‘Reasonable steps’ for senior managers

  • United Kingdom
  • Employment law
  • Financial services and markets regulation
  • Financial services - Senior Managers and Certification Regime

05-12-2018

The following article was published by Compliance Monitor (www.compliancemonitor.com) on 4 December 2018. Eversheds Sutherland Partner Gregory Brandman and Principal Associate Barrister Ruth Paley were delighted to provide commentary and insights in Compliance Monitor’s article ‘Reasonable steps for senior managers’.

With the onerous Duty of Responsibility being extended to high-level staff right across the financial sector, Gregory Brandman and Ruth Paley review the regulators’ formal guidance as well as best practice principles to help senior personnel manage and mitigate their personal risk.

The Senior Managers and Certification Regime (SMCR) was introduced for banks and Prudential Regulation Authority-regulated investment firms in March 2016 and further legislation was enacted bringing into effect a new statutory ‘Duty of Responsibility’ for senior managers at those firms with effect from 10 May 2016. The Financial Conduct Authority has recently confirmed that the SMCR (including the Duty of Responsibility) will be extended to insurers and FCA solo-regulated firms from December 2019, a development which will have the effect of applying the SMCR to the whole of the regulated financial services industry in the UK, although the impact of the regime will be tailored by reference to the size and resources of each firm.

For individuals working at these firms, however, the effect will be that all non-ancillary [1] staff will be brought within the disciplinary jurisdiction of the FCA and required to comply with the five individual conduct rules, [2] while all senior managers will also be subject to the four senior manager conduct rules [3] and the Duty of Responsibility for senior managers. The training, monitoring and reporting obligations on firms arising from this expansion of the FCA’s disciplinary jurisdiction will be considerable.

The political momentum for the SMCR arose from the need (identified by the Parliamentary Commission on Banking Standards) to improve governance, culture and accountability in banks following the financial crisis of 2008/9. The PCBS declared that the APER regime in the FCA Handbook imposing rules around approved persons’ conduct (which still largely applies to approved persons outside the banking sector) was not fit for purpose. The SMCR was therefore introduced to heighten focus on the accountability of a smaller number of senior individuals at the top of financial institutions and to enhance the regulators’ ability to hold these individuals to account (if necessary through enforcement action) when things went wrong in the future. The intended effect of the new regime was to improve governance by clarifying key individuals’ responsibilities and to encourage the development of a better culture, especially in banks, by making senior managers understand that they would be held personally to account for regulatory failings that occurred ‘on their watch’ where it was appropriate to do so.

Originally, it had been proposed to introduce a ‘Presumption of Responsibility’ for senior managers as part of the SMCR, whereby senior managers would be deemed culpable for a regulatory breach that occurred in a part of the business for which they were responsible, if they could not satisfy the regulators that they had taken reasonable steps to prevent the breach either occurring or continuing.

This proposal would have placed the burden on senior managers to satisfy the regulators that they had acted reasonably and proved to be so controversial that, eventually, HM Treasury announced that the Presumption of Responsibility would be discarded and replaced instead with a new Duty of Responsibility, applicable in similar circumstances, but where the burden would remain on the regulators to prove that senior managers had failed to act reasonably. It is with this Duty of Responsibility, and how senior managers can demonstrate compliance with it, that this article is concerned.

The basis on which disciplinary action can be taken by the FCA and PRA against senior managers

For those firms currently subject to the SMCR, and for all authorised firms with effect from December 2019, the FCA and the PRA may take disciplinary action against a senior manager for regulatory misconduct on any of the following grounds:

  1. breach of any of the five individual conduct rules
  2. breach of any of the four senior manager conduct rules
  3. being ‘knowingly concerned’ in the contravention by a firm of a relevant requirement
  4. breach of the Duty of Responsibility for senior managers

We are now starting to see the first regulatory outcomes emerge resulting from FCA and PRA enforcement action against senior managers under the SMCR and it is important to understand the focus which the regulators have on the importance of achieving these outcomes against senior managers. Such outcomes are considered by the FCA, in particular, to be central to its credible deterrence strategy and to be the most effective way of changing culture for the better in financial services. The enforcement and market oversight division of the FCA has for some considerable time now been opening more investigations into individuals than firms and senior managers are firmly in the cross-hairs. [4] In particular, where the FCA has opened an investigation into a firm for a suspected systems and controls failing, it is now more or less the default position of the FCA also to open an investigation into relevant senior manager(s) at the firm in order to determine whether they are personally culpable or knowingly concerned in the firm’s suspected failing. [5]

The Duty of Responsibility

With effect from 10 May 2016, under sections 66A(5) and 66B(5) of the Financial Services and Markets Act 2000 (as amended), the FCA and the PRA may take action against senior managers where:

  1. there has been a contravention of a relevant requirement by the Senior Manager’s firm [6]
  2. at the time of the contravention or during any part of it, the Senior Manager was responsible for the management of any of the firm’s activities in relation to which the contravention occurred [7]
  3. the Senior Manager did not take such steps as a person in their position could reasonably have been expected to take [8] to avoid the contravention occurring or continuing

The burden of proving that all three limbs of the test have been satisfied is on the regulators – the evidential test being ‘on the balance of probabilities’ (ie, more likely than not). As regards the third limb of the test, it is clear that a senior manager will not be in breach of the Duty of Responsibility where they can show that they have taken reasonable steps to avoid the ‘contravention’ by the firm occurring or continuing.

