Britain’s financial services industry is bracing for new rules that will significantly broaden the scope of senior executives who will be personally held to account to U.K. regulators for failures that occur under their watch.
Since March 2016, a subset of U.K. firms—U.K. banks, the U.K. branches of foreign banks, building societies, credit unions, and dual-regulated investment firms (those regulated by both the Financial Conduct Authority and Prudential Regulation Authority)—have had to meet the stringent requirements of the FCA’s Senior Managers and Certification Regime.
On July 4, 2018, following three years of consultation on what the rules should look like and how they should be applied, the FCA published 412 pages of what it called “near-final rules” for how it plans to extend those same principles of responsibility and accountability to the remainder of FCA-regulated firms. No major revisions are expected, absent subsequent FCA Handbook changes, for example those relating to the U.K.’s exit from the European Union.
“The Senior Managers and Certification Regime sets clear standards for the conduct that consumers and regulators expect from all financial services staff,” said Jonathan Davidson, executive director of supervision, retail, and authorizations at the FCA. “These standards of behavior are central to the FCA’s priority of promoting healthy cultures in firms.”
Under the Senior Managers Regime (SMR), those performing “senior management functions” must first receive pre-approval by the FCA or PRA for each function an individual has, “as this will make the roles they perform clearer,” the FCA said. The FCA Handbook and the PRA Rulebook describe in more detail which roles constitute senior management functions; generally, they include the chief executive officer, executive director, chair, partner, compliance oversight, and money laundering reporting officer.
The SMR further requires that covered firms include all of a senior manager’s responsibilities in one “Statement of Responsibilities,” a requirement that has many in the industry feeling on edge. Once these statements of responsibility are created, in the event of a compliance failure, the FCA will clearly be able to see who is responsible for what. “As a result, I suspect that there will be reluctance on the senior manager to take on responsibility for anything beyond what they see as strictly being their role,” says Zac Mellor-Clark, an associate at the law firm Fried Frank.
In a recent speech, FCA Chief Executive Andrew Bailey called the Senior Managers Regime one of the most important developments in recent years for creating incentives for good culture in the financial services industry. “The basic principle of the Senior Managers Regime is that of responsibility and accountability: A senior manager has to take responsibility for the activities under their control. Likewise, they should be accountable for that responsibility,” he said.
With the expanded scope of the SMR, others in the U.K. financial services industry to fall under its scope will include all solo-regulated firms—those regulated by the FCA only. In addition to solo-regulated firms, the SMR will extend to all insurance and reinsurance firms regulated by the FCA and the PRA. The SMR for insurers will replace the current Senior Insurance Managers Regime (SIMR) and the Revised Approved Persons Regime for insurance firms.
The SMR also will apply to branches of non-U.K. firms that carry out regulated activities in the United Kingdom. The SMR will effectively replace the current “Approved Persons Regime,” which regulates the suitability of people in key management jobs.
With respect to solo-regulated firms, the extension of the SMR will impact a diverse range of firms—from sole traders to the largest and most complex global firms—and includes, for example, asset managers, investment firms, and consumer credit firms. Solo-regulated firms have until Dec. 9, 2019 (approximately 18 months) to prepare, whereas insurance firms have until Dec. 10, 2018, to come into compliance.
From a compliance standpoint, firms will want to decide what applications for approval will be needed for individuals taking up senior management functions leading up to the new regime. To help with this process, the FCA said it will make the new forms available before commencement of the rules, “so that firms can get these individuals approved as quickly as possible.” The FCA has further published a guide on its website to help firms understand what they need to do to prepare.
Complementing the SMR is the Certification Regime, which applies to individuals whose role can cause “significant harm” to the firm or customers, the FCA said. Such individuals may include, for example, investment decision makers, customer advisers, and material risk takers (e.g., traders).
Although certified persons do not need to be approved by the FCA, the onus is placed on firms to check and certify that these individuals are “fit and proper” to perform their role, the FCA said. This certification must be done at least once a year.
This requirement addresses the FCA’s concern of “bad apples rolling,” in which individuals who engaged in misconduct at one firm traditionally have been able to freely move to another firm in the sector, with the hiring firm having no visibility into that past behavior.
