What does SM&CR mean for you?

If, amidst the avalanche of regulatory changes coming down the pipeline, the Senior Managers & Certification Regime (SM&CR) regulations have not yet hit your radar, you are probably not alone. As is usual with these regulatory changes, consultation on the final rules is still ongoing and the impact on companies, both in time and cost, is still unknown.

Still, the fact that discussions are ongoing should not be interpreted as an excuse to do nothing. While it is typical of regulatory changes that final rules and interpretations remain unclear even after the legislated effective date, the effective date itself is typically fixed by legislation.

Since the Financial Conduct Authority (FCA) published the final SM&CR rules in July 2014, changes in the form of clarifications continue to be released. Some of these changes are significant, such as the announcement by HM Treasury in October 2015 to extend the applicability of the SM&CR regulations to all financial services firms and not just the banks.

The SM&CR will replace the Approved Person Regime (APR), which was introduced via the Financial Services (Banking Reform) Act 2013 as a series of amendments to the Financial Services & Markets Act 2000 (FSMA). The intent of the APR was to introduce the recommendations of the Parliamentary Commission on Banking Standards (PCBS), but its effectiveness has since been universally criticized, including by the PCBS.

As it stands, the SM&CR came into effect on 07 March 2016 with three key components:

1. The Senior Managers Regime (SMR) will replace the APR and apply to individuals in roles known as Senior Manager Functions (SMFs). Most existing Approved Persons will need to be transitioned into a new SMR role, while any new hires into SMFs or material changes to an existing SMF will require new regulatory approval. Thereafter, these SMF roles will require annual recertification as to the incumbent’s continuing probity.
2. The Certification Regime is similar to the annual recertification of SMFs, except that it applies to a broader base of individuals who, although not deemed SMFs, nonetheless perform a function the regulator deems capable of causing harm to the firm or its customers. These roles are referred to as Serious Harm Functions (SHFs) and the individuals are referred to as Certified Persons. The key difference between SMFs and SHFs is that appointments of individuals to SHFs do not require approval by the regulator as SMF appointments do.
3. The Conduct Rules define behavioural standards to which individuals in SMFs and SHFs will be subject and will need to formally acknowledge. These rules replace the Statement of Principles under the current APR.

The effect of this is that individuals in SMFs will require prior approval by the regulator, while individuals in SHFs will require formal approval by the firm. The  Conduct Rules will apply to both, as will the requirement to recertify these individuals at least annually. The intent is to broaden the base of individuals to whom the Conduct Rules apply, while reducing the number of individuals requiring approval by the regulator.

To allow a manageable transition to the SM&CR, banks will be required to comply with the regulations for new or materially changed SMF roles from 7 March 2016, and within 12 months from then for all existing SMF and SHF roles. Meanwhile, firms are required to provide names of individuals to be transitioned from the APR to the new SMR by February 2016.

The FCA estimates that Senior Managers occupying SMFs will make up around 10 per cent of the total number of approved individuals under the SM&CR, with the remaining 90 per cent being classified as individuals in SHFs. This shift in volume from the regulator to firms will impose costs in three broad forms to be met by firms:

1. Documentation required for Senior Managers in SMFs is significantly more detailed and onerous than for the APR equivalent. It includes a new “Statement of Responsibility” form, which has been the subject of recent criticism.
2. Some roles currently covered by the APR will not be covered by the SMR, but will be covered by the Certification Regime for SHFs, which firms will need to manage. Those roles, plus others defined by the regulator as SHFs, will increase the volume of roles for which firms are responsible, which will require ongoing monitoring and recertification.
3. The cost of training, systems and processes to record acknowledgements by individuals, as well as the recertification of both SMFs and SHFs, will all be additional costs to firms.

The one key difference between the APR and the SM&CR that has been welcomed by banks during the consultation process is the removal of the “reverse burden of proof” that applies under the APR. This imposes an obligation on the individual to prove they took appropriate precautions to prevent a breach or allow a breach to continue. By contrast, the SM&CR places this burden on the regulator, who will be required to show that the individual failed to take appropriate action.

The cost and effort of this new process – and its likely impact on what will probably become an important HR function – should not be underestimated.