The Senior Managers and Certification Regime (the “SM&CR”) is the tough new regulatory framework for individuals working in the banking sector, under which the UK regulators seek to increase individual accountability. The SM&CR, which came into force on 7 March 2016, applies to UK-based subsidiaries of non-EEA banks and also extends, in slightly modified form, to UK branches of non-EEA banks. Accordingly, non-EEA banking groups which have UK subsidiaries, UK branches, or a combination of the two, are affected by the SM&CR.
The need for approval as a Senior Manager under the new regime is based upon an individual’s role in practice, not their job title or location. This means that non-EEA banking groups with a UK presence must think carefully about who is in scope, and senior individuals located outside the UK cannot assume that these UK reforms do not apply.
Importantly, anyone carrying on a Senior Management role is subject to a “duty of responsibility” and faces potential disciplinary action for misconduct if something goes wrong in relation to one of their allocated responsibilities. Penalties for misconduct could include public censure, fines, the imposition of limitations or restrictions on an individual's approval, and ultimately a ban on performing certain roles. It is therefore crucial that anyone who is a Senior Manager under the new regime fully understands their UK regulatory obligations, particularly if the individual is based outside the UK.
The UK banking industry has seen a great deal of change in the post-financial crisis era, but none that seems to have attracted quite so much personal interest from those at the top as the SM&CR. Although this is purely a UK (rather than European) initiative, the SM&CR has attracted international attention for its strict approach towards personal liability, particularly as it affects individuals working for overseas banking groups with a UK presence.
The direction of the reform was set when the Parliamentary Commission on Banking Standards published its June 2013 report ‘Changing banking for good’. It pronounced the existing UK regulatory framework for individuals working in regulated financial services (the Approved Persons regime) a “complex and confused mess”, and stated that this regime had “created a largely illusory impression of regulatory control over individuals, while meaningful responsibilities were not in practice attributed to anyone”. This voiced the frustration among many that, despite all of the apparent misconduct and mismanagement in the banking sector prior to the financial crisis, ultimately it seems that senior individuals who oversaw these events will escape any sort of sanction. Under the Approved Persons framework it has been very difficult for the regulators to attribute responsibility to a single individual, particularly in cases where, rather than having committed some positive wrongdoing, an individual had simply failed to act.
Originally, the SM&CR was to include a controversial “reverse burden of proof”, which would have resulted in Senior Managers being deemed guilty of misconduct in relation to regulatory transgressions that occurred within an area of their responsibility, unless they could show that they took all reasonable steps to prevent or stop that transgression. Although it was announced in October 2015 that this element would not be implemented, it is still expected that Senior Managers will be held to high standards and will need to be able to evidence and justify their actions to prevent the regulators finding them guilty of misconduct when things have gone wrong in an area for which they are responsible. The SM&CR also features a new criminal offence which will make those Senior Managers regarded as responsible for the failure of a bank potentially subject to prison sentences of up to seven years. This contrasts sharply with the normal law on business failures, even though successful prosecutions are expected to be rare.
The new regime involves some significant changes in the way that individuals at affected firms are overseen, and held accountable, both by the regulators and by the firm itself. The SM&CR requires individuals performing specific “Senior Management Functions” to be pre-approved by the regulators and to have their responsibilities formally recorded and provided to the regulators so that they can be questioned (and potentially disciplined) if something goes wrong in an area for which they are responsible.
It also requires firms to certify the fitness and propriety of other key staff (in practice comprising a broad population of individuals), referred to as “Certified Persons”, both at the time of appointment and, more significantly, on an annual basis thereafter, which has in practice required substantial changes to firms’ processes and procedures. Further, the SM&CR introduces new high-level Conduct Rules for Senior Managers, Certified Persons and most other staff employed by the firm (except those whose role has no relation to financial services, such as caterers and IT support staff), and requires firms to report breaches of these rules to the regulators within prescribed time limits, which could then trigger disciplinary action against the individual.
Scope of the regime
The regime for UK branches is intended to be proportionate, so fewer Senior Management Functions apply to branches and not all of these are compulsory for every branch (smaller branches may need only one or two approved Senior Managers). Senior Managers in branches are subject to the provisions in relation to misconduct, although they are not within scope of the new criminal offence. For branches of banks which are based in another European country, the regime is less intrusive, as European legislation dictates that certain matters must be reserved to the home-state regulator.
