15.01  As discussed in the previous chapter, a defining characteristic of post-Financial Crisis regulatory reforms is the focus on reinforcing individual accountability. That is not to say that the reforms supplant the sound policy and legal bases on which an institution, its agents, and/or other commercial counterparties to financial market transactions might rightly be held to account. Rather, the reforms have generally aimed to bridge a perceived ‘evidentiary gap’ in situations where there is a case for placing personal responsibility on individuals within (certainly large, multifunctional) financial institutions in relation to misconduct manifested within their area of responsibility, but due to the structural (p. 270) and operational complexities of the institution, an enforcement action/prosecution is not likely to succeed.² Failing this, the reforms aim at least to instil a greater ‘sense’ of accountability and emphasize the importance of ethics-led decision making and the risks inherent in under-supervized or unaccountable delegation.

15.02  These issues ran pervasively through the PCBS’s inquiry and recommendations.³ This lacuna in individual responsibility was referred to in the summary to the PCBS Final Report, which stated that:

Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite.⁴

15.03  This chapter summarizes the most salient of ‘individual accountability’-focused reforms, either under consideration or fully/partially implemented. This includes a new, enhanced, framework for the assessment of individuals’ fitness and propriety and the internal (and/or regulatory) approval of them to perform certain roles; subtle changes to the enforcement approach of the Financial Conduct Authority; the introduction of new criminal offences for misconduct in senior office and the facilitation of financial crimes; and the reinforcement of whistleblowing procedures within firms.

15.04  As discussed in Chapter 14, the Financial Services (Banking Reform) Act 2013 (the Act), amending the Financial Services and Markets Act 2000 (FSMA), introduced, among other key reforms, a new regulatory framework for individuals working in certain firms operating in the UK. The regime, referred to as (p. 271) the Senior Managers and Certification Regime⁵ (SM&CR) came into force on 7 March 2016. It was aimed at raising standards of governance, increasing individual accountability and helping to restore confidence in the banking sector. The background to the regime was summarized in the FCA’s consultation paper on the regime,⁶ in which the regulator observed that:

The behaviour and culture within banks played a major role in the 2008–09 financial crisis, in conduct scandals such as Payment Protection Insurance (PPI) misselling, the attempted manipulation of LIBOR and failings in regard to the spot foreign exchange (FX) market. Under the statutory and regulatory framework in place at the time, individual accountability was often unclear or confused, undermining public trust in both the banking system and in the regulatory response.

15.05  The regime has three elements, the Senior Managers Regime (SMR), the Certification Regime (CR) and the Conduct Rules, and applies to UK banks, building societies, credit unions and PRA-designated investment firms⁷ (as well as branches of foreign banks operating in the UK).⁸ In 2018, the regime will be extended to all firms that are authorized under FSMA,⁹ replacing the Approved Persons Regime (APR). HM Treasury, citing the findings of the PCBS and the Fair and Effective Markets Review,¹⁰ described the need for the SM&CR and in particular its application across the UK financial services markets in the following terms:

(p. 272)

Many firms beyond the banking sector—such as large investment firms, insurers and those involved in shadow banking—can pose a threat to financial stability. Misconduct by firms of any size can have serious impact on the welfare of consumers or on market integrity, which will in turn harm consumers, investors and the businesses that depend on fair and effective markets. Such misconduct can be caused by similar failings to those identified by the PCBS in banks. The government has decided, therefore, to extend the SM&CR to all sectors of the financial services industry, including insurers, investment firms, asset managers, insurance and mortgage brokers and consumer credit firms.¹¹

15.06  The key features of the SM&CR are:

1. (1)  an approval regime focused on senior management, with requirements on firms to submit robust documentation on the scope of these individuals’ responsibilities (the ‘SMR’, see below);

2. (2)  a statutory requirement for senior managers to take reasonable steps to prevent regulatory breaches in their areas of responsibility (the ‘duty of responsibility’);¹²

3. (3)  a requirement on firms to certify as fit and proper any individual who performs a function that could cause significant harm to the firm or its customers, both on recruitment and annually thereafter (the ‘Certification Regime’, see below);

4. (4)  a power for the regulators to apply enforceable Rules of Conduct to any individual who can impact their respective statutory objectives (the ‘Conduct Rules’, see below).

15.07  The SMR directly replaced the APR as it applied to persons performing senior roles within a firm. Responsibilities of senior managers under the SMR are defined by reference to both Senior Management Functions (SMFs) and Prescribed Responsibilities (that relate to an SMF); with primary responsibility for granting pre-appointment approval divided between the PRA and the FCA depending on the firm/function. Section 59ZA of FSMA defines an SMF as one that:

(p. 273) 15.08  There are twenty SMFs specified by the regulators,¹³ ranging from board directors, executive committee members and overseas/EEA branch management, to heads of key functions such as risk, internal audit, compliance oversight, money laundering reporting, or heads of a key business area. Anyone planning to take up an SMF must prepare and submit an application to the regulator for approval prior to performing that function; and such approval may be subject to limitations (say with respect to a specific period or the completion of training or a qualification).¹⁴ Having said that, the FCA’s Supervision Manual, section 10C.3.13 R provides that where a firm appoints an individual to perform a function on a temporary basis (or such an appointment was reasonably unforeseen) and the appointment is for less than 12 weeks (in a consecutive 12-month period) the relevant senior management function does not apply; thus negating the need to obtain pre-appointment approval.

