What is it?
As discussed above, the duty of responsibility is a statutory duty and applies to all firms as follows
- For senior managers in applicable Limited Scope Firms, it applies to the performance by senior managers of their inherent responsibilities.
- For senior managers within Core Firms, it applies to the inherent responsibilities and also to each prescribed responsibility allocated to them.
- For senior managers within Enhanced Firms, it applies to the inherent responsibilities and prescribed responsibilities and also to activity within the firm for which they have overall responsibility.
The duty of responsibility requires senior managers (those approved to perform a senior manager function) to take reasonable steps in discharging that responsibility. This is the same duty that currently applies to those individuals within a financial services firm who are approved persons. However, the Bank Regime caused senior managers to refocus their minds on this existing duty.
“Reasonable steps” is an objective test, namely: what steps is it reasonable to expect a senior manager in that role and with those areas of responsibility to have taken in order to prevent an issue/breach from occurring or continuing?
The FCA has provided a body of guidance and commentary on their expectations of what amounts to reasonable steps, which is found in DEPP. In addition, there have been some cases from the Upper Tribunal at the FCA (the appellate body from the FCA’s primary enforcement tribunal) which have also reinforced the standards (see Pottage v FSA  Lloyd’s Rep FC 16 (2012)).
In practice, it can be diagrammatically shown as follows
Are these reasonable and can the senior manager evidence that he/she took them/decided not to take them?
What is it not?
Importantly, taking reasonable steps does not mean taking every step feasible or possible. It is those steps that it is reasonable to expect a senior manager, in that position, with his/her allocated responsibilities, to take.
Nor does it mean that a senior manager must personally carry out their responsibilities themselves. Senior managers can of course delegate their responsibilities, but taking reasonable steps in relation to delegation arrangements would require the delegation to be appropriate and made to a sufficiently appropriate person, with the senior manager receiving management information of a sufficient quality and with sufficient frequency to be aware of what is occurring in relation to that area, with escalation processes in place and appropriate oversight retained, and so on.
Reasonable steps and non-executive directors
The reasonable steps that are expected of non-executive directors carrying out senior manager functions are different to those expected of executive senior managers. The FCA reiterated as part of the Bank Regime that non-executive directors are not expected to act like executive directors. Their primary role is to effect challenge within board meetings and to chair identified committees competently and effectively. The FCA has set out a set of reasonable steps for non-executive directors when they chair a committee.
From the Bank Regime, it is clear that there is an increased focus on the need for senior managers to demonstrate compliance with the regime. The FCA’s mantra has been for some time now that “if you cannot evidence it, you did not do it” and firms need to support their senior managers in ensuring that there is a greater focus on evidencing reasonable steps. In practice the nature of this support will in part depend on the senior manager, his/her areas of accountability and how he/she prefers to work. There is no one-size-fits-all approach to reasonable steps—some senior managers organise themselves with documentation and processes, others may prefer to work from tablets. In the Bank Regime different forms of support were offered to senior manager populations including new software (which it was reported was not always used effectively or consistently) through to newly created departments, additional human resource and supporting processes such as an internal system of upwards attestations. All of these have their pros and cons.
There is no mandated way for a senior manager to ensure he/she is documenting reasonable steps, but there are some important points to bear in mind
- A reasonable step needs to be recorded (whether in email, manuscript notes in a note book or recorded in the minutes of a meeting).
- It must be able to be reproduced to the FCA as evidence.
With the increased focus on reasonable steps, a number of trends were seen in banks after implementation of the Bank Regime. These included
- Board minutes becoming more detailed.
- Some senior managers wanting board minutes and committee discussions to record attribution of comments.
- Non-executive directors wanting board minutes to show more detail around the challenge that occurs.
Senior manager conduct rules
In addition to the individual Conduct rules (discussed below), it is proposed that senior managers in Limited Scope, Core and Enhanced Firms are required to comply with four additional conduct rules that apply to senior managers only. These are the same rules that currently apply to individuals approved in the existing Approved Persons Regime. They are
- SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
- SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
- SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
- SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
Senior managers must be trained on how these conduct rules apply to them, their functions and their responsibilities.
Management responsibilities map
For Enhanced Firms only, there is an additional requirement to put in place and maintain a Management Responsibilities Map. The map must be a standalone document which is intended to allow someone unfamiliar with the firm to obtain a complete understanding of what the firm does, how it arranges itself, what governance oversight and systems and controls it has in place to manage its risks and run its business, who the senior managers and certification staff are and how responsibilities have been divided across the senior management population.
The form of this map is not prescribed. However, it must comply with certain requirements set out in SYSC. In summary, the requirements include
- A structure chart of the firm and the group in which it is located.
- The board/management body.
- The board committees and their members.
