In the FCA’s own words, the Senior Managers & Certification Regime is being introduced to “make sure firms and staff clearly understand and can show who does what” and to create “a system that enables firms and regulators to hold people to account”.
Yet it has decided to only impose the “overall responsibility” requirements on firms falling within the Enhanced regime, which will amount to less than 1 per cent of those it regulates.
This requirement places an explicit obligation on firms to ensure a senior manager is allocated overall responsibility for every business area, activity and management function – there can be no gaps.
When all the firm’s activities are mapped, it and the FCA must be able to readily identify which senior manager has overall responsibility for each area of the business.
This goes to the very heart of why the SM&CR was introduced in the first place – making firms responsible for ensuring nothing falls through the gaps, with a highly motivated and accountable individual appointed to keep a keen eye on each area.
Any area of the business for which a senior manager is responsible will be listed in their Statement of Responsibility and they will be held personally accountable should any issues arise within it.
Mind the gap
The FCA justified its decision to only impose the overall responsibility requirement on Enhanced firms on the basis it would be disproportionate to impose the requirement on all.
So, what does this mean for Core firms – which comprises the vast majority of firms, other than those with limited permissions – and for the SM&CR more broadly?
Senior managers in Core firms will only be accountable for:
- The area that falls within their senior manager function. For instance, the senior manager holding SMF16 (the compliance oversight function) will be responsible for the compliance function in the firm and reporting to the governing body on this.
- Any of the prescribed responsibilities that have been allocated to that senior manager by the firm.
- Those areas of responsibility set out in their Statement of Responsibility, as determined by the firm itself.
Crucially, this means a Core firm has no duty to ensure that overall responsibility for every business area, activity and management function is allocated to an individual senior manager. This means there is the potential for gaps.
Of course, there is nothing preventing Core firms from carrying out an analysis of their business areas and activities, and allocating responsibility for each to a senior manager (as is required of Enhanced firms) in their agreed Statements of Responsibility. Indeed, it could be argued this approach represents best practice.
However, this approach will potentially impose more responsibility and accountability on senior managers than is strictly required by the new regime. As such, Core firms could be tempted to avoid it.
But would the FCA take the view that no senior manager is personally accountable for each area of the business (which would appear to dilute the effect of the SM&CR) or would it take the view that all executive director senior managers share responsibility for each business area? Is it really that easy for the executive directors to avoid personal accountability?
The situation is slightly different for those firms with a senior manager carrying out a chief executive role (currently the CF3 controlled function).
Under the current regime, where an individual is responsible (either alone or jointly with others) under the immediate authority of the governing body for the conduct of the whole of the business, that person must become an approved person with the chief executive function. Consequently, many firms do not currently appoint a chief executive function, as responsibility is shared among board members.
Under the SM&CR, it is still not compulsory to appoint a chief executive senior manager unless someone is actually fulfilling that function. However, if a firm does appoint a chief executive, that individual will have to state they are responsible for the conduct of the whole of the business (or relevant activities) in their Statement of Responsibility.
This means that, if something goes wrong across any area of the business, the FCA will investigate whether the chief executive senior manager took the steps a person in their position could reasonably be expected to take to avoid the breach occurring. If there is no other senior manager who has accepted responsibility for a particular area of the business the chief executive may carry the can alone.
It is therefore likely that, for those firms, the chief executive will want to carry out their own analysis of its business activities and delegate responsibility for different areas to different senior managers. Where that responsibility is then detailed in the senior manager’s Statement of Responsibility, the FCA is likely to take enforcement action against that senior manager (either in addition to or instead of the chief executive) if any breaches occur in that area.
As mentioned, though, not that many firms decide to have a chief executive, meaning this is unlikely to apply to many within the Core regime.
Without the overall responsibility requirement for those firms falling within the Core regime, the real impact of the SM&CR is currently unclear.
Firms would be well advised to consider this issue carefully when implementing the regime. The FCA may challenge an approach that does not allocate responsibility for areas of the business to a senior manager and does not appoint a chief executive – or it may simply take the view that the board of senior managers share that responsibility, notwithstanding that it is not dealt with in their Statements of Responsibility.
Clarification of the FCA’s view and proposed approach would be welcome, as this appears to be a gap in the information currently available.
Alan Hughes is partner at Foot Anstey LLP