FCA's consultation paper (CP 17/25), published in July, sets out its proposals for extending the Senior Managers and Certification Regime (SMCR) to all FCA-regulated firms. Once implemented, it will bring an extra 47,000 firms within the scope of the regime, which is currently limited to banks and (in a modified manner) insurers.
The paper seeks to unite the Approved Persons regime and the SMCR (in force since 7 March 2016), bringing all authorised firms under the same regime.
The headline changes are twofold:
- A new system of classification for all firms
- The SMCR regime, comprising:
  - Senior Managers Regime (SMR)
  - Certification Regime
  - Conduct rules.
How are firms classified?
FCA has such a diverse regulated community in terms of size of entity, and scope and nature of business, that it would be impractical and unreasonable to impose a "one-size-fits-all" model on all firms. As a result, it has proposed making the level of regulation proportionate to a firm's size, classifying all firms into three categories:
- Enhanced SMCR firms: the largest firms (constituting fewer than 1% of those affected, around 350 firms), comprising consumer credit lenders with over £100m regulated revenue, non-bank lenders with more than 10,000 outstanding regulated mortgages, firms with assets under management exceeding £50bn, significant IFPRU firms, CASS large firms and intermediaries with £35m or more regulated business revenue per year;
- Core SMCR firms: every solo-regulated firm that does not fall within any other category. This category will include the majority of solo-regulated firms; and
- Limited Scope SMCR firms: smaller firms currently subject to a limited application of the existing Approved Persons regime, such as Limited Permission Consumer Credit Firms, secondary insurance intermediaries, sole traders, internally managed AIFs, EMPs, OMPs, authorised professional firms and service companies.
The SMCR will apply in principle to all classifications of firm, but with greater requirements on enhanced SMCR firms and disapplication of certain rules for Limited Scope SMCR firms.
Tranche 1: Senior Managers Regime
The SMR applies to individuals in senior management positions within a firm, and seeks to recognise the responsibility of these individuals with appropriate levels of accountability. It is not territorially restricted, so it can apply to an individual who is overseas if they perform a relevant function for the regulated business of a relevant firm.
FCA has specified a list of senior management functions (SMFs) and the extent of their application will depend on how a firm is classified. For instance, SMFs specific to Enhanced firms reflect the complexity of the firms, and the potential for associated threat to consumers.
The governing functions:
- Chief Executive (SMF1)
- Executive Director (SMF3)
- Chair (SMF9)
- Partner (SMF27) (if relevant)
and the required functions:
- Compliance Oversight (SMF16)
- Money Laundering Reporting Officer (SMF17)
will apply to all Enhanced and Core firms. Limited scope firms are not subject to all these SMFs, and the ones they are subject to will depend on their business. FCA has created a bespoke SMF (29) as the Limited Scope Function (which should be allocated to the person who currently holds CF8 – apportionment and oversight). This is the only function which limited permission consumer credit firms and secondary non-investment insurance intermediaries will need. Other limited scope firms will additionally need the SMF16 and 17 functions, with the exception of sole traders with no employees, which will need only the SMF16.
The following SMFs apply additionally to Enhanced firms (where relevant):
- Chief Finance Function (SMF2)
- Chief Risk Function (SMF4)
- Head of Internal Audit (SMF5)
- Senior Independent Director (SMF14)
- Chair of the Remuneration Committee (SMF12)
- Chair of the Risk Committee (SMF10)
- Chair of the Audit Committee (SMF11)
- Chair of the Nominations Committee (SMF14)
- Group Entity Senior Manager (SMF7)
- Chief Operations Function (SMF24)
- Other Overall Responsibility (SMF18) (if performed by an individual not performing any other SMF)
Although the SMFs are designed to cover executive functions, some NEDs may be caught within the regime under SMF9 (Chair) and SMFs 10-13 (Chair of Risk/Audit/Remuneration/Nominations Committee). As with the existing SMR, the regulators are keen that many NEDs will fall outside scope, not least as NEDs are an important control mechanism and the appetite for the position would wane if the SMR applied to the individual in each firm for which they provided a NED function.
Within the SMR, FCA expects a clear allocation of responsibilities within each firm, spanning responsibilities inherent in the definition of SMFs, and "prescribed responsibilities" to be allocated among individuals performing SMFs. Each Senior Manager must have a Statement of Responsibilities, which must be supplied to FCA when the manager takes on the post and when there is any significant change in responsibilities. Additionally, FCA has set six prescribed responsibilities which apply to all firms except for Limited Scope firms, relating to the firm's performance of its role under the SMR, Certification regime and Conduct Rules, as well as responsibilities in relation to financial crime prevention, CASS compliance (if relevant), education of the governing body and, for authorised fund managers, responsibility for value for money assessments, independent director representation and acting in investors' best interests. Firms must allocate each of these responsibilities to the most appropriate Senior Manager, and this should be reflected on the Statement of Responsibilities. Senior Managers may share a prescribed responsibility only where the firm can show it is appropriate and justifiable (such as where there is a job-share). Seven further prescribed responsibilities apply to Enhanced Firms, mainly relating to the Enhanced Firm SMFs, but some more general, such as responsibility for developing and enhancing the firm's business model.
Each Enhanced firm must record its allocation of responsibilities on a "Responsibilities map", and report to the FCA on an annual basis to confirm that the allocation remains accurate and that all appropriate functions are filled. Although only required of Enhanced firms, it would be good practice for all firms to carry out these reviews and keep these records internally.
