Some further observations about the SM&CR
Martin Lovick, Josie Cooper and Dimitrios Sachinidis, ACA Compliance Europe, Senior principal consultant, consultant and analyst, London, 7 February 2019
As a follow-on from the previous article, the experts at ACA Compliance Europe survey the implications of the Senior Managers and Certification Regime – soon to apply to wealth management firms outside the banking sector as well as in – for 'conduct' rules, training, breach reporting and the new directory of financial service workers.
Changes are coming to the Financial Services Register and there is to be a new directory of financial service workers. The FCA is consulting interested parties about the directory. Certain individuals will be removed from the Financial Services Register and this is a result of them not being approved by the FCA any more. Technically speaking, this includes people who perform the CF2, CF30, CF28 and CF29 ‘controlled functions.’
As a consequence, the Financial Services Register will soon only hold the details of senior managers of whom the FCA has approved. Because of that, the directory can be said to be the firm's register; it will hold the details of those individuals who are certified by the firms themselves. The directory will include the whole spectrum of certified staff, plus any non-executive directors and any sole traders and appointed representatives and their personnel.
The directory is designed to be helpful in a retail context. Firms will, of course, have to bear the extra burden of feeding information to the directory.
Regulated firms are expected to have submitted all the relevant data to the directory by 9 December 2020. Any firm that makes no notification within a 12-month period will be asked to confirm that there have been no changes.
New functions and old
Which controlled functions will automatically ‘map across’ from the old regime to the new? The answer is the CF1 (the director function), the CF4 (the partner function) and the CF3 (the chief executive function). The CF2 will not automatically map across. A firm will only have to register a CF2 with his new senior manager function if he is to be the chairman. It does not matter whether the CF2 is based overseas or is a director of a parent company overseas; registration is required only if he is the chairman.
‘Conduct’ rules
In our previous article, we dwelt on two main pillars of the new regime: an outline of the Senior Managers’ Regime and an outline of the Certification Regime. What about ‘conduct’ rules, the last of the three legs of the regime? It is tempting to view these rules in the same light as the current statements of principle for approved persons, or APER, but there are some significant differences.
‘Conduct’ rules come into force for senior managers and certified staff on the commencement date of 9 December 2019. However, for non-executive directors and all others save ancillary staff, the rules come into force one year later, i.e. on 9 December 2020.
Conduct rules for all staff
There are five 'conduct rules' that apply to all 'conduct staff': senior managers, certified staff, non-executive directors and all other employees except ancillary staff.
Rule 1: You must act with integrity.
Rule 2: You must act with due skill, care and diligence.
Rule 3: You must be open and co-operative with the FCA and other regulators.
Rule 4: You must pay due regard to the interest of customers and treat them fairly.
Rule 5: You must observe proper standards of market conduct.
The conduct rules are the key element of the SM&CR that seeks to build a culture in which staff at all levels take personal responsibility for their actions. Of course, firms should be cautious of this wide expansion of regulatory rules to almost all personnel. This development might raise reasonable queries from people who were not previously captured by rules of a regulatory nature or origin. Firms should therefore be prepared to expect questions and answer them. People might ask questions about their own responsibilities and accountability under the new regime; or about insurance coverage; or about employment contracts; compensation; regulatory references; or background checks.
Only ancillary staff are excluded. This broad term covers all employees whose jobs are not relevant to the financial services industry, such as cleaners. It is not 100% certain that this specific exclusion of cleaners is prudent, as many of us remember Oliver Stone's film Wall Street, in which Charlie Sheen disguises himself as a cleaning company supervisor in order to obtain inside information.
In any case, the FCA has provided a non-exhaustive list of ancillary staff. This includes receptionists, cleaners, IT support and food caterers.
As we have said, conduct rules apply to all staff. There is an additional tier of conduct rules, however. These are the four conduct rules that apply exclusively to senior managers.
SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
SC4: You must disclose appropriately any information of which the FCA or Prudential Regulation Authority would reasonably expect notice.
Training
The SM&CR emphasises the importance of training as a means of ensuring that 'conduct staff' and senior managers understand their responsibilities and know how the rules in COCON (the part of the FCA’s rulebook that contains a code of conduct) apply to them. Responsibility for training is one of the four prescribed responsibilities for core firms. FCA guidelines state that suitable training should ensure that conduct staff have a broad understanding of the rules. They should also have a "deeper awareness" of how these apply to their jobs.
The readers of Compliance Matters are familiar with general compliance training, which might include topics such as market abuse, money laundering, bribery and so on, but SM&CR training might differ from routine compliance training.
Each firm should train people to deal with the SM&CR every year by both category and topic. Different firms might want to stage different training sessions according to people’s jobs, or they might wish to emphasise different aspects of the regime. For example, senior managers should understand what is meant by the legal terms of "duty of responsibility" and "reasonable steps." At the same time, trading staff ought to understand rule 5, about proper standards of market conduct, in detail. People who deal with customers ought to have a detailed understanding of rule 4, which insists on due regard to customers' interests and fair treatment for them.
