Approved Persons, Senior Manager and Certification Regimes: financial services

Updating authors: Paul Ellison
Consultant editor: Nick Thorpe and David Palmer

NOTE: The Senior Managers Regime (SMR) and Certification Regime (CR) apply to all UK-incorporated banks, building societies, credit unions and PRA-regulated investment banks (s.71A Financial Services and Markets Act 2000) and replace the Approved Persons Regime for individuals working within those firms. The SMR and CR were extended to insurers on 10 December 2018, and will be extended to all FCA-authorised firms, which includes asset managers, brokers and consumer credit firms, from 9 December 2019. The SMR and CR will be extended to benchmark administrators at a later date, which will be announced in due course.

Summary

  • In firms where the Approved Persons Regime still applies, individuals performing controlled functions must be approved in advance by the Financial Conduct Authority (FCA) as approved persons (s.59 of the Financial Services and Markets Act 2000). (See Approved Persons Regime)
  • A list of controlled functions is included in the FCA Supervision sourcebook. (See What are controlled functions?)
  • Approved persons must be assessed as fit and proper. (See Requirement to be a fit and proper person)
  • The standards of behaviour that the FCA expects of approved persons are set out in the Statements of Principle and Code of Practice for Approved Persons. (See Statements of Principle and Code of Practice for Approved Persons)
  • Failure to comply with the Code of Practice for Approved Persons may result in enforcement action by the FCA. (See Enforcement)
  • The Senior Managers Regime (SMR), which currently applies to all UK-incorporated banks, building societies, credit unions, investment banks and insurers, requires senior managers of relevant firms who carry out senior management functions to be pre-approved by the PRA or FCA. (See Senior Managers Regime)
  • The SMR and Certification Regime (CR) were extended to insurers and reinsurers on 10 December 2018. The extended regimes replace the Senior Insurance Managers Regime and the revised Approved Persons Regime for insurers. (See Insurers - Senior Insurance Managers Regime)
  • Prescribed responsibilities set by the PRA and FCA must be allocated between senior managers. (See Prescribed responsibilities)
  • Each senior manager must have a statement of responsibilities that sets out what he or she is responsible for and what prescribed responsibilities he or she undertakes. (See Statement of responsibilities)
  • Depending on the type of firm under the regimes, firms must also keep up-to-date management responsibilities maps that record which senior manager is responsible for which prescribed responsibility and ensure that there is no gap in the allocation of responsibilities. (See Management responsibilities map)
  • Firms must certify persons performing types of functions as fit and proper to perform the function/role under the CR. (See Certification Regime)
  • Conduct rules apply to senior managers, certified staff and other staff. (See Conduct rules)

Future developments

New directory

On 4 July 2018, the FCA published a consultation paper on its proposal to introduce a new directory, which will sit alongside the financial services register (FCA CP18/19: Introducing the Directory). The directory will contain the details of a wide range of individuals working in financial services, including those not approved by the FCA (such as financial advisers, traders, portfolio managers and additional directors). The FCA's intention is that the information contained in the directory will be accessible and user friendly for firms and found in a single public location.

The FCA summarised the feedback it received during the consultation in its policy statement on the directory, which it published on 8 March 2018 (FCA PS19/07: Finalising the Directory). The policy statement also contained the final rules on establishing the directory. The FCA said that, while 99% of the respondents to the consultation were in favour of establishing a directory, many suggested ways in which the FCA could improve its proposals. The FCA made changes to its proposals in response to this feedback, which it set out in table two of the policy paper.

On 26 July 2019, the FCA published a policy statement which, among other matters, incorporated the final rules on the application of the directory set out in FCA PS19/7 (FCA PS19/20: Optimising the Senior Managers & Certification Regime - Feedback to CP19/4 and Final Rules). Banks and insurers must upload information to the directory by 9 March 2020, and by 9 December 2020 for all other FCA-authorised firms. The FCA says that banking firms and insurers will be able to start submitting data on directory persons using either its online system, Connect, or the multi-entry facility, from around September 2019. All other FCA-authorised firms are able to submit data from 9 December 2019.

Extension of SMR and CR to all FCA-authorised firms

The Bank of England and Financial Services Act 2016 extends the Senior Managers Regime (SMR) and Certification Regime (CR) to all firms that are authorised under the Financial Services and Markets Act 2000. This will include financial advisers, asset managers, brokers and consumer credit firms and will see the SMR and CR replace the Approved Persons Regime. The provisions extending the scope of the SMR and CR will come into force on 9 December 2019.

On 26 July 2017, the FCA published a consultation paper setting out its proposals to extend the SMR and CR to all FCA-authorised firms (FCA CP17/25: Individual Accountability: Extending the Senior Managers & Certification Regime to all FCA firms). The FCA proposed a three-tier system for the application of the SMR and CR:

  • "Core" regime - to apply a standard set of requirements to all firms regulated by the FCA only. A new set of conduct rules will apply to employees within these firms, even those who fall outside the SMR and CR.
  • "Limited scope" regime - to apply a reduced set of requirements for a group of firms that the FCA defines as limited scope. These firms will not need to apply the prescribed responsibilities to senior managers. Limited scope covers all firms that currently have a limited application of the Approved Persons Regime, including:
    • limited permission consumer credit firms;
    • sole traders;
    • authorised professional firms whose only regulated activities are in non-mainstream regulated activities;
    • oil market participants;
    • service companies;
    • energy market participants;
    • subsidiaries of local authorities or registered social landlords;
    • insurance intermediaries whose principal business is not insurance intermediation and who only have permission to carry on insurance mediation activity in relation to non-investment insurance contracts; and
    • internally managed alternative investment funds.
  • "Enhanced" regime - to have additional requirements for a small number (less than 1%) of FCA-regulated firms whose size, complexity and potential impact on consumers warrant more attention. These firms will need to apply all of the requirements under the core regime, as well as additional senior management functions and additional prescribed responsibilities. Enhanced firms include, but are not limited to:
    • firms with assets under management of £50 billion or more;
    • firms with total intermediary regulated business revenue of £35 million or more per annum;
    • firms with annual regulated revenue generated by consumer credit lending of £100 million or more per annum; or
    • mortgage lenders (that are not banks) with 10,000 or more regulated mortgages outstanding.

For incoming branches of non-UK firms, the FCA proposed a tailored version of the SMR, which differs depending on whether the firm is European Economic Area (EEA) or non-EEA. The CR and new conduct rules will apply equally to employees of branches of both EEA and non-EEA firms as well as UK firms. The consultation closed on 3 November 2017.

On 13 December 2017, the FCA published further consultation papers on the extension of the SMR and CR (FCA CP17/40: Individual accountability: Transitioning FCA firms and individuals to the Senior Managers & Certification Regime and FCA CP17/42: The Duty of Responsibility for insurers and FCA solo-regulated firms).

FCA CP17/40 deals with the extension of the SMR and CR to all FCA-authorised firms, except banks (which are already subject to the regimes) and insurers (the FCA consulted separately on this; see Extension of SIMR to all insurance firms). The FCA proposed the following:

  • Approved persons at core or limited-scope firms who are currently approved to perform a controlled function (CF) for which there is an equivalent SMF will automatically convert via a function-mapping table. These firms will not need to submit any documentation to the FCA, except in the case of a non-executive chair (currently approved under the non-executive director (NED) function, CF2), where the firm must submit a conversion notification (Form K) to convert the NED to the SMF 9 chair function. If a Form K is not submitted for the non-executive chair, the individual's approval will lapse at the start of the new regime.
  • Enhanced firms will be required to submit a conversion notification (Form K) together with a statement of responsibilities and a management responsibilities map for all proposed conversions (see Statement of responsibilities and Management responsibilities map).
  • The conduct rules will apply to certified staff on the implementation date, but firms will have one year from the start of the regime to complete their fitness and propriety assessments of certified staff and prepare the necessary certification paperwork.
  • Core, limited-scope and enhanced firms will have 12 months from the implementation date to get ready to apply the conduct rules to members of staff who are subject to the rules in the FCA's code of conduct for staff (COCON), but who do not hold an SMF or certification function.

In FCA CP17/42, the FCA set out how it proposed to apply the duty of responsibility to insurers and FCA solo-regulated firms. The FCA proposed to take action against a senior manager where:

  • there was a contravention of a relevant requirement by the senior manager's firm;
  • at the time of the contravention or during any part of it, the senior manager was responsible for the management of any of the firm's activities in relation to which the contravention occurred; and
  • the senior manager did not take such steps as a person in his or her position could reasonably have been expected to take to avoid the contravention occurring or continuing.

The FCA also proposed to extend its current guidance on the duty of responsibility (currently this guidance applies only to banks and PRA-designated investment firms), contained in its Decision procedure and penalties manual in the FCA Handbook, to all firms that will be subject to the SMR and CR by amending the definitions in the glossary of the FCA Handbook.

The consultations closed on 21 February 2018.

On 1 July 2018, the FCA published a guide for FCA solo-regulated firms on how the SMR and CR works, what firms need to do under the new regime, and how the FCA will move firms and individuals from the existing Approved Persons Regime to the new SMR and CR (FCA: The Senior Managers and Certification Regime: Guide for FCA solo-regulated firms).

On 4 July 2018, the FCA published its near-final rules on the extension of the SMR and CR to all FCA-authorised firms (FCA PS18/4: Extending the Senior Managers and Certification Regime to FCA firms - Feedback to CP17/25 and CP17/40, and near-final rules). The near-final rules broadly reflect the proposals put forward in the consultation papers, subject to a few technical changes. Most notably, the prescribed responsibility requiring a senior manager of a Core firm to inform the governing body of its legal and regulatory obligations has been removed.

On 26 July 2019, the FCA published its final rules on the extension of the SMR and CR to all FCA-authorised firms (FCA PS19/20: Optimising the Senior Managers & Certification Regime - Feedback to CP19/4 and Final Rules). In general, the FCA has implemented the proposals it set out in its consultation paper (FCA CP17/25). The main changes to the FCA's existing rules include:

  • confirmation that the head of legal function is not required in the SMR;
  • amendment of the intermediary revenue criterion for the enhanced regime;
  • clarification of the requirements and scope of the CR (in particular, the scope of the client dealing function and the application of the systems and controls roles); and
  • the extension of senior manager conduct rule 4 to non-approved executive directors at limited scope firms.

FCA-authorised firms (except benchmark administrators) must ensure that they have all necessary arrangements in place to comply with the SMR and CR on 9 December 2019. For benchmark administrators, the FCA has agreed a later implementation date with HM Treasury because it needs to consult separately on sector-specific considerations. HM Treasury will announce the revised implementation date for benchmark administrators in due course.

Background

The Parliamentary Commission on Banking Standards was established to consider the culture and professional standards of the UK's banking sector following the 2008 financial crisis and the series of scandals that followed. The Commission reported in June 2013 that the Approved Persons Regime was a complex, confused mess leading to an unclear allocation of individual responsibility. It concluded that a new framework for approving and holding individuals to account was needed within the UK's banking sector as a means to restore trust and to improve culture.

