Senior Managers & Certification Regime – The Journey is Just Beginning
Finance Monthly hears from Julie Pardy, Director of Regulation and Market Engagement at Worksmart, who reflects on the whirlwind few years that the team’s had and discusses the top five challenges firms can expect when implementing and managing the Senior Managers & Certification Regime (SM&CR) - a programme designed by the FCA to improve 'trust in financial services' by making the right people in financial services firms accountable for their decisions.
Little did we know that when SM&CR was just a glimmer of an idea at HM Treasury, it would have such an impact on the industry and, in doing so, it would change Worksmart so substantially. Borne out of the ‘Changing Banking for Good’ review led by MP Andrew Tyrie back in 2013, the idea of greater Individual Accountability and Conduct Standards for all landed in the form of the SM&CR in March 2016 for banks, building societies, credit unions and the largest designated investment firms.
Led by the PRA and the FCA, the regulation has had, and continues to have, a major impact on these firms in a way foreseen by only a few a number of years ago. I recall my conversations with banks during this time when many firms saw the incoming regulation as a relatively minor additional piece of reporting required by the regulators; how wrong they were.
Unlike most people, the Worksmart team had a rather different take on the incoming regulation. With the overlay of additional corporate governance requirements that SM&CR brings alongside the requirements to manage, maintain and update a Management Responsibilities Map (MRM) and associated Statements of Responsibilities (SORs), the technologists amongst us knew what was coming. The in-house view was that the new regime needed to be supported and underpinned by technology that not only helped firms meet their regulatory responsibilities but also offered genuine business process improvement capability. As a result, we invested heavily in every area of our business, from re-platforming our SM&CR solution and moving to a SaaS model, to growing our regulatory consulting capability. We also worked hard to deepen our relationships with the trade bodies that support the affected sectors of the market place.
In what seems like the blink of an eye, we became the SM&CR supplier of choice for the then British Banking Association (now UK Finance). In turn, this led us to become the ‘leading supplier of SM&CR solutions’ in the UK. And from there it was a very short, but very proud, step to winning a clutch of ACQ5 Global awards in 2018 for our work in the industry.
All very nice you might say, but how does that help me? Using our experience gained over the last four years, this article highlights the top five challenges you can expect to face as you implement and then manage the regime in BAU. With more SM&CR implementations within the affected markets under our belt than we can now even remember, we’re confident that we’ve encountered most of the challenges the new regime presents.
Challenge 1: Sorting out the Senior Manager Regime (SMR) won’t be as easy as you initially think.
The regulation requires firms to identify which Senior Manager Functions (SMFs) and Prescribed Responsibilities apply to their firm. To help, the regulators provide a list of the SMFs for each type of firm under the new regulation, i.e. Enhanced, Core or Limited, and Prescribed Responsibilities for Enhanced and Core firms.
Sounds straightforward and, indeed, for the most part, it is. However, beyond the standard Control Functions such as SMF1 (CEO) and SMF3 (Executive Director) and the Required Functions – SMF16 (Compliance Oversight) and SMF17 (MLRO), Enhanced firms need to decide whether other SMFs apply to them, e.g. SMF18 (Overall Responsibility) and if so, how many individuals are affected. Easy? Maybe, but maybe not. Add into the mix firms that have been regulated for many years, with individuals involved in areas of the business for which they may not be approved (but in a function that requires approval), and things start to get a bit more complicated.
However, the task that was consistently underestimated through the banking implementations involved senior executives scrutinising the detail of their proposed SMFs and responsibilities and reviewing, even renegotiating, their personal Terms & Conditions in return for this (perceived) greater accountability. As a Programme Manager in a major building society said to us: “We’ve only just got sign off on what we proposed to the exec team a year ago”; so be warned!
When agreed internally, firms need to inform the regulator which executives are transitioning to the SMF equivalent of their existing Control Functions (CFs) and seek approval for executives that wish to take up roles that aren’t directly mapped. Additionally, Enhanced firms need to submit a Responsibilities Map that shows how the firm’s governance arrangements fit into place. Where the regulated firm is part of a group and services are shared across the group, then they must explain how this arrangement operates in practice. Add into this a Statement of Responsibility for every individual holding an SMF Function, regardless of whether they grandfather across or have to submit a new application, and it becomes clear that setting up and agreeing on the component parts of the Senior Managers Regime in your firm is not a small task.
The FCA has learnt lessons from the first tranche of firms subject to the new regime and has helped by providing feedback both on Responsibilities Maps and Statements of Responsibility, but even with this type of assistance, nothing ever is straightforward, so expect to plan for the unexpected.
The learning from the banking sector is clear – planning and gaining approval for your proposed Senior Manager Regime arrangements takes time. The challenges across the wider financial service sector may vary a little, but the lesson learned by the banks remains true; namely start early and expect things to take longer than planned.
