SMR: Are firms taking sufficiently reasonable steps to comply?
A whitepaper which provides insights from Medius Consulting as we approach the first anniversary of the initial implementation of the Senior Managers Regime in the UK.
It questions whether the full implications of the new regime have yet to be fully appreciated and addressed and is therefore relevant both to those firms and individuals already subject to the regime as well as those to whom it will apply in 2018.
The Senior Managers Regime (‘SMR’) and Certification Regime came into force on 7 March 2016 for a small but significant number of regulated firms – notably banks, designated investment firms and building societies. This first wave is now referred to as Accountability 1 (‘A1’) and will be followed at some point in 2018 by all other regulated firms – Accountability 2 (‘A2’).
The SMR has been introduced as a consequence of the heavy criticisms made of the Approved Persons Regime by the Parliamentary Commission on Banking Standards. The Commission proposed a new regime designed “to ensure that the most important responsibilities within banks are assigned to specific, senior individuals so they can be held fully accountable for their decisions and the standards of their banks in these areas”. As applied in A1, this has consisted of:
- A number of Senior Management Functions (‘SMFs’) that must be allocated to senior executives and Directors
- A set of Prescribed Responsibilities (‘PRs’) that must be owned by SMFs
- Statements of Responsibilities (‘SoR’) for each SMF setting out the scope and nature of their prescribed and other responsibilities
- A Management Responsibilities Map (‘MRM’) that describes the firm’s management and governance arrangements in great detail
- A statutory duty of responsibility that requires SMFs to be able to evidence that they have taken ‘reasonable steps’ to avoid regulatory breaches within their areas of responsibility
Regulatory developments post-implementation
Since 7 March, the regulators have published further consultation papers setting out guidance on the duty of responsibility and proposing some amendments to the regime. Some firms have also been provided with direct feedback on what they submitted at implementation. The key points worth highlighting are:
- FCA and PRA stating that “competing priorities” (in other words, having an excessive workload) will not be a defence when assessing whether SMFs had taken reasonable steps
- A proposal to create a new SMF covering responsibility for “managing, and ensuring the operational continuity and resilience of the internal operations, systems and technology of a firm”
- A proposal to create a new PR for “operational resilience and operational continuity”
- Clarification of what is expected in relation to the contents of SoRs and MRMs whilst reiterating the importance of both documents
- An emphasis on how MRMs need to clearly identify the relationships between the legal entity and the wider group of which it is part
Very little information has been provided to date in relation to the substance or timing of A2 – the roll-out of the regime to c.52,000 regulated firms in 2018. All that has been officially stated is that the first Consultation Paper should come out in Q2 2017 and that, by virtue of the scale of the task, implementation will take place in a series of stages (akin to the approach used for consumer credit authorisations).
In the absence of any additional information, we are assuming that the application of SMR under A2 will be a further development of the distinction between larger and smaller firms under A1 and that those core elements referred to in the introduction will remain consistent i.e. there will be SMFs, PRs, SoRs and MRMs along with the duty of responsibility.
Positive Impact of SMR
Few of us who have worked in the financial services industry of late would argue that the concepts of clearer accountability and risk ownership are anything other than (a) good things and (b) long overdue. Based on our experience at Medius and discussions with our peers, it has been heartening to hear that the majority of CEOs, Chairmen and other Senior Managers “get it” and have welcomed the benefits and insights derived from the proper application of the SMR. In particular, SMR has helped highlight weaknesses in the existing governance arrangements in ways that firms’ existing audit or other review mechanisms had not.
Typical weaknesses identified by SMR include:
- Gaps in the governance framework where no-one regarded themselves as having ultimate responsibility
- Overlapping responsibility (such as in joint-venture situations) where there was no clarity as to who had responsibility for what
- Some lack of clarity in relation to exactly who was responsible for what in highly sensitive areas like cyber-security, fraud and client money
- Senior managers who “don’t get it” i.e. are possibly not culturally suited to remaining in their current roles under the SMR
Two Key Lessons from Accountability 1
The most powerful way of illustrating two critical lessons from A1 centres on the SMF on whom the new regime has had the single biggest impact:
The Chief Executive (SMF 1) function is defined as being the individual “having responsibility, under the immediate authority of the Board, alone or jointly with others, for carrying out the management of the conduct of the whole of the business of a firm”.
The Prescribed Responsibilities (‘PRs’) one would expect to see allocated to the CEO would include:
- Performance of obligations under the SMR
- Compliance with obligations in relation to the MRM
- Allocation of all prescribed responsibilities
- Performance of obligations under the Certification Regime
- Adoption of the firm’s culture in the day-to-day management of the firm
- Development and maintenance of the firm’s business model
- Monitoring the effective implementation of induction, training and development of (executive senior management)
These are just the PRs owned by a typical CEO – his / her SoR would also include additional (‘other’ and / or ‘overall’) responsibilities. In many cases, the same CEOs would have additional, equivalent responsibilities for other legal entities within the overall group.
Of the PRs listed above, I expect most CEOs would agree that those in black described responsibilities they already felt accountable for. That might extend in some cases to the green PR (although if asked the direct question pre-SMR, I suspect most would have regarded the accountability as falling squarely within the remit of their Head of HR). However, no CEO would have regarded themselves as accountable for four of the seven PRs (those in red) for the simple reason that those responsibilities did not exist prior to the regime coming into force.
