Fuelled by political and public concern about trust, standards and culture in the banking industry, sweeping changes to the way the UK financial sector is regulated are gathering pace. The need to reshape corporate culture is underpinned by 3 tiers of new regulation: the Senior Managers Regime, the Certification Regime and Conduct Rules allied to the new Remuneration Code.
The problem has been identified in the following high-level terms:
“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibilities. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite.”1
The key words that fly out from this citation are: personal responsibilities and accountability. They feature vividly throughout the regulators’ review of banking standards and are at the hub of the new regulatory process.
Firms affected are UK incorporated banks, building societies, credit unions and PRA designated investment firms. It now seems a racing certainty that the regime will also extend to branches of foreign banks operating in the UK. The new regime will not immediately apply to insurers, fund managers, investment funds, asset managers or other financial institutions which are not PRA designated firms, but this is likely to be short-lived given the highly critical comments of the current regime by the Treasury Committee in its report on Project Verde:
“While the Approved Persons Regime will be abolished for the banking industry, it will be retained for many in the remainder of the financial services industry, including insurance and asset management. Given its manifest failings, this appears hard to justify. Clive Adamson, Director of Supervision at the FCA, appeared in oral evidence to agree with this view. The government and the regulators should at the earliest opportunity make proposals to extend the coverage of the Senior Managers and Certification Regimes to, and remove the application of the Approved Persons Regime from, other parts of the financial services industry.”2
Under the new regime for banks OUT goes the concept of ‘Significant Influence Functions’ which applies to existing senior approved persons under the Approved Persons Regime (“APER”) and OUT goes the APER Statements of Principle and Code of Practice which applies to senior persons approved by the PRA and FCA to carry out regulated activities. APER still applies at present to fund managers and other parts of the financial services sector but given APER has been discredited it is as well to know what is replacing it for banks.
IN comes the new Senior Managers Regime specifically designed to ensure there is an individual Senior Manager who becomes personally accountable for every aspect of a firm’s regulated activity. The PRA lists 20 ‘Prescribed Responsibilities’ and the FCA 27 ‘Key Functions’ which need to be allocated to a Senior Manager who will be required to perform one or more of 18 Senior Management Functions. Significantly there will be a need to appoint a Senior Manager with personal responsibility for implementing the new Regime – to ensure the firm is fully compliant with it and personally accountable to the regulators if it is not.
Senior Managers will be drawn from a firm’s top-levels of management and decision makers and must be approved by the regulators. The term ‘decision makers’ is an important one. If a person outside the UK (sitting for example on the Parent Board) takes strategic decisions which impact directly on a firm’s UK regulated activities, and ‘de facto’ performs a Senior Management Function, that person must be approved as a Senior Manager. The reluctance to loosen parental control may be tempered by the requirement for those exercising control to be subject to UK regulatory oversight and salary restrictions imposed by the new Remuneration Code!
As part of the process for seeking approval for Senior Managers, firms need to submit to the regulators a Management Responsibility Map. This sets out the firm’s management and governance arrangements – very specifically, who is responsible for what? It is designed to satisfy the regulators that the allocation of PRA Prescribed Responsibilities and FCA Key functions is complete, with no gaps and needs to be accompanied by a Statement of Responsibilities for each Senior Manager. Make no mistake: the Statement of Responsibilities is designed to inform the regulators whose door to knock down in the event of regulatory breach.
There are obvious sensitivities in terms of Senior Managers seeking to minimise their personal responsibilities, whilst firms looks to plug the gaps and allocate greater responsibility. The key to resolving tension are detailed job descriptions with clear demarcation lines of the areas of responsibility, as well as providing resources and guidance to Senior Managers to perform their regulated functions.
IN comes the Certification Regime, which introduces a new class of Certified Persons who must be approved (or certified) as ‘fit and proper’ to perform their role adopting FIT – the handbook which describes the criteria that regulators expect to be considered when assessing the fitness and propriety of those performing regulated activities. The PRA and FCA FIT handbooks will be amended but are not expected to change significantly: the underlying substance will remain the same. What does change is the evidence required to assess and certify that the fitness and propriety standard has been met.