Conduct staff should appreciate the effect of conduct rules and the potential for enforcement action. In general, training should include specific examples of good and bad behaviour that might apply to certain categories of people in relation to one or more parts of the SM&CR. At the end of the day, the onus is on firms to take reasonable steps and ensure that staff know how the rules ought to apply.
Senior managers and staff in the certification regime must have received the proper training by 9 December 2019, whereas conduct staff must have received the appropriate training by 9 December 2020.
Breach reporting – a brand new aspect of the SM&CR
Every firm will be required to tell the FCA when it has disciplined someone for breaking the FCA's conduct rules. It should continue to report the breaches of senior managers on the Form D on Connect (the regulator’s so-called user management system on which firms submit applications and notifications) within seven business days of the conclusion of the breach. For all other conduct staff, it ought to make annual notifications on the new REP008 on GABRIEL, the FCA's online system for collecting and storing regulatory data submitted by firms. The reporting year for REP008 (otherwise known as a Notification of Disciplinary Action) will run from 1 September to 31 August, with the due date being two months later. In the event of no notifiable breaches, the firm will still have to send off a 'nil' return.
It is well-known to anyone who follows the enforcement cases of the FCA that it has been successful in quite a few high-profile enforcement cases that involve people in senior positions. These people have been banned from financial services for conduct that bespoke a lack of fitness and propriety. Under the SM&CR, in addition to reporting any breaches to the FCA, firms are required to include any relevant breaches in their regulatory references.
The objective here is obvious. A breach might not be severe enough to justify the FCA opening an enforcement case against someone, but the FCA wants to deter such people even from minor misconduct.
There are two problems here. On the one hand, employees will run the risk of being accused of breaking the rules without any confirmation from a regulator. On the other hand, firms will have to grapple with the concepts of, for instance, honesty and integrity, and their conclusions will be quite subjective and inconsistent. Legal and HR (human resources/personnel) departments will have to co-operate with compliance departments on this matter.
Non-financial misconduct
The conduct rules are enforceable and they empower the FCA to take action over any kind of misconduct, financial or otherwise. In this respect, it is worth mentioning that Christopher Woollard, the FCA's executive director of strategy and competition, recently stated the following.
"The way firms handle non-financial misconduct, including allegations of sexual misconduct, is potentially relevant to our assessment of that firm, in the same way that their handling of insider dealing, market manipulation or any other misconduct is."
Here we have plenty of evidence that the FCA is progressively placing non-financial misconduct on the same footing as traditional financial misconduct. Nobody knows how this will affect firms in the near future.
A stand-alone project
So far we have covered the rules and requirements of the SM&CR, but how do firms go from here to full compliance by 9 December?
One important step is to realise that the SM&CR should be treated as a regulatory implementation project in its own right – maybe not quite of the order of an AIFMD or MiFID II, but as a significant one nevertheless. At ACA we have helped several firms through these projects. The ones that have gone through most smoothly have realised the importance of setting the SM&CR up as a stand-alone project in its own right.
This entails such precautions as establishing a project team with the necessary authority to make changes; giving it appropriate resources in terms of time and expertise; and spending large amounts of time discussing the required changes to policies and procedures with the entire senior management team.
Who might be on such a project team? This will of course vary from firm to firm. It is inevitable that the compliance officer will play a leading part, but it would be unwise for the firm to leave everything to him. Operations, legal and personnel are just some of the departments that are likely to be included here.
When should a firm start on its project? A recent survey reported that 80% of firms plan to start their implementation project in Q1 or Q2 this year, which is probably about right. Larger firms ought to have already had this on their radar for some time, but smaller firms should not panic as there is enough time for them to do the necessary things.
Five steps to heaven
There are five phases that are crucial for a successful SM&CR implementation. They are as follows.
Phase 1: Understanding and impact analysis. We've already partly covered this. It's about putting that project team together, engaging with the requirements, and understanding the key impact points and the gaps in your current processes.
Phase 2: Briefing the senior management team about the implications of the SM&CR. Let us be clear; the SM&CR does have the potential to ruffle a few feathers. Most of us like being in a position of power and authority; we are probably less keen on the idea of being held accountable.
Phase 3: Implementing the key processes that have to be in place. These include assessments of people for their "fitness and propriety," certification and the investigation of breaches. Planning and support also play their parts here.
Phase 4: Updating existing compliance documents while also supporting SM&CR collateral. The documents include compliance manuals and policies. This is the stage at which one creates some of the new collateral, such as the required statements of responsibility.
Phase 5: Dedicated training about conduct rules for senior managers and all other staff. The thinking here is that you probably want to consider at least two training sessions - one for each of these groups.
Timescales
We now have a little over ten months to go. Without being too trite about it, we believe that if you, the compliance officer, were to plan your firm’s implementation project with the aim of taking about two months for each phase, you would probably not be too wide of the mark.
* ACA Compliance Europe can be reached on +44 207 042 0500