The Financial Conduct Authority (FCA) has published its final consultation on extending the senior managers and certification regime (SM&CR) to all firms. The FCA’s proposals will apply new FCA rules to a significant number of additional employees in the financial services sector and increase the accountability of senior managers. The industry knew the change was coming, but now proposed rules are finally available, what do they say and exactly how “proportionate” is the FCA in its plans?

Expanding on our initial summaries SM&CR: FCA proposes extension to all firms (July 2017) and SM&CR Extension 2019 (December 2017), in this briefing, we consider the detail of the FCA proposals in CP17/25 and CP17/40, which will apply to most firms except for banks and insurers in 2019.

General

The SM&CR has applied to banks, building societies, credit unions and PRA-designated investment firms (“relevant firms”) since March 2016. Additionally, a separate senior insurance managers regime (SIMR) applies to insurance companies. In May 2016 Parliament made the necessary legislative changes to extend the regime to the wider financial services community (approximately 47,000 firms) and empower the FCA to make relevant rules. The proposed regime will replace the existing approved persons regime, but will not normally apply to Appointed Representatives.

The FCA proposals have similar foundations to the SM&CR for relevant firms, comprising:
— the senior managers regime (SMR);
— a certification regime; and
— conduct rules.

However, the FCA states that, wherever possible (as some legislative requirements cannot be relaxed), it wants the new regime to be proportionate and flexible enough to accommodate the different business models and governance structures of firms.
Therefore, the FCA suggests three tiers of application:
— a Core Regime which will apply a baseline of SM&CR requirements to the bulk of FCA solo-regulated firms, except for limited scope firms;
— the Enhanced Regime will apply extra rules to a small proportion of FCA solo-regulated firms (approximately 350) with a size, complexity and potential impact on consumers which the FCA says warrants greater attention; and
— the Limited Scope Regime, which will apply fewer requirements to firms that currently have a limited application of the approved persons regime.

In the following pages we consider these proposals in greater detail.

Limited Scope Firms

The following firms fall under the proposed Limited Scope Regime:
— limited permission consumer credit firms;
— sole traders;
— authorised professional firms whose only regulated activities are non-mainstream regulated activities;
— oil market participants;
— service companies;
— energy market participants;
— subsidiaries of local authorities or registered social landlords;
— insurance intermediaries whose principal business is not insurance intermediation and who only have permission to carry on insurance mediation activity in relation to non-investment insurance contracts; and
— internally managed AIFs.
Extension of the senior managers and certification regime

Enhanced SM&CR firms

Unless a firm has successfully applied for a waiver from the FCA, the following firms will fall under the proposed Enhanced Regime:
— Significant IFPRU firms (defined in IFPRU 1.2.3);
— CASS large firms (defined in CASS 1A.2.7);
— firms with assets under management (AUM) of £50bn or more (at any time in the last three years)*;
— firms with a total intermediary regulated business revenue of £35m or more per annum*;
— firms with a regulated revenue generated by consumer credit lending of £100m or more per annum*;
— mortgage lenders (that are not banks) with 10,000 or more regulated mortgages outstanding*; and
— firms required by the FCA to comply with the Enhanced Regime, for example, to mitigate the risks posed by the firm.

* Calculated on a solo basis.

Limited Scope Firms, EEA or non-EEA branches will never fall under the Enhanced Regime, even if they meet one of the above criteria.

In addition, the FCA proposes to exclude from the Enhanced Regime:
— a full scope alternative investment fund manager (AIFM) of (a) an unauthorised alternative investment fund (AIF); or (b) an authorised AIF only marketed to professional clients; and
— a firm exempt under article 2(1)(j) of the Markets in Financial Instruments Directive (MIFID) with permission only to bid in emissions auctions.

Senior Managers Regime - Core Regime

The SMR applies to individuals who hold senior manager functions (SMFs) which the FCA prescribes. The FCA identifies SMFs because, in relation to the firm’s regulated activities, the individual performs a role that could involve a serious risk of consequences for the firm, or for business or other interests in the UK. The SMR applies to anyone who performs an SMF, whether they are based in the UK or overseas.
The FCA proposes the following SMFs for the Core Regime, all of which are approved persons under the current approved persons regime:

Governing functions
— SMF1: Chief Executive
— SMF3: Executive Director
— SMF9: Chair (Non-executive)
— SMF27: Partner

Required functions
— SMF16: Compliance oversight
— SMF17: Money laundering reporting officer (MLRO)
— SMF29: Limited Scope Function (relevant to some Limited Scope Firms only) - this replaces the current “Apportionment and Oversight Function” under the approved persons regime.

