The low down
Why did no one in the City carry the can for the global financial crisis? How did senior bankers escape formal censure? With banks propped up by billions in public funds, the lack of answers to these questions stacked up. One response was the Senior Managers and Certification Regime, first introduced for banks four years ago and extended to most firms regulated by the Financial Conduct Authority last December. The FCA’s focus on individual accountability predates the regime, but lawyers say the risk of personal liability has focused the minds of senior executives on potential breaches on their watch. Yet just one individual has been sanctioned under the regime so far. Is it simply the case that the deterrent has worked, or do misdeeds and slack controls still abound?
Since the collapse of Lehman Brothers in 2008, regulators around the world have sharpened their focus on corporate culture in financial services by switching attention from firms to individuals. In the UK, the Financial Conduct Authority ramped up efforts to pursue ‘the people who can make a difference, the senior management’ with rules introduced in March 2016. Initially only for banks and other dual-regulated firms, the Senior Managers and Certification Regime (SMCR) was extended to the insurance sector in December 2018, and to the rest of financial services firms the FCA regulates a year later. Controversially, the senior managers regime treats general counsel differently and they are excluded from the requirement to be approved as a senior manager (tinyurl.com/rpgok6o). This recognises that, in the FCA’s words: ‘As so much of the head of legal’s work relates to legal advice, the laws of legal privilege may restrict us, in practice, from using our powers over senior managers and carrying out our usual supervisory processes relating to senior managers’.
‘Implementation of the regime has been a costly and time-consuming exercise,’ says Chris Brennan, London partner in White & Case’s global commercial litigation practice. ‘It does place a large record-keeping burden on firms.’
Jonathan Cary, a partner and specialist in banking and finance disputes at RPC, says: ‘There is no getting away from it, the SMCR has increased the complexity of compliance and the volume of paperwork has enlarged considerably.’
This has been amplified by the way financial firms have reacted to the new regime. ‘We have seen an initial period of “over-correction”, where senior managers have sought to update procedures to allow them to have closer oversight and have been assiduous in their record-keeping of their decision-making,’ Cary observes. ‘This has taken its toll on legal and compliance teams, who have seen a markedly increased workload as a result of the SMCR. It is likely that it will take a little bit of time for the correct balance to be struck.’
WilmerHale counsel David Rundle says: ‘From speaking to institutional clients, particularly the larger firms, the main challenges have been around framing the statement of responsibilities. These are required to be quite short, relative to complexity of the organisations in which the senior managers are operating.’ Furthermore, ‘the FCA is not keen on shared responsibility. That is understandable to some degree, given the regime’s objective, but can be impractical and inappropriate for complex international firms’.
Reflecting the FCA’s ‘top-down’ approach is the certification part of the regime, which applies to a wider range of employees and roles including mortgage and investment advisers. Financial firms now have an obligation to assess and certify employees as ‘fit and proper’. Rundle says: ‘That process, and the conclusions it produces, presents a distinct regulatory risk to firms.’
‘Firms face difficult decisions on fitness and propriety, especially around conduct outside the workplace,’ Brennan says. ‘Historically, any potentially relevant issues would be referred to the FCA for a decision. It now falls on firms to make what are often very fine judgements. The problem for employees is that firms will naturally feel inclined to take the safest option and dismiss the employee where there is any doubt about fitness and propriety.’
The regulatory burden differs depending on the size and type of firm. In its 2017 consultation on extending the rules to the rest of the firms it regulates, the FCA said it wanted to ‘tailor them to reflect the different risks, impact and complexity of firms subject to the extension’. Peter Wright, a Fox Williams litigation partner specialising in financial services regulatory issues, says: ‘Many solo-regulated firms are incredibly small businesses, and actually it is a very simple statement of responsibilities.
‘The ongoing cost is much greater in larger firms where they now have to operate much more complex certification processes on an annual basis.’
The SMCR, which has applied to banks and deposit-takers for nearly four years, ‘has created a lot more demand for advice from our regulatory and employment teams on dealing with incidents or issues that come up with staff,’ Wright explains. He cites potential conduct breaches, disciplinary consequences, and how these may affect ‘regulatory references’.
These were introduced in March 2017 for senior managers and certified persons, and must cover the last six years of employment. This requirement prompted financial firms to review how they recruit staff and share information on former employees with other firms. The regulatory reference regime has been ‘one of the major challenges’, according to Wright. ‘Employers in the regulated sector, especially banks, became highly conscious that if they were aware of any adverse matter they ought to be putting it on references, and the difficulties that may cause for their employees in the future. It has meant that many firms are having to take [external] advice on a variety of situations whereas in the past HR would have dealt with it.’
