Five years ago, on 7 March 2016, the Senior Managers and Certification Regime (SMCR) came into force. At first it applied only to dual-regulated banks, those which are regulated both by the FCA and PRA. The regime has since been extended to dual-regulated insurers and on 9 December 2019 it started applying to most solo-regulated firms.
A product of the financial crisis, the SMCR was aimed at increasing both responsibility and accountability within the professional financial services sector. To a large degree, it was intended as an enforcement tool - a mechanism through which senior individuals could be sanctioned for systemic failings and serious misconduct that occurred on their watch.
Five years on, however, there is little evidence that the SMCR has been used as the stick that was first envisaged. Optimists might believe that it has been sufficiently effective at changing culture and behaviour as to render its punitive function largely redundant, although many would be more circumspect. But from any reasonable perspective, the SMCR is a positive change which appears to have played a role in raising standards across the industry.
The Blueprint - Parliamentary Commission on Banking Standards
The SMCR was Parliament's solution to an accountability deficit in the financial services industry following the 2008 banking crisis. In July 2012, Parliament set up a Commission to recommend improvements in banking sector standards. At that time, dust from the financial crisis was still being kicked up by conduct which would come to be emblematic of the period. That same month, the UK's Serious Fraud Office announced it was launching an investigation into LIBOR manipulation. The Commission, chaired by Lord Tyrie, was asked to review the standards and culture of the UK banking sector and to make recommendations for legislative and regulatory change.
One of the Commission's resulting reports, 'Changing Banking for Good', found that inadequate responsibility in the regulatory system had been a cause of the financial crisis, which in turn had further exposed ineffective accountability. The problem, the report found, was "an environment with insufficient personal responsibility" which allowed executives either to plead ignorance or hide "behind collective decision-making". Curing this defect required a new approach. The existing model (the Approved Persons Regime) had "created a largely illusory impression of regulatory control over individuals, while meaningful responsibilities were not in practice attributed to anyone". Central to the proposed reforms was the prescriptive allocation of responsibility to senior individuals, and the obligation on institutions to ensure that their staff were fit and proper to perform their jobs.
However, the Commission was committed to strengthening the ability of the Regulator to take action against individuals, believing that the FSA had proved unable to "penetrate an accountability firewall of collective responsibility". Whilst this aim would be advanced by requiring firms to document the allocation of management's responsibilities, the report went further, recommending that the burden of proof be reversed in the Regulator's favour. Where a regulatory failure occurred in a firm, the relevant Senior Person would need to demonstrate that they had taken all reasonable steps to prevent or mitigate its effects. This proposal, if ultimately adopted, would have proven a potent weapon for the authorities to enforce regulatory failings.
The Features of the Regime
The central features of the Commission's proposals for reform were broadly retained by Parliament in the legislation that enacted the SMCR. There are three constituent parts to the SMCR: the Senior Managers' Regime, the Certification Regime and the Conduct Rules.
The Senior Managers' Regime requires a firm to allocate all applicable prescribed responsibilities to one of its Senior Managers. The FCA generally expects that firms will not split the allocation of any prescribed responsibility. Additionally, firms are required to ensure that every area of its activities falls under the responsibility of one of its Senior Managers. The allocation, organisation and division of these responsibilities must be documented on 'management responsibility maps' and expressed through statements of responsibilities, which each Senior Manager is required to agree. Essentially, these measures allow the FCA to place its crosshairs on the Senior Manager who was responsible for the area of the business in which a failing occurred.
However, Parliament ultimately (and fortunately) resisted the Commission's proposal to reverse the burden of proof in cases where a failure had occurred under a Senior Manager's responsibility. Instead, liability operates where: there has been a regulatory breach at the firm; the Senior Manager was responsible for the activities in relation to which the failure occurred; and that Manager failed to take reasonable steps to avoid the breach or prevent it from continuing. All elements need to be proven by the FCA to the civil standard (on the balance of probabilities) before a sanction can be imposed.
The Certification Regime places on firms the responsibility to certify annually that their employees are fit and proper to perform their individual roles and functions. Not all employees require certification - only those who perform a designated certification function, which by legislative definition must involve activities that present a risk of significant harm to the firm or to any user of its services. Responsibility for the certification process is of itself an FCA prescribed Senior Management function.
