By Jane Walshe, CEO of Enforcd
Last summer, the Financial Conduct Authority (FCA) published its long-awaited consultation on the extension of the Senior Managers & Certification Regime (SM&CR) to all FCA-regulated firms. The Consultation closed on 3 November 2017 and a Policy Statement is due this summer, with implementation for asset managers now expected mid-to-late 2019.
According to the FCA, “There are many types of firms that will now be under the SM&CR. This ranges from global firms such as large asset managers, to firms with only one person where financial services are ancillary to their core activities.”
Asset managers have been anticipating this development since proposals for the extension of SM&CR to all FSMA-authorised persons were announced by HM Treasury in October 2015. The regulatory structure could not sensibly operate with two distinct systems governing individual behaviour, so the extension of the regime is to be welcomed for the consistency it will create.
The Consultation provides important detail on how the regime will operate for different types of firm, with the intention that it will apply in a proportionate manner, relative to a firm’s size. A common element, however, is the requirement that all senior managers have a Statement of Responsibilities.
Larger (designated “enhanced”) firms will need to draw up Responsibilities Maps, create handover procedures, and make sure there is a senior manager responsible for every area of their firm. In principle, a senior manager’s Statement of Responsibility will make it easier for regulators to establish the link between the individual, the activities under their control and any breach of law or regulation.
Senior managers must also take reasonable steps to ensure that the business areas that they are responsible for are controlled effectively, comply with relevant laws and regulations and identify information that would be of interest to the FCA or Prudential Regulation Authority (PRA), and disclose it.
The new duties on senior managers under the regime are anticipated to lead to a greater number of enforcement actions against individuals. Speaking at the Legal Week Banking Litigation and Regulation Forum in June 2017, Jamie Symington, then the FCA’s director of Investigations, said:
“Generally where there are grounds for investigating a matter, there will be a need to investigate the role of senior management in the conduct issues that arise”.
The regime is likely to make it easier for the regulator to take enforcement action against senior managers
A driver behind the creation of the Statement of Responsibility is the need for regulators to more easily identify where decisions have been taken, when the consequences of such decisions turn out to be detrimental to a firm, the markets in which it operates or its customers.
The idea is that senior managers will not be able to hide behind the joint decision-making of a board and will be held personally accountable if things go wrong on their watch, and they can be proved (on the balance of probabilities) to have failed to take reasonable steps to prevent the errors.
It remains to be seen whether the regime will, in fact, lead to more actions against individuals within firms. Nonetheless, senior managers who are going to be caught by the regime when it comes into force are worried.
Enforcement against individuals in 2017 primarily concerns integrity failings
A review of cases taken against individuals last year (excluding threshold conditions cases) shows that the existing Senior Managers Regime (SMR) for banks, building societies, credit unions and PRA-designated investment firms has yet to be used in a concluded case, which is to be expected given the regime has only been in operation since March 2016. Given the time it takes for cases to be investigated and concluded, it will be during 2018 at the earliest before cases under the SMR for those in banks start to come through.
Individuals named and fined by the FCA in 2017
John and Colette Chiesa, the founding partners of Westwood Independent Financial Planners, were fined and banned from working in financial services. The couple sold geared traded endowment policies and went bankrupt to avoid paying GBP5 million redress for some 50 mis-selling complaints. They then lied to the bankruptcy trustee about their assets. While paying his creditors GBP200 per month, Mr Chiesa spent GBP12,000 a month on flying lessons, tennis tickets, football tickets and club membership.
Lukhvir Thind, an accountant, was fined and banned for mis-stating his employer’s cash position, leading to market abuse and a client money shortfall of GBP15.9 million at Worldspreads. Niall O’Kelly was also banned and fined in the same case. Their actions ultimately led to the collapse of Worldspreads in 2012.
Achilles Macris was Head of CIO International for J.P. Morgan Chase Bank, N.A., in London, where he was responsible for the synthetic credit portfolio, at the time of the “London Whale” trades. He was fined GBP792,900 for misleading the FCA about the events.
The above cases all concern fairly dramatic instances of misconduct. In such cases, it is in many ways more straightforward for the regulator to bring a successful action (although Macris fought long and hard in his case). Under the SM&CR, the senior manager responsible for Macris would have been investigated for any oversight failures on their part. Aside from this, the SM&CR probably would not have made much difference to the outcomes above. The cases show that the FCA continues to be kept busy enforcing against those who engage in extremely poor conduct.
