Senior managers, certification and conduct regime

On July 26, 2017, the Financial Conduct Authority (FCA) published its long-awaited Consultation Paper (CP 17/25) setting out its proposals for introducing the Senior Managers, Certification and Conduct Regime (SMCR) to the majority of firms operating in the UK financial services industry.

On October 15, 2015 HM Treasury published a policy paper, Senior Managers’ and Certification regime: extension to all Financial Services and Markets Act 2000 “FSMA” authorised persons, stating that the SMCR would in the future be applied to all sectors of the financial services industry during 2018. HM Treasury stated that the principle of proportionality would be particularly important and that the extended regime would “reflect the diverse business models operating in the UK market”. The FCA subsequently said that it would consult on the extended regime during the course of Q2 2017 although in fact the regulator delayed publishing its much anticipated proposals until late July 2017.

The policy announcement in the HM Treasury paper that the SMCR would be extended to all financial services firms was expected as it was previously trailed in reports criticising the Approved Persons Regime. Following the papers published by the Commission led by Sir John Vickers that looked into the UK banking industry the House of Commons approved a joint resolution on July 16, 2012 which established a Parliamentary Commission on Banking Standards the “Parliamentary Commission”.

The Parliamentary Commission published its final report, Changing banking for good, on June 19, 2013. Arguably, this report is one of the most important papers published after the 2008 financial crisis and it was particularly critical of the UK’s banking industry. In relation to the Approved Persons Regime the Parliamentary Commission observed that the regime had “created a largely illusory impression of regulatory control over individuals, while meaningful responsibilities were not in practice attributed to anyone”. The Parliamentary Commission added that, as a result, “there was little realistic prospect of effective enforcement action, even in many of the most flagrant cases of failure”. In light of these failings, the Parliamentary Commission recommended the creation of a new individual accountability regime that would become the SMCR. It also called for a more effective sanctions regime against individuals arguing that such a move was essential for restoring public trust and confidence in the UK banking sector. A key component of the new sanctions regime would be a new criminal offence that would apply to senior persons carrying out their professional responsibilities in a reckless manner with the power to fine or imprison individuals on conviction.

Importantly, the Parliamentary Commission’s final report noted that the deficiencies that it had found in the Approved Persons Regime were not limited to the banking sector. The final report stated: “There may be a strong case for applying some of the reforms to other areas of the financial services sector and it is plausible to suppose that the deficiencies of the Approved Persons Regime are replicated beyond banking”. However, the Parliamentary Commission also noted that a wider review of individual accountability in the financial services industry was outside the scope of its remit and that such work could delay any reforms to the UK banking industry. It stated:

“there is a risk that an extension of reform would delay the timetable for reforms, both due to the wider interests involved and the operational flaws of the current Approved Persons Regime.We therefore recommend that the arrangements for a Senior Persons Regime, for a Licensing Regime and for a register, reflecting the operation of these regimes, be put in place in the first instance separately from the Approved Persons Regime, which should cease to apply to banking. It is for the regulators to advise on the merits of the new schemes’ wider applicability.”

The Government broadly accepted the recommendations of the Parliamentary Commission in a paper co-published by HM Treasury and the Department for Business Innovation and Skills in July 2013. In particular, the Government shared the Parliamentary Commission’s concerns that the failures of the Approved Persons Regime were not limited to the banking sector but that to undertake a wider reform programme would delay the reforms to the banking industry. The Government paper stated:

“While the Commission’s recommendations relate to standards in the banking sector, they consider it plausible that the weaknesses of the Approved Persons Regime affect not just the banking sector but other parts of the financial services industry too. The Government agrees with this and notes that many of the failures identified by the Commission were not limited to the banking sector. The Commission proposed that, to avoid delay to banking reforms, the Commission’s recommendations should initially be put in place for banking only. In fact, because the relevant FSMA provisions apply to all parts of the financial services industry, it would be simpler legislatively and operationally to apply any reforms to the framework for regulating individuals to the financial services industry as a whole. The Government will therefore consider with the regulators whether to amend the relevant FSMA provisions to allow for wider application of the proposed reforms.”

The Government also accepted the Parliamentary Commission’s recommendation on introducing a criminal sanction for reckless misconduct in the management of a bank. In
particular, the Government agreed with the Parliamentary Commission that only individuals performing the functions of a Senior Person would be criminally liable for this offence.

It is worth briefly mentioning that both the Parliamentary Commission’s final report and the Government’s response advocated a “reversal of the burden of proof”, whereby a senior manager could be found liable for a regulatory breach if he/she could not show the regulator that he or she took the steps that it was reasonable for a person in their position to take to prevent the breach occurring or continuing (i.e. assumed guilty until proven innocent), thus reversing the normal burden of proof. However, this approach, understandably, caused some concern in the market and ultimately the Government changed its position to mirror what has always existed under the Approved Persons Regime, namely that an Approved Person/Senior Manager has a regulatory responsibility to take reasonable steps in discharging their duties. Further, that it is for the FCA to prove that a Senior Manager had not taken such reasonable steps (i.e. innocent until proven guilty). The only change that the Government did make to the existing Approved Persons reasonable steps duty in the SMCR was to elevate it from being a purely regulatory duty to a statutory duty described in the HM Treasury policy paper published in October 2015 as the “duty of responsibility”.

The SMCR was implemented for Banks and significant insurance firms (i.e. those entities regulated by both the FCA and PRA) in a first phase on March 7, 2016 with subsequent phases of implementation occurring thereafter the “Bank Regime”

Bank regime thematic reviews

As it is relevant to commentary that follows in this note, it is worth commenting on the additional work that the FCA has done since implementation of the Bank Regime.

Immediately following the first phase of implementation, the FCA and/or PRA (but primarily the FCA) wrote to in-scope banks/insurers with queries/concerns as to how they had implemented the requirements of the Bank Regime “First Soft Thematic Review”. This was not a formal thematic review and the output of the FCA’s concerns/queries was a very short web article.¹ However, the FCA’s expectations of firms were highlighted in their supervisory work.

Secondly, simultaneously with the implementation of the second phase of the Bank Regime (namely for certification staff), the FCA conducted a formal thematic review of in-scope firms’ preparedness for the certification regime “Second Thematic Review”. The key elements from that thematic review are noted in this Bulletin. As at the date of this note, the FCA has not formally presented its findings back to the industry.

The FCA has yet to conduct a thematic review into how firms have implemented the final phase of the Bank Regime, in relation to Conduct Staff.

Which firms are in-scope of the SMCR?

The Government legislation which mandated the extension of the SMCR (discussed above) stated that it would apply to “all authorised persons”.² This means that the SMCR applies to all regulated financial services firms authorised under the Financial Services and Markets Act 2000 operating in the UK or into the UK through a branch. Although the consultative rules are unclear, this should exclude firms such as, without limitation

• Certain overseas firms operating into the UK.
• Payment services firms (as they are authorised under the PSRs).
• E-money firms (as they are authorised under the EMRs).
• Appointed representatives and other exempt entities (although the FCA has said that this may be revisited) “out of scope firms”.

