There might be a temptation for banks to think that the senior managers and certification regimes (SMCR) are old news, and they can just get on with the business of compliance. There are two main reasons, however, why banks may have to revisit their understanding of the SMCR. The first is a raft of changes already announced by the Prudential Regulation Authority (PRA), and due to come into effect in November. The second is the roll-out of the SMCR to all authorised firms by the Financial Conduct Authority (FCA), as proposed in its consultation paper CP17/25 (the CP). Whilst the proposed extension has been well publicised, the draft rules accompanying the CP make changes to the rules and guidance for banks, not all of which are mentioned in the CP itself.
The bare fact of the extension of the SMCR is arguably positive for banks – having faced an additional regulatory burden for the last few years, as they sought to prepare for and implement the SMCR, banks will now be able to watch as other firms (which may be competitors in some areas) go through the same process. That does not necessarily mean that the new rule changes will be cost-free for banks.
New prescribed responsibilities
The FCA intends to introduce a new prescribed responsibility for the firm's obligations in relation to conduct rules for both training and reporting. This responsibility will need to be allocated to someone approved to perform a Senior Management Function (SMF). This applies to banks as well as non-banks, and is a significant addition.
The PRA is also to introduce a new prescribed responsibility with effect from 12 November 2017. This will be a prescribed responsibility for the firm's performance of its obligations under new rules on outsourcing that the PRA is introducing.
Non-executive directors (NEDs) to be subject to the conduct rules
The FCA proposes to make NEDs who are not approved persons subject to all the FCA's individual conduct rules and one of the senior manager conduct rules (disclosing appropriate information to the regulator). This change will apply to banks as well as to firms regulated by the FCA only (solo-regulated firms). The PRA already requires NEDs to adhere to its own conduct rules, which mirror those of the FCA, but are fewer in number.
There is also some ambiguity in the FCA's draft rules as to whether the FCA has extended the requirement to obtain regulatory references to the notified NEDs of banks as well. That would appear to be the effect of the change the FCA has made to SYSC 22.2.1R(1), but it appears from later amendments to the relevant rules that, in fact, this requirement applies only to solo-regulated firms.
Format of the FCA's rules
This is a change to form rather than substance, but banks will need to engage with it nonetheless. The FCA has, for understandable reasons, decided against creating a standalone set of SMCR rules for banks. As a result, however, those individuals within banks who are charged with their compliance with the SMCR will have to familiarise themselves with a completely different landscape in terms of the relevant sections of the Handbook. Many rules have moved, and some of the terminology requires care. In particular, there are now portions of the SMCR rules that do not apply to banks, and navigating these may be difficult. By way of example, most of the FCA's new rules on NEDs only apply to solo-regulated firms, and therefore not to banks. Banks are neither "core" nor "enhanced" scope firms under the new terminology adopted by the FCA, so requirements for enhanced scope firms, for example, will not apply to banks either. The FCA has also changed the referencing for its prescribed responsibilities, and removed the guidance mapping each responsibility to its PRA equivalent.
The need for care is particularly pronounced for UK branches of overseas banks, in respect of which the FCA has both changed some of the terminology it uses and amalgamated some previously separate rules and guidance into the rules applicable to UK firms.
The 12-week rule provides that where an individual is appointed to perform what would otherwise be an SMF as cover for an SMF manager whose absence is temporary or reasonably unforeseen, and the appointment is for less than 12 weeks, the individual does not perform an SMF and therefore does not need to be approved. There are two new points to note in this regard.
The FCA says, in the CP, that it has extended the 12-week rule so that it now applies to the allocation of overall responsibility. This relates to the existing rule requiring banks to ensure that an SMF manager has overall responsibility for each activity, business area and management function of the firm. An individual with such overall responsibility must be approved to perform the SMF18 (Other Overall Responsibility) function if he or she is not approved to perform any other SMF. The FCA's new rule and guidance say expressly that, where a firm appoints someone under the 12-week rule to provide cover for an individual who has overall responsibility for an activity, business area or management function, the firm may, while that appointment is ongoing, allocate the relevant responsibility to the same or a different person, without that person needing to be approved. This is a slightly curious rule change, in that, arguably, the rules allowed this in any event. Nonetheless, the clarification should be welcome.
The FCA has also clarified its position in relation to another area of the application of the 12-week rule, without specifically drawing attention to it. In new guidance, the FCA says that firms cannot use the 12-week rule in order to allocate a prescribed responsibility to someone other than an SMF manager. In other words, if an SMF manager is ill, the firm can appoint someone who is not an approved person to perform the SMF, but that person cannot take on the absent SMF manager's prescribed responsibilities. This may be difficult for firms in practice, in that, if an SMF manager is away, the firm will need to identify which aspects of that person's role are prescribed responsibilities, which are responsibilities inherent to the SMF, and which come under the "overall responsibility" heading, and will have to parcel them out accordingly.
