A lot has been spoken, and for that matter written, about the new Senior Management Regimes in both banking and insurance. The majority of it has been very helpful, especially when reiterating the key elements of the legislation that has been implemented by both the PRA and FCA this year. However, when I was asked to write this article, I thought that now that firms had overcome the “Day 1 Compliance” requirements of the regime, it was time to focus on the future and how firms might evidence their practical application of, and compliance with, the regime when asked to do so, either via an invitation into a regulatory activity such as a Thematic Review or via a Supervisory visit by the PRA and/or FCA.
From a recent briefing that I attended at the Bank of England, both the PRA and the FCA were quick to point out that due to the volume of data/information that was being submitted by firms across every element of the new regime, there would be little time for qualitative assessment of a firm’s submissions at the outset of the regime. They advised that the initial assessment would be of a quantitative basis only and that the qualitative review of a firm’s implementation would come through interaction mainly with the supervision teams towards the end of 2016 and throughout 2017.
A logical approach for sure, but with this whole new piece of legislation, isn’t it realistic for firms and the individuals responsible within them to want to know whether they have “got it right” sooner rather than later? And in the eyes of the regulator, if firms and individuals haven’t, then for sure they will want a quick resolution and response to any feedback given.
We all know exactly what the new Senior Managers Regime aims to achieve and, in theory, the changes that this new legislation brings to bear on firms should support what the regulator is looking for with regards to personal responsibility and accountability. But it’s fair to say that with any new piece of legislation there are always “unintended consequences.” The reality of implementation within firms, especially around the internal Certification Regime, is likely to find firms running multiple systems that all in some way touch on competence and capability, when in an ideal world they would just run one that would cater for all regulatory and internal HR and personal development requirements.
We know that (in brief – for fear of repeating what has gone before on this topic) the new regime(s) asks the following of firms:-
- Allocate the new SMF/SIMF function(s) to relevant personnel
- Develop a Responsibilities Map and keep it up to date at all times
- Allocate the Prescribed Responsibilities as required by the PRA/FCA and relevant to the type of business that you are
- Submit a Statement of Responsibility for each Prescribed Responsibility holder (SMR only)
- Identify those staff within the organisation that will fall into the newly created Certification Regime (SMR only)
- Implement a new Certification Regime for those staff classed as one of the 9 Significant Harm Functions that the FCA/PRA have identified
- Ensure that the new regime can evidence the Fitness and Propriety of those within it
- Annually certificate staff to evidence that they remain “competent” for the role that they undertake
- Apply the new Conduct Rules to the majority of staff from March 2016
- Train all staff in a “role relevant” manner in how the conduct rules apply to them
- Commence annual reporting on Conduct Rules breaches in addition to the breach reporting requirements that already exist for Senior Managers
This isn’t of course an exhaustive list, but one that it is worth referring to, so we can remind ourselves of the complexity of the legislation that firms are being asked to implement.
Let’s take a look at how new regulation, interwoven with existing legislation and a firm’s in-house desire to instil greater standards in its employees, can mean that firms end up with complex sets of systems, controls and processes that all deliver partial oversight of connected topics. Typically this comes with limited MI, or MI that does not provide a firm with data that helps it manage the risks that it might have.
For the purposes of viewing SMR and its impact on firms, let’s look at a typical scenario in the banking world:-
A relatively mature banking institution that operates on a regional basis through a combination of branch offices and also a Call Centre operation for its mortgage and insurance sales has been wrestling with the conundrum of how to most effectively manage SMCR alongside existing regulatory requirements. Bear in mind that the output they are looking for is personal accountability, effective people management, robust record keeping and, last but not least, effective, business-centric processes that deliver what the regulator is looking for and what a firm must evidence.
The firm itself employs approximately 400 individuals across all sites and elements of its operation. The firm, through its network of offices and call centres provides mortgage and insurance advice to retail consumers, but it does not provide advice on investments, pensions and equity release.