Unfortunately, such outliers will always exist. Senior managers who are working in reputable firms and surrounded by fellow professionals may not feel unduly concerned if these cases indicate the sorts of things the regulator is interested in. These managers may feel secure in the knowledge that they would never do something so obviously wrong as lying extensively about numbers to auditors or deliberately misleading the regulator.
The WhatsApp case
The 2017 case of Christopher Niehaus, a managing director at Jefferies, may have had different outcomes had the SM&CR been in force at the time it occurred, and it is instructive to consider it.
Mr Niehaus received a financial penalty of GBP37,198 for breaching Statement of Principle 2 (failure to act with due skill, care and diligence) for sharing confidential client information with a personal acquaintance and client of the firm via WhatsApp.
The FCA found that on a number of occasions between January and May 2016, Mr Niehaus shared client-confidential information that he had received during the course of his employment with a personal acquaintance and a client of the firm who was also a friend. Some of the confidential information disclosed related to a client who was a competitor of this client.
The information was disclosed using WhatsApp, not for the purpose of it being used by the recipients, but because he wanted to impress them. The FCA found that Mr Niehaus breached Statement of Principle 2, and demonstrated a lack of care in disclosing information, without the permission of his clients, in circumstances when there were no reasonable grounds for doing so. None of the recipients of the information needed this information and disclosure served no purpose.
The FCA said Mr Niehaus’s conduct was aggravated by the fact that some of the information disclosed related to a competitor of the client to whom it was disclosed. Mr Niehaus’s disclosure of client-confidential information to a competitor could have conferred an undue advantage to the client and demonstrates a failure to pay due regard to the interests of his client.
Had the matter happened under the new regime, the FCA may well have sought to investigate more senior managers around Mr Niehaus. They may have raised questions about the training he did or did not receive and the extent to which he had been informed of his regulatory obligations, generally. More specifically, the FCA may have probed what he had been told about handling client information, and may have been able to bring a case against the senior manager responsible for training and competence of staff.
Mr Niehaus does not seem to have been alive to the potential conflicts of interest that may have arisen from his behaviour, which may have been a cultural issue, perhaps enabling the FCA to point the finger at the senior manager with the culture-prescribed responsibility.
Another set of questions the FCA may have been able to ask, if the SM&CR had applied, would be about the firm’s policies on the use of technology such as WhatsApp to communicate and the firm’s monitoring of these communications.
Had the SM&CR applied at the time of Mr Niehaus’s misconduct, the FCA may have been able to mount actions against other senior managers. What this shows is that a senior manager can find themselves on the hook for a staff member doing something ill-advised, even though the senior manager may not have had any direct control (and may not have felt any direct responsibility) for the individual. The senior manager will be liable if the FCA can show he or she failed to take “reasonable steps” to prevent the contravention.
What are the wider benefits of the SM&CR?
The FCA already names and bans individuals, but generally only in those cases where the link between egregious behaviour and culpability is clearest (in cases where, for example, the accountant falsifies accounts, where the independent financial adviser defrauds customers and where there is market abuse).
After the financial crisis, the public and its elected representatives were disappointed by a perceived failure of action against leaders of financial institutions. Statements of Responsibility are a partial answer.
The difficulty is that organisations of any complexity rely on committees and/or working groups of subject matter experts drawn from across the organisation to deal with wide-ranging regulatory change (and take strategic decisions).
Arguably the FCA’s role is not to punish, but to educate and correct. Not all cases that could result in successful enforcement action are pursued, especially if there has been a flurry of similar cases within a particular sector. This policy works in the case of firms, but it is bound to be perceived as unfair when applied to individuals.
There is a problem with organisations that are “too big to fail”. They are too big to manage without significant amounts of delegation. The Senior Managers Regime, both as it is in force now and once it is extended, may be viewed by some as an extended charter for ever greater numbers of internal auditors, providing assurances that enable senior managers to discharge their conduct obligations and ever greater numbers of project managers to remediate issues.
This might draw resources away from the things that matter: up-to-date IT systems generating better management information and effective automated controls, for instance. This is not the regulator’s intention, but in an environment where margins are under increasing pressure and resources are limited, senior managers making decisions on allocation may be inclined to devote funds to areas that mitigate their personal regulatory risk.
