To paraphrase the famous quote from Donald Rumsfeld (Feb 12, 2002):
“…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…. And ….it is the latter category that tend to be the difficult ones.”
In this article I will highlight some of the things that may qualify as ‘unknown unknowns’ within the Senior Manager and Certification Regimes, often referred to as SM&CR, or sometimes, Accountability.
This regime is being extended to include (almost) all financial services Regulated Firms on 9th December 2019, a little less than a year away. This extension has become known as Accountability II, because the regime commenced for Banking Firms in March 2016.
Insurers also transitioned into SM&CR, under Accountability II, with effect from 10th December 2018 and they now have until 10th December 2019 to assess and issue Certificates to all of their staff identified as subject to the Certification Regime.
A recent analysis at a mid-sized firm identified over 100 policies or processes that needed to be reviewed or created in order to comply with Accountability II, including employment contracts, appraisals, disciplinary processes, recruitment, supervision, competence assessment etc.
Incidentally, T-C News has published a lot of articles over the last few years about SM&CR, sharing insight and clarifications about the impact of the changes and the interpretations of the rules. As an ‘open question’ to Jeff, perhaps it may be useful to publish a summary of some of them and allow people to request ‘back issues’? (From Editor (Jeff) – All previous articles can be accessed via the web site www.t-cnews.com)
I will cover each of the 5 topics in some more detail below.
Time and Risk
The real issue here is a slight challenge to Mr Rumsfeld’s erudite phrase, in that I think he missed out the most ‘difficult’ category of knowledge – namely, the ‘Think you Know’ category!
Many banks subject to Accountability I were certain how their governance arrangements worked until they tried to write them down, sign them off and publish them to the regulator. It was only then that they tried to review, re-document and potentially revise them and found it was a much more complex and time-consuming task than they had anticipated.
At a recent SM&CR briefing, FCA were asking “what can we do to promote early engagement with Accountability II from Chairs and CEOs of Solo Reg Firms?” They are concerned that despite trying to ease the burden of conversion for firms, by proportionate rules and automating a lot of the transition, with so many firms being affected (47,000) they need to mitigate the risk of ‘last minute’ confusion and failure.
The issue is that complying with Accountability II looks, at first sight, like ‘business as usual’, but for most firms it will be more difficult and take a lot longer than expected.
The second element of this is ‘Risk’. By which I mean the ‘Attitude to Risk’ of the Firm and its Senior Managers (not the risk of not complying).
Although many of the new rules of SM&CR are clear and absolute (for example, Senior Managers must have a Statement of Responsibility), a lot of what should be included on that Statement is subjective and contextual. There are also many rules, for example the definition of ‘employee’ under Accountability II, which will require interpretation within the context of your business; there is no single ‘correct’ answer.
It is therefore essential to engage with and educate Senior Managers, particularly those who are sponsoring the SM&CR programme in order to define an appropriate ‘Tone’ and ‘Approach’ to tackling these questions. What will be the decision making forum within your programme for some of these choices?
In summary: Time and Risk
- It will be more difficult and take longer
- Senior Managers need to be fully engaged and educated in order to set the project’s ‘Tone’
- ‘Attitude to Risk’ of the Firm to the SM&CR programme is critical to timely decision making
‘Below the Line’ regulation
This is a developing new challenge for many firms. One consequence of the new Accountability Regime is that it gives the Regulators significantly more flexibility over how they set the rules. Obviously, most rule changes are driven via the time honoured ‘consultation paper’ followed by feedback and Final Rules.
However, under Accountability, firms are being obliged to clearly define and document exactly who is responsible for everything in their firm. This ‘sea change’ gives the regulators the opportunity to mandate changes in behaviour, without having to change the underlying rules.
As an example of this, consider the FCA’s focus on ‘Cyber Security’. In a speech back in 2016, Nausicaa Delfas, Director of Specialist Supervision stated that
“…..we expect ‘a security culture’, driven from the top down – from the Board, to senior management…….by this I mean senior management engagement and responsibility…..”
Under Accountability II, where Senior Managers must have documented Statements of Responsibility (SoR), even in a Core Firm, which of your Senior Managers will have ‘Cyber Security’ defined on their SoR?
There is no Prescribed Responsibility for Cyber Security and it is not part of any Senior Manager Function for a Core Firm (it is included within SMF24 for Enhanced Firms), but it is clear that FCA expect it to be clearly allocated to a Senior Manager, in all firms.