- The executive committees and their members.
- An organogram of the firm showing
  - All business units, areas and activities of the firm.
  - Reporting lines between departments and individuals and senior managers.
- A description of the systems and controls in relation to each responsibility.
- A description of the governance arrangements and oversight arrangements and systems and controls in place to manage the risks facing a firm.
The Management Responsibilities Map needs to be kept up to date and refiled with the FCA together with every filed Statement of Responsibilities (remembering that Statements of Responsibilities are filed together with an application to approve a senior manager and whenever a senior manager’s responsibilities have materially changed). There is no additional requirement to attest that the Management Responsibilities Map is up to date annually, as was initially proposed in the Bank Regime but not proceeded with.
There are a number of lessons learnt from the Bank Regime. There can be no cross-referring to other documents that are located outside of the map. What this means in practice is that the map can reference the identity of a policy document in order to comprehensively explain the controls in place. However, a firm cannot refer to a policy document for information that needs to be included in the map, or refer to a part of a policy document for more information.
If policies are to be appended to the map (which it is acceptable to do), they need to be kept up to date so references to “Approved Persons” would need to be changed (unless a group of companies still has group entities subject to the Approved Persons Regime).
The terms of reference of any committees will need to be included and these should be up to date. The map needs to be easily understandable and easy to navigate. The map needs to be sufficiently detailed, especially regarding the governance arrangements and reporting lines.
Although the day-to-day updating of the map will likely be delegated to the compliance function and signed off by the board and owned by the CEO, the FCA is the audience. So it is prudent to consider the tone and content of the map and align the tone with the FCA’s wider expectations, including treating customers fairly, conduct risk, culture (particularly a culture of challenge in this context) and their focus on management information.
Enhanced Firms are required to ensure that there are handover arrangements in place for the senior management population. These are not prescribed and there is no mandated “handover certificate” as was originally mooted for the Bank Regime. It is an expected part of a senior manager’s reasonable steps that an outgoing senior manager ensures that the role/function and responsibilities are handed over to an incoming senior manager in a diligent, fulsome manner.
There are a number of lessons learnt from the Bank Regime. One of the key risks that needs to be considered is how a firm ensures sufficient handover can occur in unexpected situations/emergencies (e.g. if a senior manager is unexpectedly taken ill with a long-term illness or dies). In the Bank Regime, banks approached this aspect in different ways. The most common approach was for firms to require their senior managers to maintain a “living will”; in essence a document that is revisited frequently to note how issues that were ongoing at the time of the previous update had been resolved or managed and where key documents could be found and what new issues were ongoing and how they were being addressed.
Significant harm functions/certification staff
Limited Scope, Core and Enhanced Firms will need to identify their staff who can cause significant harm to the firm, the market or customers. The FCA has stated in the Consultation Paper that they do not expect Limited Scope Firms will have any certified staff.
Certified staff will include
- Significant management.
- Proprietary traders.
- Those conducting CASS oversight.
- Benchmark submission and administration.
- Functions that are subject to qualification requirements (e.g. mortgage advisers, financial advisers)—see the T&C Sourcebook.
- Client dealing function.
- Algorithmic traders (which includes those who approve the deployment of the algorithm, a material part of the algorithm, a material amendment to an algorithm and who monitor the algorithm or decide to use the algorithm).
- Material risk takers.
- Anyone who supervises or manages anyone performing one of the functions above but is not a Senior Manager (noting there is no territorial limit).
The territorial scope of this element of the regime is not solely UK focused. Staff in overseas branches and subsidiaries of a firm can come within scope. The FCA has introduced a territorial limitation, see “territorial limitation” below. Identifying staff who can cause significant harm is an ongoing obligation and must be constantly assessed as staff change, move between roles or take on additional roles and where the line managers of certified staff change. In addition, the FCA is proposing that firms should certify senior managers for aspects of their role that are outside their senior management function but which are a significant harm function.
Second thematic review
As part of its Second Thematic Review, the FCA queried banks’ arrangements for contingent labour (e.g. contractors, consultants, etc).
Once the certified staff population is identified, it is recommended that an early communication campaign is given to this population. There will be some key changes affecting their roles and they should be informed of these as early as is sensibly possible. In particular, in the Bank Regime this population was keenly focused on certain key areas of change, including
- Losing their regulatory status (e.g. CF30). There appears to be a certain kudos attached by some members of this population to their regulated status. On this point, the FCA is deciding what to do about the register as any existing approved persons in the Bank Regime that became certified staff members show as “inactive” on the FCA register. This may not be helpful for some sectors in the SMCR where it is important that consumers/other interested bodies are able to check whether, for example, their financial adviser is appropriately authorised. The FCA has said it will revert on this aspect.
