Authorised financial services firms are mid-way through the transition to a new three-tier regime for the regulation of individuals. This update looks at enforcement risks for the top-tier only. Separate updates will look at the other two tiers and further specific risks and issues from an enforcement perspective.
We look at:
- the background to the new regime
- the role of new senior management functions
- the main new requirements
- enforcement risks
- how to minimise these risks.
Background to regime change
The operation and supervision of senior roles within authorised firms have previously been regulated under the Approved Persons regime where the roles were known as Significant Influence Functions. The aftermath of the financial crisis in 2008 revealed the weakness of this regime, which, due to systemic weaknesses and ineffective ongoing supervision, left regulators largely unable to hold individuals accountable for the systemic failure of the institutions that they were responsible for managing.
The Approved Persons regime is therefore in the process of being replaced by the Senior Managers and Certification Regime (SMCR) which is designed to address this lack of accountability. The SMCR sets out functions/roles and responsibilities that are crucial to the running of financial institutions and demands that these institutions identify the particular individuals responsible for their ongoing management. Each function must be allocated to an identified SMF Manager who has a duty of responsibility in respect of compliance by the firm in its activities in his or her area of accountability. This allocation must be disclosed to the regulators in a "Responsibilities Map". By clarifying the allocation of accountability the new regime seeks to make it easier to hold individuals to account.
For banks, building societies and large investment firms (Relevant Authorised Persons or "RAPs"), the SMCR has been in force since March 2016. The SMCR will be rolled out and is currently intended to apply to all authorised firms from a date in 2018. Consultation by the Regulators is still ongoing.
The administration of the SCMR is divided between the FCA and the PRA (together, the "Regulators"). The regime is established by statute and fleshed out in the Regulators' rule books.
The role of SMF Managers
The SMCR allocates accountability for the key activities carried out by firms to SMF Managers via a complex series of functions and prescribed responsibilities.
Senior Management Functions (SMFs)
SMFs require the individual performing them to be responsible for managing an aspect of the firm's affairs. Not all of the functions will be relevant to every firm. For example, whilst all firms require a Chief of Finance (SMF2), not every firm will require a Group Entity Senior Manager (SMF7).
Certain responsibilities are pre-assigned to these roles by the Regulators. For example, the Chief Executive Function (SMF1) is responsible "under the immediate authority of the governing body… for carrying out the management of the conduct of the whole of the business of a firm".
Prescribed Responsibilities
These areas must be assigned to a senior manager of the firm's choice. Responsibilities may only be shared in exceptional circumstances.
For example, one Prescribed Responsibility demands that an SMF Manager must be given "responsibility for the firm's performance of its obligations under the senior management regime". Another allocates accountability for compliance with the firm's obligations in relation to its management responsibilities map.
Firms must identify and allocate responsibilities to individuals for Senior Management Functions. All major activities and risks of the firm’s affairs must be allocated to key individuals.
Key deliverables- what do you need to do?
Pre-approval and ongoing assessment of SMF Managers
Firms must have a procedure in place to assess the fitness and propriety of SMF Managers before their appointment. SMF Managers must also be pre-approved by one or both of the Regulators (depending upon the SMF) before the individual is appointed to the role. Firms must reassess the suitability of each SMF Manager at least once a year and report to the Regulators if there is any cause to doubt the individual's suitability for the role.
Statement of Responsibilities
In support of their application for regulatory pre-approval each SMF Manager must submit a signed statement setting out the responsibilities that will fall within their proposed remit. Should these change significantly then the Regulator must be notified and the relevant statements resubmitted.
Firms should have a procedure in place to govern any transition between roles.
Responsibilities Map
Each firm must submit a Responsibilities Map showing how each relevant SMF and Prescribed Responsibility has been assigned amongst the SMF Managers. The firm must annually confirm with the Regulators that there are no gaps in the allocation of responsibilities.
Reporting disciplinary action to the Regulator
If firms take disciplinary action against an SMF Manager in relation to a breach of the conduct rules, then the firm must notify the regulator.
The duty of responsibility
The FCA is currently consulting on proposals to amend the Decision Procedure and Penalties manual that gives guidance on how the 'duty of responsibility' will be enforced.
