On 31 March 2021, Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA delivered a keynote speech on compliance, culture and evolving regulatory expectations to an audience at NYU Law School’s virtual conference on Compliance, Culture, and ESG. Given the conference focused on how companies achieve meaningful cultural change and meet evolving regulatory and stakeholder expectations, Mr Steward spoke about the role of the UK’s Senior Manager and Certification Regime (SMCR) and the FCA’s five conduct questions programme (5CQs) – the annual self-assessment exercise for wholesale firms.

We discuss some of the key messages and implications for firms in more detail below, but highlight the following takeaways:

  • The FCA’s expectations around culture have developed from the initial focus on “tone from the top” to “tone from within”, and firms must work to embed a strong compliance culture which ensures that all employees are accountable and engaged.
  • The SMCR aims to engage senior managers by imposing personal liability on them, which means that it is in their own self-interest to avoid liability and thus enforcement. Mr Steward referred to this as a “virtuous circle: what protects senior management from liability also reduces (though cannot guarantee) the risk of non-compliance more generally within firms“.
  • The FCA is considering expanding the 5CQs to include an sixth question, which will focus on diversity and inclusion (D&I) and force firms to consider whether they provide the right environment for employees of all backgrounds to speak up.

Raising senior manager standards

The SMCR has applied to banks and PRA investment firms since March 2016 and to all FCA-regulated firms since December 2019. By way of reminder, it imposes: obligations on firms to map key responsibilities or functions to specific senior managers; a statutory duty of responsibility for senior managers to take reasonable steps to ensure compliance; an obligation to conduct fit and proper certifications for other employees whose role means they might cause harm; and individual conduct rules.

Indeed, as Mr Steward explained, the SMCR has led to significant changes in the way firms allocate responsibilities, align those responsibilities to relevant controls and ensure oversight as to how these controls operate. Moreover, it has pushed firms (often at the instigation of the relevant senior manager) to closely assess their control systems and functions for possible vulnerabilities that could lead to failure. It is in such vulnerable areas where firms must focus their efforts and build reasonable steps for senior managers in order to prevent non-compliance.

Covid-19 and remote working present an unusual environment for firms and provide an example of where firms will need to continue to ensure that their controls are robust and that senior managers stay on top of possible vulnerabilities, so that they are able to take all reasonable steps to avoid failure. The FCA has highlighted at various points during the pandemic that it expects firms’ control environments to adapt appropriately to the current circumstances; for example, the latest Market Watch publication specifically focuses on recording telephone conversations and electronic communications when alternative working arrangements are in place, including increased homeworking.

It’s clear from the latest report from the FCA’s Cyber Coordination Groups, that firms are also very alive to the challenges posed by remote working – not least the expansion of firms’ security perimeters, ability to monitor activities, and the strain placed on traditional systems and controls when these are transitioned to remote working.

The 5 Conduct Questions journey

The 5CQ aim to help firms pinpoint areas for, and implement, effective change as well as allowing the FCA to monitor their progress. The 5CQ require self-reflective answers to the following:

1. What proactive steps do you take as a firm to identify the conduct risks inherent within your business?

2. How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?

3. What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?

4. How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make?

5. Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

Mr Steward noted that the FCA is considering the addition of a sixth conduct question for all firms: “Is your management team diverse enough to provide adequate challenge and do you create the right environment in which people of all backgrounds can speak up?”. For more detail on the introduction of a sixth conduct question please see our previous blog post here.

In considering the assessment of and progress reports on 5CQ, Mr Steward reflects that the 5CQ assessment has been developing from a top-down approach (senior management delivering “the tone from the top”), through a stage of “tone from above” (an example being set by one’s immediate line manager), to now focus on the “tone from within”. This requires individuals to consider their own “mindset, preferences, beliefs, habits and pre-dispositions” rather than just being aware of “how the CEO or line manager might respond in a situation”. It will only be once “cultural awareness and stewardship” have been embedded at all levels of an organisation that firms will “avoid culture fatigue and backsliding”.

Embedding behavioural change

Mr Steward explained that the SMCR and 5CQ push firms to adopt a different approach because these regimes require firms and individuals to consider how behaviour, or non-compliance, might lead to failure. In particular, the statutory duty of responsibility that is placed on senior managers requires them to consider failure as a result of non-compliance meaning that they then take steps to avoid or prevent such failure. In other words, the SMCR aims to get “under the skin of a firm”. Likewise, the 5CQ now push firms to consider ideas for transformational change from within, from the top to the roots.

In conclusion, Mr Steward asked: “can the law really change the mores of an organisation? The optimist in us must say there is a good chance of that. But… the point of failure is not necessarily a failure of compliance and, for us enforcers of the law, it is human nature that is the real challenge.” It is therefore for firms, and all of their people, to consider both their own and collective actions in order to effect real cultural change, either as a result of the threat of enforcement or cultural awareness and stewardship. However, human nature will still lead some people to act in a non-compliant manner, however inexplicable that might look from the perspective of those in control functions, or the regulator.