Counting the cost of compliance: the proposed new conduct rules regime

• United Kingdom

• Financial services

20-01-2015

The changes that have recently been proposed to the rules of conduct for individuals working at deposit taking institutions and PRA-regulated investment firms (referred to as “relevant firms” for the purposes of this article) are the most significant development in the regulation of individuals working in UK financial services since the Financial Services and Markets Act (FSMA) was enacted 15 years ago. 

A key purpose of the new regime is to ensure that senior managers are held personally accountable when things go wrong at the firms they manage and it is expected that regulatory enforcement action against such individuals in the future will be made materially more straightforward by the imposition of a new “presumption of responsibility” on senior managers in circumstances where the regulators have successfully proved a contravention against a relevant firm.

The proposed changes seek to implement the provisions of the Financial Services (Banking Reform) Act 2013. They are essentially a response to the findings of the Parliamentary Commission on Banking Standards (PCBS), which reported in June 2013. The PCBS report “Changing banking for good” concluded that the existing UK regime for approved persons that has been in place since FSMA (and which is enshrined in the APER section of the FCA Handbook) is unfit for purpose (at least insofar as regards relevant firms).

Essentially, the PCBS determined that the APER regime does not impose sufficient clarity around the scope of responsibility of senior managers, and the lack of clarity around the personal accountability of senior managers has impeded the regulator from holding such individuals to account for the kind of competence-based misconduct which (in the view of the PCBS) was a significant cause of the various banking failures that occurred during the last financial crisis.

Consequently, the PCBS concluded that a new regulatory regime is required for employees of relevant firms, which will clarify the scope of responsibility of the individuals managing those firms and facilitate the process of holding such individuals personally accountable for competence-based misconduct in the future.

The Government accepted the conclusions of the PCBS and Parliament subsequently passed the Financial Services (Banking Reform) Act 2013 in December 2013. CP 14/13 is the consultation paper on the new rules which the FCA and the PRA propose to introduce during the course of 2015 and 2016 to implement the new conduct regime for relevant firms. The consultation period has now close and a policy statement setting out the new rules is expected in the first half of next year.

The proposed new conduct regime

There are essentially three constituent parts of the proposed new regime for individuals at relevant firms: a new regime for senior managers, a new certification regime and a set of new conduct rules.

The new senior managers regime

The new regime for senior managers will introduce a range of new senior management functions (SMFs) that will replace the existing significant influence function (SIF) regime for the top two tiers of management at relevant firms (i.e. Board level and the top level of executive management that reports directly to the Board). The purpose of the new SMFs is to identify key functions and the key risks within relevant firms and to ensure that responsibility and accountability for them is clearly allocated to specific senior managers.  The SMF descriptions will be supplemented by:

• responsibility statements that relevant firms will be required to produce for each SMF manager;
• responsibility maps which each relevant firm will need to produce, mapping responsibility for all key risks across its business; and
• handover certificates which will need to be produced by outgoing SMF managers for the benefit of their successors.

The presumption of responsibility 

Under the existing APER regime, the test for establishing personal culpability against an approved person is one of reasonableness and the burden of proof is placed on the regulators.  However, the effect of the new concept of “presumption of responsibility” is that, following the establishment of a regulatory breach against the firm, the burden of proof will be reversed. This means that the onus will then be on the individual senior manager with responsibility for the management of the part of the business where the breach occurred to satisfy the regulator that he/she took such steps as could reasonably be expected to avoid the breach occurring (or continuing). 

This is a significant development because it means that, in order to avoid regulatory liability, senior managers will need to make a positive case demonstrating why they have acted reasonably in all the circumstances, rather than the onus being on the regulators to demonstrate that they have acted unreasonably. This shift in the onus of proof from the regulator to the individual will significantly increase the personal regulatory exposure of senior managers under the new regime. In future, senior managers participating in key decision-making would be well advised to consider what records they should personally maintain in order to evidence the reasonableness of their actions, which they may subsequently be required to justify years after the event. (Notably, the limitation period for taking action against such individuals is being increased from 3 to 6 years).  The implications of this development for the process of decision-making and record-keeping in order to help managers protect themselves from future enforcement action are important and discussed in further detail below.

