Personal accountability in financial services isn't a new concept. But the UK's Senior Management & Certification Regime (SMCR) is going to bring about sweeping changes to how it's done.
The new rules — firms will need to comply in full by 31 March 2021 — require employees who have roles in regulated activities to get certified yearly. Everyone except ancillary staff, that is staff like caterers and cleaners, who aren't involved in regulated business, will have to follow the FCA's code of conduct. And individual senior managers will be personally responsible for wrongdoing.
Which means the buck truly stops with one person.
In our latest webinar, Accountability compliance — SMCR, governance, risk, and compliance expert Michael Rasmussen and ICSR's director John Moffat sat down with us to discuss:
● The challenges of complying with SMCR, as well as other accountability regulations
● The cultural changes regulators expect firms to make
● How to make compliance with accountability regulations more efficient, effective and agile
Here are the key takeaways.
"I think the biggest material change," says Moffatt, "will be in the way a board or management committee might think about how they run the business.
"We're used to doing things collegially. But how does consensus fit when you're defining a regime of 'I'm only accountable for these things'? There's a risk of gaps, if it's done badly. And also of people sitting behind their job descriptions to protect themselves."
It's a valid concern, and one that could have unintended consequences if firms don't think carefully about how they implement the rules.
Senior regulatory consultant Lorraine Mouat, for instance, has argued that individual responsibility could lead to "Senior managers [feeling the need] to more closely manage processes..." This could cause tension with junior staff. Even the Bank of England has called for more guidance, particularly when it comes to the handling of new and emerging risks.
On this point, Rasmussen notes that the importance of defining what's expected of everyone cannot be understated.
"Complying with SMCR," he says, "requires deep cultural change, because everyone except ancillary staff like receptionists and caterers are bound by the organisation's policies and conduct rules. To really build this culture of compliance, you need to be able to communicate what is expected of individuals as clearly as possible."
But trusting people to follow through is equally key, especially in a world where most teams can no longer be physically in the same building together.
"To maintain good governance and oversight over people sitting at home in their spare bedrooms," says Moffatt, "one of your biggest tools has to be that you trust them."
Of course, trusting your staff to comply is one thing. But regulators want to see cold, hard evidence that this is really happening.
"It's easy to say you have the right culture," says Moffatt, "but very hard to evidence it. You've got to match the statements that you make to the culture that actually exists in your business, and that's quite a learning curve for some senior managers."
"First off," says Rasmussen, "you need good policy management. Communication, training, and also the ability to track who has actually read your policies."
But that's only the start. With senior managers now individually responsible for their area of responsibility, Rasmussen argues it's also critical to have visibility.
"As a senior manager, if we miss something and the regulator fines us, that fine is going to come out of my personal bank account now. So I need to make sure we're dotting our Is and crossing our Ts... perhaps through a dashboard where I can see at a glance how we're doing in all these different areas."
"Absolutely. And, hand in hand with policy management and training, there's also exception reporting and monitoring across your business, so that you can gather evidence that the things you've written down in your policies are actually being followed, because that's your control environment."
With personal fines — and the possibility of prison time — now at stake, and 27% of workers saying they rarely or never want to work in the office post-Covid, it's clear that Word and Excel can no longer cut it. Technology has a crucial part to play both in creating a culture of compliance and in simplifying the practical tasks being compliant entails.
"Technology," says Rasmussen, "can make things more efficient, save money, save time, prevent things from slipping through the cracks... and help us be more agile and dynamic through greater accuracy."
That said, for technology to be successful, it's important not to get carried away.
"For me," says Moffatt, "technology is simply adopting more modern, flexible practices that create more time in your diary... You've got to be able to tell employees: 'We're not checking up on you. We're helping you do your job.'
"Some time ago one of the big consultancies got itself in a very negative position because they installed keystroke software so they could see how often people working from home were touching the keyboard... that doesn't sit well in a culture where there's supposed to be trust and accountability."
"SMCR," says Rasmussen, "is the regulation of all regulations... you can outsource responsibility, but you can't outsource accountability."
This means regulated firms are going to have to rethink their culture and the way they do things, especially when it comes to the processes they use to prove compliance.
"When there are over 200 regulatory change events every business day," says Rasmussen, "we can't be taking six months to update a policy... we need more collaborative technologies... and stronger audit trails and systems of record."
"Do you expect to be held accountable for your actions?" concludes Moffatt, "Of course you do. And 95% of that compliance is that good people turn up to do the job well. The extra 5% is evidencing it... and having a control framework that the business can rely upon."
Want to learn more about SMCR, its impact on the industry, and how technology can help you tackle it more efficiently so you have stronger systems and more accountability?
Watch our free webinar Accountability Compliance — SMCR