
The UK's focus on personal accountability for bank employees: a sign of things to come?

By Michelle Levy

In brief

Written by Associate Georgia Cleeve

Last month we talked about one aspect of the UK Parliament and regulators' response to the UK Parliamentary Commission on Banking Standards (PCBS) report into the professional standards and culture of the UK banking sector, 'Changing banking for good'. This month we are discussing the UK's Senior Managers and Certification Regime (SMCR), which forces individuals working in the UK's financial services firms – from the most senior managers through to entry-level staff – to be responsible and accountable for their actions. By ensuring individual accountability, the SMCR is attempting to drive, you guessed it, 'cultural' change within these organisations. Sound familiar?

Where did these rules come from?

For this part of its response to the PCBS report, the UK Parliament passed legislation [1] in late 2013 setting out the legislative framework for an SMCR. The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have been tasked with implementing the regime as prudential and conduct regulators respectively. When consulting on the SMCR, the FCA and PRA said 'The behaviour and culture within banks played a major role in the 2008-09 financial crisis and in conduct scandals such as Payment Protection Insurance (PPI) mis-selling and the attempted manipulation of LIBOR'. ASIC's recent comments on tackling poor culture will therefore sound familiar to an audience who has been following UK reforms in this area. A case in point is ASIC's recent comment that: 'ASIC is concerned about culture because it is a key driver of conduct within the financial services industry. The trust and confidence of investors and financial consumers has been significantly eroded over the past few years due to poor conduct within the financial industry'. [2]

What firms are caught?

The SMCR will apply to UK banks, building societies and big investment firms, and has now also been extended to non-UK firms with a UK presence. A report recently released in the UK suggests that UK asset managers and broker-dealers may also be brought into its scope.

What does it require?

The SMCR is made up of three key elements, most of which will come into force in March 2016:

  • A Senior Managers Regime, under which the most senior managers of affected firms need to be identified, approved by the regulator, and have their roles defined. The regime also includes various measures to support regulators in taking enforcement action against senior managers. A criminal offence of reckless mismanagement by senior managers has also been introduced, although this only applies where a firm fails. Given its relatively limited application, we have not covered the criminal offence in any detail here. We look at the other aspects of the Senior Managers Regime further below.
  • A Certification Regime, under which affected firms need to ensure that they certify, at least annually, that affected staff (a broader population than senior managers) are fit and proper to perform their roles. The Certification Regime is about shifting back on to firms the onus of ensuring the fitness and propriety of all but the most senior managers (who will continue to be personally approved by the regulator/s under the Senior Managers Regime). While there are some tricky implementation issues associated with the Certification Regime (including its potential extraterritorial impact), the substance of it is relatively straightforward, so we have not discussed it in detail here.
  • A set of conduct rules, to which all staff whose roles have any connection to the firm's financial services need to adhere. We look at these conduct rules further below.

Key aspects of the Senior Managers Regime

Much of the Senior Managers Regime is designed to ensure that the roles of senior managers are clearly defined and that meaningful responsibilities are clearly attributed among them. The measures for doing this include:

  • The regulators have specified a list of senior management functions (eg CEO, Head of Risk, Head of Audit Committee and Compliance oversight function) and the FCA/PRA will need to approve each person (each a 'senior manager') carrying on these functions in affected firms.
  • 'Statements of Responsibilities', in a prescribed form, will need to set out each senior manager's responsibilities and will be relied upon by the regulators as evidence of these responsibilities.
  • A list of prescribed responsibilities must be allocated among the population of senior managers – each responsibility generally to no more than two (eg 'Responsibility for overseeing the adoption of the firm's culture in the day-to-day management of the firm').
  • A 'Responsibilities Map' providing a holistic picture of reporting lines and apportionment of these key responsibilities across the firm/branch will also be required.