The certification regime

The second constituent part of the new regime for individuals at relevant firms is the certification regime. Essentially, all individuals who risk causing significant harm to the firm or its customers by virtue of their role will require to be certified by their employer as fit and proper to perform such a role in the future.  It is expected that a wide range of staff who interface with customers will be covered by the certification regime, from the management levels immediately below the top two tiers caught by the senior managers regime down to in-branch financial and mortgage advisers.

The regulators will not be the gatekeeper or the policeman in respect of the fitness and propriety of these individuals. Instead, it will be the responsibility of the relevant firm to assess the fitness and propriety of its certification staff on at least an annual basis and to report to the regulator accordingly. Ironically, it appears that one of the effects of the certification regime will be that it will remove from the regulatory approval process the majority of the individuals whose conduct came to the regulators’ attention during the LIBOR and FX rate fixing scandals. Such individuals will no longer require regulatory approval to carry out their roles unless they fall within the scope of the senior managers regime. Their fitness and propriety will instead be assessed by their employers, who will be incurring regulatory liability where they cannot demonstrate that they are assessing their employees effectively.

The new conduct rules

The new regime will impose five new conduct rules on individuals carrying out “qualifying functions” at relevant firms. In addition, there will be four new conduct rules that will apply exclusively to senior managers. These senior manager conduct rules essentially reflect the key requirements underlying the existing APER principles 5-7, which currently apply to SIFs.

More significantly, however, CP 14/13 clarifies that the five new conduct rules that will apply to individuals carrying out “qualifying functions” will apply to all staff at relevant firms who perform anything other than a mere ancillary role – i.e. a role that would be the same irrespective of whether they were employed by a financial institution or an entity in another industry sector (that is to say cleaning or catering staff, IT support, receptionists and security staff). Consequently, the five new conduct rules will apply not just to senior managers and certification staff, but to all employees at relevant firms who have any interaction with customers relating to the activities of the firm. This population potentially comprises tens of thousands of additional staff from in-branch cashiers upwards. These five new conduct rules are as follows:

1. You must act with integrity.

2. You must act with due skill, care and diligence.

3. You must be open and cooperative with the FCA, the PRA and other regulators.

4. You must pay due regard to the interests of customers and treat them fairly.

5. You must observe proper standards of market conduct.

Nothing controversial there, you may say, or that goes beyond what all such individuals should be doing in their day-to-day jobs already. That is correct. But, by applying the conduct rules to these extra staff, the regulators hugely extending the scope of their disciplinary jurisdiction and imposing very significant extra training, compliance monitoring and reporting burdens on relevant firms, which are already struggling to cope with the weight of new incoming regulation, both domestically and internationally – see below.

Implications of the new regime for relevant firms and their employees

Most bankers and their advisers would agree with the general principle of personal accountability and that importing a greater degree of clarity into the scope of responsibility of senior managers from a regulatory perspective is a good idea. This is particularly in view of the shift in focus of the FCA’s enforcement priorities since the last financial crisis to taking more action against individuals rather than firms as the best way of changing behaviour and culture.  It is clearly in everyone’s interests, particularly in light of the new presumption of responsibility for senior managers, that the scope of responsibility that senior managers have agreed to take on and for which they will be held personally accountable is clearly understood.

However, the most pressing concern for the Legal, Compliance and HR departments of relevant firms is likely to be the significant extra compliance monitoring, reporting and training burdens that will be placed on these firms as a consequence of the decision to apply the five proposed new conduct rules to all employees at relevant firms who do not perform a mere ancillary role. This means that tens of thousands of additional staff will be subject to the new conduct rules and will need to be appropriately trained and monitored by their employers as to their compliance with the rules going forward.

Training obligations

Relevant firms will be required to ensure that their employees who are subject to the conduct rules are notified of the rules that apply to them and to take all reasonable steps to ensure such employees understand how the rules apply to them. This includes the provision of suitable training to ensure that employees have an awareness and broad understanding of the rules and a deeper understanding of the practical application of the specific rules relevant to their work (C-CON 2.3R).