Firms must fill the required functions. However, if no-one performs the other roles, the FCA says that a firm does not need to reorganise itself or appoint someone. In reality, firms may find a degree of internal reorganisation is necessary, particularly once the allocation of prescribed responsibilities is also taken into consideration and Senior Managers begin considering their Statements of Responsibilities.

Wherever possible, the FCA proposes to automatically convert most of the approved persons at Core and Limited Scope firms into the corresponding new Senior Management Functions.1 This means the majority of firms will not need to submit anything to the FCA to make conversion happen. However, in a process more aligned with the regime for banks, Enhanced firms will need to submit a conversion notification and accompanying documents (Statements of Responsibilities and Responsibilities Map) for all conversions.

To maximise the transition period, the FCA proposes to keep open the deadline for conversion notices until one week before the start of the new regime. If conversion notices are not received by this time, the individual’s approval will lapse at the start of the new regime. In this event, re-application for approval would be necessary, involving the full SM&CR application process, including mandatory criminal records checks and regulatory references. The firm may also be in breach of FCA rules by failing to have the required approved individuals for a period.

1 In CP17/40 the FCA proposes function mapping tables for this purpose: Table 3: Proposed function mapping for Core and Limited Scope firms (page 16) and Table 6: Proposed function mapping for Enhanced firms (page 25). Firms must check the Financial Services Register is correct following commencement of the new regime.

Firms will find that the number of employees requiring pre-approval from the FCA is lower than under the existing approved persons regime. The FCA estimates that this will save firms approximately £4.4m a year. This is because there are fewer SMFs than existing controlled functions. However, the Certification Regime (discussed below) will apply to those for whom FCA-approval is no longer necessary.

Under the SM&CR, managers must:
— be approved by the FCA before starting their role, in the same way as the approved persons regime;
— have a Statement of Responsibilities that clearly indicates what they are responsible and accountable for in their role;
— have a “duty of responsibility”; and
— follow Senior Manager Conduct Rules.

Firms must:
— be satisfied that the person is fit and proper to perform the relevant roles (see the section later on “Fit and proper assessment: Senior Managers, certified staff and NEDs”);
— submit the application for approval to the FCA;
— update and re-submit Statements of Responsibilities whenever there is a significant change; and
— assess that the Senior Manager is fit and proper at least once a year.

An individual may hold more than one SMF, although the Statement of Responsibilities relating to that individual must cover all their roles.

If desirable to advance its objectives, the FCA may apply conditions and time limits when approving Senior Managers. This could be the case, for example, where the FCA links conditions to remedial action to be undertaken by a firm, or a time limit is to facilitate recruitment of a permanent replacement.
Prescribed responsibilities: Core Regime

The FCA proposes seven “prescribed responsibilities” which must be given to Senior Managers to ensure they are accountable for key conduct and prudential risks. These are set out in the table below. They apply to firms under the Core Regime and, as discussed later in this paper, the Enhanced Regime. The obligation on firms to allocate prescribed responsibilities does not apply to Limited Scope Firms. The FCA does not propose the appointment of a “whistle-blower champion” as is required under the banking and insurance regimes.

Prescribed responsibilities: Core Regime
— PR1: Performance by the firm of its obligations under the Senior Managers Regime, including implementation and oversight.
— PR2: Performance by the firm of its obligations under the Certification Regime.
— PR3: Performance by the firm of its obligations in relation to the Conduct Rules for training and reporting.
— PR4: Responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime.
— PR5: Responsibility for the firm’s compliance with FCA Client Assets sourcebook (CASS), where applicable.
— PR6: Responsibility for ensuring the governing body is informed of its legal and regulatory obligations (this prescribed responsibility does not apply under the Enhanced Regime as it is replaced by additional prescribed responsibilities).
— PR7: Where applicable, responsibility for an authorised fund manager’s value for money assessments under the Collective Investment Schemes sourcebook (COLL), independent director representation and acting in investors’ best interests. (This originates from recommendations of the FCA Asset Management Market Study and is discussed by the FCA in CP17/18.)

A Senior Manager’s Statement of Responsibilities (discussed below) should include details of their prescribed responsibilities.
Firms need to allocate prescribed responsibilities to the most senior person responsible for that issue, and ensure the person has sufficient authority and an appropriate level of knowledge, skill and competence to carry out the responsibility properly. When firms submit Senior Manager applications to the FCA, this will be an area subject to close scrutiny.

