The FCA still haven’t confirmed timelines for SMCR/Accountability 2 for all Financial Services Sector firms (we now know insurers will be at the end of the year) and whilst that remains the case it seems that many firms – that will come in scope – are deferring plans and decisions in terms of their response to it.
As we know the actual dates for Accountability 2 will depend on the Treasury finding space to push the required legislation through and – as we also know – the legislative timetable and indeed HM Treasury are rather busy right now – with all things Brexit! Add to this the focus of many firms on MiFID II and GDPR (and in the Insurance sector IDD) and it is understandable that there may be slippage in focus on SMCR/Accountability 2. However, the requirements of all these significant slabs of regulation/legislation share many common requirements and – in particular – T&C implications and obligations. Given the more urgent deliveries around the first two it is worth exploring what these are.
If your firm is captured under MiFID II you must ensure that you have implemented the requirements under Knowledge and Competence and that these were effective from 3 January 2018. There will be some tolerance for ‘works in progress’ – but it would be dangerous to rely too much on that.
The FCA have confirmed that they don’t plan to expand existing TC guidelines around appropriate qualifications. However – under MiFID II the range of roles impacted by Knowledge and Competence requirements has expanded to include both offering advice and providing information.
Broadly speaking, the requirements to ensure that staff are both qualified and competent are now more detailed. Firms are required to define and measure Competencies and KPIs across a wider role base and should maintain robust evidence of this.
Together with the requirements on firms to certify their own staff under the Senior Managers and Certification regime – there is a need for better:
- assessment of Knowledge, Competence and Conduct
- setting of appropriate qualifications and KPIs
- recruitment, onboarding and probation processes and paths to competence
- appropriate supervision
- prompt proven remediation of risks and shortfalls
Firms must do more to ensure compliance of staff and to identify and remediate Knowledge and Competence risks and breaches, and any lack of understanding of – or compliance with – Conduct Rules. It is considered by the FCA that implementation of appropriate processes, monitoring, assessment and MI under SM&CR will be enough to deliver this in the UK and the FCA are therefore making an assumption that ESMA rules will be delivered and adhered to under the new regime.
The date has already passed by which you must ensure that this assumption is correct for your firm!!
This means that you should be looking at – and implementing – Knowledge, Competence and Conduct assessment and monitoring processes that are robust, with appropriate MI, Senior Management accountability and risk management processes all defined and in place.
Most firms have already realised the scale of what is required and are exploring delivery processes, record keeping and/or technology solutions that can help them achieve full compliance with MiFID II requirements and ultimately GDPR and SMCR as well. If the FCA expects them to deliver on MiFID II by complying with SMCR then by default – delaying appropriate SMCR responses might mean delays in delivering on MiFID II as well.
Further – GDPR has brought into sharp relief the people risks associated with Performance, Compliance and Conduct. Delivering against internally set – and GDPR defined – standards of Information Security and processes that ensure compliance – has become a key objective. You should be ensuring that you monitor (and are able to evidence) standards – and set Delivery, Knowledge and Competence KPIs against all aspects of your staff’s GDPR compliance.
You can track, monitor and assess all of these in relation to GDPR – driving remediation and delivering effective risk management – where required.
Examples of how you could support and achieve this include processes that:
- Select and Assign – through pseudo-random algorithms – file checks and assessments to designated Assessors for KYC, onboarding and AML processes – assessing against defined KPIs and competencies.
- Identify shortfalls and set remediation – i.e. training, new trackable remediation objectives, escalation procedures and reporting.
- Ensure policy is attested to and understood – through policy attestation and knowledge testing
- Ensure training is delivered and understood – outcomes tracked
- Create and automate – through multiple workflows and oversight hierarchies – appropriate processes to manage your risks around your staff’s performance, competence and conduct re GDPR.
Many of the conversations we are currently having with existing and potential clients concern how appropriate T&C platforms and processes can achieve all of this and deliver the required solutions to all incoming legislation/regulation.
Firms must define paths to knowledge, competence and good conduct and ensure their delivery is maintained and recorded.
With this in mind and given the experience of firms captured under SMCR/Accountability 1 and the sheer scale of work, planning, consultation and change in culture that that involved – there is a lot to do!
As with all regulatory changes affecting staff performance and conduct – an accompanying change in culture is required. Buy-in from staff – commitment and leading by example from Senior Management – training and awareness – all take time and this should be focusing the minds of all HR and Compliance professionals as much as the target deadlines.
Cobbling together solutions using legacy systems that don’t communicate and reside within different business functions – has been a common response from many firms to Accountability 1. Many of those adopting such an approach have come quickly to the realisation that this just doesn’t cut it. When defining – or shopping for – an appropriate system solution every firm should be looking to deliver all aspects of Knowledge and Competence, T&C, responsibilities and reasonable steps, performance management and Certification (not to mention the associated risk management) through one product. Any such platform of course is only as valuable as the degree to which it is properly understood and utilised by the firm’s staff and the quality of the content stored on it. This is why staff engagement and planning to shift that understanding and embed that required culture cannot – in my opinion – start too early.
All phase 2 captured firms should certainly be in their SMCR planning stage by mid-2018, assigning SMFs and training staff to enable that culture change, and also reviewing and implementing appropriate systems by the end of the year, if they wish to be in a good place for a likely late 2018/early 2019 FCA deadline.