Regulatory enforcement mini-series part 6: What would you change about the Senior Managers and Certification Regime (SMCR)?

10 July 2024

In this podcast mini-series, we highlight new approaches from UK financial regulators and discuss what they might do differently to ensure that they act both fairly and effectively. For this episode, we delve into the Senior Managers and Certification Regime (SMCR).

Together, Ashurst colleagues Nathan Willmott, Lorraine Johnston and Adam Jamieson acknowledge the positive cultural impact that the regime has had within firms, including clearer accountability and more engagement from the top down.

The trio also unpicks some of the more challenging aspects of the regime, including the spread of requirements in both PRA and FCA Handbooks, the ‘one strike and you’re out’ approach which emanates from regulatory references, and the difficulty of measuring whether or not conduct has actually improved.

They also identify improvements to the SMCR that could clear up confusion, reduce unnecessary red tape, and make the regime more equitable. To listen to this episode – and previous episodes in this regulatory enforcement mini-series – search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify or wherever you get your podcasts.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Nathan:

Hello and welcome to the Ashurst Regulatory Enforcement Podcast. I'm Nathan Willmott and I'm joined here in the Fruit & Wool Exchange in London by two fellow specialists in FCA and PRA regulation. My colleagues Lorraine Johnston and Adam Jamieson. Thanks very much, Lorraine and Adam for joining me today.

Lorraine:

Thanks, Nathan.

Adam:

Thank you.

Nathan:

Now together we've quite a few years of grappling with regulators on tricky regulatory matters representing all types of financial services firms as well as their senior management. And our mission for this podcast series is to share with you the new approaches and strategies that we're seeing from the financial regulators to highlight areas of concern about how the regulators are carrying out their role and to suggest what they should be doing differently to ensure that they act both fairly and effectively. And our topic for today is SMCR, the Senior Managers and Certification Regime, which of course replaced the previous Approved Persons Regime some eight years ago for banks and insurers, and then more recently for solo regulated firms.

And coupled with that, both the PRA and the FCA did their own consultation exercises, and that has somewhat gone into abeyance it seems, with the upcoming election. And so I thought this would be a good opportunity for us to discuss, well, what would we like to see change in relation to SMCR? What's working well, what needs to go and what could be done better? So perhaps I could kick off with you, Adam, with your ideas in terms of what's going well in terms of SMCR. What do you think has really helped to push up standards within the industry?

Adam:

There were a lot of different considerations, I think as part of that review. In terms of what's gone well, I think generally industry, and we see this in our practice as well, took the view from a cultural perspective, SMCR has been quite successful. It's quite high profile within firms. People tend to understand it both at a senior management level and at a lower level. And it has led to lots of positive conversations about allocation of responsibility and understanding who around the exec table in particular is responsible for which area, what steps are they taking to discharge that duty?

Probably better engagement between the first line and the likes of compliance and risk in the second line around how risks are managed across the organization. Not just that they're all dealt with within compliance and risk or within audit, but actually the business taking responsibility and how people work together. And I think SMCR put skin in the game and made sure that everybody was focused on what they were responsible for and how they sort of discharged those duties. And my feeling was from a cultural perspective, lots of people say they think it's been very positive.

Nathan:

So just to sum that better, clarification of what individuals are particularly accountable for.

Adam:

Yeah. And I think the statements of responsibility, for example, being brought in for senior managers, it's written down what somebody is responsible for in regulatory terms. Now, look, people have had job descriptions for years. Sometimes those were reflective of people's responsibilities. Sometimes they were more job adverts and they weren't. But having that regulatory statement that goes in, something that's reviewed on a periodic basis, I think does focus the mind on who's responsible for what. And the management responsibilities, maps and mapping across different senior managers, again, does give that clarity.

