There is less than a year to go until the UK Senior Managers Regime (SMR) comes into effect (the official date is March 7, 2016). The regime, part of the Financial Services (Banking Reform) Act 2013, aims to counter the toxic behaviour within financial services firms that led to the crippling 2008-2009 financial crisis. The new rules will make it significantly easier for the UK Financial Conduct Authority (FCA) and the UK Prudential Regulation Authority (PRA) to hold individuals to account for any gross misconduct at financial services organisations doing business in the UK.
Even though March 2016 seems a long way away, UK banks, building societies, credit unions and PRA-designated investment firms—including UK branches of foreign firms—will need to be preparing for the changes right up to the deadline. The near-final rules were released this past March, giving employers some much-needed insight into what to expect when the final rules are released in spring/summer this year.
While most affected organisations are focussing on the government requirements related to identifying senior managers and mapping their responsibilities, the SMR will also have a huge impact on governance and reporting processes, and raises significant training and management issues. As part of the preparation in addressing the SMR, employers should not forget the importance of a strong ethics and compliance programme that includes clear and accurate audit trails—particularly when the personal liability of its managers is at stake.
Burden of Proof Falls to Senior Managers
Under the SMR, senior managers will be held accountable for the conduct of all of the employees under their remit. Though this point was challenged by firms that feel it is too burdensome to apply conduct rules to all staff, the FCA stayed strong in its response:
“We think it is very important that staff at all levels of an organisation are subject to minimum standards of conduct and held accountable for their actions. The importance of conduct issues should be understood throughout an organisation, it should not stop below a certain level of seniority.”
For failures of conduct, it will be assumed that the senior manager is responsible unless they can prove they took reasonable steps to prevent misconduct in the first place. It’s a “guilty until proven innocent” mentality requiring senior managers to keep detailed records of their business decision-making within their respective areas. This will serve as an audit trail if misconduct does take place.
Firms are also required to notify regulators within seven days of when they become aware of or suspect that a person has breached the conduct rules.
The stakes are high for senior managers, who face up to seven years' imprisonment and/or an unlimited fine.
Put the Right Compliance Solutions in Place to Protect Your Senior Managers
The increased accountability of senior managers should be backed by compliance management tools that empower them to fulfil their obligations, mitigate risk and create a culture that helps minimise misconduct—and that is looked on favourably by regulators. The five practical core solutions organisations will need to have in place are:
- Policy Management Systems
Policy management software can not only help automate the distribution of policies but also track and store employee attestations of policies. Integration between policy management and incident management systems can also provide crucial information when an issue does arise—allowing senior managers (and regulators!) maximum visibility into compliance.
- Whistleblower Hotline & Incident Management Solutions
Employees across the organisation should have a means to report suspected misconduct anonymously through a whistleblowing hotline. An incident manager can consolidate hotline, web-based and open-door reports, giving senior managers immediate visibility into risk and creating a permanent audit trail.
- Third Party Risk Management
Organisations also need to ensure they are doing due diligence on third parties—from suppliers all the way down to customers. The critical risks here are around anti-money laundering and the UK Bribery Act. An automated third-party risk management platform houses all third-party identity, discovery and due diligence information in one online repository, enabling greater visibility into risk.
- Awareness and Training
Organisations should require and document completion of ongoing appropriate training for all employees. This is essential to communicate and reinforce standards and can help change behaviour and reduce instances of wrongdoing through prevention. Online training can also be linked directly to policies and vice versa through policy management software.
- Culture and Compliance Risk Assessments
Organisations need to thoroughly understand the legal, compliance and reputational risks they face—if a formal culture and risk assessment has not been undertaken, now is the time. Undergoing a culture or a risk assessment will help organisations appropriately identify potential trouble areas, allocate resources, and define (and document) an effective risk management strategy.
On the last page of their March report, the FCA ominously writes:
“The FCA expects senior management to take responsibility for ensuring firms identify risks, develop appropriate systems and controls to manage those risks, and ensure that the systems and controls are effective in practice. Where senior managers have failed to meet our standards, the FCA will, where appropriate, bring cases against individuals as well as, or instead of, firms.”
And just today, Bank of England governor Mark Carney advocated for longer prison sentences for bankers who break the law, saying, "the age of irresponsibility is over."
Time is running out for organisations to ensure that their senior managers have confidence and a clear audit trail to provide them with regulatory relief. The stakes are high—but with a strong and integrated SMR programme, as part of a broader ethics and compliance programme, organisations and their senior managers can significantly mitigate their risk with confidence and clarity.