Jonathan Chamberlain
Partner
Podcast
Ian Mason: Hello and welcome to this Gowling WLG Podcast on the FCA Senior Managers and Certification Regime. My name is Ian Mason. I am a Partner in Gowling and Head of the Financial Services and Regulatory Team.
Jonathan Chamberlain: And I am Jonathan Chamberlain. I am a Partner in the Employment Labour and Equalities Team, and I am going to be talking about some of the people aspects of how these new regimes will be implemented.
Ian: And I am going to be talking about FCA Compliance issues.
Why do you need to worry about the FCA Senior Management Regime? The FCA published its near final rules and guidance on the Senior Managers and Certification Regime in July 2018 for FCA solo regulated firms and insurers. The SMCR applies from 10 December 2018 for insurers and re-insurers and from 9 December 2019 for solo regulated firms, which is going to be most FCA regulated firms. The original Senior Managers Regime was rolled out to banking firms in March 2016 and it has now been extended to all 58,000 firms regulated by the FCA and the near final rules were published in the summer after extensive consultation so nothing much is likely to change, and although December 2019 sounds like a long way away, there will be significant preparation required and our experience is that many clients are now kicking off their projects.
So what is the FCA seeking to achieve? The Senior Managers Regime is a reaction to the financial crisis of 2007/8 on which the perception is that very few individuals at banks and other institutions were held responsible, and one of the reasons for that was that it was not always clear who was responsible at a particular firm, responsibilities were merged or there was no single person responsible. One of the main objectives of SMCR is to impose greater individual accountability, so that it is clear who is responsible for a particular area.
It is also about improving the standards of conduct. Financial Services firms have not covered themselves in glory in areas like LIBOR or the mis-selling of payment protection insurance (PPI), and you hear a lot from the FCA nowadays about culture and tone from the top, and it is also about having documentation in place to show that you understand what your responsibilities are.
So who does the SMCR apply to? Basically if you operate a regulated business which is authorised by the FCA, it will apply to that regulated firm. SMCR applies to all firms in the UK that are authorised under the Financial Services and Markets Act 2000 and regulated by the FCA as well as EEA and third country branches with permission to carry out regulated activities in the UK, but SMCR will not apply to firms that are not authorised under the Financial Services and Markets Act but are payment services firms, and it will not apply to appointed representatives. Instead those firms will continue to be subject to the approved persons regime. So if you are only an appointed representative of a firm which is FCA authorised, that is you are operating under that firm's regulatory umbrella, it will not apply to you. The FCA has differentiated between the level of regulation under the Senior Managers Regime which applies to you depending upon what type of firm you are. There are three tiers of classification, enhanced, limited scope and core. Enhanced firms are the larger regulated firms, for example, with assets under management of £50 billion. I do not suppose there are too many firms out there that satisfy this category, and the heaviest burden will apply to enhanced firms.
Most firms will be core firms. Those firms will need to comply with the Senior Managers Regime, the Certification Regime and the Conduct Rules, and I am going to explain shortly what these are, and some firms will be limited scope firms, for example, limited permission consumer credit firms, and firms in that tier will be subject to fewer rules than core firms.
Let us have a look now at the senior management function. The most senior people in a firm, those with the greatest potential to cause harm or to impact upon market integrity, are required to hold senior management functions and these break down into governing functions like CEO, executive director and chairs of committees. There are also required functions such as compliance oversight and the money laundering reporting officer, there are additional systems and controls functions, for example, head of internal audit. Any person holding one of these roles will need to be approved by the FCA before they can start their role. I mentioned earlier on that there are certain documents and related materials that you need to have to show that you understand your responsibilities as a senior management function holder. A statement of responsibility is a single document that every senior manager will need to have clearly setting out their roles and responsibilities. There is also a responsibilities map but that only applies to enhanced firms. That is a single document that sets out the firm's management and governance arrangement. Every senior manager also has a duty of responsibility. That is not a document but it basically means that if something goes wrong in an area for which you are the senior manager responsible, you could be held accountable and to impose liability the FCA need to show that you did not take reasonable steps in discharging your responsibility and they will take into account all the circumstances of the case.