If there is only one Senior Manager, the FCA states that the firm should allocate all the prescribed responsibilities to this person. Normally the FCA will expect firms to allocate each prescribed responsibility to only one person (that is, not shared). However, in limited circumstances it is possible to share or divide a prescribed responsibility where the firm can demonstrate to the FCA that it is appropriate and justified, for example, where there is a job share in place or where a particular area is run by two Senior Managers.

Where responsibilities are shared (as opposed to divided), the FCA expects each relevant Senior Manager to be jointly accountable. Senior Managers affected should ensure that Statements of Responsibilities leave no doubt on whether a Senior Manager is responsible for only part (and which part) of a responsibility, or jointly responsible for the entire area.

Partnerships

The FCA proposes that all partners in a firm will be Senior Managers, similar to the existing approved persons regime. However, the FCA bases this on the assumption that a partner is likely to have influence over the running of the partnership. If a partner is not involved in the management of the partnership - for example, in the case of a silent partner or junior partners - and therefore “does not meet the overarching FSMA definition of a Senior Manager”, then the FCA states that the partner function will not apply and the partner need not be a Senior Manager.2 The FCA includes helpful guidance to this effect in its proposed rules at SUP 10C.3.11-12G and SUP 10C.5.21G.
As the proposals are currently drafted, it would appear possible that a partner who does not meet the criteria for “Senior Manager” but also does not carry on a Certification Function (see further below), will not require any pre-approval by the FCA or the firm.

Statement of Responsibilities

Every Senior Manager (including those automatically converted to the Senior Managers Regime from the approved persons regime) must have a Statement of Responsibilities which sets out their role and what they are responsible for. The Statement must be:
— submitted on an application to the FCA for approval of a Senior Manager;
— kept up-to-date and re-submitted to the FCA whenever there is a significant change to the Senior Manager’s responsibilities.

A significant change would include, for example, the addition, removal or re-allocation of a prescribed responsibility or significant change to the person’s job, or the sharing or dividing of responsibilities not originally shared or divided. In CP17/40, the FCA consults on the form and content of Statements of Responsibilities.3

Duty of responsibility

Senior Managers will have a statutory “duty of responsibility”. This means that the FCA could hold the Senior Manager accountable for their area of responsibility if there is a breach of the regulatory rules and the FCA can show that the manager did not take reasonable steps to prevent or stop the breach.

In considering whether a Senior Manager is responsible for the relevant breach, the FCA will consider the manager’s Statement of Responsibilities. Therefore, it is unsurprising that the drafting of the Statement of Responsibilities (and the Responsibility Map where applicable - this is considered further below) across a firm can be a contentious and protracted process.

In deciding whether or not to take action against someone based on their duty of responsibility, the FCA will consider criteria set out in its Decision Procedure and Penalties manual (DEPP).
The FCA proposes applying the same criteria as it applies to banks (DEPP 6.2).

2 Section 59ZA(2) of the FSMA says that a function is a “senior management function”, in relation to the carrying on of a regulated activity by a firm, if: (1) the function will require the person performing it to be responsible for managing one or more aspects of the firm’s affairs, so far as relating to the activity; and (2) those aspects involve, or might involve, a risk of serious consequences: (a) for the firm; or (b) for business or other interests in the United Kingdom.

3 The template for the solo-regulated firms appears at page 521 of CP17/40.

The duty of responsibility puts on a statutory footing a standard of care that has similarities to that which exists already under the approved persons regime. However, expressing it as a clear statutory duty will apply the minds of Senior Managers to their obligations in a more focussed way. This, combined with the requirement to have Statements of Responsibilities, means that it is less likely that a Senior Manager can claim something is not their responsibility, or that something is a collective responsibility - both of which were causes of criticism under the approved persons regime.

Interestingly, the FCA recognises in its cost benefits analysis for the proposals in CP17/25 that an element of indirect costs incurred by firms for recruitment may result from individuals leaving financial services. It remains to be seen if this will be a real consequence of the new rules, but it is a risk that firms should be alert to.

On a more positive note, Senior Managers will be relieved that the criminal offence applying to banks and relating to a decision which causes a financial institution to fail, will not apply to any solo-regulated firm under current proposals.

Certification regime

The objective of the Certification Regime is to reinforce that firms, not the FCA, are responsible for ensuring their staff are fit and proper.
Firms must identify employees within the Certification Regime, assess and certify that the person is fit and proper to do their job. They must reassess and renew this certification annually. This obligation will require firms to develop a framework for certification, and to have in place stringent systems and controls to ensure that these assessments are carried out and relevant information about each employee is shared appropriately with the assessor.

