In a conference room overlooking the O2 earlier this summer, two women sat face-to-face discussing regulation. One, in the guise of a fictional FCA inspector, challenged the other, in the role of a bank CEO, to outline exactly what their faux institution was doing to prepare for the tranche of legislation due to arrive in 2018. The CEO’s responses were deliberately vague, non-committal and lacking in detail, as the inspector became increasingly exasperated at the CEO’s evasiveness and dismissiveness. This role play, led by our compliance partners FSTP, may have been acted out with tongues firmly in cheek for the benefit of delegates at Unicorn’s Summer Client Forum, but the message was clear; all this is coming and you must address it now!
Brexit doesn’t mean Brexit
You might be a firm impacted by the second Markets in Financial Instruments Directive (MiFID II), which takes effect on 3 January 2018 and will fundamentally change the way capital markets in Europe operate, by focusing on increased investor protection through a more transparent market for investment services and activities. You must definitely comply with the General Data Protection Regulation (GDPR) from 25 May 2018, to enforce every individual’s privacy rights and the transparent disclosure of personal data breaches. Meanwhile 52,000 firms outside of the banking sector will also be preparing for the arrival of the Senior Managers Regime and Certification Regime (SMCR) in 2018, with the deadline date TBC.
When confronted with such pervasive and complex regulation, which has substantial implications for your policies, processes and procedures, the temptation to bury your head in the sand and hope it goes away is almost understandable. After all, what’s the point in enforcing EU law when we’re coming out of Europe? And there isn’t even a date for the Accountability 2 consultation paper yet, so that’s not going to be ready to launch in 2018… is it?
Yet as Julia Kirkland, partner at FSTP and the hapless fictional bank CEO, explained to forum delegates, Brexit is irrelevant for MiFID II and GDPR as these are gold-plated standards the UK has led on and they won’t be abandoned. And Accountability 2 WILL happen at some point in 2018, so delaying preparation isn’t an option.
So what should you be doing?
Whether getting ready for SMCR, GDPR, MiFID II or all three, you should be looking at your relevant policies, procedures and processes and asking lots of questions. How will this work in my firm? Where are the gaps? If we’re still waiting for certain detail, what information have we got to move the project forwards now? Are our systems and/or technology ready? Who is running the project? What are the reporting procedures? Do we have defined roles and job descriptions? How can we prove individuals are competent to do their jobs? How can we evidence compliance? How do our interactions with Third Party suppliers potentially impact on GDPR compliance? What forms do we need and what needs to be on these?
This list is merely the tip of the iceberg, especially for firms faced with all three pieces of regulation. After all, the regulator’s bite isn’t getting less fierce when you consider, for example, fines for GDPR non-compliance could reach €20m or 4% of worldwide annual turnover of the previous financial year for the severest breaches.
While each differs in their specific objectives and scope, SMCR, GDPR and MiFID II have a golden thread – they are about changing cultures and affecting behaviours to bring about better outcomes for customers.
Don’t be fooled into thinking there is a technological shortcut to all this either. Good systems will get you so far, but it’s people who will keep you compliant. So, the most pressing question you should be asking is ‘How are we training our staff?’
‘The fish rots from the head down’
A lovely phrase and one that’s never been more relevant to compliance and training and competence thanks to SMCR. SMCR demands, more than ever before, that culture comes from the top and board members and senior managers must walk the walk, not merely talk the talk. Yet it goes far further as FSTP shared anecdotes of firms visited by the regulator where staff at all levels can be asked searching questions on the issues that matter. With the clock ticking, rushing staff through a plethora of ‘tick box’ eLearning will doubtless hold a certain appeal. But, in terms of cementing the behavioural and cultural changes these regulations set out to address, and proving compliance and evidencing competency over time, short-term gain will only equal long-term pain.
Whilst eLearning can be an important element of the solution, it must be effective and it must meet the shifting expectations of today’s learners. Thankfully, the days of the annual 60 minute compliance eLearning course are numbered – the content long forgotten, but the tedium forever etched in learners’ minds.
Today’s learners are busier than ever, the rate of change is growing constantly and learning can no longer be conducted wholly outside of the workplace. Learning is the workplace so must be available on demand and in appropriate, digestible ‘chunks.’
Increasingly, corporate learning has to deliver the sort of user experience we take for granted in our personal lives, through social media and online shopping, which delivers contextual and highly-personalised content, where and when we need it.
When you put it like that it’s simple… Give me a campaign-based approach to learning where a compliance topic, such as MiFID II, SMCR, GDPR etc, consists of a series of distinct activities I can fit around my daily tasks when it suits me. A short video to engage me and break down potential barriers to learning, for example, what are the consequences if I don’t do this, some microlearning modules focusing on a single outcome, contextual case studies and scenarios so I can practice applying knowledge in a life-like situation. Then give me a reminder of the key points as I’m going to forget half of this if I don’t apply it quickly.
In the last few years, many firms have made significant shifts towards this kind of workplace-based model of learning, which is largely self-directed, yet retains the vital element of some centralised control, because, let’s face it, we don’t always know what we don’t know.
Appreciating the role of games and apps
Expect a different approach when thinking about how to train your staff in new regulation, with a clear focus on developing and embedding new behaviours, and please can we have some fun along the way? Contrary to the traditional image of compliance training equaling hours spent at the desktop, mobile learning, apps and games are starting to help shape user engagement in all this. Apps can help with behavioural change, especially in compliance training where learners are typically disengaged with ‘pushed’ content. Such mobile learning needs to fit into people’s lives in a way they are already familiar with, so small nuggets of information accessible at the point of need or ‘just in time’ works best.
For compliance topics, product knowledge or company information, learning reinforcement apps can help engage learners by creating short, sharp pieces of fun and easy to digest content. Apps can also support ongoing competence by enabling learners to record and track their CPD activities on the move. For the frazzled T&C, L&D, HR and/or compliance managers tasked with managing staff through the SMCR, GDPR and MiFID II minefields, the key is being able to deploy content, monitor, report, automatically assign learning, send email reminders and create role-based pathways to deliver the right learning to the staff that need it.
Our Compliance Serve solution was designed to do just that, and this year additional functionality is being added so that keeping track of who is responsible for what under SMR, and evidencing competence for staff who fall under the Certification Regime, is about to get a whole lot easier. This includes recording and assigning Senior Managers Functions (SMF), Prescribed Responsibilities and Statements of Responsibilities for SMF holders, generating and exporting the SMR organogram, defining and managing the criteria for competence, tracking individual progress against criteria and an enhanced dashboard to deliver an at-a-glance oversight of compliance at team and business level.
Accountability II, GDPR and MiFID II are all major projects with significant work for those affected, and there are bound to be questions the regulator will ask your firm. So, how well prepared are your senior managers to give the right answers?
Don’t be the hapless CEO in the role play…