How to Avoid a Scandal: Embedding SMCR Conduct Rules

Anuprita Jagtap

8th December, 2020

In response to the financial crisis in 2008, and recent financial scandals including PPI mis-selling and LIBOR rigging, the UK regulators introduced the Senior Managers and Certification Regime (SMCR) to “reduce harm to consumers and strengthen market integrity by setting a new standard of conduct for everyone working in financial services”[1]. SMCR consequently went live for the banking sector in 2016, for insurers in 2018, solo-regulated firms in 2019 and, lately, benchmark administrators in 2020.

A key component of SMCR are two tiers of Conduct Rules, which apply to almost all employees and directors of firms included within the regime: the Individual Conduct Rules, targeted at all employees and Non-Executive Directors (NEDs), and the Senior Manager Conduct Rules, which broadly apply to designated Senior Managers and NEDs. These rules collectively seek to improve organisational culture by increasing personal accountability across the Financial Services sector.

Individual Conduct Rules

Rule 1: You must act with integrity.

Rule 2: You must act with due skill, care and diligence.

Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators.

Rule 4: You must pay due regard to the interests of customers and treat them fairly.

Rule 5: You must observe proper standards of market conduct.

Senior Manager Conduct Rules

SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.

SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with relevant requirements and standards of the regulatory system.

SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.

SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

As Will Hartshorn’s recent blog on Purposeful Cultures explains, understanding the needs of customers, employees and communities should play a fundamental role in shaping and defining an organisation’s culture and controls if it is to maintain good conduct. This principle is closely linked to the core objectives of SMCR – to avoid harm to customers and to protect market integrity. Therefore, by embedding the Conduct Rules, firms can keep on track with meeting their purpose.

This argument is reinforced by the FCA’s Stocktake Report, published in 2019, which observed that those banking sector firms that had adopted SMCR found that it had enabled them to improve their controls, which they predicted, in turn, would lead to positive changes to their organisational cultures.

The Report, however, also underscored the implementation of Conduct Rules as an area of significant weakness: “Many firms were often unable to explain what a conduct breach looked like in the context of their business”. So, whilst banks have been operating under SMCR for over 4 years, significant improvements are still required – particularly to the embedding of the Conduct Rules. As solo-regulated firms complete the final implementation activities, they must learn from the experiences of the banking sector and avoid falling into the trap of thinking that SMCR is “done”. The cultural impact of successfully embedding the Conduct Rules should not be underestimated.

How can firms effectively embed Conduct Rules across their organisation?

The concept of the Conduct Rules is not new. However, SMCR introduces more prescriptive obligations on firms to train their employees, as well as their NEDs, on the applicable rules and ensure that there are controls in place to proactively monitor for any breaches.

The broad spectrum of a firm’s population to which the rules apply (entry level employees to Senior Managers and Directors), and the principled nature of the Conduct Rules, require firms to carefully design how they will be incorporated into the organisational culture in order to drive the right behaviours and standards. Prior to adopting SMCR, some firms undertook a culture change activity to align their values to the Conduct Rules. Whilst this is a step in the right direction, firms need to go further by linking their purpose to their culture and values, before linking these, in turn, to the Conduct Rules. Without this crucial link, firms will be constantly conflicted between the need to fulfil their purpose and the requirement for regulatory compliance.

Once these are aligned, firms can focus on developing controls to help embed their purpose-driven culture. In the context of the Conduct Rules, there are five key factors that firms must consider when developing such controls:

A clear and consistent understanding of the Conduct Rules amongst staff at various levels and across different departments requires a tailored training programme. Firms must carefully consider each SMCR population type in order to determine the right training approach for each one. For example, while instructor-led sessions can be useful for smaller groups, they require more planning and management, and there is a risk that certain individuals are not able to attend, thereby exposing the firm to regulatory risks. On the other hand, it is difficult to roll out instructor-led training for new joiners. As a result, eLearning is often the most suitable solution for firms, although efforts must be made to tailor training to an individual’s role; the best training will include nuanced scenarios or case studies which cover realistic situations that the individuals may face in their role.
A robust framework to monitor for potential Conduct Rule breaches. A tailored Conduct Rules training programme is not enough to ensure that the right behaviours and standards are maintained; it must be complemented by a robust framework to monitor for potential Conduct Rules breaches. The ability to demonstrate proactive monitoring for breaches requires firms to consider the broadest definition of “conduct”, going well beyond personal and financial misconduct. Firms must review existing controls across their organisation, such as operational incidents logs, policy breach records, whistleblowing cases, customer complaints, etc. in order to assess how these can be leveraged to monitor for potential Conduct Rule breaches.
A consistent framework for managing potential breaches, including processes to quickly determine whether a rule has been breached. Determining whether a Conduct Rule has been breached is best done centrally and incorporating inputs from relevant experts, to bring consistency to the process and avoid unfair assessments based on different interpretations of the rules. As a breach stays on an individual’s record for six years, an incorrect assessment could have a long-lasting impact on their career, sofirms must be able to demonstrate a robust decision-making process with appropriate governance.
How disciplinary actions are determined for a Conduct Rule breach. To achieve efficiency and align with employment law requirements, existing HR processes and frameworks for disciplinary and consequence management should be leveraged. It is critical that any disciplinary actions are consistently applied and are proportionate. Firms must also have processes in place to notify the regulator of breaches in line with reporting timelines.
The accountable Senior Manager must oversee Conduct Rule training.Whilst the day-to-day running and management of the Conduct Rule training programme can be delegated to HR or Compliance departments, the accountable Senior Manager must understand the training approach and have sufficient visibility of training completion and effectiveness. This can be achieved through periodic reporting and effectiveness reviews.

These are some of the key considerations that firms must address as they roll out SMCR Conduct Rules across their organisation. For solo-regulated firms and benchmark administrators, of course, the complexities of implementing the rules are amplified, as firms deal with the psychological and financial pressures of the COVID-19 pandemic and the environment it has created in which individuals are perhaps more susceptible to cutting corners and breaching rules. Those firms that acknowledge this, and embrace the opportunity to integrate the Conduct Rules into their purpose and culture, will stand to gain as they navigate through this period of uncertainty.

Please follow BCS Consulting on LinkedIn if you would like to read further blogs in this series.

[1] https://www.fca.org.uk/firms/senior-managers-certification-regime/solo-regulated-firms

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_89840630_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.