UK financial regulator widens its net
The financial regulators are already enforcing breaches of the Senior Managers and Certification Regime, aimed at supervising more financial services employees.
The Financial Conduct Authority is cracking down on companies not abiding by the rules with more investigations already. On 26 July 2017, the FCA published its consultation paper on the extension of the Senior Managers and Certification Regime (SM&CR). The paper envisages a widening of the SM&CR to all firms (big or small) authorised to provide financial services under the Financial Services and Markets Act 2000 (FSMA). This 'new' regime is to come into force in late 2018 and its aim is to reduce harm to consumers and strengthen market integrity.
Outline of the revised regime
Following a recognition by the FCA of the need for flexibility in the new regime, the proposals introduce different levels of obligations. The core regime will apply most widely; whereas smaller firms (currently subject to a limited application of the approved persons regime) will be subject to fewer requirements; larger, complex, "enhanced" firms will have additional requirements. The impact on each element of the regime can be summarised as follows:
1) Senior Managers Regime
The new proposals extend the Senior Management Functions ("SMF") for key responsibilities. The FCA refers to the individuals holding these SMFs as "Senior Managers". The "core" SMFs will apply to all firms except limited scope firms (those currently subject to a limited application of the approved persons regime). These include "governing functions" such as a chief executive or executive director, and 'required functions' such as compliance oversight and a money laundering reporting officer.
SMFs will differ for each firm depending on their nature; sole traders will only need compliance oversight, whereas consumer credit firms and insurance intermediaries must have the "limited scope function" of apportioning responsibilities under the FCA Handbook; and the establishment and maintenance of controls.
"Enhanced" firms will need to fill additional SMFs including chief finance, chief risk, and head of internal audit.
The FCA also stipulates a set of "prescribed responsibilities" such as "responsibility for ensuring the governing body is informed of its legal and regulatory responsibilities" which firms must distribute between Senior Managers. These will be extended to all "core" firms, with "enhanced" firms being required to allocate these and additional responsibilities.
Under the extended regime, each Senior Manager will still need to be approved by the FCA before starting the role. They must submit a "statement of responsibilities" to the FCA, setting out their role and responsibilities. Significantly, the firm must keep these documents up-to-date and notify the FCA of any changes, ensuring the FCA has immediate knowledge of the individuals who have, or should have, responsibility for each SMF.
2) Certification regime
The proposals will also extend the current "certification regime". Where individuals are not Senior Managers but the functions of their role allow them to potentially cause significant harm to the firm or consumers (as defined under s. 63E(5) FSMA), the firm will now need to certify to the FCA that the individual is "fit and proper" to perform their role at least annually. It should be noted, that there will therefore be no FCA register of individuals under the certification regime, and that if a role is not filled, there is no requirement for the firm to certify someone for it. One corollary of this is that in very small firms, there may be no one within the certification regime.
"Regulatory references" will also be extended whereby the firm must receive references from the individual's previous 6 employers to ensure they are fit for the role and unfit individuals are not recycled through new employment. These increased verification steps place a greater burden on firms to ensure fit and proper checks are effective.
3) Conduct rules
The new proposals also envisage an expansion of the conduct rules stemming from FSMA (set out in COCON, the FCA Handbook). They will apply to all Senior Managers, certified functions, non-executive directors who are not senior managers, and all other employees except ancillary staff. For the avoidance of doubt, these "baseline rules" will apply to all firms, including "limited scope" firms.
There will be two tiers of "Enforceable" Conduct Rules. The first five individual conduct rules will apply to most employees. They must: act with integrity; act with due skill, care and diligence; be open and cooperative with the FCA, the PRA and other regulators; pay due regard to the interest of customers and treat them fairly; and observe proper standards of market conduct.
The second tier applies to Senior Managers only. They must take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively, and that it complies with relevant requirements and standards of the regulatory system. They must also take reasonable steps to ensure that any delegation of responsibilities is to an appropriate person and that they oversee its discharge effectively. Finally, they must disclose appropriately any information which the FCA or PRA would reasonably expect.