15.09  In addition to the defined SMFs, the SMR extends to individuals that have ‘overall responsibility’ for activities, functions or areas of the business. The FCA’s indicative list of a firm’s main business activities and function in Annex 1G to SYSC 4 is likely to be useful in ensuring that the firm has allocated overall responsibility for every activity of the firm. A firm does not have to assign overall responsibility for those areas where a Prescribed Responsibility exists and these are already assigned to senior managers.

15.10  As under the APR, applicants are subjected to fitness and propriety checks that relate to his/her qualifications, training, competence and personal characteristics (such as their honesty, integrity, reputation and financial soundness). The SMR, however, goes beyond the APR insofar as it requires firms to have in place appropriate procedures to assess the fitness and propriety of individuals before applying for approval (and thereafter, at least annually) and to collect evidence of the assessment as part of that process.¹⁵ This requirement also reflects the systems and controls necessary for the new ‘certification regime’ (see para 15.20). As a result, the FCA’s ‘Fit and Proper test for Approved Persons’ (FIT) manual, within its Handbook, was amended to reflect the new SM&CR’s scope¹⁶ and, from 7 March 2017, applied to not only those performing an SMF, but also, crucially, to all employees performing an FCA-specified significant-harm function pursuant (p. 274) to the certification regime (as well as the person proposing to certify an individual under that regime).

15.11  Following closely in hand with the SMFs is the new concept of Prescribed Responsibilities which requires the allocation of specific, and more granular, responsibilities to senior managers. The Prescribed Responsibilities are set out by the Regulators, and firms are required to assign all of them to various individuals, who will be personally accountable (alongside another individual where the responsibility is shared) for the discharge of that responsibility. Prescribed Responsibilities include, for instance, responsibility for the firm’s performance of its SM&CR obligations (including the Management Responsibilities Map (MRM) and financial crime risks; for the adoption of firm culture within day-to-day management; and for the allocation and maintenance of capital. The specific Prescribed Responsibilities applicable to a firm will depend on its size (and the activities it undertakes), with certain responsibilities being reserved for non-executive directors.¹⁷

15.12  As a matter of good corporate governance and risk management, and in order to demonstrate (to the regulator(s)) that no ‘accountability gap’ exists with regard to the allocation of key responsibilities within firms, firms are expected to produce an MRM¹⁸ and associated Statements of Responsibility (SoR).¹⁹ The MRM must describe a firm’s management and governance arrangements, providing details of the reporting lines and lines of responsibility, as well as those individuals who are part of the arrangements and their responsibilities. The MRM must also be consistent with the Statements of Responsibility issued with respect to each individual performing a SMF and show clearly how any responsibilities are shared or divided between different persons.²⁰ Firms’ MRMs must not only be comprehensive, but also up-to-date;²¹ requiring systems and processes that are ‘by design’ set up to capture events relevant to the efficacy of the MRM and prompt review and re-issue. The FCA, for example, has applied the SMR to its own governance and oversight arrangements and published its MRM (and SoRs), available at: https://www.fca.org.uk/publication/corporate/applying-smr-to-fca.pdf.

15.13  The SoRs are a key ingredient in the SMR framework, underpinning the accountability of individuals and linking that accountability with the firm’s governance and oversight arrangements, in a way that is more explicit and pervasive. The (p. 275) closest precedent for this within the financial services sector was the regulator’s use of ‘attestations’. An attestation, as the regulator explains it, is a ‘firm’s formal statement that it will take, or has taken, an action [it] requires [of the firm]’. Attestations are ‘used as a supervisory tool to ensure that regulated firms—and senior managers within them—are clearly accountable for taking the actions the regulator requires on specific issues and focuses on putting things right, often without the regulator’s ongoing regulatory involvements’.²² Attestations cover: agreements to notify the regulator (notwithstanding their Principle 11 obligations) where, generally, an emerging risk changes in nature, magnitude, or extent; undertakings to take specific action; self-certification that risks have been mitigated or resolved; and verification that a firm has resolved an issue or mitigated a risk (and that this has been verified (eg by internal audit)).

15.14  The SoRs under the SMR do not specifically replace the use, by regulators, of attestations—indeed the trend in the use of such ‘supervisory tools’ can be seen within global financial regulation as exemplified in the Basel Committee on Banking Supervision’s regulation 239: ‘Principles for effective risk data aggregation and risk reporting’.²³ Rather, the SoRs are statements issued by a firm detailing the responsibilities of an individual performing a SMF and which must be filed with the regulator at the time of applying for pre-approval and/or in the case of a material change.²⁴ The precise contents of the SoR will of course vary from appointment to appointment. However, the FCA provides general guidance at SUP10C.11.23 emphasizing the need for SoRs to show clearly how the responsibilities of the senior manager fit in with the firm’s overall governance and management responsibilities and are consistent with the firm’s MRM.