On 30 July 2014, the FCA and PRA published a joint consultation paper (FCA CP14/13 and PRA CP14/14: Strengthening accountability in banking: a new regulatory framework for individuals) setting out proposals to create a new regulatory framework to encourage individuals to take greater responsibility for their actions and to make it easier for both firms and individuals to be held to account. The FCA and PRA proposed to replace the Approved Persons Regime for individuals working in the banking sector with:

  • a stronger regime for the regulation of senior managers - known as the Senior Managers Regime (SMR);
  • a Certification Regime (CR) for more junior employees who could pose a significant risk to the firm or its customers, under which the firm would be responsible for certifying that the employee is a fit and proper person to carry out his or her job; and
  • a set of conduct rules applicable to employees within the scope of the SMR and CR to replace the Statements of Principle and Code of Practice for Approved Persons (APER).

In December 2014, the FCA and PRA issued a joint consultation paper (FCA CP14/31 and PRA CP28/14: Strengthening accountability in banking: forms, consequential and transitional aspects), to be read in conjunction with their July consultation paper, setting out:

  • the transitional arrangements;
  • the new forms to support the SMR and CR; and
  • consequential changes required to existing rules and guidance.

On 16 March 2015, the FCA set out how it will implement the new SMR and provided further information on its plans for a CR and new conduct rules (FCA CP15/9: Feedback on FCA CP14/13 / PRA CP14/14 and consultation on additional guidance). On 23 March 2015, the PRA provided details of how it will implement the new SMR and CR (PRA PS3/15: Strengthening individual accountability in banking and insurance - responses to CP14/14 and CP26/14).

The PRA and FCA published their final rules on the SMR and CR in July 2015 (PRA PS16/15: Strengthening individual accountability in banking: responses to CP14/14, CP28/14 and CP7/15 and FCA CP15/22: Strengthening accountability in banking: Final rules (including feedback on CP14/31 and CP15/5) and consultation on extending the Certification Regime to wholesale market activities). A series of further consultation papers and policy statements followed, leading to the introduction of the new regime on 7 March 2016.

On 7 June 2016, the Bank of England and Financial Services Act 2016 (Commencement No.3) Regulations 2016 (SI 2016/627) were published. The Regulations brought into force ss.22 to 25 of the Bank of England and Financial Services Act 2016 on 6 July 2016. These provisions make amendments to the Financial Services and Markets Act 2000 relating to the SMR and CR.

On 26 July 2017, the FCA set out how it intends to extend the SMR and CR to all FCA-regulated firms (FCA CP17/25: Individual Accountability: Extending the Senior Managers & Certification Regime to all FCA firms). On the same day, the FCA and PRA published consultation papers containing their proposals for the extension of the SMR and CR to insurance firms not previously covered by the Senior Insurance Managers Regime (FCA CP17/26: Individual Accountability: Extending the Senior Managers & Certification Regime to insurers and PRA CP14/17: Strengthening individual accountability in insurance: extension of Senior Managers & Certification Regime to insurers) (see Future developments).

On 3 November 2017, the FCA set out its proposals for establishing a general approach to supervising and enforcing the SMR and CR rules for the unregulated activities of authorised firms (FCA CP17/37: Consultation paper on industry codes of conduct and Discussion Paper on FCA principle 5).

On 13 December 2017, the FCA published three consultation papers on the extension of the SMR and CR to most financial services firms (FCA CP17/40: Individual accountability: Transitioning FCA firms and individuals to the Senior Managers & Certification Regime; FCA CP17/41: Individual accountability: Transitioning insurers and individuals to the Senior Managers & Certification Regime; and FCA CP17/42: The Duty of Responsibility for insurers and FCA solo-regulated firms) (see Future developments).

From 3 January 2018, the FCA and PRA have the power to remove a person from a management board of an investment firm, credit institution or a recognised investment exchange, regardless of whether or not he or she is an approved person or senior manager (reg.38 of the Financial Services and Markets Act 2000 (Markets in Financial Instruments) Regulations 2017 (SI 2017/701)).

On 16 March 2018, the chief executive of the FCA, Andrew Bailey, gave a speech in which he emphasised the FCA's commitment to improving culture within the financial services industry. He said that the purpose of the SMR and CR is to "embed responsibility and accountability" and "senior managers should know what they are responsible for, as should key board members and the map of responsibilities should go right across the firm".

On 4 July 2018, the FCA published its near-final rules on the extension of the SMR and CR to all FCA-authorised firms (FCA PS18/4: Extending the Senior Managers and Certification Regime to FCA firms - Feedback to CP17/25 and CP17/40, and near-final rules). The SMR and CR will apply to these firms from 9 December 2019.

Approved Persons Regime

The Approved Persons Regime continues to apply to all FCA-authorised firms not covered by the new Senior Managers Regime (SMR) and Certification Regime (CR). (The SMR and CR apply to all UK-incorporated banks, building societies, credit unions and investment banks (s.71A Financial Services and Markets Act 2000 (FSMA 2000)) and replace the Approved Persons Regime for individuals working within those firms.) Therefore, the Approved Persons Regime currently applies to asset managers, brokers and consumer credit firms.

Section 59 of the FSMA 2000 requires that FCA-authorised firms should seek to ensure that no individual performs a controlled function unless he or she has been approved by the FCA. The system under which FCA approval for an individual to perform a controlled function is obtained is known as the "Approved Persons Regime" and an individual whom the FCA authorises to perform a controlled function is known as an "approved person". Individuals can be approved to perform more than one controlled function.

Failure by a firm to ensure that no individual performs a controlled function unless he or she has been approved by the FCA may result in the FCA imposing a financial penalty on the individual and taking disciplinary action against the firm.

There is no maximum number of approved persons who can work within a particular firm. The number will depend on the size and organisation of the firm and the regulated activities for which it has Part 4A FSMA 2000 permissions.

What are controlled functions?

The FCA has identified a number of functions that are either:

  • "significant influence functions", where the individual exercises a significant influence on the firm's regulated business; or
  • "customer functions", where the individual deals with clients or customers or the property of clients or customers of a firm.

The FCA has classified these functions as controlled functions. Any individual wishing to perform a controlled function will need to obtain FCA-approved person status before doing so.

The controlled functions are listed in the Supervision sourcebook (SUP) in the FCA Handbook. FCA SUP 10A.4.4R sets out the FCA-controlled functions. They are also set out in the table below.

Significant influence functions

Significant influence functions are functions that are likely to enable the persons responsible for their performance to exercise a significant influence on the conduct of the authorised firm's affairs, so far as relating to the authorised firm's regulated activities (FCA SUP 10A.5.3R). Within SUP, the significant influence functions are further divided into four categories (FCA SUP 10A.5.1G and SUP 10A.6-9). The four categories are:

  • governing functions such as directors, non-executive directors, chief executives, partners, directors of unincorporated associations and small friendly societies (CF1 to 6);
  • required functions such as apportionment and oversight, compliance oversight, CASS oversight and money laundering reporting (CF8, CF10, CF10a and CF11);
  • systems and controls functions such as finance, risk assessment and internal systems and controls, procedures and policies (CF28); and
  • significant management functions in a designated investment business, other business operations, insurance underwriting, financial resources or settlements (CF29).

It is important to note that the FCA requires the individual appointed to the compliance oversight function (CF10) to be someone of appropriate seniority and sufficient experience, for example a senior manager or director (SYSC 3.2.8R).

Further, the FCA expects firms to assess whether or not their proprietary traders fall within CF29 (FCA SUP 10A.9.3G). This is because, in the FCA's opinion, all proprietary traders have the potential to be able to exercise significant influence on their firms.

Customer functions

The customer functions (CF30) cover a range of individuals, such as investment advisers, corporate finance advisers and investment managers who give advice on investments, deal, arrange or manage investments for clients or customers of the firm (FCA SUP 10A.10.7R).

A table showing the controlled functions for FCA-authorised firms is set out below:

Controlled functions for FCA-authorised firms (SUP 10A.4.4R)

| Type | CF number | Description of FCA-controlled function |
|---|---|---|
| FCA-governing functions | 1 | Director function |
| | 2 | Non-executive director function |
| | 3 | Chief executive function |
| | 4 | Partner function |
| | 5 | Director of unincorporated association function |
| | 6 | Small friendly society function |
| FCA-required functions | 8 | Apportionment and oversight function |
| | 10 | Compliance oversight function |
| | 10a | CASS operational oversight function (Client assets sourcebook) |
| | 11 | Money laundering reporting function |
| Systems and controls function | 28 | Systems and controls function |
| Significant management function | 29 | Significant management function |
| Customer-dealing function | 30 | Customer function |

Requirement to be a fit and proper person

A candidate for approved person status must be a fit and proper person to perform the controlled function to which the application relates (s.61(1)(a) Financial Services and Markets Act 2000 and FCA FIT 1.2.1G). When assessing the fitness and propriety of a person to perform a particular controlled function, the FCA will have regard to a number of factors, in particular the person's:

  • honesty, integrity and reputation;
  • competence and capability; and
  • financial soundness (FCA FIT 1.3.1BG).

Senior management within firms is expected to make due and diligent enquiries about the candidates and assess, on a balance-of-risk basis, which checks it will undertake on its staff. Checks include credit references, relevant qualifications, references from previous employers, civil court judgments and criminal record checks (see Recruitment: financial services > Recruitment of approved persons and persons to perform functions under the Senior Managers and Certification Regimes: procedural considerations).

Although the FCA standard vetting process of approved persons does not currently include criminal record checks, it does carry out such checks on a sample basis. Under the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, the FCA is allowed to take into account all previous spent and unspent convictions. The firm making the application is responsible for gathering sufficient information to convince the FCA that the candidate is a fit and proper person. Therefore, when making the application, the firm should perform due diligence on the candidate and be prepared to share this with the FCA if requested.

Interviews

The FCA will interview, at its discretion, candidates applying to perform significant influence functions and review the competence of persons performing significant influence functions.

Applications for individuals to perform significant influence functions require information to be provided in the answer to question 6 of both the long and short Form A (see Application forms for approved person status and approval to perform a senior management function) about:

  • why the individual is competent and capable to perform the role applied for;
  • why the appointment complements the firm's business strategy, activity and the markets in which it operates;
  • how the appointment was agreed;
  • the directorships held by the individual in the past 10 years; and
  • any other additional information that is relevant to other sections of the form.

Applications for approved person status should be submitted in good time and contain the supporting documentation that the firm has obtained for the application.

The FCA may also require applicants for other significant influence functions to attend an interview at which their competency will be assessed. The level of competence an individual will be expected to demonstrate will depend on the role to be performed and the size and type of firm. The Financial Services Authority (predecessor to the FCA) Dear CEO letter: Approving and supervising significant influence functions provides guidance on the interview process for candidates applying to perform significant influence functions.