“This intends to tackle that problem by shifting the focus onto recruiting firms, whereas currently the FCA is effectively the gatekeeper,” Mellor-Clark says. “Under the current framework, a firm applies to the FCA for an individual to be an approved person. The certification regime changes the dynamic. Except for senior managers, it’s now on the firms themselves to certify that an individual is ‘fit and proper’ to hold a certification function without reference to the FCA. It’s all about firms taking responsibility for the behavior and culture within their firm.”
The measures a firm must take when making its assessment include a new requirement to carry out a criminal record check as part of the application for approval of a senior manager. Although not necessarily a burdensome requirement, “it’s an additional item that will have to go on the compliance checklist of things that will need to be addressed,” says Gregg Beechey, partner in Fried Frank’s asset management practice in its London office. Another compliance obligation firms must start meeting, if they aren’t already as a matter of best practice, is to obtain regulatory references for senior managers, certification staff, and non-approved non-executive directors before appointing them.
The FCA has designed the new rules to apply proportionately to the size, type, and complexity of the firm. As such, the following three tiers make up the SMR:
Core: Firms in this tier will have to comply with the baseline requirements.
Enhanced: This tier applies to a small number of firms whose size, complexity, and potential impact on consumers or markets warrant more attention. These firms must comply with additional requirements.
Limited scope: This tier applies to firms who already have exemptions under the Approved Persons Regime. Such firms will be exempt from some baseline requirements and will typically have fewer senior management functions than firms in the core regime. Examples include FCA-regulated energy market participants and oil market participants.
With these tiers in mind, the first step solo-regulated firms and insurers should take in preparing for the new rules is to find out which tier of the regime applies to them to determine what steps they will need to take to prepare, the FCA said. Firms can do so by either using the “firm checker tool,” or by reading the FCA’s guide for solo-regulated firms, or its separate guide for insurers.
Senior Managers Regime best practices
David Biggin, financial services expert at PA Consulting, describes some best practices for complying with the Senior Managers Regime, as well as poor internal practices to avoid.
Proactive measures to take now:
Identify the senior managers and certified persons population. Firms should identify whether they fall into the enhanced or core regime, should identify those senior managers who will be caught by the regime and indicatively allocate responsibilities to individuals.
Establish your program with senior level sponsorship. The SMCR affects a large proportion of most firms’ executive teams. This requires a coordinated program, sponsored by a senior executive, ideally the CEO, who can shape the organizational response to the rules and provide leadership to the group of senior managers affected.
Assess the impact on your operations. The SMCR can affect a myriad of internal processes across HR, compliance and in front-office functions. Firms should decide how the SMCR will be embedded into IT and operations to understand where the biggest changes will be. In some cases, for example performance management or maintaining governance maps, the organization may choose to invest in new tools to support compliance.
Define your interpretation of the rules. A number of elements of the regime are open to interpretation, for example “reasonable steps” or “fit and proper.” Each firm must decide what these mean in the context of their business in order to shape their response to compliance.
Poor internal practices to avoid:
Management Information. In many cases, senior managers will seek to rely on management information (MI) to demonstrate that they are maintaining control of their business area. This information is often incomplete, out of date or of poor quality. Poor quality MI can lead to “blind spots” in the control environment and lead to long term issues building up in a business area without oversight from the responsible senior manager.
Unclear delegation. Senior managers cannot comply with the regime alone. In most cases they will rely on direct reports to fulfil some of their responsibilities. This delegation must be clearly set out and agreed by both the senior manager and the person or people he/she is delegating to in order to avoid responsibilities falling down the cracks.
Poor operational processes. HR processes must be bulletproof. Every time a senior manager moves roles or leaves the organization, or every time a certified person is subject to a fit and proper assessment, the accompanying processes must be efficient, effective, and auditable.
Lack of focus on culture. SMCR implementation programs can often be driven by the letter of the regulation. However, this misses the opportunity to drive real cultural change in the organization to change the way employees act and think. By giving greater focus on the cultural element, firms are more likely to avoid rule breaches of all kinds, not just those related to the SMCR.
Source: David Biggin
Enhanced firms, for example, have an explicit “overall responsibility” requirement. “This means that an enhanced firm will need to ensure that every activity, business area, and management function has a senior manager with overall responsibility for it,” the FCA said. “This is to prevent unclear allocation of responsibilities that could result in issues falling between the cracks.”
