What should Senior Managers be doing to limit their potential liability in this regard? Clearly, they need to take steps to ensure that the section of the business for which they are directly responsible is fully compliant, but is there potential for them to be subject to any collective responsibility?
The Senior Managers and Certification Regime (SM&CR) has now been in force for about 6 years (for dual regulated firms, at least), and as yet there are still few clear public examples showing how the FCA intend to approach the general enforcement of the conduct rules for Senior Managers (SM) set out in COCON 2.2. Yes, there are examples relating to egregious breaches of FCA Rules and Principles, but little evidence as to the extent of the generic expectations set out in SC1 and SC2.
There are likely to be two reasons for this: partly the private nature of much FCA enforcement activity, and partly the length of time it takes for such activity to progress to the stage at which any Final Notice might be published.
COCON 2.2 informs every Senior Manager that:
- SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
- SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
The key question here is: what is the business of the firm for which a Senior Manager is 'responsible'? Is responsibility in this context limited strictly to that part of the firm's activities for which a Senior Manager has direct responsibility, as set out in their formal Statement of Responsibilities, or does it extend more widely?
The wider interpretation of COCON 2.2, for which we have consistently argued, is clearly in line with the general pronouncements of the FCA at the time they were developing the SM&CR. The 2008 banking crisis had highlighted the inability of the FCA to hold Approved Persons to account for the general mismanagement of authorised firms; the SM&CR was to be part of the solution. However, in the absence of any clear evidence, a narrower interpretation of COCON 2.2 remained a possibility advocated in some quarters.
The recent Final Notice issued in respect of Matthew Charles Kent must surely put the issue to rest. Although the decision actually concerned his responsibilities under the previous APER regime, the reasoning adopted by the FCA is highly relevant to the interpretation of the current COCON 2.2.
The underlying offence in the case, which centred on the esoteric area of Contracts for Difference (CFDs), was not committed by Mr Kent; he had not benefitted from it financially, and the FCA were satisfied that his breach was negligent rather than deliberate or reckless. Nevertheless, whilst no action was taken to cancel or restrict his ability to be a Senior Manager in future, he was fined £83,600 (after discount).
Essentially, two other directors of the relevant firm (who were both banned from performing any senior management function in future) had brought about a significant breach of Principle 3, by failing to ensure that the firm had taken steps to 'organise and control its affairs responsibly and effectively with adequate risk management systems in relation to the business activities of the CFD desk generally, and specifically its compliance with the Authority’s MiFID transaction reporting requirements.' This in turn allowed the potential (not even actual) facilitation of financial crime.
APER Statement of Principle 7 says that 'An approved person performing an accountable higher management function must take reasonable steps to ensure that the business of the APER employer for which they are responsible in their accountable function complies with the relevant requirements and standards of the regulatory system'.
Mr Kent was found to have breached this requirement because he, as a CF1 executive director, was collectively responsible for the failure of the Board to ensure that the firm had in place appropriate systems and controls for the CFD desk in accordance with Principle 3. In particular, the Board effectively:
- approved the appointment of a CF10 with insufficient experience;
- received no reports regarding ongoing compliance with CFD requirements;
- did not review policies or procedures relating to CFD compliance;
- took no steps to oversee/review such compliance; and
- in fact, held no meetings at all during the relevant period (32 months).
In other words, the Board of which Mr Kent was a member made no adequate attempt to oversee the CFD activities of the firm. The FCA clearly accepted that Mr Kent was not directly responsible for running this element of the firm's business; nevertheless, he was in significant breach of Statement of Principle 7 because it was not reasonable for him to rely entirely on other members of the Board to discharge the function of governance and oversight of this element. As such, his failure to take steps to ensure that the Board complied with Principle 3 was in itself a breach of Statement of Principle 7.
On the basis of this recent decision, it appears almost certain that the FCA will adopt a wide interpretation of SC1 and SC2. As such, a Senior Manager's responsibilities are not necessarily limited to the direct responsibilities set out in their Statement of Responsibilities.
Senior Managers who are only exercising a required function, such as an MLRO, may be able to argue that the 'reasonable steps' they need to take to comply with SC1 and/or SC2 are more limited. On the other hand, a Senior Manager exercising a governing function will almost certainly need to go further in order to be able to demonstrate that they:
- have an objectively reasonable basis for believing that other Senior Managers within the firm are both capable of, and are in fact, running the sections for which they have responsibility in a compliant manner; and
- have taken steps (in line with the standard expected of any executive director) to ensure that they are adequately informed about the firm's wider business and have, where necessary, challenged the conduct of that business.
It is also worth noting that for those Senior Managers operating within a retail business, the required standard for compliance with SC1 and SC2 may be raised still further from August 2023 when the new Consumer Duty Individual Conduct Rule 6 comes into force (COCON 2.1.6: 'You must act to deliver good outcomes for retail customers').
As is made clear by the Rules in COCON 2.4.6 to 2.4.8, compliance with Rule 6 will require Senior Managers to adopt a proactive approach in discharging their general duties of governance and oversight. This may or may not amount to an extension of the SC1 and SC2 duties outlined above; executive directors in particular are already required to be active in discharging their duties, rather than merely passive.
If nothing else, though, Rule 6 will further underline for those acting within the FCA retail sector the wider requirement for all Senior Managers to be able to evidence:
- that they have reasonable grounds to believe that all areas of their firm are controlled effectively and in a manner that is consistent with regulatory requirements; and
- if not, that they have taken reasonable steps to challenge and correct any deficiencies.