There are also prescribed responsibilities so these are specific responsibilities that a firm must give to a senior manager. These include responsibility for the firm's policies and procedures to prevent financial crime and responsibility for client assets.
Turning now to the Certification Regime, this is a new requirement and the Certification Regime covers specific functions that are not senior management functions, but could still have a significant impact on customers, the firm or market integrity, and that will include financial advisors as part of the client dealing function. The firm is required to state that they consider the person is fit and proper to perform the certification function and this must be done at least annually. As Jonathan will explain later on, what this means is at the firm you are the regulator and it is your responsibility at the firm to make that judgment and not the regulator's.
Turning now to fitness and propriety, this applies to all firms, and fitness and propriety includes honesty, integrity and reputation, competence and capability, and financial soundness and you can guess there might be some grey areas here. For example, if a person is convicted of a speeding offence, what impact will that actually have on the performance of their day to day role? Senior managers are also subject to a criminal records check and firms are required to seek a regulatory reference from previous employers for senior managers and staff in certification functions.
Let us now look at the Conduct Rules, and there are two tiers of Conduct Rules that apply to all firms. There is a general set of rules that apply to most employees and directors in a firm. For example, you must act with integrity. You must act with due skill, care and diligence and you must be open and cooperative with the FCA. Those of you who are familiar with the FCA Principles will recognise that those rules are very similar. There is also a second tier of rules that apply to senior managers. For example, you must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively and firms are required to train their senior managers and their certification staff on these new Conduct Rules.
Firms are also required to notify the FCA when disciplinary action has been taken against a person for a Conduct Rules breach so this might mean issue of a formal written warning, suspension or dismissal of a person or the claw back of remuneration. Note that this also applies to the firm's unregulated as well as regulated business, so the scope is really quite broad. So that is an overview of the compliance scope. Jonathan is now going to have a look at the people issues.
Jonathan: Thanks Ian. What I would like to do is to talk to you about the underlying drivers that are behind the new regime and how it is that you are going to need to take these into account in the way that you manage your people.
I am going to start off with a single word and that word is culture. The FCA published a discussion paper on culture and it contains various essays from all sorts of business thinkers and academics and practitioners on what is culture. I am not going to try and summarise that because the writers will have different perspectives and it is a really interesting read in its own right and I would strongly urge you to have a look at it. My own definition of culture for what it is worth is that culture is what happens in an organisation when no one is looking. What the FCA says about the importance of culture though is crucial. They say culture in financial services is widely accepted as a key root cause of the major conduct failings that have occurred within the industry in recent history, causing harm to both consumers and markets. For markets to work and firms to be successful, it is critical they are seen as trustworthy. Social expectations have changed, I will come back to that a bit later on in this talk, and public interest has raised questions of trust in firms and in the industry as a whole. To increase competence firms need to demonstrate that they are working in the interests of consumers and the market.
So that is what the FCA says about culture, it is critical, but how does that work itself out through the rules. How does that turn itself into a concrete requirement of things that you are supposed to do? Well there are two things we can look at here. Firstly it is the rules themselves, the concepts that lie behind them and secondly, we do now of course have some worked experience of how these rules have been applied in practice because the first tier of institutions in crude summary, the big banks, have already been operating under these regimes for a while now and what I would like to do is share our experience from working with clients who have already been working with these rules, and the first thing to do is to pick up on a couple of points that Ian has mentioned. He set out the framework of the rules here and explained that the Senior Managers Regime is designed to give transparency and accountability and that sitting alongside that and underpinning it, the Conduct Regime is meant to drive behaviours. Now the key thing to appreciate here is this is not simply a transcription of the old regime, the old approved person's regime has not just been bolted on to the Senior Management Regime or vice versa, although a lot of the concepts remain the same, "fit and proper" for example, this is a new way of doing business, an improved way of doing business and organisations which do not understand that are not going to meet the new requirements.
