In the aftermath of the financial crisis, regulators globally recognized a need to reduce risks by ensuring that firms set rules of behavior for their staff and monitored their actions on a regular basis. The UK introduced some of the strictest standards of conduct in late 2019, with full implementation taking place in 2020. Regulators in other jurisdictions, such as Ireland and Singapore, are likely following suit soon.
The UK's program, known as the Senior Managers and Certification Regime (SM&CR), is an evolution of the previous monitoring program, the Approved Persons regime. SM&CR has applied to banks since 2016 but will now impact firms solely regulated by the Financial Conduct Authority (FCA), including most asset managers.
The SM&CR’s global reach
While the FCA is based in the UK, key aspects of the new rules can apply to senior managers in other countries when they are responsible for business operations of their UK firm. As a result, senior managers of US or Asian firms with UK subsidiaries need to be aware of their responsibilities under the regime.
SM&CR rules came into force for investment managers on December 9, 2019, but this will be followed by a one-year transition period to train staff that are not senior managers or certified staff and assess certification personnel for their suitability.
The conduct rules will apply to senior managers and what are deemed certification staff — people who are not senior managers but whose jobs could have a significant impact on customers, markets, or the firm. The rules will also apply to all other employees other than those who do not perform a role specific to financial services.
The SM&CR places asset managers and other firms solely regulated by the FCA in one of three buckets:
- Enhanced — the largest and most complicated firms
- Core — the majority of firms
- Limited Scope— which will have fewer requirements than corehttps://www.handbook.fca.org.uk/handbook/COCON
The FCA has published a guide to SM&CR that explains how to determine which category your firm is in, and what the differences are in requirements.
Under the new rules, firms will have to ensure that every affected area of their business has a senior manager responsible for that activity, that senior managers have a “statement of responsibilities" that states what each senior manager’s responsibilities are, as well as a duty of responsibility, meaning that they have to take reasonable steps to avoid a violation of the rules or they could be held accountable by the FCA. Significantly, there is no territorial limitation for enhanced firms. So, a senior manager in New York who oversees a business area in London could be subject to these rules.
A senior manager's responsibility also extends to any third parties the firm uses for things like back office functions. Managers must be able to demonstrate that they are overseeing the outsourced function through such steps as collecting data and conducting on-site due diligence visits and cannot assert pure reliance on the third-party firm as a defense to breach.
For employees below senior manager level, but who hold so-called certification functions, such as traders who could cause harm to customers, the firm, or markets, the firm is required to assess their performance on an annual basis and “certify” that the employee is “fit and proper” to perform the function.
In the current transition period, firms are required to train their employees on how conduct rules — like acting with integrity — apply to their specific job functions. There also are specific rules of conduct for senior management functions.
What the SM&CR rules require
The new rules are expected to have a major impact on human resources departments at covered firms. When a new senior manager or certified employee is hired, for example, the firm is required to request a regulatory reference from every firm the person has worked for in the past six years. While this will become standard practice in UK financial firms, it could be problematic if the employee did not work in financial services previously or worked in another country. The FCA has said firms must take sufficient steps in their due diligence process in this regard. However, if a reference is not forthcoming despite these efforts, a record of emailed and telephoned requests could be used to document due diligence with regard to this requirement.
Disciplinary cases that relate to a breach of the conduct rules also must meet specific FCA requirements. Firms have seven days following the conclusion of a disciplinary process to notify the FCA if it resulted in disciplinary action against a senior manager such as dismissal, a reduction in pay or a claw-back of bonuses, or if the senior manager received a written warning about a breach of the conduct rules. For other employees that fall under the scope of the conduct rules, the firm need only to submit a report of conduct breaches once a year. Importantly, the conduct rules are not limited to the financial operations of the firm — a breach can occur for sexual harassment or poor behavior in the office.
In perhaps a good sign but unintended consequence, during implementation over the past three years, some firms actually filed too many regulatory reports about minor infractions. Applying best practice in relation to disciplinary issues, as set out by the Advisory, Conciliation and Arbitration Service (Acas), and making informed and educated determinations regarding reportable disciplinary cases, will ensure these new rules will bring about the intended results without unnecessary personal and professional consequences. The FCA is creating a register of employees, which will allow firms to quickly review and verify any senior management or certification functions, as well as positions under the previous regime, held by potential hires in their past and any regulatory sanctions or prohibitions issued against them.
The FCA is making clear that these new rules are an evolution, not a revolution. Some banks spent vast sums overhauling their HR systems, which later proved not to be the most effective approach. The important thing is to consistently update your firm's knowledge about what is required, including any relevant feedback from the industry and regulators, and which employees will be specifically affected.