None of this sounds particularly groundbreaking – one would hope that, as a matter of good corporate governance, roles and responsibilities of senior managers are clearly defined and how they fit into the wider firm is well understood. This also sounds analogous to some requirements currently imposed on most APRA-regulated entities in Australia through the prudential standards (eg the requirement for superannuation funds to have role statements for roles relating to investment activities under SPS 530 on Investment Governance). However, what turbocharges these new rules is the fact that there is now a legislative presumption of personal, senior manager responsibility where a regulatory breach occurs in a senior manager's area of responsibility. That is, unless the senior manager can satisfy the FCA/PRA that he/she took 'reasonable steps' to prevent a regulatory breach from occurring in his/her area of responsibility, the senior manager will be personally liable for the breach. How a senior manager can prove this in the context of being solely and personally responsible for 'overseeing the adoption of the firm's culture in the day-to-day management of the firm', for example, remains to be seen.

In the UK, individuals working at regulated firms have, for some time, been subject to rules and behaviour of the regulators that have a similar aim to the SMCR. Namely:

  • An 'approved persons regime' has been in place for some years, which has required regulators to approve individuals carrying on certain key roles, and enabled regulators to take action against them for their part in firm regulatory breaches (but only to the extent they are 'knowingly concerned' in the breach).
  • A trend has developed for the PRA and FCA to require senior managers to attest to the efficacy of controls in their area of responsibility (eg a Head of Operations may be required to attest that the firm's systems and controls for providing annual statements to customers are adequate). The personal risk that individuals are opening themselves up to by attesting as requested is not clear, but the use of attestations has certainly been effective in forcing action and senior management focus on regulators' areas of concern. We suspect this is a trend that our readers would prefer remained on the other side of the world.

So, while the Senior Managers Regime will make it easier, from an evidentiary perspective, for UK regulators to prove individual responsibility in the context of enforcement actions, a common view is that the changes may not actually have any discernible impact on the tendency of the PRA and FCA to take enforcement action against individuals, given that there has arguably always been an expectation that heads of business units/functions should be personally responsible for the conduct in their area. The UK approved persons regime and the regulators' use of attestations have assisted there. The introduction of anything of this nature in Australia, on the other hand, would be a significant change and one that would undoubtedly raise concerns (and D&O insurance premiums!) for bank boards.

Conduct rules

General conduct rules are also being introduced, which are going to apply to the conduct of all individuals working in or for in-scope firms with a connection to their UK activities, other than a prescribed list of ancillary staff who do not have any nexus to the provision of financial services by the firm (eg print room staff, security guards or catering staff).

The rules are:

Rule 1: You must act with integrity.
Rule 2: You must act with due skill, care and diligence.
Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators.
Rule 4: You must pay due regard to the interests of customers and treat them fairly.
Rule 5: You must observe proper standards of market conduct.

The clear intention of the regulators in applying these rules so widely is for sound and prudent conduct and culture to be embedded across the firm – from entry-level operations or compliance staff, right up to the heads of key trading desks. The regulatory burdens of applying the rules to such a big group are large, and some of the key challenges will be:

  • providing meaningful and tailored training to all individuals on the rules (how a member of the IT team should go about 'treating customers fairly', for example, will be very different to the steps that a retail financial adviser will need to take to comply with this rule); and
  • managing the process of reporting all breaches (and suspected breaches) of Conduct Rules to the regulators as is required to be done on a yearly basis (or within seven days of a breach by senior managers). For example, identifying what will constitute a 'suspected breach' is a significant exercise in itself, let alone applying this test to conduct being carried out by a potentially huge number of staff across a potentially huge organisation.

The Brits have, until the various scandals that have plagued London (aka 'the City') over recent years, been extremely proud of its status as a respected, trusted and important global financial hub. Arguably, the stakes of poor conduct are therefore higher for UK legislators and regulators than their Australian counterparts – and there is probably more political will to 'banker bash' than exists here in Australia. However, for an Australian Government or Parliament with aspirations to make Australia the financial hub of the Asia-Pacific region, perceived weaknesses in culture and integrity in Australia's financial services firms might continue to gain attention. Whether this may result in an Australian senior managers regime remains to be seen, but we will continue to watch and listen closely.

Footnotes

  1. Financial Services (Banking Reform) Act 2013.
  2. See ASIC Report 444: ASIC enforcement outcomes: January to June 2015.