SMCR – unanswered questions
17 / 10 / 2017
With the FCA consultation now underway and the broad structure of the SMCR regime more or less established, some difficult questions emerge. This article thinks ahead to implementation and explores how SMCR will require firms to combine an understanding of regulatory and employment law issues as never before.
The certification regime is light on structure, leaving firms to make enormously significant decisions in something of a regulatory vacuum.
Amongst the key issues that will arise are the following:
- Which staff are covered? The definition of “employee” in the rules extends well beyond directly employed staff and so firms will need to have a good understanding of:
o their outsourcing, contractor and agency worker relationships
o the law on employment status, which is currently in a fluid state as a consequence of the “gig” economy cases going through the Courts and Tribunals
- Who will make the decision about fit and proper (“F&P”) status? Is this an appropriate task for a direct line manager, or indeed any single individual?
- Is it appropriate to assess F&P status in the context of a routine annual appraisal, particularly if there are concerns, or should there be a separate process?
- What are the legal boundaries of F&P status and is every conduct rule breach or disciplinary matter also an F&P issue?
- What data is relevant to F&P status and how should it be stored under GDPR?
- How will employment contracts address the consequences of F&P certification being withdrawn?
Senior Managers regime
- The SM regime has greater structure to it and imposes less of a decision-making burden on firms. However, just beyond the mandatory framework of SM functions and responsibility statements lie some tricky practical issues, for example:
- Are additional systems necessary to give the SM visibility of activities in their area of responsibility?
- Given that SMs will have an onerous new duty to disclose to the regulator anything that it may reasonably want to know:
o how and where should an SM keep records of potentially disclosable information?
o how and when will a recruit into an SM function be briefed on relevant issues, particularly concerns about breaches?
- Would it be negligent or a breach of regulation to omit concerns about F&P status from a reference if certification was not actually withdrawn?
- Should the reference cover disciplinary matters or conduct rules issues that do not relate to the firm’s authorised activities?
Firms that have addressed these and other difficult questions and developed appropriate policies, systems and processes in advance will be better placed to cope with the impact of introducing and applying SMCR. Firms will need to develop an all-round approach to implementation that takes into account employment law rights, as well as other regulatory and legal duties.
On a positive note, the current stream of regulatory and legal change provides an opportunity to approach it in a way that embeds compliance culturally, and takes advantage of it, rather than simply imposing yet more new obligations on staff without obtaining genuine buy-in.
Affected firms won’t need reminding about MIFID, but should now also be preparing for GDPR which takes effect in the UK on 25 May 2018, regardless of Brexit, as businesses, public authorities and charities are expected to be compliant with its provisions from day one.
GDPR imposes stringent requirements upon organisations that hold information about individuals, whether they are employees, clients, customers or suppliers. It also confers more extensive rights upon individuals in relation to their personal information. In the UK, the GDPR will be supplemented by the Data Protection Act 2017 which, among other things will introduce a number of criminal offences and imposes personal liability for directors and officers of companies that misuse personal data.
Furthermore, a new corporate criminal offence of failure to prevent facilitation of tax evasion was created with effect from 30 September 2017 under the Criminal Finances Act 2017. It applies in respect of UK tax but also non-UK tax (if the entity is incorporated in the UK, has a place of business in the UK, or any aspects of the offence occurs in the UK).
The offence carries an unlimited financial penalty for the business, as well as a public record of conviction. It requires an element of dishonesty or fraud and cannot be committed by accident. A defence exists if the business can demonstrate reasonable prevention measures i.e. a clear effort to comply, risk assessment, top level commitment, an initial communication plan, and an implementation plan for tackling the risk in a proportionate and timely manner.