The Senior Managers and Certification Regime (SMCR) replaced the Approved Persons Regime (APR), and banks, building societies and other financial institutions adopted the regime in 2016. With the legislation having been extended to all FCA-regulated firms, in this blog we look at common questions around SMCR compliance – helping to protect your business from staff misconduct, financial penalties and the negative publicity that might follow.
Our handy Q&A explains everything you need to know about the new regulations and the impact of COVID-19, so you can plan recruitment as businesses look to the future post-pandemic.
What is SMCR?
According to the FCA, the purpose of the SM&CR legislation is to ‘reduce harm to consumers and strengthen market integrity by creating a system that enables firms and regulators to hold individuals to account.’ In other words, it’s designed to ensure those in senior roles have the skills, knowledge and integrity to act in the customers’ best interests, while setting a new standard of personal conduct for everyone working in financial services.
Who does the SMCR apply to?
SMCR was first introduced in the banking sector in March 2016 to create greater accountability for those with responsible roles, and then to dual-regulated insurance providers in 2018.
The regime was extended to all FCA regulated firms from 9 December 2019 including investment managers, product distributors, insurance brokers and consumer credit providers. However, due to the COVID-19 pandemic, the implementation deadline for some requirements of SMCR has been extended to 31 March 2021, to give firms more time.
What does SMCR involve?
1. The Senior Managers Regime
The first part of the legislation, the Senior Managers Regime, states that those at the top level must be FCA or PRA approved before taking up a position, and certified at least once a year. A company then assigns each senior manager a ‘statement of responsibilities’, leaving them in no doubt about their obligations. According to FCA guidelines, a company must be satisfied that its Senior Manager is fit and proper to perform the role. The FCA suggests a number of checks as helpful and important, for example, a criminal record check, directorship check or credit check.
“The regime embraces a very simple proposition – a senior manager ought to be responsible for what happens on his or her watch.” Mark Steward, Director of Enforcement and Market Oversight at the FCA
2. The Certification Regime
The second part of the legislation, the Certification Regime, ‘applies to employees whose role means it’s possible for them to cause significant harm to the firm or its customers’. While these people do not have to be FCA or PRA approved, businesses still have to ensure they are ‘fit and proper’ to do their job, both when they start and then once a year or more going forwards. Although certified employees aren’t required to undergo a criminal record check under SM&CR, it’s usually good practice to do so.
The Conduct Rules – improving standards throughout your organisation
The Conduct Rules are a new set of enforceable rules that set basic standards of good personal conduct, against which the FCA can hold people to account. They apply to all employees and are designed to help shape firms’ culture, standards and policies and encourage positive behaviours. There are two tiers of Conduct Rules: rules for all staff, and specific rules for senior managers. The aim of the rules is to improve both individual accountability and company-wide awareness of conduct issues.
First Tier – Individual Conduct Rules
- You must act with integrity
- You must act with due care, skill and diligence
- You must be open and cooperative with the FCA, the PRA and other regulators
- You must pay due regard to the interests of customers and treat them fairly
- You must observe proper standards of market conduct
Second Tier – Senior Manager Conduct Rules
- SC1 – you must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
- SC2 – you must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
- SC3 – you must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
- SC4 – you must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
How has COVID-19 impacted the rollout of SMCR?
The FCA has extended the deadline for some requirements of SMCR to 31 March 2021, recognising that firms may have had to furlough key staff for example, or that training for certified staff may not be available.
“We recognise that firms affected by coronavirus will need to keep their governance arrangements under review. Where we can, we intend to provide flexibility to firms.” The FCA
The FCA has proposed delaying the following SMCR requirements:
- the date the Conduct Rules come into force
- the deadline for submission of information about Directory Persons to the Register
- references in their rules to the deadline for assessing Certified Persons as fit and proper (which has been agreed by the Treasury)
The FCA told the Financial Times:
“These proposed changes recognise the exceptional stress placed on financial services firms by the COVID-19 pandemic and the importance of firms to fully and properly implement the certification regime and to train staff effectively in the conduct rules.”
A cultural shift
The FCA stresses that SMCR compliance should not simply be seen as a ‘box-ticking exercise’ but a cultural shift towards transparency in the financial services sector. The deadline for some requirements may have been extended, but the FCA can still take action against senior managers and certified persons for misconduct during the coronavirus pandemic, and firms can still be held accountable under SMCR rules.
Why has SMCR been introduced?
SMCR replaced the Approved Persons Regime, which came under scrutiny from the Parliamentary Commission on Banking Standards (PCBS). These criticisms included ambiguity around senior management responsibilities.
The new regulation aims to set out clearly who is responsible for what and encourage honesty and best practice across the organisation.
What are the disciplinary actions following a breach?
Individuals, rather than the business, are now held accountable for a breach that falls in their area of responsibility. Under SMCR, the FCA must prove that the senior manager did not take reasonable steps to prevent the breach.
But, as we have seen, the onus is on firms to perform adequate checks on their employees before they join the company and at regular intervals afterwards.