Notably, certification is not by the regulators – but by the firm itself: Senior Managers must assume responsibility for the internal assessment and certification process. Certification must take place annually and anytime the Certified Person’s role changes.
The population caught by the Certification Regime will be significantly wider than those performing existing Significant Influence Functions. Broadly, those conducting functions that might involve a risk of significant harm to the firm or its customers - described by the PRA as “material risk takers” as defined for remuneration purposes under Articles 3 and 4 of the Commission Delegated Reputation (EU) No. 604/2014. It includes those currently performing customer-facing roles with a qualification requirement and anyone who manages or supervises a Certified Person. Since they need to be approved separately by the regulators, Senior Managers are not required to be certified.
IN comes the new Conduct Rules (“C-CON”) which, at first glance bear a striking resemblance to the existing principles under the Approved Persons Regime. The Conduct Rules are yet to be finalised but there are two key areas where the differences will be material: scope and accountability.
In terms of scope, the PRA Conduct Rules will apply broadly to the same set of individuals who are PRA approved persons under the existing regime. However, the FCA Conduct Rules will apply to all employees other than those performing a role that is unrelated to the financial services activities of the firm, for example, secretaries, receptionists, reprographic, security and catering staff.
Accordingly, the FCA will expect its rules to apply to the vast majority of staff working in relevant firms, unlike under the existing regime which apply only to senior approved persons. The rationale for the wider application of C-CON is the FCA’s stated belief that if relevant firms are to achieve cultural change there needs to be a common understanding of what is acceptable and unacceptable behaviour at all levels of a firm.
In terms of accountability, the key difference between the existing and the new regime is the reversal of the burden of proof placed on Senior Managers. Under the existing regime, regulators would have to prove that a holder of a Significant Influence Function was “knowingly concerned” in a contravention or behaved in a way contrary to the principles for an approved person. This was a relatively high hurdle, evident in the length and cost of regulatory investigations undertake since the financial crisis. Under the Senior Managers Regime, the onus will be on the Senior Manager to evidence that he had taken such steps as a person in his position could reasonably be expected to take to avoid the contravention occurring or continuing – or otherwise face sanction.
The importance of this cannot be understated. The concept of ‘innocent until proven guilty’ appears to have disappeared. No longer will it be plausible to state that a breach of regulation was down to an individual or isolated group of employees, and not the fault of the Senior Manager.
This places the onus squarely on Senior Managers both to ensure that all staff are fully aware of what is and what is not acceptable conduct for their specific function and to monitor and gather evidence that staff actually comply with these standards in their everyday interaction with customers, markets, colleagues and regulators. Breaches or suspected breaches of C-CON by Senior Managers need to be notified to the regulators within 7 business days; breaches by other employees quarterly. The use of Attestations – written statements from senior management certifying that their area of the business is compliant with regulatory requirements – is here to stay.
Two final points: First, the change that has grabbed all the headlines: the creation of a new criminal offence of reckless misconduct that causes a financial institution to fail. This has caused certain board members to question “Is it worth it?” (witness the HSBC UK board departures reported in the FT 8 October 2014).
Secondly, when does the new regime come into effect? This has yet to be announced but the best estimates are that transitional arrangements (including ‘grandfathering’) will be in force by the end of Q3 2015, Q4 2015 at the latest.
To conclude, there is a sense that the regulators have been backward-looking, responding to events after they have taken place. The new regime is for more forward-looking - to prevent risks crystallising before they materialise; and when they materialise, ensuring that those personally responsible are held to account. Firms are to become ‘mini regulators’, assuming primary responsibility for the appropriateness of all its regulated staff. Effective management information, guidance and training to support a more robust approach to fitness and propriety will be key. Cultural change does not happen overnight but the shift in emphasis to personal responsibility and accountability is a huge step in that direction.