15.15  To complement the governance and regulatory framework around accountability—and in an effort to add greater clarity and predictability to the prospects of disciplinary actions against individuals—senior managers are subject to a ‘duty of responsibility’.²⁵ This is significant as the regulator will rely on a firm’s SoRs and MRM to identify the individual(s) responsible and take enforcement action on the basis of this duty (or for being knowingly concerned in a firm’s contravention of a regulatory requirement, or for breach of the Conduct Rules, see para 15.27). Under the duty of responsibility, the regulator (whether that be the PRA or FCA) ‘can take action against a senior manager if they are responsible for the management of any activities, and they do not take such steps as a person (p. 276) in their position could reasonably be expected to take to avoid the contravention occurring (or continuing)’.²⁶

15.16  A statutory duty was not, however, the mechanism originally intended. A central recommendation of the PCBS (and fully supported by the regulators) was, in fact, the imposition of a ‘presumption of responsibility’ that effectively reversed the burden of proof in enforcement actions against senior managers where a contravention occurred ‘on their watch’ (or, more aptly put, in an area for which they were responsible). In this situation, it would be for the senior manager to prove to the regulators that he/she took all reasonable steps to prevent the breach. Despite the evidential burden having been given a statutory footing in section 66A(6) of FSMA, this was later repealed and replaced by the ‘duty of responsibility’ in section 66A(5)(d) FSMA. And while the duty simply codifies the existing position in relation to regulatory enforcement actions, the regulators lamented the loss of the evidential advantage, with the FCA stating:

15.17  Whilst it is perhaps in somewhat diluted form, the duty of responsibility nevertheless focuses the legal (and conduct) risk on the individual. Guidance as to the effective mitigation of this risk by, essentially, taking ‘reasonable steps … ’²⁷ is arguably limited. The FCA have confirmed that, inter alia:

• •  it would not apply standards retrospectively;

• •  it would apply the regime in a manner consistent with the PRA’s approach;

• •  senior managers will not be bound by a finding of the Regulatory Decision Committee, a court or a tribunal to which they are not a ‘party or privy’. Leaving aside the definitional challenges to what ‘privy’ means in this context (merely being ‘aware’ of an investigation into the firm would surely be too broad an interpretation), this statement may be of limited comfort to senior managers in circumstances where the FCA is not required, for instance, to take enforcement action against a firm before it may be declared that the firm is in contravention of a regulatory requirement.

• (p. 277) •  it may be necessary to look beyond the SoRs and MRM in analysing how the firm operated and responsibilities were allocated in practice; and what actions the individual took (and the documentary evidence of this; be that minutes, emails, recordings etc.). This reinforces the need for the clear drafting of the SoRs—something inherently challenging given the often overlapping areas of responsibility, collective decision making and the ability to include only limited explanatory information within the SoRs. Such an approach also risks creating a defensive culture that may not be conducive to sound decision making and prudence.

• •  an outgoing senior manager will have to take reasonable steps to ensure an orderly handover (this despite the fact that a senior manager may not be leaving on amicable terms making the obligation therefore difficult to satisfy).

15.18  In a speech by Mark Steward, Director of Enforcement and Market Oversight at the FCA on 26 April 2016, the regulator expressed a view on what reasonable steps means, observing that:

It has been said that a person who takes reasonable steps is one who does not exhibit a negligent or reprehensible state of mind, who is conscientious, exhibiting, through diligence, a keen and watchful eye on his or her field of responsibility, observing, asking questions and so informed and informing, being vigilant, deciding, guiding and monitoring, oversighting, delegating when safe to do so to those who are well-placed, and only acting beyond expertise and experience with competent expert advice. Sounds good. This is not exhaustive and denotes a person not only in terms of qualities—skill and competence—but also in terms of how the person should behave and the behaviour is described with doing words, verbs (these verbs are really the tools of responsibility).

In other words, doing nothing, in circumstances where reasonable steps requires something to be done, will not suffice.

15.19  One would not take issue with this approach. Although its helpfulness, in practical terms, is clearly limited. There is no exhaustive list of factors that the FCA will consider as constituting reasonable steps—the phrase is generic; and relative. While the steps senior managers will be expected to take will be largely common sense—behaving with integrity, delegating appropriately, making sure he/she understands their business area, and complying with the common law, existing rules, and legal obligations²⁸ the challenge will be the demonstration of this.

15.20  The Act also amended FSMA to introduce a certification regime which effectively transferred responsibility for approving an individual’s appointment to a controlled function, from the regulator—as is the case under the outgoing Approved (p. 278) Persons Regime—to the firm; save that SMFs will remain subject to pre-approval by the regulator. The certification regime applies to ‘material risk-takers’,²⁹ that is staff who are subject to the dual-regulated firms Remuneration Code (SYSC19D) and other staff who pose a risk of significant harm to the firm or any of its customers. This, for example, will include staff who give investment or mortgage advice, those who administer benchmarks or are involved in client dealing, and notably, anyone who supervises or manages a certified person—unless that person holds an SMF.³⁰

15.21  At the time of writing, the certification regime was subject to a phased implementation, with banks (and certain other large PRA-regulated firms) having until 7 March 2017 to assess certified individuals. The regime will then apply to the remaining population of regulated firms (under the so-called ‘Accountability II’ phase) ‘from 2018’, subject to HM Treasury’s determination on application dates. Notably, the regime will be risk-based, adopting the guiding principles of clarity, simplicity, consistency and proportionality’ when applying to all firms.