How does that work itself out in practice? Well as Ian said, the questions of fitness and propriety are in the first line, no longer questions for the regulator, although obviously in enforcement, they will be but questions for the firms themselves. You are the regulator. It is your decision as to whether someone is fit and proper. Now what does that mean in practice? It means two things, one I think following from the other. The first is that under the old regime where the regulators were resource constrained and therefore what they would take into account in fitness and propriety was resource constrained because the burden has been moved on to individual firms, as far as the regulator is concerned you are an infinite resource. They can simply direct that this is what you do and you will have to adjust your budget to fit, they do not run up against their own cash limits so previously when one looked at questions of fitness and propriety then putting it crudely, one would look at questions of financial misconduct, did an individual have their hand in the till, were client monies safe, was there financial exposure to the organisation? When the questions of conduct were generally seen as private matters between employer and employee, not something with which the regulator would generally get involved and in one sense that remains the case under the new regime. The regulator will only step in and intervene and take enforcement action within the scope of its own powers and it will be looking at financial regulation funnily enough but in terms of whether a firm is complying with its duty to certify the relevant persons as fit and proper. It expects those firms to take into account much wider questions.
Now how can I be certain of this and can I give you a worked example? Yes I can and it comes conveniently from a letter which the FCA wrote to the chair of the Women and Equalities Committee as recently as September where they make it absolutely clear in their submission to the Committee and its report on sexual harassment in the workplace that sexual harassment is misconduct which can drive a poor culture. It is if you like and this is my paraphrase, not the wording of the FCA, the canary in the coalmine, because someone who is a bully is likely to be someone who does not have due regard to the standards, the standards of behaviour which the FCA have identified as critical in maintaining public confidence in the financial services sector and which have led to the major failures of 10 years ago which, as Ian has explained, all these regimes, all that is in these regimes, is designed to avoid ever happening again. So if you have a trading floor and if you have always seen it as just banter and that is what goes on there and you have got to have a pretty thick skin and the fact is as you look across the floor it just so happens that 95% of the people on it are men and women do not last very long, you could have a problem, you are very likely to have a problem and it is a problem that the FCA will expect you to tackle.
How can you do that in practice, you are a compliance professional? Where are the necessary skills to change people's behaviours around these sorts of issues? They are to be found in your HR department and if you are a compliance professional working in the organisation, then your HR colleagues are about to become your new best friends and vice versa. If you are the HR professional, then wrap your arms around the compliance people, hold them tight and do not let go. You are now under this regime joined at the hip. HR have to consider the regulatory implications of all employee conduct. Compliance have to consider the regulatory implications of all employee conduct and the big banks who are implementing this regime will tell you that that is what they are doing. We have not yet had the cases coming through the enforcement systems which either means the Employment Tribunals or the FCA's own disciplinary Tribunals on cases about impact of certification of fitness and propriety being withdrawn but that is only a matter of time and one of the reasons we have not seen them yet is that the big banks are really into this issue, and if an amber warning light in terms of an employee's conduct is flashing then they will jump on that straightaway and either the employee will change their behaviour or they will be managed out of the organisation and we have seen lots and lots of examples of that and in that sense, we can see that the regimes are already working.
There are other ways in which incidentally we can see that they are already working as one head of compliance put it to me, everyone else now has my best lines. Compliance used to be the last item in the management board's agenda whereas now every single senior director of the bank deals with the compliance issues that apply to them as part of their agenda and the compliance officer deals with the systems and processes that support them in that and helps in their dealings with the regulator, writes points on that if you like. So that is a major practical difference to the way organisations manage themselves.
Where might this be heading? One thing as practitioners that we are all waiting for is the first case in this sector and in these circumstances around the right or not to have lawyers in disciplinary hearings, internal disciplinary hearings, of course lawyers regularly appear in the regulator's own Tribunals, because as the law stands at the moment, as you know, employees do not have the right to bring a solicitor into the office with them to accompany them or represent them in an internal disciplinary hearing. That right is reserved to a colleague from the employer or a trade union official and the organisation does not have to recognise trade unions for the individual to have a right to bring one in, it is just something that obviously does not occur all that often in the private sector, but it is there in the statute book. Now there is an exception to that, there is case law which suggests that if an individual's livelihood is at stake as a result of internal disciplinary proceedings, then they do have the right to legal representation in those proceedings and the case law comes out of instances such as teaching where a teacher is accused of sexual misconduct then they can lose their licence to practice as a teacher if you like and the time when that decision is effectively taken is in the internal disciplinary hearing so they have a right then to have legal representation. You can see straightaway how by analogy this might apply in financial services under this new regime. It has not happened yet but the talk in the City is at some point it is inevitable if things get that far. 
