It seemed a long time in the making, but finally, 9 December and the implementation of the SMCR for solo-regulated firms is upon us. Firms will have spent months preparing for implementation and should now be breathing a sigh of relief at what they have achieved. But it's not all over – there is still work to be done, not to mention general ongoing compliance. In this article, originally written for Compliance Monitor, Emma Radmore looks at what experience has identified as thorny points in SMCR implementation to date and to what 2020 has to offer for the SMCR
What should firms have done?
In order to meet the 9 December deadline, there were many strands of the SMCR that firms needed to consider.
Categorisation of firm
First, firms needed to assess whether they fell within the enhanced, core or limited scope firm categorisation for SMCR purposes. For most firms, hopefully this was not difficult, but for some, there were issues to consider.
The baseline for firms is to assume they are core unless they meet the criteria for either enhanced or limited – or if they choose to opt up. Firms that may choose to opt-up would normally fall into one of two buckets – those that are not of themselves enhanced firms but are in a group with enhanced firms and it is easier for compliance to treat all firms the same; or firms who are close to key thresholds.
Two categories of enhanced firm are based on an absolute – those that are "significant IFPRU firms" and those that are "CASS Large firms". All the other categories depend on amounts of business – firms with £50 bn or more AUM on a three year rolling average, firms with total intermediary regulated business revenue of £35m or more per annum on a three year rolling average, firms with annual revenue generated by consumer credit lending of £100m or more on a three year rolling average, or a non-bank mortgage lender or administrator with 10,000 or more regulated mortgages outstanding.Firms with business in any of these areas that do not currently exceed the limits would have needed to consider whether it is likely in the short-term that they may do so. If the answer is "yes", then they may have decided to comply with the rules for enhanced firms from the start, rather than potentially needing to recategorise themselves. The downside to this is that once a firm has notified FCA of its decision to opt-up, it has to comply with all the rules applicable to enhanced firms – which, by their nature, are more onerous than those applying to lower categories, to reflect the fact that enhanced firms are considered to present greater regulatory risk.
Firms that are not enhanced firms, then, would be core firms unless the nature of their permissions means they are limited scope firms. All these tests are absolute, and take into the limited scope bucket:
- Limited permission consumer credit firms
- Insurance intermediaries whose principal business is not insurance intermediation and who have permission to carry on insurance distribution activity only for non-investment insurance contracts
- CMCs that carry on only CMC business or are also insurance intermediaries and/or may advise on P2P agreements
- CMCs that are also limited permission consumer credit firms
- Sole traders
- Authorised professional firms, such as lawyers and accountants, whose only regulated activities are non-mainstream regulated activities
- Oil and energy market participants whose principal purpose is to carry on activities other than regulated activities and who are not MiFID investment firms
- Service companies
- Subsidiaries of local authorities or registered social landlords or
- Authorised internally managed AIFs
Notably, firms that fall within two or more of these categories, such as firms whose permissions are for secondary credit broking and insurance distribution are not limited scope firms.
Deciding the SMFs and discussing the SORs
The next step that firms had to undertake was deciding who would be appointed to each Senior Manager Function (SMF). Again, this was not necessarily as easy as it sounded. For most firms, the starting point, of course, was to consider which individuals were in controlled functions, and whether these would just map across to the equivalent SMF. The intention of the SMCR was not to require firms to appoint individuals to positions which have a pre-SMCR equivalent that did not apply to firms – for instance, if firms were not required to have a money laundering reporting officer as a controlled function, they would not need to appoint one to the equivalent SMF. But some firms will undoubtedly have taken a step back to assure themselves that they had appointed individuals to the relevant controlled functions to start with.
This part of the process would also entail also discussion with the relevant individual on what responsibilities the role would encompass, by means of agreeing with them their Statement of Responsibilities (SOR).The SOR comprises Prescribed Responsibilities (PRs), each of which must be allocated to an SMF holder, and other responsibilities. Some controlled function holders may have baulked at seeing their responsibilities described in this manner, especially those in firms whose compliance culture was not ideal, or who had taken on the controlled function without fully understanding its implications. So in some cases, firms will have had to appoint new individuals, whether because their assessment of the incumbent suggested the individual would not be the appropriate person to take the position forwards, or because the incumbent refused. If firms needed to make changes, they will have tried to make the change at Approved Person level, so that the replacement individual would map across to the SMCR, rather than having to make an application under the new SMCR format.
Additionally, some firms will have needed to consider whether they actually have a chair – the one position in core firms that would be occupied by a non-executive director that would be an SMF.