Decisions about whether to take enforcement action based on the Duty of Responsibility will be made by the FCA with reference to its published criteria in DEPP (see below). The FCA will look at all the circumstances of the case, including the seriousness of the breach, the relevant individual’s position, responsibilities and seniority as well as the need to use enforcement powers effectively and proportionately.

The FCA and the PRA have stated that they will not apply standards retrospectively or with the benefit of hindsight. [9] Both regulators have said that when they apply the Duty of Responsibility, they will consider what steps a competent senior manager would have taken at that time, in that specific individual’s position, with that individual’s role and responsibilities in all the circumstances.

The FCA and the PRA have both clarified that the Duty of Responsibility will apply to senior managers’ individual contributions to collective decisions and their implementation insofar as those contributions are in scope of their senior manager responsibilities. [10]

It will have been noted by the reader that the requirements of ‘reasonableness’ and ‘reasonable steps’ are not new in terms of compliance with the FCA’s conduct rules. The FCA Handbook continues to provide that a person will only be in breach of a conduct rule where they are ‘personally culpable’. This means where the person’s conduct was either deliberate, or where the person’s standard of conduct was below that which would be reasonable in all the circumstances. Unless the regulators can satisfy this standard for assessing personal culpability, an individual cannot be held liable for breaching either the individual conduct rules, or the senior manager conduct rules (or the APER Statements of Principle for Approved Persons, while they continue to apply).

The reader will also be aware that the concept of ‘reasonable steps’ is firmly embedded in the drafting of three of the four new senior manager conduct rules under the SMCR:

  1. SMCR 1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
  2. SMCR 2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
  3. SMCR 3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
  4. SMCR 4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

The FCA has provided extensive guidance on compliance with the conduct rules, including a non-exhaustive list of examples of conduct that may be in breach of the rules. [11] The PRA also provides some helpful guidance in its supervisory statement. [12]

In relation to the Duty of Responsibility, the regulators have supplied considerable guidance as to their expectations in terms of compliance. The FCA’s guidance is set out in DEPP 6.2.9-A G to 6.2.9-F G. This guidance includes a non-exhaustive list of considerations that may be relevant when determining whether (i) a senior manager was responsible for the management of the firm’s activities in relation to which the contravention occurred; and (ii) a senior manager took the steps such a person in their position could reasonably have been expected to take to avoid the contravention occurring or continuing.

The guidance provided by the PRA on the Duty of Responsibility [13] is generally consistent and aligned with the FCA’s guidance, and the steps reasonably expected of senior managers under both sets of guidance are essentially the same. Neither set of guidance is prescriptive, however, and the steps that should be taken to comply with the Duty will vary from case to case.

The PRA proposed in CP14/17 that its guidance for the application of the Duty of Responsibility to insurers would reflect its existing guidance for the application of the duty to deposit-takers and PRA-designated investment firms. This approach appears to be confirmed by the PRA’s policy statement 15/18 and the July 2018 update to supervisory statement 35/15. [14]

Examples of some of the factors that the regulators have said they will take into account when assessing the reasonableness of senior managers’ actions are as follows:

  1. whether they exercised reasonable care in considering information and reached a reasonable conclusion on which to act
  2. whether they took reasonable care to inform themselves appropriately when participating in collective decision-making
  3. the knowledge they had/should have had about regulatory concerns and whether they responded appropriately if they were put ‘on inquiry’
  4. whether they were/should have been aware of possible regulatory breaches and took reasonable steps to ensure they were dealt with in a timely and appropriate way
  5. whether they acted in accordance with their statutory and common law as well as other legal obligations
  6. whether they took reasonable steps to effect an orderly transition of responsibilities and/or whether they delegated their responsibilities reasonably and appropriately
  7. whether they failed to take reasonable steps to understand and inform themselves about the firm’s activities for which they are responsible
  8. whether they failed to seek adequate explanations when reasonably required
  9. whether they took reasonable steps to implement adequate systems and controls
  10. whether they failed to obtain independent expert opinion where appropriate, including from outside the firm

The guidance on ‘reasonable steps’ that has been provided by the regulators, although fairly extensive, is deliberately expressed at a high level. As the FCA has itself noted, “The guidance is not prescriptive about the steps that a Senior Manager should take to avoid a firm contravention occurring or continuing, as the steps reasonably expected will vary from case to case depending on the circumstances. Nor, for this reason, does it set out examples of the steps reasonably expected of Senior Managers at specific types of firms.”