The FCA requires firms to ensure that individuals have the skills, knowledge and expertise to perform the role allocated to them. This is known as the "competent employees rule". The minimum expectations of the FCA in relation to the training to be given to individuals, and the level of competence expected, are set out in the Training and Competence sourcebook (see Training and competence > Financial services > The Training and Competence Sourcebook). Senior managers are expected to be able to demonstrate an understanding of the inherent risks in the business and markets and to articulate the plans that are in place to mitigate the risk of failure.

Notification of changes to an approved person's status

Firms are obliged to notify the FCA as soon as practicable if they become aware of any information that would reasonably be material to the continuing assessment of an approved person's fitness and propriety and his or her competence to carry out an activity.

To ensure continued fitness and propriety, it is good practice for a firm to require approved persons to complete the declarations in Form A (see Application forms for approved person status and approval to perform a senior management function) every year, based on their current positions, rather than their positions at the time of recruitment.

If a firm becomes aware of information that would reasonably be material to the assessment of a person as an approved person or regarding his or her fitness and propriety, it must inform the FCA by submitting a Form D (via the FCA's online system for submitting applications, Connect) as soon as practicable (FCA SUP 10A.14.17R). A firm may commit an offence under s.398 of the Financial Services and Markets Act 2000 if it fails to disclose material facts about a person's fitness and propriety. Therefore, if in doubt, a firm should make a disclosure.

Statements of Principle and Code of Practice for Approved Persons (APER)

The standards of behaviour the FCA expects of its approved persons are set out in the Statements of Principle (APER 2) and Code of Practice for Approved Persons (APER 3 and 4).

The FCA statements of principle apply to FCA-approved persons of firms that are not relevant authorised persons, Solvency II firms or small non-Directive insurers. The statements also apply to persons approved to perform a controlled function in SUP 10A.1.15R to SUP 10A.1.16BR (appointed representatives) (APER 1.1A.1R).

FCA statements of principle 1 to 4 apply to all approved persons. FCA statements of principle 5 to 7 apply only to those approved persons who are approved to perform an "accountable higher management function" (FCA APER 3.1.7AG). An accountable higher management function is any function that is an FCA significant influence function or a PRA controlled function. In applying statements of principle 5 to 7, the FCA will look at the nature, scale and complexity of the business under management and the role and responsibility of the individual performing the accountable higher management function in assessing whether or not an approved person's conduct was reasonable (FCA APER 3.1.8AG).

In determining whether or not an approved person's conduct complies with the statements of principle, the FCA takes into account whether or not the person's conduct relates to activities that are subject to other provisions of the FCA handbook, and that it is consistent with the requirements and standards of the regulatory system that are relevant to the approved person's firm (FCA APER 3.2.1G).

In addition, when determining whether or not the conduct of an approved person complies with statements of principle 5 to 7, the FCA will consider:

  • whether or not the approved person exercised reasonable care when considering the information available to him or her;
  • whether or not the approved person reached a reasonable conclusion that he or she then acted on;
  • the nature, scale and complexity of the business;
  • his or her role and responsibility as an approved person; and
  • the knowledge the person had, or should have had, of regulatory concerns arising in the business under his or her control.

(FCA APER 3.3.1G).

The code of practice helps firms determine whether or not an approved person's conduct complies with the statements of principle. An approved person will be in breach of a statement of principle only where he or she is personally culpable, ie where his or her conduct was deliberate or unreasonable in all the circumstances (FCA APER 3.1.4(1)G).

The statements of principle (1 to 7) are listed below.

Statement of principle 1

An approved person must act with integrity in carrying out his or her accountable functions. Examples of failures to comply include:

  • deliberately misleading (or attempting to mislead) customers, clients, the firm (or its auditors) or the FCA;
  • providing false or inaccurate documentation (including details of qualifications and past experience);
  • deliberately misusing the assets or confidential information of a client or the firm; and
  • deliberately failing to disclose conflicts of interest in connection with a client.

(FCA APER 4.1).

Statement of principle 2

An approved person must act with due skill, care and diligence in carrying out his or her accountable functions. Examples of failures to comply include:

  • failing to inform customers of material information;
  • recommending an investment to a customer where there are no reasonable grounds for believing it is suitable;
  • failing to disclose, without good reason, a conflict of interest; and
  • continuing to perform controlled functions despite failing to meet training and competence standards.

(FCA APER 4.2).

Statement of principle 3

An FCA-approved person must observe proper standards of market conduct in carrying out his or her accountable functions.

A factor to be taken into account in determining whether or not an approved person has acted in accordance with statement of principle 3 is whether or not that approved person, or his or her firm, has complied with the Market Abuse Regulation (2014/596/EU) or any market codes and exchange rules (APER 4.3.3G).

Statement of principle 4

An approved person must deal with the FCA, the PRA and other regulators in an open and cooperative way, and must disclose appropriately any information of which the FCA would reasonably expect notice. Examples of failures to comply include:

  • failing to report promptly, either internally or to the FCA, matters that it would be reasonable to assume would be of material significance to the FCA; and
  • failing without good reason to supply the regulator with documents or information when requested, and within the appropriate time limits.

(FCA APER 4.4).

Firms should therefore have a procedure in place to deal with the disclosure of such information. The process should include the recording of an incident in a breaches log even if the firm does not deem disclosure to the FCA to be necessary.

Statement of principle 5

An approved person performing an accountable higher management function must take reasonable steps to ensure that the business of the firm for which he or she is responsible in his or her accountable function is organised so that it can be controlled effectively. Examples of failures to comply include:

  • failing to take reasonable steps to apportion responsibilities clearly, for example, through confusing or uncertain reporting lines, authorisation levels, job descriptions or responsibilities;
  • failing to review the competence, knowledge, skills and performance of staff to assess their suitability to fulfil their duties, despite evidence that their performance is unacceptable; and
  • allowing managerial vacancies that put compliance at risk to continue without arranging suitable cover.

(FCA APER 4.5).

Statement of principle 6

An approved person performing an accountable higher management function must exercise due skill, care and diligence in managing the business of the firm for which he or she is responsible in his or her controlled function. Examples of failures to comply include:

  • permitting transactions without a sufficient understanding of the risks involved;
  • inadequately monitoring unusual or highly profitable transactions; and
  • delegating authority for dealing with an issue without reasonable grounds for believing that the delegate has the necessary capacity, competence, knowledge, seniority, skills or time to deal with it.

(FCA APER 4.6).

Statement of principle 7

An approved person performing an accountable higher management function must take reasonable steps to ensure that the business of the firm for which he or she is responsible in his or her accountable function complies with the relevant requirements and standards of the regulatory system. Examples of failures to comply include:

  • failing to take reasonable steps to implement adequate and appropriate systems of control;
  • failing to take reasonable steps to monitor compliance; and
  • failing to take reasonable steps to keep informed about the reasons why significant breaches may have arisen, including failing to investigate which systems or procedures failed.

(FCA APER 4.7).

It is important for firms to ensure that all approved persons are aware of the Statements of Principle and Code of Practice and that this awareness is continuous and not simply at the point of approval. Firms should therefore consider an annual reminder and/or training for all approved persons on the standards of behaviour expected.

Approved persons in overseas firms

An overseas firm that carries out regulated activities from an establishment in the UK but does not have its registered office in the UK must obtain FCA approval for individuals carrying out certain controlled functions (Supervision sourcebook at FCA SUP 10A.1.6R). The relevant functions are:

  • the director function, where the person performing that function:
    • has responsibility for the regulated activities of a UK branch, which is likely to enable him or her to exercise significant influence over that branch; or
    • is someone whose decisions or actions are regularly taken into account by the governing body of that branch;
  • the non-executive director function, where the person performing that function:
    • has responsibility for the regulated activities of a UK branch, which is likely to enable him or her to exercise significant influence over that branch; or
    • is someone whose decisions or actions are regularly taken into account by the governing body of that branch;
  • the chief executive function;
  • the FCA-required functions;
  • the systems and controls function;
  • the significant management function, insofar as the function relates to:
    • designated investment business other than dealing in investments as principal, disregarding art.15 of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544) (RAO); or
    • processing confirmations, payments, settlements, insurance claims, client money and similar matters insofar as this relates to designated investment business; and
  • the customer function.

Overseas firms, other than those from within the European Economic Area (EEA), must also give the FCA details of:

  • the firm's worldwide chief executive; and
  • the person within the firm with responsibility for UK operations.

In addition, if the firm is a bank, it must also give the names of two or more persons who direct its UK business and, if the firm is an insurer, it must also provide the name of its UK representative.

Overseas firms that have their registered office in the EEA are regulated by the regulatory authority within their member state. The Markets in Financial Instruments Directive (MiFID II) places the responsibility on the regulator in the member state in which the firm has its registered office for ensuring that individuals from within the EEA have the relevant skills, knowledge and expertise to perform their role. A firm's home state regulator is, therefore, responsible for ensuring the competence of an individual performing a controlled function at an EEA firm operating in the UK.

As a consequence, EEA firms with UK branches will need to obtain approval from the FCA only for persons carrying out:

  • the money laundering reporting function;
  • the significant management function insofar as the function relates to:
    • designated investment business other than dealing in investments as principal, disregarding art.15 of the RAO; or
    • processing confirmations, payments, settlements, insurance claims, client money and similar matters insofar as this relates to designated investment business; and
  • the customer function (other than where this relates to giving advice on syndicate participation at Lloyd's) (FCA SUP 10A.1.11R).

Enforcement

Approved persons are regulated by, and personally accountable to, the FCA. Approved persons are required to comply with the Statements of Principle and Code of Practice for Approved Persons (APER) (see Statements of Principle and Code of Practice for Approved Persons).

If the FCA considers that an approved person is no longer a fit and proper person it can make a Prohibition Order under s.56 of the Financial Services and Markets Act 2000 (FSMA 2000) prohibiting the individual from performing the relevant and other controlled functions.

The FCA can also take disciplinary action against an approved person if it appears to it that the individual has failed to comply with APER or a provision of the FCA Handbook, or has acted in breach of the FSMA 2000 (s.66 FSMA 2000) or has knowingly acted in breach of the firm's regulatory requirements.

The FCA's disciplinary powers include:

The FCA may not take disciplinary action more than six years after the date that it first became aware of the misconduct. However, for misconduct occurring before 25 July 2014, the limitation period is three years (s.66 (5ZA) FSMA 2000).

Senior Managers Regime

The Senior Managers Regime (SMR) applies to all UK-incorporated banks, building societies, credit unions and investment banks (s.71A Financial Services and Markets Act 2000 (FSMA 2000)) and replaces the Approved Persons Regime for individuals working within those firms. Since 10 December 2018, the SMR has applied to insurers and has replaced the Senior Insurance Managers Regime and the revised Approved Persons Regime (see Insurers).