- The new regulatory references regime which has caused, and continues to cause, unease to this population. In the Bank Regime, firms re-evaluated their disciplinary processes in an effort to help this aspect of the regime for their employees, as disclosures in the regulatory references are only triggered by disciplinary action taken by a firm.
- The mechanics around how their certificate is issued and what they need to do and by when.
For Certified Staff, Core and Enhanced Firms must issue a certificate to each certified member of staff. There is no prescribed form for the certificate, but there is prescribed wording that must go into the “certificate” which is set out in FSMA. A Certified Staff member must hold a valid certificate which relates to the role for which he/she needs to be certified at all times while carrying out the role that warrants his/her needing to be certified. The certificate can only last for a maximum of one year and so firms must, at a minimum, reissue the certificate annually. As the certificate requires firms to state that the staff member is fit and proper to carry out that role, this necessitates that the firm reassess that staff member’s fitness and propriety.
There are permitted grace periods within which staff can temporarily carry out a certified staff role without being certified where certain conditions are met which are similar to the current Approved Persons Regime. In addition, there are arrangements for staff temporarily visiting the UK.
Second thematic review
In the Second Thematic Review, the FCA focused on, amongst other items
- Who owned the decision to certify the individuals as fit and proper.
- Whether firms were carrying out re-certification checks where individuals changed role/functions.
- How the firm would identify and manage situations where individuals should no longer be certified.
Firms will need to plan for situations when they need to issue a conditional certificate and what that may address. Conditional certificates are permitted for items that are not as material to fitness and propriety such as completing a required training course.
Firms will also need to ensure that, in drafting the certificates, they think about what rights they may need to revoke the certificate should the employee no longer be fit and proper during the period covered by the certificate. This was not addressed by FSMA nor covered in the FCA’s rules for the Bank Regime and was an element that firms found difficult.
Fit and proper requirements
Firms are required to ensure that their senior managers are fit and proper before submitting an application for approval for that senior manager to carry out a senior manager function and to keep their fitness and propriety under constant review. The standard for assessing a senior manager’s fitness and propriety remains that set out in the FIT chapter in the FCA’s Handbook. Firms must also ensure that their certification staff are fit and proper before starting to carry out the significant harm role and to reassess their fitness and propriety at least annually. In reality, certification staff will need to be reassessed each time they move within roles, take on an additional role, etc. as well as being assessed annually.
Fit and proper in practice
The fit and proper standard that applies to firms when conducting this assessment is set out in the FIT chapter of the FCA Handbook. However in the Bank Regime, firms added to the requirements for what being “fit and proper” to work at that firm meant to that firm. The additional elements typically included items that related to the firm’s ethos, culture and business standards.
How to run a best practice F&P assessment process
- The annual performance management appraisal cycle commences using amended appraisal forms, the amendments seeking to capture some of the fit and proper requirements – in the SMCR it is critical that appraisals occur, on time and that they are meaningful.
- The appraisal is reviewed by a separate person/committee to ensure that the appraisal is comprehensive and appears unbiased and is signed off – there may be layers to this process depending on the firm.
- The certified staff member completes a fit and proper questionnaire (the questions in which replicate those included in the Long Form A as well as additional questions to match the firm’s fit and proper policy).
- The certified staff member provides a declaration or attestation about the truthful completion of the questionnaire (a breach of which is linked to a breach of their employment contract).
- The line manager/direct report signs off on their competence and capability (or notes what needs to be improved) and, importantly, on their personal characteristics (although this is a nebulous concept, it is easy to spot a personal characteristic that will not allow a line manager to provide this sign off).
- HR and Compliance then assess and sign off on completion of all mandatory training, that references were found to be satisfactory (where applicable) and that there have been no notified breaches of the Conduct Rules or the fit and proper policy.
- The certificate is issued and signed by the person who has had this responsibility delegated to them from the senior manager with the prescribed responsibility for compliance with the certification regime (see “prescribed responsibilities” above) or by the senior manager with this prescribed responsibility themselves.
- HR or Compliance then work through a list to ensure that all required documentation/information has been obtained/held about the individual and that nothing is missing.
- The complete pack is then provided to the person/senior manager/committee that considers the pack to confirm that certification can occur.
- A copy of the “certificate” (in whatever form it is contained) is sent to the certified staff member and a copy retained by HR.
Broadly, a best practice F&P assessment follows this process although there may be additional levels of oversight built into the process depending on the firm.
Breaches of fitness and propriety
There are a number of employment law related challenges with the above that are worth bearing in mind. In particular
- What is the process for employees that the firm cannot certify as being fit and proper—suspension? Supervision?
- The process for employees who breach the conduct rules or fit and proper policy within the term of a certificate—revocation of certificate? Gardening leave?
