SMCR Reform Five important changes that need to be made to the UK personal accountability regime

The industry has until 1 June 2023 to respond to the parallel call for evidence and discussion paper by HM Treasury, the PRA and the FCA on the effectiveness of the UK system of personal accountability contained in the Senior Managers & Certification Regime (SMCR) and propose enhancements they would like to see made to the regime.

In many respects SMCR has been a great success. It has undoubtedly led to greater clarification of personal responsibilities within financial services firms and, as a result, an improvement in the steps that individuals are taking to ensure that risks are identified, assessed and managed effectively within areas of the business that they are responsible for.

Although the duties owed by senior managers under SMCR are in essence the same as those that have been owed since the approved persons regime was introduced on 30 November 2001, SMCR created a greater focus on defining the scope of each individual’s responsibilities and enhancing the systems to support the system of individual responsibility – including regulatory references, fitness and propriety assessments, statements of responsibilities, reasonable steps frameworks, and handover requirements. In addition, SMCR extended personal regulatory duties to individuals at all levels of financial services firms, significantly extending the range of potential targets for disciplinary action when problems occur.

However SMCR is far from perfect and there are a number of important changes that need to be made to ensure that the UK regime for personal accountability is fit for purpose. In this article we identify five areas in which amendments to the current regime should be made to ensure that all those responsible for operating SMCR – regulated firms, individuals within those firms, financial regulators, and the disciplinary committees and tribunals responsible for enforcing those provisions – are clear about the scope of duties and standard of care required under the regime.

1. Should non-financial misconduct amount to a breach of the Conduct Rules?

Back in December 2018 the FCA’s Christopher Woolard boldly declared that “Our message to firms is clear: non-financial misconduct is misconduct, plain and simple”. A simple message but unfortunately one that was very wide of the mark when it comes to assessing whether improper conduct amounts to a breach of the Conduct Rules.

The FCA’s rules are complex and far from clear in relation to the key issue of whether non-financial misconduct (examples of which given by the FCA include sexual harassment and misconduct, racism, bullying, homophobia and other forms of discrimination) amount to a breach of the Individual Conduct Rules (ICR) – in particular the duty to act with integrity (ICR1).

While the FCA is clear that it would like firms to be treating individuals as in breach of the Conduct Rules if they discover non-financial misconduct by their employees, the relevant rules do not always give firms the ammunition to do so. As a result, some firms who wish to convey a hard line on non-financial misconduct have felt compelled to apply the spirit rather than the letter of COCON in order to meet the expectations of their supervisors. This has led to an uneven playing field in which the same conduct in two different firms will be treated very differently. Where a Conduct Rule breach is upheld by the firm (even where the letter of the rules/guidance may not support this), the finding will stay with the individual indefinitely as it will need to be raised in regulatory references when the person moves jobs and in the context of future assessments of their fitness and propriety. Our experience is that the regulators are placing significant supervisory pressure on firms to determine that non-financial misconduct by their employees is to be treated as a breach of the Conduct Rules. To create a much more consistent, and therefore fairer, approach to assessment of these issues the following three changes need to be made:

a) Provide examples of non-financial misconduct that would constitute a breach of the Conduct Rules.

COCON 4 provides a non-exhaustive list of the types of conduct that would amount to a breach of each of the different Conduct Rules - none of which are examples of non-financial misconduct. If it is intended that non-financial misconduct should be treated as a breach of the Conduct Rules, then COCON 4 should include examples of those different types of misconduct. Conversely, if no such examples are included then the regulators should not be putting pressure on firms to hold individuals to be in breach of Conduct Rules as a result of non-financial misconduct (whether in the workplace or outside it).

b) Convert examples of misconduct in COCON 4 into Evidential Rules in order to give them legal effect.

When SMCR was introduced, the examples of misconduct amounting to a breach of each Conduct Rule was largely copied across from the equivalent Statements of Principle for Approved Persons (known as “APER”). However under APER the examples of misconduct were included in the FCA Handbook as Evidential Rules, whereas in COCON 4 they were included as Guidance. This difference is important in practice – Evidential Rules are to be used when determining whether or not a binding rule (such as a Conduct Rule) has been broken, whereas Guidance is not binding and does not need to be followed (GEN 2.2.3 and page 11 of the FCA  Reader’s Guide: an introduction to the Handbook (January 2019)).

c) Amend COCON 1 so that the scope of the Conduct Rules is the same for all regulated firms.