The SMR seeks to promote a clear allocation of responsibilities to key decision makers and to strengthen individual accountability through robust, initial and ongoing assessments of their fitness and propriety (by firms and regulators), with strengthened powers of approval and enforcement for the regulators.

Senior management functions (SMFs) are those that will require the person performing them to be responsible for managing one or more aspects of the relevant firm's affairs, so far as they relate to regulated activities and those aspects involve, or might involve, a risk of serious consequences for the authorised person or for business or other interests in the UK (s.59ZA FSMA 2000).

Senior managers comprise the top layer of executive management of the firm and all directors, including ordinary non-executive directors (NEDs). The FCA provides guidance on how the SMR applies to NEDs in COCON 1 Annex 1.

Individuals performing SMFs require pre-approval from the PRA and/or FCA. In contrast, individuals subject to the Certification Regime do not require pre-approval before performing their functions. Individuals who will perform a PRA SMF will require pre-approval by the PRA with the FCA's consent. Individuals performing an FCA SMF will require pre-approval by the FCA only.

Applications for pre-approval must be on the relevant form, for example Form A, Form E, Form I or Form J with a statement of responsibilities (see Statement of responsibilities) and a management responsibilities map (see Management responsibilities map) appended.

Individuals performing SMFs are also subject to the conduct rules (see Conduct rules).

Converting Approved Persons Regime functions to SMR functions

The SMR is extended to all FCA-authorised firms (except benchmark administrators) from 9 December 2019. Form K (conversion notification for core and enhanced firms only) will be available on Connect from 9 September 2019, and the form must be submitted by midnight 24 November 2019. Where a firm has an Approved Persons Regime application in progress that the FCA has not processed by 9 December 2019, the firm will need to submit a statement of responsibilities for that application by 16 December 2019. The FCA says that this should be done by the firm sending a paper statement of responsibilities to its FCA case officer. The FCA will make the form for this available in due course.

Senior management functions

There are 21 senior management functions (SMFs) for UK-incorporated banks, building societies, credit unions, investment banks and insurers that broadly replace the approved persons significant influence functions. A list of prescribed SMFs is set out in FCA SUP 10C.4.3R. Further information on the PRA's SMFs is set out in the PRA Rulebook: Senior management functions, chapters 3 to 7.

New SMFs include: head of key business area (PRA); group entity senior manager (PRA); and other overall responsibility function (FCA).

A table showing the combined PRA and FCA SMFs is set out below. The tick mark indicates which regulator is responsible for assessing the fitness and propriety of the individual and granting their approval.

SMF Description FCA function PRA function
SMFs 9 to 14 to be held by approved NEDs rather than executives
SMF1 Chief executive function
SMF2 Chief finance function
SMF3 Executive director function
SMF4 Chief risk function
SMF5 Head of internal audit function
SMF6 Head of key business area function
SMF7 Group entity senior manager function
SMF8 Credit union SMF (small credit unions only)
SMF9 Chairman function
SMF10 Chair of the risk committee function
SMF11 Chair of the audit committee function
SMF12 Chair of the remuneration committee function
SMF13 Chair of the nominations committee function
SMF14 Senior independent director function
SMF15 Chair of the with-profits committee function
SMF16 Compliance oversight function
SMF17 Money laundering reporting function
SMF18 Other overall responsibility function
SMF19 Head of overseas branch function
SMF20 Chief actuary function
SMF20a With-profits function
SMF21 EEA Branch senior manager function
SMF22 Other local responsibility function
SMF23 Chief underwriting function
SMF23a Underwriting risk oversight function (Lloyd's only)

While some SMFs will be present in all firms, others will exist only in certain firms.

Individuals with overall responsibility (SMF18)

Individuals with overall responsibility are individuals who have the ultimate responsibility under the governing body for managing or supervising a function and with direct responsibility for reporting to the governing body and putting matters before it (SYSC 4.7.11G and SUP 10C.7.1R). This will usually be the most senior officer or employee with responsibility for managing that function, not the individual who has day-to-day management control of the function (SYSC 4.7.15G).

The PRA and FCA have made it clear that it will be important for firms to "identify any other individuals who have overall responsibility for an activity, function or area", not just those individuals identified as performing one of the specific SMFs. Such individuals will need to be pre-approved to perform SMF18.

There has been some debate within the financial sector as to whether or not individuals who are performing a "head of legal" function should be included within the Senior Managers Regime (SMR) as individuals with overall responsibility. The argument in favour is that general counsel play an important business role and a failure in the management of the legal department could potentially have a significant impact on the business. The argument against inclusion is that the primary role of the legal function is to provide independent legal advice and including it within the SMR as an SMF would prejudice a general counsel's ability to provide impartial and privileged advice to the business. On 26 July 2019, following consultation in FCA CP19/4: Optimising the Senior Managers & Certification Regime and feedback to DP16/4 - Overall responsibility and the legal function, the FCA confirmed the exclusion of the legal function from the overall responsibility requirement and the exclusion of the head of legal from the requirement to be approved as a senior manager (FCA PS19/20: Optimising the Senior Managers & Certification Regime - Feedback to CP19/4 and Final Rules). However, the FCA stressed that, while it is removing the requirement for the head of legal to be a senior manager, it is not excluding lawyers from performing an SMF. The FCA advised that dual-regulated insurers may wish to consult the PRA for guidance on whether or not the head of legal should be treated as a key function holder.

Insurers

The Senior Managers Regime (SMR) and the Certification Regime (CR) were extended to insurers and reinsurers on 10 December 2018. The SMR and CR apply to the following:

  • Solvency II firms (all firms that fall within the scope of the UK rules implementing the Solvency II Directive (2009/138/EC)): This includes the Society of Lloyd's, managing agents, incoming branches of non-UK firms and Insurance Special Purpose Vehicles.
  • Non-Directive firms (NDFs): Insurers that are outside the scope of the Solvency II Directive. A small NDF is a firm where the value of assets for all the regulated activities that it carries out is £25 million or less. NDFs that are over this threshold qualify as large NDFs.
  • Small run-off firms: Insurers that have £25 million or less in technical provisions and no longer have permission to write or acquire new business. This category also includes firms that are not treated as Solvency II firms because the rules that implement the Solvency II Directive have been disapplied to them (Rule 2 of the PRA Rulebook: Solvency II firms: Transitional measures).

The SMR and CR replace the Senior Insurance Managers Regime (SIMR) and the revised Approved Persons Regime for insurance firms. While many of the requirements of the SMR are similar to those under the SIMR, insurers and reinsurers now have additional obligations, including senior management functions, the requirement to certify staff under the CR, and handover procedures (see Certification Regime and References).

The FCA has produced a guide for insurers that contains a summary of its rules on the SMR and CR and an overview of how the regimes work, including the FCA and PRA senior management functions (SMFs) and prescribed responsibilities that are specific to insurers (FCA: The Senior Managers and Certification Regime: Guide for insurers).

For insurers, the overall responsibility requirements and SMF18 and SMF22 functions apply only to Solvency II firms (including third-country branches) and large non-Directive firms (NDFs). They do not apply to small NDFs or Insurance Special Purpose Vehicles.

In brief, the SMFs for insurers are as follows:

Solvency II firms and large non-Directive firms

These firms have:

  • six FCA executive and two oversight SMFs; and
  • six PRA executive and 10 oversight SMFs (eg SMF23b Conduct risk oversight officer (Lloyd's only) and SMF15 Chair of the with-profits committee for the person(s) responsible for the with-profits advisory arrangement).

Small non-Directive firms

These firms have four FCA SMFs and five PRA SMFs.

Small run-off firms

These firms have four FCA SMFs and 16 PRA SMFs.

Insurance special purpose vehicles

These firms have two FCA SMFs and four PRA SMFs.

Senior managers' duty of responsibility

The FCA had originally proposed (FCA CP15/9: Feedback on FCA CP14/13/PRA CP14/14 and consultation on additional guidance) a "presumption of responsibility" that, in an enforcement action, would place the burden on senior managers of proving that they had taken all reasonable steps to prevent a breach from occurring or continuing. This was known as the "reverse burden of proof" and proved controversial within the financial services industry.

The proposal was subsequently dropped and replaced with a duty of responsibility. This duty requires senior managers to take reasonable steps to prevent regulatory breaches in the areas for which they are responsible, but with the burden of proving that a senior manager has failed to meet the expected standards in an enforcement action resting firmly with the FCA. The duty is set out in s.66A(5)(d) of the Financial Services and Markets Act 2000, as amended by s.25(2)(f) of the Bank of England and Financial Services Act 2016, and came into force on 10 May 2016.

Prescribed responsibilities

The PRA and FCA have between them 30 prescribed responsibilities for UK-incorporated banks, building societies, credit unions and investment banks that must be assigned to the individuals who hold senior management functions (SMFs). Firms must ensure that each prescribed responsibility is allocated to a senior manager holding an SMF, to ensure that someone is accountable for the prescribed responsibility. Firms will need to identify the individuals who hold SMFs and assign the prescribed responsibilities to them.

Some responsibilities are prescribed by both the FCA and PRA. Some apply in specified circumstances only and some apply to non-executive directors. Some responsibilities apply to all firms, and others apply only to larger or only to smaller firms. For these purposes a smaller firm is one with gross total assets of £250 million or less. The threshold is calculated over a rolling five-year period, or if less, the period during which the firm has existed. In effect this creates a simplified Senior Managers Regime for smaller firms, with fewer requirements to be met.

The FCA's prescribed responsibilities are set out in SYSC 4.7.7R. The PRA's prescribed responsibilities are set out in the PRA Rulebook: Allocation of responsibilities rule 4.1 and rule 5.2 for smaller firms. A combined list of FCA- and PRA-prescribed responsibilities is set out below.

Ref | Description of prescribed senior management responsibility | FCA prescribed? | PRA prescribed?

