With the current regulatory focus on individual accountability, it is more important than ever that staff understand their personal regulatory duties. Hidden within the guidance for the Conduct Rule to act with due skill, care and diligence is an onerous standard for junior and middle managers. We offer our insights on the scope of this duty, and tips for navigating it, below.
Perhaps the most onerous personal duty imposed on Senior Managers under the Conduct Rules (for banks and insurers) and the Statements of Principles for Approved Persons (for all other authorised firms) is the requirement, when appointed to a new role, to undertake a detailed initial assessment of the risk management framework as it applies to the relevant area of the business, to ensure that it is designed properly and is working effectively in practice.
This requires proactive steps to be taken by the Senior Managers themselves, so that they are able to come to their own view on the adequacy of risk management systems in place. Where an individual does not conduct any such initial assessment, the FCA (and where relevant the PRA) will treat them as having failed to take reasonable steps to ensure that risks within the area of the business for which they are responsible are being managed effectively, and therefore as liable to personal disciplinary action.
This duty upon taking up a new approved role remains poorly understood by Senior Managers. The PRA and FCA do not clearly communicate to Senior Managers what is required of them, but will not hesitate to take disciplinary action against them when problems occur within the area of the business for which they are responsible.
Yet within banks (and, from next year, for all authorised firms), this same personal duty has been introduced – seemingly through the back door – for every employee who has any form of managerial responsibility within the firm.
Extension of duty to conduct initial assessment
The most far-reaching aspect of the Senior Managers and Certification Regime (SMCR) for banks, introduced in March 2016, was the imposition of personal regulatory duties on all staff (save for limited categories of ancillary staff such as receptionists, security guards and caterers). For the first time ever, binding personal duties have been imposed on more junior employees who were not required to be pre-approved by the regulators to perform their role. Employees who breach the conduct rules, or who are knowingly concerned in a regulatory breach by the firm, will be liable to personal disciplinary action.
The same set of conduct rules will apply to equivalent staff within the whole financial services industry when the regime is extended to all firms in 2018.
On their face, the duties imposed on employees who are not Senior Managers seem to be high level and simply reflect standards that individuals would expect to adhere to. These are (COCON 2.1 – individual conduct rules):
- You must act with integrity.
- You must act with due skill, care and diligence.
- You must be open and cooperative with the FCA, the PRA and other regulators.
- You must pay due regard to the interests of customers and treat them fairly.
- You must observe proper standards of market conduct.
However, the FCA has introduced new guidance on the duty to act with due skill, care and diligence which very significantly increases the steps that employees with any form of managerial role within the firm are required to take. The new guidance – contained at COCON 4.1.8 – goes well beyond what was expected of Approved Persons under APER 2, the equivalent duty under the Statement of Principles to act with due skill, care and diligence.
In particular, the guidance now imposes on all employees with any form of managerial responsibility within the firm the same oversight and management responsibilities that are imposed on Senior Managers. The new FCA guidance states that every individual with management responsibilities (at any level) is required to take reasonable steps to ensure that the area of the firm for which he or she has responsibility as a manager:
- is controlled effectively;
- complies with the relevant requirements and standards of the regulatory system applicable to that area of the business; and
- is conducted in such a way to ensure that any delegation of responsibilities is to an appropriate person and is overseen effectively.
These rules will look familiar to SMFs, because they effectively mirror Senior Management Conduct Rules 1, 2 and 3 respectively. So the FCA has covertly imposed the onerous senior management conduct rules on all conduct rules staff when acting in the capacity of a manager.
As a result, individuals appointed to any form of managerial role at a bank (and, from 2018, in any authorised firm) will be required to perform a detailed initial assessment to assess for themselves the design and operational effectiveness of the risk management system as it applies to the area of the bank for which they are responsible.
Given that such onerous responsibilities are now being imposed on middle and junior managers of banks, it is both surprising and concerning that the FCA has introduced these new proactive responsibilities without highlighting and explaining the scope of these new responsibilities to firms and their employees.
Impact for junior and middle managers
The breadth of this rule creates the potential for an unfair standard of conduct to be applied to thousands of junior and middle managers, many of whom will have very little influence or control over the strategy, direction and high level decision-making of the business for which they are, at least in the eyes of the regulator, “responsible”. For example, a senior IT manager (who previously had no personal regulatory obligations) now effectively has the same regulatory duties as a Senior Manager in relation to their own part of the business.
In order to mitigate the personal regulatory risk, as these managers will not be SMFs (and will therefore not have a formal Statement of Responsibility document), we would strongly recommend that they ensure that their role description and responsibilities are clearly defined in their role profile / job description documents, and that they accurately reflect the person’s level of responsibility within the business.
When taking on a new managerial role within the firm, individuals will need to understand what is expected of them in conducting a detailed initial assessment of the risk management framework, and be given the support that is required to complete this effectively and document the steps taken.
In addition, junior and middle managers will need to be ready to challenge their senior managers more often on important decisions and compliance issues to ensure they stay on the right side of the line, and avoid becoming personally exposed to an unwelcome regulatory sanction.
Finally, firms are under a statutory duty to provide “suitable” training to ensure that all conduct rules staff “understand how these rules apply in relation to them”. In our view, that statutory duty will require firms to educate their junior and middle managers on the surprisingly wide scope of their new personal regulatory duties, as they apply to their management of others – as well as their own personal conduct.