The Certification Regime applies to employees who are not Senior Managers, but whose role means it is possible for them to cause significant harm to the firm or its customers. The FCA calls these roles “Certification Functions” and proposes a list of relevant roles where they exist within a particular firm. These Certification Functions are listed in the following table. The Certification Regime applies to all firms except for internally-managed AIFs.

Certification Functions
— Significant management function - this will capture individuals currently performing the controlled function CF29. It applies to people with “significant responsibility for a significant business unit”. A significant business unit can include an internal support department like HR or IT.
— Proprietary traders - this will capture individuals also currently performing CF29.
— CASS oversight function - this will capture individuals currently performing CF10a.
— Functions that are subject to qualification requirements - for example, retail investment advisers; a full list appears in the FCA’s Training and Competence sourcebook (TC).
— Client dealing function - an expanded version of the current CF30.
— Algorithmic traders.
— Material risk takers (AIFMD, UCITS, IFPRU and BIPRU remuneration code staff).
— Anyone who supervises or manages anyone performing any of the functions above (directly or indirectly).
If there is no-one in these roles (for example, a small firm which has Senior Managers only), then the Certification Regime will not be relevant. If one person performs two roles, this is permissible, but the firm must certify the person for both roles.

As not all existing approved persons fall under the Senior Managers Regime, some approved persons will now fall under the Certification Regime instead and, as the rules are currently proposed, will no longer appear on the FCA Register. This may make it more difficult for firms to verify employment applications for the affected roles. While firms can verify candidate experience through the regulatory references regime, this will be more time consuming and something that is generally taken up at a later stage in a job application process. This may be something that HR teams need to reconsider.

The FCA acknowledges the potential problem asking, in CP17/18, if respondents think that the identity of any Certification Function holders should be made public by firms. In CP17/40, the FCA does not offer a final solution but indicates that it is considering its next steps in this regard. It would be more useful to the industry if the FCA continues to maintain a central register, so long as the firm to FCA notification obligations are reasonable.

While the scope of the Certification Regime is said to apply to individuals who are not Senior Managers, the FCA makes an exception to this. If the Senior Manager carries on a Certification Function which is very different to what they are doing as a Senior Manager, then they will also need to be certified as being fit and proper to do the Certification Function. However, the FCA says that it does not expect such a dual capacity to be common in practice.

Overseas employees

The Certification Regime applies to all material risk takers, wherever they are located. However, for the remainder of the Certification Functions, there is a territorial limitation.
For the Certification Regime to apply, the relevant individuals must be based in the UK or deal (in the broader sense) with a UK client.

Fit and proper assessments: Senior Managers, certified staff and NEDs

FSMA requires firms to ensure that anyone performing an SMF or a Certification Function is fit and proper to perform their role. The FCA proposes to extend this assessment to non-executive directors (NEDs) too, even if they are not Senior Managers.

General rules

In making their assessment of individuals, firms must consider relevant FCA rules on qualifications, training, competence and personal characteristics. The FCA proposes to apply the existing guidance in its sourcebook, Fit and Proper test for Approved Persons and Specified significant-harm functions (FIT), to Senior Managers and certified staff in solo-regulated firms.

The assessment must be carried out before the person begins their role - so at the point of recruitment, or before they transfer internally into the particular role. In addition, firms should assess the person on an ongoing basis and at least once a year.

In its transitional provisions, the FCA proposes to give firms 12 months from the start of the new regime to complete their fitness and propriety assessments of certified staff and get the certification paperwork in place.

Criminal record checks

In addition, the FCA proposes that firms carry out criminal record checks for all Senior Manager and, except for Limited Scope Firms, NED applications. This is likely common practice already and should not be particularly onerous for firms. However, where an individual has spent a “considerable amount of time” living or working outside the UK, the FCA suggests that firms should consider undertaking an equivalent check with the appropriate overseas agency.
Regulatory references

While firms will not be required to obtain regulatory references for existing employees who will be performing the same role after the start of the new regime, the FCA proposes that all firms be required to:
— take reasonable steps to obtain appropriate references from the current employer, and all previous employers in the past six years, for people applying for roles as Senior Manager, certified staff and NEDs;
— share information between firms in a standard template, with references normally produced within six weeks of a request;
— disclose information going back six years, including details of any disciplinary action taken due to breaches of the Conduct Rules and any findings that the person was not fit and proper;
— disclose any other information the firm considers relevant to assessing whether a candidate is fit and proper, from the past six years;
— disclose any “serious misconduct” relating to a candidate, whenever it occurred;
— retain records of disciplinary and fit and proper findings going back six years;
— not enter into arrangements that conflict with these disclosure obligations; and
— update regulatory references given by the firm where new, significant information comes to light and the subject of the reference still works for, or is still applying to work with, the recipient of the reference. Except for “serious misconduct”, this obligation ends six years after giving the reference. This obligation to update references does not apply to references given before the regime begins.