Applying to all firms
a | Responsibility for the firm's performance of its obligations under the senior management regime. | SYSC 4.7.7R(1) | 4.1(1)
b | Responsibility for the firm's performance of its obligations under the certification regime. | SYSC 4.7.7R(2) | 4.1(2)
c | Responsibility for compliance with the requirements of the regulatory system about the management responsibilities map. | SYSC 4.7.7R(3) | 4.1(3)
d | Overall responsibility for the firm's policies and procedures for countering the risk that the firm might be used to further financial crime. | SYSC 4.7.7R(4) | -
e | Responsibility for the allocation of all prescribed responsibilities in accordance with rule 3.1 of PRA Rulebook: Allocation of responsibilities. | - | 4.1(20)
ee | Acting as the firm's whistleblowers' champion. The allocated responsibilities for the whistleblowers' champion are set out in SYSC 18.4.4.R. | SYSC 4.7.7R(4A) | -

Applying to larger firms
f** | Responsibility for leading the development and monitoring effective implementation of policies and procedures for the induction, training and professional development of all members of the firm's governing body. | SYSC 4.7.7R(5) | 4.1(13)
g | Responsibility for monitoring the effective implementation of policies and procedures for the induction, training and professional development of all persons performing designated senior management functions on behalf of the firm, other than members of the governing body. | SYSC 4.7.7R(6) | 4.1(5)
h | Responsibility for overseeing the adoption of the firm's culture in the day-to-day management of the firm. | - | 4.1(6)
i | Responsibility for leading the development of the firm's culture by the governing body as a whole. | - | 4.1(14)
j** | Responsibility for safeguarding the independence of, and overseeing the performance of, the internal audit function, in accordance with SYSC 6.2 (Internal Audit). | SYSC 4.7.7R(7) | 4.1(15)
k** | Responsibility for safeguarding the independence of, and overseeing the performance of, the compliance function in accordance with SYSC 6.1 (Compliance). | SYSC 4.7.7R(8) | 4.1(16)
l** | Responsibility for safeguarding the independence of, and overseeing the performance of, the risk function, in accordance with SYSC 7.1.21R and SYSC 7.1.22R (Risk control)/Risk control 3.4 and 3.5. | SYSC 4.7.7R(9) | 4.1(17)
m** | Responsibility for overseeing the development and implementation of the firm's remuneration policies and practices in accordance with SYSC 19D (Remuneration Code). | SYSC 4.7.7R(10) | 4.1(18)
n | Responsibility for the independence, autonomy and effectiveness of the firm's policies and procedures on whistleblowing, including the procedures for protection of staff who raise concerns of detrimental treatment. | - | 4.1(19)
o | Responsibility for managing the allocation and maintenance of capital, funding and liquidity. | - | 4.1(7)
p | Responsibility for the firm's treasury management functions. | - | 4.1(8)
q | Responsibility for the production and integrity of the firm's financial information and its regulatory reporting under the regulatory system. | - | 4.1(9)
r | Responsibility for developing and maintaining the firm's recovery plan and resolution pack and for overseeing the internal processes regarding their governance. | - | 4.1(10)
s | Responsibility for managing the firm's internal stress tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purposes of stress testing. | - | 4.1(11)
t | Responsibility for the development and maintenance of the firm's business model by the governing body. | - | 4.1(12)
u | Responsibility for the firm's performance of its obligations under fitness and propriety in respect of its notified non-executive directors | - | 4.1(4)

Applying in specified circumstances
v | If the firm carries out proprietary trading, responsibility for the firm's proprietary trading activities. | - | 4.2(1)
w | If the firm does not have an individual performing the chief risk function, overseeing and demonstrating that the risk management policies and procedures that the firm has adopted in accordance with SYSC 7.1.2 R to SYSC 7.1.5 R/Risk control 2.1 to 2.4. | - | 4.2(2)
x | If the firm outsources its internal audit function, taking reasonable steps to ensure that every person involved in the performance of the service is independent from the persons who perform external audit. This includes supervision and management of the work of outsourced internal auditors, and management of potential conflicts of interest between the provision of external audit and internal audit services. | - | 4.2(3)
y | If the firm is a ring-fenced body, responsibility for ensuring that those aspects of the firm's affairs for which a person is responsible for managing are in compliance with the ring-fencing obligations. | - | 4.2(4)
z | Overall responsibility for the firm's compliance with CASS (Client assets sourcebook). | SYSC 4.7.7R(11) | -

Applying to small firms only
aa | Responsibility for implementing and managing the firm's risk management policies and procedures. | - | 5.2(3)
bb | Responsibility for managing the systems and controls of the firm. | - | 5.2(4)
cc | Responsibility for managing the firm's financial resources. | - | 5.2(5)
dd | Responsibility for ensuring the governing body is informed of its legal and regulatory obligations | - | 5.2(6)

** Indicates SMFs to be held by approved NEDs, rather than executives

It is possible for prescribed responsibilities to be allocated to more than one senior manager (PRA Rulebook: Senior management functions, rule 8.1 and FCA SYSC 4.7.26G). However, such sharing will need to be justified and each senior manager will be deemed to be wholly responsible for the prescribed responsibility and will be jointly liable for any breach of the prescribed responsibility. Firms must also ensure that a person who performs the chairman function does not simultaneously perform the chief executive function within the same firm (PRA Rulebook: Senior management functions, rule 8.2).

The FCA and PRA have in total 19 prescribed responsibilities for insurers and reinsurers (set out in FCA: The Senior Managers and Certification Regime: Guide for insurers). The FCA and PRA share seven, eight have been allocated by the PRA only and three by the FCA only (a new prescribed responsibility for the firm's performance of its obligations under COCON, a prescribed responsibility for CASS compliance and another for the prevention of financial crime).

Statement of responsibilities

When making an application to the PRA or FCA for approval of an individual to perform a senior management function (SMF) the firm must submit a statement of responsibilities (s.60(2A) Financial Services and Markets Act 2000, PRA Rulebook: Allocation of Responsibilities rule 2.1 and FCA SUP 10C.11.1G).

The template form for the statement of responsibilities is set out in Annex 5D to SUP10C. It must be signed by the individual to whom it relates and the description of the responsibilities should be no more than 300 words. The statement of responsibilities must be submitted together with the relevant other form (for example Form A, Form E, Form I or Form J) to which the application relates (see Forms to use to apply for approved persons status and approval under the Senior Managers Regime).

The contents of the statement of responsibilities must:

  • be consistent with the firm's management responsibilities map (see Management responsibilities map);
  • be complete and not refer to documents that do not form part of it;
  • demonstrate how the responsibilities fit in with the firm's governance and management;
  • not dilute, reduce, alter or undermine the scope of the prescribed responsibilities;
  • explain what is split or shared, why, and identify the other senior manager ensuring that the shared responsibilities are complete; and
  • be succinct and clear (FCA SUP 10C.11.23-28G and FCA SUP 10C.11.32G).

Initial guidance is set out in FCA SUP 10C.11.13D to FCA SUP 10C.11.17G and PRA Rulebook: Allocation of responsibilities, chapter 2.

On 8 March 2019, the FCA published final guidance on the statement of responsibilities and management responsibilities maps (FCA FG19/2: SM & CR: Guidance on statements of responsibilities and responsibilities maps). The aim of the guidance is to give FCA solo-regulated firms practical assistance and information on preparing the statements and maps. The guidance sets out the purpose of statements and responsibilities maps, provides some questions for firms to ask themselves and outlines examples of good and poor practice. It is designed to be read alongside the Guide for FCA solo-regulated firms as well as applicable rules and guidance in the FCA Handbook. The FCA states that its guidance should be applied in a risk-based and proportionate way. A firm should consider its size, nature and complexity when deciding if a certain example of good or poor practice is appropriate to its business.

The purpose of the statement of responsibilities is to set out clearly the responsibilities that the candidate or senior manager is to perform as part of their SMF. Firms should therefore ensure that the individual's job description captures these responsibilities.

Firms must at all times have a complete set of current and up-to-date statements of responsibilities for all persons approved to perform SMFs (PRA Rulebook: Allocation of responsibilities, rule 2.4, FCA SUP 10C.11.20R) and they must retain these statements for 10 years (PRA Rulebook: Allocation of responsibilities, rule 7.4 and FCA SYSC 9.1).

Under the revised Approved Persons Regime and the Senior Insurance Managers Regime, some insurers were required to submit a scope of responsibilities document. Under the SMR and CR, this document is renamed as a "statement of responsibilities". Solvency II firms must keep records of their statements of responsibilities for 10 years and both small and large non-Directive firms must keep records for six years.

Management responsibilities map

Firms are also required to create and keep up to date a comprehensive management responsibilities map that sets out the firm's management and governance arrangements, including reporting lines and details about the relevant people and their responsibilities (PRA Rulebook: Allocation of responsibilities, rule 7.1 and FCA SYSC 4.5.4R). It is mandatory for enhanced firms to produce responsibilities maps. It is good practice for core and limited scope firms to create and maintain responsibilities maps, but it is not mandatory.

For insurers, the requirement to produce and maintain responsibilities maps will apply only to Solvency II firms and large non-Directive firms (NDFs). It will not apply to small NDFs, small run-off firms and Insurance Special Purpose Vehicles. The governance map, which was required by the Senior Insurance Managers Regime for Solvency II firms and large NDFs, is renamed as a "responsibilities map".

A management responsibilities map is, in short, a single document that describes a firm's management and governance arrangements, how responsibilities have been allocated, and to whom.

There is no template management responsibilities map and each firm is able to create its own management responsibilities map that is relevant to its business. The map must include the matters listed in FCA SYSC 4.5.7R and can be large and complex. Firms must retain superseded management responsibilities maps for 10 years (PRA Rulebook: Allocation of Responsibilities, rule 7.4).

The FCA has set out guidance on its requirements for a management responsibilities map for UK relevant authorised persons in SYSC 4.5. The FCA allows smaller firms with less complex business models and governance arrangements to create less complex responsibilities maps (SYSC 4.5.13G). The PRA sets out its guidance in its Rulebook: Allocation of responsibilities, rule 7.2 and at SS28/15: Strengthening individual accountability in banking. A management responsibilities map should include:

  • names and responsibilities of senior management and governing/management body members;
  • details of reporting lines and lines of responsibility;
  • management and governance arrangements for all senior managers;
  • how the firm's management and governance arrangements fit with, are provided by, or shared with the group or others; and
  • details of the allocation of required responsibilities.

Further details of what should be included are set out in SYSC 4.5.4R to SYSC 4.5.15G and PRA Rulebook: Allocation of responsibilities, rule 7.2.

SYSC 4 Annex 1 is not a comprehensive list of each firm's main business activities and functions, and it is a firm's responsibility to ensure that it has complete lists of its activities, areas or functions. However, SYSC 4 Annex 1 is a useful checklist for firms to ensure that they have allocated responsibility for every activity of the firm. Firms are required to confirm on an annual basis that there are no gaps in the allocation of responsibilities.

The purpose of the management responsibilities map is to ensure that there is a clear allocation of responsibilities to senior managers, a clear organisational structure and that there are no gaps in the allocation of responsibilities.

Practical steps

In practice, firms should:

  • consider the activities, business areas or functions the firm performs; the prescribed responsibilities it undertakes; and those prescribed responsibilities it is also required to undertake;
  • identify the individuals that hold the core senior management functions (SMFs 1-17);
  • allocate the prescribed responsibilities to individual senior managers holding the SMFs;
  • identify and record the overall responsibility of senior managers for other activities, functions or business areas;
  • record the allocation of prescribed responsibilities on individual statements of responsibilities; and
  • include the allocation of those prescribed responsibilities in the management responsibilities map (including the responsibilities assigned to each SMF and any other information that is relevant to the function they perform).

