The Financial Conduct Authority (FCA) is consulting on extending the senior managers, certification and conduct rules regime (SMCR) to all authorised firms operating in the financial services sector.
The SMCR regime was brought in to impose real legal responsibility on individuals. It was initially applied to banks, building societies, credit unions and Prudential Regulation Authority regulated investment firms from 7 March 2016, but will now be extended to other financial firms, including IFAs.
Draft rules are expected to be published later this year with a view to implementation in 2018.
The key components of the SMCR are as follows:
All senior manager appointments or role changes require regulatory pre-approval.
Firms must demonstrate they have effective overall governance and management arrangements via a responsibilities map and responsibilities statements.
A statutory duty of responsibility is imposed on senior managers to ensure they take reasonable steps to prevent regulatory breaches in the areas for which they are responsible.
All staff undertaking significant harm functions (whether or not senior managers) must be certified as fit and proper on joining and annually thereafter.
Actual or suspected breaches of the conduct rules by senior managers must be notified by a firm within seven business days. Actual or suspected breaches by other staff members must be reported annually.
Owners of IFA firms and networks may be taking false comfort from FCA statements that the rules will be applied subject to the principle of proportionality. This implies an ‘SMCR-lite’ regime will be available for smaller firms and that this would result in a lower impact on IFAs.
However, implementation must be viewed in the context of the broader regulatory and strategic environment.
The SMCR is being brought in hot on the heels of implementation of Mifid II – on 3 January 2018 – and also around the time firms will be grappling with the general data protection regulation (GDPR), which will be implemented by 25 May 2018.
Mifid II is an extensive regulatory regime covering areas including product governance and suitability, which are particular areas of focus for IFAs.
The GDPR extends the scope of EU data protection law to all foreign companies processing personal data of EU residents, harmonises EU states’ data protection laws and significantly increases penalties for non-compliance.
IFAs hold sensitive personal data and will need to review their data protection policies and procedures, as well as security.
Mifid II, the GDPR and the SMCR will affect people, processes, products and systems. The whole of a firm’s operations will be affected in a relatively short timeframe.
Implementation of the SMCR will require detailed analysis and documentation of a firm’s governance and management structures, and outsourced arrangements. It presents an opportunity to re-evaluate and refine roles and responsibilities.
Early planning and engagement by management and training for senior managers will be essential. Firms will also have to establish effective processes and documentation for certifying that relevant staff satisfy the fit and proper test.
Given the timing and breadth of the incoming regulatory changes, firms can take a strategic approach to implementation, assessing the viability of their business model and management structures and the overall effect of cultural change.
Blair Adams and Rosalyn Breedy are partners at Wedlake Bell.