“As part of the senior managers regime, it was essential that we had a robust system to evidence how we have met the regulatory requirements. Worksmart has been core to ensuring that we have met the requirements of the rules”.
Lisa Nowell, Chief Risk Officer, Masthaven Bank
Challenge 2 – Sorting Out the Certification and Conduct Rules Regimes will also take longer than you plan for.
If the message is about getting started early with your Senior Manager community, then it is equally true for the newly introduced Certification Regime. Many firms in the banking sector simply underestimated the amount of time it would take to define and gain agreement on what roles were caught by Certification. When we asked customers how many members of staff were in their Certification Regime, we often got answers like “anything between 10 and 150” or “we’re still deciding”. Depending on the interpretation of the rules, both responses can be equally valid when an organisation comes to the regime for the first time; however, the discussion on the interpretation of the definition of certified roles will eat into your project timeline. And of course, expect a second delay to then occur when allocating which Certification Functions apply to each role. Whilst the guidance is clearer for the wider financial services market, deciding what roles are caught by Certification and what roles fall into Conduct Rules should not be underestimated.
Once decided, planning the design and delivery of training activities for certification staff will again take time. Not only will there be the need to design, organise and deliver the training both on the new regime and on the impact of the newly introduced conduct rules; in order to assist each role holder in clearly understanding the conduct rules in the context of their role, training must also be as role-specific as possible. Experience over multiple implementations has taught us that training is often an afterthought on the project plan. If this is the case, then your training will probably be delivered late, leaving you exposed to the risk that staff are not fully aware of their responsibilities under the new regulations.
Finally, because the regulator expects competent, not just compliant behaviour from those subject to the Certification Regime, there will also be a debate about what evidence you will need to gather in order to demonstrate competence. If your firm has a fully functioning performance appraisal process, then this may well be a huge step in the right direction. However, if your firm does not have a robust performance appraisal process in place, I suggest the new regulation will be the tipping point to implementing one.
Like SMR, the learning is clear that implementing and embedding Certification and Conduct Rules into a firm will take time, focus and resource to do properly. So be prepared.
Challenge 3 – SM&CR will require a ‘root and branch’ review of some supporting processes.
In the early days of your SM&CR project, the main focus will be on defining communities, assigning functions, etc. However, when the implementation team takes the planning to the next level, questions will almost certainly be asked about the efficacy of the firm’s underlying processes, particularly in the area of HR. These questions come from two areas; the need to have robust processes for recruiting staff into Senior Manager and Certification roles and the need to demonstrate that individuals in those regimes are competent to undertake their role on an ongoing basis. From experience with the banking sector, the processes that are most likely to be challenged are:
- References: The new rules require firms to gain positive work references for the last six years before an individual can be appointed into an SMF or Certification Role. Experience from the banking sector showed the process of requesting, and being able to provide, references was patchy. However, the new rules are clear, satisfactory references for the last six years are mandatory. Therefore, a firm’s processes need to be stringent on seeking and being able to provide regulatory references for all external hires. Expect that effort will need to be put into tightening up your referencing process.
- Job descriptions (JDs): Although the best practice is for job descriptions to be regularly updated, change is such a constant in organisations that JDs are often out of date. Added to that, SM&CR will force attention on accountability, competence etc., and the need to make explicit any new accountabilities taken on as a result of SM&CR. Combined, this means that it is very likely that there will need to be a significant overhaul of JDs across large parts of your firm. Time should be assigned to create and gain agreement to these updated JDs.
- Employment contracts: Our experience in the banking sector was that as soon as JDs were updated, many individuals started discussions, which sometimes led to a negotiation, about employment contracts. Increased pay to reflect the increased accountability was the most common discussion point, particularly for those holding SMF Functions. However, similar discussions were also had in key roles in the Certification Regime.
- Fit & Proper (F&P) checks: Like JDs, the approach to F&P checks varied widely between banks. However, the incoming SM&CR regulation is clear, firms must satisfy themselves that every individual in SMR and Certification is fit and proper to undertake their role each year. Some organisations assumed that F&P checks were all about financial soundness when in practice F&P covers three key areas, Financial Soundness, Competence & Capability and Integrity. This means that any F&P check introduced as part of your Certification Regime must be multi-faceted and not just focused on the financials. Firms in the wider financial services sector need their fit and proper checks to be robust. There is lots of guidance out there in the market place now the regime has been in operation for some time. However, we would advise firms to consider the wider market advice on this topic before they decide on what the fit and proper component of their response to SM&CR might look like.
A small but often overlooked point is that the sensitive data underpinning F&P checks needs to be held securely, with a balance struck between tight control over access and visibility for those needing oversight.