Therefore, out of scope firms will still need to comply with the existing Approved Persons Regime or similar regime under the different authorising legislation, to the extent it applies to them.

Approach to extension

Consistent with legal expectations, the FCA’s approach to the SMCR is

• To apply all of the key elements of the Bank Regime to firms in scope of the SMCR (this is discussed in further detail below).
• Not to apply the exact detail and scale of those key elements to firms in scope of the SMCR in the same way as they were applied to banks. Instead, the detail of each of the key elements would be varied depending on the type of firm using “the tools and principles from the banking regime to create consistency across financial services, but tailor them to reflect the different risks, impact and complexity of firms subject to the extension”.³ Therefore the key elements will be applied in a proportionate way.

Proportionality in practice

Consistent with the Government’s original intentions (discussed above), the FCA is proposing to implement the SMCR in a manner that is proportionate, taking into account the varied nature of the approximately 50,000 firms in the non-bank financial services industry, which range from consumer credit sole traders to the largest of global asset managers and wholesale brokers. The FCA has kept this intention proposing that “the new regime … be proportionate and flexible enough to accommodate the different business models and governance structure of firms”.⁴

In order to achieve this proportionality, the FCA is proposing to divide firms into three categories. The basic elements of the SMCR will then be applied in a basic way or a more detailed way depending on which category a firm falls into.

The Consultation Paper includes a flowchart on page 14 (which will be replicated in an Annex to SYSC when finalised) for firms to check which category they are in. The categories are as follows

Limited Scope SMCR Firm “limited scope firm”

This is proposed to apply to firms who conduct regulated activities as an ancillary activity to their primary business activity and who are not MiFID investment firms. These types of firms should include

• Limited permission consumer credit and debt advisory firms.
• Sole traders.
• Authorised professional firms whose only regulated activities are in non-mainstream regulated activities (e.g. law firms).
• Oil market participants.
• Service companies.
• Energy market participants.
• Subsidiaries of local authorities or registered social landlords.
• Insurance intermediaries whose principal business is not insurance intermediation, and who only broke non-investment insurance contracts.
• Internally managed AIFs that meet certain criteria.

In addition, UK branches of EEA firms are excluded from some of the same requirements that limited scope firms are excluded from so as to be essentially treated as a limited scope firm.

There appear to be a number of exclusions proposed from being an Enhanced Firm, including

• Firms that obtain a waiver from the FCA.
• Firms that would be SMCR firms but which are overseas firms.
• Full-scope AIFs that meet certain criteria.
• Art.2(1)(j) of MiFID exempt firms that meet certain criteria.
• Firms that are near the threshold to qualify as an Enhanced Firm in certain circumstances.

Waivers

For firms who satisfy the test to be an Enhanced Firm but who already have a waiver, or presumably who qualify for a waiver, from the FCA (such as, for example, from certain CRR requirements like needing to have a risk committee), the FCA has stated that firms can apply to the FCA for a waiver from being categorised as an Enhanced Firm. The FCA has not finalised the detail on how the waiver regime will apply. In practice, this means that firms that receive a waiver will be a Core Firm. There does not appear to be a guarantee that a waiver will be given in all cases but, where relevant, there is the ability to apply for such a waiver. It is hoped that the parameters in which the FCA will provide a waiver will be confirmed in the final policy statement as it is currently unclear and is, understandably, of utmost importance to firms to know whether they are within scope of the very detailed requirements of the Enhanced Regime or the lighter touch Core Regime. The FCA has not stated from when firms can start applying for waivers.

Firms that qualify as a core firm but meet the threshold tests to be an enhanced firm and vice versa

The FCA has proposed measures for where a Core Firm subsequently satisfies the test to be an Enhanced Firm and vice versa. For example, a non-bank mortgage lender might have fewer than 10,000 regulated mortgages outstanding (so being a Core Firm), but then has over 10,000 regulated mortgages outstanding (so being an Enhanced Firm).

• Core to Enhanced: The FCA is proposing a simplified notification regime for firms moving from Core to Enhanced (although it is currently unclear how this will work in practice). In addition, the FCA is proposing to allow firms six months from the “qualification date” (the date that Core Firms met the threshold tests to be Enhanced Firms) to comply with the enhanced requirements of being an Enhanced Firm.
• Enhanced to Core: The FCA is proposing to continue to apply the Enhanced Firm requirements to Core Firms for one year following a firm moving from Enhanced to Core.

The FCA proposals are currently unclear on how Core Firms are treated when they meet the thresholds to be an Enhanced Firm (and so have the six-month transitional period), but then subsequently do not meet the thresholds to be an Enhanced Firm within that six-month window. The proposed rules state that they remain a Core Firm however this proposal may see firms submitting approval applications for senior managers to then have to withdraw them. It is hoped that the FCA will consider this in its final policy statement as filing and subsequently withdrawing applications for approval can have wider consequences for senior managers seeking other regulatory approvals.

Groups with both core firms and enhanced firms

The Consultation Paper does not address how the SMCR applies to a group of companies that have both Core Firms and Enhanced Firms in the group. The proposed rules reiterate that the regime applies on an entity-by-entity basis (as it did in the Bank Regime). However, if the SMCR is applied in this way in a group context there will be a number of challenging consequences for firms. For example, there may be some senior managers within the group carrying out functions for both the Core Firm and the Enhanced Firm, yet their responsibilities will be more limited in scope for Core Firms and wider in scope for Enhanced Firms; they will have different Statements of Responsibilities; and the duty of responsibility/reasonable steps will apply to some parts of their role for one firm but not the other. It is hoped that this will be clarified in the final policy statement.

The key elements of the Regime

As expected, the key elements of the Bank Regime relating to senior managers, certification staff and conduct staff have been retained. These can be broken down into the following categories, each of which is commented on in further detail later in this Bulletin.

Senior managers

• Senior Manager Functions
• Statements of Responsibilities
• Prescribed Responsibilities
• Overall Responsibility
• Duty of Responsibility/reasonable steps
• Senior Manager Conduct rules
• Management Responsibilities Map
• Handover Procedures
• Regulatory References

Certification staff

• Significant Harm Functions
• Annual Certification
• Fitness and Propriety
• Regulatory References
• Conduct rules

Conduct staff

• Conduct rules
• Notification of Breaches

The extent to which the various elements apply to a firm depends on whether they are a Limited Scope, Core or Enhanced Firm. In addition, the requirements of the elements that do apply vary depending on a firm’s category. The table below summarises which elements are applicable at all to the various categories of firms

Senior manager functions

These functions replace the current controlled functions under the Approved Persons Regime. Firms within the scope of the SMCR must ensure any senior manager carrying out one or more function is approved by the FCA before carrying out that function.

The functions only need to be allocated to the extent a firm has a senior manager carrying out that function or to the extent that the trigger for that function (e.g. compliance with a particular FCA requirement) is met. The FCA has decided to approach the labelling of the required functions by using the same SMF categorisation as was given to these functions in the Bank Regime. This will allow senior managers who could potentially move between banks and non-banking firms to have familiarity with the senior manager functions.

