This year in March, what has become known as the Senior Manager and Certification Regime (SM&CR) came into force for deposit takers in the UK. In the FCA Annual Report for year ending March 2016, they proudly proclaim this regime applies to “over 41,000 people working in over 1000 Firms”.
It is now well known that this regime will be extended to cover all firms regulated under the Financial Services and Markets Act (FSMA) and when it does it will apply to an estimated further 60,000 Firms and more than 150,000 more people.
The timetable for the extension of SM&CR in still unclear, when it was announced, the clearly stated intention was for it to apply by 2018. This date now looks very ambitious. There will need to be an extensive consultation process, which has not yet started. I don’t know when the first CP will be published but I am certain we can expect it soon.
There are some big issues for the consultation to address and in this article I attempt to highlight some of them.
One of the biggest issues to address is probably ‘Proportionality’.
This is undoubtable going to be a hot topic. To paraphrase one of the primary objectives of SM&CR, it is to make it very clear “exactly who is responsible for what”. For many of the new firms that the regime will apply to, this is already apparent – in a small firm of 1 or 2 advisers with a few support staff, there is little opportunity for confusion. Will firms like this really need a ‘Management Responsibility Map’ or individual ‘Statements of Responsibility’ (SOR)?
The counter argument is that in smaller firms, producing this sort of governance collateral is not going to be difficult either and may be a good discipline. Making it easy and low cost to comply will be critical.
One of the biggest criticisms of both Regulators (FCA and PRA) today is the ever increasing cost of compliance, APFA published some survey results at the end of 2015 suggesting that small and mid-sized firms are spending up to 12% of their income on direct and indirect regulatory costs.
This is one area where applying technology can be an advantage. Innovations in recent years have combined to make IT systems much more affordable and easier to implement than they used to be. Many firms selling GRC (Governance Risk and Compliance) solutions, including my own – Redland, can now implement systems in weeks not months, with annual costs less than 50% of 1 FTE, not hundreds of thousands. These systems can generate material efficiency savings and risk reductions and are therefore worth considering.
Obviously for very small firms, systems may not always be appropriate but the ‘event horizon’ for ROI is much closer than is used to be. For example, we (Redland) are in the process of launching a new solution for automating compliance with Responsibility Maps and SORs (SMROnDemand) that can be switched on in a couple of days and will cost less than a subscription to LinkedIn Premium.
This example highlights that in today’s world, with both regulators supporting and promoting innovation in ‘FinTech’ and ‘RegTech’, firms should try to keep up with developments because traditional assumptions of cost and scale and relative benefits are rapidly changing.
The roles and positions of Senior Managers within ARs need to be tackled, including whether the AR Firm will need to create and maintain its own Responsibility Map
Another significant area to be considered in the SM&CR consultation will ‘Appointed Representatives (ARs)’.
This will undoubtedly be a difficult topic to resolve.
The current SM&CR rules for Banks, try quite hard to avoid the subject of ARs altogether. In SYSC 5.2.22 (in the FCA Handbook) it says:
“A person who works for an appointed representative of a firm may fall into the certification regime. In practice, however, they may not meet the conditions for the certification regime to apply.”
The exact conditions are in some area quite complex, for example the definition of ‘employee’ (SYSC 5.2.21) which requires that the individual a) provides services to the firm and b) is subject to supervision, direction or control by the firm.
I think that ARs and staff working for them will be subject to elements of the new SM&CR but the consultation will have a number of key questions to answer. The roles and positions of Senior Managers within ARs need to be tackled, including whether the AR Firm will need to create and maintain its own Responsibility Map. Are the Board and Executive of the Principle firm ‘Senior Manager Function’ (SMF) holders and everyone else subject to Certification or will the Senior Managers of the AR Firms also hold some form of SMF and have a place in a Map?
Certainly the FCA are currently focused on what they see as the ‘risks’ of the Appointed Representative business model.
All firms that have Appointed Representatives, should ensure that key staff engaged in T&C, HR, Compliance, Operations and Business Quality consider the findings of the recent Thematic Review published by FCA “Principles and their Appointed Representatives in the General Insurance Sector”.
The key regulatory principle of ‘Appointed Representatives’ is that the Principle firm has regulatory responsibility for the AR and must put in place a written contract with the AR; anything that the AR has done, or omitted to do, is treated as having been done, or omitted to be done, by the principal itself.
