The Senior Manager and Certification Regime (SM&CR) came into law in the U.K. on 9 December 2019. The new regulation applies to all firms that are solely regulated (solo-regulated) by the Financial Conduct Authority (FCA), including the firms’ European Economic Area and third-country branches. The purpose is to reduce harm to consumers and strengthen market integrity, presenting a unique opportunity to set a new standard of personal conduct for all market participants.[1] The law has been in effect for banks, building societies, credit unions and Prudential Regulation Authority-designated investment firms since March 2016; however, asset managers and hedge funds now need to comply as well.
The SM&CR in a nutshell
The genesis of the SM&CR was the 1995 collapse of Barings, the world’s oldest merchant bank. The bank’s senior managers in the U.K. claimed they were unaware of the bank’s fraudulent investments in Asia, and they were not convicted of any wrongdoing at the time. Since then, the FCA has been working to broaden managers’ responsibility for whatever happens underneath them, even if they do not know about it.
The SM&CR is intended to improve conduct at all levels of a financial firm and raise governance standards. The regulation ensures firms and their staff clearly understand the tasks of all employees and can demonstrate that employees act responsibly. In addition, the FCA is putting more pressure on firms to ensure that senior managers and other employees are suitable for the role before being hired.
Anyone who performs a senior management function under the Financial Services and Markets Act – whether they are based in the U.K. or overseas – needs to be approved by the FCA before they can start their role. Every senior manager must have a statement of responsibility (SoR) that clearly sets out their role and responsibilities. Each senior manager will also have a duty of responsibility, meaning that if the firm breaches a requirement, the senior manager responsible for that area could be held accountable if they did not take reasonable steps to stop or prevent the breach. Firms may outsource the function, but they cannot outsource the accountability for the function. Where a partner performs a senior management function, their prescribed responsibilities must be clearly set out in their SoR.
Roles that may be classed as senior managers include the chief finance, risk and operations officers, as well as the head of internal audit. Others are the chairs of the risk, audit, remuneration and nomination committees, the senior independent director and the group entity senior manager.
The Certification Regime covers specific functions that are not senior management functions but can have a significant impact on customers, the firm and market integrity. The FCA does not have to approve these people, but firms need to certify at least once a year that they are suitable to do their job. The certification takes into account whether the person has obtained a qualification, has undergone or is undergoing training and possesses a level of competence. The certificates issued by the firms must state that the person is fit and proper to perform a function, and set out the aspects of the firm’s business in which the individual will be involved. The Certification Regime may apply to individuals with significant responsibility for a business unit, proprietary and algorithmic traders, advisers, investment managers, people who supervise or manage a certified function and material risk takers.
The impact on firms
Firms from both the sell side and buy side need to carefully review their current processes and put some new ones in place. Ultimately, they must be able to demonstrate that senior managers have been approved for their role, and that they take reasonable steps to understand what is happening within their organization.
Previously, the regulatory burden of proof focused on key measures including the number and types of alerts generated by a regulatory compliance or trade surveillance system. However, the SM&CR is shifting the focus toward management information and reporting. To this end, senior managers need to be familiar with trading reports and understand the people and departments under them, including new businesses. Firms must be able to demonstrate that alerts were generated correctly, and there is a process for informing senior managers, who do not look at the alerts daily, and ensuring that they have enough information to take reasonable steps to mitigate risk. If reports have not shown any exceptions, the onus is on the senior manager to figure out whether something was wrong with the reports and whether the person who generated the report is suitable for their role.
The technology needed to comply
Nasdaq Buy-side Compliance can help asset managers and hedge funds ensure that senior managers and other employees comply with the SM&CR. This trade surveillance and case management solution leverages behavioral analysis to understand people’s actions within the context of their role. It also enables firms to structure their compliance program so it is adaptive and specific to the risks and individuals within their organization.
Firms can monitor activity to ensure that staff are not engaging in market abuse, acting with negligence or breaching fiduciary duties. Instead of relying on random sampling, spreadsheets and simple rule-based alerts, they can automate surveillance processes, empower analysts to prioritize alerts and leverage artificial intelligence to make sense of employees’ behavior.
The top-performing asset managers and hedge funds are already doing this. Importantly, the regulators benchmark the industry against these top performers, and may be more likely to scrutinize firms that they perceive as being laggards. The SM&CR gives laggards a strong incentive to catch up. When managers have to take the rap for any wrongdoing by their team, they will be quick to deploy solutions that give them better insight into the conduct risk within their business.