On 26 July 2017, the FCA published its consultation paper on the extension of theSenior Managers and Certification Regime ("SM&CR"). The paper envisages a widening of the SM&CR from the banking sector to all firms (big or small) authorised to provide financial services under the Financial Services and Markets Act 2000 ("FSMA"). This'new' regime is predicted to come into force in late 2018 and its aim is to reduce harm to consumers and strengthen market integrity.What will it mean, however, for the future of the FCA'senforcement actions and investigations?
Overview of the regime
In its proposals, the FCA recognises that any new regime needs to be flexible so that it can adapt to the different sizes and types of firms which exist. For this reason, what is introduced with the extended regime is a gradation of obligations. The "core regime" will apply to most firms.Smaller 'limited scope' firms (i.e. those currently subject to a limited application of the approved persons regime) will be subject to fewer requirements.Larger, complex 'enhanced' firms will be subject to additional requirements. The regime is made up of the following three core elements:
- Senior Managers Regime
The new proposals extend the Senior Management Functions ("SMF") for key responsibilities. The FCA refers to the individuals holding these SMFs as "Senior Managers".
The "core" SMFswill apply to all firms except limited scope firms. These include 'governing functions' such as a chief executive or executive director, and 'required functions' such as compliance oversight and a money laundering reporting officer.
Limited scope firms will be prescribed different SMFs depending upon their nature under the draft SYSC 23. For example, sole traders will only need compliance oversight, whereas consumer credit firms and insurance intermediaries must have the "limited scope function" of apportioning responsibilities under the FCA Handbook; and the establishment and maintenance of controls.
'Enhanced' firms will need to fill additional SMFs including chief finance, chief risk, and head of internal audit.
In addition to the responsibilities inherent in each SMF, the FCA also stipulates a set of 'prescribed responsibilities' such as "responsibility for ensuring the governing body is informed of its legal and
regulatory responsibilities" which firms must distribute between Senior Managers. Under the new proposals, these will be extended to all "core" firms, with "enhanced" firms being required to allocate these and additional responsibilities.
EachSenior Manager under the extended regime will still need to be approved by the FCA before starting the role. Senior Managers will be required to submit a "statement of responsibilities"to the FCA, setting out their role and responsibilities. Significantly, the firm must keep these documents up-to-date and notify the FCA of any changes, ensuring the FCA has immediate knowledge of the individuals who have, or should have, responsibility for each SMF.
Likewise, Senior Managers under the extended regime will have a"duty of responsibility"under section 66A FSMA. This means that, where there has been or continues to be a breach of an FCA requirement,the Senior Manager responsible could be held accountable if they did not take "reasonable steps" to prevent or stop the breach.
- Certification regime
The proposals will also extend the current 'certification regime'. Where individuals are not Senior Managers but the functions of their role allow them to potentially cause significant harm to the firm or consumers (as defined under s. 63E(5) FSMA), the firm will now need to certify to the FCA that the individual is "fit and proper" to perform their role at least annually. In its consultation, the FCA envisages that this process would take place as part of the individual's annual review. It should also be noted, that there will therefore be no FCA register of individuals under the certification regime, and that if a role is not filled, there is no requirement for the firm to certify someone for it. One corollary of this is that in very small firms, there may be no one within the certification regime.
The new proposals also extend "regulatory references" whereby the firm must receive references from the individual's previous 6 employers to ensure they are fit for the role and unfit individuals are not recycled through new employment.These increased verification steps place a greater burden on firms to ensure fit and proper checks are consistently conducted.
- Conduct rules
The proposals extend the conduct rules stemming from ss. 64A and 64B FSMA and are set out in COCON, the FCA Handbook. They will apply to all Senior Managers, certified functions, non-executive directors who are not senior managers, and all other employees except ancillary staff. For the avoidance of doubt, these "baseline rules" will apply to all firms, including "limited scope" firms.
There will be two tiers of "Enforceable" Conduct Rules.
First tier – Individual conduct rules which will apply to most employees in a firm:
- Rule 1: You must act with integrity
- Rule 2: You must act with due skill, care and diligence
- Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators
- Rule 4: You must pay due regard to the interests of customers and treat them fairly
- Rule 5: You must observe proper standards of market conduct
Second Tier – Senior Manager Conduct Rules, applying to Senior Managers only:
- SM1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively
- SM2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with relevant requirements and standards of the regulatory system
- SM3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively
- SM4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice
There is already considerable scope for the FCA to investigate individual responsibility for breaches at all levels, directly and indirectly through various matrices. The FCA's proposals at least attempt to clarifywhat it will have regard to in determining whether a Senior Manager is responsible. The focus will be on:
- Statements of responsibilities (a statement produced by a firm which accompanies an application for the approval of the Senior Manager by the FCA) and, for enhanced firms, management responsibilities maps outlining how governance and responsibility structures work.
- The reality of the Senior Manager's role and interaction with other Senior Managers' roles. This could be evidenced by documents such as minutes, telephone conversations, and email exchanges.
However,what is meant by "reasonable steps" has not yet been defined.The FCAstates that it will need to be defined on a case-by-case basis. It has, however, released guidance on factors it will be looking to take into account (PS17/9 and Ch. 6.2 of the FCA's Decision Procedure and Penalties manual). The FCA will for example, have regard to:
- The nature and size of the firm;
- The roles and responsibilities of the Senior Manager and whether they exercised reasonable care when considering the information available to them, and reached reasonable conclusions;
- The Senior Manager's awareness of the breach, or whether they should have been aware of actual or suspected issues;
- Whether the Senior Manager properly understood the firm's activities for which they were responsible. For example, failing to get expert opinion where appropriate, inadequately monitoring transactions, practices, and individuals, and failing to ensure adequate reporting;
- If the Senior Manager had delegated authority, whether that was reasonable and overseen appropriately;
- What steps were taken by the Senior Manager to satisfy themselves the firm had adequate systems and controls for the areas they were responsible for and following those procedures, as well as implementing them to comply with regulatory requirements and standards; and
- Whether orderly transitions and handovers took place.
From an enforcement perspective, this, along with the fact that the list of factors is neither exhaustive nor prescriptive, means the FCA has a considerable range of factors to determine whether reasonable steps have been taken. The burden of proof in demonstrating that reasonable steps were not taken lies with the FCA. Firms will be expected to keep good records of minutes of board and committee meetings as well as internal meetings, statements of responsibilities and management maps, organisation charts and reporting lines, and any relevant internal materials. Definciences in record keeping will not play out well in any investigation process.
In addition, the conduct rules require firms to demonstrate they apply the spirit, as well as the letter of the rules, and will have to train employees as to the content of the applicable rules. It will be critical, therefore, where there has been a breach, for firms to be able to demonstrate that the relevant individuals have undergone the necessary training programmes. The FCA expects firms to notify it within 7 days of a breach for Senior Managers, and annually in the case of other individuals. This emphasises the focus on senior management.
The expansion and additional clarification of the SM&CR is welcome. The new proposals, however, still lack an element of precision and various areas remain open to interpretation.
As of April 2017, the FCA has started investigations into 2 senior managers, and 11 inviduals who are certified persons under the SM&CR regime since it came into force in May 2016. Although this may seem a small number, it is limited to the banking sector.The indications are that the level of investigation in this area is picking up in intensity.When the FCA's proposals come into force late next year, the increased level of detail provided by firms to the FCA under the new regime and the new framework for measuring the actions of senior management in particular will likely feed further investigation activity.