Whether you are an Executive of a large retail bank, a Compliance Manager in an international bank or working in T&C for a Building Society, you will not have failed to notice that the deadlines for implementing the new “Strengthening Accountability in Banking” regime are getting closer.
Supporting the regulatory bodies overarching strategic objective of ensuring the relevant markets function well, the PRA and FCA proposals include introducing:
- A new Senior Managers Regime which will clarify the lines of responsibility at the top of banks, enhance the regulators’ ability to hold senior individuals in banks to account and require banks to regularly vet their senior managers for fitness and propriety;
- A Certification Regime requiring firms to assess fitness and propriety of staff in positions where the decisions they make could pose significant harm to the bank or any of its customers;
- A new Code of Conduct the rules, which take the form of brief statements of high level principle, set out the standards of behaviour for all bank employees.
It would appear that some are reacting quicker than others, with many firms having established and mobilised programmes and project teams driving out requirements and looking at the most effective way to implement the new regulation. These firms now understand the level of complexity involved – from defining who is an employee (what if they sit in a different country / operating company, or are a temporary hire) to defining a potential breach of the rules and the internal impact of a minor breach.
The decommissioning of part of the FCA database of approved persons will change every affected company’s processes for recruitment and how they deal with leavers and provide references
The concern however, is that there are a number who perhaps because they have fewer employees, simple organisational structures and generally good procedures, have not appreciated the detailed processes that may need to be introduced. The decommissioning of part of the FCA database of approved persons will change every affected company’s processes for recruitment and how they deal with leavers and provide references. The level of complexity for all organisations should not be underestimated.
And of course the the penalties for non-compliance could ultimately result in a stay at Her Majesty’s pleasure for responsible executives and/or sizeable fines for the responsible individual and the bank itself.
It is good business practice for senior executives to have clarity on their responsibilities and clear lines of communication to the people that report to them, and most companies have this today. However at the detailed level, the rules for SMR are quite demanding and fewer firms have the management information which, at the touch of a button, can provide executives with early warning signals and details of breaches which have occurred within their reporting line.
Equally, ‘certified’ managers and employees may well have clarity on what is expected from them in their individual roles, but perhaps not yet understand the impact of the new regime. Many banks will be developing new internal policies and procedures to make sure they are compliant with the new regime – and contravention of these policies could again lead to stiff penalties.
Preparation for the new regulation is key; finding the right people to help you map your organisational structure and policies / processes at the outset will go a long way to shortening the overall implementation of your system to support IAR.
The Senior Managers Regime (SMR) may, even for very large banks, only include a few tens of executives and, therefore, prove to be considerably easier to manage than the Certification Regime (CR). The requirement for mapping of responsibilities can, and no doubt will, in some cases be managed through a set of spreadsheets. Well, that’s that box ticked then isn’t it? Well maybe not….
Banks and Building Societies that want to mitigate the risk of fines down the line, and take the opportunity to realise real efficiencies on the back of this pending regulation, would be wise to consider exactly how they intend to create the clear line of sight that the regulator is looking for them to demonstrate. Using spreadsheets for SMR and a disparate system for CR may well end up the choice of many. And no doubt technology vendors in the space will be in a position to assist these organisations in managing the connectivity between the two as far as is possible. The Holy Grail though would surely be to have a single system managing both SMR and CR? And what of HR? Can a system designed to manage core HR activities ever be malleable enough to manage all the complexities of the new regime? For example, how will a potential breach, discovered in another business system, which impacts multiple SMFs and needs to be visible and communicated to multiple reporting lines be managed? Even if the software is technically capable of this, finding a systems integrator who has the experience of this regulatory domain to work out how to make it work in nine months time would be challenging to say the very least.
When selecting vendors (be they internal IT or external suppliers) due diligence, not only to ratify their ability to deliver, but to ensure they fully understand the regulatory landscape and the regime itself, is crucial. From a systems perspective, the vendors that are best placed to deliver will be those whose core business is helping firms to turn regulatory compliance into a competitive advantage. And if they have an “out of the box” solution which addresses both the SMR and CR components of the new Accountability Regime, all the better! Work with your IT partners to ensure the implementation delivers real business benefit beyond simply being able to tick the correct box; facilitating a clear line of sight and open communication between senior executives and their reporting lines.
The timescales have been defined and the “near final” rules published so remember: Plan well ahead of time; be clear on what you want to achieve as well as what the regulator requires you to achieve; and be sure your IT partner can deliver in time.