Lorraine:

I think that's right. I think from my experience actually what SMCR has done practically, is open up those discussions at a much earlier period of time. When I'm talking to clients around about what exactly is a statement of responsibility, I often describe it as "their document". They have to be comfortable as a future senior manager who's going to be approved by the regulator with what is set out in that as their responsibilities will be what they are held accountable for. If they're not sure, if they have questions, if there's nuances where actually there's an overlap and it's not quite clear where that perimeter is, that's when that discussion should have... Because once it's on their statement of responsibilities, that's a document that the regulator is going to look at if something does go wrong. So absolutely, I think much more transparency, much more precision and detail about what it is that you'll be held accountable for.

Nathan:

Yeah. And on that topic of what you're being held accountable for, how do you feel prescribed responsibilities, which obviously were new with SMCR? Do you think that they've worked? Do you see those featuring in those day-to-day conversations?

Lorraine:

So actually quite recently, I've had exactly that conversation. Where should prescribed responsibility (d) for financial crime sit? Actually, is it an MLRO or is it a CEO, for example? Those are really common discussions to have. Obviously it depends on the type of firm, the activity, the sector. But there isn't a one size fits all. I think the key aspect, however, is that those prescribed responsibilities and the allocation of them lead to a more practical and operational discussion, i.e. okay, well, if I'm going to be held accountable for financial crime control, how, what is my role in terms of policy review, policy frameworks? Do I need board sign off? How am I going to get comfortable that I will have the budget and resourcing in order to be able to discharge this responsibility?

And I know that might be part and parcel of say, an MLRO's or a head of compliance's job, but actually to drill down into those discussions a fairly premature or early time in that sort of appointment process is really, really important. And actually, I think creates a better governance structure in practice.

Adam:

I mean, from an enforcement perspective as well, I think the FCA and the PRA do look at the prescribed responsibilities too, both in terms of thinking about who they need to speak to, where they're investigating a firm and how they can learn more about the framework that was in place. But also thinking about individual accountability and are individuals accountable for this particular issue. And if somebody's plainly got the prescribed responsibility for it, then that's somebody who might come into focus as part of that investigation and that process.

Lorraine:

I think from my perspective, what's a little bit cheeky by the regulator and in particular the PRA is when they drop in particularly on their supervisory statements, other responsibilities that they believe ought to be allocated to senior managers. So one of the most remarkable ones was where they declared that there should be a senior manager responsible for climate risk to the business. And I think that's really difficult, because it's not handily contained. You've got to make sure that you've gone through all of the different communications. Not all of them are going to be right for your business as well.

Adam:

It's quite hard to track them all, isn't it? If they're not all in the rule book, these are the prescribed responsibilities you need to allocate, but within supervisory statements, that is quite a difficult exercise, I agree.

Lorraine:

The good news is that you might have a handy law firm like Ashurst who might have done that exercise for you.

Nathan:

I mean, linked with that, there've been a couple of enforcement cases fairly recently where either the firm or individuals have been criticised for not specifically allocating responsibility for particular regulatory responsibilities to particular SMFs. So we've seen it in relation to the large exposures regime where there was criticism that responsibility for compliance with that regime was not allocated to a particular SMF. Similarly, we've seen it in relation to responsibility for designating individual bank accounts as to whether they are within the Financial Services Compensation Scheme. Two things that I think most people would've thought those was an aspect of granularity that was beyond what would be expected by the regulators, have you seen firms becoming more granular as a result in how they do those statements?

Lorraine:

So I think it's quite interesting to see that development, because if we zoom out and look at different ways that regulators are looking at firms and regulatory obligation identification and then compliance and control framework, I think what's interesting is that we on the US side are seeing a real change, a real shift in the expectations of firms in no (1), what are your regulatory obligations? No (2), how have you mapped them to your control frameworks, your policies and your procedures? And no (3), who is accountable for that?

