Senior Managers and Certification Regime (SMCR): Don’t overlook the operational impacts!
The start of 2019 signals an important year for the financial services industry, with the Senior Managers and Certification Regime (SMCR) already implemented for deposit-taking banks and insurers, it is now the turn of the rest of the industry to prepare for SMCR. However, with a go-live date of December 9th 2019, almost three years after the initial implementation for deposit-taking banks, solo-regulated firm are in the fortunate position of being able to leverage key learnings from firms who have already implemented SMCR compliant solutions. This will enable them to be better prepared for implementation and more likely to achieve a compliant solution in a more time and cost-efficient manner.
For those new to the regime, SMCR consists of three parts: Senior Managers Regime, Certification Regime and Conduct Rules. The Senior Managers Regime aims to hold top level executives and Non-Executive Directors individually accountable for their part of the business, for which they must be assessed as fit and proper and receive regulatory approval. The Certification Regime requires firms to identify all individuals performing ‘significant harm functions’ and certify them as fit and proper to perform their role on an annual basis. Lastly, the Conduct Rules require a wide range of staff to perform their role and responsibilities in line with a new set of conduct standards. Breaching any one of the regimes can lead to punitive penalties for both firms and individuals.
Whilst many firms impacted by the regime extension will have already started to determine who their Senior Managers will be and what they will each be accountable for, this is just one challenge firms are faced with. Based on significant experience at numerous banks, I have observed a clear correlation between those that were best prepared and the time and effort they allocated to design and mobilise a BAU operating model to support the regime ahead of time. This enabled them to manage unforeseen changes to in-scope populations, allowed time for processes and tools to be refined, and gave those responsible time to develop hands-on experience of their new responsibilities, thereby increasing the likelihood of ongoing compliance with the rules. Unfortunately, this is something that can be easily overlooked.
Based on lessons learnt from deposit-taking banks, there are a number of key operating model focus areas and associated complexities that need to be considered. Each one introduces significant process change and additional responsibilities, many of which will fall on HR functions:
- Identification and ongoing monitoring of people and structural changes, preventing them from happening unless the correct SMCR processes have been followed. Where a Senior Manager change occurs, firms must ensure that they reallocate the outgoing Senior Manager’s accountabilities to the most appropriate They must also ensure complete accuracy of and alignment between multiple mandatory regulatory artefacts, including Statements of Responsibility, Management Responsibilities Maps and Handover Certificates. Whilst these top-level changes can be infrequent and are usually carefully planned, they often result in knock-on impacts to the Certification population below, which can be a sizeable challenge for firms to identify and control. Furthermore, given the greater population within the Certification Regime, it is usually subject to more frequent and significant change. New processes and controls must be designed and implemented wherever a change could bring an individual into scope, which could be as unnoticeable as meeting a qualifying ‘Material Risk Taker’ criteria, or a management line change at a lower operational level in the organisation.
- Firms must annually assess the Fitness & Propriety (F&P) of their Senior Managers and Certification staff, which most banks aligned to their annual appraisal process. New processes and controls must be in place to prevent these individuals continuing in their role until all required vetting results, competence, Regulatory References and Conduct Rule breaches have been assessed. Firms must prepare themselves for any adverse findings, particularly ahead of the regime commencement where these more stringent checks could require previously undisclosed disciplinary or regulatory proceedings to be taken into account.
- Firms are required to both obtain and provide Regulatory References for all Senior Managers and Certified individuals, ensuring they contain the necessary information over a 6-year period, and that they are received and provided at the right time. However, in practice this has been operationally challenging due to complexities such as moves between jurisdictions, the obligation to update previously provided references once the outcome of undisclosed investigations is known, and differing timelines or levels of urgency between firms. Unintentionally, this has often resulted in delays to key individuals starting new roles and taking on formal ownership of their Senior Manager accountabilities, which must then be temporarily allocated elsewhere.
- Conduct Rules have proven to be one of the most contentious areas of the regime, which is understandable given that they can give rise to personal implications and sanctions. Organisations must spend adequate time developing and delivering suitable training for impacted individuals, and updating the supporting processes and artefacts. This includes disciplinary investigations, Regulatory References, regulator notifications and remuneration decisions. In addition to process change and operational control points, new committees may need to be established to bring together specialist knowledge, ensure consistency when determining whether a Conduct Rule breach has occurred, and to provide formal evidence of the decision-making process.
- Whilst HR have always been the central location of personnel files and documentation the function is now becoming perceived as the golden source for SMCR regulatory artefacts and it plays a vital role in ensuring ongoing compliance with the rules. This includes capturing clear audit trails of decision making in relation to the upfront Senior Manager allocations, and ensuring ongoing alignment between a wide range of related documentation, including employment contracts, employee handbooks, new SMCR offer letters, interview notes, F&P attestations and Conduct Rule breach investigation findings. This is in addition to the more clearly prescribed regulatory artefacts such as Statements of Responsibilities, Management Responsibilities Maps and Handover Certificates. For each artefact, records must be kept to ensure adherence with the rules, whilst maintaining compliance with other record-keeping legislation and internal policies, which can create substantial administrative burden on HR teams.
These are just some of the operational complexities and consequences of the regime that must be considered, and so it is vital that firms impacted by the extension of the SMCR do not get overly distracted by debating the allocation of Senior Managers and their accountabilities.
Instead, they must allocate sufficient time and resources to ensure the operating model changes required to support the regime in BAU are clearly defined and embedded. An acceleration of the implementation ahead of official regulatory go-live will allow more time for training individuals and testing the changes. This is much more likely to result in the firm achieving the right design for their organisation and full compliance with the rules.
The volume of operating model change (including processes, systems, controls and management information) must not be underestimated. Instead, it must be prioritised and urgently progressed, learning lessons from the banks that have already implemented the required changes wherever possible. Allocating Senior Manager roles and accountabilities is just the tip of the SMCR iceberg.