority’s former Approved Persons Regime (APER).
Not all aspects of the SMCR have come into force just yet, but what is crucial is that by 2018, all Financial Services and Markets Act regulated firms will come under its scope. The regulation currently applies to around 1,000 firms; by 2018 it will be just under 60,000 firms. The culture change that this regulation represents is not to be underestimated.
“SMFs are all going to be under an obligation to keep their eyes open and others in their firm will be watching them”
The new regime is all about encouraging senior managers to take responsibility for their actions, but it is also about holding them accountable. One of the most frustrating outcomes – from a political, social and regulatory perspective – of the financial crisis was that despite a lot of blame being identified, it was almost impossible to pin any of it on any individual. The new regime is designed to overcome this defect, in addition to the perceived defects associated with the APER.
The SMCR applies to all those in senior management functions (SMFs), of which there are currently 20 roles defined. The certification regime, however, captures a far wider body of individuals than the APER, because it encompasses those who pose a significant risk to the firm and its customers – in other words, significant risk-takers within the firm.
The regime could well be described as the ‘documentation regime’, or perhaps, more sinisterly, the ‘Orwellian regime’. SMFs are all going to be under an obligation to keep their eyes open and others in their firm will be watching them.
Although the Treasury removed the obligation to report all conduct breaches to the regulator, there is an ongoing principle of identifying and dealing with such breaches and escalating to the regulator those serious enough to warrant it. Firms still face the challenge of defining what a breach might look like, ensuring that everyone understands that, and then recording, mitigating and dealing with the problem going forward. All of which needs to be recorded internally.
Furthermore, many firms are investing in sophisticated vigilance systems that are watching and monitoring all aspects of conduct risk and behaviour. Some of these vigilance systems are particularly Orwellian. Although the argument of ‘you have nothing to fear if you have nothing to hide’ might well apply, those with risk responsibility need to thinks about the people under their span of control and whether they have nothing to fear because nothing is being hidden. They should question whether they have proper oversight over all of those individuals’ actions and behaviours.
The replacement of the statutory presumption of responsibility with a statutory duty of responsibility for senior managers to take ‘reasonable steps’ to prevent regulatory breaches in their areas of responsibility was a relief to many in the new SMFs. With a firm focus on statements of responsibility and responsibility maps for senior managers, the SMCR has not lost its potency by removing the ambiguity – ambiguity that was previously relied on by some senior managers in their own defence.
“The key to protecting yourself and your firm is to get the documentation right”
The key, therefore, to protecting yourself and your firm is to get the documentation right. The statement of responsibilities is a document that senior managers must have, setting out their accountabilities. Firms are under a duty to identify the regulated activities and ensure that those activities are allocated to a specific senior manager. Senior managers (unlike certified individuals) will still have to be approved by the regulators and the Statement of Responsibilities will have to be submitted as part of that approval process.
It is also important to recognise that this document has to be resubmitted every time there is a change in role, a reallocation of duties, or the removal of a senior manager. It is crucial to get this document right and I know that some senior managers have even resigned because they could not agree with the statement of responsibilities, deeming the personal risk as just too great.
It is therefore important for any senior manager to consider very carefully the responsibilities that he or she is being asked to bear and seek to negotiate with the firm if they are too onerous. If you, as an individual SMF, do not feel you possess the requisite competencies to be responsible for a particular SMF you are being assigned, you should say so.
Additionally, all individuals in an SMF should ask whether the firm – their employer – is sufficiently committed to embedding the processes required in order to ensure they are protected. In short, these requirements are:
The management responsibilities map requires firms to identify all regulated activities and allocate each of these to a senior manager. Firms must also ensure there are no accountability gaps in the management responsibility maps and they have to reconfirm annually to the regulators that there are no such gaps.
“Only those with the right systems and procedures in place will feel safe in such an Orwellian world”
In terms of the handover process, senior managers will now have to engage in a process with which they are unfamiliar. When staff leave we are all familiar with the exit interview, which is a fairly routine procedure lasting an hour or so. Under the SMCR, senior managers will have to provide their successor with a handover certificate, setting out how they should exercise their responsibilities and also identifying any issues about which their successor should be made aware.
It used to be the case that when senior managers left a firm, they were absolved of their responsibilities and the exit process was a formality to which little attention was paid. You now have to protect yourself even on the way out, by ensuring that the handover certificate is thorough. If you have not passed on certain information you could be held responsible, even if you have left that entity.
These requirements represent a significant change in the culture of most regulated firms. Only those with the right systems and procedures in place will feel safe in such an Orwellian world. Those systems must at least be capable of recording and managing the structure of responsibilities and the management structures to which they are assigned up to required regulatory standards.
But this alone is not enough. There must be clearly established benchmarking and monitoring processes in place to establish what ‘reasonable steps’ are and how well they are being taken. Those responsible for the delivery of these steps – and therefore posing a risk to the firm and the SMF in question if they fail to deliver – must be identified and mitigated. All of this requires a sophisticated level of monitoring, assessment and control. This cannot be done by traditional manual methods – an effective automated system is key.