Now that's obligations up. I think what we're seeing from the UK regulators is responsibility down. And actually I think you need a mixture of both, because I think it's really difficult to slice and dice your regulatory obligations in such a granular way using the SMCR regime. It just doesn't quite fit. It's far too detailed. But if you had an obligations identification responsibility, then you could see how that actually maps. But similarly for banks, you've also got the overall responsibility i.e. that there can be no gaps in accountability. I think we sometimes forget that. And I think that is arguably more powerful than trying to slice and dice different regulatory requirements.

Adam:

And it doesn't always make sense anyway, to be looking at individual regulatory requirements that are going to apply to lots of different parts of the business that lots of different individuals are responsible for. So there's a range of individuals who, for their business area, will need to ensure that they comply with the same obligation.

Lorraine:

Yeah. And we had that on consumer duty as well. So consumer duty, the FCA came out very forcefully and clearly to say consumer duty is not a single senior manager's obligation, it should filter through the whole DNA of the firm. It should be reflected in each senior manager in terms of the business or the area for which they're responsible for. So I think that's absolutely key, how as a regulated firm would you know this is something that should be throughout the firm, whereas actually this is set for one particular senior manager?

Adam:

Yeah, if you'll forgive me for hijacking your agenda, Nathan. I think one other quite interesting question in the context of SMCR, how's it work? Should it change? Is what impact do we think it's had on conduct more broadly? And that feels quite difficult to measure. Obviously, you know, lots of individual firms will know how many conduct rule breaches, for example, they found. It gives firms a lever to talk to staff about conduct and give training and give scenario-based training, which feels very positive. But I don't know what intel the FCA have got, but it does feel quite difficult to measure to say, "Well, look, has conduct actually improved?"

Nathan:

That's right. I mean, I think this issue of firms themselves assessing conduct is, I think, an unintended, I might be wrong, an unintended consequence of the combination with SMCR of applying conduct rules to all staff, all meaningful staff, and the obligation to do breach reporting, either periodically or in some cases in response to the event itself. You put those two things together and where there is an incident, then it becomes particularly one that leads to disciplinary action, there then becomes the next step is, do we assess this as being a breach of a conduct rule? Now, pre SMCR, if a senior individual who was an approved person had misconduct, there would be disciplinary action, but firms wouldn't typically go through that assessment. Do we think it is a breach of the Statements of Principle for Approved Persons? That would've been considered something that was the regulator's job to assess that. But because now you've got a much bigger community subject to individual obligations and perhaps more importantly, the duty to report on any breaches of those conduct rules, that has led to this real outsourcing of investigating and reporting on conduct rule breaches, which I don't think was part of the design of SMCR. You might have a different view, I think, Lorraine, you do.

Lorraine:

Yeah. So I slightly disagree, because I think if you go way back to when SMCR was being consulted on, one of the key objectives of the new rules was to stop the rolling bad apple. It was to ensure that where an issue arose, that person could not just resign and go next door to their peer firm and get the job there and continue and continue and continue. And that idea that actually that created an industry that was rotten to the core was one of the key objectives I think of SMCR and also of putting that onus on the firms themselves to make that assessment. And I completely take your point, however, because I think there's a massive unforeseen consequence of that change in who is assessing behaviour, because there is no one size fits all. We know from our clients, we know from the work that we do that some clients have very, very high standards in terms of what will trigger a disciplinary action, what a conduct rule breach, a notifiable conduct rule breach will look like. It's not the same across industry.

But what the SMCR rules have done, including the reg references part of it, is actually almost create a one strike and you're out. And I think that unforeseen consequence in terms of it could apply to a very young professional in the market just starting out, not necessarily having the structure around them to know what's right, what's wrong, what's the right behaviour. Just starting out in that development either makes one mistake actually that creates a very closed environment for that person's development. Because if something does happen that ends up on their reg reference, there are lots of firms that will look at that and say, "Well, actually that candidate's not for me. I'm not going to take that risk, or I don't have the energy to control that risk that person presents as a candidate." I think that's really difficult.