15.22  Under the regime,³¹ a firm must take reasonable care to ensure that no employee of the firm performs a significant harm function, unless the employee has a valid certificate issued by the firm to perform that function.³² Under section 63F FSMA, a firm may issue a certificate to a person only if the firm is satisfied that the person is a fit and proper person (to perform the subject-function). In assessing fitness and propriety, a firm must have regard to, in particular, whether that person:

1. (1)  has obtained a qualification;

2. (2)  has undergone, or is undergoing, training;

3. (3)  possesses a level of competence; or

4. (4)  has the personal characteristics, required by general rules made by the FCA.³³

15.23  The FCA provides guidance to firms on the criteria that the regulator expects the firm to apply in assessing the fitness and propriety of an individual under the regime in its FIT sourcebook at section 1.3.

15.24  The assessment for certification purposes must be carried out not only when an individual starts the role, but also on, at least, an annual basis. The regime’s scope is subject to territorial limitations, that is the function for which certification is required must be performed by the person from an establishment of the firm in (p. 279) the UK or that person is dealing with (including merely having contact with) a client in the UK from an establishment of the firm overseas.³⁴ There are also exclusions with respect to ‘emergency appointments’ where a certified person’s absence is reasonably unforeseen and the cover appointment is for less than four weeks and the function does not require a specific qualification.

15.25  The application of the certification regime will prove to be a major administrative burden for many firms (with the regulatory requirement to have defined policies and process to effect and manage the certificate process³⁵). Moreover, the shift in regulatory risk will be palpable for all firms. While under the Approved Persons Regime, firms had to satisfy themselves as to the fitness and propriety of applicants, the approval process was nevertheless reserved to the regulator. Whereas, under the certification regime, this regulatory concern is delegated to firms; reflecting generally the tenor of the PCBS recommendations that regulation (and the regulators) ought to focus more on senior management.

15.26  In an effort to promote professionalism across the banking sector, the Banking Standards Board (BSB) carried out a consultation and published ‘good practice guidance’ for firms putting in place procedures to assess the fitness and propriety of staff under the certification regime. The BSB published both a ‘Statement of Good Practice—Fitness & Propriety Assessment Principles’, as well as ‘Supporting Guidance’³⁶ that contains i) definitions of the various elements to the fitness and propriety assessment process, ii) potential sources of information that could be taken into account, and iii) an example assessment record template.

15.27  For those individuals within firms subject to the SM&CR from 7 March 2016, the Statements of Principle and Code of Practice for Approved Persons (APER) has been replaced by a set of conduct rules (‘Conduct Rules’). The Conduct Rules applied to Senior Managers and certification staff from 7 March 2016, and everyone else within scope at a relevant firm (see reference to ‘Accountability I’ and the phased implementation of the SM&CR, noted above) since 7 March 2017.

15.28  In contrast to APER, the Conduct Rules apply to a much broader range of individuals within a firm. So while the direct regulatory resources (and pre-approval process) has narrowed to focus on senior management and responsibility for certification delegated to firms themselves, the regulatory scope has widened with respect to those who can be held to account for a breach of regulatory (p. 280) obligations. As the FCA emphasized, ‘[w]e think it is very important that staff at all levels of an organisation are subject to minimum standards of conduct and held accountable for their actions. The importance of conduct issues should be understood throughout an organisation, it should not stop below a certain level of seniority.’³⁷

15.29  The legislative basis for the Conduct Rules can be found in sections 64A and 64B of FSMA.³⁸ The final rules, published in July 2015,³⁹ followed a lengthy consultation phase, in which the regulators gave the following policy basis for the Conduct Rules:

15.30  The PRA applies the Conduct Rules to those individuals approved as senior managers and who fall within the PRA’s certification regime; with the rules set out in the ‘Conduct’ section of the PRA Rulebook. Whereas, the FCA’s Conduct Rules⁴¹ are wider in scope, applying to all employees of the firm, save those classified as ‘ancillary staff’.⁴²

15.31  The Conduct Rules are high-level and in many respects reflect the Statements of Principle in APER. The core five rules are:

• Rule 1: You must act with integrity.

• Rule 2: You must act with due skill, care and diligence.

• Rule 3: You must be open and with the FCA, the PRA and other regulators.

• (p. 281) Rule 4: You must pay due regard to the interests of customers and treat them fairly.

• Rule 5: You must observe proper standards of market conduct.

15.32  Rules 1 to 3 are applied by both regulators, with the final two applied by the FCA only. Following on from the core five (or ‘First Tier’), are a set of ‘Second Tier’ rules (applied by both regulators but only with respect to senior managers). These include requirements to take reasonable steps to ‘comply with the regulatory standards applicable to’ and to ‘control effectively’ the business of the firm for which the senior manager is responsible; to delegate appropriately and oversee the discharge of delegated responsibilities and to disclose information of which the regulators would reasonably expect notice.⁴³ The FCA has published guidance on the individual Conduct Rules within COCON 4.1 and on those applicable to senior managers within COCON 4.2.⁴⁴ Firms are expected to train⁴⁵ staff on the Conduct Rules, assess⁴⁶ their compliance, and report breaches.⁴⁷

15.33  The regulators have confirmed the applicability of the Conduct Rules to ‘notified NEDs’, that is, NEDs that are not subject to pre-approval under the SMR. Such NEDs are subject to the Conduct Rules set out in COCON 2.1 and to the senior manager’s conduct rule 4 relating to disclosure obligations to the regulators. The consequential amendments to the FCA Handbook and the PRA Rulebook took effect from 3 July 2017.⁴⁸

15.34  Inevitably, since its introduction, the scope and application of the SMFs within firms has been the focus of debate, further consultation and amendment. Clearly, the effect of the SM&CR is to instil a greater sense of accountability in individuals performing senior roles and to bridge the evidentiary gap that existed prior to the regime. Still, the regime undoubtedly gives rise to significant institutional legal risk, exemplified by this policy objective but also in its practical application; for instance, with responsibility placed on firms to assess the fitness and propriety of staff under the certification regime. Moreover, the regulator will now look to firms’ policies and procedures on certification; the construct and operation of their MRMs and associated SoRs, alongside their conduct risk management and culture frameworks more generally, when judging compliance. And there’s a risk (p. 282) that this may be assessed with some benefit of hindsight following a conduct rules breach or some other failing (whether or not it gives rise to a demonstrable loss to clients).

15.35  The scope of the SMFs has also been the subject of concern for the regulators. Indeed, in September 2016, the PRA issued a consultation paper proposing the introduction of a new SMF23, applying to ‘individuals with overall responsibility for managing, and ensuring the operational continuity and resilience of, the internal operations systems and technology of a firm.’⁴⁹ This was in response to regulatory initiatives that exposed the ‘relative lack of maturity in firms’ IT risk management capabilities’; identified cyber risk as a key risk to the financial system; and the importance of operational continuity in recovery and resolution scenarios.⁵⁰ There have also been concerns as to the scope of the SM6 function (head of key business area) given the difficulties in establishing the quantitative thresholds for determining whether a person falls within the scope. Perhaps most notably with regards to legal risk inherent in the SMR is the question of when does a breach/misconduct become a ‘cultural issue’. Why is this important? Because ‘leading the development of the firm’s culture by the governing body as a whole’ and ‘overseeing the adoption of the firm’s culture in the day-to-day management’ are both Prescribed Responsibilities.

15.36  There is also the debate concerning whether or not the SMR ought to extend to firms’ general counsel and/or the ‘legal function’. At the time of writing, the FCA has closed its consultation on this issue, having opined that the principle of the SM&CR that a senior manager must have ‘overall responsibility’ for each area of the firm’s business, would include the management of the legal function.⁵¹ This would require an individual to be appointed head of the function as an SMF18 (if they are not otherwise captured by the other SMFs). This is distinct from the application of the Conduct Rules to in-house lawyers, as employees of the firm, and the designation of the head of the legal function as a ‘material risk taker’ for the purposes of the Certification Regime.⁵² Issues in debate included:

(p. 283)

• •  The legal function, in providing independent advice to the business cannot be viewed as an ‘activity, business area of management function’ of the firm and is therefore outside the scope of SYSC 4.7.8R. This has been disputed by the FCA.

• •  The legal function provides advice and does not undertake a management role, the result being that the function cannot be designated as an SMF under section 59ZA FSMA. The FCA disagreed with this argument, relying on the fact that it is the management (not the provision of advice) that is within scope.

• •  The flexibility to allocate ‘overall responsibility’ for the legal function permits firms to designate its General Counsel as fulfilling an SMF, which may impact on the ability to provide independent and impartial advice. While accepted as a risk, the FCA argued that the legal function could present a risk to the firm where it is inappropriately managed, through inadequate training, weak processes or poor resource management; concerns distinct from the quality of specific legal advice—which is not regulated by the FCA.

• •  That the inclusion of the legal function within the SMR will prejudice legal privilege, which is an issue where a senior manager needs to rely on privileged material to demonstrate ‘reasonable steps’, and/or could lead to pressure to waive privilege in order to demonstrate that the advice given was pursuant to the legal function first having exercised ‘reasonable steps’ in providing the advice. This could lead to a conflict between the interests of an individual (in need of the privileged advice) and the interests of the firm (who may decide not to waive privilege). The FCA questioned the relative weight of privileged material in discharging the duty of responsibility. Furthermore, the FCA referred to section 413 FSMA’s effect on Rule 4 of the senior manager Conduct Rules that requires disclosure to the regulators, in relation to the protection of legal privilege.

15.37  Following on from this, and possibly the most marked legal risk issue in the SM&CR, is the ability of firms/individuals to evidence ‘reasonable steps’. How reasonable is ‘reasonable’?⁵³ While the preparation of MRMs has focused firms’ consideration of their corporate and organizational structures (in most cases to the benefit of operational—including legal—risk), its production has nevertheless proved a significant challenge; certainly for large institutions.⁵⁴ The apportionment of responsibilities among senior management and agreement on these responsibilities has the potential to give rise to conflict, extra-territorial issues and a significant amount of paperwork for firms.⁵⁵ Taken together with the (p. 284) requirements to undertake fitness and propriety reviews of senior managers (and certified staff) and the concern to ‘evidence reasonable steps’, there is inevitably a legal risk impact to the regime. Notably, there is an increased need for timely, accurate and actionable management information (not just for the purposes of the efficient operation of the business, but for the firm to evidence that its systems and controls are appropriate and effective for senior managers to utilize in discharging their duty of responsibility). The management of risk arising from, say, inadequate data capture, inefficient (or improper) information flows and out-of-date documentation will be of concern to firms; not to mention the individual whose ‘prescribed responsibility’ is the firms’ performance of its obligations under the senior management and/or employee certification regime or the production of the MRM.⁵⁶

15.38  Further, the issue of regulatory attestations may remain in spite of the virtues of the SM&CR. As Martin Wheatley (the then chief executive of the FCA) observed when giving evidence to the Treasury Select Committee on 10 September 2013, ‘[it] has been hard to nail an individual against responsibility because matrix organization structures and committee decision making means that individuals can always defuse responsibility.’ And, in spite of the SMR, regulators may still use attestations where, say, a particular problem has been identified but not addressed and where a prior attestation would make it easier to take enforcement action. Another, related aspect is that, although non-EEA branches are not required to submit an annual attestation of compliance with SYSC,⁵⁷ they are nevertheless expected to notify the regulator of any known or suspected regulatory breaches of SYSC-related requirements pursuant to applicable regulatory Principles.⁵⁸ This requirement to self-report (as well as that prevailing under the Conduct Rules), while undoubtedly a critical component of supervisory and enforcement policy, is not without its unintended consequences. The legal risk implications of such high-level principles are perhaps obvious—a jurisprudential (p. 285) analysis of FCA enforcement actions would readily identify a persistent reliance on breaches of principle, without necessarily citing a specific rule infraction that would arguably carry a higher evidential burden. It is, however, when one observes how this translates into the conduct risk sphere that issues of regulatory neurosis⁵⁹ creep in; potentially exacerbated by the SMR, and leading to a greater risk of conflict between the firm’s interests in any misconduct event/enforcement action and the interests of the individual(s) concerned.⁶⁰ And this could have unintended consequences on enforcement actions, which is perhaps an odd situation given the enforcement objectives of the SMR. As one of the author’s observed in an article on third party rights challenges in regulatory enforcement actions in an ‘SMR era’:

It is conceivable that FCA proceedings could be undermined, or their scope limited, in situations where the Authority seeks to anonymise individuals in order to manage s.393 rights/risks. A balance will need to be struck between the need to substantiate the allegations against the firm with reference to specific facts and circumstances, and the implications of either omitting references to key individuals altogether or the need to comply with s.393, on the prospects of a successful enforcement action.

However, this is (potentially) not so easily achieved in an SMR era. Significantly (and, on balance, most commendably), the SMR introduces a requirement that senior managers sign a Statement of Responsibility and submit this as part of an application to perform a senior management function (updating periodically as necessary). The statement must set out clearly the areas of the firm for which that senior manager has responsibility.

While it is true that the SMR—together with the Conduct Rules, new criminal offences for facilitation and recklessness management of a failed bank, as well as strengthened regulatory requirements surrounding whistleblowing—is aimed at raising standards of conduct, the ownership of risk and a more personal sense of responsibility for market conduct, these reforms also conspire to raise the prospect of successful enforcement action when things go wrong. And, consequently, they increase the likelihood that third-party rights are engaged in the inevitable action against the individual’s firm because those responsible are more readily identified on the evidential weight of the Responsibilities Map and, in particular, the Statement of Responsibility. However, it should be noted that there remains a question mark over whether, in practice, this is a material improvement on the regulator’s use of ‘attestations’; save perhaps that the FCA’s enforcement of the new duty of responsibility might have a noted effect on enforcement actions against individuals.

The shift from a predominance of institutional enforcement actions to the pursuit of individuals responsible is, as yet, undeterminable. Indeed, it is too early to tell (p. 286) whether third-party rights concerns over the efficacy of enforcement policy are borne out. There always has been (and will continue to be) the potential for conflicts of interest to arise between the firm and the individual (implicitly or otherwise) responsible during an enforcement action. And where (by virtue of the SMR, or simply the broadening of the test), third-party rights are increasingly engaged, the incidence of that conflict is likely to increase, with attendant consequences on the FCA enforcement practice/proceedings.

15.39  As with any new regulatory measure, there will be unintended consequences (albeit not always unwelcome ones). The SM&CR is no different. While, at the time of writing, the regime is in its infancy, there are early indications of its effects on legal and conduct risk, and the behaviour(s) of those to whom it applies. Whether as a result of a new SMF-designation and associated Prescribed Responsibilities (backed up by a statutory duty and Conduct Rules), or simply a culmination of the above, leading to a greater sense of accountability, individuals may feel that they must take action in response to matters within their sphere of responsibility, that they would not necessarily undertake. Examples might include management information appraisals, increased (documented) interactions with direct reports, issues and resolution reporting, risk management feedback, and human resource assessments. This may indeed, be to the benefit of the firm and its customers. Equally, however, this may give rise to unnecessary documentation, conflict and ultimately inefficiencies. Of course, we would expect to see boardroom challenges to senior management to be more robust and circumspect. However, there is a risk that challenges will be injudicious and serve only for the benefit of the minute book; as evidence that they have questioned management (as discharged their duty of responsibility). This reflects the more acute sense of personal accountability under the SM&CR; precisely its policy objective. But it should not be reduced to another matter for compliance. Firms’ governance, policies, and culture will need to play a significant role in promoting substance over form. Senior managers must be supported by the firm in the discharge of their duties.

