Achieving SM&CR Compliance The Right Way
The extension of the Senior Managers and Certification Regime (SM&CR) to FCA solo-regulated firms takes place on 9th December 2019 it's more important than ever for firms to appreciate the spirit of this regulation as well as the letter. This is an opportunity for your firm build a culture of accountability and responsibility. Don't lose it.
“Greed is good” Gordon Gekko said in the 1987 film Wall Street. And in Michael Lewis' book The Big Short, securities salesmen knowingly selling overpriced securities disparaged their customers as “the idiots in Dusseldorf”.
Thankfully, those are the sentiments of a bygone era. No responsible person in financial services today would want to be associated with it.
In keeping up with the times, the Senior Managers and Certification Regime (“SM&CR”) ushers in the spirit of in individual accountability for the financial services industry in the UK. This is a framework to help regulated firms demonstrate that they have good corporate governance and risk management practices.
This should help firms - and their customers - to better understand how well their business is managed. And this is critical - as if a firm doesn't keep its business partners, suppliers, employees and customers happy - then they may go elsewhere - and a far lot quicker than any regulator can even think of acting.
Put simply, the SM&CR is about preventing harm
Firms must show that they've actively considered how conduct within their organisations has been and can continue to be improved to prevent harm.
The SM&CR requires that firms are able to demonstrate that they've got acceptable practices with regard to their:
- Corporate governance
- Risk management
- Management accountability
None of these should be alien to well-run firms - whether they operate in the restaurant, sporting, travel or financial services sectors. In fact, they should be considered as 'basic hygiene' factors.
Which means that the SM&CR is not a 'one-off' process to be done and then be forgotten about, but rather an ongoing way of firms thinking about and being able to 'show and tell' the way they make sure that:
- The firm is actively planning on being around, at least for the medium term - which is good for their owners, employees, and customers; and
- That they genuinely recognise that putting their customers' interests at the heart of their business model is nothing other than good business sense.
A firm that plans on surviving and thriving is much more likely to take more sensible management decisions that positively impact everyone that they come interact with.
What do firms actually have to do to reach SM&CR nirvana?
The answer must be nuanced because, like so many questions - such as 'how far is it to Tipperary' the answer depends - critically - on where they're starting from.
And it is difficult to be prescriptive - as each firm must work out how to create an environment of openness where individuals feel empowered to do the right thing and to escalate conduct risks where they observe them.
What is critical is that the senior management team 'walk the talk' and are seen to actively demonstrate the desired behaviours themselves - in a practical way and on a day-to-day basis. And that poor behaviour from perceived 'star' players - whether they are money-making traders or Premier League footballers - is evidenced to be not tolerated and be actively punished.
But returning to what needs to be done now - the answer is that often not a huge amount of effort is necessary: as much depends upon the storytelling - in that boards need to be able to easily articulate why they believe that they're in a good place. But obviously, the story must be truthful.
The first - and most - important thing is for firms to look at their whole business model: from the board down to the most junior employee and from sales to people to finance to financial crime to distribution to business partners (especially for firms with expanded models where some (or much) of the business activities are performed by other firms) - and consider how well they can explain the basis on which they - personally and collectively - gain sufficient comfort that everything is working as it is expected to.
This is often from a combination of management information, written reports, risk or compliance assessments, verbal briefings and walking around the office talking to people. All of these practices are common in large and in small firms.
As an example, let us consider the firm's most important asset - their people. How might a board determine if they need to do much for SM&CR?
If the firm already has a complete suite of policies and procedures that sufficiently cover how they recruit, motivate, manage, reward, monitor, and promote their people - and have enough data to make sure that they've got the right people, doing the right roles, and having all the skills that they need - then all the firm needs to do when it's writing up its SM&CR plan - which is really just a big covering note to what they actually do - is to say, when explaining how it manages its people, something like 'please see the firm's HR policies as found in the manual / on the intranet.'
As simple as that.
However, if the board think that it needs, for example, to provide greater clarity around how they motivate their people to put customers' needs first, then the HR team (or whoever the board asks) will need to draft that policy and then get it agreed by the senior management team and the board.
It is imperative that your firm considers all of the other relevant areas of its activities
To help it do so, many firms now use an SM&CR risk-mapping exercise to help them to identify both the various sources of their risks (such as in marketing, or finance, or financial crime); and what needs to be done; and who is going to do it; and with what resources; and by when; and who will check that it's been completed to the standards set by the board; and what management information will be produced to enable the senior management team and the board to keep an eye on things.
But what is absolutely critical is that the policies and processes and risk management actions must be tailored to the unique circumstances of each firm. As to take an obvious example, it would be pointless for a new consumer credit firm to have anything like the risk assessment or policies or procedures of a high street bank.
There is no 'one size fits all' approach - whatever some consultancies might suggest. Instead, firms should aim for a 'fit-for-purpose' approach that satisfies the requirements of both its regulators and its board.
Firms must be able to show the communication lines that enable information to travel up from the shop floor, ultimately to the board, as necessary for consideration - and management decisions and policies to flow in the opposite direction - with all accountable individuals identified so that, in the case of any regulatory incident, the FCA know to whom they should direct their questions, in the first instance.
And this will not normally be the firm's compliance personnel: it will usually be the relevant business line executive(s) - such as the Sales Director or the Head of Trading.
The best way to succeed in SM&CR planning & implementation is to keep it as simple as possible
The FCA (and the PRA, if involved) will not thank you one iota for making your business look more complicated than it is.
But they will expect you to have thought through all the relevant factors that might impact upon your business model - and these should, today, include non-financial factors such as gender diversity in your senior management team(s) and workforce - as an example.
Senior regulators have commented regarding the SM&CR that “Culture is like DNA. It shapes judgements, ethics and behaviours” and that successful implementation would ultimately mean that regulators eventually “find ourselves out of a job because doing the right thing has become part of the DNA” of regulated firms. But that ideal is probably some way ahead in the future.
The task of firms today preparing for the SM&CR is to show that they are taking culture and conduct and individual accountability seriously.
As one would expect given the current lack of trust in the financial services sector and regulated firm's critical need to show that they have heard what their customers want: much greater senior management accountability.
Want to know more about SM&CR?
If you've any further questions or concerns about SM&CR, just leave us a comment below this blog. We are happy to help!