The Senior Managers and Certification Regime (SM&CR) will be applicable to all UK financial services firms in 2019. The regulatory change means that firms need to review their structural, governance and business practices to ensure they meet the requirements of SM&CR.
It should be stressed that the SM&CR is more than simple form filling. Governance, structures and organisational issues are among those that must be addressed. We were heavily involved in Phase 1 of the Regime, which included banks, building societies and credit unions, providing organisations with advisory, assurance and resource augmentation to help address the significant and complex components of the Regime.
Set on the path now
Although at the moment this timeline appears generous, the major lesson learnt from Phase 1 of the Regime was that “you can never start too early”. The extensive structural, governance and business practices that need to be reviewed, aligned and clarified across the senior management and certified populations require significant time investment. This will ensure the organisation structure is fit for purpose and individuals are aware of the Regime’s requirements and impact. This becomes even more complex when organisations have international operations – the Regime has no geographic borders.
When we engage with organisations, we start by asking simple questions such as ‘what do you do, and who is responsible?’. These questions force organisations to perform a root and branch review of their roles and responsibilities. This is what SM&CR is all about. Individuals will be held personally accountable and therefore need to know their precise responsibilities.
Where firms have international linkages to subsidiaries or group head offices, reporting lines and organisational structures can bring foreign-based individuals within the Regime. Dual reporting lines, both international and local, can cause confusion as to who holds ultimate responsibility.
Know the risks
This added complexity can be particularly contentious when it comes to strategy discussions and international programmes. These issues need to be addressed early in the Regime’s design to ensure that all the captured individuals are aware of their responsibilities and outcomes if some egregious issue arises within their function. These outcomes can include remuneration claw back, unlimited fines and even jail terms.
We have worked with human resources and compliance functions to embed conduct rules and fitness assessments, as well as ensuring an appropriate communications/ training programme is rolled out across an organisation. The Regime requires the supporting infrastructure to include documentation retention capability for all captured individuals, e.g. qualifications, CVs, annual assessments, job descriptions and statements of responsibilities.
Policies and procedures that capture the requirements of the Regime need to be rewritten and communicated across the organisation.
Nobody is out of bounds
SM&CR has an impact across the three lines of defence model in that it captures individuals from all three lines. If an event takes place, a number of individuals may end up being associated with it, even tangentially. Therefore, an effective three lines of defence model should have embedded controls and safeguards that give the SM&CR population an infrastructure on which they can place reliance.
Some firms do have a chief controls officer (COO) and delegated risk and controls teams within the various lines of defence to support their senior managers. Although this does provide an additional layer of control, these firms need to be clear about the roles and responsibilities of not only the COO but also internal audit, operational risk and, where applicable, Sarbanes-Oxley frameworks. Duplicative testing is not necessarily a robust safeguard; value-added testing by each function should be the aim. Ultimately, this should enable senior managers to gain comfort that effective controls are in place within their function.