James Kaufmann, partner and investment funds specialist at Howard Kennedy, says that most of his FCA-regulated clients were brought into scope of the rules in December 2019, with most of those being ‘core’ firms.
A change for the better?
The Senior Managers and Certification Regime (SMCR) is based on recommendations in the 2013 report ‘Changing banking for good’ by the Parliamentary Commission for Banking Standards (PCBS), set up in response to the 2007/08 banking crisis. It is enshrined in the Financial Services and Markets Act 2000 (FSMA), as amended by the Bank of England and Financial Services Act 2016, and the FCA Handbook.
The SMCR replaced the Approved Persons Regime, which the PCBS criticised for being ‘a complex and confused mess’ and for making ‘no attempt to set clear expectations for those holding key roles.’
Initially introduced for banks, followed by insurers, the rules were extended to 47,000 FSMA-authorised firms on 9 December 2019. The FCA said this would be ‘proportionate and flexible enough to accommodate the different business models and governance structures of firms’. To this end, firms have been classified into ‘core’ (most of them), ‘enhanced’ and ‘limited scope’.
The SMCR has three key components. The first is the senior managers regime for those who hold ‘senior management functions’ such as board members or the senior executive level below it. Senior managers must be approved by the FCA or Prudential Regulation Authority and have ‘prescribed responsibilities’ (set out by the FCA) as well as ‘overall responsibilities’, depending on whether they are ‘core’ or ‘enhanced’ firms; these must be set out in a ‘statement of responsibilities.’
Every senior manager has a statutory ‘duty of responsibility’, whereby if a firm breaches one of the FCA requirements the senior manager responsible for that area could be held personally liable for that breach if they failed to take ‘reasonable steps’ to prevent or stop that breach.
Next is the certification regime, which applies to staff who are not senior managers but have a ‘significant harm function’. Upon hiring them, and then on an annual basis, firms must certify that such individuals are ‘fit and proper’ to carry out their functions.
The third plank is the conduct rules, which apply to nearly all employees within FCA-regulated firms.
‘The indirect impact of SMCR on our practice has been more significant than its direct impact,’ Kaufmann says. ‘We’ve seen more work and greater concern over the consequential and knock-on effects of operating in an SMCR environment than on implementation of SMCR itself.’
To ease the transition from the Approved Persons Regime (APER, which the SMCR replaces) the FCA has given firms a 12-month period ending 20 December 2020 to train all other staff, other than the senior managers and certified function holders, on the conduct rules (see box). In this context, ‘the larger challenges have been, and will continue to be, surrounding communication with staff,’ Kaufmann says. It is also ‘vital’ to engage and support all personnel with their additional accountabilities, he says.
It seems clear that the SMCR has led to an increase in advisory work on the application of the regime, particularly around conduct breaches. But what about enforcement?
Rundle, whose practice focuses on financial crime and regulatory enforcement, says: ‘While there has been a general increase in investigative activity, this is not a product of the regime itself, but of a shift in the FCA’s philosophy of when formal investigations should commence and how they should be used.’
Brennan, whose practice centres on contentious regulatory cases for firms and individuals, has seen an increase in the number of individuals referred to his practice, but he observes that ‘a policy decision to pursue enforcement action against individuals was implemented long before the advent of the SMCR.
‘The SMCR has had little impact on the volume and type of work. The fact is that beyond clarifying the scope of responsibility, very little has changed. The legal test for personal culpability remains the same [as under APER]. Did the individual take reasonable steps?’
The SMCR should make it easier for the FCA to spot those who might be guilty of a regulatory breach, but ‘it does not make the process of holding those persons accountable any easier, and rightly so,’ Brennan observes. It has not reversed the burden of proof, which rests on the regulator.
There are almost 400 individuals under investigation by the FCA, according to Brennan. That is across the board: from retail conduct, to financial crime and insider dealing. The number of investigations pursued under the SMCR is much smaller: responding to an FoI request last April, the FCA said that it had opened 19 investigations since the senior managers regime came into force on 7 March 2016; nine of these investigations were still ongoing (as of 28 February 2019).
Only one individual so far, Barclays’ chief executive Jes Staley, has been fined under the SMCR: £642,430 by the FCA and Prudential Regulation Authority in May 2018. In their joint press release, the regulators said that this was the first case brought by them under the senior managers regime, but lawyers the Gazette spoke to say that is not entirely accurate. ‘That really was a whistleblowing case,’ Wright says.
