From: RegTech Analyst
The UK rules for ensuring accountability among financial services firms are not always easy to follow.
This is something 47,000 British firms are about to learn after the Financial Conduct Authority (FCA) extended the Senior Managers & Certification Regime (SM&CR) to include solo-regulated firms on December 9.
The FCA and the Prudential Regulation Authority introduced SM&CR in March 2016 after the UK Parliament passed legislation in response to serious shortcomings of the financial services industry that were unearthed during the fallout of the Great Recession.
“This is the regulators’ final push, to ‘close the door’ on the last financial crisis – a way of ensuring that the same mistakes won’t be made again,” explains Chris Finney, partner at Fox Williams, the law firm, to RegTech Analyst.
“Where once it was difficult to prove exactly where responsibility for misconduct lay, meaning individuals or organisations could not be held responsible, SM&CR allows regulators to work out exactly who is responsible for particular failures, before taking targeted action against them.”
SM&CR replaced the Approved Persons Regime which had proved unfit for purpose. “The rules place a much greater emphasis on the individuals working for regulated firms than we’ve had before and include annual fitness and propriety checks, and a more rigorous pre-employment reference system that will make it harder for the ‘rolling bad apple’ to move from one job to the next,” Finney says.
Having previously applied to banks and insurers, it will now, as mentioned, also cover solo-regulated firms. “[Now] SM&CR will cover almost every part of the UK’s financial services industry – and almost every employee working in that sector,” Finney continues.
“The net effect should be an improvement in culture and standards across the UK’s financial services industry as individuals who don’t meet the industry’s standards are gradually identified and encouraged to improve or leave.”
But that does not mean that it is easy to follow the rules.
“[SM&CR] is hugely challenging for firms because it’s asking them to become compliant in a very different way to before,” David Clee, CEO of MirrorWeb, the RegTech100 firm that has created a guide to help businesses follow these new rules, tells RegTech Analyst. “Instead of ticking boxes and filing off forms, the SM&CR is requiring firms to embrace this regulation and become compliant with the spirit as well as the letter of the law.
“This means, to mention just a few things, introducing thorough governance systems and processes, ensuring the most influential people in the business are right for the job and instilling responsibility and accountability throughout the organisation.
“The worst thing firms could do? To simply treat this like regulation that has gone before it. As the name suggests, senior managers need to fully engage with this regulation not least because non-compliance would result in punishments levied at them, not the business.”
Slipping up could land firms and their employees in some serious trouble, which was something Barclays’ CEO Jes Staley learned the hard way when he tried to use the bank’s resources to try and identify a whistleblower, thus breaching the rules set out under the SM&CR.
While Staley could keep his job, the FCA fined him £642,430 and Barclays cut £500,000 of his bonus over the issue.
There are several ways a firm might fail to live up to these standards. “If the firm doesn’t discover poor standards when it ought to have done so or it finds them, but [doesn’t] take appropriate action, the regulators might investigate and fines could follow,” Finney explains.
“If the firm does find poor standards and it’s over-zealous in its response, to the point where an individual loses their job unfairly or a libelous reference stops them getting another, compensation claims are likely to follow instead. So, for businesses, this creates a new set of legal and regulatory risk.
“Regardless of its precise mistake, a company that gets things wrong under SM&CR could also significantly damage its reputation. Not only in the wider industry, but among potential employees. After all, who would want to work for a business that does not trust or properly understand and train its workforce?“
So what do firms get wrong? “The risk for companies under SM&CR is that many organisations – for instance, those in areas such as FinTech – are not used to the degree of scrutiny that comes with financial regulation,” Finney says. “Currently, organisations without the right experience or advice can see the regime as unclear, uncomprehensive or even contradictory. They can also think it doesn’t (or at least shouldn’t) apply to them.
“As a result, ensuring that the regime is being applied consistently and to the right employees will be difficult. Many organisations might over-react and bring every employee into the regime when they don’t need to, while others might do the opposite and not include employees who should be covered.”
A second issue that many firms get wrong is that they fail to identify and act on evidence of wrongdoing. To help out the FCA has created a list of prescribed questions that potential employers must ask previous employers, when they go through the usual referencing process.
“In some cases answering the questions will be easy,” Finney says. “In others, it will be extremely high risk. Ultimately, deciding whether an employee is ‘fit and proper’ will depend on their position, their role and the nature of their misconduct. With the potential consequences for misapplying the regime including regulatory penalties and legal action, businesses need to be certain that they are acting correctly. Legal advice – whether from a partner or an in-house professional – will be crucial to minimise risk.”
SM&CR might cover more ground in the future.
In October, the Treasury Committee published a report about on the IT failures of the financial services sector. It noted that several financial services firms had suffered digital service outages.
The committee cited figures from the FCA showing that the number of reported incidents had increased by 187% in 2018.
With this increase in mind, the Treasury Committee suggested that the SM&CR should be expanded to also cover financial market infrastructure firms.
On top of this, the committee suggested that the sanctions available under SM&CR should also be expanded.
Copyright © 2019 FinTech Global