Territorial scope

There is no territorial limitation to the Senior Managers Regime. Therefore, firms must allocate responsibility for all activities, business areas and management functions of the whole firm, including those carried out from an overseas branch and all transactions that take place overseas.

Certification Regime

The Certification Regime (CR) requires senior managers in relevant firms to assess and certify, at least annually, the fitness and propriety of staff deemed capable of causing significant harm to the firm or any of its customers or those that could risk the integrity of financial markets (s.63F(1)-(5) Financial Services and Markets Act 2000 (FSMA 2000)). It covers a broader group of persons than those covered by the Approved Persons Regime.

There was no certification requirement for insurers under the Senior Insurance Managers Regime and the revised Approved Persons Regime. However, insurers are now subject to the CR and must certify their staff. In preparation for the extension of the CR to insurers on 10 December 2018, insurers were required to identify their certification staff before that date, but they have until the first anniversary to complete the initial certification process.

Firms should take full responsibility for the fitness and propriety of their staff that are covered by the CR (ss.63E and 63F FSMA 2000).

The FCA's set of significant harm functions is wider than the PRA's. The significant harm functions are referred to as certification functions. A full description of the roles that are subject to the FCA CR is set out in SYSC 5.2.30R. The FCA's certification functions include those individuals performing the following functions:

  • client assets sourcebook (CASS) oversight (SYSC 5.2.32R);
  • benchmark submission and administration (SYSC 5.2.33R);
  • proprietary trading (SYSC 5.2.34R);
  • significant management (SYSC 5.2.35R);
  • functions requiring qualifications (SYSC 5.2.39R);
  • managers of certification employees (SYSC 5.2.41R); and
  • material risk takers (SYSC 5.2.42R).

The PRA rules relating to its certification functions are set out in the Certification chapter of the PRA Rulebook. Generally, the PRA's CR applies to persons who are significant risk takers and whose actions could pose a significant risk to the firm or its customers.

The PRA has a different set of certified functions for insurers, which do not conflict with the FCA's, and are:

  • key function holders for all Solvency II firms, large non-Directive firms (NDFs) and Insurance Special Purpose Vehicles;
  • material risk takers - this will apply only to large Solvency II insurers and large NDFs; and
  • individuals who are managing a material risk taker.

Firms that are subject to the CR, including insurers, must issue certificates every 12 months (s.63F(5) FSMA 2000). Therefore, from a practical perspective firms may wish to synchronise the annual assessment of an individual's fitness and propriety with their appraisal process. When conducting the assessment, firms should take into account whether the individual:

  • has obtained a qualification; or
  • has undergone, or is undergoing, training; or
  • possesses a level of competence.

Certificates by firms, including insurers, should:

  • state that the authorised person is satisfied that the person is a fit and proper person to perform the certification function(s); and
  • set out the aspect of the firm's business in which the individual is involved.

Firms are not required to assess whether or not their staff outside of the scope of the certification functions set out in the PRA's and FCA's rules could be in a position to pose significant harm.

Following consultation, the FCA decided to add two further significant harm functions to its CR: individuals dealing with clients and algorithmic trading (FCA PS16/3: Strengthening accountability in banking: Feedback on CP15/22 and CP15/31; final rules on extending the certification regime to wholesale market activities and interim rules on referencing).

Territorial scope

For UK firms, the CR is limited to individuals performing a certification function who are either based in the UK or, if based outside the UK, are dealing (ie have contact) with UK clients. The exception to this is where an individual is a material risk taker under one of the FCA's remuneration codes. For these individuals, there is no territorial limitation.

Fitness and propriety

The FCA's FIT sourcebook (Fit and proper test for employees and senior personnel) sets out guidance that firms, including insurers, should apply in making an assessment of the fitness and propriety of candidates to carry out controlled functions under the Approved Persons Regime, the Senior Managers Regime (SMR) and the Certification Regime (CR). When assessing the fitness and propriety of a person to perform a particular controlled function, the PRA and FCA will have regard to a number of factors, including the person's:

  • honesty, integrity and reputation;
  • competence and capability; and
  • financial soundness (PRA FIT 1.3.1G and FCA FIT 1.3.1BG).

The PRA rules covering the fitness and propriety of all persons within its SMR and CR are set out in the fitness and propriety chapter of the PRA Rulebook. They require that such persons have the personal characteristics; necessary level of competence, knowledge and experience; and appropriate qualifications and training to enable such person to perform his or her function effectively and in accordance with regulatory requirements; and to enable the sound and prudent management of the firm (PRA Rulebook: Fitness and propriety, rule 2.6).

If a relevant firm considers that an individual fails to meet the standards of fitness and propriety it requires, it must report this to the relevant regulator in the case of a senior manager, or refuse certification in the case of an individual who it is proposed will undertake, or who has been undertaking, certification functions.

Firms can make a single assessment of fitness and propriety in respect of a particular certification function. In circumstances where an individual carries out multiple certification functions, his or her fitness and propriety for each function needs to be assessed against the applicable standards.

References

Firms are required to take reasonable steps to obtain references for individuals (including non-executive directors) who will be subject to the Senior Managers Regime (SMR) and those individuals carrying out significant harm functions under the Certification Regime (CR) (see Providing references: financial services > References under the Senior Managers Regime and Certification Regime). The FCA and PRA published the final rules on regulatory references on 28 September 2016 (FCA PS16/22: Strengthening accountability in banking and insurance: regulatory references final rules and PRA PS27/16: Strengthening accountability in banking and insurance: PRA requirements on regulatory references (part II)). The rules are contained in a new chapter of the FCA's Senior Management Arrangements, Systems and Controls sourcebook. For example, the FCA requires insurers seeking to appoint someone to a senior manager or a certified role to request a regulatory reference from the candidate's past employer(s). This requirement also applies to all non-executive directors (NEDs) who are not senior managers.

For insurers, regulatory references apply to Solvency II firms, large non-Directive firms (NDFs), approved persons, standard NEDs and, following the extension of the CR to insurers on 10 December 2018, to certified staff. Small NDFs have been required, since March 2017, to provide a reference on request and to include all relevant information in the reference covering an individual's previous six years of employment. However, under the CR, small NDFs are now subject to the same full set of requirements as for Solvency II firms and large NDFs.

Other checks

In assessing fitness and propriety, the FCA does not require a criminal records check to be carried out on those carrying out certification functions, but it does require such a check for those who will carry out a senior management function (SMF) (FCA SUP 10C.10.16R). The PRA also requires criminal record checks on individuals who will carry out an SMF (PRA Rulebook: Fitness and propriety, rule 2.9(1)).

Where an individual has worked overseas or has spent time living overseas, firms should undertake the relevant applicable checks with the appropriate overseas body, to the extent possible.

Senior management within firms is expected to make due and diligent enquiries about candidates and assess, on a balance-of-risk basis, which checks it will undertake on its staff. In addition to references and criminal record checks, firms should also check an individual's relevant qualifications, credit history and civil court judgments (see Recruitment: financial services > Recruitment of approved persons and persons to perform functions under the Senior Managers and Certification Regimes: procedural considerations).

The General Data Protection Regulation (2016/679 EU) (GDPR) came into force on 25 May 2018. The GDPR requires firms to have adequate data handling and protection systems in place in relation to data that they collect and process when conducting checks on their staff under the Senior Managers and Certification regimes (see Personal data > Data protection).

Conduct rules

The conduct rules reflect the core standards expected of staff that work for relevant firms. They are divided into two tiers. The first tier rules are applicable to all individuals approved to carry out senior management functions (SMFs), staff subject to the Certification Regime (CR) and other individuals, apart from those ancillary staff who perform a role that is not specific to the financial service business of the firm, for example cleaners, security guards and receptionists (COCON 1.1.2R). The second tier rules are applicable to individuals approved to carry out SMFs.

The conduct rules replace the Statements of Principle and Code of Practice for Approved Persons for those individuals (ss.64A and 64B Financial Services and Markets Act 2000 (FSMA 2000)).

The PRA's conduct rules are set out in the Conduct rules part of the PRA Handbook (2.1-2.3 and 3.1-3.4). The FCA's conduct rules are set out in its COCON sourcebook (COCON 2.1.1R-2.1.5R and 2.2.1R-2.2.4R). A table showing the conduct rules is set out below:

| Label | Conduct rule | Regulator |
| --- | --- | --- |
| Tier 1 | | |
| Rule 1 | You must act with integrity. | PRA/FCA |
| Rule 2 | You must act with due skill, care and diligence. | PRA/FCA |
| Rule 3 | You must be open and cooperative with the FCA, the PRA and other regulators. | PRA/FCA |
| Rule 4 | You must pay due regard to the interests of customers and treat them fairly. | FCA only |
| Rule 5 | You must observe proper standards of market conduct. | FCA only |
| Tier 2 | | |
| SM1 | You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively. | PRA/FCA |
| SM2 | You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system. | PRA/FCA |
| SM3 | You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively. | PRA/FCA |
| SM4 | You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice. | PRA/FCA |

Further detailed guidance on each conduct rule is set out in FCA COCON 4 (Specific guidance on individual conduct rules) and PRA SS28/15: Strengthening individual accountability in banking (chapter 5).

Firms must take all reasonable steps to ensure that persons subject to the conduct rules understand how the rules apply to them and to ensure that such persons are notified of the conduct rules that apply to them (s.64B(2)(a) and (b) FSMA 2000). Firms should therefore consider whether or not any training on the conduct rules is necessary to meet this requirement.

The conduct rules have applied to all staff subject to the SMR and CR since 7 March 2016. The conduct rules applicable to other staff took effect on 7 March 2017.

Insurers have 12 months from 10 December 2018 (the date of the extension of the SMR and CR to insurers) to apply the conduct rules to their other conduct rules staff. These are staff members that come under the conduct rules in COCON, but who do not hold an SMF or certification function.

Reporting obligation

Section 64C(1) of the Financial Services and Markets Act 2000 requires authorised firms to notify the regulator of disciplinary action (including formal written warning, suspension, dismissal or reduction/recovery of remuneration) taken against a person for any reason specified in the rules by the regulator. Notification must be made:

  • in the case of a senior manager, as soon as practicable and, in any event, within seven days of the date that the firm has taken disciplinary action, using Form D or, if applicable and with the prior permission of the FCA, by fax or email (SUP 10C.14.18R); and
  • in the case of both certification regime staff and other staff subject to the conduct rules, annually using Form H (SUP 15.11.13-14(2)R). The FCA has confirmed that it is mandatory to submit Form H even if a firm has no disciplinary action to report, in which case the firm must submit a nil return (FCA SUP 15.11.13R(5)).

The obligations on all regulated firms to deal with the regulators in an open and cooperative way, to disclose all matters of which they would reasonably expect notification and to report a significant breach of any rule continue to apply (FCA Principle 11; PRA Fundamental Rule 7 and SUP 15).