Limited scope firms

For Limited Scope Firms, the required functions differ depending on: (i) the nature of the firm and its FCA licences (e.g. limited permission consumer credit firm); (ii) whether it is a UK firm or an EEA firm; and (iii) the activities it carries out. The various functions that need to be allocated (where applicable) can be found in proposed SYSC 7.1R–7.5 G, however the various functions require clarification as there appear to be some inconsistencies.

Most firms (but not all) will need to have approved any senior managers carrying out

• SMF 29: Limited Scope Function (current Apportionment and Oversight function)
• SMF 16: Compliance Oversight
• SMF 17: MLRO
• Additional SMFs for certain types of Limited Scope Firms

No Senior Manager Functions need to be allocated to: not-for-profit debt advisory bodies, incoming EEA firms in certain circumstances and internally managed AIFs.

Core firms

For Core firms, the required functions differ depending on whether the firm is a UK firm, EEA firm, non-EEA firm or a MiFID exempt firm whose only permission is bidding in emissions auctions. It is currently proposed that the following are the required functions (see Table in SUP10C Annex 1 5.2R)

Enhanced firms

For Enhanced Firms, the required functions are all of those set out above for Core Firms (excluding SMF 19 and SMF 21), as well as

• SMF 2: Chief Finance Function
• SMF 4: Chief Risk Function
• SMF 5: Head of Internal Audit
• SMF 7: Group Entity Senior Manager
• SMF 10: Chair of the Risk Committee
• SMF 11: Chair of the Audit Committee
• SMF 12: Chair of the Remuneration Committee
• SMF 13: Chair of the Nominations Committee
• SMF 14: Senior Independent Director
• SMF 18: Other Overall Responsibility
• SMF 24: Chief Operations Function

Inherent responsibility

Each of the functions above comes with a responsibility which is inherent to that function. For example, the inherent responsibility of the CEO (SMF1) is having responsibility for the conduct of the whole of the business (or relevant activities) of the firm. These inherent responsibilities are set out in the FCA’s Handbook next to where the function is described or in the Glossary. Each senior manager must understand his/her inherent responsibility and its importance as it cannot be excluded or amended. The duty of responsibility (discussed below) applies to these inherent responsibilities.

Mapping the existing approved persons population into the senior manager functions

Save in respect of SMF 21 (EEA branch senior manager), SMF 7 (Group Entity Senior Manager) and SMF 18 (Other overall responsibility), mapping an existing senior manager approved to carry out a controlled function into their senior manager function should be a relatively simple exercise for most firms. The FCA has even stated that it intends to approach transitioning firms into the new regime by “auto-converting” some existing Approved Persons within in-scope firms into their respective Senior Manager functions. The FCA has said that the detail of this auto-conversion will be included in the technical paper which is due out after November 3, 2017.

In relation to SMF 21, SMF 7 and SMF 18 (described above), or indeed allocating any function to a new senior manager, the FCA has reiterated that the test for who carries out that function is who is ultimately accountable to the board for that area. The FCA draws a distinction between the responsibilities of senior managers (which can be a wide set of responsibilities) and what he/she is accountable for, and it is the latter that should be the focus for applying the test.

Lessons learnt

There are a number of lessons learnt from the Bank Regime, including those set out below.

Other than in relation to SMF 3, SMF 7, SMF 18, SMF 27 and SMF 29, the FCA would prefer that one manager carries out a senior manager function. The only situations where the FCA accepted that more than one manager can carry out the same senior manager function in the Bank Regime is where a function is subject to a formal job sharing arrangement or where there were co-heads of a function (e.g. Co-CEOs).

A senior manager can hold more than one function (and this is expected in Limited Scope firms as is currently the case under the Approved Persons Regime). The FCA does, however, require that a single senior manager does not have too many functions such that a conflict is created or the individual does not have sufficient time to dedicate to all of them (which goes to reasonable steps). This is a judgment matter depending on the situation within a firm and should be assessed on the facts.

Reporting lines need to be clearly explained and documented. For example, where a senior manager (A) reports into another identified senior manager (B), yet senior manager A reports into senior manager B on a particular area (X) but not on another area (Y), and on area Y senior manager A reports directly into the board, the detail around this reporting line will need to be clearly explained to the FCA. The FCA’s presumption is that if senior manager A reports into senior manager B, then senior manager B is the only senior manager. However, this is not always the case in practice.

Non-executive directors

Some non-executive directors within firms will not be chair of one of the identified board committees but they will still be a non-executive director (e.g. a board member). This means that they will not hold a senior manager function. In the Bank Regime, the PRA referred to these non-executive directors as “notified NEDs” or “non-SMF NEDs”. The PRA required that firms notify these notified NEDs/non-SMF NEDs to the PRA notwithstanding that they did not need to be approved by the PRA. In the Consultation Paper, there is no discussion about whether the FCA will require these non-SMF NEDS within Core or Enhanced Firms to be notified to the FCA as in the Bank Regime. Regardless of this uncertainty, non-SMF non-executive directors in Core Firms and Enhanced Firms will still need to comply with a firm’s fit and proper requirements, criminal record checks and conduct rules, and be subject to regulatory reference requirements.

Prescribed responsibilities are a set of regulatory responsibilities within a firm that the FCA requires firms to allocate amongst one or more senior managers (where applicable). These will be new to those senior managers currently approved as approved persons. All prescribed responsibilities must be allocated amongst the approved senior managers where they apply to a firm. However, those senior managers holding SMF 18 cannot hold any prescribed responsibilities save for item number 5 of the Core Firms below.

Unlike in the Bank Regime, the FCA does not appear to be proposing restrictions on which type of senior manager can be allocated certain prescribed responsibilities. In the Bank Regime, some prescribed responsibilities could only be allocated to a non-executive senior manager.

Limited Scope Firms

Limited Scope Firms have no prescribed responsibilities that must be allocated.

Core firms

It is proposed that Core Firms must allocate the following prescribed responsibilities

1. Performance by the firm of its obligations under the Senior Managers Regime, including implementation and oversight.
2. Performance by the firm of its obligations under the Certification Regime.
3. Performance by the firm of its obligations in respect of notifications and training of the Conduct rules.
4. Responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime.
5. Responsibility for the firm’s compliance with CASS (if applicable).
6. Responsibility for ensuring the governing body is informed of its legal and regulatory obligations.
7. Responsibility for an AFM’s value for money assessments, independent director representation and acting in investors’ best interests.

It is proposed that Enhanced Firms must allocate all of the prescribed responsibilities described above for Core Firms (excluding prescribed responsibility 6), as well as:

8. Compliance with the rules relating to the firm’s Responsibilities Map.
9. Safeguarding and overseeing the independence and performance of the internal audit function (to be allocated to a NED where a firm has NEDs).
10. Safeguarding and overseeing the independence and performance of the compliance function (to be allocated to a NED where a firm has NEDs).
11. Safeguarding and overseeing the independence and performance of the risk function (to be allocated to a NED where a firm has NEDs).
12. If the firm outsources its internal audit function, taking reasonable steps to ensure that every person involved in the performance of the service is independent from the persons who perform external audit, including
    1. Supervision and management of the work of outsourced internal auditors.
    2. Management of potential conflicts of interest between the provision of external audit and internal audit services.
13. Developing and maintaining the firm’s business model.
14. Managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the FCA for the purposes of stress-testing.

