Following the introduction of the Senior Managers Regime (SMR) and the Senior Insurance Managers Regime (SIMR), the regulators’ appetite for pursuing enforcement cases against senior managers is ever increasing.
Having worked on a number of recent high-profile FCA and PRA enforcement cases against individuals, both as an FCA investigator (whilst on secondment with the FCA's Enforcement and Market Oversight Division) and as a defence lawyer, I can share some insider tips on what steps you should be taking to fulfil your personal regulatory duties and, ultimately, avoid becoming the subject of regulatory enforcement action.
What do I need to do initially when I commence my role?
On taking up a new role within a financial institution, we recommend that you carry out a documented initial assessment of the risk management framework in place for your area of the business, within the first two or three months. To be clear, no matter how large your firm’s Compliance or Risk function is, the responsibility for regulatory compliance in your area of the business lies with you.
This assessment will involve arranging meetings with the people in the business who have the best knowledge of how your area was managed before your appointment (ideally including your predecessor), and also with Compliance, Risk Management, Internal Audit, and HR. The purpose of this exercise is to satisfy yourself that robust processes are in place to identify and assess each of the various material risks that your area of the business is exposed to. To do this, you need to understand the firm’s risk appetite and how it applies to your area of the business.
You also need to make sure you are clear about which area of the firm you are responsible for from the outset. Your Statement of Responsibility will set that out. Make sure you have a copy to hand and that you are still happy it is an accurate description of your role. If it isn’t, it’s important that you get your firm to update it and send the updated version to the regulators. You should also ensure that the reporting lines in place will allow you to effectively oversee the areas for which you are responsible (including any specific prescribed responsibilities).
How should I approach my duties on an on-going basis?
We recommend carrying out documented annual reassessments of the risk management framework for your business area, even if nothing is going wrong, and you have no reason to think that anything needs improving. These reassessments should include:
- Checking that the organisational structure is operating effectively. Are reporting lines working well? Are important matters being escalated quickly enough?
- Checking that risks are being identified effectively within the framework. Has a particular risk been notified to you late, having come in under the radar?
- Reviewing the competence and capability of your direct reports. Do not rely solely on their annual appraisals – ask yourself, am I happy that they are effective in supporting me to identify and manage the risks in my area of the business?
- Assessing whether the management information you are getting is appropriate – neither too little information, nor too much.
Watch out for ‘red flags’ (for example, critical internal audit reports, or concerns raised by the regulators, whether firm-specific or sector-wide). A ‘red flag’ may trigger the need to take immediate action.
Finally, remember that you can’t ‘press pause’ on your regulatory responsibilities. Unfortunately, being under pressure of work (e.g. due to a lack of resources or support from the top) or having personal difficulties is not a defence in regulatory enforcement proceedings, however unfair this may be.
What should I do if problems occur?
When considering your regulatory duties, perhaps the most critical time for you is when something goes wrong. Mistakes and oversights are often unavoidable. However, your reaction to issues is pivotal in terms of your personal regulatory liability, and may be closely analysed by the regulators after the event.
If a problem arises in an area of the business for which you are responsible:
- ensure pro-active steps are taken to investigate and understand it. Where an issue raises significant concerns, act quickly and decisively;
- highlight concerns to internal or external auditors and, if necessary, request that they examine the operation of the relevant controls or business functions;
- consider whether the issue has wider implications in respect of the suitability of the risk management framework;
- ensure that any concerns are appropriately escalated (including to the relevant risk committees, the board, and/or the regulator); and
- keep a written record of your actions, the outcome and the reasoning behind your decisions.
If you are unsure about what your personal regulatory duties require of you, seek legal advice. I would be happy to speak to you about your regulatory position generally, or in light of a specific issue you are facing, so please do get in touch.