The firm has registered 8 individuals as Senior Management Function holders with the PRA/FCA. With regards to the Certification Regime, the firm has identified that it has 43 individuals that fall into this regime.
Of the 9 Significant Harm Functions, they have identified that they have individuals that fall into 4 of the 9 categories that have been identified by the FCA.
From a Conduct Rules perspective, the organisation has identified that 393 of the staff fall into the “Conduct Rules” category, but have decided that in their view it is appropriate to apply the Conduct Rules to all employees.
There has been much discussion within the organisation about how the new “Certification Regime” might be applied, as there has been concern about what cross over there will be with the current Training & Competence regime if a separate Certification Regime is introduced alongside existing T & C arrangements.
Currently the firm (whilst not needing to) applies a requirement to all staff that require qualifications for their role and/or manage other individuals: they must undertake, record and evidence at least 25 hours of CPD per year. The details of the CPD activities undertaken, and further actions arising as a result of the CPD, are recorded in a subset of an existing HR system.
The wider challenge that this organisation faced in terms of SMCR management is as follows:-
They have a Training & Competence Scheme that covers some but not all of their staff. However, the population covered under the Training & Competence Scheme does not align directly with the 43 individuals that they have identified as falling into the new Certification Regime. They have new Conduct Rules that they will apply to all individuals, and will need to commence breach reporting for this new population in March 2017. The final pieces of the jigsaw are that the CPD, which is undertaken by only some individuals, is recorded on a subset of the HR system and is not linked to the employee Performance Appraisal process. However, there is consistency in the application of the Performance Appraisal element of employee competence and oversight, as this is undertaken by all individuals within the organisation.
This typical scenario of an organisation which has differing populations within it that require the application of slightly differing pieces of legislation is obviously a real challenge for firms. So, what might one do to help remove some of the complexity that a scenario like this brings?
Well, one approach would be a long term investment in technology that could not only deliver a resolution to the typical conundrum laid out above, but would also add value to business processes and deliver real “people improvement” through implementation.
“That’s just a pipedream,” I hear many readers say. But is it?
Absolutely not! Technology platforms exist that can:-
- Apply either 1 or multiple T & C Schemes to differing populations within an organisation
- Apply a defined, time-bound approach to T & C activities and/or
- Provide a risk based mechanism that allows each supervisor to undertake relevant development activities aligned to the individual need and not dictated by a “standardised approach to T & C”
- Undertake, record and track CPD to defined levels which could be different by population and which is exportable (where relevant) to align to awarding bodies requirements in order to produce SPS’s
- Run a Certification Regime that is not a separate system to your T & C regime, but is one that runs from the same platform that has activities which blend, and do not duplicate and ultimately allows for “Annual Certification” of individuals through a process that is in tune with your T & C regime and not opposed to it
- Manage the Annual F & P Process that is required for your certification staff and senior managers that is an integral part of your platform and allows you to undertake all regulatory applications for relevant staff
- Align the performance appraisal process within the organisation to have input from T & C activities and Annual Certification checks and complete and store in alignment
- Manage, support, store and on a daily basis be able to produce an accurate, time stamped Corporate Responsibilities Map
I could go on, but I know there is a limit to what can be shared in a short article of this nature, so I will stop here. But looking ahead, as we move towards 2018, when more than 50,000 firms will have this conundrum and not just the 800 + firms that have been affected by this first wave of SMCR regulation, it will be interesting to see just how many forward-thinking SMF and Prescribed Responsibility holders there will be: those that see the value in an amalgamation of their systems and controls to provide them with a one-stop “people platform” that will help them manage and mitigate people risk. I suspect that those who are already subject to SMCR are already realising it’s a more complex task than many imagined at the outset, with the greater complexity of business model adding to the complexity of implementing and managing SMCR.
Many of you that are yet to be affected will realise that the time to get started on your investigative journey into the art of “what’s possible” starts right now! Day 1 compliance for 2018 is imperative, but as I’ve heard many clients say, “we focused on that, but did not have our eye on the long term implications of managing this new piece of legislation, if only we’d started our journey earlier…”