Amending prescribed responsibilities

Once the final policy statement is issued, the precise wording of the prescribed responsibility as listed above cannot be changed by a senior manager or a firm. A senior manager cannot, for example, make amendments to the wording of the prescribed responsibility as listed in the Statement of Responsibilities. Therefore, if firms have concerns about how a prescribed responsibility is worded, they are encouraged to respond to the consultation.

Best practice in allocating prescribed responsibilities

The FCA’s preference is for a prescribed responsibility to be allocated to one senior manager. However, while this is the FCA’s preference, there will be some prescribed responsibilities that naturally fit within the responsibility of more than one senior manager (as was the case with the Bank Regime). In this situation, a firm should use the free text space in the Statement of Responsibilities to clearly describe what part of the prescribed responsibility the first senior manager is accountable for and what part of the prescribed responsibility the second senior manager is accountable for and so on.

Lessons learnt

There are a number of lessons learnt from the Bank Regime, including in relation to how prescribed responsibilities can be shared/split. Firms are structured differently and so some allocations of the prescribed responsibilities might be to senior managers where the FCA may consider it unusual. Where an allocation of a prescribed responsibility is likely to be viewed by the FCA as being unusual, it should be explained clearly to the FCA why it is appropriate to the firm.

Overall responsibility

For Enhanced Firms only, the FCA has an additional requirement, namely that Enhanced Firms must also allocate “overall responsibility” for every business unit, activity or area of the firm to one or more senior managers bearing in mind the “no gaps” principle. What this means in practice is that a firm needs to map out all the different business units, activities and areas of the firm, including both front office and back office functions and those provided from branches. A firm then needs to work through the various tests in SYSC, to determine which senior manager(s) has overall accountability for that unit/activity/area to the board. Where the accountable senior manager is not already proposed to hold a senior manager function, he/she will need to be an approved senior manager holding SMF 18 (for senior managers within a firm) or SMF 7 (for senior managers within the wider group) for that “overall responsibility”.

“No Gaps” principle

The “no gaps” principle means that every business unit, activity, area of a firm is allocated to one or more senior managers such that there are no areas in the firm that are not allocated to a senior manager. If an issue were to occur in a particular area of a firm, the FCA should be able to determine from the Statements of Responsibilities which senior manager(s) they wish to discuss the issue with.

Lessons learnt

There are a number of lessons learnt from the Bank Regime, including those set out below.

Allocating to ensure no gaps

The FCA provided a list in the Bank Regime in SYSC 1 Annex 1 of the various areas of a regulated bank that the FCA would expect it to have what it needs to allocate. However, this list is guidance only so while Enhanced Firms can use it as a starting point, it is by no means an exhaustive list and firms should add to this list all the other various departments/units/ activities/areas that exist within the firm.

Unnecessary allocations

An Enhanced Firm does not need to assign overall responsibility for a unit/activity/area that is already covered by a senior manager function and its inherent responsibility. For example, SMF 2 is the senior manager that carries out the finance function. There is no need to also allocate overall responsibility for the Finance function to the senior manager already approved as SMF 2.

Reporting lines

Although a firm might look to its reporting lines in order to determine overall responsibility, care needs to be taken. Reporting lines within a firm are often an HR tool and are linked to an individual’s reporting for performance management/appraisal purposes. Firms typically have either “dotted” or “hard” reporting lines—hard being for performance management purposes (i.e. a line manager, someone to whom a direct report is provided) with dotted being a second line manager or equivalent. Determining overall responsibility is not necessarily aligned with a person’s reporting lines—dotted or hard. Within the SMCR, firms should think about reporting in terms of functional business reporting lines and awareness reporting lines.

Describing the overall responsibility

An element of description needs to be included to describe the nature of the overall responsibility over the business area/activity/unit/department. In the Bank Regime the FCA did not consider that simply stating “Head of X Department” (i.e. a manager’s job title) was sufficient to convey the level of detail that the FCA needed to understand what was involved in that responsibility. This is particularly the case as firms structure themselves in different ways and so a particular department may not have a uniform scope across firms. This is also important as a senior manager should describe what is excluded from that responsibility and identify within which other senior manager’s remit responsibility for that excluded item falls.

No gaps or overlapped responsibilities

As noted above, for Enhanced Firms there can be no gaps in the responsibilities allocated across the senior management population. This exercise can be challenging due to: (i) “horse-trading” amongst senior managers to delineate the boundaries between responsibilities; and (ii) the fact that Statements of Responsibilities are dynamic, so a change to one Statement of Responsibilities may necessitate a change to others. In the Bank Regime, firms necessarily tasked one individual/department to ensure that there were no gaps across the Statements of Responsibilities and then to ensure that any changes made to the Statements of Responsibilities were reflected in the Management Responsibilities Map (discussed below—note this only applies to Enhanced Firms).

Statements of responsibilities

Statements of Responsibilities are a regulatory form which the FCA requires a firm to ensure their senior managers carrying out senior manager functions complete and file when seeking to be approved. In addition, the FCA also requires a firm to ensure that these Statements of Responsibilities are kept up to date (discussed below).

How to complete a statement of responsibilities

The FCA has yet to consult on the form that will be mandated but it is expected to be identical to that in the Bank Regime (save for the change to functions and prescribed responsibilities that there are in the SMCR and the different requirements that apply to Limited Scope Firms, Core Firms and Enhanced Firms). Therefore, on this assumption, in the form a senior manager will be required to

• (All firms excluding some Limited Scope Firms) tick which senior manager function he/she carries out and state whether it is shared or not.
• (Core and Enhanced Firms only) tick which one or more prescribed responsibilities the senior manager has been allocated.
• (Enhanced Firms only) list and describe which overall responsibilities and other responsibilities a senior manager has. Each additional overall responsibility should include a reference so that an Enhanced Firm is able to identify the responsibility in its Management Responsibilities Map (discussed later).

For Core Firms and Enhanced Firms, in respect of prescribed responsibilities, there is the ability to include additional text to explain where there is more than one senior manager responsible for a prescribed responsibility.

For Enhanced Firms and in relation to overall responsibilities, additional wording should be included to describe the extent/scope of the overall responsibility and, importantly, what is excluded from the responsibility (see the discussion under Overall responsibility above).

In the Bank Regime, the FCA introduced a word limit for this additional text of a maximum of 300 words and it is expected that the FCA will introduce something similar (if not exactly the same) for firms in-scope of the SMCR. If this is introduced, note that in the Bank Regime, the word limit applies per responsibility; it is not an overall word limit for the entire Statement of Responsibilities.

Keeping the statements of responsibilities up to date

Similar to the Bank Regime, the FCA is proposing that firms ensure that senior managers keep their Statements of Responsibilities up to date. This will necessitate firms needing to refile the Statement of Responsibilities with the FCA where there is a material change to the details included in the Statement of Responsibilities. Therefore, firms will need to consider what resource they need to ensure that senior managers are supported in complying with this requirement.