Consequences for enforcement
There is already considerable scope for the FCA to investigate individual responsibility for breaches at all levels, directly and indirectly through various matrices. The FCA's proposals at least attempt to clarify what it will have regard to in determining whether a Senior Manager is responsible.
The focus will be on: (a) Statements of responsibilities (a statement produced by a firm which accompanies an application for the approval of the Senior Manager by the FCA) and, for enhanced firms, management responsibilities maps outlining how governance and responsibility structures work. (b) The reality of the Senior Manager's role and interaction with other Senior Managers' roles. This could be evidenced by documents such as minutes, telephone conversations, and email exchanges.
However, what is meant by "reasonable steps" has not yet been defined. The FCA states that it will need to be approached on a case-by-case basis. It has, however, released guidance on factors it will be looking to take into account (PS17/9 and Ch. 6.2 of the FCA's Decision Procedure and Penalties manual). The FCA will for example, have regard to:
- The nature and size of the firm
- The roles and responsibilities of the Senior Manager and whether they exercised reasonable care when considering the information available to them, and reached reasonable conclusions;
- The Senior Manager's awareness of the breach, or whether they should have been aware of actual or suspected issues;
- Whether the Senior Manager properly understood the firm's activities for which they were responsible. For example, failing to get expert opinion where appropriate, inadequately monitoring transactions, practices, and individuals, and failing to ensure adequate reporting;
- If the Senior Manager had delegated authority, whether that was reasonable and overseen appropriately;
- What steps were taken by the Senior Manager to satisfy themselves the firm had adequate systems and controls for the areas they were responsible for and following those procedures, as well as implementing them to comply with regulatory requirements and standards; and
- Whether orderly transitions and handovers took place.
From an enforcement perspective, this, along with the fact that the list of factors is neither exhaustive nor prescriptive, means the FCA has a considerable range of factors to determine whether reasonable steps have been taken. In order to evidence this, firms will be expected to keep good records of minutes of board and committee meetings as well as internal meetings, statements of responsibilities and management maps, organisation charts and reporting lines, and any relevant internal materials. Deficiencies in record keeping will not play out well in any investigation process.
In addition, the conduct rules require firms to demonstrate they apply the spirit, as well as the letter of the rules. They will be required to train employees as to the content of the applicable rules. It will be critical, therefore, where there has been a breach, for firms to be able to demonstrate that the relevant individuals have gone through the necessary training programmes.
In sum, it is important to remember the objectives of the FCA in introducing and extending the SM&CR regime. In his speech on 20 September 2017, Jonathan Davidson, Director of Supervision – Retail and Authorisations at the FCA, placed the 'strategy' and 'culture' of firms at the heart of the accountability regime. The FCA wants to understand the business strategies of firms to root out business behaviour that negatively affect consumers and anticipate risks that may emerge in the future, and it hopes to steer the culture of firms in the right direction.
Mr Davidson referred to four 'levers' of how firm culture is 'managed': i) a communicated sense of purpose and approach throughout the firm, ii) the 'tone from the top', that is, behaviours of senior managers seen by the staff; iii) formal governance processes and structures and a well thought-through conduct risk framework; and iv) how personnel-related practices (including incentives and capabilities) affect conduct. Focus on these levers indicates a more holistic approach.
The expansion and additional clarification of the SM&CR is welcome. The new proposals, however, still lack an element of precision and various areas remain open to interpretation. As of April 2017, the FCA has started investigations into two senior managers and 11 individuals who are certified persons under the SM&CR regime since it came into force in May 2016.
Mark Steward, the FCA's Enforcement Head, noted on 20 September 2017 that FCA investigations had increased by 75%. Among other factors, he noted that the FCA has changed its starting point for its investigations. Rather than using investigations as precursors to enforcement and litigation, we can expect to see the FCA to increasingly use expedited investigations as a means to uncover data and evidence of serious misconduct. When the FCA's proposals come into force late next year, the increased level of detail provided by firms to the FCA under the new regime and the new framework for measuring the actions of senior management in particular will likely feed further investigation activity.
Abdulali Jiwaji is a partner, Stephanie Eaton is an associate and Jessica Thomas is an associate at Signature Litigation.