(Another) Final Countdown: SMCR Looks to Further Increase Accountability at Financial Firms
This article was originally published in TabbFORUM. By Saeed Patel.
In the wake of the 2008 financial crisis, the UK government sought to improve governance and accountability in the financial sector by replacing the UK Approved Persons Regime (APR) with a regime that was more focused on senior managers and individual responsibility for any failures that adversely affect customers. This resulted in the creation of a new Senior Managers and Certification Regime (SMCR), which has been in force for banks, building societies, credit unions and RAP (Relevant Authorised Persons)-designated investment firms since March 2016.
The FCA has previously indicated that these conduct rule changes signify a critical step in changing culture and individual behaviour within financial firms, and we have already seen an increase in the number of enforcement cases in the first phase of SMCR. The reputational risk to individuals and firms for non-compliance has been raised to new levels. On 9 December 2019, the SMCR requirements will be extended to cover all FCA solo-regulated services firms, affecting the most senior management including board members, and executives with significant influence such as non-executive directors.
The extension signifies a sea change in the way conduct in the UK financial services sector is regulated. As of 9 December, nearly every person who works in financial services – approximately 47,000 FCA authorised organisations including brokers, proprietary traders, hedge funds, asset managers and non-bank FCMs – will be subject to the new regime, which affects all firms regardless of size.
With three months to go, firms’ preparations should be well underway. However, as is often the case, numerous market participants have had to delay their preparations for the SMCR deadline due to other priorities, such as Brexit planning and post-MiFID II implementation issues. Despite the approaching deadline, industry SMCR preparedness remains remarkably low. According to a recent survey by Acuiti, only 29 percent of firms currently have the knowledge and expertise in house to provide the appropriate level of training needed to comply, compared with 41 percent of firms who are looking to outsource all or part of the training process. What is more, 42% of firms have not considered the impact of annual and on-going fitness and propriety assessments, or do not see this as a priority until 2020.
There are several elements that firms need to urgently focus on now in order to meet the December deadline.
SMCR defines three firm categories or types: limited scope, core and enhanced regime. As a first step, it is key for firms to determine which category they fall into – at a legal entity level as opposed to a group level – as this will dictate the rules that will apply to them and necessary steps for compliance. Significant differences exist in terms of the obligations each type of firm will be subject to. Those failing to determine the relevant category themselves by 9 December will be assigned one by the FCA.
Training will be critical to ensuring compliance with these new regulations. It is therefore essential that firms have in place a well-documented, robust training programme to show that reasonable steps have been taken to achieve the levels of competency required by the regulations. Given the December timeline, outsourcing will be the best option for many firms, especially as building internal training programmes that meet industry standards can be both time consuming and costly.
Technology can be a great facilitator in reducing the time, complexity and costs required for the preparations. Unfortunately, too many firms continue to rely on legacy tools to manage this process and will likely find the preparations extremely cumbersome and risk falling short of complying with the core regulatory requirements. Today numerous firms continue to use their existing HR tools that are unfit for purpose from an SMCR perspective. Crucially, in the event of a breach a firm will need to demonstrate to regulators that it has an effective and continuous process of managing its SMCR obligations, including up to date responsibility statements, responsibility maps, training records, and evidence of fitness and propriety assessments as part of the individual certification evaluation process. By managing all related documentation pertaining to the designated senior management functions and certified individuals, complete with audit trails, through one central platform, firms can demonstrate to regulators that appropriate steps were taken to ensure compliance.
SMCR not only considers professional conduct at work by individuals but also personal conduct inside and outside of the work environment. Regulators are taking note of the advances in technology which allow firms to complete thorough background checks that extend much further than the criminal and regulatory checks that are part of the usual employment process, as part of the annual fitness and propriety assessment. For example, firms may conduct checks on individuals’ online presence across all publicly available information including the deep and dark web for any concerning material.
Whilst regulators have allowed for a transition period for certain elements of the extended requirements, these are mere exceptions and should not be considered as an excuse to delay preparations further. Increasing scrutiny of conduct in the financial marketplace is a clear direction of travel, with a growing expectation amongst market regulators and consumers that all financial services providers act with integrity, skill, diligence and in the best interest of customers. Firms should be mindful of this new approach as they evolve their activities, in order to avoid operational challenges and cost pressures that could have been easily eliminated with early planning.
SMCR checklist ahead of the 9 December deadline
Define your firm type: limited scope, core, enhanced
Brief board-level and other senior executives likely to be subjected to SMCR
Create implementation plan including activities, timelines, resourcing requirements, dependencies and available technology solutions
Identify which senior managers will have prescribed responsibilities and prepare responsibility statements
Identify individuals performing certified functions who will require certification by the firm
Ensure employment contracts, management structures and job specifications reflect current responsibilities
Notify the FCA of any changes to certified individuals with prescribed responsibilities and submit senior manager’s FCA applications for approval
Update internal appraisal and recruitment processes to include Fit and Proper assessments and appropriate background checks
Ensure handbook policy and procedures comply with regulations
Raise company SMCR awareness through training and company-wide roll out