Adam:

Yeah. That's a really good point. I've always felt that the FCA should have done more, from a fairness perspective, to clarify the fact that whilst something might be material to the assessment of fitness and propriety, which is I think the main standard for the reg references piece, that doesn't mean to say that because it's been disclosed that person is not fit and proper. And otherwise you end up with a prohibition through the back door for someone who might have had a relatively minor issue leading to a written warning and they can never work again.

Which of course from an enforcement perspective, if you were looking at banning someone, for example, would never happen. It would have to be a serious sort of integrity issue generally. And that just is inherently incredibly unfair. And firms, I think lots of firms feel they need to take a cautious approach, because they think, "Well, look, this is the purpose of this regime, and if I get adverse information on a reference, then no, thank you, not for us." But it feels like that must be an unintended consequence in a large number of cases.

Nathan:

And so SMCR really extended that regulatory reference obligation, didn't it? Because for a long time there was the obligation to respond fully to a regulatory reference if asked and SMCR really introduced the obligation to ask and to go back a number of years. Do you feel that's been a good thing, albeit that you've identified some problems with how it's operating in practice?

Lorraine:

Good question. Do I think it's a good thing?

Nathan:

You talked about the rolling bad apples, and I think that was one of the things that was really aiming to manage that issue.

Adam:

Could they, if they had a higher threshold, for example, of things that needed to be included on a reg reference, for example, obviously dismissal or a breach of the integrity conduct rule.

Lorraine:

It's a Question G, isn't it? So we all talk about Question G. Is there any information which the recipient of the reference ought to know in making that decision as to this individual? That's a big one. And obviously I don't want to do ourselves out of a job, because it's really great to advise clients on what that should look like, what the right balance between employment rights and regulatory obligations is. But that is where you see that diversity of approaches between different firms, both in providing that information and also on receipt of that information. Because fundamentally, if you've got that box filled out, it becomes an unclean reg reference. It has something that you're put on notice as a recruiting firm that has happened in relation to that individual and particularly where that individual might be performing certain roles or in relation to customers, direct customer facing roles. That means that you would have to do something to add a layer of supervision. And some firms will absolutely want to do that, and other firms just won't have the resources to do that.

Nathan:

And then another element of SMCR was the hard-wiring, the handover obligations. How do you feel that that's working in practice? I know, Adam, that you've seen some interesting issues on the enforcement side in terms of handovers and sometimes that desire for responsibility to be handed over as soon as possible, even though a new SMF may not yet have been approved.

Adam:

I think handovers was quite intentionally put in to SMCR. I do think pre SMCR, you did see it as an issue from an enforcement perspective. You would see important projects not being properly allocated after people left or people not fully understanding what they were inheriting and what the history was and that led to things falling through the gaps. And it was really hard then, I think, for the regulators to say, "Well, look who's responsible for this? Is it the person who's left? Is it the person who's come in?" If there aren't clear rules saying, "This is what the expectations are for handovers." But they're difficult. I think handovers are really difficult to manage in practice. And this flows through to when issues then arise, in particular where there are people overlapping in roles? There are extended handover periods where perhaps there are people shadowing the role.

And obviously the outgoing person is very keen usually to hand over the regulatory responsibilities for obvious reasons. And the incoming person wants to understand everything before they take it on. And as to what the status is during that period. I mean, you know, technically speaking until the SMF has been given up on the register, it's that SMF's responsibility, notwithstanding that actually on a day-to-day basis, somebody else might be almost fully, sometimes, sort of performing that role subject to getting their approval.

So it's still not a perfect system in that sense. But I think broadly though, handovers have been really positive. It gives the outgoing person clear evidence from an enforcement perspective of, look, this is what I think the risk areas are. This is how they're being managed. This is what you need to be focusing on. This is where we're up to with it all. This is my evidence pack for my reasonable steps. Great for that person and for the firm. And for the incoming person it gives them a clear roadmap of, well, this is what I'm being told. And if things aren't included within that and then crop up, then obviously they need to deal with those as they arise. They've got a piece of evidence to say, "Well, look, I wasn't pregnant with this risk at that particular point in time."

