FCA consulted (CP17/25 & CP17/40) on the extension of the Senior Managers & Certification Regime (SM&CR) to FCA firms. The feedback to those consultations was contained in PS18/14 which tweaked the FCA consultation papers; for example by removing one of the proposed Prescribed Responsibilities. This briefing focusses on the Core Firms. FCA has now set an implementation date of 9 December 2019.
SM&CR is the product of the failure of the banking system in 2008 and the ensuing Parliamentary Commission on Banking Standards which strongly criticised what it saw as the lack of personal accountability due to the controlled functions regime not attributing meaningful responsibilities to specific individuals. The Commission’s findings were enacted in the Bank of England and Financial Services Act 2016; in particular Schedule 4. The extent to which the root causes of failure in banks are carried over to the root cause of failure in FCA solo regulated Core Regime firms is a topic worthy of separate debate.
The detail of SM&CR is contained in the Individual Accountability (FCA-Authorised Firms) Instrument 2018 with its changes to the SYSC, COCON, COND, APER, FIT, IFPRU, COBS, CASS, SUP, DISP and CREDS sections of the FCA’s Handbook.
Headline Provisions of SM&CR
There is a clear iteration of what the responsibilities and accountabilities of senior managers are as well as an extension of the regulatory footprint, not only to the new categories of certification people but more generally with the Conduct Rules.
Senior Managers will all have inherent duties as well as any prescribed responsibilities which are allocated to them. They will also need to comply with the Senior Management Conduct Rules and take reasonable steps to comply with their statutory duty of responsibility.
Certification Staff will need to be identified within firms, principally by an assessment as to whether they undertake significant harm functions. They will be subject to annual certification of their fitness and propriety, have to comply with the Conduct Rules and will fall within the regulatory reference regime.
Firms will need to provide notification of any Conduct Rule breaches resulting in disciplinary action to FCA. Regulatory reference rules are also being tightened up to report on those who leave ticking time bombs. SM&CR has very limited application to Appointed Representatives given restrictions to the scope of Bank of England and Financial Services Act 2016.
Senior Management Functions
These are set out in the proposed SUP 10C.4 and will replace the existing controlled functions (CFs). Logically, these people are seen as being those whose errant actions are most likely to have consumer and market detriment. SUP 10C.4 segregates “FCA governing functions”, which only apply if firms have people undertaking those roles, from “FCA required functions”, which are roles a firm needs to appoint people to. For core firms, there are only two required functions: the compliance oversight function (SMF 16) and the money laundering reporting function (SMF 17). The FCA governing functions for UK core firms are CEO (SMF 1), Executive Director (SMF 3), Chairman (SMF 9), and Partner (SMF 27).
Some of the controlled functions are not carried over into the SMF regime: CF 10a (CASS oversight), CF30 (customer function) and CF40/50 (benchmarking functions). The removal of CF30 has given rise to the law of unintended consequences given that consumer visibility of those people via the online FCA register could disappear. This is particularly relevant given some of the comments made in the Parliamentary enquiry into the British Steel defined benefit pension transfers and is an aspect FCA is looking into. Non-executive directors who do not undertake a senior management function, whilst they were CF2s under the approved persons regime, fall out of the new SMF regime but will need to be certified.
Senior Manager Responsibilities
These are inherent to each particular senior management function and, as such, come with the territory of being appointed to such function. Compliance with them is a statutory rather than just a regulatory duty. These duties cannot be watered down or waived. Senior managers can be held liable for any failures within the areas for which they are responsible if they did not take “reasonable steps” to prevent or stop any such breach. Non-compliance is, therefore, not a matter of strict liability and the burden of proof falls upon FCA “to show that a senior manager did not take the steps a person in their position could reasonably be expected to take to avoid the firm’s breach occurring” (CP17/25, para 4.21). DEPP will make clear the parameters FCA will apply in taking disciplinary action for breaches of these duties.