Key notification and reporting obligations contained in the proposed new rules

Relevant firms will be required to notify the FCA if they know or suspect that any relevant staff have failed to comply with any of the conduct rules (C-CON 2.3.3G). There is no materiality threshold for the making of such a notification.  Further, if a firm takes disciplinary action against an approved person for breach of the new conduct rules, the firm will be required to notify the FCA. A notification must also be made if a firm subsequently takes disciplinary action against the individual for a breach of the new conduct rules after the original notification is made. Further, where the firm changes its view that the employee has breached a conduct rule or determines that another provision has been breached than that which was originally notified, the firm will be required to inform the FCA under P11 (SUP 15.11.8G).

Conduct rule breaches by senior managers will need to be reported within 7 business days of the firm becoming aware of the breach.  For breaches by certification staff or other conduct rules staff, aggregated notifications will need to be made to the regulators on a quarterly basis (see SUP 15.7 for further guidance).

If a firm becomes aware of information which would reasonably be material to the assessment of an FCA-approved person’s or candidate’s fitness and propriety, it will need to inform the FCA as soon as possible. Failing to disclose relevant information may be a breach of s398 FSMA (and therefore a criminal offence) (SUP 10C.12.23 R).

At least once per year, each relevant firm must consider, for every SMF manager it employs, whether there are any grounds for the FCA to withdraw approval and, if the firm thinks there are such grounds, it will need to notify the FCA. (This applies to PRA approved persons too) (SUP 10C.12.27 G)).

A firm will also need to notify the FCA where, in any 12 month period, it has upheld three complaints about matters relating to activities carried on by any one employee when acting as a retail investment adviser, or where it has upheld a complaint against such an adviser and the redress paid exceeds £50,000. In each case the timing for notification is 20 business days after upholding the complaint (SUP 15.12.1R).

A relevant firm assessing the continuing fitness and propriety of an approved person is required to notify the FCA, if it forms the opinion that there are reasonable  grounds on which the FCA could withdraw its approval (see SUP 10C.12.28R). In this regard, before any notification is made, the relevant firm should take into account how relevant and how important the matter is that suggests the employee may not be fit and proper (FIT 1.3.4A G). (Note that the PRA has its own rules on this – see Annex 7.5 to CP 14/13).

The requirement to provide a regulatory reference

A current or former employer (B) will need to provide to a prospective new employer (A), on request, a regulatory reference (containing all relevant information of which B is aware) where A is considering employing a person to perform any FCA controlled function (SYSC 5.3.4R). In this context, B will owe a duty of due skill and care in preparation of the reference both to the current/former employee and to A (SYSC 5.3.5G).  Frank and honest views may be given, but only after taking reasonable care as to factual content and any opinions expressed. Any information on which opinions are based will need to be verified. Firms must not enter into any compromise agreements that may conflict with their duties under this section. A must ask B to include in the reference details of any conduct rules breaches by the person notified to the FCA in the last 5 years, any disciplinary action in consequence and the outcome.

The cost of complying with the proposed new rules and related training, monitoring and compliance obligations

A key concern for relevant firms will be the cost of enhancing systems, processes and procedures in order to ensure that they are able to comply with the proposed new rules and the monitoring and reporting obligations which they impose. It is anticipated in the cost benefit analysis that is enclosed with CP 14/13 that the lion share of the costs for smaller firms will be attributable to the impact of the senior managers regime, while at larger firms, the majority of the costs will arise from the obligations imposed by the conduct rules and the related notification and reporting obligations.

However, the position is unlikely to be this straightforward in practice. The larger, more complex firms will probably need to include additional managers below the top two tiers of management (Board level and those reporting directly to the Board) within the scope of the senior managers regime. The complexity of assigning key responsibilities to specific individuals across a complicated management matrix will mean that the situation at larger firms is more complicated (and more expensive to map out). The annual costs of reviewing responsibilities maps and individual responsibilities statements to ensure that all key responsibilities have been appropriately mapped and allocated and that the relevant individuals are managing them effectively are likely to be significant.

There are real concerns within the industry about the impact of the new rules on the efficiency of internal decision-making processes with many anticipating this may lead to a shift towards more collective decision-making (or at least a requirement for sign-off of decisions by multiple senior managers) and greater bureaucracy around internal monitoring and controls in order to provide the audit trail that may be required to protect individuals in due course from regulatory liability in view of the new presumption of responsibility.  In an attestations context, this could lead to firms routinely requiring that individual attestations be provided back-to-back by each member of line management, to mirror the attestation signed by the senior manager who has been nominated by the regulator. This increased bureaucracy is likely to slow down without necessarily improving the quality of decision-making within relevant firms.