‘Recent history suggests that the FCA is reluctant to take enforcement action against senior managers of large firms, in particular the big investment banks,’ says Cary. ‘The principal driver for the introduction of the SMCR was the paucity of senior scalps following the global financial crisis and the likes of the Libor, FX and PFI scandals.’
‘As far as we are aware, nine investigations are still ongoing,’ Cary adds. ‘In circumstances where the average length of time it takes the FCA to conclude an investigation has steadily increased in recent years, we are likely to see more enforcement outcomes from this and further SMCR-related activity in the coming months.’
The average length of civil and regulatory cases from the start of the investigation to referral to the FCA’s Regulatory Decisions Committee (RDC) was 50.8 months in 2018/19, compared with 33.6 in 2016/17. The RDC operates independently of the FCA and hears challenges to FCA findings against firms and individuals.
Despite this caveat, a practitioner who prefers to remain anonymous says: ‘The FCA is opening far more cases than it did in the past, but actually it is not moving them forward or progressing them at all. [In many instances] it opens the case, nothing really happens and then it closes it…and that’s because it has opened too many and does not have the resources to run all of them.’ It is not unusual for individuals who were placed under investigation not to be notified that their case was closed with no further action.
‘There are a number of factors at play in looking at the enforcement side of SMCR,’ Kaufmann says, ‘not least that the FCA may have its hands full dealing with Brexit and that the political imperative toward the regulator may no longer be to punish the financial services industry, but rather to seek to help it thrive in a post-Brexit economy.
‘As such, it is difficult to predict how aggressively and actively enforced SMCR will be.’
The FCA has said that enforcement is not the main purpose of the regime. In a speech in April 2016, shortly after the launch of the SMCR, Mark Steward, director of enforcement and market oversight at the FCA, said that ‘the real measure of success is not how effective we are at landing the elephant deal cases, but how quickly we are able to detect problems and nip them in the bud. That does not mean investigation and enforcement is not necessary. If anything, our investigation powers are the things that are designed to enable us to get to the heart of things quickly. What I do mean is if we are really good at what we do, then enforcement cases should get smaller rather than bigger.’
If enforcement is not an end in itself, is the new regime achieving its aim to ‘reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence’?
Rundle says: ‘It has had a material effect on personal accountability. The regime has forced people to think about how they are monitoring the areas of the business for which they are responsible, which in turn has probably resulted in greater governance.
‘If the regime itself has brought about better governance and greater oversight, enforcement actions against senior managers would not be a good metric in measuring its impact.’
‘There is no doubt that conduct has improved dramatically as a result,’ Brennan says. ‘Regulatory risk now sits at the top of everybody’s agenda. Every executive I meet in my work has a far greater understanding of regulatory expectations than would have been the case 10 years ago.’
Yet this improvement in culture and governance pre-dates the SMCR. ‘What really changed conduct and culture was the aftermath of the financial crisis,’ Brennan says.
‘There is evidence of firms moving away from basic rules-based compliance to adopting a more open and behaviour-driven approach,’ Cary says. ‘The fact is that nothing focuses the mind like the risk of personal liability.’ If found guilty of breaching their duty, senior managers can be fined, banned from the industry or face criminal charges.
‘We are seeing clients being more sensitive about needing to abide by the spirit of the rules rather than just the letter of the law,’ Kaufmann says. ‘The advent of SMCR has put culture, responsibility and accountability at the forefront of clients’ minds.’
For Jake Green, financial regulatory partner at Ashurst, the SMCR has led to ‘meaningful and positive changes towards culture and conduct’.
He points to a recent study by Ashurst and UK Finance involving more than 25 banking institutions. Among the survey’s findings, 93% of all respondents and 88% of senior managers saw the introduction of the SMCR as a positive development that had led to improvements in behaviours and processes within the firms: 79% of senior managers considered that SMCR had changed culture at their firm for the better, and made their responsibilities clearer; 65% of respondents in governance functions felt the industry had become more risk-averse as a result of SMCR.
Green highlights the intended consequences of the regulatory references: ‘What the FCA promised years ago is that certain individuals would essentially be blacklisted from the financial services industry. The regulator would argue… that the main purpose of the regime is that substandard individuals are essentially blocked from the industry.
‘People are being offered fewer jobs now than they would have been previously where their behaviour is to be questioned, and certainly people have left the space of their own accord.’ He argues that is a ‘far more positive outcome’ than enforcement per se.
Marialuisa Taddia is a freelance journalist