The Conduct Rules set out the standards of behaviour which all persons in the industry are expected to meet, such as acting with integrity and exercising due skill, care and diligence. These rules codify good behaviour and, to that extent, one may assume provide little illumination to the majority of the industry. However, the conduct rules apply to all employees, except those who entirely perform ancillary or support functions, and therefore extend enforcement coverage beyond the population of persons who were 'approved' under the SMCR's predecessor regime.
An appraisal of the SMCR; prevention over cure?
Five years on, how effective has the SMCR proved? It is not unreasonable to consider whether the criticisms levelled at the previous system by the Parliamentary Commission have ostensibly been addressed. That is difficult. In large part the Commission's attention, unsurprisingly given the prevailing public mood, was aimed at enforcement outcomes. It wanted a system which not only identified the person ultimately responsible for any failure, but also enabled the Regulator to take action successfully. By that yardstick, it is hard to argue that the SMCR has been successful.
The number of financial penalties imposed on individuals by the FCA has consistently reduced over the period, from 17 in 2015/16 to 3 in 2019/2020.1 Furthermore, whilst Senior Managers have been subject to enforcement action, their status has been incidental to the action itself: the cases have typically concerned their own conduct breaches. The type of enforcement case envisaged by the Commission - a Senior Manager being held accountable for a failure happening "on their watch" – has yet to emerge. Why?
The ambition of the Commission was principally directed at large banks, which have complex organisational structures and extended hierarchies. In that context, proving that a Senior Manager failed to take reasonable steps to avoid a firm's regulatory breach is particularly challenging. An investigator must first assess whether the Senior Manager knew or should have known about the conduct, failing or its root causes. Ultimately, the Regulator will need to identify traces or symptoms of the failure - red flags that something might be wrong - and show that they percolated up to the Senior Manager. Although such evidence may be found, whether it can be judged as having reasonably put the person on notice of misconduct or some systemic failing is a separate matter. Clearing that evidential hurdle, the Regulator is left to prove that the Manager's response was inadequate, such that they failed to take reasonable steps to prevent the misconduct. The objective lens through which that assessment is made rightly takes into account the context and circumstances of the Senior Manager's role.
An alternative, far more charitable view, is that the culture and conduct of the financial services sector has improved (by the SMCR or otherwise), and there are less enforceable regulatory breaches committed by individuals. The Regime has perhaps produced a less fertile environment in which misconduct and systemic failings can take root. Many may think that a naïve view. However, empirically at least, plenty of industry insiders comment on how the requirements of the Regime focus the mind. The process of mapping out responsibilities, listing them and signing one's name compel senior executives to consider carefully what they are accountable for, and prompt them to identify areas of the business which are at risk of being in shadow. The regulatory nature of the process only increases the care taken in performing these exercises.
Similarly, a process of annual employee certification inevitably sharpens the scrutiny a firm applies to its employees, their conduct and competence. It instills in employees the need for ongoing professional development. That the architects of that process might themselves be sanctioned if it is proven defective, enhances the rigour applied to its implementation.
In recent years, 'culture' has been dominant in the language of financial services regulation. Whilst it was far from absent during the post-mortem of the financial crisis, it has increasingly been presented both as a litmus test and a by-product of a firm's regulatory health. In the FCA's eyes the SMCR is central to the fostering of good culture:
"The SM&CR is a catalyst for change – an opportunity to establish healthy cultures and effective governance in firms by encouraging greater individual accountability and setting a new standard of personal conduct."
As such, the SMCR has come to be seen as more preventative, less punitive, than the Parliamentary Commission intended. It should still prove to be a compass by which investigators can navigate the landscape of an apparent regulatory failing, but there is certainly no evidence that it has allowed the FCA to sanction individuals more easily. However, the SMCR represents an improvement on the previous framework and has proved successful in instilling a greater level of responsibility and accountability in the industry.
This article was first published by Compliance Monitor on April 7, 2021.
1. The figures for the intervening years were: 9 in 2016/17, 10 in 2017/18 and 8 in 2018/19
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.