Statement of Responsibilities
Only Enhanced firms require a Responsibilities Map, but all firms must prepare Statements of Responsibilities. While firms will not need to appoint a person to every SMF if it is not relevant, every person who is appointed to an SMF will need a Statement of Responsibilities. Individuals may be appointed to more than one SMF, and will have to be approved for each function. They will need only one Statement of Responsibilities, which must clearly describe all their responsibilities.
The duty of responsibility
Further individual accountability resides in the duty of responsibility, which senior managers carrying out an SMF (regardless of their firm's classification) may be in breach of if:
- They are responsible for the management of any activities in their firm in relation to which their firm contravenes a regulatory requirement
- They do not take such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring (or continuing).
No guidance has been provided on what constitutes "reasonable steps", and this will likely depend on the context of each purported breach. Depending on the particular case, FCA may decide to take action against the individual, the firm, or both, as is currently the case under the Approved Persons regime. After having aborted original proposals for a 'presumption of responsibility' within the SMR during the consultations for the legislation that enabled the original regime, the burden of proof now rests with the FCA, which needs to demonstrate not only the contravention of a regulatory requirement, but also that the individual was culpable by not taking reasonable steps to avoid the breach.
All managers must keep an individual statement of responsibilities defining any allocated SMFs and/or prescribed responsibilities. This must be updated to accommodate any significant changes in the senior manager's role, for instance a change in role, removal, or reallocation of responsibilities. The format of the statement has not yet been consulted on, though it is expected to be included in the FCA's finalised rules next year.
Tranche 2: Certification Regime
The second tier of the SMCR is the Certification Regime. The CR applies to all individuals whose roles may pose "significant harm" to customers, markets, or the firm. FCA has proposed a list of certification functions, which are:
- Significant management function
- Proprietary trader
- CASS oversight function
- Function otherwise subject to qualification requirements
- Client dealing function
- Algorithmic traders
- Material risk takers
- Anyone who supervises or manages anyone performing any of the above functions
Although many will already have been within the Approved Persons regime, by including material risk takers and managers of certified individuals, the net of regulation has widened. As with the SMFs, one individual can be certified in more than one certified function, but must be certified against the needs of each relevant function.
The requirement to register with and gain approval from the FCA stops with senior managers in SMFs, however. Within the CR, each firm must certify that individuals are fit and proper for their role. Certification must take place on an annual basis, but may be considered a continuing governance focus throughout the year. Assessment of fitness and propriety will have regard to a person's:
- Honesty and integrity
- Competence and capability
- Financial soundness.
These factors might be examined via background checks, self-declarations of fitness and propriety, and regulatory references covering the preceding six years. FCA proposes to require firms to collect evidence when assessing candidates for any SMF, any Certification Function or any NED role, even if the NED will not hold an SMF.
Once a firm identifies the individuals performing certification functions and finds them to be fit and proper, it will issue each individual with a certificate stating:
- The firm is satisfied that the individual is fit and proper for the specified function(s)
- Which aspect(s) of the firm's affairs the individual will be involved in, in performing their function(s).
So there will no longer need to be applications to FCA for certain of the current Approved Persons roles (notably the customer function), and FCA need not be notified if an individual moves from one role falling within the CR to another, but the relevant firm must perform the appropriate certifications for the role.
In principle, the Certification Regime is limited to those based in the UK or who, if outside the UK, deal with UK clients. However, it will apply to all material risk takers without limitation.
Tranche 3: Conduct rules
The conduct rules are the most pervasive element of the SMCR, affecting all individuals working at FCA-regulated firms (including those covered under SMR and CR) apart from ancillary staff who do not perform any financial services-related tasks.
The individual conduct rules applicable to all relevant employees are as follows:
- IC1: You must act with integrity
- IC2: You must act with due care, skill and diligence
- IC3: You must be open and co-operative with the FCA, the PRA and other regulators
- IC4: You must pay due regard to the interests of the customer and treat them fairly and
- IC5: You must observe proper standards of market conduct.
These are, of course, very similar to the current Statements of Principle for Approved Persons. Additional rules will apply only to senior managers:
- SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively
- SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system
- SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively
- SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
Investigation into alleged breaches may be conducted by either the FCA or the firm itself.
If conducted by the FCA, both the context and the personal culpability (i.e. how deliberate was the breach) will be considered.
If conducted internally, formal disciplinary action might include written warnings, reduction in remuneration, or suspension and/or dismissal. Details of any action must be logged in all regulatory references provided for a minimum of 6 years. Further, every breach must be reported to the FCA at the point of disciplinary action, either within seven days (for SC breaches) or annually in October (for IC breaches).
Firms must ensure all relevant employees understand the new rules and take steps (e.g. training) to ensure individuals know how they apply. The number of individuals now subject to conduct rules is significantly higher, and this should be reflected in a firm's training strategy.
Individuals who are subject to the conduct rules but not the certification process will not need an annual statement, nor are they subject to the regulatory references rules.
Although there are three key elements to the new regime, there are many nuances to its application to various firms.
Actions and next steps
The deadline for feedback to the consultation paper is 3 November 2017. Finalised rules will be published in a Policy Statement by the FCA next year.
Preparatory steps to comply with the new regime will clearly depend on the size of a firm and how it is classified. As a matter of course, ensure that senior managers are aware of the changes and the potentially new responsibilities that accompany them. Where accountability gaps are identified, a firm should make sure responsibility is allocated and recorded appropriately.
As Jonathan Davidson, the Director of Supervision – Retail and Authorisations at the FCA, said recently, "there is no off-the-shelf FCA approved culture package that you can download and install in your business." Devising and implementing any new policies tailored to an individual firm may be a lengthy process; with the finalised rules expected in 2018, preparation is key.