Similarly, the recent speech (19th Dec 2018) by Christopher Woolard, Executive Director of Strategy and Competition at the FCA, about ‘Speaking Out: Diversity and Inclusion’ made it very clear
“…. How a firm approaches diversity and inclusion tells us a lot about its culture. And the way firms handle non-financial misconduct, including allegations of sexual misconduct, is potentially relevant to our assessment of that firm, in the same way that their handling of insider dealing, market manipulation or any other misconduct is…..Non-financial misconduct is misconduct, plain and simple….”
This speech does not reflect any change in the rules of Accountability or other piece of regulation but it clearly does clarify FCA’s expectations of behaviour, making it clear that Firms must prioritise these issues with some rigour. If I was writing Statements of Responsibility for my Senior Managers, I would carefully consider whether to include responsibilities for Diversity and Inclusion and / or Speaking Out policies etc.
These are both good examples of where FCA are expecting changes in behaviour by Firms and staff, without specific changes in rules or regulations – this is what I mean by ‘below the line’ regulation and it is increasingly being used, as a tool, by both FCA and PRA.
In summary: ‘Below the Line’ regulation
- Be aware that it is happening
- Develop strategy and policy to read everything and spot when it occurs
- Consider all publications from regulators with an ‘impact on Accountability’ lens
Some of the ‘Hard Bits’
This is a simple list of some areas of the rules that will be complex and challenging for most businesses. There is not enough room to cover these aspects in detail in this article but I would be more than happy to discuss these elements further; please feel free to get in touch. In addition, several of these complex areas are covered in Jeff’s ‘Certification’ workshop, which I would recommend.
- Client Dealing Function (note: FCA Regulatory Update on this function Dec 2018, commitment to further consultation in 2019)
- Definition of Employee under SM&CR
- Certification and Trainees and SPS
- Significant Management Function
- No Gaps Rule under CERT
- Fitness and Propriety and Integrity
- Certification and Multiple Legal Entities
In summary: The Hard Bits
- Ensure your plan identifies those that are relevant to your business
- Use a collaborative team (HR, Compliance, Legal, etc.) to work through the issues and impact
- Get Senior Managers engaged early with clear decision and escalation processes
BAU, Maintenance and Change
Remember that the regulatory deadlines for SM&CR are commencement dates, not end dates. This may sound obvious but it caught many Banking firms out!
Many of the updated policies or processes will also have implications for BAU. Firms should focus on the ‘target operating model’ – specifically how and most importantly who will own these changes going forward?
Many banks found that there was a lot more frequent change to Responsibility Maps and Statements of Responsibility than they had expected (one bank I worked with updated their Map 12 times in the 1st year and made more than 200 updates to SoRs, across 20 Senior Managers). The major challenge was that once the project team had stood down, much of the specialist expert resource moved on as well and the new ‘operational’ teams did not understand SM&CR well enough to cope.
On a specific point, the staggered deadlines for the elements of the regime caused issues in many firms. By the 9th Dec 2019, Solo Regulated Firms need to identify all Senior Managers and write their SoRs; they also need to identify their Certification population.
Although the Certificate assessments don’t need to be completed for a further 12 months, Movers, Leavers and Joiners to that CERT population will need to be managed from commencement. Again, this caught out many banks, who thought they need not worry about the Certification Regime for a year.
In summary: BAU, Maintenance and Change
- Ensure transition to BAU is planned out, including transfer of necessary expertise
- Think through ‘operating model’ implications and work out who owns what, going forward
- There will be more ‘change’ than you anticipate
Legal Entities
The SM&CR regimes apply at the Legal Entity level. This can create some complexity for Firms who have multiple entities within their Group.
At the ‘governance’ level, Senior Managers’ roles across the Group will need to be clearly defined and accurately documented in multiple Statements of Responsibility, without creating any gaps, overlaps or confusion. This can be much more difficult than it appears at first glance.
However, the Legal Entity question becomes even more complex for Certification staff, who act in roles across multiple entities within the Group. For many banks and indeed, more recently, Insurers, being able to define the links between staff, their roles and disparate Legal Entities proved very difficult, with many HR systems just not holding the necessary records.
If you have multiple entities within your Firm (Group), start to tackle these questions early in your plan.
In summary: Legal Entities
- Review and clear up any ‘redundant’ permissions and authorisations (both firms and staff)
- Address any ‘structural’ questions within the Group early on
- Review existing record keeping and systems to find any existing, useful, ‘golden source’ of records
It is thought that the term ‘Unknown Unknowns’ was first coined back in 1955, by two American psychologists, Joseph Luft and Harrington Ingham, who used it within their analysis technique. Donald Rumsfeld, in his memoir, cites NASA administrator, William Graham, as first using a variant of his classifications back in the 1990s.
I hope that this article provides enough to reclassify some of the SM&CR Unknown Unknowns. As Mr Rumsfeld so clearly said… “it is this category that tend to be the most difficult!!!”