Enhanced firms must also create and maintain a “responsibilities map,” which generally should clearly describe the firm’s management and governance arrangements. Although a responsibilities map is required only of enhanced firms, “all firms may find it helpful to use the principles and practice of the responsibilities map,” the FCA said.
In addition to inherent regulatory responsibilities, senior managers in a core or enhanced firm must be allocated “prescribed responsibilities,” which must be recorded in the statement of responsibilities. “It is for firms to consider which senior manager is the best person to hold each prescribed responsibility,” the FCA stated in the guide. “Prescribed responsibilities should not be shared across different lines of defense.”
The FCA recognizes, however, that large global firms with complex governance structures may have difficulty in defining individual responsibilities. Thus, the FCA has provided guidance on how to allocate prescribed responsibilities, especially where they may be divided across different departments.
The FCA specifically cites financial crime as an example. Where a money laundering reporting officer, for example, is not responsible for all aspects of financial crime, then the prescribed responsibility for financial crime should be allocated “to the senior manager accountable for all financial crime matters,” the FCA said.
During the consultation process, some firms asked whether they could apply the enhanced senior management functions, even if they were in the core tier, to which the FCA responded that it has made it easier for firms to opt into the enhanced tier “as a whole.” It stressed that firms cannot adopt only parts of the enhanced tier. “We think this could obscure accountability if there is only an ad hoc application of the enhanced rules,” the FCA said.
The FCA has also set out five conduct rules that apply to almost everyone in the U.K. banking sector. These high-level standards of behavior call on individuals to “act with integrity; act with due care, skill, and diligence; be open and cooperative with regulators; pay due regard to customer interests and treat them fairly; and observe proper standards of market conduct,” the FCA said.
Other conduct rules apply only to senior managers. Those rules require that senior managers:
Take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively;
Take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system;
Take reasonable steps to ensure that any delegation of responsibilities is to an appropriate person and that they oversee the discharge of the delegated responsibility effectively; and
Disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
Early planning is crucial to ensure the smooth implementation of the SMR. “In our experience, achieving compliance with the rules takes much longer than anticipated,” says David Biggin, financial services expert at PA Consulting. “Defining the remit of a senior manager is often easier said than done, particularly if roles have developed over time and no specific mandate for the role exists. Many executives have clear ‘top-line’ responsibilities for revenue and profit, but responsibilities with regards risk or operational management can often be undefined. In some cases senior managers may be uncomfortable with their responsibilities and may even seek their own legal advice before committing to their statement of responsibilities.”
“Firms couldn’t start preparing before now, because they didn’t know the exact shape of the rules,” Beechey says. While personnel may change and roles and functions may change leading up to the new regime, it’s prudent for firms to start preparing now, even if that’s only preliminary preparations.
Another reason why it’s prudent for firms to start preparations now can be summed up in one word: Brexit. “Depending on what happens with Brexit, financial services firms may be very busy next year dealing with the fallout from that,” Beechey says.
Firms should identify now who will be on the SMR project team. Large global firms, especially, will need to decide who from senior management should champion the effort, who is going to be involved from HR, legal, and compliance, and whether external advisors should be involved, Beechey says.
HR and compliance have a key role to play. They will need to decide which policies and procedures need to be reviewed and revised. This will inevitably include recruitment, appraisal, and disciplinary processes. Prior to implementation, training will also need to be rolled out for all staff on their obligations under the new regime, including how the conduct rules apply to their roles.
Additionally, firms will have an obligation to conduct fitness and propriety assessments annually, “which is going to have to be formalized and codified to comply with the new regime,” Beechey says. The FCA will need to be notified of any conduct rule breaches.
Concurrently with publication of the near-final rules, the FCA on July 4 proposed a new directory to help consumers and firms check the status and history of individuals working in financial services. The directory will include all those who hold senior manager positions requiring FCA approval and those whose roles require firms to certify that they are fit and proper. This includes those in consumer-facing roles, such as mortgage and investment advisers.
The FCA has published a basic prototype version of the directory for comment. Additionally, it’s seeking feedback on which individuals to include in the directory; what information to publish about each person; and when firms need to submit and update information about their employees under the new system. The consultation closes on Oct. 5, 2018.