The Senior Managers and Certification Regime (SM&CR) aims to create a culture of accountability and responsibility within regulated firms and to act as a credible deterrent for misconduct. SM&CR already applies to UK banks.
Just before Christmas, the FCA and the PRA confirmed that SM&CR will be extended to insurers in late 2018 (with final rules and a commencement date expected to be announced in the summer). They also confirmed that SM&CR will not apply to solo-regulated firms (those regulated only by the FCA) until mid-to-late 2019.
Therefore, whilst SM&CR is likely to be an immediate priority for insurers, we expect many solo-regulated firms (particularly those that are not part of larger insurance groups) will not focus on it until later in the year.
Many insurers will already have implemented the Senior Insurance Managers Regime (SIMR), which is a half-way house to SM&CR. With that in mind, this article focuses on the steps that insurers will need to take to transition from SIMR to SM&CR.
1. SIMR "optimisations"
The PRA has proposed a number of changes to SIMR (what it calls "optimisations") which will require firms, where relevant, to designate Chief Operations and Head of Key Business Area SIMFs; to allocate an outsourced operational functions prescribed responsibility; to re-consider the firm's key function designations; to prepare a diversity policy; and to ensure that all board and committee chair roles are performed by non-executive (as opposed to executive) directors. The PRA is yet to confirm when it expects firms to implement these changes (its initial intention was to implement in Q1 2018, but the ABI, amongst others, is lobbying for the changes to be implemented at the same time as SM&CR).
2. Duty of responsibility
When SM&CR comes into effect, senior managers will be under a new statutory duty to take reasonable steps to prevent or stop a regulatory breach in their area of responsibility. However, they already have (and should have been trained on) conduct rules obligations to take reasonable steps to ensure the business for which they are responsible is controlled effectively and complies with regulatory requirements, and to delegate effectively. We do not, therefore, think that the new statutory duty significantly expands these pre-existing obligations.
3. Senior Managers Regime
By the SM&CR commencement date, firms will need to decide whether to designate two new FCA senior manager functions, including an overall responsibility function, as well as new prescribed responsibilities. Scope of responsibilities statements become "statements of responsibility" and will need to contain a fuller description of duties than required under SIMR. Governance maps become "responsibilities maps" and should be updated to reflect new designations. Firms will need to create handover policies and update termination procedures to ensure incoming senior managers have an appropriate handover.
4. Certification Regime
Firms will need to identify and record their certified persons by the commencement date, noting the different PRA and FCA definitions of significant harm function. Some firms will already have identified some of these people for other purposes; for example, Solvency II firms will already have identified material risk takers for Solvency II remuneration purposes. Once identified, firms should assess certified persons as fit and proper on recruitment and annually, and issue a certificate. Firms have a year from the commencement date to carry out the first assessments. As SIMR already requires firms to assess the fitness and propriety of key function performers annually, the assessment process should be familiar to many firms. However, we anticipate that many firms will want to update current fitness and propriety processes to reflect differences in the number of people that need to be assessed as well as helpful guidance and experience from the banking sector.
5. Conduct rules
Under SIMR, senior managers, key function holders and key function performers are subject to and should have been trained on PRA/FCA conduct rules. Under SM&CR, more staff will be subject to and have to be trained on the conduct rules. For some firms this will be a significant exercise given the increase in the number of staff and types of roles covered and the fact that training must be tailored to the particular role. Firms have 12 months from commencement to deliver the training to individuals who are not senior managers or certified persons. Senior managers and certified persons will need to have been trained by the commencement date (and certified persons will need to be informed that the PRA and FCA will, for the first time, also be able to enforce the rules directly against them). SM&CR also introduces notification requirements in relation to conduct rule breaches, which firms will have to reflect in their regulatory notification policies.