There are some other individual proposed changes to the FCA's guidance on the SMCR that may be of interest to banks.
- SYSC 4.7.21G(1), which said that overall responsibility for an area could be allocated to someone "relatively junior", provided they were sufficiently senior and credible, and with adequate resources, has been deleted. This is unsurprising perhaps, in that the FCA's Feedback Statement 16/6 indicated that its preliminary view of the implementation of the existing SMCR was that some banks had allocated responsibilities at too junior a level.
- There is new guidance at SYSC 26.2.2G and 26.2.3G in relation to the position of the chief executive in the context of the "no gaps" principle – essentially, the FCA says that any responsibilities that are not specifically allocated fall to the chief executive by default, and the aim of the FCA's rules is to avoid responsibilities being allocated by implication or by default. In addition, the guidance states that, even where responsibilities are allocated to an SMF manager other than the chief executive, the chief executive remains responsible for managing that person's performance.
- For banks that used SYSC 4 Annex 1G as a checklist in terms of ensuring that overall responsibility for all business areas, activities and management functions of the firm were allocated, it is worth noting that the FCA has changed the composition of this list to some extent. The list is now at SYSC 25 Annex 1G. IT has been removed as a business area or management function (presumably because of the addition of the Chief Operations role as an SMF), but there are three new additions (issuing commitments, processing and administration of insurance).
- The FCA has made changes to various other pieces of guidance that apply to banks, for instance that relating to the management responsibilities map. Whilst these changes appear minor, it is not always easy to tell what wording will be significant, and banks should scrutinise the changes and take action where appropriate.
New Chief Operations function
From 12 November 2017, the PRA will designate a new SMF for banks, which is Chief Operations (SMF24). This is defined as the function of having responsibility for the internal operations and technology of a firm. The PRA has included more guidance on this role in an updated version of its Supervisory Statement 28/15. Little of this guidance focuses on the internal operations element of the SMF, but more detail is given in relation to technology. It is clear that the PRA expects this SMF to include responsibility for business continuity, cyber security, IT, internal operations, operational continuity, outsourcing and shared services. Following consultation, the PRA has said expressly that it anticipates that some firms will wish to split this SMF between individuals performing different roles (e.g. between a Chief Operations Officer and a Chief Information Technology Officer, if both individuals are equally senior), but it would not expect the split to be between more than three individuals.
Changes to Head of Key Business Area (SMF6)
The PRA is, from November 2017, changing the criteria by which firms should determine whether they have anyone performing the SMF6 role. Under the current rules, a business area or division will only be a key business area for these purposes if it: (a) has gross total assets equal to or in excess of £10 billion; and (b) either (i) accounts for more than 20 per cent of the firm's gross revenue; or (ii) where the firm is part of a group, accounts for more than 20 per cent of the total gross revenue of the group. This definition has caused confusion ever since it was introduced, as the group criterion seemed redundant.
From November, the PRA will change this such that a key business area will be one which either satisfies both the following quantitative criteria, or satisfies only one of them but performs a critical function. The quantitative criteria are that the business area: (1) has gross total assets equal to or in excess of £10 billion; or (2) accounts for more than 20 per cent of the firm’s gross revenue. A critical function is defined in the Banking Act 2009, and means activities, services or operations the discontinuance of which is likely: (a) to lead to the disruption of services that are essential to the economy or (b) to disrupt financial stability, due to the size, market share, external and internal connectedness, complexity or cross-border activities of a bank or a group which includes a bank (with particular regard to the substitutability of those activities, services or operations).
Smaller banks (which might not have any business area with gross total assets in excess of £10 billion) might have welcomed some amendment to the PRA's original definition, but it seems unlikely that the amendment that has now been made will help them particularly. It is likely to remain the case that the head of a business area which is significant for the firm (i.e. accounting for more than 20 per cent of its revenue) but does not command gross total assets of more than £10 billion will continue to require approval under the FCA-designated Other Overall Responsibility SMF instead, with the consequence that such individuals cannot be allocated any prescribed responsibilities.
It is undoubtedly the case that banks face much less of a headache in the context of the SMCR than those firms trying to get to grips with its probable requirements for the first time. Nonetheless, the SMCR is still relatively young, and it is undergoing a major set of revisions – banks should be prepared for some of those revisions to affect them.