7 March 2016 has passed – what now?
So your firm has got over the initial hurdle of SMCR implementation on 7 March 2016. What next?
What will the regulators expect on an on-going basis from firms and individuals under the SMCR?
- Ensure that the Responsibilities Map and individual Statements of Responsibility remain current and accurate at all times. The Board will have to attest to their accuracy every year.
- Personnel, organisation and responsibility changes must be reflected promptly in the SMCR Responsibilities Map, Statements of Responsibility, etc
- A process to review and sign off any changes is required.
- An appropriate version control process is required which records which full version of the Map was in force at any point in time.
- The firm must certify all Control Function holders as suitably skilled and qualified to do their jobs on an annual basis. There is a Requirements for formal annual reviews to be performed for individuals subject to the Certified Regime.
What are the activities that your firm should be taking to remain compliant?
Firms need to put in place mechanisms to make sure that their staff are adhering to the Conduct Rules.
Managers should understand how intrusive checks and training are imperative to satisfy both themselves and the regulators that they have taken reasonable steps to ensure that the functions they are responsible for are fit for purpose and compliant with all relevant laws and regulations.
The Firm will have an obligation to attest annually that it has complied with the SMR obligations.
Under the regime, Senior Managers will have to confirm that all of the key functions they are responsible for have also remained compliant, including that any breaches of CERT or COND rules have been investigated, addressed and reported.
This will require a thorough review of the governance, risk and controls in place across the business to satisfy the relevant SMF holders that they can personally attest and be happy to be accountable for their areas of operations.
In order to successfully monitor compliance with the new regime, existing systems may need to be enhanced to enable them to report along the clarified reporting lines of the SMR structure. It may be that new MI needs to be introduced to ensure that management reports provide the information required to support the new regime.
What is required to demonstrate compliance?
The regime require robust and well-evidenced governance frameworks including clear articulation of legal entity-level committee structures and their respective roles and responsibilities. Enhanced management information, escalation points and attestations will be necessary to underpin governance and achieve an optimal organisational structure that is correctly integrated. [There is a hook here for the Board MI case study from ICAP]
One of the key challenges is that the new regime is legal-entity focussed and considers management responsibility and accountability from that perspective. Most global banks put more emphasis on global and regional governance and might have several legal entities covered by one governance structure. Large overseas banks will have to demonstrate how they manage risks at a UK legal entity level rather than just at a global level.
Responsibilities Map & Statements of Responsibilities
Firms are required to map the responsibilities and reporting structures within the firm. Firms will need to consider and document the framework and how responsibility is allocated within the organisation. Shared or unclear reporting structures should be remedied. The firm’s Board will need to provide annual confirmation that there are no gaps in the allocation of responsibilities within the firm.
Firms are required to develop and document a clear list of responsibilities for Senior management. The list will need to reflect the responsibilities that will be included in the FCA handbook and PRA rules, and be tailored to a firm’s governance structures. Once allocated, Statements of Responsibilities showing these will need to be provided as part of any application for approval by the FCA and PRA.
Breach of Conduct Reports
Breaches or suspected breaches of the Code of Conduct by Senior Managers need to be notified to the regulators within seven business days. Consequently the timeframe within which to investigate and come to a preliminary conclusion regarding a breach is short and will require specific procedures to ensure it is conducted effectively. For all other employees subject to the Code of Conduct, notification is made on a quarterly basis to the FCA (who will pass onto the PRA if relevant).
The regulators have confirmed that attestations have been introduced as a formal supervisory tool and are aimed at ensuring clear accountability amongst senior managers.
People, Culture, Human Resources and Recruitment
One of the key aims of the new regime is to transform the culture and raise standards in banking. As a result, the SMCR necessitates changes to capabilities, culture and HR processes to underpin behavioural change.
The SMCR has implications for all aspects of the employee lifecycle, from organisational design to performance management, as well as recruitment and selection.
Each firm will need a standard process to assess the fitness and propriety of individual employees, particularly those holding Certified roles and to assess and manage the aftermath of breaches and failures.
Individual employees will need evidence to back up their decisions and if they don’t agree with the decisions or actions of their senior colleagues or peers, they will be well-advised to document and escalate their concerns.
When hiring personnel who will hold Senior Manager or Certified positions consideration should be given to the new compensation and claw-back rules, the greater due diligence required by both employer and candidate before a hire is agreed, new contractual arrangements and legal protections for individual managers.
What opportunities does the SMCR present to improve governance and controls within your firm?
Banks should focus on improving the clarity, process and documentation of their existing governance framework rather than building a parallel framework just to comply with the new regime.
In order to enable Senior Managers to attest that their areas of responsibility are being conducted properly and are compliant with all necessary laws the firm will need to invest time in making sure that processes are properly mapped and understood and that controls are effective. This will be a particular challenge where parts of a process are outsourced or executed by another group entity.
The Conduct Rules within the SMCR also create a requirement for personnel to “act with due skill, care and diligence” and for senior managers to ensure that the businesses they manage are adequately controlled and that delegation is to appropriate personnel. Firms should take the opportunity to ensure that all personnel clearly understand their roles and are adequately trained to carry them out.