These two-way obligations facilitate the provision and receipt of relevant information. However, as the obligation to give references will bind regulated firms only, it is to be hoped that the potential difficulty in obtaining references from unregulated employers will be recognised when assessing whether reasonable steps have been taken. As always, documenting procedures taken will be crucial.
The disclosure obligations may require firms to exercise difficult case by case judgements, for example, in assessing if conduct is “serious misconduct” (on which the FCA gives some additional guidance in SYSC 2.2.5.10-11G). There will also be a delicate balance to be made where disciplinary proceedings are incomplete. The FCA indicates that the rules do not necessarily require disclosure of information that has not been properly verified, such as incomplete disciplinary action; however, firms may include such information should they wish to. Firms will need to decide whether to have a fixed policy on this or appoint someone to make the case by case assessments.

The proposed FCA rules state that the obligation to disclose information in a reference applies notwithstanding any arrangements or agreements made to limit this disclosure. This is clearly intended to restrict the impact of arrangements such as non-disclosure agreements (NDAs). Firms must be prepared to review NDAs entered into over the past five to six years to consider their position under them.

Conduct rules: Most staff and NEDs

The FCA proposes to apply to most employees of financial services firms, and NEDs, new overarching standards. The Conduct Rules will apply to Senior Managers and certified staff from the first day of the new regime applying, but the FCA proposes to give firms 12 months to apply the Conduct Rules to their other conduct rules staff.

The FCA intends to replace the existing Statements of Principle and Code of Practice for Approved Persons (APER) with Conduct Rules for all firms. It proposes a first tier of rules that apply to most employees in a firm except ancillary staff (who are exhaustively listed in the table below), and a second tier of rules applying additionally to Senior Managers.
Firms should consider if the list of excluded ancillary staff adequately reflects staff in their own organisation who the FCA should reasonably carve out of the application of the Conduct Rules.

Ancillary staff

The Conduct Rules will not apply to:
— receptionists;
— switchboard operators;
— postroom staff;
— reprographics / printroom staff;
— property / facilities management;
— events management;
— security guards;
— invoice processing;
— audio-visual technicians;
— vending machine staff;
— medical staff;
— archive records management;
— drivers;
— corporate social responsibility staff;
— data controllers and processors under the Data Protection Act;
— cleaners;
— catering staff;
— personal assistants and secretaries;
— information technology support (that is, helpdesk); and
— human resources administrators / processors.

While the Conduct Rules set out a basic standard of conduct which is similar to that under the Statements of Principle of Approved Persons, the first tier of Individual Conduct Rules will apply to a much wider employee base than under any previous regime.

The FCA proposes that the Conduct Rules will apply to a firm’s regulated business, but also its “unregulated financial services activities”, for example, an activity carried on in connection with a regulated activity. The Conduct Rules for banks apply without distinction between regulated and unregulated business, therefore, this proposal for solo-regulated firms is a lighter, albeit slightly vague, application.

The Conduct Rules apply to all tiers of firms. Firms must:
— notify all relevant staff of the rules that will apply to them;
— take reasonable steps to ensure the staff understand how the Conduct Rules apply to them. This will require effective training and assessment of staff about the Conduct Rules; and
— notify the FCA when formal disciplinary action is taken against a person for breaching the Conduct Rules.
For Senior Managers, this notification must be made to the FCA within seven business days of the firm becoming aware of the matter. For other employees, the FCA proposes an annual notification process.

Firms should be mindful that their obligation under Principle 11 still stands, which could include notifying the regulator about concerns relating to an individual’s conduct. Firms are also under a general obligation to notify the FCA of significant rule breaches, which may include breaches of the Code of Conduct sourcebook (COCON).

The obligation to train and formally supervise these employees will be onerous and also will require firms to implement an objective assessment process. In CP17/25, the FCA stresses that it expects firms to be able to demonstrate that they apply the spirit as well as the letter of the Conduct Rules, for example, in ensuring that their staff understand what the rules mean to them in the context of their particular firm. This is likely to require a degree of tailoring of training and reference resources for staff. In particular, the proposed rules require firms to provide training that gives individuals “a broad understanding of all the rules in COCON, and that they also have a deeper understanding of the practical application of the specific rules which are relevant to their work”.

