On 5 August 2019, the FCA published its ‘Senior Managers and Certification Regime Banking Stocktake Report’. Should anyone be under the misapprehension that this document is only of concern to the banking sector, the regulator is at pains to point out that it will be of interest to all SM&CR firms, including solo-regulated businesses coming into the Regime in December this year.
In other words – ignore the report at your peril!
To its credit the FCA has produced a succinct, easy to read round-up of the key issues and challenges faced by the banking sector and how well – or not – the 15 firms interviewed have dealt with these since they entered the Regime in 2016. Input was also sought from trade associations, the Banking Standards Board and the PRA. Whilst it is not a full post-implementation review and no policy changes are planned on the back of it, as a guiding light for firms still feeling their way in the dark it serves a very important purpose.
On the whole, the overriding message is a positive one delivered with an encouraging tone. As the report notes,
“The industry has made a concerted effort to implement the Regime. Most firms are taking actions to move away from basic rules-based compliance towards embedding the Regime in the organisation.”
The review covered SM&CR’s key elements:
- Senior management accountability
- Certification
- Regulatory references
- Conduct rules
- Impact on culture
- Unintended consequences
Of these, the area singled out by the FCA for its most ‘constructive feedback’ is Conduct Rules – or, more specifically, the training that is provided on that subject. Firms interviewed were of the opinion that their employees generally have a good grasp of the Conduct Rules. Conversely, from the FCA’s perspective the evidence points to the fact that firms have not always been good at tailoring Conduct Rules training to specific job roles.
Be assured about this point – relying on a purely generic, one-size-fits-all approach to Conduct Rules training simply does not cut the FCA’s mustard.
To reinforce this message, we are reminded that the Financial Services and Markets Act (FSMA) requires firms to:
- Notify all relevant persons of the conduct rules that apply in relation to them
- Take all reasonable steps to ensure that those persons understand how those rules apply in relation to them.
This must include the provision of suitable training.
So, generic training has its place, but only when it is backed up by a role-specific element. Think job family-related case studies and you will be well on the way to addressing the FCA’s concerns.
Furthermore, the FCA notes that while many firms are using their own values to articulate how they bring Conduct Rules to life, there is insufficient evidence to demonstrate that Conduct Rules have been mapped to the values espoused by those firms. A good point, and one that raises a question to which all firms should invest some time in considering their response –
“We have values, but do they really ‘live and breathe’ in the business and how effectively do we make the connection, particularly when we are training our people?”
Understandably the regulator is at pains to make the connection between Conduct Rules, conduct of individuals and organisational culture. In fact, throughout the report every opportunity is taken to reinforce the close bond between SM&CR and ‘healthy’ organisational culture.
For example, the FCA notes that all the senior managers to whom its researchers spoke were clear about their individual accountability. They were also able to explain their responsibilities as leaders in their respective organisations. So far, so good! However, things became somewhat trickier when it came to senior managers explaining their personal ‘duty of responsibility’, articulating their ‘reasonable steps’ and explaining what they believe ‘good’ to look like. Many lacked the confidence to do so with any real conviction.
For these senior managers the solution appears to lie in the FCA providing further guidance – albeit that this would mean introducing a higher degree of prescription than the (current) regulator is ever likely to countenance. The FCA’s bottom line is that senior managers should be doing what they reasonably can to prevent misconduct in their firms, not just through the application of appropriate systems and controls, but also by nurturing healthy cultures.
Let us not forget that SM&CR is the FCA’s big lever – some may call it a battering ram – for effecting cultural change in and across the Financial Services industry. As such, it is interesting to note the report’s reflections on the Regime’s impact on culture in the banking sector.
We discover that most firms interviewed had embarked on culture change programmes before SM&CR was implemented, with many describing a stronger tone and clearer ownership from and at ‘the top’. The FCA was encouraged to hear all the firms it approached talk about working to develop cultures which encourage challenge and escalation whilst creating environments where employees will feel ‘safe’ if and when they feel the need to speak up.
So, everything appears to be going in the right direction, but the report does flag a couple of bumps in the road. Firstly, the FCA states that it is not clear to what extent the Regime has been linked to culture – the default position for many firms is to look at SM&CR purely from the point of view of process and controls and how these might be used to improve conduct; i.e. the mechanistic rather than organic. Secondly, firms have found it challenging to find appropriate ways of measuring culture.
On that last point, here at FSTP we take the view that the complexity of culture and the nature of predictive human behaviour mean that their measurement requires a very different technique to the traditional Q&A-based surveys and box-ticking methods with which we are so familiar. Traditional methods of measurement often fail to expose cultural risks satisfactorily. Behaviour is a true indicator of risk, and any assessment or measurement of culture must be designed to identify emergent risk so that management can act before the risk emerges and becomes a reality.