This has prompted senior managers and their compliance officers to reflect on what may constitute ‘reasonable steps’ in any given set of circumstances and on what ‘best practice’ might be in respect of recording and preserving the best possible evidence of the reasonableness of their conduct in the event of subsequent challenge by the regulators.

Evidencing reasonableness: the importance of record-keeping

The regulators have indicated the type of records that they will seek to examine, in the event of a regulatory contravention by a firm, in order to determine whether relevant senior managers have acted reasonably. Inevitably, the key governance documentation that firms and senior managers are required to put in place under the SMCR, including senior manager statements of responsibilities and the management responsibilities map, will be the regulators’ usual point of departure. But other documentation to which regulators may seek access includes organisation charts, board and committee meeting minutes, training records and regulatory correspondence.

However, as many senior managers will recognise, board and committee meeting minutes often record only a fraction of the discussion and challenge at those meetings (and not always in a very helpful or transparent way). Further, in many cases much of the challenge, discussion and debate leading to major business decisions occurs outside the forum of the meeting itself and is seldom recorded in a formal way.

The reality is that, following the implementation of the SMCR, authorised firms and their senior managers are going to need to get much better at recording the process of governance and decision-making if they are to help senior managers mitigate the personal regulatory risk that could arise from a challenge by a regulator, which might occur several years after the event. In the absence of adequate record-keeping, it can prove very difficult (if not impossible) to reconstruct the rationale for individual management actions (or omissions) or decision-making, and to defend the reasonableness of the relevant actions or decisions by reference to the information that was available at the time.

Record-keeping is key to evidencing the reasonableness of senior managers’ conduct, whether in respect of their contributions to collective decisions (which may since have transpired to have been misconceived) or in respect of their involvement in managing, mitigating or otherwise responding to the risks emerging from the part of the firm’s business for which they are responsible. We have therefore set out below some of the critical questions that senior managers ought to be asking themselves and their firm about record-keeping practices, and about how they interrogate, record and deploy the management information that flows out of their firm’s governance framework, so that they are in the best possible position to evidence the reasonableness of their conduct should they subsequently be subjected to scrutiny by the regulators.

  • Record-keeping generally : how does your business record challenge and decision-making? How does your business document actions and outcomes? Is this sufficient? Are record-keeping requirements clearly explained and complied with? How do you record your own decision-making? Do you take notes of your one-to-one meetings? Do you document actions and track follow-up with your line reports? How do you record your own challenge? (Asking the right questions is only half the job. What about the answers? Are they satisfactory? If not, have you chased these down and recorded them?)
  • Statements of responsibilities : Do you understand the scope of your responsibilities and your reporting lines? Are these clear and up-to-date? Are you new in role? Have you received/given an adequate handover? Have you carried out a robust ‘initial assessment’ of the business for which you are responsible within the first two months of your new role? [15] Would you say following this initial assessment that you have a good working understanding of the business for which you are responsible and the applicable regulatory requirements, the risks arising from the business and how they are mitigated? Do you have adequate management information to support your oversight responsibilities? Do you have sufficient bandwidth to fulfil your responsibilities?
  • Handover process and documentation : Has the firm produced internal guidance for senior managers in respect of handover procedures and the orderly transition between senior managers? Is there a process for recording the handover so that it is clear what information was provided between the parties? What assessment is made of the handover material to ensure that the transition is founded on information that is accurate, practical and helpful, so that the new senior manager can prioritise actions and attend to urgent issues?
  • Management information : is it fit for purpose? Is it timely and accurate? (Note the importance of quality over quantity.) Does it tell you what you need to know? Is it aligned with the key risks facing your business? Is your risk reporting only backward-looking or is it forward-looking as well? Are you interrogating it critically (both your own management information and what you produce for others)? Are you using it to challenge what you are being told by your line reports and/or other lines of defence?
  • Delegation : where you have delegated responsibility, is this recorded appropriately? Can the reasonableness of your decision be evidenced? Can you evidence the appropriateness of your ongoing oversight and monitoring?
  • Performance management : Do you document one-to-one meetings with your line reports and agreed actions/objectives arising? Do you track follow-up? Can you demonstrate that you effectively challenge and hold your line reports accountable through the annual Performance and Development Review processes?
  • Organisation charts : Are these up to date? Do they reflect clear reporting lines/areas of responsibility and are you able to articulate these when asked?
  • Board and committee meeting minutes : How effectively do these record discussion and challenge in key decision-making? If they do not, do you record and maintain your own records of your participation in collective decision-making? If not, how do you expect to reconstruct the rationale for key decisions and your own involvement in them up to six years after the event (which the regulators may require you to do)? What are the arrangements for circulation and review of draft committee minutes? Are committee members given an appropriate opportunity to make clarifications or amendments, where appropriate?
  • Other communications : Where decisions are taken outside a formal structure, do you memorialise agreed actions in an email or briefing document that is circulated to relevant stakeholders to ensure ownership is apportioned and agreed? Does your firm ensure that emails and document management systems are archived properly and made accessible?
  • Training and CPD records : Are you attending all relevant training and recording your attendance in an accessible log?
  • Response to emerging issues : Regulators assess the robustness of a firm’s culture and governance in particular by reference to its response in moments of crisis. Is the firm being open and transparent in its dealings with regulators in respect of notifiable events within the part of the business for which you are responsible, including systems and controls inadequacies? Are you taking prompt and thorough remedial action in respect of such issues? Is the customer impact arising from such incidents being appropriately considered and mitigated? Are you engaging SMEs where appropriate (whether internal or external) to provide advice and assurance, carry out root cause analysis and appropriate remediation? If so, are you implementing their recommendations appropriately? If not, what is your rationale for not doing so and is it reasonable in the circumstances? Have you learned the lessons from prior incidents and are you reading them across to other parts of the business? Is relevant correspondence with regulators being conducted with openness and transparency? Are key areas of interest or focus by the regulator being kept under close scrutiny and review?
  • Resourcing in the second and third lines of defence : are you confident your second and third lines are resourced appropriately and performing effectively? Are you challenging them on the scope and delivery of their annual monitoring and audit plans? Is second and third line headcount increasing in step with the expansion of your business? Are you responding appropriately to requests for additional resource? If you are refusing such requests, what is your rationale? Is it reasonable?

