Firms Struggle with SM&CR Compliance and Preparations

As all FCA-regulated firms will fall into scope of the Senior Managers and Certification Regime by the end of the year, concerns emerge on how to implement the regulation.


Many financial institutions, including UK-based asset managers and market structure firms—known in regulatory speak as solo-regulated firms—mandated to comply with the Senior Managers and Certification Regime (SM&CR) by December 9 have yet to fully implement or understand the rule, say industry experts.

As part of the regulators’ SM&CR, the chief operations senior management function 24 (SMF24) states that individuals in top-level roles—such as COOs and CTOs—will be held personally responsible for the operational resilience and the integrity of systems under the regime. SM&CR has applied to banks, building societies, credit unions and dual-regulated Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) investment firms since March 2016, when it replaced the Approved Persons Regime. But over the next four months, senior managers and non-executive directors of asset managers and market structure firms will have to implement new practices and training programs to identify who is accountable for the firm’s entire technology infrastructure and operations in the event of a failure.

However, as the deadline looms, many of those at senior management level and below have yet to fully grasp how to comply, including banks that are already in scope. On August 5, the FCA published an SM&CR report on the banking sector, highlighting weaknesses in how the firms have complied with the regime to date. Many of the failures cited pointed to a lack of understanding of the law and the responsibilities of those involved.

“For example, non-executive directors are a bit confused about their roles and think too much is expected of them,” says Amy Bird, senior associate at UK-based law firm Clifford Chance, referring to the report. “As well as that, senior managers are apparently still a little bit unclear about what ‘reasonable steps’ [under SM&CR/SMF24] means to them.”

Under the regime, senior managers are expected to take “reasonable steps” to prevent misconduct and safeguard the integrity of IT systems. According to the report, executives have expressed concern over the ambiguity of the legislation and have difficulty understanding what is expected of them in the event of a breach. Bird says other challenges with the regulation involve the flow of information downstream from the management level and the delegation of responsibilities. The FCA report stated that the banking sector to date has not always sufficiently tailored its conduct rules to staff roles, meaning that employees involved in the running of IT systems lack the necessary guidance and training on how to comply with the regulation.

“Beneath the senior management level, there is the rest of the population within the organization and [the regulators] are saying that at that level, people haven’t really fully engaged with the implementation,” Bird says.

As part of the regulation, senior management is obliged to fill out a statement of responsibility (SoR) and a management responsibilities map, which set out which individuals are accountable for each operation and their competence to carry out the role. Heads of operations and IT are required to ensure that individuals in roles that can harm the firm or clients, otherwise known as “certification functions,” are fit and proper to perform their jobs.

Operational Resilience

To help comply with the regulation, senior managers are also expected to document and evidence how they are meeting the requirements and safeguarding operations and IT systems—this can include record-keeping such as SoRs, management maps, information on reporting lines and other correspondence with teams. Additional ways of complying with the regulation may include building out or outsourcing technologies that monitor communications, meetings, and documents relating to system performance and responsibilities.

As a way of mitigating tech failures and ensuring operational resilience, Guy Warren, CEO of risk solutions company ITRS, says there are four key pillars: effective change management, thorough testing, a resilient architecture that can recover in the event of a failure, and clear visibility of operations and capacity.

“One of the things that the regulator doesn’t want is for you to give them a capacity report in terms of its central processing unit (CPU) because telling them that a computer is 74% busy is useless,” Warren says. “Tell them how many transactions you can do per minute, what your current peak is, and what your ultimate capacity is. Give it to them in business transaction volumes.”

With over four months to go before the deadline for compliance, Warren says this type of regulation should be taken seriously as it directly holds individuals, rather than firms, accountable. And by December 9, COOs and heads of IT of all FCA-regulated firms will be personally liable for the operational resilience of their IT systems.

“The fines have only worked so far. After that, you have to hit the individuals and say, ‘You have to fix this or else you will go to prison or I will fine you and make you personally bankrupt.’ Then they will take it seriously, and the regulators know that, which is why they have done it,” Warren says. 