The ability of relevant firms to recruit for senior roles may also be impacted as a consequence of the “double whammy” currently being experienced by senior managers working in the sector – namely, the effect of the remuneration code which is negatively impacting the present value of deferred remuneration for senior managers while at the same time the personal regulatory exposure of such individuals at relevant firms is increasing significantly as a consequence of the proposed new conduct regime.  Many believe the presumption of responsibility, in particular, is a step too far and that it is likely to make working in a senior role in UK financial services significantly less attractive than working in other places such as Paris, Frankfurt, Milan or Zurich.

Senior managers may wish to engage independent legal advisers to review the responsibility statements to which relevant firms will be obliged to require them to sign up and some staff may even require independent legal advice on whether the terms of their employment contracts need to be reviewed in view of the notification and reporting obligations which the new rules are placing on their employers to report suspected breaches by their staff. In the case of senior managers, such reports will need to be made within 7 business days. This time frame leaves relatively little time for investigation and notifications may need to be made to the regulators before issues have been fully investigated or the individual under suspicion has been given the opportunity to tell his side of the story. Given the scope for notifications under the new rules to impair the future careers of senior managers (who will of course require regulatory approval to hold similar roles in the future at other regulated firms), it is not difficult to see how the employment implications of the proposed new regime have the potential to become a legal minefield.

While it is possible that some of the rule changes may result in costs savings in some respects, it is likely that any saving that may be achieved by, for example, limiting the requirement to obtain regulatory approval to SMF managers, will be offset by the increased costs of submitting applications to approve SMF managers (for which far more information will now be required) and the additional cost of firms (i) having to determine whether their staff fall within the scope of the certification regime and, if so, (ii) monitoring and reporting on their fitness and propriety on a continuing basis. The additional costs arising from the requirement to obtain formal regulatory references are also likely to be significant, in view of the potential legal (and, of course, regulatory) liability arising from this new requirement.

The scope of application of the new conduct rules, which it is currently proposed will apply to all bar purely ancillary staff, will draw tens of thousands of additional staff within the disciplinary jurisdiction of the FCA.  The cost of training these individuals on the rules and how they apply to their day-to-day work will be considerable – as will the cost of setting up the necessary systems and processes to monitor and report on their compliance with the rules. It is likely that a variety of different training programmes will need to be developed for different types of employee operating in different parts of the relevant firms’ business. Training will also need to be provided to those individuals responsible for deciding whether a particular act or omission constitutes a breach of the conduct rules such that it needs to be reported to the regulators, or not.

It is in this area that the proposed new regime appears to bear least scrutiny from a cost benefit perspective. Would the FCA really be interested in taking disciplinary action against a junior financial adviser or bank cashier for breach of a conduct rule causing little or no customer detriment ? If not, then why is the regulator requiring that this information be aggregated and reported on a quarterly basis ?  Such requirements entail considerable cost for the regulated community and, some would argue, accrue minimal benefit to the regulators.

While there is a general acceptance across the banking industry that all staff in customer facing roles (and more widely) should already be adhering to the five core conduct rules, in view of the compliance and logistical challenges described above, there is a growing consensus that it would be more proportionate to provide that only individuals falling within the scope of the senior managers and certification regimes and, possibly, those who manage such individuals should be brought within the disciplinary jurisdiction of the FCA and have their compliance with the conduct rules monitored and reported upon. 

The proportionality of applying the new conduct rules to all non-ancillary staff at relevant firms, with all the monitoring and reporting burdens that would entail, is questionable. It would not only be very expensive for the larger firms, but would impose a disproportionate burden on the smaller credit unions and building societies, in particular. The regulators have listened sympathetically on the whole to the concerns raised by the industry during the consultation period, but the reality is that the Financial Services (Banking Reform) Act has left them relatively little room for manoeuvre on many of the core principles underlying the proposed new conduct regime. So, we can probably expect to see a policy statement in due course that will not depart materially from the proposals in CP 14/13.

First published on Thomson Reuters Accelus on December 10, 2014.