FCA expects SMCR compliance not just in letter, but in spirit as well
This article was first published in Global Risk Regulator
The Senior Managers and Certification Regime (SMCR), which initially came into force for banks in March 2016, is clear evidence of the regulator’s focus on holding individuals to account for their conduct. With this regulation now being extended to all 47,000 Financial Services and Markets Act (FSMA) authorised firms, all those involved need to be thinking not just about compliance, but about how they can create a culture that truly meets the spirit of the requirements.
The new rules are expected to be finalised this summer and the key question for in-scope firms is: “How do I prepare?” For those already subject to the regime, the question will be: “Can I demonstrate that I am fully compliant?” Few firms, however, are asking: “Could I be doing more?” Yet that is the most pertinent question, and the answer, in almost all cases, will be yes.
The regulator has a particular interest in four drivers of behaviour: purpose, leadership, governance arrangements, and approach to rewarding and managing staff. The SMCR tackles the first three, so firms need to address these to be compliant. But the Financial Conduct Authority (FCA) has made it clear that merely ticking off relevant requirements is not enough.
How staff are managed and rewarded also needs to be addressed with equal vigour. Some firms have already removed short-term financial performance targets from reward considerations and updated their balanced scorecards. Given the FCA is keen to take a broader look at all firms’ remuneration arrangements in 2018/19, this kind of approach is likely to become more common as firms seek to demonstrate to regulators that their incentive structures and performance management work in the interests of markets and customers.
Risk management lessons?
In embedding cultural change that meets regulatory expectations, firms can learn some lessons from the post-crisis transformation of the risk function.
Prior to the financial crisis, risk was often viewed as the domain of the back office, just there to publish reports convincing the regulator that minimum capital requirements were met. Since then, risk management has taken on a more strategic, enabling role. Those overseeing conduct must now take on a similar focus, to remind the firm of its role in serving customers. The SMCR nudges organisations towards this. The most risky firms will likely be required to allocate a specific responsibility for culture to senior managers. However, they should be doing more. In the same way that organisations now complete risk assessments before developing new products or mobilising new projects, a culture assessment or consideration for how customer needs are supported must be integrated into product and investment decision-making.
HR teams will have a critical role in supporting firms. To achieve SMCR compliance, they will need to ensure employees are ‘fit and proper’, manage regulatory submissions, provide more detailed regulatory references, clarify employees’ roles and responsibilities, monitor breaches of the Conduct Rules, and implement disciplinary sanctions.
But HR also has a role to play in supporting longer-term cultural change. Just as the remit and profile of chief risk officers have increased to support senior management in improving their understanding of a firm’s risk profile, the HR director will have an increasingly fundamental role in supporting senior managers and monitoring the health of a firm’s culture.
Similar to risk functions leading reviews of both incidents and near misses, it is possible to imagine a world where HR functions lead reviews of poor employee behaviour, complete culture surveys or even conduct breach stress testing. These are all activities which will help firms evidence to the regulator how they proactively identify and address conduct issues, act on whistleblowing intelligence, reflect on behavioural insights and implement lessons learned.
However, this work cannot just be left to HR. Just as responsibility for risk management shifted from the risk function to every employee, the cultural tone from the top must be matched by an equally strong echo from the bottom.
The best risk management performance is achieved when the business plays the leading role in identifying and managing risks. In the same way, firms can achieve better cultural performance when all staff understand they own it and there is real change from the bottom up. From a practical perspective, firms currently have risk management officers embedded across all areas of the business; the same could be done for cultural change across business lines.
Good business sense
It is clear that compliance with the SMCR rules alone will not be sufficient to drive the cultural change that regulators expect. Firms should embrace the opportunity to transform their culture and properly embed the changes brought by the new regime, and there are real benefits for firms that do this. Going beyond SMCR compliance to proactively improve culture will pave the way for more dynamic and effective governance, reductions in the ever-increasing burden of risk and compliance processes, enhanced reputation and improved financial performance.
Laura Boyd is a financial services expert at PA Consulting Group