Enforcement

The FCA's Decision procedure and penalties manual and Enforcement guide set out how it will enforce the Senior Managers Regime (SMR) and Certification Regime (CR). In PS15/29: Strengthening accountability in banking: Final amendments to the Decision Procedure and Penalties Manual and the Enforcement Guide the FCA confirmed that it will follow its deterrence-based strategy, taking effective and robust enforcement action against a wide range of firms and individuals.

The Financial Services and Markets Act 2000 (FSMA 2000) has been amended to allow action to be taken for a breach of regulatory requirements, where the breach took place in an area of business for which the senior manager was responsible, and the individual failed to take the reasonable steps that a person in his or her position should have taken to prevent the breach (ss.66A(5)(c) and (d) and 66B(5)(c) and (d) FSMA 2000). This enforcement measure came into force on 10 May 2016.

The FCA can impose fines in relation to breaches of the conduct rules and regulatory requirements.

A new criminal offence of causing a firm to fail has also been introduced in relation to senior managers. The penalty for this offence is a custodial sentence of up to seven years and/or an unlimited fine (s.36 Financial Services (Banking Reform) Act 2013).

Handover and commencement arrangements

On a practical level, firms should consider how they will deal with the handover of senior management functions (SMFs) when an individual leaves the firm or changes role to undertake another function. The FCA rules on handover arrangements are set out in FCA SYSC 25.9.

One means of doing this is for the predecessor to prepare a handover certificate. This was considered by the PRA and FCA in their consultation on the new Senior Managers Regime (SMR) and Certification Regime (CR), but not adopted. A handover certificate may not always be practical. Firms should have processes in place to ensure that appropriate information is available to an individual who will commence as an SMF. The PRA requires that before an individual starts as a PRA SMF he or she is provided with all relevant information he or she might reasonably expect (PRA Rulebook: Senior management functions, rule 2.7).

Handover procedures are mandatory for enhanced firms. However, it is good practice for core and limited scope firms to have them in place.

For insurers, only Solvency II firms and large non-Directive firms are required to comply with the handover procedures.

UK branches of foreign firms

The home state supervisor of a firm in the European Economic Area (EEA) that operates a branch in another EEA country is responsible for the prudential supervision of the whole firm including the branch in the other EEA country. For this jurisdictional reason, the PRA's application of the Senior Managers Regime (SMR) and Certification Regime (CR) to UK branches of foreign firms applies only to UK branches of non-EEA firms.

However, the FCA's application of the SMR and CR applies to the branches of both EEA and non-EEA firms. The SMR and CR are defined by reference to "relevant authorised persons". This includes firms that are undertaking deposit taking under a passport and that have a branch in the UK. There is no requirement that the passport should be an establishment passport, and an overseas firm that undertakes deposit taking under a services passport and other non-deposit taking/dealing activities from its UK branch will be subject to the FCA's SMR and CR rules.

Under the SMR, there is no territorial limitation for senior managers because the SMR applies to any individual who performs a senior management role, regardless of where their base is. However, the territorial scope for UK branches of foreign firms under the CR or the conduct rules is limited to individuals based in the UK.

For insurers, UK branches of EEA firms and non-EEA firms are treated, in principle, as Solvency II firms in the FCA's rules, but with some variations to account for home-host supervisory arrangements.

Senior management functions

The PRA requires all non-European Economic Area (EEA) branches of foreign firms to have a head of overseas branch (the person akin to the CEO in relation to the branch) (SMF19). Also, if applicable, any individual who has direct management or decision-making responsibility over a branch's UK-regulated activities should be pre-approved as group entity senior manager (SMF7), as should any individuals performing the chief finance (SMF2), chief risk (SMF4) and head of internal audit (SMF5) senior management functions.

The FCA requires all non-EEA branches of foreign firms to obtain pre-approval in respect of any senior manager with individual responsibility for the local business area, activity or management function of the branch, but who is not approved to perform any other SMF in relation to the branch (the overseas branch manager function SMF22). Branches are also required to appoint an individual to perform the executive director function (SMF3), the compliance oversight function (SMF16) and the money laundering reporting function (SMF17).

In relation to EEA branches, the FCA requires the appointment of a senior manager to the money laundering reporting officer function (SMF17) and an EEA branch senior manager function (SMF21), similar to the overseas branch manager function.

Prescribed responsibilities

Between the FCA's and PRA's rules, 12 prescribed responsibilities are specified for non-European Economic Area (EEA) branches. As with the regime for relevant UK firms, some of these responsibilities are specified by both regulators and others by either the FCA or PRA. The full list of branch responsibilities applies to all non-EEA branches.

The prescribed responsibilities are intended to be allocated to individuals performing executive functions in the branch whether or not the individual is based overseas. The extent to which the Senior Managers Regime (SMR) and Certification Regime (CR) apply to an individual based overseas will depend on the facts. However, prescribed responsibilities should not be allocated to an individual performing a non-executive function.

A combined list of the FCA- and PRA-prescribed responsibilities for non-EEA branches is set out below.

| Ref | Prescribed responsibility | PRA/FCA |
| --- | --- | --- |
| za | Responsibility for the branch's performance of its obligations under the SMR. | PRA/FCA |
| zb | Responsibility for the branch's performance of its obligations under the certification rules. | PRA/FCA |
| zc | Responsibility for compliance with the firm's obligations in relation to its management responsibilities map. | PRA/FCA |
| zd | Responsibility for management of the UK branch's risk management processes in the UK. | PRA/FCA |
| ze | Responsibility for the branch's compliance with the UK regulatory system applicable to the branch. | PRA/FCA |
| zf | Responsibility for the escalation of correspondence from the PRA, FCA and other regulators in respect of the branch to the governing body and/or the management body of the firm or, where appropriate, of the parent undertaking or holding company of the firm's group. | PRA/FCA |
| zg | Local responsibility for the branch's policies and procedures for countering the risk that the branch might be used to further financial crime. | FCA |
| zh | Local responsibility for the branch's compliance with the client assets sourcebook (CASS). | FCA |
| zi | Responsibility for management of the branch's systems and controls in the UK. | PRA |
| zj | Responsibility for the allocation of all UK branch prescribed responsibilities. | PRA |
| zk | Responsibility for the management of the branch's liquidity or, where a liquidity waiver is in place, the submission of information to the PRA on the firm's liquidity position. | PRA |
| zl | Responsibility for the production and integrity of the branch's financial information and its regulatory reporting in respect of its regulated activities. | PRA |

Statement of responsibilities

Statements of responsibilities must be prepared for senior managers carrying out the prescribed responsibilities at overseas firms.

Management responsibilities maps

The FCA's rules relating to management responsibilities maps for overseas branches are found in SYSC 4.6 and differ slightly from those for UK firms. The PRA's rules for overseas branches are found in the PRA Rulebook: Allocation of responsibilities, chapter 6.

Practical steps

On a practical level, overseas branches should:

  • consider what activities, business areas or functions are performed by the branch and which prescribed responsibilities will be relevant to them;
  • identify those individuals that hold senior management functions (SMFs);
  • allocate the relevant prescribed responsibilities from this list to at least one SMF (except, if it wishes to allocate the responsibility in relation to the client assets sourcebook (CASS) to a senior manager approved to SMF22);
  • identify any individuals who have local responsibility for any other activities, functions or business areas that are not already reflected in a senior manager's function or the prescribed responsibilities;
  • record the allocation of responsibilities on individual statements of responsibility; and
  • record a summary of the allocation of the prescribed responsibilities in the management responsibilities map (including the responsibilities assigned to each SMF and any other information that is relevant to the function performed).

Certification Regime

The PRA has aligned the scope of its Certification Regime (CR) for non-European Economic Area (EEA) branches to that of the remuneration rules (PRA SS28/15: Strengthening individual accountability in banking). The FCA has aligned its CR with those it has in place for UK firms. It applies to individuals in EEA branches based in the UK (SYSC 5.2.1R).

Conduct rules

The PRA will apply its conduct rules to individuals performing senior management functions in non-European Economic Area (EEA) firms. The FCA will apply its conduct rules to those performing senior management functions in EEA and non-EEA branches within its Senior Managers Regime and Certification Regime.

Application forms for approved person status and approval to perform a senior management function

The PRA and FCA have two types of Form A: a long Form A and a short Form A. These forms are accessed, and must be submitted, through Connect, an online system for the submission of applications and notifications (replacing the previous online notification and application system (ONA)).

The long Form A requires more information than the short Form A and is used where:

  • the candidate is seeking approval to perform a controlled function/SMF for the first time;
  • the candidate has not held an approved person/SMF status for six months; or
  • there have been significant changes to the answers given in relation to the candidate's fitness and propriety since the original Form A was submitted.

The short Form A is to be used where:

  • the candidate already has approved person/SMF status with the firm and is seeking approval to perform a different controlled function/SMF;
  • the candidate already has approved person/SMF status with one firm but has ceased to perform controlled functions/SMFs for that firm within the last six months, and is seeking approval to perform controlled functions/SMFs for a new firm; or
  • the candidate already has approved person/SMF status and is seeking approval to perform controlled functions/SMFs for other firms within the same group.

In addition, the Form A for SMF status includes provisions for criminal record checks, regulatory references, statements of responsibilities and management responsibilities maps to be submitted.

There are some new forms applicable to the Senior Managers Regime (SMR) and Certification Regime (CR) only. These include:

  • Form H for notifying conduct rules breaches and disciplinary action relating to FCA-certification employees and other conduct rules staff;
  • Form I for applying for the variation of a conditional approval for the performance of an SMF;
  • Form J for notifying significant changes in responsibilities of an SMF manager;
  • Form L for notifying breach of conduct rules and related disciplinary action for PRA CR employees; and
  • Form O for allowing core or limited scope firms to "opt up" and be reclassified as an enhanced firm.

Senior Management Arrangements, Systems and Controls sourcebook

Further rules governing senior management responsibilities can be found in the FCA Handbook, in particular the Senior Management Arrangements, Systems and Controls sourcebook (SYSC).

The SYSC sets out rules and guidance to be followed in relation to senior management arrangements, and systems and controls. The purpose of these rules and guidance is to:

  • encourage senior management to take appropriate practical responsibility for their firm's arrangements on matters likely to be of interest to the PRA and FCA because they impinge on their statutory functions;
  • increase certainty by amplifying principle 3 of the principles for businesses (see Financial services regulation > Principles and Rules for businesses), which requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk-management systems;
  • encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers; and
  • create a "common platform" of organisational and systems and controls requirements for all firms (FCA SYSC 1.2.1(4)G).

As well as providing guidance on the SMR and CR, the SYSC provides guidance for senior managers on:

  • compliance, internal audit and financial crime (SYSC 6);
  • risk control (SYSC 7 and 21);
  • outsourcing (SYSC 8);
  • conflicts of interest (SYSC 10);
  • liquidity risk systems and controls (SYSC 11);
  • group risk systems and controls requirements (SYSC 12);
  • operational risk systems (SYSC 13);
  • risk management (SYSC 14);
  • whistleblowing (SYSC 18) (see Whistleblowing: financial services);
  • remuneration (SYSC 19A-E) (see Remuneration: financial services); and
  • reverse stress testing (SYSC 20).

