As the FCA looks to extend the SMCR, Matt Hughes, partner at JLT Specialty, examines what it might mean for firms and some of the considerations that businesses should be undertaking in advance.
Since the financial crisis, a raft of legislation has been introduced with the stated aim of rebuilding trust and stability in the financial services sector. One particular area of focus was how risk oversight was discharged, and what standards were to be expected. The Senior Managers and Certification Regime (SMCR) was introduced to banks, building societies, credit unions, insurers and dual regulated (FCA and PRA regulated) investment firms in March 2016, replacing the Approved Persons Regime (APR). The overall framework aimed to focus accountability at all levels within a firm, with senior individuals having personal accountability for areas where they have a clear and defined responsibility. The SMCR also extends to those individuals who aren’t ‘senior managers’ but perform activities which mean they could cause significant harm to the firm or its customers (‘certification functions’). As such, any person falling under the scope of the SMCR faces potential liabilities that could lead to a successful claim being made against them.
Higher standards and accountability
The reason for this, according to a recent media interview with Jonathan Davidson, executive director of supervision for retail and authorisations at the FCA, was to “ensure that individuals in financial services are held to high standards, and that consumers know what is required of the individuals they deal with,” while also ensuring that “senior managers are accountable both for their own actions, and for the actions of staff in the business areas that they lead.”
The practical implication of all of this has been that firms now have to produce a statement of responsibility outlining every senior leader’s area of responsibility within a firm; establish a firm responsibility map, which aims to show how the people and responsibilities are aligned to each other; and seek pre-approval by the regulator for any person holding a senior role to ensure their suitability. In respect of ‘certification functions’, while the individuals performing these are not approved directly by the FCA, the firm has to certify that they are ‘fit and proper’ persons with the requisite skill and experience to perform such a function.
The next phase of SMCR implementation is now getting underway, with the final consultation into how the SMCR will be extended to all authorised firms nearing completion. This extension is expected to be implemented during 2018; with the deadline rapidly approaching, firms across the sector should now be considering the likely impact of the extension of SMCR on their business and appointing a project team to prepare a plan to ensure the firm is ready for implementation. Firms must clearly understand whether they are in the core, enhanced, or limited scope regime, as well as whether an individual is ‘fit and proper’ to perform a senior management or certification function.
In the event of a claim, there can sometimes be uncertainty as to whether it is a Professional Indemnity (‘PI’) or a Directors and Officers (‘D&O’) matter. For example, a claim against the firm for failure to act in the best interests of a client (or group of clients) would likely fall to a professional indemnity policy. However, if the allegation is made against an individual with responsibility for the implementation and discharge of this duty, the D&O policy could be called into action.
D&O policies have historically afforded cover to Directors and Officers of the firm, which included those individuals deemed to be an ‘Approved Person’ as defined by the Financial Services Market Act 2000. Market-leading D&O policies have since been updated to reflect the new regulatory environment by making specific reference to the SMCR under the relevant definitions. This change increases the number of people who would have access to cover under a D&O policy, as cover now includes employees performing these ‘certification functions’.
Taking this into account, firms may wish to review the level of their existing D&O policy limits, given the increased number of people attracting cover under the policy. The majority of D&O policies are underwritten on an ‘aggregate’ basis, meaning the limit you buy is the total amount available during the life of the policy (this includes defence and investigation costs as well as any settlement eventually agreed). Theoretically, the more people covered under a policy, the greater the chance of a claim and therefore of the erosion or exhaustion of the limit purchased. As D&O policies protect the personal assets of the individuals covered under the policy, a firm would rather have too much than not enough.
Protection against cyber criminals
Firms also need to make sure they are protected against ever-growing cyber threats, as the data they hold makes them particularly lucrative targets for cyber criminals. Cyber insurance policies provide a number of ways to protect against the damage caused by a cyber attack, in particular the first-party costs associated with repairing that damage.
With the dual issues of SMCR expansion and rising cyber-dependency, it is vital that firms consider the risk implications and the insurance solutions available to mitigate these exposures. With the enhanced regulatory focus, it is conceivable that there is an increased chance of regulatory claims and/or investigations, while a cyber incident can be extremely damaging to a firm, with wide-ranging consequences that go beyond merely the immediate aftermath. It will be vital for firms to ensure they are prepared for these growing issues in the future.
Matt Hughes is a partner in the Financial Lines Group at JLT Specialty, a leading global insurance broker and risk consultant. His experience has spanned advising market-leading clients in the asset management, wealth management, insurance company and banking sectors.