SM&CR - what is it and why do we need it?

Following the banking crisis in 2008, the Parliamentary Commission for Banking Standards (PCBS) recommended the creation of a new framework focused on increasing senior management accountability. Based on this recommendation, Parliament passed legislation in December 2013 that prompted the primary regulators of the financial services sector, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), to implement a Senior Management and Certification Regime (SM&CR).

When this legislation passed the Approved Persons (AP) regime had already been in place for several years. It was designed to ensure that providers of financial services had directors who could manage their businesses with integrity and honesty and had the necessary skillset to ensure consumer protection.

What the Approved Persons regime did not do was hold other employees to account, particularly those who held Senior Management (SM) or Significant Harm (SH) functions.

As such, the SM&CR was created to ensure accountability at all levels within regulated firms. In order to achieve this a number of new areas were created, including;

• Specific Senior Management functions for firms operating within the financial services sector;
• A requirement that Senior Management and Significant Harm functions are certified on an annual basis;
• A set of conduct rules for all employees (with the exception of some ancillary staff);
• A prescribed set of responsibilities that SM functions must take ownership of;
• A requirement to provide six years’ worth of regulatory references for individuals operating in SM and CR functions that detail any issues or disciplinary action taken;
• A Statement of Responsibilities for all SM functions, which details the specific areas of the business they are accountable for.

Following further changes to legislation made by Parliament in May 2016, the SM&CR has now been extended to all Financial Services and Markets Authority (FSMA) authorised firms.

In December 2018 SM&CR replaced the Approved Persons regime for dual-regulated insurers (those regulated by both the PRA and FCA). Further to this, from the 9th December 2019, all regulated financial firms must comply with the SM&CR.

What do firms need to do to prepare?

There are a number of steps firms need to take in order to ensure they are ready for the implementation date set by the FCA.

First, firms must identify which of three categories they fall into. ‘Limited Scope’ accounts for businesses that provide financial services but not as their main operation e.g. sole traders, oil market participants and service companies. There are approximately 33k firms in this category. ‘Core’ is for firms that sell financial services as their main operation. There are approximately 14k firms in this category. Finally, ‘Enhanced’ applies to firms which, due to their size, complexity and possible impact on consumers, are subject to additional regulatory requirements. This includes firms who manage assets of £50 billion or more, mortgage lenders (excluding banks) with 10k or more regulated mortgages outstanding and all Client Assets Sourcebook (CASS) firms. There are approximately 350 firms in this category.

The category dictates the provider’s required action; there are a number of additional elements that Enhanced firms will need to implement. All firms, however, will need to decide which individuals will fall under the Senior Management and Certification functions.

The FCA has indicated that current Approved Persons will be able to ‘Grandfather’ across into the SM functions and have suggested that Approved Persons should be reviewed and validated now, removing the need to make additional applications once SM&CR is implemented.

SM&CR Requirements

Each of the SM functions will require a ‘Statement of Responsibility’. For this, the FCA has produced a template document setting out roles and responsibilities. These must be submitted to the FCA when applying for an SM function to be approved (or converted from an Approved Person).

These Statements of Responsibility must be kept up to date and resubmitted to FCA whenever there is a significant change to a SM’s responsibilities.  

In addition to the requirement Statement of Responsibilities, the FCA has mandated a number of Prescribed Responsibilities. These Prescribed Responsibilities must be allocated to one or more of the SM functions to ensure accountability, but one SM can be responsible for more than one.

The Prescribed Responsibilities are:

• Performance by the firm of its obligations under the Senior Management regime, including implementation and oversight;
• Performance by the firm of its obligations under the Certification rules;
• Performance by the firm of its obligations in respect of notifications/training of the conduct rules;
• Responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime;
• Responsibility for the firm’s compliance with CASS (if applicable).

Under SM&CR, firms are required to assess individuals in SM and Certification functions to confirm that they are fit for their roles. In addition, the FCA suggests that firms should assess any non-executive directors who are not Senior Managers.

The FCA is proposing a simple roll out of the existing rules to authorised firms, which are expected to determine their own strategy for assessing competence. This means that firms will need to consider how best they can assess the qualifications, training and personal characteristics of an individual for any Senior Manager or Certification role that they are performing.

As part of this process, there is a new requirement for firms to perform criminal record checks on each Senior Manager applying for approval.

As previously referenced, SM&CR introduces regulatory references for all SM&CR functions.

Firms will be required to obtain references from previous employers on all SM, CR and non-exec directors for a period of 6 years. There is also an obligation on the previous employer to provide references if any significant new information comes to light.

If a reference is requested, the previous employer must disclose whether:

• The candidate ever breached a conduct rule.
• A description of the basis and outcome of disciplinary action in relation to any breaches.
• Any other information that is relevant to assessing whether someone is fit for their role.

A key consideration here is how firms log, monitor and manage this flow of information.

Conduct Rules

Two tiers of conduct rules have been introduced. Tier 1 rules are intended to cover all employees and Tier 2 are specific rules for individuals in an SM function.

Individual conduct / Tier 1 rules

1. You must act with integrity.

1. You must act with due skill, care and diligence.
2. You must be open and co-operative with the FCA, PRA and other regulators.
3. (FCA only) You must pay due regard to customers and treat them fairly.
4. (FCA only) You must observe proper standards of market conduct.

Senior Manager / Tier 2 conduct rules

1. You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
2. You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
3. You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
4. You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

In order to ensure understanding of these conduct rules and individual requirements, firms are obligated to ensure that full staff training is performed.

Finally, under the Senior Management and Certification Regime, firms are required to report any disciplinary action taken against a person for any breach of the conduct rules to the FCA. For Senior Managers this notification must be within seven business days; for all other individuals notification should be made annually. This notification requirement does not affect firms' existing obligation under Principle 11.

A common misconception is that if a financially regulated firm is outsourcing processes, these updated rules apply only to the outsourcing partner. This is not the case – all financially regulated firms must implement the SM&CR, even if all their financial products are managed externally. 

Despite this, regulated firms working with best of breed outsourced service providers remain at an advantage, as these companies will provide guidance and support throughout the process.

Next Steps

By 9th December 2019, all firms should have identified all their SM and CR individuals and ensured that these individuals are appropriately trained on the requirements, in particular the conduct rules and Prescribed Responsibilities.

By 9th December 2020, all other employees should have received training and be aware of their obligations under the Tier 1 conduct rules, and assessments should have been conducted on the Senior Management and Certification functions.

Although there is much to consider, this is a positive and significant step in ensuring enhanced accountability for the financial services market and, following successful implementation within the banking sector, is expected to strengthen firms and protect consumers.