For smaller organisations, challenges will be in successfully implementing what is a fairly complex set of proposed rules. Most buy-side firms will fall under the “core” regime, but many who may regard themselves as low-risk may be captured by the “enhanced” regime, meaning compliance with a greater number of requirements. The need to administer the Certification Regime may also be a headache for firms.
Practical steps firms can take to prepare
In the Consultation Paper, the FCA published three boxes outlining what firms will need to do under each strand of the regime (see details overleaf). These provide clarity and serve as helpful ready reckoners on key obligations not just for senior managers and firm employees, but also for all other staff (bar “ancillary staff”, e.g. catering, premises) bound by the Conduct Rules.
What firms need to do under the senior managers regime
If a person performs a senior management function, the firm will need to. . .
• Satisfy itself that the candidate is suitable, or “fit and proper”, to carry out a senior management function.
• Apply for that person to be approved by the FCA, before the person takes up their role.
• And send the FCA a statement of responsibilities as part of the application.
After a senior manager has been approved, the firm will need to. . .
• Update and resubmit the statement of responsibilities to the FCA whenever there is a significant change to a senior manager’s responsibilities.
• Assess, at least once a year, that all its senior managers are fit and proper to carry out their jobs.
• And, unless it is a limited scope firm where prescribed responsibilities do not apply, make sure it has appropriately allocated all the prescribed responsibilities to its senior managers.
What senior managers need to do. . .
• Anyone who is a senior manager will have a “duty of responsibility”. Senior managers should understand what this means in the context of their jobs.
• Senior managers must ensure that their statements of responsibilities are accurate and up to date.
• And there are also Conduct Rules that will apply to senior managers.
What firms need to do under the certification regime
The Certification Regime will make firms more responsible for assessing that their staff are fit and proper to carry out certification functions. FCA approval is not required for anyone who performs a certification function.
Firms will need to. . .
• Identify employees who perform a certification function.
• Assess whether those employees are fit and proper to perform their roles. Firms need to do this assessment at the point of recruitment (or before a person performs a certification function) and on an ongoing annual basis.
• And issue certificates to employees if they are satisfied that such employees are fit and proper to perform those certification functions.
The certificate needs to. . .
• State that the firm is satisfied that the person is a fit and proper person to perform the function the certificate relates to.
• Set out in what aspect of the firm’s affairs the person will be involved as part of performing their function.
If the firm completes a fit and proper assessment but decides not to issue a certificate to someone, it must give the person a notice in writing setting out:
• What steps (if any) the firm proposes to take in relation to the person as a result of the decision.
• And the reasons for proposing these steps.
Conduct rules: two obligations on firms for other staff
For all other staff bar ancillary staff, firms are also obliged to:
• Train staff.
• And notify the FCA when there has been disciplinary action taken because of a breach of the Conduct Rules.
A firm must also allocate the prescribed responsibility for the firm’s obligations for Conduct Rules in notifications and training.
What individuals need to do
Where the Conduct Rules apply, people need to be aware of and comply with the rules as part of their jobs.
In “Where Next for Investment and Asset Management Regulation?”, a speech made in late September, Megan Butler, the FCA’s executive director of Supervision – Investment, Wholesale and Specialists, said, “We see personal accountability as fundamental to the future of financial services.”
All those who will become senior managers under the new regime need to ensure that they are adequately supported by able staff and that their firms start to consider the regime’s likely impact.
Ultimately, it’s about improving culture and conduct across the industry and, handled well, it may be a force for good governance and organisational efficiency and clarity.
Megan Butler also reassured the industry in her speech about the fact that the FCA will listen to concerns and feedback, saying, “We want the new regime to be proportionate. We also want it to reflect the fact that each of you is different… We are primarily interested in outcomes in this area and we operate in the real world.”
The real world is also a place in which mistakes are made and accidents happen, as well as a place where misconduct is the result of deliberately transgressive behaviour. Senior managers under the regime are far more likely to be held to account in more circumstances than they are now, but until some cases start to be heard under the regime and it is put to the test, it is difficult to predict how worried senior managers ought to be. What is certain is that personal regulatory risk can be mitigated by careful and timely preparation.
This article was first published in Citi’s Global Trustee and Fiduciary Services News and Views: Issue 49