SM&CR -- Don't Overlook Operational Risks!

SM&CR: Don’t Overlook the Operational Impacts!

By Dan Ridler, Managing Director at BCS Consulting

As we head into the last quarter of 2020, most solo-regulated firms are working through their final implementation activities required under the Senior Managers and Certification Regime (SM&CR). Whilst the FCA has extended the deadline for issuing Fitness and Propriety (F&P) certificates and training all staff on the expectations and obligations of the Conduct Rules to 31st March 2021, a large proportion of firms will still be planning to complete these activities in line with internal annual performance cycles before year-end, which is the approach recommended by the FCA. After almost a year since the initial phase of SM&CR went live, this first annual cycle and the final implementation activities will be the first real test of how robust and compliant firms’ SM&CR operating models actually are.

Whilst all solo-regulated firms will have identified their Senior Managers and have continued to actively manage changes to this population throughout 2020, some firms are having to revisit their Certification population who they initially trained on SM&CR prior to regime go-live in December 2019. With the unprecedented remote working arrangements firms have found themselves in during 2020, there are likely to have been significant changes in people, roles, and responsibilities across businesses which will have impacted Certification and Conduct Rule populations. Firms who have not been able to keep on top of these population changes in a controlled and coordinated manner will find these final implementation activities far more complex and time-consuming than initially anticipated.

Based on our extensive experience of supporting firms with SM&CR across all sectors, we have observed a clear correlation between those that were best prepared for all aspects of SM&CR and the time and effort they allocated to designing and mobilising an effective BAU operating model to support the completion of the final implementation activities. This enabled them to manage unforeseen changes to in-scope populations, allowed time for processes and tools to be refined and embedded, and gave BAU teams time to develop hands-on experience of their new responsibilities, thereby increasing the likelihood of ongoing compliance with the rules. Unfortunately, this is something that many firms have overlooked.

Managing Operating Model Challenges and Complexities

There are a number of common operating model challenges and complexities that firms are still struggling to effectively manage, which require a careful and diligent implementation. Each one introduces significant process change and additional responsibilities for existing teams, many of which will fall on HR functions. These include:

  • Identification and ongoing monitoring of people and structural changes, preventing them from happening unless the correct SM&CR processes have been followed. Where a Senior Manager change occurs, firms must ensure that they reallocate the outgoing Senior Manager’s accountabilities to the most appropriate individual. Whilst these top-level changes can be infrequent and are usually carefully planned, they often result in knock-on impacts to the Certification population below, which can be a sizeable challenge for firms to identify and control. Furthermore, given the greater population within the Certification Regime, it is usually subject to more frequent and significant change. New processes and controls must be designed and implemented wherever a change could bring an individual into scope, which could be as unnoticeable as meeting a qualifying ‘Material Risk Taker’ criterion, or a management line change at a lower operational level in the organisation.
  • Firms must annually assess the Fitness & Propriety (F&P) of their Senior Managers and Certification staff, which most banks have aligned to their annual appraisal process since the banking go-live in 2016. Although the FCA have extended this date to 31st March 2021 for Certification staff in solo-regulated firms, most are still planning to complete this by the end of 2020 to also align with their annual appraisal cycles and the Senior Manager F&P deadline. New processes and controls must be in place to prevent these individuals continuing in their role until all required vetting results, competence, Regulatory References, and Conduct Rule breaches have been assessed. Firms must prepare themselves for any adverse findings where these more stringent checks could require previously undisclosed disciplinary or regulatory proceedings to be taken into account.
  • Firms are required to both obtain and provide Regulatory References for all Senior Managers and Certification staff, ensuring they contain the necessary information over a 6-year period, and that they are received and provided at the right time. However, in practice this has been operationally challenging to implement for solo-regulated firms due to the different standards that apply to different populations under the regime. As Senior Managers and Certification staff have been subject to the Conduct Rules since December 2019, breaches should be disclosed on references for individuals within these populations. However, if individuals have not yet been issued with an F&P Certificate, should firms be disclosing issues on Regulatory References prior to this process taking place? At what point did SM&CR apply to an individual who has moved between sectors that went live at different dates? Also, what should firms disclose on a Regulatory Reference if an individual departs the firm whilst under investigation for a potential Conduct Rule breach? These key questions have proved challenging for firms and often required external guidance or counsel prior to responding formally to Regulatory Reference requests.
  • Conduct Rules have proven to be one of the most contentious areas of the regime, which is understandable given that they can give rise to personal implications and sanctions. Organisations must spend adequate time developing and delivering suitable training for impacted individuals and updating the supporting policies and processes. This includes disciplinary investigations, Regulatory References, regulator notifications, and remuneration decisions. In addition to process change and operational control points, new committees may need to be established to bring together specialist knowledge, ensure consistency when determining whether a Conduct Rule breach has occurred, and to provide formal evidence of the decision-making process.
  • Whilst HR have always been the central location of personnel files and documentation, the function is now becoming perceived as the golden source for SM&CR regulatory artefacts and it plays a vital role in ensuring ongoing compliance with the rules. This includes capturing clear audit trails of decision-making in relation to Senior Manager allocations and responsibility changes, and ensuring ongoing alignment between a wide range of related documentation, including employment contracts, employee handbooks, new SM&CR offer letters, interview notes, F&P attestations, and Conduct Rule breach investigation findings. This is in addition to the more clearly prescribed regulatory artefacts such as Statements of Responsibilities, Management Responsibilities Maps, and Handover Certificates. For each artefact, records must be kept in adherence with the rules, whilst also maintaining compliance with other record-keeping legislation and internal policies, which has created a substantial administrative burden on HR teams.

These are just some of the operational complexities and consequences of the regime that must be considered, and so it is vital that firms preparing for final SM&CR implementation activities do not get overly distracted by focusing too narrowly on the Senior Manager population and the management of their accountabilities.

Solo-regulated firms should review the maturity of their operating models and refine these prior to completing the final SM&CR implementation activities so that they are correctly set up to maintain ongoing compliance and operational efficiency. This must include being prepared for significant periods of change in their business models and ways of working as a result of COVID-19 and other external industry factors, including unexpected senior resignations and mergers and acquisitions. Preparing for these periods of heightened activity will enable firms to remain compliant and ultimately help to protect the Senior Managers who are accountable for SM&CR and the impacted areas of the business. Those firms who do not acknowledge the importance of this are likely to experience operational and compliance issues for a long time to come.

The volume of operating model change, including processes, systems, controls, and management information, must not be underestimated. Instead, it must be prioritised and urgently progressed, learning lessons from the banks that have already implemented the required changes wherever possible. Allocating Senior Manager roles and accountabilities is just the tip of the SM&CR iceberg.

BCS Consulting has extensive experience of supporting firms with all aspects of SM&CR and has carefully developed standardised tools and templates, post implementation review methodologies, training, and eLearning. To find out more, please contact Daniel.ridler@bcsconsulting.com
