For those following the evolution of the regulators' proposals in relation to the Senior Managers and Certification Regime (SMCR), the decision not to implement the proposed reversal of the burden of proof for Senior Managers (a focal point for much anxiety) appeared to be an important moment. However, in its place, a "duty of responsibility" for Senior Managers was adopted and has been in force since 10 May 2016 (see s.66A (5) of FSMA). The duty requires an SMF Manager (namely an individual pre-approved to hold a senior management function) to take such steps as a person in their position could be reasonably expected to take (i.e. "reasonable steps") to avoid a breach of a regulatory requirement by their firm. Crucially, the breach by the firm must already have been proven by the FCA and must be in the area for which the SMF Manager holds responsibility before the "duty of responsibility" applies. The burden of proof, both in relation to proving the breach by the firm and then by the relevant senior manager, rests with the regulators.
The present FCA and PRA consultations (that closed on 7 and 9 January 2017 respectively) relate to guidance regarding how the "duty of responsibility" will be construed by the regulators. The regulators state that they have worked in tandem in relation to their respective proposals, which are indeed very similar.
We set out below some areas of particular interest in the guidance under consultation:
- The FCA and PRA make clear that the question of which area an SMF Manager is responsible for does not simply involve looking at the Statements of Responsibilities and Management Responsibilities Maps. The FCA proposes guidance which contains a non-exhaustive list of factors that will be looked at in this regard, such as how roles are defined in meetings, on recorded calls, in minutes and in organisational charts. It is worth remembering in this context that "SMF Manager" in the rules is an individual with approval under s.59 FSMA to perform a senior management function. Therefore, whilst the "duty of responsibility" is applied to de facto senior managers, it can only be applied to those who are in fact already senior managers, albeit of other parts of the business.
- It is clear from the scope of the "duty of responsibility" in FSMA that the relevant standard is the steps reasonably expected of a person in the position of the relevant SMF Manager. In the FCA guidance, the standard is elaborated upon to make clear that the FCA will consider the steps that a "competent" SMF Manager would have taken at the time, in the relevant manager's position, with that person's roles and responsibilities and in all the circumstances. The PRA echoes the fact that it is interested in what should have been done at the time and not with the benefit of hindsight.
- The proposed FCA and PRA guidance provides lengthy (but non-exhaustive) lists of considerations that the regulators propose to take into account when determining whether or not the SMF Manager has failed to take reasonable steps. Many of these are unsurprising and relate to steps taken (or not) to ensure appropriate delegation, information flow and decision making. For example, both regulators include as a consideration the knowledge that the SMF Manager had (or ought to have had) about actual or suspected issues in the relevant part of the firm and whether steps were taken to deal with those issues in a timely and appropriate manner. Both regulators also include as a consideration whether reasonable steps were taken to ensure that delegation of responsibilities was to an appropriate person and whether there was appropriate oversight of that person.
- The considerations that are perhaps more interesting include:
  - Whether the SMF Manager took reasonable steps to initially assess then monitor the governance, operational and risk management arrangements in place for the firm's activities for which they are responsible "including, where appropriate, corroborating, challenging and considering the wider implications of the information available to them", and taking any reasonable steps required (FCA only).
  - Where the SMF Manager is involved in collective decision making regarding the area of the firm for which they are responsible, whether it was appropriate for the decision making to be collective and whether the SMF Manager informed themselves of relevant matters before taking part in the decision and exercised reasonable skill and care in contributing to it (FCA only).
- The PRA provides a list of steps that might be considered to constitute reasonable steps for an SMF Manager to have taken to discharge the "duty of responsibility". The FCA does not provide such guidance, although many of the steps identified by the PRA closely relate to the more extensive considerations identified by the FCA. Those steps mentioned by the PRA include:
  - Pre-emptive action to prevent a firm breach occurring, including initial reviews of the relevant business area.
  - Awareness of the relevant regulatory requirements.
  - Obtaining appropriate internal management information and critically interrogating and monitoring that information.
  - Structuring and control of day-to-day operations, including ensuring that any delegations are managed and reviewed appropriately.
  - Seeking appropriate expert advice (whether internal or external).
- Finally, the PRA sets out a list of evidence that it might seek to obtain in relation to cases under the "duty of responsibility". Whilst the FCA does not provide such guidance, what the PRA sets out in this regard is uncontroversial. For example, the PRA refers to board minutes, regulatory correspondence and interviews, Statements of Responsibilities and Management Responsibilities Maps.
It is noteworthy that the FCA and PRA appear keen for the new guidance not to become a managers' handbook. The PRA specifically comments that it is not offering "safe harbours" and will consider each case on its facts. Similarly, the FCA explicitly declines to give guidance on how a senior manager should deal with "competing priorities" (such as finance or time constraints or other breaches) in the context of a firm's breach. Added to the regulators' wishes in this regard, much of the proposed guidance is so broad that it can serve no meaningful purpose on a day-to-day basis. Nonetheless, the guidance, in whatever form it is ultimately adopted, will no doubt form an important backdrop to future enforcement cases, and it will be interesting to see how the FCA and PRA seek to interpret this guidance and its significance. We await with interest the outcome of the consultations.