15.40  A significant part of the SM&CR (at least, in risk management terms, having regard to its ‘impact’, if not its ‘probability’) is the introduction of a criminal offence of ‘reckless misconduct in the management of a bank’. As noted in Chapter 14, this is a criminal offence carrying a maximum penalty of seven years’ imprisonment. Its premise was a reflection of the general concern to increase the potential for criminal penalty in the search for greater deterrence and ensure senior managers act prudently.

15.41  The offence, created by section 36 of the Financial Services (Banking Reform) Act 2013 came into force on 7 March 2016. The offence has three components. (p. 287) The first is that a senior manager made a reckless management decision or failed to prevent a reckless decision from being taken which caused the financial institution to fail. Secondly, at the time the decision was taken, the senior manager was aware of the risk that it might cause the institution to fail. And, thirdly, that the senior manager’s conduct in relation to the decision was far below what could be reasonably expected of a person in his position.

15.42  In its response to the PCBS’s recommendation to introduce the offence, the regulator noted that ‘the offence should be limited to individuals covered by the new SMR, so that those concerned could have no doubts about their potential criminal liability. And, that the offence should be pursued in cases involving only the most serious of failings, such as where a bank failed with substantial costs to the taxpayer, lasting consequences for the financial system, or serious harm to customers’.⁶¹

15.43  In a briefing paper to the London School of Economics’ Law and Financial Markets Project, Professors Julia Black and David Kershaw⁶² observed that the choice of a ‘reckless’ offence, as opposed to a ‘strict liability’ offence or one founded on the principles of ‘negligence’ would mitigate the lack of any real deterrence effect likely with respect to the other two and would be less likely to deter people from taking up senior positions in financial institutions—due to the prospect of competence and reasonable risk-taking activity being judged in hindsight, after the event. Still, as Black and Kershaw noted, the virtues of the offence may only have a limited life span—leading perhaps in the short term since its inception to a positive signal to society concerning the behaviour expected of those managing financial institutions and even an ‘effect on directors’ or managers’ behaviour.

15.44  And, while the regulators accepted that prosecutions of the offence will be rare, the reason given in the consultation paper on the SM&CR was that this was because ‘changes made to the regulatory structure since the financial crisis are designed to make the failure of banks and building societies less likely than in the past’.⁶³ The professors, however, broadened the analysis and questioned whether the offence would be effective given the resource asymmetries between the regulators and regulated; the evidential difficulties (particularly where risk management systems are in place and the strategy adopted is a rational one for the bank and its shareholders (if not for society), and/or it’s due to collective decision making); the impact of plea bargaining; and the broader reputational concerns to the UK financial industry where criminal proceedings (p. 288) are undertaken. Rather, as Black and Kershaw remark, the most likely preference/optimal approach in circumstances where the offence might be relevant and where engendering good conduct and deterring bad is the underlying regulatory objective, is to utilize other means of holding individuals to account—such as through the SM&CR.

15.45  The criminal law has been used to prosecute the conduct of those operating in the financial services sector in a number of respects. An analysis of the full gamut of potential criminal liability is beyond the scope of this book; but offences such as fraud, insider dealing, bribery and, of course, money laundering are well established (and some, significantly tested). Indeed, the development of facilitator liability under the criminal law was given renewed importance following the events of the Crises. The new offence of reckless risk-taking in the form referred to above is a notable example. It also arguably gave rise to new corporate criminal offences such as section 7 of the Bribery Act 2010 and the most recent offence of failing to prevent the criminal facilitation of tax evasion.⁶⁴ The latter is couched in similar terms to the Bribery Act offence such that, with effect from September 2017, firms will face criminal liability for failing to put in place reasonable procedures to prevent staff from criminally facilitating tax evasion.

15.46  While tax evasion and its facilitation are already criminal offences, the introduction of corporate criminal liability based on a systems and controls failing reflects the difficulty experienced in attributing criminal liability to a corporation. As the Government observes in its draft guidance:⁶⁵

Previously, attributing criminal liability to a relevant body required prosecutors to show that the senior members of the relevant body were involved in and aware of the illegal activity, typically those at the Board of Directors level. This had a number of consequences:

• •  It can be difficult to hold a large multinational organisation to account. In large multinational organisations decision making is often decentralised and decisions are often taken at a level lower than that of the Board of Directors, with the effect that the relevant body can be shielded from criminal liability. This also created an un-level playing field in comparison to smaller businesses where the Board of Directors will be more actively involved in the day-to-day activities of a business

• •  The common law method of criminal attribution may have acted as an incentive for the most senior members of an organisation to turn a blind eye to the (p. 289) criminal acts of its representatives in order to shield the relevant body from criminal liability

• •  The common law may also have acted as a disincentive to internal reporting of suspected illegal tax activity to the most senior members, who would be required to act upon such reporting since otherwise the corporate entity might be criminally liable.