- Competence: As discussed above, because the regulator’s expectations are for competent, not just compliant staff and senior managers, it is up to firms to be able to evidence this. Expect robust discussions about competence and, in the first instance, whether your performance appraisal process is ‘up to the job’. If so, that’s great; if not, however, something needs to be implemented that evidences employee competence on an ongoing basis.
Ensuring robust SM&CR records will ask searching questions of your supporting processes. Anticipate the need to review, and probably, strengthen your processes. If not, the quality of your records, and so decisions, may well be at risk.
Challenge 4 – SM&CR will start to fundamentally change how you operate.
Being compliant with the new rules is not just about providing accurate and up-to-date records; ultimately SM&CR is about a cultural change within financial services. The FCA, our conduct regulator, has been clear on their views and expectations on this. For firms that think they will just implement SM&CR as per the rule book then walk away, they are very much mistaken. It’s no understatement when I say that SM&CR is fundamentally the greatest change in regulation that I’m likely to see in the remainder of my working life.
When talking with senior executives in the banking sector, it’s clear that there is a far greater focus on corporate governance and personal conduct. Whilst many firms are not formally required to adhere to the Corporate Governance Code, SM&CR challenges firms to ask themselves questions such as: Are we effectively governed?; Do our committees and processes deliver the business results we want?; Are our committees effective or are they just ‘talking shops’? This focus on corporate governance is significant and certainly has increased since 2016. Alongside this, there is far more interest in the personal conduct of individuals at all levels in firms by senior executives. One could be cynical and say this new level of interest is the direct result of certain senior managers being personally accountable for the conduct of individuals in the Senior Manager Regime and Certification Regimes. Whilst there may be some truth in that cynical view, the reality remains that personal conduct is, and will remain, under scrutiny like never before.
It is true that culture in a firm is multi-dimensional and often elusive to define and so monitor. However, it is clear the changes brought about by SM&CR in the banking sector go beyond minor upgrades to internal processes and record keeping.
Whilst, in the early days of implementing SM&CR, the focus will inevitably be on defining communities, modifying processes and tightening up record keeping, in the medium to long term SM&CR will force attention to switch to individual conduct and culture change.
Challenge 5 – Keeping SM&CR records will not be as straightforward as you expect.
The final challenge you can expect is that of record keeping. I expect the immediate reaction of your firm, like many banks, is to use existing systems to store your SM&CR records. However, doing this poses significant challenges, even if they don’t surface immediately.
Banks typically initially held SM&CR records in a variety of places, e.g. F&P records in the HR system, records of committee structures and meeting minutes in a governance system, appraisal records in another system, a record of the Management Responsibilities Map (MRM) on Excel etc. However, keeping records in this way created major challenges for central teams with the responsibility for oversight. The regulator expects ‘point in time’ reporting, i.e. for a firm to explain in detail which exec was accountable for what on any given date once the regime has commenced. So, fast forward a year or even a few months, and managing SM&CR via an Excel spreadsheet will unravel as board members leave, new ones join and others switch role (and so SMFs and responsibilities). As one Operations Director put it: “If you ask me what our MRM was in late September or early November I can tell you, but we completely lost track of what happened in October”.
SM&CR requires firms to model, map and record their governance arrangements, and ‘date stamp’ every change. Add to this the requirement to ensure continued compliance with SM&CR by maintaining records and completing tasks to time and to standard, there is no simple way or shortcut to comply. That is why the team at Worksmart decided to re-platform and upgrade the SM&CR offering taking into account the lessons learnt in banking.
Financial services firms need to think hard about their existing systems and whether they are up to the demands of SM&CR before they go live. And if an existing supplier tells you that their HR/E-Learning/Appraisal system can manage the complex and newly introduced SM&CR requirements, that’s great – but exceedingly unlikely. Your response should be “show me – in real time” or even “let me play with the system for half a day to see how intuitive and capable it really is.” If the solution provider is unable or unwilling to do it, then you should take this as a sign that maybe it’s not all it’s cracked up to be.
In the desire to get SM&CR implemented, record keeping is seldom ‘front of mind’ for the project team. However, the message is clear, if the quality of record keeping isn’t anticipated and confronted, major problems will bubble up after ‘go live’, and the longer sub-standard systems are relied on post live, the bigger the problem will become.
Since 2015, the Worksmart team have been involved in multiple SM&CR implementations in the banking and insurance sectors. Whilst not claiming to be the definitive list, these five challenges were by far the most common we experienced. Our hope is that by being aware of these challenges, your implementation project team will ‘land’ SM&CR without hitting the potholes encountered by many in the banking sector.
My job, with the help of all the Worksmart team, is to continue to support firms implement both the letter and the spirit of the regulation as speedily and painlessly as possible. It’s going to be a very busy year!