Lorraine:

I think it's interesting, because I think there's a compare and contrast to handovers between good leavers and bad leavers. I think that's always in the good leaver scenario absolutely agree. Actually you can plan it, you can schedule it accordingly to different dates. I think the handover pack absolutely is key evidentially. I think actually sometimes it's the in-person handover meetings that are most fruitful or the shadowing, for example. But the evidence pack is there for a reason, and that reflects the obligation on the outgoing senior manager.

In the bad leaver scenario, it can be much trickier, but at least it is clear for all of the parties what the responsibility is. And I think then to the enforcement scenario, then there is a case for the regulator going in and say, "Well, show me your handover. Show me what you did." Even in that scenario around about making sure that the table was set for an incoming SMF, even if that person hadn't yet been identified.

Nathan:

And we've seen those circumstances where the SMF has been keen to hand over that role and therefore has delegated those responsibilities or the activities to the new SMF. And we've seen the regulators really scratching their heads as to quite where that leaves the responsibility. And they've referred to the incoming SMF as the "de facto SMF", which I think creates all sorts of issues in terms of where those responsibilities lie. But in terms of, you've talked about that enforcement angle, it feels to me that SMFs now and actually the broader regulated community feel that the risk of enforcement action is a real one, because of the numbers of enforcement investigations that particularly the FCA has brought. Do you think that has led to good behaviour or more defensive behaviour or possibly both?

Lorraine:

So I think, again, if you go back to 2016 when SMCR was brought in for the banks, as we were doing one-to-one training with who would be senior managers under the new regime, that enforcement action, the penalty fine prohibition for example, was always the point at which they sat up before you launched into, and this is what reasonable steps look like. So it's always been that hinge that the regulator dangled as a potential. I think that we are now starting to see those final notices, those enforcement actions in place by both the PRA and the FCA is having an effect. I think senior managers are much more aware. They want to know what those final notices have said. They want to see that flesh of expectation around about the regulatory view of what they should be doing. So I do think it has certainly, again, reiterated that point that this is an important aspect of their role.

Adam:

I actually think, going back to a different debate that we've had on the series, in the context of publicity and the naming and shaming proposals, if the FCA were to go forward with an "Enforcement Watch" type publication with details of the types of issues they were looking at, if they were to give anonymised details of the types of issues they look at in relation to managerial oversight failings and the circumstances by which they might investigate a senior manager for an issue, people would be very focused on that, I think. And it would be discussed at a very high level within most firms.

Nathan:

I still don't know why the regulators don't, at the moment where an SMF is approved to perform a particular role, write to that SMF and convey some of the expectations in a non-exhaustive way of really what the regulators think that that person should be doing as part of that reasonable steps framework. In order to understand the risk management framework, the governance framework, direct reports, the adequacy of those individuals, management information, all those things that in an enforcement actually is asking those questions. It should really be conveying that, in my view, at the time that an SMF is approved, to give them a chance at least to take those steps if the firm isn't supporting them in doing that. And experience within firms varies enormously as to how much support SMFs get in those sort of first two or three months in the role.

Lorraine:

I think that's right. I'm not sure that the FCA or the PRA would thank you in adding to their to-do list. I do sometimes think that that sentiment is shared where there are senior manager interviews as part of the application process, so I completely agree, but not all senior manager applications go to interview. And so I can see that there being merit. But yeah, I'm not entirely sure that the regulator's going to be wholly excited as they're processing all of these senior manager applications with a delay, with some confusion that there's another action point for them to take.

Nathan:

That's true. That's true. And so now looking ahead in terms of SMCR, I'd be interested to know if there's one thing, perhaps two things that you would really want to change to improve SMCR, what would those things be?

Adam:

Do you want to go first, Lorraine?