- The process for employees under investigation (where the investigation has not completed).
Second thematic review
In the Second Thematic Review, the FCA focused keenly on the F&P assessment process seeking confirmation from firms on a wide variety of issues including
- What criteria and processes were being used for making the fit and proper assessment?
- Whether appropriate oversight and controls are in place for this process?
- How would a firm evidence that the decision-making process in the F&P assessment is independent and unbiased?
This element of the SMCR should be started as early as possible. It is important for firms to know if they will be able to certify their identified certification population. Further, it helps to familiarise a firm’s line managers and senior managers with the new process and helps to ensure that any deficiencies have been addressed prior to implementation. In addition, firms will need to ensure that performance appraisals are being conducted to a consistent standard across the firm. This can be challenging, given the different personalities, working styles and backgrounds of those managers typically conducting performance appraisals.
Regulatory references remain one of the most controversial parts of the SMCR. Firms with in-scope staff are required to provide a regulatory reference (which is a prescribed regulatory form) which confirms to the employee’s next employer (and next employer for the next six years and possibly longer in certain circumstances) whether there were any breaches of the conduct rules or fit and proper requirements that resulted in disciplinary action being taken by the firm. Firms are prohibited from entering into compromise/settlement agreements that cut across this requirement.
The regulators received significant negative feedback from the industry on this aspect of the regime (mostly in relation to the difficulties with making this requirement work with employment law requirements). As such, the regulators delayed implementing this element of the regime for almost a year as part of the Bank Regime. In the end, the requirement was introduced without clarity provided on how the regime fits with employment law requirements. This aspect comes with numerous challenges including in relation to data protection laws and employment laws. The FCA has said that it is considering how the SMCR works with the upcoming GDPR and is liaising with the ICO on this aspect.
Criminal record checks
The SMCR requires new evidential requirements to be satisfied when assessing candidates for SMF positions and Certification roles. Both firms and any candidates have to declare any criminal record, including any spent conviction the employer should legally be aware of and firms are required to carry out criminal records checks as part of each application.
Firms will either need to be registered with the Disclosure and Barring Service (DBS), or the equivalent bodies in Scotland and Northern Ireland, or pay to use an umbrella organisation as an intermediary to run these checks.
Conduct regime/conduct staff
Firms will need to identify those employees within the firm/branch/group that will be conduct staff (i.e. all senior managers, all certified staff, all non-executive directors and all other employees of the firm (including in branches), excluding those employees whose role is not specific to the financial services industry (e.g. cleaners, security guards)).
Once identified, firms need to ensure those staff are trained on the high-level rules that are the conduct rules and refresh the training annually.
An early communication campaign is beneficial to this population as even those who work in a regulated workplace can be anxious about what it means for them in practice. There was a level of anxiety amongst this population in the Bank Regime that they were suddenly subject to direct oversight by the FCA and possibly regulatory action. In addition, combining the communication with additional information about the whistleblowing procedures was found to be beneficial in order to avoid non-specific whistleblowing claims being made due to a member of Conduct Staff not wishing to report any Conduct rule issues in accordance with the internal breach reporting procedure. Whistleblowing claims that are vague, unclear and unspecific incur significant resource and cost to a firm to investigate them.
Firms also need to think about the culture within their firms. One possible unintended consequence of the regime is the risk of hidden wrongdoing by Conduct Staff.
There are two sets of rules: there are five rules which apply for all Conduct Staff (discussed below) and the additional four Conduct rules which just apply to senior managers (although one of those four will also apply to non-executive directors who are not also senior managers) (discussed above).
They are as follows:
- Conduct rule 1: You must act with integrity.
- Conduct rule 2: You must act with due care, skill and diligence.
- Conduct rule 3: You must be open and cooperative with the FCA, the PRA and other regulators.
- Conduct rule 4: You must pay due regard to the interests of customers and treat them fairly.
- Conduct rule 5: You must observe proper standards of market conduct.
The rules apply when conduct staff carry out regulated and unregulated activities of a firm and activities which are ancillary to a firm’s regulated activities. This is narrower than the Bank Regime where the conduct rules applied to everything conduct staff did in relation to their job at the bank. It is not yet clear how this restriction will work in practice. It is expected that the FCA intended to draw the line more definitively and it is hoped that this will be clarified in the Policy Statement.
Breaches of conduct rules
A firm must also notify the FCA when taking formal disciplinary action resulting from a breach of a conduct rule. The timing of the notification is the same as currently applies to banks, namely annually for all staff (excluding senior managers) and within seven days for senior managers albeit subject to the overriding obligation under Principle 11 for notifications in respect of all staff where the materiality threshold is met.
Firms are required to have internal breach reporting arrangements for staff to report breaches of the conduct rules.