Lessons learnt

There are a number of lessons learnt from the Bank Regime. The Statements of Responsibilities need to be clearly drafted, sufficiently detailed, focused and consistent with the Management Responsibilities Map (for Enhanced Firms). From an employment law perspective, they also must be consistent with a senior manager’s job description. Any sharing of responsibilities, especially where it may be viewed as unusual by the FCA, needs to be clearly explained. Finally, the senior manager population needs to be educated on the purpose of the Statement of Responsibilities namely that they are a regulatory form reflecting accountability to the board, and do not need to replicate a senior manager’s full job description.

What is it?

As discussed above, the duty of responsibility is a statutory duty and applies to all firms as follows

• For senior managers in applicable Limited Scope Firms, it applies to the performance by senior managers of their inherent responsibilities.
• For senior managers within Core Firms, it applies to the inherent responsibilities and also to each prescribed responsibility allocated to them.
• For senior managers within Enhanced Firms, it applies to the inherent responsibilities and prescribed responsibilities and also to activity within the firm for which they have overall responsibility.

The duty of responsibility requires senior managers (those approved to perform a senior manager function) to take reasonable steps in discharging that responsibility. This is the same duty that currently applies to those individuals within a financial services firm who are approved persons. However, the Bank Regime caused senior managers to refocus their minds on this existing duty.

“Reasonable steps” is an objective test, namely: what steps is it reasonable to expect a senior manager in that role and with those areas of responsibility to have taken in order to prevent an issue/breach from occurring or continuing?

The FCA has provided a body of guidance and commentary on their expectations of what amounts to reasonable steps, which is found in DEPP. In addition, there have been some cases from the Upper Tribunal at the FCA (the appellate body from the FCA’s primary enforcement tribunal) which have also reinforced the standards (see Pottage v FSA [2013] Lloyd’s Rep FC 16 (2012)).

In practice, it can be diagrammatically shown as follows

Are these reasonable and can the senior manager evidence that he/she took them/decided not to take them?

What is it not?

Importantly, taking reasonable steps does not mean taking every step feasible or possible. It is those steps that it is reasonable to expect a senior manager, in that position, with his/her allocated responsibilities, to take.

Nor does it mean that a senior manager must personally carry out their responsibilities themselves— senior managers can of course delegate their responsibilities but taking reasonable steps in relation to delegation arrangements would require the delegation to be appropriate, to a sufficiently appropriate person with the senior manager receiving management information of a sufficient quality and with sufficient frequency to be aware of what is occurring in relation to that area, that escalation processes are in place and appropriate oversight is retained, and so on.

Reasonable steps and non-executive directors

The reasonable steps that are expected of non-executive directors carrying out senior manager functions are different to those expected of executive senior managers. The FCA reiterated as part of the Bank Regime that non-executive directors are not expected to act like executive directors. Their primary role is to effect challenge within board meetings and to chair identified committees competently and effectively. The FCA has set out a set of reasonable steps for non-executive directors when they chair a committee.

Evidence

From the Bank Regime, it is clear that there is an increased focus on the need for senior managers to demonstrate compliance with the regime. The FCA’s mantra has been for some time now that “if you cannot evidence it, you did not do it” and firms need to support their senior managers in ensuring that there is a greater focus on evidencing reasonable steps. In practice the nature of this support will in part depend on the senior manager, his/her areas of accountability and how he/she prefers to work. There is no one-size-fits-all approach to reasonable steps—some senior managers organise themselves with documentation and processes, others may prefer to work from tablets. In the Bank Regime different forms of support were offered to senior manager populations including new software (which it was reported was not always used effectively or consistently) through to newly created departments, additional human resource and supporting processes such as an internal system of upwards attestations. All of these have their pros and cons.

There is no mandated way for a senior manager to ensure he/she is documenting reasonable steps, but there are some important points to bear in mind

• A reasonable step needs to be recorded (whether in email, manuscript notes in a note book or recorded in the minutes of a meeting).
• It must be able to be reproduced to the FCA as evidence.

Trends

With the increased focus on reasonable steps, a number of trends were seen in banks after implementation of the Bank Regime. These included

• Board minutes becoming more detailed.
• Some senior managers wanting board minutes and committee discussions to record attribution of comments.
• Non-executive directors wanting board minutes to show more detail around the challenge that occurs.

Senior manager conduct rules

In addition to the individual Conduct rules (discussed below), it is proposed that senior managers in Limited Scope, Core and Enhanced Firms are required to comply with four additional conduct rules that apply to senior managers only. These are the same rules that currently apply to individuals approved in the existing Approved Persons Regime. They are

• SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
• SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
• SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
• SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice. Senior managers must be trained on how these conduct rules apply to them, their functions and their responsibilities.

Senior managers must be trained on how these conduct rules apply to them, their functions and their responsibilities.

Management responsibilities map For Enhanced Firms only, there is an additional requirement to put in place and maintain a Management Responsibilities Map. The map must be a standalone document which is intended to allow someone unfamiliar with the firm to obtain a complete understanding of what the firm does, how it arranges itself, what governance oversight and systems and controls it has in place to manage its risks and run its business, who the senior managers and certification staff are and how responsibilities have been divided across the senior management population.

The form of this map is not prescribed. However, it must comply with certain requirements set out in SYSC. In summary, the requirements include

• A structure chart of the firm and the group in which it is located.
• The board/management body.
• The board committees and their members.
• The executive committees and their members.An organogram of the firm showing
• All business units, areas and activities of the firm. Reporting lines between departments and individuals and senior managers.
• A description of the systems and controls in relation to each responsibility.
• A description of the governance arrangements and oversight arrangements and systems and controls in place to manage the risks facing a firm.

The Management Responsibilities Map needs to be kept up to date and refiled with the FCA together with every filed Statement of Responsibilities (remembering that Statements of Responsibilities are filed together with an application to approve a senior manager and whenever a senior manager’s responsibilities have materially changed). There is no additional requirement to attest that the Management Responsibilities Map is up to date annually, as was initially proposed in the Bank Regime but not proceeded with.

Lessons learnt

There are a number of lessons learnt from the Bank Regime. There can be no cross-referring to other documents that are located outside of the map. What this means in practice is that the map can reference the identity of a policy document in order to comprehensively explain the controls in place. However, a firm cannot refer to a policy document for information that needs to be included in the map, or refer to a part of a policy document for more information.

If policies are to be appended to the map (which it is acceptable to do), they need to be kept up to date so references to “Approved Persons” would need to be changed (unless a group of companies still has group entities subject to the Approved Persons Regime).

The terms of reference of any committees will need to be included and these should be up to date. The map needs to be easily understandable and easy to navigate. The map needs to be sufficiently detailed, especially regarding the governance arrangements and reporting lines.

Although the day-to-day updating of the map will likely be delegated to the compliance function and signed off by the board and owned by the CEO, the FCA is the audience. So it is prudent to consider the tone and content of the map and align the tone with the FCA’s wider expectations, including treating customers fairly, conduct risk, culture (particularly a culture of challenge in this context) and their focus on management information.