And, when firms were considering their SORs, they will have needed to consider a number of matters, not least:
- A key aim of the SMCR is to ensure it is possible to hold an individual to account for a failing in the firm.Hence, FCA is not keen on shared responsibilities.If a responsibility is to be shared, firms need to be clear on the reason (such as a job share), and, equally the SORs for the relevant individuals need to be clear; and
- How to draft the SOR clearly and succinctly for individuals holding more than one SMF.
Firms must also always bear in mind that any significant change to an SMF holder's responsibilities will entail an update to the SOR, and notification to FCA.
For most firms, the biggest challenge is presented by the Certification Regime. At first sight, this was not obvious. The rules were clear that Certification Functions comprised:
- The Significant Management Function (CF29)
- Proprietary traders
- The CASS Operational oversight function and
- Functions subject to qualification requirements.
But, the more firms thought about this, some problems became apparent.First, when firms considered the Significant Management Function.The easy route was merely to consider that those currently approved to CF29 were the only individuals who would meet this criteria.But in many firms this probably was not the full picture – for example, in firms whose main business is not regulated business, such as retailers, individuals with significant responsibility for a business unit on which regulated business touched would seem to fall within the category, although firms may not have considered this under the approved persons regime – rightly or wrongly.
Even more problematic in some ways is the category of "functions subject to qualification requirements". This does not map neatly across from "just" all current CF30s. There are a number of areas of regulated business where qualifications are required that are not "designated investment business" – so there was quite an exercise to be carried out there for some firms.
Firms needed also to check they had included any non-SMF holder who supervises or manages a Certified Function, and also any SMF holders who carry on a Certified Function distinct from their SMF – which may happen, although probably only rarely.
This matters because of both the need to assess each person in a Certification Function against the fit and proper requirements, but also because they will need in future to be included in the new Financial Services Directory – introduced as a result of concern that, given CF30 function holders will no longer be on the Financial Services Register, customers would not be able to check whether the person they were dealing with was, on the face of it, competent to perform the function. But the consequence of the extension of the Certification Function to non-CF30 function holders (and the possible wider interpretation of the significant management responsibility) is to require firms to submit information to the Directory on many more individuals than are contained on the Register under current rules.
Fitness and Propriety – Initial and Ongoing assessments
Having put in place their SMF holders and decided on their Certification Function staff, firms will have had to work on their processes that will ensure that staff remain fit and proper.This will have included registering with the Disclosure and Barring Service, and then deciding which staff to check against it. The procedures will need to be sufficiently fluid so they are not just a box-ticking annual review or activated when a new employee joins the firm, but will kick in when, for example, an employee transfers roles or takes on an additional responsibility which brings them within a Certification Function for the first time or is a significantly different function from their current one. It will also need to recognise events that may happen that might call an individual's fitness and propriety into question – such as a criminal conviction or bankruptcy.
Firms must also remember that the Fit and Proper test applies to NEDs, and, where they have overseas operations, have considered how the regime and the test may apply to overseas staff.
The final piece of the SMCR jigsaw is the Conduct Rules. By now, firms should have assessed which employees (which will be the majority) are subject to the Conduct Rules and made this clear to them and, of course, which are subject to all the rules and which subject to just the first tier. All SMCR and Certification Staff have to have been trained by 9 December and be compliant with the Conduct Rules.
What's left and ongoing?
As part of what firms had to do before 9 December, various amendments to policies and procedures will have been made.Not least employment contracts and employment handbooks will already have been updated. But there will still be work do be done, and kept up to date. Not least:
- Firms must have in place their policy and procedure for the giving and receiving of regulatory references – with appropriate amendments to employment contacts and handbooks and disciplinary procedures.Firms must understand when references will be required, when they should be updated, and how to act if giving or receiving a reference for a problematic employee;
- As already mentioned, firms will need to ensure appropriate measures are in place for regular and event-driven fit and proper checks on senior managers, NEDs and certification staff – and that triggers are in place so checks are done at appropriate event-driven times;
- Firms should be working on adapting and updating training programmes so that those staff who did not have to be trained in the Conduct Rules before December 2019 will be trained over the next year, and that there is then an appropriate programme of induction and refresher training for all relevant staff;
- Firms should have in place procedures for understanding the new FCA Forms for new applications for SMFs and building appropriate time into any recruitment process; and
- Generally, firms need to be confident they will review SORs to ensure all responsibilities have been properly apportioned, and recognise if a change in business will lead to changes in responsibilities or, more fundamentally, a change in SMCR categorisation; and
- Gathering information for entry in the Directory.
Most firms ought to have spent some significant time on preparing for SMCR – getting their houses in order and putting in place appropriate paperwork to show they have met initial deadlines. But they should not now down tools, as it is important to keep the momentum going, not only to complete the work which they have until December 2020 to do, but also to make sure SMCR compliance is hard-wired into all systems and controls going forwards.