Our newest RegTech Associate and Conduct Risk Expert, Emma Parry, talks about some of the challenges and opportunities firms are facing as they address the requirements of the emerging Accountability regimes. With input from John O’Dwyer of Axiom HQ.
With focus on the extension of the Senior Managers and Certification Regime (SM&CR) in December 2019 to cover all FCA solo-regulated financial services firms and replacing UK Approved Persons Regime (APR) entirely, it’s timely to consider what we’ve learned so far about SM&CR, alongside considering what’s on the horizon for accountability regimes.
Three things we’ve learned so far …
Don’t underestimate the scope
The geographic scope and extra-territorial impact of SM&CR took some large firms by surprise. SM&CR applies at a legal entity level which adds significant complexity for firms with multiple entities within their group.
This brings into scope – for example – a Group Chief Operating Officer (COO) who is accountable for setting technology strategy and determining software choices including for an international branch in London. Whilst the COO is based overseas, they have significant influence. The upshot? They don’t need to be an employee of the London entity to be brought into scope.
Additional complexity exists where Certification staff act in roles across multiple entities within the group. All these elements need to be defined, monitored and maintained on an ongoing basis.
It can be operationally intensive
Accountability regimes can impose significant operational requirements on firms, across multiple functional silos (eg. HR / Learning & Development, Compliance, Legal), both during the implementation and as ongoing business as usual activities. And, whilst the technical requirements may be of low complexity, functionality rich technology solutions can help firms to mitigate against a cottage industry of administration.
RegTech providers are now seeing interest from firms who initially addressed the SM&CR requirements leveraging existing systems and supported by external artefacts (eg. Word documents, spreadsheets). These firms are now looking for a strategic solution. Maturity of SM&CR product offerings may be helping drive this, alongside a realisation that the administrative burden is not sustainable. In addition, Compliance review teams, or conduct risk maturity assessments, may have identified weaknesses or gaps. These firms will now have open points they need to close – but with ammunition to support a business case for technology investment.
Working from a strong conduct risk framework certainly helps
The firms that were ahead of their peers in the first wave of SM&CR leveraged strong foundation elements. These included a well-defined conduct risk framework and risk appetite statement, alongside a clear definition of conduct risk as it applies to the firm and what constitutes a conduct breach.
The importance of having a strong base from which to work is echoed by John O’Dwyer, Founder and CEO of Axiom HQ:
“We are seeing firms start to realise that SM&CR compliance is not something they can simply buy ready-made as a point-solution. The reasonable steps requirement, for example, puts the onus on firms to design an appropriate framework which will be unique for their markets and products. Any technology choice needs to support a highly flexible and customisable approach to workflows, evidence and MI. There is no one-size-fits-all.”
In the first wave of SM&CR, even if firms had an existing conduct risk framework, many took the opportunity to review them as part of their implementations.
One global bank undertook a governance ‘spring clean’. They reviewed their committees and questioned whether the purpose and focus of each was clear. They focused on which committees escalated into others, reviewed what was being escalated and in what level of detail. Finally, they questioned whether they had the right attendees at the table. In the end, the bank demoted some committees to meetings (i.e. where no decision making was actually taking place) and even abolished others.
What’s next for accountability regimes?
The conduct risk supervisory agenda is gathering global momentum
In a bid to win the war against misconduct, regulators around the world are placing ever more focus on individual accountability, alongside ensuring firms assess and certify that their personnel are ‘fit and proper’ for the roles they discharge.
The Financial Stability Board (FSB) set the tone in April 2018 with the publication of its ‘Strengthening Governance Frameworks to Mitigate Misconduct Risk: A Toolkit for Firms and Supervisors’. However, in the last year, we’ve seen the launch of the Australian Bank Executive Accountability Regime (BEAR) and the Senior Executive Accountability Regime (SEAR) in Ireland. In Hong Kong, a Managers-in-Charge (MIC) regime was instituted by the Securities and Futures Commission (SFC) in 2017. This has now been complemented with a Hong Kong Monetary Authority (HKMA) initiative aimed at Bank Culture Reform.
And, on 6 June 2019, the Monetary Authority of Singapore (MAS) announced plans to extend the scope of the Individual Accountability and Conduct Act (IAC Guidelines) to include all financial institutions under its jurisdiction, including card issuers, fund managers and trustees, recognised market operators and clearing houses, and payment services licensees, among others.
Where these accountability regimes have extra-territorial reach, the task of implementing and then overseeing them will become ever more complicated, with potential overlap across jurisdictions creating even greater complexity.
RegTech solutions that enable firms to visualise which legal entities and personnel are impacted – and by which regimes – and then providing drill down into key artefacts (eg. statement of responsibilities, fit and proper certifications) will become increasingly important as the regulatory complexity grows.
In addition to visualisation tools, Axiom HQ notes that clients are searching for solutions that provide ‘data mining and predictive analytics for a more effective view of compliance risk and gaps.’
Synergies are emerging
Accountability regimes have clear rules, but they are largely framed by principles and guidance, meaning firms need to interpret the regulation in the context of their business.
Not surprisingly perhaps, firms operating in numerous jurisdictions are starting to identify synergies across accountability regimes and looking to create global best practises. A case in point is ‘reasonable steps’ which is, for example, integral to both SM&CR and BEAR. In this case, the best practice might include a standardised approach that comprising an initial gap analysis of current systems, controls and governance arrangements coupled with an action plan to implement improvements. Tracking the action plan through formalised governance will form part of the reasonable steps framework. Having a common RegTech platform to support the global teams is the logical next step.
Axiom HQ highlights:
“We are lucky to operate under one of the most forward-thinking regulators in the world and we’ve seen in both client money rules and now conduct and accountability that other regulators often follow the FCA’s lead. Some global firms are therefore wary of investing in an SM&CR specific solution for the UK market and are instead taking a step back and embedding the principles of SM&CR across all jurisdictions where they operate using one enterprise-wide toolset and improving governance globally.”
Ultimately, accountability regimes are component parts of how firms grow and manage ethical businesses.
With the conduct risk supervisory agenda gathering momentum, the landscape is becoming more complex. But firms that have a solid conduct risk framework, alongside a robust RegTech solution strategy, will be well placed to meet the intensity of the challenges ahead.