Enforcement action

Enforcement against firms

The PRA and FCA have taken a firm line in relation to enforcement action against firms and individuals to create a credible deterrent against misconduct and breaches of their regulatory rules. Examples include:

  • In March 2019, the FCA fined Carphone Warehouse over £29 million for failings that led to the mis-selling of "Geek Squad", a mobile phone insurance and technical support product. The FCA found that Carphone Warehouse had failed to give its sales consultants the right training to give suitable advice to customers purchasing Geek Squad. No training was provided on how to respond when customers gave answers indicating the policy may not be appropriate. When customers complained about the sale of Geek Squad, Carphone Warehouse "failed to properly investigate and fairly consider their complaints". This resulted in valid complaints not being upheld in circumstances where the product had been mis-sold. As a result, management did not have an accurate impression of the indicators of mis-selling. The FCA found that Carphone Warehouse breached principles 3, 6 and 9 of the FCA's principles for businesses between 1 December 2008 and 30 June 2015 (see FCA fines The Carphone Warehouse over £29m for insurance mis-selling).
  • In October 2018, the FCA fined Liberty Mutual Insurance Europe SE £5,280,800 for failures in its oversight of its mobile phone insurance claims and complaints handling processes, administered through a third party (see FCA has fined Liberty Mutual Insurance Europe SE £5.2 million for failures in its oversight).
  • In October 2018, the FCA fined Tesco Personal Finance plc £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack in November 2016. The FCA found that these deficiencies left Tesco Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m (see FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack).
  • In May 2015, Barclays was fined £284.5 million for failing to control business practices in its foreign exchange business (see FCA fines Barclays £284,432,000 for forex failings).
  • In February 2015, Aviva Investors was fined £17.6 million for failings in its systems and controls that led to its failure to manage conflicts of interest fairly (see Aviva Investors fined £17.6 million for systems and controls failings).
  • In September 2014, Barclays was fined £38 million for failing to protect clients' custody assets properly. This is the highest fine ever imposed by the FCA (or FSA) for breaches in managing client assets and it reflects the "significant weaknesses" it found in the systems and controls in Barclays' Investment Banking Division and the number of affected accounts (see Barclays fined £38 million for putting £16.5 billion of client assets at risk).
  • In November 2014, the PRA imposed its first financial penalty since it came into being in April 2013. The PRA fined RBS, NatWest and Ulster Bank a total of £14 million for not having proper controls in place to identify and manage IT risks. This failure led to a serious IT incident and caused widespread disruption to customers and the financial system (see PRA fines RBS, NatWest and Ulster Bank £14 million for IT failures). The FCA also took action against the banks and fined them an additional £42 million for the same incident (see FCA fines RBS, NatWest and Ulster Bank Ltd £42 million for IT failures).

Enforcement against senior managers

The FCA also has powers to take enforcement action against senior managers if they fail to ensure that adequate systems and controls are in place. Examples include:

  • In February 2019, the FCA fined Paul Stephany, former fund manager at Newton Investment Management Ltd, for his conduct in relation to an initial public offering and a placing. On two separate occasions, Mr Stephany submitted orders as part of a book build for shares that were to be quoted on public exchanges. Prior to the order books for the new shares closing, Mr Stephany contacted other fund managers at competitor firms and attempted to influence them to cap their orders at the same price limit as his own orders. The FCA found that Mr Stephany risked undermining the integrity of the market and the book build by trying to use their collective power. As a consequence, Mr Stephany failed to observe proper standards of market conduct. He was also found to have acted without due skill, care and diligence by failing to give proper consideration to the risks of engaging in these communications (see FCA fines former fund manager Paul Stephany).
  • In December 2018, the FCA banned Angela Burns from acting as a non-executive director (CF2 controlled function) and fined her £20,000 for failing to declare a conflict of interest. The FCA found that Angela Burns, an experienced UK investment professional and chief executive of her own investment consultancy, abused her position of trust and failed to act with integrity at two mutual societies (see FCA bans Angela Burns from acting as a non-executive director and fines her for her failure to declare conflicts of interest).
  • In March 2018, the FCA prohibited Paul Flowers, the former chair of the Co-operative Bank, from performing any function in relation to any regulated activity. The FCA found that Mr Flowers had demonstrated an unwillingness to comply not only with the FCA's requirements and standards, but also with other legal, regulatory and professional requirements. The FCA concluded that his conduct demonstrated a lack of the fitness and propriety required to work in financial services (see FCA bans former Co-operative Bank Chair, Paul Flowers, from the financial services industry).
  • In January 2016, the PRA prohibited Barry Tootell, the former chief executive of the Co-operative Bank, and Keith Alderson, the former managing director of the Co-operative Bank, from holding a significant influence function in a PRA-authorised firm for breaches related to the running of the Co-operative Bank. The PRA also fined Mr Tootell £173,802 and Mr Alderson £88,890 (see PRA takes enforcement action against former Co-op Bank individuals).
  • In November 2016, the FCA published a final notice in respect of Tariq Carrimjee, formerly an investment fund manager at Somerset Asset Management LLP. In 2013, the Financial Services Authority (predecessor to the FCA) found that Tariq Carrimjee had assisted his client in securing an artificially inflated closing price in respect of certain global depositary receipts. This had resulted in his client avoiding a trading loss under the terms of a structured product that the client held. After two referrals to the Upper Tribunal, the FCA confirmed in its final notice that Tariq Carrimjee's conduct had been in breach of statement of principle 2 because he had failed to act with due skill, care and diligence and that he should have been aware of the risk that his client might be seeking to engage in market manipulation. The FCA imposed a fine of £89,004 and prohibited Tariq Carrimjee from holding compliance oversight and money laundering reporting functions as he is not considered to be a fit and proper person (see FCA final notice).
  • In October 2016, the FCA fined Sonali Bank (UK) Ltd £3.25 million and imposed a restriction preventing the bank from taking on new business for 168 days. The FCA also fined the bank's former money laundering officer, Steven Smith, £17,900 and prohibited him from carrying out compliance oversight and money laundering reporting functions. The FCA found that the bank had breached statement of principle 3 by failing to ensure that adequate risk management systems were in place, leaving the bank exposed to money laundering and financial crime risks. The FCA found that Steven Smith had failed to exercise due care and diligence in managing the business of the bank and that he had been knowingly concerned in the bank's breach of principle 3. The FCA emphasised that there is an abundance of guidance for firms on how to comply with anti-money laundering rules and that the FCA will not hesitate to take action against firms and senior individuals who fall short of the FCA's standards (see FCA imposes penalties on Sonali Bank (UK) Ltd and its former money laundering reporting officer for serious anti-money laundering systems failings).
  • In September 2016, the FCA published a decision notice in respect of Andrew Tinney, formerly chief operating officer of wealth and investment management at Barclays. The FCA found that Andrew Tinney had taken steps aimed at ensuring that a third party report containing critical findings relating to the firm's culture would not be seen or made available to others, in breach of statement of principle 1 (acting with integrity). The FCA concluded that Andrew Tinney should be publicly censured and banned from carrying out any senior management or significant influence functions in any regulated financial service provider. Andrew Tinney has referred the matter to the Upper Tribunal and disputes this decision (see FCA publishes decision notice for Andrew Tinney, former Barclays Wealth senior director).
  • In March 2015, the FCA fined former compliance director, Stephen Bell, £33,800 for systematic weaknesses in the design and execution of network Financial Group's compliance systems and controls. Mr Bell was also banned from performing the compliance oversight function (see FCA fines Mr Stephen Bell).
  • In January 2015, the FCA fined and banned two former senior executives of interdealer broker Martin Brokers UK, David Caplin and Jeremy Kraft, for failings that contributed to a culture that permitted the manipulation of the London Interbank Offered Rate (LIBOR). David Caplin was fined £210,000 and Jeremy Kraft £105,000 (see Two former senior executives of Martin Brokers fined and banned for compliance failings related to LIBOR). This followed previous action against Martin Brokers UK in 2014, when the FCA fined the company £630,000 for misconduct relating to LIBOR.
  • In November 2014, the FCA fined three former senior executives of Swinton Group Ltd a total of £928,000 for presiding over an aggressive sales culture that led to insurance mis-selling. Peter Halpin (former CEO) was fined £412,700 and banned from acting as chief executive of a financial services firm. Anthony Clare (former finance director) was fined £208,600 and Nicholas Bowyer (former marketing director) was fined £306,700 and both were banned from performing significant influence functions at financial services firms (see Former Swinton executives fined and banned from senior roles after insurance add-ons mis-selling).

Key references

Legislation

The Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 SI 1975/1023
Financial Services and Markets Act 2000
Financial Services (Banking Reform) Act 2013
Bank of England and Financial Services Bill 2015/16
Financial Services and Markets Act 2000 (Relevant Authorised Persons) Order 2015

FCA Handbook instruments:
Individual Accountability Instrument 2015 (FCA 2015/31)
Supervision Manual (Notification Forms) (Amendment) Instrument 2015 (FCA 2015/63)
Individual Accountability (Enforcement) Instrument 2015 (FCA 2015/64)
Accountability (Foreign Branches) Instrument 2015 (FCA 2015/67)
Individual Accountability (Extension of Scope) and Whistleblowing (Amendment) Instrument 2016 (FCA 2016/1)
Individual Accountability (Conduct Rules) (Breaches Reporting) Instrument 2016 (FCA 2016/7)

PRA Rulebook instruments:
CRR Firms Non-CRR Firms: Individual Accountability Instrument 2015 (PRA 2015/6)
CRR Firms Non-CRR Firms: Individual Accountability Instrument (No 2) 2015 (PRA 2015/55)
CRR Firms Non-CRR Firms: Individual Accountability Instrument (No 3) 2015 (PRA 2015/69)
CRR Firms Non-CRR Firms: Individual Accountability Instrument (No 4) 2015 (PRA 2015/98)
CRR Firms Non-CRR Firms: Solvency II Firms: Non-Solvency II Firms: Notification Forms (Amendment) Instrument 2015 (PRA 2015/99)
Handbook Notification Forms (Amendment) Instrument 2015 (PRA 2015/100)
Non-Solvency II Firms: Forms Instrument 2015 (PRA 2015/101)
Supervisory Statement (PRA SS28/15)

Rules and guidance

PRA Handbook (in particular APER, FIT, SUP) (on the PRA website) and SS28/15 Strengthening individual accountability in banking
FCA Handbook (in particular APER, FIT, SYSC, COCON and SUP) (on the FCA website)
Dear CEO letter: Approving and supervising significant influence functions