Lorraine:

I don't know. But mine are really granular. So mine are, it's really challenging for dual regulated firms to have some of SMCR in the PRA rule book and some of SMCR in the FCA handbook. I think that just is confusing. I think some of the processes, the forms are not fit for purpose. Some, there's confusions around about which forms when, what happens if you've got a transitory transition period between SMFs. You know, again, that different standards and different approaches across industry that do lead to those unforeseen circumstances. So for me, there's little tweaks particularly operationally, particularly at a practical level rather than any sort of large changes. Because I do think SMCR kind of works, I think it's been well received and you can see that where it's been replicated across other jurisdictions. But that's my two.

Adam:

We haven't seen, obviously the breadth of feedback that there would've been from the call for evidence on how it was working. But the general sense did feel to be, look, there were, it was an onerous regime from a compliance perspective, and there were tweaks that could be made to help with that and people in the second line who have to deal with it day to day. But broadly, people like the regime. I mean, I think from a practical perspective, perhaps certification for example, not being an annual requirement and being pushed out, whether it's two years or three years, is something which I'm sure will have been a common theme of feedback, because that will lift some of the strain around the papering and of those assessments.

And of course if something happens, you can do a triggered reassessment, but do you need to go through that quite onerous process every year? Perhaps not. But the interesting thing was nobody was coming up with anything particularly drastic or we need to tear up this part of it to be competitive internationally. And I think perhaps that was a bit of a surprise to the Treasury, because our regime does go a lot further than other regimes in terms of its breadth in particular, of covering almost all employees than other jurisdictions have at the moment.

Nathan:

It's interesting, isn't it? A lot of other jurisdictions have copied the UK regime, but as you say, in a more restrictive way. If you look at Ireland, Australia, Continental Europe, nobody goes as far as we go in terms of imposing extremely burdensome obligations actually, when you analyse them properly on such a broad number of individuals, coupled with that threat of personal action and fining. I think when you look at some of those other regimes, yes, there's accountability in terms of identification of who is responsible for what, but I think that the dangers for individuals in some of those jurisdictions is significantly less than we have here.

Lorraine:

And I think that's a fair summary. But I think the slight distinction to be made is that there is a real life event that triggered SMCR here in the UK. That was a global financial crisis. It was the government stepping in to bail some of our largest banks. It was the executive of those banks walking away, as it were, scot-free without being held accountable. And I think because we've been through that journey, actually people, the industry is more accepting of a slightly onerous regime provided that it is not diminishing the talent pool. It's not diminishing the individuals that are going to be able to run our banks or regulated firms. If that was the case, and that was a potential concern as it was coming in 2016, that actually, why would you be a director of a bank if you could go and be a director of a PLC and not subject to this? But I think here actually it's just improved behaviour and people have been comfortable with that, that it's not too onerous, but there's a real enforceability action if you don't take it seriously. I think that's okay.

Nathan:

Yeah. I mean, from my perspective, there are a number of almost accidents of history with SMCR that need fixing in order to make it a fairer regime. I think a more consistent regime across firms, I think changing the scope of the conduct rules to make sure that they are the same for banks as they are for other firms, and not a much broader regime as currently applies. That the slightly peculiar position we have with non-executive directors who don't chair significant committees, the fact that they don't need to be SMFs, I think is a result of some of the lobbying, but it's a distinction without any real difference in liability or potential liability, I think. And so I think that needs fixing. I'd also like to see greater clarification within the conduct rules themselves on what is meant by the evidential examples of breaches of particular rules, obviously that's due to come in relation to non-financial misconduct.

I think that all those examples should be evidential rules rather than guidance to give them the proper weight of law. All these sort of things that I think are, as you say, tweaks to the regime, but to make them work more effectively.

Well, thank you so much for your thoughts on SMCR, Adam and Lorraine. That has been fascinating. I'm afraid that's all we have time for on this podcast. So as always, thanks to you for listening. Please do reach out to us. If there's anything that you've heard that you have your own views on, that you disagree with or would like to comment on, then please do drop us an email or give us a call. We would very much like to hear from you. Thank you very much.