First Tier - Individual Conduct Rules
1 You must act with integrity.
2 You must act with due care, skill and diligence.
3 You must be open and cooperative with the FCA, the PRA and other regulators.
4 You must pay due regard to the interests of customers and treat them fairly.
5 You must observe proper standards of market conduct.

Second Tier - Senior Manager Conduct Rules
SC1 You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
SC2 You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
SC3 You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
SC4* You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

*SC4 applies, together with the Individual Conduct Rules, to NEDs.

There is little guidance on how firms should assess whether there has been a breach of the Conduct Rules. The FCA indicates that individuals must be personally culpable - meaning a person’s conduct was deliberate or was below that which would be reasonable in all the circumstances. Depending on the size of the firm, it may be prudent for a firm to form an adjudication committee (perhaps comprising members of compliance and legal teams) to determine whether a breach has occurred that may require formal disciplinary action by the firm and notification to the FCA.

Enhanced regime

The Enhanced Regime applies to certain firms that are larger in size or have a more complex structure. For specific firm types included in the Enhanced Regime, see the box on page two of this paper.
The FCA proposes that under the Enhanced Regime, all the requirements under the Core Regime apply, but are enhanced by adding:
— additional Senior Management Functions (these are listed in a table on the following page);
— additional prescribed responsibilities (these are listed in a table on the following page);
— a requirement to appoint a Senior Manager with overall responsibility for every area, business activity and management function of the firm (the “Overall Responsibility Rule”);
— a requirement on firms to have a single document that sets out the firm’s management and governance arrangements (Responsibilities Map); and
— an obligation to ensure new Senior Managers have all the information and material they could reasonably expect in order to do their job (adequate handover procedures).

Source: FCA CP17/25, page 15

Enhanced Regime: additional SMFs
— SMF2: Chief Finance*
— SMF4: Chief Risk*
— SMF5: Head of Internal Audit*
— SMF7: Group Entity Senior Manager
— SMF10: Chair of the Risk Committee
— SMF11: Chair of the Audit Committee
— SMF12: Chair of the Remuneration Committee
— SMF13: Chair of the Nominations Committee
— SMF14: Senior Independent Director
— SMF18: Other Overall Responsibility (a mop up, applicable where a senior executive is the most senior person responsible for an area of the firm’s business but they do not perform any other SMF. The FCA thinks this will be the exception rather than the rule.)
— SMF24: Chief Operations

* These functions will apply instead of the broad Systems and Controls Function under the approved persons regime.

Enhanced Regime: additional prescribed responsibilities
— PR8: Compliance with the rules relating to the firm’s Responsibilities Map.
— PR9: Safeguarding and overseeing the independence and performance of the internal audit function (in accordance with SYSC 6.2).*
— PR10: Safeguarding and overseeing the independence and performance of the compliance function (in accordance with SYSC 6.1).*
— PR11: Safeguarding and overseeing the independence and performance of the risk function (in accordance with SYSC 7.1.21R and SYSC 7.1.22R).*
— PR12: If the firm outsources its internal audit function, taking reasonable steps to ensure that every person involved in the performance of the service is independent from the persons who perform external audit, including:
  – supervision and management of the work of outsourced internal auditors; and
  – management of potential conflicts of interest between the provision of external audit and internal audit services.
— PR13: Developing and maintaining the firm’s business model.
— PR14: Managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the FCA for the purpose of stress-testing.
* Firms must allocate PR9, 10 and 11 only where firms must comply with the relevant SYSC requirement indicated. Where possible, the FCA indicates that firms should allocate these Prescribed Responsibilities to a Senior Manager who is a NED of the firm, or a partner who does not have management responsibilities. Where there is no NED, the Prescribed Responsibility must be allocated to another appropriate Senior Manager.

Firms must not allocate Prescribed Responsibilities to someone performing SMF18, “Other Overall Responsibility”. The only exception to this is the CASS compliance Prescribed Responsibility.

Overall Responsibility Rule

Firms under the Enhanced Regime must consider their own business and ensure that every activity, business area and management function has a Senior Manager allocated overall responsibility, with no gaps. This ensures that the FCA will always be able to hold an individual to account.
While the FCA gives some examples of the main business activities and functions in its proposed rules (at SYSC 25 Annex 1G), this is not an exhaustive list and the FCA expects firms to scrutinise their own business set ups as the allocation of responsibilities, and the nature of those responsibilities, will differ between firms. Firms should ensure that Senior Managers reflect the results of this exercise in individual Statements of Responsibilities and in the firm’s Responsibilities Map.