As I said a moment ago, what is happening right now is that as the amber warning light appears on the dashboard, these issues are being dealt with before they get to that stage but sooner or later that issue is going to come up and it is likely to come up in our view in this next wave of firms to be regulated because of course the big banks have enormous HR and compliance teams and are all over this and smaller organisations just do not have the same level of resource so it could well happen one day, it just has not happened yet.
Ian: Thank you Jonathan. So having looked at the compliance and the employment implications what are the key actions for you at FCA firms? Well first of all looking at the senior management roles, how should your firm be categorised? Is it limited scope, core or enhanced? Now in most cases that should not be too hard to work out. You are also going to need to map the controlled functions to a senior manager's functions to identify any gaps or functions that no longer require approval by the FCA, that will be a detailed task but well worth the investment up front because if you get that wrong, the rest is likely to fall down as well and for each senior manager, you need to define and align the roles and responsibilities and prepare the statement of responsibilities, that is a key document. If you have a chair either exec or non-exec, if they are non-exec, you would seek approval for the SMF9 function.
Turning now to certification. You will need to identify if there are any staff where certification is required. It is possible in many small firms that there will be no one in the certification regime. If there are only a handful of senior individuals who will be senior managers supported by admin staff, but most firms are likely to have staff who will need to be certified and this applies to employees of firms including secondees and contractors but excludes non-executive directors. You will need to assess the fitness and propriety of a person to be certified. You will need to align that with the HR processes. As Jonathan has said, HR has a very important role here to play and this cannot be done in isolation. Assessments need to take place at least annually and individuals must be assessed on an ongoing basis and ensure that senior managers and all staff are aware of expected conduct standards, implement your conduct training programmes and training relevant staff on the conduct rules is a requirement, not an option. You need to identify ancillary staff to whom conduct rules will not apply so that might for example, include receptionists, post room staff and security guards and this is not a once off project, so you need to develop monitoring processes and procedures for compliance to enable you to do that and to develop monitoring and management information to demonstrate ongoing compliance.
Finally, if you put yourself in the position of a senior manager, what should you be doing? Are you clear on your statement of responsibilities? Watch out for project creep, for example, looking after other managers' responsibilities while they are on holiday, that can sometimes turn from a favour into a permanent responsibility and if something goes wrong whilst you are looking after it, you could be left holding the baby in that situation.
Also, how would you prove that you have discharged your responsibilities and taken the reasonable steps that the FCA require? The FCA has a long list of factors they will take into account in terms of reasonable steps. That includes delegation, the establishment of reporting lines and whether external professional advice was obtained, and what management information you receive. How will you monitor and challenge that information in your role? Our experience is that information is often provided very informally, it is not documented and that looks poor where there is an FCA investigation and you have not got anything to produce, you are empty handed. Have you received a handover statement? A firm is required to take all reasonable steps to ensure that a new senior manager has all the materials and information they need to do their job. The back of an envelope is not likely to satisfy that.
So that completes our Podcast. We hope you have enjoyed listening to it and thank you for listening to it. If you would like to contact us, my email is ian.mason@gowlingwlg.com and Jonathan's is jonathan.chamberlain@gowlingwlg.com, and our details are also found on our website. Thank you very much.
In July 2018 the UK Financial Conduct Authority (FCA) published its near-final rules on extending the senior managers and certification regime (SMCR) to all firms regulated by the FCA. All FCA regulated firms will need to comply with these rules from 9 December 2019, and with SMCR now on the horizon, both employers and employees, senior managers and other employees within regulated firms will need to understand how it will affect them.
Hosted by our financial services and employment experts, this podcast will give you access to specialist industry speakers.
Topics that will be discussed include: