Financial institutions initially underestimated SM&CR but are beginning to realise its profound impact and the level of change it requires, according to Carl Redfern, co-founder and compliance director at Redland.
SM&CR, which is the senior managers and certification regime, was introduced by the UK’s Financial Conduct Authority (FCA) in 2016. It was established with two goals, the first to encourage a culture of staff at all levels taking personal responsibility for their actions. Secondly, it aims to ensure firms and staff clearly understand and can demonstrate where responsibility and accountability lies. This regulation currently applies to banks, deposit takers and insurers but is being extended to all FCA regulated firms in December 2019.
One of the core requirements of SM&CR is that senior managers have a clear statement of their responsibilities in which they are accountable for. In addition to this, the certification regime element of SM&CR requires any employees which have a role that means they can cause significant harm to the firm or its customers must have an annual assessment to certify they are ‘fit and proper’ to perform the role.
On the face of it, this might not appear to be as challenging to prepare for compared with other more prominent regulations, but that is the problem, according to Carl Redfern. When the regulation initially dropped in 2016, he believes that many financial institutions misunderstood or underestimated the sheer impact SM&CR would cause on the daily and essential business operations. They saw the accountability requirements as efficient practice management, so compliance would be simple and rather little impact on them.
He said, “SM&CR does look a little like it is just good governance practice and most firms probably believe that they’re being well run, and for many firms that will be true. However, there’s perhaps a difference between something that is being well run and something which is robust enough and rigorous enough to stand up to the scrutiny of some form of supervisory investigation.
“If somebody does wrong in your firm you must turn to your evidence base and your recordkeeping to look for evidence that justifies you were taking the right steps and that you were making the right decisions on behalf of the customers and that your management team were well informed when they were making decisions. Quite often there are gaps. I think that was one of the things that caught a number of firms out as they hadn’t appreciated what being subject to accountability meant and what the potential scrutiny would mean for their business.” It is also worth noting that at a recent conference speech, a representative from the FCA said, “Things go wrong by mistake more often than misconduct. Accountability [SM&CR] will ensure senior managers are directly responsible for the results, regardless of whether it was a mistake or malpractice”.
Not only does the regulation appear to simply be good governance, it is also fairly similar to the existing Approved Persons Regime. An example of this, given by Redfern, is the Conduct Rules. These look like they just need to be refreshed annually and in a similar fashion to the Approved Persons Regime; however, SM&CR conduct rules are much more potent and require a lot closer scrutiny of accountability.
As things got closer to the deadline, there was a realisation in a lot of firms that SM&CR needed a lot more work and was not as simple as it appeared, Redfern claimed. Due to senior managers being clearly and personally accountable to any problems which surfaced, they began wanting a lot more confidence that their areas of the business was not causing any issues and would not going forward. To do this, they needed a lot more information and analysis to ensure everything was operating as it should. However, this was not easily available as the assessments required a lot of manual processes and robust accountability regime infrastructures had not been implemented.
In reality, there are hundreds of policies and processes in a firm which are affected by the SM&CR. Senior managers are obviously accountable, but so are a number of employees and this then cascades down to people working with them, eventually leaving the majority of a business subject to SM&CR. This means firms need to be aware of the changes and ensure they are reviewing how they record governance arrangements and decision making.
He added “Part of the challenge under SM&CR is that actually the regime is not very tolerant of gaps in reporting information arrangements. You need to be much more proactive in managing the risk of breaches or adverse events in order to avoid creating issues which then become reportable under SM&CR and might therefore expose the senior managers personally being accountable and responsible for those issues. They must ensure that any issue that arises is well marked up, well corrected and any adverse outcomes for customers are properly managed and the customers are properly treated properly and considered throughout.”
Three years on from its introduction, Redfern can see the market is starting to see the genuine benefits that SM&CR can make to the financial services industry. Arguably, the regime was created to build more individual accountability, but it is helping to improve customer outcomes, market safety and a cultural change within institutions to ensure there is greater trust, scrutiny and avoidable mistakes are not made.
He added, “Both the FCA and PRA have made it very clear that they will continue to prioritise cultural change in financial services over the coming years, and that SM&CR is one of the primary tools in their kit bag for delivering that cultural change.”
The FCA has really stepped up in trying to help companies with compliance, Redfern stated. A lot of the technical aspects of the regulation require interpretation by your business and how you assess risk assessments and approaches to accountability. Many firms didn’t realise quick enough the regime revolved around their decisions and approach to complying. To help companies overcome these misunderstandings and ensure they got comfortable with the new levels of risk, the FCA has released various pieces of guidance and intend to publish further guidance in the run up to December of this year.
An unintended consequence of clearly documenting and highlighting lines of responsibility has made it easier for firms to conduct future decision making and restructuring of governance arrangements, as its now very clear who is responsible for what. If an institution wants to extend operation activities, launch new products or advance customer bases, it has become much simpler to identify who in the company needs to be involved and what the impact will be. This sense of forensic understanding of responsibility is not just improving customer experiences but also operational efficiencies and decision making, he said. Going even further, staff development and retention can be boosted, as firms can clearly see what they need to be doing and how individuals can be successful in their role.
Leveraging technology to boost compliance
To effectively meet compliance for SM&CR, companies need a holistic overview of their business, with access to a considerable amount of data. This all revolves around big data and AI technology solutions. Under the regulation’s certification regime, which requires staff to be assessed on whether they are fit and proper for their role, a RegTech can replace manual burdens of finding relevant information with an automated solution.
For a human to physically look holistically across a business to make an accurate judgement, it would take masses of time and effort to do. Whereas, a tech solution can quickly access data around whether a person has made mistakes, been involved in a breach, implicated in complaints and whether they need any additional personal development and performance monitoring.. This can then be collated and given to a manager so they can conduct informed risk assessments on whether a person is fit and responsible for a role. When a firm has their accountability policies in place and how they want to assess or judge employee behaviour, they can essentially use technology to risk assess everyone in the business on all transactions and customer outcomes..
“What you don’t want technology that tells you that last month some staff failed to comply with their accountability obligations, even if it’s officially produced AI that’s automatically delivered to your inbox, that’s too late. What you want is some proactive technology that tells you that this small collection of individuals look like they’re beginning to drift off track. Before appropriate remedial action is taken, investment in these people can be undertaken to keep them on track. It can keep them on the straight and narrow to preventing that regulatory breach to occur. This kind of proactive management of accountability is exactly what technology can deliver, and it isn’t sort of bleeding edge stuff. The heavy lifting here is done by appropriate record keeping in your performance management and appraisal processes.”
Companies like Redland provide just this. Its platform is a people-centric application which fits seamlessly in with an organisation’s existing infrastructure. This enables the platform to understand everybody’s role within a business, their responsibilities and reporting lines, making it easy to identify and highlight any transactions which need monitoring or checking. It also alerts businesses to any employee that needs development to stay on track or even anyone which needs additional coaching in their position.
“When you boil it down, our application does four simple things, it distributes policy consistently across diverse communities, it automates processes, implements efficient and effective record keeping and offers proactive oversight.”
To hear more from Carl Redfern, co-founder and compliance director at Redland, he will be speaking at the Global RegTech Summit on 15th May in London on ‘SM&CR – why RegTech is the only workable solution’. He will also be speaking on a panel with other RegTech leaders to discuss how AI and machine learning is helping with regulatory compliance.
Copyright © 2018 RegTech Analyst