The Overall Responsibility Rule applies to a firm’s regulated and unregulated financial services activities, including any related ancillary activities. The FCA notes that under the banking regime, this includes the legal function, but that this is currently under review (as described in Discussion Paper 16/4). Unhelpfully, the FCA gives no indication of the position for in-house legal in this proposed extension of the SM&CR. Presumably it hopes the issue will be resolved ahead of implementation of the extended regime.

Responsibilities Map

Under the Enhanced Regime, firms must have, at all times, a comprehensive and up-to-date document that describes its management and governance arrangements. The FCA describes the purpose of a Responsibilities Map as providing “a single, self-contained overview of your firm’s governance, including who is responsible for what”. It should include, for example:
— how the Prescribed Responsibilities are allocated;
— details on who has overall responsibility for the firm’s activities, business areas and management functions;
— details of individuals’ and committees’ reporting lines; and
— how any responsibilities are shared or divided between different people.

Handover Procedures

Enhanced firms must take reasonable steps to ensure that an incoming Senior Manager has all the information and materials they could reasonably expect to have to do their job effectively.
The FCA suggests that one way of doing this could be for the predecessor to prepare a handover note. Firms must decide how best to meet their obligation to take reasonable steps, evidence the approach in a policy explaining how they comply with the requirement, and maintain adequate records of the steps being taken to comply.

Opting up and moving between Core and Enhanced Regimes

The FCA proposes some detailed transitioning rules that will apply to firms crossing thresholds between the Core Regime and the Enhanced Regime. In the proposed rules, there is no “grace period” under which a core firm can cross the threshold for the Enhanced Regime for a short period without being fully subject to the Enhanced Regime. The FCA indicates that a firm can apply for a voluntary requirement and opt up into the Enhanced Regime if it prefers certainty.

As the threshold calculations are made on a solo (as opposed to group) basis, it is possible that different SM&CR regimes will apply to different firms across a group. In such circumstances, affected groups may want to consider if the opt-up option is available to their group companies to facilitate implementing a single regime across the group.

The FCA also flags up in CP17/25 that the criteria to identify firms under the Enhanced Regime are not exhaustive. Under its proposals, the FCA may require a firm to comply with the Enhanced Regime (for example, using the Own Initiative Requirement process) if it considers it appropriate to do so to advance its operational obligations under FSMA (for example, to mitigate risks posed by the firm). However, the FCA does not anticipate this happening often.

Full-scope UK AIFMs

As mentioned in the Enhanced SM&CR firms box (on page one), a full-scope UK AIFM is excluded from the Enhanced Regime if its permission is limited to being an AIFM of an unauthorised AIF or an authorised AIF only marketed to professional clients.
To the extent that the Enhanced Regime continues to apply to other AIFMs, the FCA excludes the following from application to a full-scope UK AIFM in relation to its managing an AIF:
— Senior Manager handover requirements; and
— Prescribed Responsibilities relating to informing the governing body; internal audit; compliance function; risk function; external audit; and business model.

Limited scope regime

The FCA proposes that firms to which the Limited Scope Regime applies (Limited Scope Firms) will have fewer SMFs, reflecting how the existing Approved Persons Regime applies to them now. The SMFs required of Limited Scope Firms vary depending on the type of firm under consideration. The FCA summarises them in the table below (reproduced from page 21 of CP17/25).

Under the proposals in CP17/25, prescribed responsibilities will not apply to Limited Scope Firms, nor will the requirements relating to references for NEDs.

Incoming UK branches

For incoming UK branches, the FCA proposes a lighter application of the SM&CR.

EEA branches

The FCA proposes that only the following SMFs apply to incoming EEA branches, and no prescribed responsibilities:
— SMF17: Money Laundering Reporting Officer (MLRO)
— SMF21: EEA Branch Senior Manager

The FCA stresses that SMF21 will apply to anyone who performs a Senior Manager role, whether they are based in the UK or overseas. However, in practice, the FCA expects that most branches will be able to identify someone who is primarily based in the UK.

For the Certification Regime, the FCA proposes that it applies in full to EEA branches, but only to employees based in the UK. Finally, the FCA proposes that the Conduct Rules will apply to all in-scope staff of a UK branch, except those who are based outside of the UK. However, the FCA indicates in CP17/25 that the Conduct Rules apply only to the extent that they are compatible with the relevant single market directives.
Non-EEA branches

The FCA proposes the following SMFs apply to non-EEA branches in the UK:
— SMF3: Executive Director
— SMF16: Compliance Oversight
— SMF17: MLRO
— SMF19: Head of Third Country Branch
— SMF27: Partner

The FCA also proposes to apply to non-EEA branches the Prescribed Responsibilities shown in the box below.

