The PRA and FCA have published a major consultation paper on the overhaul of the Approved Persons Regime (APR) for banks, building societies, credit unions, and PRA-designated investment firms in the UK. The new framework will make senior individuals more explicitly accountable for specific issues through 'statements of responsibility', and a wider range of staff will be subject to a regime of certification and codes of conduct.
The aim of the new framework is to ensure individuals take greater responsibility for their actions, and to make it easier for those individuals to be held to account (both by the regulator and by firms themselves). But there are questions about the practical implications – to what extent will it drive changes in volumes of compliance work, rather than culture? And what effect will it have on the ability UK firms' to recruit risk takers and risk managers, particularly for overseas roles which fall under the regime? The proposals will take time to digest fully, but here we highlight some of the most significant issues.
Management responsibilities map: banks will have to maintain a comprehensive and up-to-date 'management responsibilities map' describing the firm's management and governance arrangements, including reporting lines and lines of responsibility, as well as details about the relevant people and their responsibilities. For the majority of firms, this will require significant enhancements to existing documentation, particularly in relation to the qualitative information that will be required about the delegation of responsibilities. But this isn't just about documentation – disentangling complex webs of responsibilities and understanding how they fit into a firm's overall governance framework is going to be a real challenge, particularly in areas where accountability has never really been bottomed out in the past.
In future, these documents will be an important supervisory and enforcement tool. It is clear that, when something goes wrong, the maps are intended to lead the authorities to the individual with ultimate responsibility for the issue. They will need to be 'living' documents, and firms will have to declare annually that they comply with the requirements. A Senior Manager will have responsibility for the maps, and if the maps don't do their job, that individual is likely to be the regulators' first port of call.
Senior Management Functions (SMFs): between the PRA and FCA there is a combined list of 18 types of SMF. Although the scope of the PRA's framework is narrower than the APR (excluding, for instance, 'generic' non-executive directors (NEDs)), the FCA will require a wider group of individuals to be approved (including such 'generic' NEDs); indeed, as the PRA notes in its impact assessment, it seems that firms are unlikely to experience a "material change" in the overall regulatory scope for approvals. Some individuals based outside the UK will also fall within scope of this regime: it is functionally, rather than geographically, defined.
There are some notable new SMF roles worth highlighting:
- Heads of key business areas: individuals managing very large business areas or divisions, either relative to the size of the firm or in absolute terms. This means an area with gross total assets of at least £10bn or at least 20% of the firm's total, or, where the firm is part of a group, an area which generates at least 20% of the group's gross revenue;
- Group Entity Senior Managers: a category for individuals employed in the parent or other group entity of a relevant firm but who are deemed to exercise significant influence over its affairs (such as a group finance director, but also potentially group NEDs), to be determined on a case-by-case basis;
- 'Significant Responsibility' SMF: to cover roles not otherwise specified as an SMF, but where an individual has 'overall responsibility for a key function and is not otherwise appointed to the board, giving firms flexibility to have non-board senior individuals as SMFs.
With the detail set out in the paper, firms should be able to 'map' their existing approved persons onto the proposed SMFs in order to see the scale of change likely to be required.
Importantly, for any current approved person whose approval maps onto a new SMF, they will be 'grandfathered' into the new regime, meaning, for instance, Chief Executives will not have to be re-authorised as such.
Certification regime: the certification regime puts the onus on firms to identify and annually certify individuals as being fit and proper to carry out certain roles, a process for which a Senior Manager will need to take responsibility. For CRR firms, PRA certification will apply only to 'material risk takers' as per the CRR definition, but the FCA will apply certification more broadly, including to any current approved person who will not in future be an SMF, and a number of customer-facing roles. In geographical terms, the FCA's regime will apply to staff based in the UK or who are dealing with UK clients, while the PRA's approach will capture non-UK material risk takers if they are involved in the regulated affairs of the UK firm, giving certification an extraterritorial element.
Under this framework, banks will actively have to make their own fitness and propriety determinations in line with regulatory criteria – a significant shift in approach.
Codes of conduct: a new set of individual conduct rules will apply to a broader set of staff, and (for relevant firms) replace the APER principles which currently apply to Approved Persons. The PRA will apply its conduct rules only to Senior Managers and certified staff, but the FCA will apply its rules to a far larger set – everyone in the firm based in the UK or dealing with customers in the UK, except those performing completely ancillary activities (such as cleaners and drivers). A significant amount of new training will be required to make bank staff aware of the new rules and the fact that they will be within scope of enforcement action in respect of them.
Branches of non-UK banks: the regulators are waiting for further work from HM Treasury before developing this part of the framework, as further legislation is required to bring non-EEA firms in scope. However, the PRA suggests that it would require at least one individual per incoming non-EEA branch to be approved as an 'Overseas Branch Senior Executive Manager', with a role similar to that of a CEO in relation to a branch. The certification regime would also apply to UK branches of non-EEA firms.
Insurers: while none of this regime applies to insurers, the insurance industry would do well to recall a speech made by Mark Carney, Governor of the Bank of England, back in May, in which he made clear that the Bank is "considering a similar regime for senior persons in the insurance sector." He said this would not mean applying the banking regime "indiscriminately", but that the Bank would work to build a framework which is aligned "in spirit" with that for banking, but suitably tailored for insurers.
There is no firm date for implementation as yet, but the consultation runs until 31 October, and a further consultation on transitional arrangements will be published later this year, with near final rules, guidance and supervisory statements expected around the end of the year.
Transitional periods will be granted to ensure banks can conform to the new standards once they enter into force, but in the meantime banks should begin thinking about preparatory work: they will be able to 'map' their existing approvals onto the new framework, and should be able to identify staff potentially subject to the certification framework. Perhaps most significantly, there is enough detail such that work on management responsibilities maps could begin right away.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.