At present the Conduct Rules apply to a broader range of activities at banks than at most other regulated firms. As a result, the same problematic behaviour by an individual may constitute a breach of the Conduct Rules if they work at a bank, but would not amount to a breach if they work for a different type of financial services firm – where, broadly speaking, the Conduct Rules apply only to their performance of regulated activities (and not to other activities that the firm may carry on).

Is there any good reason for this distinction? Assuming that the same standards should apply across the entirety of the financial services sector, then these differences in application should be removed.

In summary, HM Treasury, the PRA and the FCA now urgently need to identify and agree on the circumstances in which different types of non-financial misconduct should amount to a breach of the Conduct Rules, particularly in relation to conduct outside of the office (whether within or outside a work context). Once they reach agreement on these key issues then the changes outlined above each need to be made to ensure that the system is fit for purpose.

2. How bad must a mistake be before it amounts to a breach of ICR 2 (due skill, care and diligence)?

Another area in which widely different approaches are taken by regulated firms is the question of what standard of care is applied when considering whether a mistake or error amounts to a breach of ICR 2 (due skill, care and diligence). This is a topic that since the introduction of SMCR has occupied an increasing amount of time of Compliance, HR, Legal and senior management at regulated firms.

The concept of “due skill, care and diligence” is a hugely subjective one, and therefore one where there is real scope for differences in approach. Everyone makes mistakes – some with more serious consequences than others – but how serious must the mistake be in order for it to be treated as a breach of ICR 2?

The FCA Handbook notes at COCON 3.1 that it will be important to assess the context of any situation when assessing whether a Conduct Rule has been breached, and that in relation to non-deliberate conduct individual culpability will only result where the person’s standard of conduct was below that which would be reasonable in all of the circumstances. In assessing what this means in the context of the duty to act with due skill, care and diligence, a great deal of discretion is therefore left to the firm in each case.

Under the pre-SMCR regime the issue of whether an individual had breached a Statement of Principle for Approved Persons would be a matter solely for regulators in determining whether or not to bring disciplinary action Now, the day to day role in assessing whether or not an individual’s conduct amounts to a breach of the Conduct Rules has now largely been outsourced by the regulator to firms themselves. This has been the consequence of the SMCR-led duty on firms to report any Conduct Rule breaches that lead to disciplinary action, coupled with greater supervisory interest and scrutiny from the FCA in the outcome of internal investigations into individual misconduct. Firms are therefore regularly having to weigh up mistakes by their employees to assess whether they are sufficiently serious to amount to a breach of ICR 2.

As a result, new evidential rules are needed to assist firms in determining whether or not errors by its employees should properly be treated as a failure of the regulatory duty to act with due skill, care and diligence. These rules could be based in part on the provisions at SUP 15.3 which set out the thresholds to be applied by firms in assessing whether an issue is sufficiently serious to merit notification to the FCA under Principle 11.

3. Do individuals who are not SMFs owe exactly the same managerial duties as SMFs?

Senior management who are pre-approved by the PRA / FCA (as appropriate) to perform Senior Manager Functions have onerous personal duties in relation to their management of the business of the firm for which they are responsible. These duties are set out in Senior Manager Conduct Rules 1, 2 and 3.

These Senior Manager Conduct Rules only apply to SMFs and are intended to impose personal obligations on those at the top of an organisation to ensure that the systems and controls in place at the firm are designed and implemented appropriately and are working properly to manage all risks faced by the business in an effective way.

These higher standards on SMFs are justified on the basis that it is critical to a firm’s success, including its effective management of risk, that those at the senior end charged with responsibility for its systems and controls have a proper understanding of them and are personally satisfied that the risk management framework, systems and controls are working effectively. The regulators believe it is extremely important that senior managers have personal accountability in relation to the management of the risks to which the business is exposed.

However under the SMCR regime as currently drafted, the FCA has sought through the backdoor to impose exactly the same managerial obligations on all individuals within a firm who have any form of managerial responsibility, whether or not they are SMFs. The FCA’s guidance at COCON  4.1.8 states that, in performing their duty to act with due skill, care and diligence under ICR 2, any individual who performs a managerial role (i.e. even at a much more junior level) must abide by the same duties as those set out in Senior Manager Conduct Rules 1, 2 and 3. The duties to ensure that the relevant part of the business is controlled effectively, is complying with its regulatory duties (including the duty to ensure that risks are managed effectively), and that delegations of activities are undertaken and overseen appropriately are all included expressly within the guidance as examples of conduct that, if not undertaken to the requisite standard, will amount to a breach of ICR 2 (due skill, care and diligence).