Of course, the type of penalties imposed will depend on the seriousness of the breach and the FCA could take action against the individual, company or both. Still, it is worth reiterating the breadth of enforcement powers the regulator has, which include withdrawing authorisation, court action and fines – all of which could be crippling for an individual and/or the company.
How should I review compliance processes in line with the new legislation?
Navigating any new legislation can feel like a minefield, so it’s important to have clear compliance processes in place from the start.
The first step is to identify what your senior manager roles are and establish the checks that need to be carried out and when. Then decide who is responsible for these checks, including whether they are performed in-house or outsourced. Background screening on candidates is crucial, but you should also have a framework for re-screening existing employees within the company.
Why is employment screening important under SMCR?
Pre-employment and employment screening is one of the ways in which you can help protect your organisation and mitigate conduct risk. Screening under SMCR is something we’re really familiar with at Experian, as we’ve been working with banking clients who are already governed under SMCR for a number of years. Our employment screening solutions are geared up to ensure simple, yet robust screening is in place once you’ve identified the definitions of responsibility for senior managers.
Adhering to the SMCR framework requires that the individuals placed in roles within it are screened adequately, and that your organisation can certify that these individuals are ‘fit and proper’ to carry out their roles.
Your employment screening process under SMCR
We work with a range of clients governed under SMCR and each organisation will have its own process for screening regulated roles. There are different levels of checks that may be deemed adequate for these roles and it’s important to have a process in place to ensure you’re carrying out the right checks for the right roles. As employment screening specialists under SMCR, a member of our team can come into your business to review your process and advise on how this might be set out to ensure a robust screening process is in place.
It’s important to note that your process should also include internal promotions and regular re-screening. Promotions to roles governed under SMCR should be tracked, so that adequate screening can be done prior to the person starting the new role.
Tips for screening under SMCR
- Determine your senior manager roles. Set out which checks need to be carried out for the relevant roles and when.
- Clearly define who will be responsible for conducting the checks. Outsourcing this work to Experian can save a lot of time and help you to reduce cost, improve efficiency and deliver a positive candidate experience, whilst giving you peace of mind.
- Set out robust, compliant processes to help mitigate risk to your business and protect your employees.
- Be clear on your best practice for screening both SMCR roles and the rest of your workforce. There are a range of background checks applicable for all types of roles to help mitigate business risk and our consultants can review this with you.
What all regulated and non-regulated firms need to know about SMCR
Ensuring compliance with the new regime could involve a lot of work. However, all firms are currently obliged to issue regulatory references to an individual’s new employer if he/she is carrying out a CF30 role. In line with the proposals in the Fair and Effective Markets Review (FEMR), firms will now be obligated to issue regulatory references to an individual’s new employer if he/she is taking on a Certification role or Senior Management Function (SMF).
Regulatory references should provide an overview of the individual’s conduct record. Firms will be required to share a standard template which includes the following information:
- Details regarding the certified function held.
- Information relating to whether the individual has at any time within the last six years been in breach of Conduct Rules.
- Whether the individual has failed to be classed as fit and proper for certification within the last six years.
- Any record of disciplinary action including the basis and outcome.
This information will support firms in assessing the fitness and propriety of new candidates to take on Senior Managers and Certification roles. However, for the firm providing the reference it could raise a number of legal and operational considerations. Firms should ensure they have appropriate policies in place to determine the appropriateness of information to be included in a regulatory reference.
The wider roll-out of SMCR has put employee screening firmly in the spotlight, and for good reason. Professional misconduct can cost a firm hundreds of thousands, if not millions, of pounds in FCA fines, on top of the reputational damage and any lost business that results from it.
Compliance is business critical, but demand for key skills means businesses are also under pressure to recruit and promote staff quickly – and hiring managers must have the mechanisms in place to carry out background checks as required quickly and efficiently.
Data-driven employee screening
Data-driven employee screening, delivered by an FCA-regulated business, is one of the most effective ways of establishing an individual’s competence and integrity in line with SMCR, and should be carried out on both candidates and existing employees.
We can help you carry out all the relevant checks quickly and provide the level of support needed to deal with senior members of your organisation.
Typical checks may include:
- Senior managers (new roles) – ID, adverse, standard DBS, 6-year occupational history including regulatory referencing if applicable, highest education, directorship, PEPs and sanctions, gap identification, adverse media, gap analysis, statutory excuse, professional qualification and FCA check.
- Certification Regime (new roles) – ID, adverse, basic CRC, 6-year occupational history including regulatory referencing if applicable, PEPs and sanctions, directorship, gap identification, gap analysis, professional qualification and FCA check.
- Senior managers (re-vetting) – Adverse financial, standard DBS, directorship, PEPs and sanctions, adverse media.
- Certification Regime (re-vetting) – Adverse financial, basic CRC, directorship, PEPs and sanctions.
Our SMCR experts can help you to review your screening process in line with the new regime and support your business throughout the COVID-19 pandemic. Simply get in touch with us to find out more.