The SM&CR - nearly one year on
The aim of the SM&CR is to reduce harm to consumers and strengthen market integrity, with a focus on staff taking personal responsibility for their actions.
The regime came into force in response to the global banking crisis and the realisation that it was very difficult to hold individuals, particularly senior management to account for poor conduct within a business. The previous Approved Persons regime was labelled by a Parliamentary Commission as a "confused mess", with no clear expectations set for key function holders. This resulted in a makeover of the regime, that was rolled out in 2016 to firms in the banking sector and extended to (re)insurers in December 2018. The regime comes into force for solo-regulated firms (intermediaries) on 10 December this year.
The SM&CR establishes individual responsibility across a wider population of employees, so that regulators are able to take appropriate enforcement action for conduct failings. As the regime was adopted less than twelve months' ago by (re)insurers, there is limited publicly available information assessing its impact on governance and individual behaviour at such firms. According to the FCA's 2019 fines table, since the SM&CR came into force there has been no enforcement action taken against individuals in the insurance sector relating to culture/governance or fitness/propriety breaches, although the regulatory enforcement process can take a number of years to reach conclusion (with criminal cases taking longer to resolve). According to the PRA's last business plan, the PRA is due to begin to evaluate the effectiveness of the SM&CR (and remuneration policies) for (re)insurers in 2019/2020.
In August 2019, the FCA published a report on the implementation of the SM&CR in the banking sector. The report notes, among other things, that some firms are struggling to embed the regime below the senior manager level, identifying potential weaknesses in the articulation of the conduct rules and a lack of tailored or job-specific training. The report also highlights that firms are not always consistent in recording breaches of the conduct rules, which is causing issues in the context of dealing with regulatory references and that firms find it challenging to measure culture in an appropriate way.
Following the adoption of the new regime, we have observed changes to group governance dynamics between non-UK group undertakings and UK authorised (re)insurers and increased engagement by individual board members with the detail of corporate governance matters as a result of the SM&CR. We have advised on a number of SM&CR related issues, such as how to approach regulatory references, what constitutes "reasonable steps", how to manage conflicts of interest in the context of whistle-blowing and issues with 'non-financial' misconduct. We have also seen an increase in instructions to conduct corporate governance reviews. In our experience, conducting governance reviews is just as important for smaller firms as larger complex groups, as smaller firms often have less frequent access to their regulators and are therefore exposed to greater hindsight bias risk, if/when an issue arises.
Looking ahead, (re)insurers and now intermediaries may face practical challenges with corporate governance compliance fatigue, but improving culture and governance at firms is a cross-sector priority for both the FCA and the PRA. The FCA has recently said it will increase supervisory focus on the conduct rules and the PRA has said that effectiveness of governance and control arrangements at firms is central to its supervisory approach. Firms should review the FCA's banking sector SM&CR report and note the expectation that firms must move away from "basic rules-based compliance towards embedding the regime in the organisation". Firms should also keep up to date with trending regulatory topics, such as culture, diversity and inclusion and reflect on how they could impact both the firm's and individual SM&CR related obligations.
A firm's senior management must appreciate that the SM&CR is not just another regulatory requirement for the legal/compliance department to tick-off their list; individual accountability is here to stay.
This article first appeared in Insurance Day