Julian Sampson, Chartered FCSI, Director of Fulcrum Compliance and former Chairman of the CISI Compliance Forum, says that the UK’s Senior Managers and Certification Regime can be just as tedious and time-consuming as anything emanating from Brussels
Complaining of regulatory overload is the common currency of the age. Ever-increasing expectations from regulators and a public environment still largely hostile to the financial services sector means that there are no advocates for reducing the burden of regulation. When it comes to government initiatives for reducing red tape, financial services firms are seemingly exempt.
Brexiteers might claim to have slain this dragon – at least post Brexit. Once we’re out, we’ll be able to pick and choose which regulations we adhere to and no longer be subject to the many-headed hydra of EU-inspired regulation.
If that turns out to be true, there are many who will raise three cheers – and probably the odd glass or two – to Nigel Farage. And yet the biggest onslaught of regulation yet to hit UK firms is not from Europe – it is home grown. It emanates from our sovereign UK Parliament, acting independently of Brussels, and promises to tie smaller UK firms up in knots, with only remote benefits to consumers.
Thus it is that the Senior Managers and Certification Regime (SMCR) will be implemented across all UK regulated firms, at some as-yet-unspecified date in 2018. HM Treasury announced the extension of the SMCR from the banks and insurers (where it is already in place) to all investment firms back in October 2015.
One of the key elements of the SMCR is ascribing specific responsibilities to specific people. One can understand how in a large and diverse organisation like a bank, this is not always clear. Even where it is apparently clear, enforcement cases have shown that bank CEOs can still evade responsibility. The SMCR aims to clarify this.
But is that really necessary in a smaller firm? Won’t all roads always lead to the CEO or senior partner? Does so much time and effort need to be expended on determining what we already know?
Another key element of the SMCR is the Responsibilities Map. This shows in diagrammatic form who is responsible for what. The FCA wants to see in the map that the firm has clear and appropriate governance arrangements and reporting lines. These maps must be kept up to date and sent to the regulator with certain applications. The FCA is quite particular about the level of detail that should be on the map.The purpose of the Responsibilities Map is to help the FCA identify "who it needs to speak to about particular issues and who is accountable if something goes wrong"
While this might sound straightforward, it might be new for a smaller firm. Many firms manage quite well without such a chart in place. Indeed, if the firm is small and everybody is used to working with each other, such documents add little value. However, that presupposes that the map is actually meant to benefit the firm – it’s not. As the FCA makes clear in SYSC 4.5.6, the purpose of the map is to help the FCA itself identify “who it needs to speak to about particular issues and who is accountable if something goes wrong”.
Preparation for the potential roll-out of the Responsibilities Map is, at this stage, relatively easy. If you’ve already got an organisational chart, consider how it can be enhanced by adding job titles or descriptions, or key elements of responsibility. If you don’t have such a thing in place, start thinking about one now.
The map is accompanied by a related document, the Statement of Responsibilities (SoR). This is intended to show the responsibilities that the senior manager has as part of their role. Again, the FCA is particular that it should be a succinct, clear description of each responsibility and should not cross-refer or include links to other documents.
If an SoR looks and sounds like the job description, that’s good. They should look like that. However, many smaller firms will not have a job description in place. Staff at smaller firms will often have nothing more than a contract giving them a title and reporting line. Management objectives and responsibilities may have been agreed informally, be undocumented and have been arrived at without full consideration of any gaps or overlaps with other management team members. But somehow, it all still works.
Perhaps the biggest change brought about by the SMCR is the pushing back of responsibility for ensuring the competence of staff – and their fitness and propriety – from the FCA to the firm. In reality, this is where that responsibility always lay. However, this has now been made explicit under the SMCR.
The current regime now requires banks and insurers to obtain references for all senior management roles, to consider their skills in the context of the board as a whole, as well as assess their fitness and propriety. All of these would have been done anyway, without the need for FCA encouragement. This requirement for references is extended to all those ‘significant harm’ functions covered by the parallel Certification Regime. The upshot of this is that the smaller firm will now have to pay closer attention to how it evidences its recruitment processes.
However, recruitment at the smaller firm is often a much more informal process. If references are taken, they are frequently verbal. More importance may be placed on existing team members having worked with the candidate previously. Criminal record checks will not necessarily be carried out. And the documentation held by the firm supporting the decision to appoint a candidate will be much less substantial.
Time spent now revising recruitment procedures and documents is likely to be well spent
This is the area likely to require most attention at the smaller firm. Most of these firms will lack a dedicated human resources function and as such be reliant on the recruiting manager or another shared resource to carry out these checks. But it is anticipated that this aspect of the SMCR regime may be implemented as it currently applies to banks and insurers – so time spent now revising recruitment procedures and documents is likely to be well spent.
Other aspects of the SMCR could prove similarly testing for smaller firms. Currently in-scope entities are required to have handover procedures, where the individual vacating a position has to prepare a comprehensive set of handover notes for their successor. Given the difficulty of managing mismatched notice periods and ensuring that judgments in these notes are supportable, one would hope that the FCA would see that the implementation of these in smaller firms is problematic.
Similarly, with the requirements to notify the FCA, banks are now obliged to submit a revised SoR to the regulators if there has been a significant change in a senior manager’s responsibilities. If the FCA is to insist on such notifications being made by firms currently out-of-scope, one can only hope that it is geared up for the increase in notifications they receive.
Notification requirements also apply to breaches of the behavioural standards as set out in the new Code of Conduct (COCON). These apply widely, and firms currently in-scope are required to notify the FCA immediately of breaches by senior managers and annually of breaches by all other individuals subject to COCON if those breaches have led to disciplinary actions. Again, if the FCA really wants to be advised of these events by all firms, those firms are entitled to expect the regulator to be ready to receive them.
Although the FCA speaks of the need for proportionality in implementation, it has given no indication of which of these areas might not be implemented in smaller firms. The FCA has conducted a cost benefit analysis, which shows that they are looking at the costs of implementing the entire regime, unchanged, across the whole financial services sector.
So when we next complain of regulatory overload, let’s not immediately blame Brussels – at least this time. And let’s remember that sovereign parliaments are quite capable of enacting tedious and time consuming legislation, all of their own initiative.
Views expressed in this article are those of the author alone and do not necessarily represent the views of the CISI.