Are you ready for SMR or SMCR as it is also known? Regulatory change never stops. Alongside the countdown to GDPR in 2018, runs the countdown to SMCR or the Senior Managers and Certification Regime. This will replace the Approved Persons regime in much of financial services regulated by the FCA – or at least those who were not covered by the first rollout in March 2016 to banks, insurers and large investment firms.
But how different is it from the Approved Persons regime and how seriously should it be taken? At TCF we contend it should be taken seriously, that it is actually tougher, even if it looks lighter at first sight. We also think it has enormous potential to be over-engineered by firms and advisors and for getting the FCA stuck logistically as it tries to handle a vastly greater number of submissions than they have had before.
The initial application of this new regime, which was first proposed by the 2013 Parliamentary Commission on Banking Standards, to banks and other key firms was a direct response to the crash. It was motivated by the need to improve transparency and accountability. The Commission trashed the existing Approved Persons regime, calling it “a largely illusory impression of regulatory control over individuals, while meaningful responsibilities were not in practice attributed to anyone. As a result, there was little realistic prospect of effective enforcement action, even in many of the most flagrant cases of failure.”
Those of us who have been grappling with the policy and practical issues of accountability of individuals instantly saw this as the shape of things to come for other areas of financial services and in October 2015 the Government announced that they wanted to apply it to all of financial services and provided the powers to do this in the Bank of England and Financial Services Act 2016.
So what does this mean? And is this the bogey man that some would have you believe? First, a little bit of explanation and then we will give you our deeper thoughts on what this may mean for firms and for the regulators.
The Approved Persons regime – which will continue operating for these remaining firms until such time as it is replaced in 2018 – focuses chiefly on making a specified range of functions and the individuals who carry them out accountable directly to their regulator, requiring them to be approved in advance and registered on the FCA’s register, and liable for their actions. Anyone who has ever been an Approved Person (and taken this seriously) will tell you that this is not a comfortable position to have.
Its primary weaknesses have been twofold. The first is the prevalence of collective decision making, where it is harder for the regulator to pin responsibility for a firm’s failings on a single person or a small group of individuals. The second is that many firms, other than the very largest, barely see a supervisor and their Approved Persons candidates may often not be interviewed. Accordingly it was always easy for such firms to dismiss the Approved Persons regime as not terribly meaningful and therefore not feel the pressure to shoulder accountability which was its core purpose.
Accordingly, firms and individuals’ experiences of the Approved Persons regime have varied massively. Some firms and individuals have faced tough scrutiny and sometimes rejection whereas others appear to have sailed through the FCA’s approval process, declaring the process dead easy, and attributing their success to the power of their brand or the personality and experience of the candidate. The truth has been more mundane. The FCA has lacked the resource to bring the same level of scrutiny to everybody.
The SMCR is a very different kettle of fish. It creates a tougher regime despite sharing some of the same weaknesses of the existing one.
In summary, it replaces Approved Persons with Senior Managers who also require approval from the regulator. However, it reduces the number of potential roles affected to a shorter list of prescribed ones. Each Senior Manager requires a Statement of Responsibility to be lodged with the regulator that details their specific responsibilities, meaning that if something goes wrong at the firm, the PRA or FCA will be able to reach for this and directly allocate accountability to an individual. So, far so good. Clearly it’s potentially tougher for those who are covered by the prescribed roles but is this a let off for everyone else?
Absolutely not. The SMCR’s additional teeth come into play because it makes the firm responsible for “certifying” a much wider and deeper range of people, the so-called certified people. It then goes further by applying conduct rules, which look a bit like a granular version of the Principles and Treating Customers Fairly, to the Senior Managers, the ‘certified people’ and pretty much everyone working for the firm unless they are in an entirely ancillary role such as security, reception work or cleaning.
In addition, the firm has to submit, have approved and then maintain a Responsibilities Map setting out responsibilities and governance across the firm. Certified people will have to be reassessed and checked every year. Evidenced training must be provided to all staff who have to comply with the conduct rules.
Overall this creates a significantly greater internal oversight and verification burden for the firm which includes:
HR processes which smart firms will already have aligned with the processes under the Approved Persons regime will need to be improved.