Importantly, the regime is not limited in its scope to apply to individuals based only in the UK, or within the UK subsidiary or branch, and therefore captures certain individuals who are based overseas and/or within a different legal entity. As the regime applies on a legal entity basis, rather than by business lines, non-EEA banking groups must identify individuals responsible for the UK subsidiary and/or branch in question, regardless of where those individuals are located.
There are, however, certain inherent limitations to the scope, as individuals outside the UK subsidiary or branch itself and/or based abroad may be less likely to meet the relevant criteria to be performing a Senior Management Function in the first place. However, branches with only limited staff in the UK may find it inevitable that individuals based overseas need to be approved, particularly if the branch is centrally managed and governed.
To demonstrate their intention to capture individuals outside of the UK subsidiary or branch, the UK regulators have developed a general Senior Management Function for individuals with a certain level of influence over the UK subsidiary or branch, who work for the entity’s parent or another group company. The overarching principle is that an individual who is responsible for implementing strategy or overseeing transactions in the UK (rather than those merely responsible for setting strategy at a group level) is likely to be performing this Senior Management Function and so to require approval.
It is also possible that an individual outside the UK subsidiary or branch may perform a specific Senior Management Function directly on its behalf, for example an individual in a group company who acts as Chief Risk Officer for several group entities, including the relevant subsidiary or branch, could need to be approved to perform the Chief Risk function on its behalf. Although the regime has flexibility to avoid banking groups needing to adopt identical, prescribed organisational structures, this flexibility also means that applying the regime in practice and working out which individuals need to be approved is a challenging task. This is particularly difficult in large and complex groups; especially when the group is run by business lines rather than on a legal entity basis.
Some non-EEA groups have sought to ensure that individuals within scope of the new regime are all contained within the UK. Such structuring can help to make oversight and administration easier and avoid individuals being subject to more than one regulatory regime. This approach could result in responsibility for implementing group strategy being delegated to a Senior Manager in the UK and individuals in the UK being given responsibility for roles which would ordinarily be performed at a group level. Otherwise, it may be challenging for the UK business to ensure that individuals based outside the UK are trained adequately and that systems are implemented to enable appropriate compliance oversight. However, for some groups it is not possible to concentrate responsibility in the UK in this manner, as it may not be appropriate to share all of the “prescribed responsibilities” between only a few individuals.
Another difficult area for non-EEA banking groups has been working out who is within scope of the Certification Regime, which captures a much broader population than the Senior Managers Regime. Thankfully the final rules make life simpler for branches of overseas firms than originally proposed, as they include a territorial limitation so that the Certification Regime applies only in respect of employees of the UK branch who are physically based in the UK. For UK subsidiaries, however, some functions do not have any territorial limitation, whereas others apply only in respect of employees who are either based in the UK or dealing with a client in the UK. A wide meaning of “dealing with” is used in this context, so that it includes almost any contact with a client (and certainly does not need to amount to carrying out any particular activity on behalf of a client), making the scope of the regime potentially very broad.
Fortunately, the regulators listened to consultation feedback and have replicated a useful exemption used under the Approved Persons regime, in order to permit individuals ordinarily based overseas to perform certain activities in the UK under appropriate supervision for a limited period each year without needing to be certified. This ought to prevent UK subsidiaries of non-EEA banks with employees based outside the UK needing to certify individuals “just in case” or to place arbitrary restrictions on the activities of overseas employees in relation to UK clients.
Although the focus to date has been on implementation, soon the focus is likely to switch to enforcement, as we wait to see how quickly the regulators take action under the new framework and in what circumstances they succeed in holding individuals to account.
These are developments that non-banking groups will be watching with interest. A parallel Senior Insurance Managers Regime for the insurance sector is also in place and there is new legislation under consideration which would extend the SM&CR to all UK regulated financial services firms, from investment firms to consumer credit firms.
Although it is not expected that such an extension would take effect before 2018, giving time for the regulators to draft the detail of a version of the SM&CR which is appropriate and proportionate for all firms, the message is clear that the SM&CR is here to stay. It is not yet clear whether or how UK branches of non-banking groups will be affected, and so the development of the proposals will be followed closely by non-EEA financial services groups doing business in the UK.
These reforms and their results will also be watched carefully by financial services regulators outside the UK, particularly in the U.S. where regulators have indicated an intention to take a harder line against individuals, and in Hong Kong where the regulators are known to take a fairly strict approach and already have a track record for pursuing senior managers over conduct failings. That said, there are few signs at present of other jurisdictions looking to implement such major reform, or in some cases even seeking to take a more robust approach towards individuals in general. We will wait to see what, if any, influence these UK reforms have on the regulatory approach elsewhere.