The review is pretty damming and draws lots of negative conclusions and has resulted in a ‘Dear CEO’ letter demanding that the CEO and Board of all Principles operating ARs in General Insurance “…consider the contents of the thematic report, and assess whether you can demonstrate how you are meeting our requirements in relation to your appointed representatives….”
The Appointed Representative business model is a significant sector within Financial Services.
The introduction to the Thematic Review states that there are approximately 400 insurers and 5,100 intermediaries, some of whom have accepted responsibility for over 20,000 ARs, which accounts for about 25% of all the ARs registered under the UK regulatory regime.
The FCA conducted an online survey of 190 principals operating ARs, seeking to gain insight into their business model and size, AR activities, governance structures, customer numbers, product types, sales methods and revenues. The 190 firms surveyed reported that they had over 6,000 ARs with 75,000 individual representatives operating at 15,000 locations, selling over 10 million policies and generating annual revenues of over £500 million.
They then went on to examine a sample of 15 Principle firms in more detail, using a risk-based approach to represent a diverse range of business models, products distributed, sales methods and sizes of AR networks. These 15 principals had 783 ARs with 10,594 representatives operating at 1,684 locations.
The review draws many conclusions and the detailed finding are set out in the FCA paper ‘TR16-06’, along with the ‘Dear CEO letter’ and a useful slide deck of an FCA presentation of the results, all of which are on the FCA website. However, a sample of ten of the primary findings is set out below:
- The majority of the principal firms could not demonstrate that they consistently exercised adequate control over their ARs’ activities
- Majority of principals lacked resources to effectively oversee their ARs
- Insufficient staff with appropriate skills or regulatory knowledge
- Absence of appropriate Monitoring framework or support for oversight
- In over half of the firms there was no risk based approach to AR oversight
- Lack of evidence of follow up and decisive action when issues identified at ARs
- Most principles did not consistently exercise effective oversight of their ARs’ sales practices
- Less than a quarter of firms had put in place processes for assessing and improving customer outcomes
- Most principals did not have sufficient MI to enable them to identify key risks and trends within their AR network
- Quality of training and competence regimes varied widely – In many cases there was no effective quality assurance to assess understanding
All of the above are quite serious issues and based on the size of the sample investigated, may represent significant shortfalls across a wide number of firms within the industry. Obviously one consequence of a negative Thematic Review such as this, is that everyone gets a little bit ‘tarred with the same brush’.
Because FCA have found ‘disappointing’ results, they will look harder at everyone else and be less tolerant of ‘nearly good enough’ from everyone else.
Most of the above samples relate directly to Governance, Risk and Compliance or specifically to T&C. So as T&C professionals we should be on top of these areas. If it’s not specifically in our remit, we will be working closely with the teams who are responsible and under SM&CR individual Senior Managers will be allocated specific responsibility for these areas. This should help to improve our communication lines and help to enhance management interest in our work.
Interestingly, the review goes on to also say……
“While this review was focused on the general insurance sector, the findings may also be applicable to principals and ARs operating in other sectors of the UK financial services industry. We expect all principals to consider the findings in this report and to take appropriate action, where applicable, to address the issues that are relevant to them“
So even if your firm does not manage GI ARs, if you operate an AR model in other sectors, or even if you directly employ all of your staff, some of these ‘control observations’ are relevant and suggest that we all need to focus on these areas of our operations, risk frameworks and oversight controls.
To return to the topic of SM&CR and specifically the application of Certification to the wider FSMA firms, the impending consultation process will not result in the ‘reduction’ of standards or a relaxing of regulation. It will need a lot of debate and thought to get it right and make it effective, keep it proportional and manage the operational impact, not least the cost but……
Removing the added burden of liaison with the Regulator over Certified staff should actually help.
I think that in some form, in tomorrow’s world, under SM&CR most if not all current ARs will need to be Certified as competent and assessed as Fit and Proper on an annual basis by the Principle Firm.
We are currently obliged to manage registers of staff subject to Approved Persons and keep on top of T&C and FIT and SPS etc. anyway.
In addition, we need to apply to FCA and keep records up to date on the FCA Register.
In the future, under SM&CR, we may need to apply more rigour to our record keeping and processes (and certainly address any potential ‘gaps’ highlighted by regulatory attention such as the AR Thematic Review) but there are systems to help with that!
You don’t have to be ‘Certified’ to work here – but by 2018, it will help!!!