All dual-regulated and FCA solo-regulated firms are now under the scope of the Senior Managers & Certification Regime (SMCR), with many working hard in recent months to ensure all aspects of the regime are well embedded. As part of these efforts, it is crucial that firms establish an effective framework to prevent but also detect and manage conduct breaches if they do happen, and when it is necessary, report them.
There are some key factors that firms should consider when developing their controls:
Firms should communicate, embed, and reinforce conduct rules in key documents that are accessible to all employees. This is especially important when people are working remotely, and employees should be reminded about the firm’s values, policies and procedures, and codes of conduct.
Implementing effective training for all in-scope employees is core to good compliance with the SMCR and effective risk management more generally. Senior managers should be integrally involved in the training, which should be engaging, interactive, and use realistic scenarios. Training should be reinforced regularly and built into the firm’s onboarding process. The accountable Senior manager should ensure that the training is effective and therefore periodic reporting and effectiveness reviews should be in place.
The process for investigating potential conduct rule breaches needs to be clear. Relevant stakeholders should be engaged early, ensuring legal, compliance and human resources are involved, as well as external advisers where necessary. Having the correct people investigating the breach is essential, and any potential conflicts of interest should be acknowledged and addressed.
While remote working has impacted some internal processes, regulatory expectations in terms of necessary standards of conduct remain unchanged. A year into the pandemic, there is less room for flexibility in this area and delays are no longer justified. Now that firms have adapted to the new way of working, they should be well-versed in utilising technology to facilitate investigations and conduct witness interviews remotely.
There are steps that should be taken in order to mitigate regulatory risks. The way a firm shapes its response and approaches the investigation is as important as the outcome of its review. Firms should conduct early-stage assessments if possible. An audit trail should always be made and retained as well, carefully considering the application of privilege in the way investigations are conducted and advice is provided, including on and the management of any potential conflicts of interest.
It is important that firms have a process in place for determining appropriate action when conduct rules are breached. They should be able to justify the assessment undertaken and instigate disciplinary proceedings where appropriate. It is critical that any disciplinary action is proportionate and that steps are consistently applied in future scenarios. Firms should be able to identify key risk areas from which the issues arose and train others using those lessons learned. Consideration should also be given to the ongoing assessment of fitness and propriety of any certified individual or senior manager found to be in breach of the conduct rules, and the consequent impact on any future regulatory reference.