How to Evidence your SM&CR Competence
It's not rocket science to say that effective training and competence are critical to SM&CR compliance. But don't underestimate the scale of the challenge this can be.
Since the extension of the Senior Managers and Certification Regime (SM&CR) in December 2019 to include all FCA solo-regulated firms, it has become even more important that firms follow the spirit as well as the letter of the regulation. It's an opportunity for your firm build a culture of accountability and responsibility. Don't lose it.
If you cannot articulate what is adequate and competent within the context of your firm, you simply cannot evidence compliance when the FCA comes knocking.
What does the FCA expect?
Ensuring that staff qualifications and competencies align the T&C regime is at the core of the regulation’s annual certification process. However, all too often, the Certification Regime (CR) aspect is forgotten.
"A firm must not assess an employee as competent to carry on an activity in TC Appendix 1 until the employee has demonstrated the necessary competence to do so and has (if required by TC Appendix 1 attained each module of an appropriate qualification."
The key issue here is the FCA does not actually explain what competent means. This leaves firms deciding for themselves what constitutes competence for those falling within the category of Certified Persons.
The Senior Management Arrangements, Systems and Controls sourcebook (SYSC) states that those within the scope of the regime need ‘some level of competence’ .
While not that helpful, at least it reinforces the idea that the FCA is stubbornly persistent that you put in place whatever makes sense for your business. And you need to be able to defend that position if the Regulator asks you to do so.
Who should own the Certification Process?
Almost invariably, the HR and Compliance teams are trading responsibility for defining what constitutes appropriate training and what defines competence within their firm for those Certified Persons.
That is an impossible model.
Inevitably first-line management need to own that process, with input from other stakeholders such as HR and compliance, who should provide second-line challenge, not own the process.
If a firm’s front-line management cannot articulate what they believe to be an adequately trained and competent employee, the whole certification regime will become a farce, with companies ticking pointless little boxes.
What evidence does the FCA need?
Most firms now religiously complete their training records as evidence of an effective training regime. Pass rates and completion dates all recorded within a well-formatted dashboard.
Dashboards are great, but unless the firm has defined what competence is in a meaningful way, the evidence becomes nothing more than data in a software application.
When the FCA fined Standard Chartered Bank, it made it clear that their staff received inadequate training. What training they did receive, followed poor policies and procedures. It highlighted that training alone means very little and 'evidence' based on first-time pass rates, means little-to-nothing.
But what exactly is competence?
First of all, it is about time that we agree on the word competence, one of the most abused words in the worlds of education and learning.
Competence is a combination of two things:
- Having specific knowledge and the ability to apply it in your day to day work.
- Applying this ability within the context of defined policies and procedures
If you can achieve this, not are you competent, but also compliant.
Let's take the example of anti-money laundering and counter-terrorism financing (AML & CTF).
I have met people who believed that their qualification in Anti Money-laundering (AML) not only made them qualified, but also competent as a Money-laundering reporting officer (MLRO). Unfortunately, neither is true. Sure, a diploma give you a solid theoretical grounding, but as yet, there is no such thing as a qualified MLRO.
Are online assessments sufficient proof of competence?
Often companies believe that they have documented evidence of staff competence in AML. Passing an online AML course may be a necessary condition, but is it sufficient? All that this demonstrates is that staff can successfully retain information for around 45 minutes. That does not constitute competence.
For a regulated firm to use the scores and completion dates of online courses to demonstrate AML competence is ludicrous. Such courses only provide a basic level of awareness of AML and CTF; they are just the first part of the training obligation as per money-laundering regulations.
You must also demonstrate that staff are applying this AML knowledge to recognise potentially suspicious activity and record and report it.
Don't get me wrong. I believe a good quality online course is an essential first step of a longer overall training path. But there are three reasons why standard online assessments are not sufficient:
- The subject matter is in isolation during the evaluation, i.e. you know that you are doing an AML assessment, so your mind is tuned to the topic.
- The information is fresh in your mind having just finished the training.
- The practical questions relate word-for-word to case studies you've just read.
If only the criminal community would agree to only approach organisations for laundering purposes between 10 and 11 am on Tuesdays, all would be okay. Unfortunately, the world does not work quite like that.
How can you make sure that training becomes evidence?
Organisations are assessing their systems and controls all the time. However, when it comes to knowledge and competence, they simply check the presence of a training package and judge its effectiveness by staff enjoyment and high first-time pass rates.
If your training provider assesses the effectiveness of their courses, this creates a conflict of interest. Ideally, you need your training provider to test whether learners can apply what they have learned at a later date.
Any assessment should focus on actual decisions that come with the job and cover a variety of areas of product knowledge and regulation. However, the risk remains that the same knowledge may not be correctly applied when taken out of a controlled learning environment.
This approach delivers insight into whether staff are demonstrably competent in applying the knowledge that their training provided. It also provides important management information about the areas in which staff lack understanding, helping to prevent compliance breaches or loss of revenue.
Want to know more about SM&CR?
If you've any further questions or concerns about SM&CR, just leave us a comment below this blog. We are happy to help!