Handover procedures

Enhanced Firms are required to ensure that there are handover arrangements in place for the senior management population. These are not prescribed and there is no mandated “handover certificate” as was originally mooted for the Bank Regime. It is an expected part of a senior manager’s reasonable steps that an outgoing senior manager ensures that the role/ function and responsibilities are handed over to an incoming senior manager in a diligent, fulsome manner.

Best practice

There are a number of lessons learnt from the Bank Regime. One of the key risks that needs to be considered is how a firm ensures sufficient handover can occur in unexpected situations/ emergencies (e.g. if a senior manager is unexpectedly taken ill with a long-term illness or dies). In the Bank Regime, banks approached this aspect in different ways. The most common approach was for firms to require their senior managers to maintain a “living will”; in essence a document that is revisited frequently to note how issues that were ongoing at the time of the previous update had been resolved or managed and where key documents could be found and what new issues were ongoing and how they were being addressed.

Significant harm functions/certification staff

Limited Scope, Core and Enhanced Firms will need to identify their staff who can cause significant harm to the firm, the market or customers. The FCA has stated in the Consultation Paper that they do not expect Limited Scope Firms will have any certified staff.

Certified staff will include

• Significant management.
• Proprietary traders.
• Those conducting CASS oversight.
• Benchmark submission and administration.
• Functions that are subject to qualification requirements (e.g. mortgage advisers, financial advisers)— see the T&C Sourcebook.
• Client dealing function.
• Algorithmic traders (which includes those who approve the deployment of the algorithm, a material part of the algorithm, a material amendment to an algorithm and who monitor the algorithm or decide to use the algorithm).
• Material risk takers.
• Anyone who supervises or manages anyone performing one of the functions above but is
  not a Senior Manager (noting there is no territorial limit).

The territorial scope of this element of the regime is not solely UK focused. Staff in overseas branches and subsidiaries of a firm can come within scope. The FCA has introduced a territorial limitation, see “territorial limitation” below. Identifying staff who can cause significant harm is an ongoing obligation and must be constantly assessed as staff change, move between roles or take on additional roles and where the line managers of certified staff change. In addition, the FCA is proposing that firms should certify senior managers for aspects of their role that are outside their senior management function but which are a significant harm function.

Second thematic review

As part of its Second Thematic Review, the FCA queried banks’ arrangements for contingent labour (e.g. contractors, consultants, etc).

Lessons learnt

Once the certified staff population is identified, it is recommended that an early communication campaign is given to this population. There will be some key changes affecting their roles and they should be informed of these as early as is sensibly possible. In particular, in the Bank Regime this population was keenly focused on certain key areas of change, including

• Losing their regulatory status (e.g. CF30). There appears to be a certain kudos attached by some members of this population to their regulated status. On this point, the FCA is deciding what to do about the register as any existing approved persons in the Bank Regime that became certified staff members show as “inactive” on the FCA register. This may not be helpful for some sectors in the SMCR where it is important that consumers/ other interested bodies are able to check whether, for example, their financial adviser is appropriately authorised. The FCA has said it will revert on this aspect.
• The new regulatory references regime which has caused, and continues to cause, unease to this population. In the Bank Regime, firms re-evaluate their disciplinary processes in an effort to help this aspect of the regime for its employees as disclosures in the regulatory references are only triggered by disciplinary action taken by a firm.
• The mechanics around how their certificate is issued and what they need to do and by when.

Certification

For Certified Staff, Core and Enhanced Firms must issue a certificate to each certified member of staff. There is no prescribed form for the certificate, but there is prescribed wording that must go into the “certificate” which is set out in FSMA. A Certified Staff member must hold a valid certificate which relates to the role for which he/she needs to be certified at all times while carrying out the role that warrants his/her needing to be certified. The certificate can only last for a maximum of one year and so firms must, at a minimum, reissue the certificate annually. As the certificate requires firms to state that the staff member is fit and proper to carry out that role, this necessitates that the firm reassess that staff member’s fitness and propriety.

Grace periods

There are permitted grace periods within which staff can temporarily carry out a certified staff role without being certified where certain conditions are met which are similar to the current Approved Persons Regime. In addition, there are arrangements for staff temporarily visiting the UK.

Second thematic review

In the Second Thematic Review, the FCA focused on, amongst other items

• Who owned the decision to certify the individuals as fit and proper.
• Whether firms were carrying out re-certification checks where individuals changed role/ functions.
• How the firm would identify and manage situations where individuals should no longer be certified.

Lessons learnt

Firms will need to plan for situations when they need to issue a conditional certificate and what that may address. Conditional certificates are permitted for items that are not as material to fitness and propriety such as completing a required training course.

Firms will also need to ensure that, in drafting the certificates, that they think about what rights they may need to revoke the certificate should the employee no longer be fit and proper during the period covered by the certificate. This was not addressed by FSMA nor covered in the FCA’s rules for the Bank Regime and was an element that firms found difficult.

Fit and proper requirements

Firms are required to ensure that their senior managers are fit and proper before submitting an application for approval for that senior manager to carry out a senior manager function and to keep their fitness and propriety under constant review. The standard for assessing a senior manager’s fitness and propriety remains that set out in the FIT chapter in the FCA’s Handbook. Firms must also ensure that their certification staff are fit and proper before starting to carry out the significant harm role and to reassess their fitness and propriety at least annually. In reality, certification staff will need to be reassessed each time they move within roles, take on an additional role, etc. as well as being assessed annually.

Fit and proper in practice

The fit and proper standard that applies to firms when conducting this assessment is set out in the FIT chapter of the FCA Handbook. However in the Bank Regime, firms added to the requirements for what being “fit and proper” to work at that firm meant to that firm. The additional elements typically included items that related to the firm’s ethos, culture and business standards.

How to run a best practice F&P assessment process

• The annual performance management appraisal cycle commences using amended appraisal forms, the amendments seeking to capture some of the fit and proper requirements – in the SMCR it is critical that appraisals occur, on time and that they are meaningful.
• The appraisal is reviewed by a separate person/committee to ensure that the appraisal is comprehensive and appears unbiased and is signed off – there may be layers to this process depending on the firm.
• The certified staff member completes a fit and proper questionnaire (the questions in which replicate those included in the Long Form A as well as additional questions to match the firm’s fit and proper policy).
• The certified staff member provides a declaration or attestation about the truthful completion of the questionnaire (a breach of which is linked to a breach of their employment contract).
• The line manager/direct report signs off on their competence and capability (or notes what needs to be improved) and, importantly, on their personal characteristics (which although a nebulous concept it is easy to spot a personal characteristic that will not allow a line manager to provide this sign off).
• HR and Compliance then assess and sign off on completion of all mandatory training, that references were found to be satisfactory (where applicable) and that there have been no notified breaches of the Conduct Rules or the fit and proper policy.
• The certificate is issued and signed by the person who has had this responsibility delegated to them from the senior manager with the prescribed responsibility for compliance with the certification regime (see “prescribed responsibilities” above) or by the senior manager with this prescribed responsibility themselves.
• HR or Compliance then work through a list to ensure that all required documentation/information has been obtained/held about the individual and that nothing is missing.
• The complete pack is then provided to the person/senior manager/committee that considers the pack to confirm that certification can occur.
• A copy of the “certificate” (in whatever form it is contained) is sent to the certified staff member and a copy retained by HR.