All of this goes to help illustrate the first simple lesson:
Complying with SMR is difficult
Key observations in this respect include:
- Responsibilities such as those for the MRM and the Certification Regime in particular equate to accountability for complex, administratively demanding tasks. They typically require significant reliance on multiple functions, people and systems. The bigger and more complex the firm, the bigger the challenge. (The scope of the MRM alone illustrates the scale of the challenge.)
- Responsibilities of this nature require a significant degree of delegation on the part of the CEO. (As FCA and PRA were very keen to remind us throughout the roll-out of SMR, SMFs can delegate responsibility but cannot delegate accountability.)
- If asked prior to March 2016, I don’t expect many CEOs would have admitted to having any extra time in their working week to assume any material new responsibilities. Even allowing for a degree of delegation, it does beg the question of how CEOs have found sufficient additional time to effectively discharge their new responsibilities.
The second lesson that follows from these observations is:
Meeting the Duty of Responsibility is Difficult
Put simply, the task of evidencing reasonable steps becomes more challenging as both the number and inherent complexity of PRs increases. In the case of the CEO in particular, that challenge is exacerbated by the broadly-defined scope of SMF1 (“carrying out the management of the conduct of the whole of the business of a firm”). Whilst the Chairman and other Board members within the scope of the regime are assisted to some degree by virtue of the formal governance frameworks (notably the standard meeting timetables, terms of reference and minute-taking required by relevant legislation), CEOs and the senior executives reporting to them typically have far less in the way of formal structure.
Executive SMFs – and CEOs in particular – should therefore pay particular attention to:
- Delegation: Ensuring that their delegation framework is clearly documented i.e. what aspects of their various responsibilities have they delegated and to whom have they been delegated.
- Reporting: If not in place already, instituting appropriately regular meetings with all direct reports including anyone to whom they have directly delegated responsibilities. Executive Committees alone will not be sufficient and should be supplemented with regular bilateral meetings. The frequency of these meetings will be dictated by the perceived risk associated with individuals’ areas of responsibility, including the extent and nature of any delegated tasks. Meetings may be minuted if practical but at the very least, should be supported by some form of action tracking that provides evidence of key decisions, agreed actions and the effective tracking of those actions through to resolution.
- Management information: Good MI is clearly one of the best ways of evidencing reasonable steps as it can provide tangible evidence that delegation is operating effectively and it can be utilised proactively in SMFs’ regular meetings with direct reports. To be effective, SMFs will need to be able to demonstrate that they have actually read the MI and, where appropriate, acted upon it. With that in mind, it is vitally important that they ensure the MI they do receive remains appropriate from both a quantity and quality perspective. As touched on earlier, FCA has clearly stated that excessive workloads will not be a defence against failure to take reasonable steps. SMFs have to understand that investigators will scour inboxes for any evidence to support their case and pleas of “I shouldn’t have been copied on that mail” or “how could I have reviewed a 500-page document?” will not constitute any sort of defence.
A significant amount of work went into firms’ preparations for A1 – the largest institutions engaged multiple advisors on major projects that lasted up to 2 years. A1 was that much more challenging because regulators, firms and their advisors were familiarising themselves with new regulations that continued to change (often very materially) in the period to implementation (and, as noted earlier, they continue to do so post-implementation). In most cases, firms were also having to create their own SMR tools as there were no sufficiently comprehensive vendor solutions available (notably in relation to the challenge of creating responsibilities maps).
The effort (and associated cost) that went into meeting the March deadline may in part account for a concern that firms have – for many of the reasons referred to earlier – underestimated the scale of the challenge that ongoing compliance with SMR represents. Our particular concerns are that firms may not have invested sufficiently in:
- People: CEOs need to consider whether they are able to fulfil their new responsibilities – notably the responsibility for the firm’s obligations under SMR – with the existing dedicated resource available to them. Whilst some larger firms already had an ‘Office of the CEO’ or equivalent function (e.g. within the office of a Chief of Staff or COO) and have expanded its remit and resourcing, others did not operate this way and have not materially changed their structure or resourcing since the regime came into force.
- Systems: In the absence of vendor solutions capable of managing the volumes of data and numbers of different, often complex, moving parts that characterise the SMR, most have typically relied quite heavily on spreadsheet-based solutions to date. Spreadsheets have obvious limitations given the demands of SMR – particularly for larger firms with matrix reporting and specifically in relation to the need to constantly update MRMs. New and enhanced vendor solutions designed specifically for the new regime (as opposed to reengineered T&C systems) are now becoming available and should be considered.
The SMR does represent a very significant shift in the regulatory landscape with implications for senior individuals that are yet to be fully grasped. With that in mind, I want to conclude by summarising what we may well expect from the first enforcement actions under SMR come the next LIBOR / FX / PPI / Adoboli / London Whale etc.
If the firm in question has implemented SMR effectively and the SMF with responsibility for the area in question is deemed not to have taken reasonable steps, that SMF (‘Mr. X’) will face disciplinary action.
However, if the firm has not implemented SMR effectively, Mr. X may well escape for the very reasons (inability to attribute accountability because of opaque governance arrangements) that the new regime was introduced. The big difference under SMR is that, in this scenario, the FCA gets a second bite at the cherry. That failure to implement SMR effectively is a breach for which an SMF is directly accountable – the SMF in question being the CEO.
Whilst nothing will quite have the effect of that first, real enforcement case under SMR, I hope this paper will encourage some CEOs (already in place under A1 or who will be in place under A2) to take a fresh look at how they are discharging their responsibilities under the Senior Managers Regime.