Prescribed Responsibilities are additional responsibilities; a firm must decide which of its senior managers should undertake each of them. They will also apply to non-executive directors who are not senior managers. These duties are in addition to the inherent responsibilities senior management role holders have and are:
- Performance by the firm of its obligations under the Senior Managers Regime, including implementation and oversight
- Performance by the firm of its obligations under the Certification Regime
- Performance by the firm of its obligations in respect of notifications and training of the Conduct Rules
- Responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime
- Responsibility for the firm’s compliance with CASS (if applicable).
- [Authorised Fund Managers only] Responsibility for value for money assessments, independent director representation and acting in investors’ best interests
The proposed rules specify what each of the above responsibilities will include (but, by implication, not be limited to). Consistent with the principle of individual accountability, FCA’s starting point is that each Prescribed Responsibility should “normally be held by one person”. It does, however, recognise that this may not always be practicable so will allow a firm to divide or share a Prescribed Responsibility but only “in limited circumstances and where a firm can show that this is appropriate and justifiable”.
Statement of Responsibilities (SOR)
This is a regulatory document which will set out each senior manager's role and responsibilities. It will need to be reviewed on an ongoing basis. In addition to the SOR needing to be submitted in support of any regulatory application for approval of a senior manager, it provides visibility to each senior manager of his or her responsibilities. In addition to CP17/40, FCA published a guidance consultation in October 2018 (GC18/4) which seeks to assist in the preparation of SORs.
Senior Management Conduct Rules
Unlike the prescribed responsibilities, they are generic in nature and are very much an extension of the general regulatory principles (e.g. Principle 11).
SC1 You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively
SC2 You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system
SC3 You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the responsibility effectively
SC4 You must disclose appropriately any information of which the FCA would reasonably expect notice.
The Certification Regime is where the most impact will be felt within FCA solo regulated core firms, as it will require them to identify which of their people undertake Certification Functions. Whilst these individuals will not require FCA approval to perform their role, each firm will need to undertake ongoing fit and proper assessments in respect of them.
Significant Harm Functions
Firms will need to analyse which of their employees undertake significant harm functions. The core of this analysis will comprise an impact assessment based on the potential harm of each of their actions on the firm itself, the market (more generally) or the firm’s customers.
FCA’s non-exhaustive list of significant-harm functions includes CASS oversight, benchmark submission and administration, proprietary trader, significant management, functions requiring qualifications, managers of certification employees, material risk takers, client-dealing and algorithmic trading.
Firms will need to monitor which individuals undertake those activities on an ongoing basis and should be able to provide evidence of their assessments. Where a balanced judgement needs to be made, it is probably better for firms to err on the side of assuming that such employees will require certification. Given the need to identify managers of certification employees, a bottom-up rather than top-down approach will be required.
Examples of who are likely to be included in this regime, to the extent that they do not undertake any senior management functions, are customer services managers with line management responsibility, those who were previously CF30s, heads of IT, HR etc.
All conduct staff, including senior managers, certified staff and all other staff working for a firm other than those with purely ancillary functions not specific to financial services (a non-exhaustive list of such is contained in paragraph 7.14 of CP17/25) will need to comply with high level conduct rules. For those who are obliged to comply with the senior management conduct rules, these rules are in addition to those more prescriptive rules.
This first tier set of rules is an encapsulated version of the general FCA Principles and the effect of its implementation is to cascade these standards throughout the financial services industry at a personal level; again consistent with the ethos of individual accountability.
These rules are:
- You must act with integrity
- You must act with skill, care and diligence
- You must be open with the FCA... and other regulators
- You must pay due regard to the interests of customers and treat them fairly
- You must observe proper standards of market conduct
Some issues we envisage the implementation of SM&CR raising are:
- need to amend job descriptions with employment law implications,
- synchronisation of HR and compliance activities,
- reticence of some individuals to undertake increased personal responsibilities and liabilities,
- increased reporting to FCA of misconduct,
- manner in which FCA will monitor the implementation and operation of SM&CR within firms,
- drafting of statements of responsibilities,
- ensuring that this is not seen as a mere bureaucratic, box ticking exercise,
- training requirements at all levels,
- potential effect on PI premiums,
- review of directors & officers liability insurance cover,
- demarcation disputes as to responsibilities between various senior managers within some firms including how the prescribed responsibilities are to be applied,
- increased cost of compliance, and
- interdependencies between senior manager functions.