Broadly, a best practice F&P assessment follows this process although there may be additional levels of oversight built into the process depending on the firm.

Breaches of fitness and propriety

There are a number of employment law related challenges with the above that are worth bearing in mind. In particular

• What is the process for employees that the firm cannot certify as being fit and proper— Suspension? Supervision?
• The process for employees who breach the conduct rules or fit and proper policy within the term of a certificate—revocation of certificate? Gardening leave?
• The process for employees under investigation (where the investigation has not completed).

Second thematic review

In the Second Thematic Review, the FCA focused keenly on the F&P assessment process seeking confirmation from firms on a wide variety of issues including

• What criteria and processes were being used for making the fit and proper assessment?
• Whether appropriate oversight and controls are in place for this process?
• How would a firm evidence that the decision-making process in the F&P assessment is independent and unbiased?

Lessons learnt

This element of the SMCR should be started as early as possible. It is important for firms to know if they will be able to certify their identified certification population. Further, it helps to familiarise a firm’s line managers and senior managers with the new process and helps to ensure that any deficiencies have been addressed prior to implementation. In addition, firms will need to ensure that performance appraisals are being conducted to a consistent standard across the firm. This can be challenging, given the different personalities, working styles, backgrounds of those managers typically conducting performance appraisals.

Regulatory references

Regulatory references remain one of the most controversial parts of the SMCR. Firms with in-scope staff are required to provide a regulatory reference (which is a prescribed regulatory form) which confirms to the employee’s next employer (and next employer for the next six years and possibly longer in certain circumstances) whether there were any breaches of the conduct rules or fit and proper requirements that resulted in disciplinary action being taken by the firm. Firms are prohibited from entering into compromise/settlement agreements that cut across this requirement.

Practical issues

The regulators received significant negative feedback from the industry on this aspect of the regime (mostly in relation to the difficulties with making this requirement work with employment law requirements). As such, the regulators delayed implementing this element of the regime for almost a year as part of the Bank Regime. In the end, the requirement was introduced without clarity provided on how the regime fits with employment law requirements. This aspect comes with numerous challenges including in relation to data protection laws and employment laws. The FCA has said that it is considering how the SMCR works with the upcoming GDPR and is liaising with the ICO on this aspect.

Criminal record checks

The SMCR requires new evidential requirements to be satisfied when assessing candidates for SMF positions and Certification roles. Both firms and any candidates have to declare any criminal record, including any spent conviction the employer should legally be aware of and firms are required to carry out criminal records checks as part of each application.

Practical issues

Firms will either need to be registered with the Disclosure and Barring Service (DBS), or the equivalent bodies in Scotland and Northern Ireland, or pay to use an umbrella organisation as an intermediary to run these checks.

Conduct regime/conduct staff

Firms will need to identify those employees within the firm/branch/group that will be conduct staff (i.e. all senior managers, all certified staff, all non-executive directors and all other employees of the firm (including in branches), excluding those employees whose role is not specific to the financial services industry (e.g. cleaners, security guards)).

Once identified, firms need to ensure those staff are trained on the high-level rules that are the conduct rules and refresh the training annually.

Lessons learnt

An early communication campaign is beneficial to this population as even those who work in a regulated workplace can be anxious about what it means for them in practice. There was a level of anxiety amongst this population in the Bank Regime that they were suddenly subject to direct oversight by the FCA and possibly regulatory action. In addition, combining the communication with additional information about the whistleblowing procedures was found to be beneficial in order to avoid non-specific whistleblowing claims being made due to a Conduct Staff not wishing to report any Conduct rule issues in accordance with the internal breach reporting procedure. Whistleblowing claims that are vague, unclear and unspecific incur significant resource and cost to a firm to investigate them.

Firms also need to think about the culture within their firms. One possible unintended consequence of the regime is the risk of hidden wrongdoing by Conduct Staff.

Conduct rules

There are two sets of rules: there are five rules which apply for all Conduct Staff (discussed below) and the additional four Conduct rules which just apply to senior managers (although one of those four will also apply to non-executive directors who are not also senior managers) (discussed above).

They are as follows:

• Conduct rule 1: You must act with integrity.
• Conduct rule 2: You must act with due care, skill and diligence.
• Conduct rule 3: You must be open and cooperative with the FCA, the PRA and other regulators.
• Conduct rule 4: You must pay due regard to the interests of customers and treat them fairly.
• Conduct rule 5: You must observe proper standards of market conduct.

The rules apply when conduct staff carry out regulated and unregulated activities of a firm and activities which are ancillary to a firm’s regulated activities. This is narrower than the Bank Regime where the conduct rules applied to everything conduct staff did in relation to their job at the bank. It is not yet clear how this restriction will work in practice. It is expected that the FCA intended to draw the line more definitively and it is hoped that this will be clarified in the Policy Statement.

Breaches of conduct rules

A firm must also notify the FCA when taking formal disciplinary action resulting from a breach of a conduct rule. The timing of the notification is the same as currently applies to banks, namely annually for all staff (excluding senior managers) and within seven days for senior managers albeit subject to the overriding obligation under Principle 11 for notifications in respect of all staff where the materiality threshold is met.

Firms are required to have internal breach reporting arrangements for staff to report breaches of the conduct rules.

Appointed representatives

The FCA has not yet decided how it might apply the SMCR to those firms who are appointed representatives. The FCA is proposing to consult on what, if any, requirements it may introduce for appointed representatives and has not given a timetable for this consultation. Therefore, currently the Approved Persons regime will continue to apply for this population.

UK branches

Currently, the FCA is proposing to treat UK branches of EEA firms in a similar way to Limited Scope Firms, whereas UK branches of non-EEA firms have a wider set of senior manager functions and prescribed responsibilities so will be Core or Enhanced Firms. In addition, with UK branches, the territorial limitations discussed above are further enhanced such that staff are only certified staff or conduct staff if they are based in the UK branch.

Outsourced services/offshored services

It is intended that responsibility for outsourced functions is allocated among senior managers in Enhanced Firms, notwithstanding that the firm as a whole must still comply with SYSC 8. It is currently unclear how the FCA is proposing that firms (other than Enhanced Firms) deal with outsourced services as there is no requirement for Core Firms to allocate overall responsibility amongst their Senior Managers.

Territorial limitation

Staff in branches (whether local or overseas) or regulated or unregulated subsidiaries can be in-scope of the SMCR. For senior managers, there is no territorial limitation. For certification staff, the territorial limitation operates such that the relevant staff member must be based in the UK or “deal with” UK clients, and there are some exclusions. For conduct staff, the territorial limitation operates such that the relevant staff must be based in the UK.

Head of legal/General counsel

In Enhanced Firms, the Head of Legal/General Counsel does not need to be approved as a senior manager but this is subject to further discussion by the FCA (DP16/4). There is a new prescribed responsibility of ensuring the governing body is informed of its legal and regulatory obligations but the FCA has stated that it does not expect this to be allocated to the Head of Legal.