It should be apparent from the foregoing paragraphs that there are a number of practical steps that senior managers can take to ensure that (i) they have readily available to them evidence that they are carrying out appropriate oversight of the part of the firm’s business for which they are responsible and (ii) such evidence is recorded in a durable medium so that it can easily be accessed in the future, in the event that this should be necessary.

Notes

[1] See COCON 1.1.2R of the FCA Handbook for an explanation of this term. Essentially, ancillary staff are those who would be carrying out the same role, whether or not they worked for an authorised firm, such as cleaners, caterers and receptionists.

[2] These are set out at COCON 2.1. All are applied by the FCA. But, note that the PRA only applies the first three conduct rules to those within its disciplinary jurisdiction.

[3] These are set out at COCON 2.2.

[4] According to a Freedom of Information Act request dated June 2018, the FCA enforcement division had 306 open investigations into individuals (compared with 221 open investigations into firms). Of the 306, it appears that 128 relate to approved persons under the old APER regime. Under the SMCR, there are five open investigations into senior managers and 10 into certified persons. Meanwhile, the PRA had 14 open investigations into individuals and eight into firms.

[5] This approach was confirmed in the FCA’s ‘Approach to Enforcement’ document in March 2018.

[6] Consequently, liability cannot arise under the Duty of Responsibility without associated misconduct by the firm.

[7] This will be a question of fact in each case and the regulators have reserved the right to ‘look beyond’ senior managers’ statements of responsibilities to ascertain the true position, if appropriate. So, while statements of responsibilities will be relevant considerations in this regard, there will be other relevant considerations, according to the regulators. Some of these are set out by the FCA at DEPP 6.2.9-C G.

[8] DEPP 6.2.9-E sets out a lengthy, but non-exhaustive list of considerations which the FCA will take into account in assessing whether a senior manager’s actions were reasonable in all the circumstances. The PRA’s guidance as to its own expectations in this regard is contained at paragraphs 2.76 and 2.77 of SS28/15. The PRA and FCA both accept that the steps a senior manager in a non-executive role could reasonably have been expected to take may differ from those reasonably expected of a senior manager in an executive role. In determining whether a senior manager has complied with the duty, the PRA and the FCA will consider their respective guidance, and whether the senior manager has acted in accordance with their statutory, common law and other legal obligations, including but not limited to the conduct rules and other relevant PRA and FCA rules.

[9] See DEPP 6.2.9-D G.

[10] DEPP 6.2.9-E G (15); SS28/15, paragraph 2.67.

[11] See COCON 4.1 and 4.2.

[12] PRA SS28/15.

[13] This is set out at paragraphs 2.59 ff of PRA SS28/15, dated May 2017.

[14] See para 1.15 of FCA PS18/16.

[15] In the case of Financial Services Authority v John Pottage (2012), the Upper Tribunal held that a senior manager should carry out a thorough initial assessment of the risk management framework in place for the area of the business for which they are responsible. Notwithstanding that the FSA lost its case against Mr Pottage, the tribunal held that Mr Pottage had a regulatory duty to carry out an initial assessment of the firm’s risk management framework within two months of taking up his role.
