The Senior Managers and Certification Regime (“SM&CR”) is new set of requirements that will affect all firms regulated by the Financial Conduct Authority in the UK. Whilst those with no footprint in the UK will not be affected, there are plenty of US firms (and those based elsewhere) who have some presence in the UK. And because SM&CR touches on the way firms are governed, it has potential implications for senior managers and some other staff in such firms including, in some cases, those located in the US parent.
Why is SM&CR being introduced now?
As with so much new regulation in recent years, the roots of SM&CR go back to the financial crisis of 2008 and its political aftermath – anger plus a need to assign blame for what had happened. When enforcement actions were initiated against key senior managers, regulators found themselves unable to penetrate the cloak of collective responsibility within many governance structures.
SM&CR was first introduced to the banking sector (from March 2016) where the worst examples of wrong-doing were perceived to have taken place. The next phase of SM&CR which will apply from 9 December 2019 fulfils a commitment to extend the regime to all FCA-regulated firms.
The key themes of SM&CR derive from this political context: codifying the precise roles, responsibility and accountability of senior managers; fostering a “culture of accountability” which gives all employees the correct incentives to improve their standards of conduct; and greater liability in the event that conduct breaches occur.
I am a US firm – how is this relevant to us?
The short answer is that SM&CR is only relevant if you have a UK-based subsidiary or affiliate which maintains a separate authorization by the FCA. As such, the UK firm is subject to FCA’s rules on governance and organization, also known as the Senior Management, Systems and Controls requirements (“SYSC” for short).
Although SM&CR does not change the fundamental legal requirements for such UK affiliates, it does change the balance somewhat for the senior managers of the parent entity, wherever they are located, who play a significant role in the management of the UK firm. Previously, the FCA emphasized the need for “hearts and minds” in the UK – individuals who the FCA can hold to account for the regulatory performance of the UK firm.
SM&CR changes this balance by emphasizing that there is no territorial limitation on the senior manager function – in principal it should apply to anyone who performs a senior management role in the UK firm, whether they are based here or overseas (e.g. in New York).
So senior managers based in the US could be subject to the new regime?
Yes, they could although the logic of this should only be taken so far. The FCA have provided helpful guidance that “where an overseas manager’s responsibilities in relation to the UK are strategic only, they won’t need to be a senior manager. However, if they are responsible for implementing that strategy, and have not delegated that responsibility to a senior manager in the UK, they are likely to be performing a senior management function.”
In our experience, the distinction between these two positions is not always clear cut. Many US firms are using SM&CR as a catalyst for clarifying the allocation of responsibilities between local managers and their reporting lines to the US parent.
Does this affect the liability of senior management?
When SM&CR for the banking sector was first being formulated, the FCA argued for a Duty of Responsibility where the burden of proof would fall on the senior manager to show that they had taken all reasonable steps to prevent a regulatory breach occurring, or to close down the breach as soon as possible once it had started. Although burden of proof was subsequently reversed and now lies with the FCA, it is an interesting insight to how they intend to pursue wrong-doers once they have been identified.
The implications, particularly for senior managers physically located outside the UK, are not to be underestimated. Those holding the key Prescribed Responsibilities in particular will want to consider what taking reasonable steps actually means in practice. They will also want to understand what level of management information, resources and authority is at their disposal to allow them to be confident about assuming this heightened level of regulatory scrutiny.
Is anyone else affected apart from senior managers?
Below the level of senior managers, SM&CR introduces a new category of staff: Certification Functions whose role is such that they have the potential to cause significant harm to the firm, any of its customers, or to market integrity generally. There is a degree of similarity with the current CF30 (Customer) role, but it will apply to other individuals such as significant management and those with key responsibilities in algorithmic trading. Such individuals will no longer have to be approved by the FCA; instead they will be assessed by the firm itself to ascertain whether they are “Fit and Proper” to perform their role.
For the most part, Certification Functions only apply to individuals who are based in the UK (and the current 30-day rule carries over into the new regime – i.e. individuals spending less than 30 days in the UK in any 12-month period will not need to be certified). The one exception is Material Risk Taker – a concept which currently applies to certain staff in the context of remuneration arrangements. Therefore, a senior trader based in the US who deals on behalf of UK clients may be caught by this function. Note also that the definition of Material Risk Taker also needs to consider all types of risk, including prudential, operational, conduct or reputational.
How different are the new Conduct Rules under SM&CR?
SM&CR has given the FCA new powers to set Conduct Rules applicable to all employees within a firm apart from those whose role is peripheral to financial services (referred to as “Ancillary”). The new Rules are not dissimilar to the current Statements of Principle for Approved Persons (i.e. applicable to those currently registered with the FCA), but are intended to represent a meaningful change in the standards of conduct expected from those working in such firms.
At the more trivial end of the spectrum, this could be an inadvertent breach due to lack of senior management awareness of the new obligations that SM&CR places on firms. For example: a failure to produce clear Statements of Responsibilities and thereafter update them, or incorrectly set up Certification arrangements, such as shortcomings into the process for assessing competency and fitness and propriety.
More seriously, the FCA is encouraging firms to interpret the fitness and propriety of individuals much more widely, and that would include unacceptable behaviours such as discrimination and sexual harassment.
OK, so we think we’re in scope – what should happen next?
The first thing to do is to view SM&CR as a regulatory implementation project in its own right, and assign appropriate ownership and resources for that task. As an implementation project, there are three distinct regimes to be addressed: the Senior Managers, the Certification and the Conduct Rules regime.
Duties and obligations under each strand should be understood, including the classification of your relevant SMCR firm type. Understanding the key concepts of SMCR is also essential, including: Statements of Responsibility, Prescribed Responsibilities, Fitness and Propriety, training requirements and regulatory references. These concepts must then be made real across the UK firm (if necessary, in the context of US processes) in the form of updated policies, procedures and a program of training.
How ACA can help?
We have a dedicated compliance team in London devoted to addressing and implementing SM&CR. Whether you need ad hoc advice on how you are affected or a tailored solution to implementing the new requirements, we’d be pleased to speak with you.
For more information
Visit our dedicated webpage to access further SM&CR resources.