People new to roles will need to have explained what the implications are for them and handover certificates will need to be provided by the previous incumbent.
Suitability for Senior Manager and certified roles should be assessed when external recruitment or internal appointments are undertaken.
Performance management and disciplinary arrangements and records will need to be scrutinised.
Training and performance records will need reappraisal.
Checks on staff will need to be rigorous and the risks mitigated, particularly as large numbers of CF30s such as advisors, will apparently ‘disappear’ from the FCA Register creating the potential for unwary firms inadvertently to participate in the phoenixing of firms and individuals, even though the FCA acting CEO, Tracey McDermott, in 2016 claimed the new regime would help to reduce phoenixing.
However, much as the introduction in 2018 of GDPR will expose gaps in current data protection arrangements, SMCR will test how far firms and individuals really were complying with the current Approved Persons regime which ought by rights to provide firms with a starting point.
For many firms the Responsibility Map needs to be viewed as an opportunity to review and clarify governance and decision making. Coupled with Statements of Responsibility, it can help managers faced with corporate fudges and turf wars break through internally to get more clarity on who is responsible for what.
For the very largest firms, SMCR has meant a huge reduction in the number of Senior Managers having to go through regulatory approval compared to the number specified as Approved Persons. This, firms tell us, makes little difference to how they work but does make it much clearer who is responsible for what. For smaller firms, the difference in numbers of individuals being approved will be much less stark.
SMCR may be more of a challenge for the smaller and newer firms for whom decision making is a bit less corporate or formal. Based on our experience though, handled right, the FCA will be more concerned about clarity on how the firm works rather than trying to replicate the bureaucracy of a large bank. It has already said that it will aim to be proportionate but has not said quite what that means. Our advice to firms would be to get on and think about starting your Responsibility Map now.
As far as guidance is concerned, time is running out on the publication of the FCA’s promised Q2 2017 consultation on SMCR, (though those familiar with FCA consultations know a lot can happen in the last month or week) and therefore there isn’t tailored guidance yet for the firms to which SMCR will apply from 2018. TCF, however, still believes firms can already get a lot out of considering what their Responsibility Map would look like. Most firms, in our experience, have a good idea of where responsibilities may be vague or short term fixes have become long term positions.
We would also suggest trying to see this as something potentially useful which can increase the efficiency of decision making rather than just something to please the regulator. Why? Because the logistics for the FCA of trying to process anything in the region of 50,000 firms and their management, even if there are plenty of one man bands in there, is huge. Internal sources in the FCA suggest to us that in the first wave of the implementation of the SMCR a number of firms were still madly working on the final day to submit the necessary paperwork to the FCA and that some 90% of the submissions received were not up to the standard the FCA wanted. So getting your core thinking straight early is good preparation, no matter what the formal guidance says, and not relying on detailed feedback from the regulator anytime quickly is sensible.
What effect will it have on firms? Aside from the administrative burden, it should focus a much wider group of staff on their responsibilities to the firm, customers, the FCA and each other. There is nothing quite like potentially being on the hook for ensuring that someone is more diligent in what they do and what they expect from others.
To get started we recommend you focus on the basics. Our sources tell us that one firm in the first SMCR wave, found itself having to justify how it had nominated a fairly junior member of staff as the most senior in an area when the consultant working for them on this had to work on the basis of what they did not realise were out of date telephone lists and HR records and this individual was the one stable name they had. Simple things like ensuring your HR records are up to date is important. Establishing exactly who works for you and when is not only a challenge for larger firms. It can be a real challenge for smaller ones too where record keeping has not been a priority.
So in summary, SMCR looks a bit like it has the potential to resemble flatpack instructions. The chances are that however complete the regulatory instructions are, you will find important information missing which you will have to complete for yourself. Don’t under-estimate the time it will take – create some decent read in, planning and implementation time. Always keep in mind the picture on the box so you focus on what you aiming at, not just the individual steps. Finally, we recommend giving this real thought because it could provide you with something really worthwhile – just don’t over-complicate it.
If you think we can help you do this, or you would like to share your thoughts, we’d be delighted to talk.