A senior manager is guilty of breaching their duty under the SMCR if:
- there was a regulatory contravention by the firm;
- the senior manager was responsible for the activities in relation to which the contravention occurred; and
- the senior manager did not take such steps as would have been reasonable to avoid the contravention.
Enforcement risk areas
Ensuring full coverage and co-ordination of the relevant functions and accountabilities – risks for firm and individual
The new regime puts the onus on firms for identification and allocation of all relevant SMFs and Prescribed Responsibilities. The scheme is complex and this process is a new one for firms. The Statements of Responsibility and the Responsibilities Map must describe accurately and comprehensively the responsibilities and their allocation without any gaps. Particular risks also arise when a senior manager leaves the firm and there is a handover to another individual.
In addition, as mentioned above, there will be a senior manager who is given 'responsibility for the firm's performance of its obligations under the senior management regime'. In the event of a failure by the firm to identify and allocate responsibilities as required, this individual will themselves be at risk of breach of the duty of responsibility if he/she failed to take reasonable steps to avoid the failure.
Three potential routes to personal liability
The new regime governing individual responsibility of SMF Managers will exist alongside the two other ways in which an individual may attract regulatory liability: (i) through his or her own breach of a Principle (which will be a “conduct rule” in the new regime) or (ii) being knowingly concerned in a breach of conduct rules by the firm (ss66A and 66B of FSMA).
Penalties against individuals who fail to meet the expected standard of conduct or who cease to be fit and proper continue to include prohibition/withdrawal of approval, fines and other disciplinary sanctions and warnings.
In practice, the new duty of responsibility is unlikely to make much difference to the level of competence required of a senior manager. However, there is a practical impact in terms of demonstrating compliance.
Evidence of compliance
For some time, the Regulators were considering a reversal of the usual burden of proof such that in the event of a failure of compliance in a particular aspect of the firm’s activities, the SMF Manager would be presumed to be in breach of his/her duty of responsibility unless they could prove otherwise.
To widespread industry relief, this proposal was dropped after consultation. However, for any SMF Manager faced with an allegation of breach of the duty of responsibility, the key practical point remains that he/she will need to be able to show that reasonable steps were taken to avoid the contravention. Wherever possible, the most compelling way to do this is through the production of contemporaneous documents and records, including internal communications and minutes showing the steps taken and the reasons why they were reasonable. Record-keeping will be key.
Limitation
The time limit for disciplinary action by the Regulator after misconduct is committed has been extended from three to six years.
What you need to do
Scoping, planning and implementation of compliance with the new regime
The potential impact of the regime change is very extensive. Authorised firms which are not RAPs and therefore not yet subject to the regime should keep a close eye on regulatory consultations, proposed rules and guidance on the roll-out and wider implementation of the new regime. Lessons are being learned from the application of the regime to RAPs. We will look at some of these in a later update.
A properly planned process needs to be devised and implemented for the identification and allocation of responsibilities to senior managers.
In our view, this process will need to be led and overseen by the senior management and the Board. As noted above, for RAPs the correct implementation of the new regime by the firm itself falls within the scope of a Prescribed Responsibility. In other words, there is potential senior management accountability for any non-compliance with the new rules. We would expect the similar requirements and sanctions to be integral to the regime for all authorised firms in due course.
Produce clear Statements of Responsibility and a Responsibility Map
These are the key specific documents which are expressly required under the new regime. They need to be comprehensive and clear.
Both the FCA and the Bank of England ("BoE") have voluntarily produced Statements of Responsibility and Responsibility Maps. The FCA and BoE documents are more detailed and extensive than would be required for many firms but nonetheless provide a useful lead for the format and content of these important documents. They can be accessed via these links:
Record-keeping
Ensure that all deliberations and decisions about senior management responsibilities are identified and documented. These records which may include committee minutes, correspondence and/or advice must be safeguarded and easily retrievable for at least the required period.
Annual reviews and handover
Continuing compliance of SMF Managers with the pre-approval requirements on suitability, fitness and propriety must be re-assessed annually so the Board-led and approved implementation of the new processes should incorporate reminders and actions for these annual reviews.
On departure of an SMF Manager from the firm, there should be a constructive and clear handover to the identified replacement with sufficient lead time to allow identification of any difficulties or problems.