Is it right that, whether or not you are an SMF, you are required to meet the same onerous standards in managing the area of the business for which you are responsible? If that is the intention, then the correct approach would be to extend Senior Manager Conduct Rules 1, 2 and 3 to apply to all individuals within the firm who perform any type of managerial function. This would bring clarity as to what is expected of those individuals, and enable firms to conduct proper training and systems of support to enable them to fulfil those regulatory expectations.

Conversely, if it is intended that SMFs should be held to more onerous requirements in relation to management of the area of the business than more junior individuals who also perform some form of managerial role, then the current guidance at COCON 4.1.4 to 4.1.8 should be deleted in its entirety.

Either of these two approaches would be acceptable, but the current “half way house” in which duties are imposed by the back door through guidance to ICR 2, and expectations are therefore not properly understood, is both problematic and unfair on those performing managerial roles within regulated firms.

4. Is the requirement for firms to conduct annual reassessments of "fitness and propriety" of their certification staff necessary?

A major change introduced by SMCR was the requirement on firms to undertake an annual reassessment of fitness and propriety of their “certification staff” and to issue a certificate at least annually to those individuals. The key requirements are set out in primary legislation (s.63E and s.63F of FSMA).

This has been successful in making firms focus much more on fitness and propriety issues, rather than viewing the question of fitness and propriety as largely an issue for the regulators in the context of SMF approval applications.

However, in weighing up the benefit of conducting annual reassessments against the significant burden on firms in carrying out these assessments so frequently, we believe that the same benefits could be achieved by moving to a three-yearly reassessment process.

A reassessment every three years would be sufficient to ensure that the firm has a focus on whether the individual remains competent and has the necessary attributes to perform the relevant role. In the absence of suspected breaches of regulatory rules or other material problems occurring, it is unlikely that the firm’s view on the individual’s competence will change over the period of a single year.

In our experience, firms routinely carry out a fresh reassessment of fitness and propriety on an event-driven basis, for example where misconduct is suspected or where other new circumstances arise that may call into question the individual’s fitness and propriety.

As a result, a move from annual fitness and propriety assessments to three-yearly assessments would achieve the right balance between ensuring high standards within the industry while reducing unnecessary levels of bureaucracy on firms.

5. What can be done to better manage temporary SMF appointments?

A common challenge that firms face is how to cover a temporary vacancy in an SMF position, without falling foul of the requirement that individuals performing SMF roles are authorised by the FCA or PRA to perform it.

Currently many firms rely on the ‘12 week rule’ to manage the cover for these vacancies. The 12 week rule allows, in certain circumstances, for an individual to carry on an SMF function for a period of up to 12 weeks, without having the requisite regulatory approval.

In our experience, the scope of the 12 week rule is often too narrow to assist firms and the regulators in managing temporary cover for key SMF roles. Particularly given that most vacancies take longer than 12 weeks to fill a position with a permanent hire (given many individuals have three month notice periods to serve before they can join their new firm).

Currently, in the event that it is expected that the period of cover will exceed 12 weeks, the regulatory guidance suggests that firms should apply for a time-limited approval for the individual covering the role, to perform the function. This process is unduly burdensome from an administrative perspective for both firms and the regulators (who are already managing a deluge of SMF authorisation applications at any one time).

In our view the operation of the 12 week rule could be made more efficient by: (a) extending the period to 24 weeks; and (b) adding additional guidance to the regulatory rulebooks to clarify that the rule can be applied by firms in the event of an unexpected resignation, suspension or dismissal (currently the examples in the guidance are limited to holidays and emergencies).

What to expect from the SMCR reforms

These are the five most significant changes that we feel need to be made to the SMCR regime as part of the current review. Making these changes will undoubtedly lead to a better and fairer system of regulation. Whilst we hope to see some, if not all, of the changes outlined above make their way into the reformed regime, we fear that the real intent of this review is to make much more modest changes that are largely procedural in nature.

Whatever direction is taken, we hope that the reforms will make it easier for firms and senior managers to apply SMCR in practice, in a way that is fair and proportionate. The government must also be cautious to ensure that any changes made do not materially undermine the regime’s core purpose of promoting high standards of conduct through individual accountability, which has undoubtedly had a positive impact on culture at financial institutions.

Authors: Nathan Willmott, Partner; Adam Jamieson, Partner; and Laura Bell, Junior Associate.