Partners in a partnership

The current proposals would see all partners within a partnership needing to seek approval for the senior manager function. However, partners play different roles in a partnership. The FCA has stated that it is open to receiving feedback from the market on whether this is appropriate or whether the FCA should only require the senior manager function to apply to those partners who make the decisions (e.g. managing partners).

In addition, the FCA has not yet considered how it will treat corporate partners in a partnership where the intention is clearly not to capture them.

Conversion

The FCA is proposing to consult in its Technical Consultation on how it proposes conversion from the Approved Persons Regime to the SMCR will occur. “Conversion” is the name the FCA proposes to use to replace “grandfathering” used in the Bank Regime. In the Bank Regime, existing approved persons were “grandfathered” into the new regime by firms completing a regulatory filing. The FCA has stated that it is proposing to “auto-convert” some Approved Person approvals for firms, thereby reducing the administrative burden on firms.

The FCA has stated that it is not intending to publish its final rules until the “summer of 2018” meaning that firms can expect an implementation deadline during late 2018 or into 2019. The implementation timeline will be announced by the Government. The FCA has recently stated to a sector of the market that firms can expect implementation in 2018.

There is also, as yet, no visibility on whether the FCA/Government will adopt a phased implementation approach as it did for the Bank Regime where the requirements were implemented over a two-year period.

As stated earlier in this Bulletin, the FCA has not yet addressed certain items which are to be covered in a Technical Consultation Paper due out as soon as the consultation period for the current Consultation Paper ends (November 3, 2017), these are

• How the regime applies to appointed representatives.
• How transitioning to the SMCR might work (i.e. “conversion”).
• How in-flight cases will be dealt with—these are those senior managers for whom an application for approval is ongoing, while the regime implements. In the Bank Regime, the FCA allowed firms to use the new SMCR regulatory Long Form/Short Forms A, prior to implementation date.
• The template form of Statement of Responsibilities (this is expected to look similar to that for the banks).
• How the FCA will enforce the duty of responsibility (expected to be the same as in the Bank Regime which is currently included in DEPP).
• Amendments to the CASS sourcebook to reflect the proposals.
• Notification forms for breaches of the Conduct rules.

In addition, the FCA has not considered how the SMCR ties into the requirements for in-scope investment firms under MiFID II in relation to senior managers.

The risks that firms face will differ depending on their categorisation, but in broad terms, the risks and practical challenges can be grouped as follows

Risks and practical challenges with the SMCR

• It is unclear whether a firm meets the requirements to be a Limited Scope Firm or an Enhanced Firm or the firm may move between the different regimes. The firm is unsure whether it can seek a waiver.
• Governance and oversight arrangements are unclear. Boards or committees may not be operating effectively with non-existent or misaligned Terms of Reference and insufficient evidence of challenge. Delegation arrangements are in place and line reports occur but in an ad hoc manner. Management information has not been tested.
• Job descriptions are out of date and will not match a senior manager’s responsibilities. Statements of Responsibilities need to be drafted to meet regulatory expectations and be kept up to date.
• Employment contracts/service contracts need to be updated to reflect the regime.
• It is difficult to understand the impact of the regime on HR processes within a firm.
• Senior Managers do not fully understand the regime or have not been provided with tailored training. They are unclear on what “reasonable steps” means in practice.
• There are risks that the handover of Senior Manager roles is insufficient and records are not kept; that too much/confidential information is disclosed to an incoming Senior Manager; and information access requests from previous senior managers are not adhered to in a way that protects a firm from legal repercussions.
• Senior Managers want quick access to independent legal advisors if they have a query on an issue that has arisen and whether the steps they are proposing to take are reasonable. It is difficult to identify the certified staff population.
• There is a risk that the fitness and propriety process does not adequately assess that certified staff are fit to carry out their role.

Risks and practical challenges with the SMCR

• The certified population are not aware of what the regime means for them and how they can help senior managers discharge their responsibilities.
• Staff have not been appropriately trained on the conduct rules.
• There is no effective way to identify, escalate and report breaches and make the required FCA notifications.
• There is a risk that complying with the regulatory references requirements breaches data protection requirements and employment law.
• There is a risk that the records required by the regime are not being kept.
• The implementation project requires project management resource.
• The biggest challenge for firms is not the implementation project but ensuring that the regime runs smoothly as part of business as usual.

What should firms be thinking about now and can realistically start now?

The SMCR represents a significant change to firms’ culture and conduct. Therefore, what a firm can start now depends on how comfortable a firm is with their existing governance and oversight arrangements, systems and controls in place within their organisation and accompanying culture and conduct of accountability, challenge and evidencing decisions.

Firms that are not comfortable that their culture and conduct meets FCA expectations could benefit from starting their projects early looking at their governance and oversight arrangements. Changes in culture take a long time to embed and so starting early means that firms might be in a better position by the time the SMCR needs to be implemented.

For firms that are relatively comfortable with their culture and conduct and existing governance arrangements, there are a number of items that firms can start to prepare:

• Determine within which regime the firm may fall—Limited Scope, Core or Enhanced Firm.
• (Enhanced Firms) Start to draft the Management Responsibilities Map—firms can reasonably include their organogram, the relationship between a firm and its group, how a firm structures its compliance/oversight arrangements, key committees and their terms of reference, etc. Banks found that they needed to revisit reporting lines as part of the early process.
• (Enhanced Firms) Map out all of the business areas, activities of the firm and who has responsibility for them as this will be needed for the statements of responsibilities.
• Locate all job descriptions and all employment contracts for those who are suspected to be in the senior management/certification population as these will need to be updated/ amended.
• Start to map the senior manager population and certified staff population.
• Give some thought to what the firm’s position will be if senior managers request to have access to independent legal advice and if any policies need changing.
• Review the firm’s D&O insurance policy.
• Develop a policy and procedures to deal with gaps in roles including during periods of planned absences, unplanned absences (including suspension and garden leave) and where there is a delay in hiring a replacement. A firm could also start its policy on deputies and job shares.
• Ensure there is a succession plan for key senior managers who are likely to be within the regime.
• Start to develop a handover policy and procedures (both for leavers, joiners and role movers).
• Decide internally on what level of DD a firm will permit a senior manager to conduct before deciding to accept a position and ensure a robust NDA is ready.
• Evaluate a firm’s disciplinary processes and whether it is likely that any changes will be needed, particularly with difficult leavers and with certification staff and the new regulatory references regime.
• Start to update template settlement agreements.
• Have the firm’s F&P assessment process in place ready for the appraisal cycle that will occur in 2018 to understand for which certified staff members a firm may have difficulty in certifying so they are given the opportunity to change roles/depart before implementation of the regime

Responding to the Consultation Paper

Firms are also encouraged to respond to the FCA’s Consultation Paper. The FCA has stated that it is not sure if it has got the regime right for all sectors of the financial services industry and so is open to understanding the challenges that firms will face with the SMCR as currently proposed.

This Bulletin does not address all of the myriad employment law-related risks or issues that exist with the SMCR, and the separate workstreams in relation to HR that need to be considered.