Prescribed Responsibilities for non-EEA branches
— PR1: Performance by the firm of its obligations under the Senior Managers Regime, including implementation and oversight.
— PR2: Performance by the firm of its obligations under the Certification Regime.
— PR3: Performance by the firm of its obligations in respect of notifications and training of the Conduct Rules.
— PR4: Responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime.
— PR5: Responsibility for the firm’s compliance with CASS.
— PR6: Responsibility for management of the firm’s risk management processes in the UK.
— PR7: Responsibility for the firm’s compliance with the UK regulatory system applicable to the firm.
— PR8: Responsibility for the escalation of correspondence from the PRA, FCA and other regulators in respect of the firm to the governing body and/or the management body of the firm or, where appropriate, of the parent undertaking or holding company of the firm’s group.
— PR9: Responsibility for an AFM’s value for money assessments, independent director representation and acting in investors’ best interests (applicable only to AFMs and subject to consultation under CP17/18).

The FCA proposes the same scope of application for the Certification Regime and Conduct Rules as for EEA branches, covered above.

Next steps

The consultation in CP17/25 is now closed. CP17/40, which includes proposals relating to “grandfathering” of existing approved persons, is open for comment until 21 February 2018. The FCA indicates that it will publish a policy statement with final rules in summer 2018.
While the date for the implementation of the new rules will be set by HM Treasury “in due course”, the FCA assumes that the rules will apply to solo-regulated firms in mid-to-late 2019.

In the meantime, firms can begin to identify the scope of the regime relevant to their own operations, and still feed into the consultation on transitional provisions and application to appointed representatives, either independently or through trade associations if appropriate. Where they do not exist already, firms also may consider setting up an internal SM&CR project team to monitor developments and coordinate impact and ultimate implementation. Experience from the implementation of the SM&CR in banks has shown the broad scope of involvement necessary for implementation, requiring input from members of HR, Compliance, Legal, Risk and Senior Management, at least. Firms should not underestimate the extent of the implementation task.

Action points for firms
— Consider the FCA’s proposals and respond to the remaining open consultation before 21 February 2018 if appropriate.
— Identify key internal stakeholders to form a working group, for example, representatives from senior management, HR, Risk, Secretariat, Compliance and Legal.
— Engage with senior management to ensure sufficient levels of “buy-in”.
— Review the existing governance structure and reporting lines for adequacy and transparency.
— If the Enhanced Regime applies, consider if there will be any gaps in a Responsibilities Map.
— Identify which staff will require regulatory approval under the SMR and those which will require certification.
— Assess any relevant extra-territorial scope.
— Ensure Senior Managers and Certification Staff have up-to-date job descriptions.
— Consider how fitness and propriety assessments of Certification Staff will be carried out and monitored.
— Review existing HR policies and procedures in light of the reference obligations and requirements, Conduct Rules and the need to report disciplinary action to the regulator.
— Consider if employment contracts will require changes, particularly for Senior Managers.
— Consider suitable training packages for all three tiers of staff.

Contact details

If you would like further information or specific advice please contact:

Michelle Kirschner, Partner, Financial services regulation, DD +44 (0)20 7849 2227, michelle.kirschner@macfarlanes.com
Dan Lavender, Partner, Litigation and dispute resolution, DD +44 (0)20 7849 2606, dan.lavender@macfarlanes.com
Paul Ellison, Partner, Financial services regulation, DD +44 (0)20 7849 2744, paul.ellison@macfarlanes.com
Yvonne Clapham, Senior solicitor and professional support lawyer, Financial services regulation, DD +44 (0)20 7849 2869, yvonne.clapham@macfarlanes.com

January 2018

This note is intended to provide general information about some recent and anticipated developments which may be of interest. It is not intended to be comprehensive nor to provide any specific legal advice and should not be acted or relied upon as doing so. Professional advice appropriate to the specific situation should always be obtained.

Macfarlanes LLP is a limited liability partnership registered in England with number OC334406. Its registered office and principal place of business are at 20 Cursitor Street, London EC4A 1LT. The firm is not authorised under the Financial Services and Markets Act 2000, but is able in certain circumstances to offer a limited range of investment services to clients because it is authorised and regulated by the Solicitors Regulation Authority. It can provide these investment services if they are an incidental part of the professional services it has been engaged to provide.