The cumulative effect was an environment that could do more to foster corporate monitoring and self-reporting of criminal activity related to facilitating tax evasion. This meant that bodies that refrained from implementing good corporate governance and strong reporting procedures were harder to prosecute, and in some cases lacked a strong incentive to invest in preventative procedures.⁶⁶

15.47  Interestingly, from a legal risk perspective, in order to be guilty of ‘failing to prevent’, a conviction with respect to the underlying criminal tax evasion and the criminal facilitation of the offence by a person associated⁶⁷ with the firm is not required. Where facilitation of evasion occurs and is associated with the firm, the firm is presumed to be guilty unless it can invoke the ‘reasonable procedures’ defence. There is no requirement to prove the involvement of the ‘directing mind’ of the firm (ie senior management). If found guilty, fines are unlimited and the firm will likely be required to disclose the matter to the regulators as being relevant to regulators’ assessment of suitability, both with respect to the firm’s continued satisfaction of the threshold conditions for authorization and the fitness and propriety of the individuals implicated (whether under the SMR or Certification Regime). Individuals will therefore be concerned about the legal risk presented by the new offence, exacerbated by the accountability of senior managers pursuant to responsibilities prescribed under the SMR. In this respect senior managers’ concern to demonstrate ‘reasonable steps’ (as discussed above) is analogous to the firm’s requirement to demonstrate that it had ‘reasonable procedures’.

15.48  There is no prescribed form of procedures: prosecutors will carry out a holistic investigation based not only on the presence of appropriate controls, but also their effectiveness in the circumstances. This of course does give rise to concern as to a certain degree of hindsight judgement. And while existing financial crime controls around bribery and money laundering will be of value, guidance from (p. 290) HM Revenue & Customs⁶⁸ makes it clear that a risk assessment specific to this facilitation offence is required. Indeed, the need for a risk assessment forms one of the six guidance principles espoused by the Government guidance, alongside proportionality of risk-based prevention procedures, top-level commitment, due diligence, communication (including training) and monitoring and review.

15.49  In any event, the regime is stated as being risk-based. That is, an assessment of ‘reasonable procedures’ will reflect the outcome of a risk assessment for that particular firm and that the controls put in place as a result will respond proportionately to this assessment. As the Government states, ‘[i]f a relevant body can demonstrate that it has put in place a system of reasonable prevention procedures that identifies and mitigates its tax evasion facilitation risks, then prosecution is unlikely as it will be able to raise a defence.’

15.50  Financial institutions’ governance arrangements, systems and controls also became the focus of reforms in an effort to engrain personal accountability within both the regulatory framework and financial market practice. As the PCBS observed:

The financial crisis, and multiple conduct failures, have exposed serious flaws in governance. Potemkin villages were created in firms, giving the appearance of effective control and oversight without the reality. Non-executive directors lacked the capacity or incentives to challenge the executives. Sometimes those executives with the greatest insight into risks being added to balance sheets were cut off from decision-makers at board level or lacked the necessary status to speak up. Poor governance and controls are illustrated by the rarity of whistle-blowing, either within or beyond the firm, even where, such as in the case of Libor manipulation, prolonged and blatant misconduct has been evident.⁶⁹

15.51  Following this insight and the recommendations of the PCBS, the PRA and FCA introduced new rules relating to whistleblowing in October 2015 (and which took effect in September 2016).⁷⁰ The rules⁷¹ aimed to encourage a (p. 291) culture where individuals feel able to raise concerns and challenge poor practice and behaviour. While the rules only apply to deposit-takers with over £250 million in assets, to insurers subject to Solvency II and to the UK branches of foreign banks (subject to thresholds), they take the form of non-binding guidance for all other firms.

15.52  The rules require a firm to:

• •  appoint a Senior Manager as their whistleblowers’ champion. It is anticipated by the FCA that a non-executive director would fulfil this responsibility within the scope of the Group Entity SMF;

• •  put in place internal whistleblowing arrangements able to handle all types of disclosure from all types of person;

• •  put text in settlement agreements explaining that workers have a legal right to blow the whistle;

• •  tell UK-based employees about the FCA and PRA whistleblowing services;

• •  present a report on whistleblowing to the board at least annually;

• •  inform the FCA if it loses an employment tribunal with a whistleblower;

• •  require its appointed representatives and tied agents to tell their UK-based employees about the FCA whistleblowing service;

• •  In light of this, rules on strengthening whistleblowing systems and controls in firms (and to promote a culture where individuals can speak up) came into effect in September 2016;

• •  The regulatory rules around whistleblowing require banks and insurers to introduce internal whistleblowing procedures.

15.53  The whistleblowing rules are the final part of the package of measures, covered by this chapter that reflect the shift in focus by policymakers and regulators to clear the road to individual accountability and ethically-centric standards of conduct in financial markets. The reform efforts epitomize post-Crises concerns that legal obligations, complemented by soft law initiatives and robust regulatory scrutiny, in the right places, can (and must) engender a greater incentive to do the ‘right’ thing and not merely what is ‘legal’ or ‘compliant’. The SM&CR, the new criminal offences and whistleblowing rules will no doubt collectively change the dynamic in terms of decision-making, whether that be at board level, within committees, or in the context of legal and conduct risk management and compliance and at front-office.

15.54  While the increase in legal responsibility for individuals must be applauded and the indirect incentives to improve conduct as a result of the many and varied Conduct Costs⁷² suffered by institutions—as the resultant actions/engagement by bank stakeholders—will also drive good (and accountable) behaviour, there (p. 292) are examples of post-Crises legal developments that have, in fact, reduced legal risk to the institution; and in a way that might arguably be viewed as inconsistent with the general direction and policy of conduct risk management in the industry. We are referring here to legal and redress-related developments in mis-selling cases. These are the subject of the next chapter.