The Senior Managers and Certification Regime (SMCR), which came into force in March 2016 for UK banks, PRA-designated investment firms, and UK branches of foreign banks, changes the way in which individuals working in financial services are regulated. It was introduced to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence.
The UK Financial Conduct Authority (FCA) intends to extend the SMCR to all solo regulated firms, including asset managers, investment firms, and consumer credit firms in 2019, replacing the Approved Persons Regime (APR). The SMCR will be extended to insurers from 10 December 2018.
Accountability is focused on a narrower number of the most senior individuals under the SMCR. Certain individuals currently requiring FCA approval under the APR will instead under the SMCR be required to be certified by their firm as “fit and proper” to perform their role, placing greater onus on the firm itself. We consider below the effect that this will have on the criminal record checks that can be carried out on those individuals as part of the assessment of their fitness and propriety. We also reflect on proposals by the FCA to widen the scope of the public financial services register (the FS Register) in response to substantial feedback on the public value of it maintaining a central public record of certification employees and other important individuals in regulated firms.
Whilst a firm may wish to carry out a standard criminal record check on a prospective employee, which discloses both spent and unspent convictions, a standard check is permitted only if the role is exempt under the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (the Rehabilitation Order). If it is not exempt, only a basic check is permitted.
The FCA has an exemption that permits the disclosure of information regarding both spent and unspent convictions in respect of individuals requiring regulator approval, provided that the individual is informed at the time of the request that, by virtue of the Rehabilitation Order, spent convictions are to be disclosed. However, the number of roles requiring regulator approval under the SMCR has been reduced considerably in comparison with the position under the APR, as set out further below. This has caused concern amongst firms, on the basis that the assessment of fitness and propriety is curtailed in respect of a class of individuals who pose potential risk to the organisation, given the nature of the roles they undertake.
The current APR applies to firms falling outside the scope of the SMCR and the Senior Insurance Managers Regime (SIMR). This includes, for example, stockbrokers, securities and futures firms, financial advisers, insurance and mortgage brokers, fund managers, asset managers, and consumer credit firms.
Under the APR, a person must be approved by the FCA before they can perform a controlled function, i.e., a significant influence function or customer-dealing function.
Before submitting an application for FCA approval for a person to carry out a controlled function, firms should conduct their own investigations, interviews, assessments and background checks necessary to satisfy themselves that the candidate is fit and proper to perform the controlled function.
Whilst there is no legal obligation requiring a criminal record check for approved persons, previous guidance (issued by the FSA, the FCA’s predecessor) has suggested that it would be considered good practice. As the FCA has an exemption under the Rehabilitation Order that permits the disclosure of both spent and unspent convictions in respect of individuals requiring approval, firms are therefore permitted to conduct standard criminal record checks for approved persons (provided that the individual is informed at the time the question is asked that, by virtue of the Rehabilitation Order, spent convictions are to be disclosed).
Before firms seek FCA approval for a person to carry out a senior manager function (e.g., the chief executive officer, director, partner, compliance oversight, or money laundering reporting functions), they must obtain the fullest information that they are lawfully able to obtain about a candidate under Part V of the Police Act 1997 (Certificates of Criminal Records) and related subordinated UK legislation.
Again, as the FCA has an exemption under the Rehabilitation Order that permits the disclosure of information regarding both spent and unspent convictions for individuals requiring approval, firms are permitted to carry out standard criminal record checks on senior managers under the SMCR (again, provided that the individual is informed at the time the question is asked that, by virtue of the Rehabilitation Order, spent convictions are to be disclosed).
However, under the SMCR, firms cannot carry out criminal record checks regarding spent convictions for “certified persons”. Certified persons are not approved by the FCA but are certified annually by their firm as “fit and proper” to perform their roles. Therefore, firms cannot benefit from the exemption for persons requiring FCA approval under the Rehabilitation Order.
Certified persons are not senior managers but are individuals who could cause significant harm to the firm or customers. They can include, for example, team managers, dealers, traders, investment decision-makers, and customer advisers.
A number of persons that would have needed approval by the FCA to carry out certain controlled functions under the APR (e.g., traders, managers, or investment advisers who carry out significant influence functions or customer-dealing functions) will instead be classified as certified persons and only need certification from the firm under the SMCR. The extent of the criminal record checks that can, at present, be carried out in respect of those persons under the APR will be restricted under the SMCR, given that firms will no longer be able to rely on the Rehabilitation Order exemption for those persons.
This is a significant departure from current practice and previous FSA guidance for persons performing controlled functions under the APR who will instead be certified persons under the SMCR. For roles that require FCA approval under the APR, but which will require only the firm’s certification under the SMCR as certified persons, there is less that a firm can do to satisfy themselves that there are no issues that would call into question a prospective certified person’s fitness and propriety. This has caused some concern amongst those firms already subject to the SMCR, as it is felt this limits the firm’s ability to carry out a full and transparent assessment of fitness and propriety. However, firms can still conduct basic criminal record checks into unspent convictions and should obtain representations or attestations from the prospective certified person.
At present, the FCA has not announced any plans to address the gap between the SMCR and the APR with respect to the eligibility of the certified population for standard background checks.
However, the FCA announced on 26 February 2018 that it will consult on proposals for certified persons to appear on the FS Register. As the FS Register only includes persons who are approved by the FCA or PRA, persons appearing on the register as approved persons under the current APR will not appear on the register if they become certified persons under the SMCR. It is felt by many that this leaves a considerable gap, and the FCA has received substantial feedback on the public value of it maintaining a central public record of certified persons. Depending on the outcome of this consultation, it could indicate a shift towards certified persons being subject to other standards equivalent to those that apply to senior managers and approved persons under the APR, such as in relation to the level of criminal checks.
The SMCR could apply to an overseas-based person performing a senior management function for a UK firm and certain persons based in the UK branch of an overseas firm. Persons located in overseas branches of UK firms categorised as material risk-takers or who deal with UK clients may also need to be certified under the SMCR.
Firms with senior managers or other individuals for which they would like to obtain criminal records checks may have difficulty in assessing fitness and propriety where those individuals are based in countries where local laws do not permit the same level of criminal record checks as permitted in the United Kingdom.
Obtaining criminal records of applicants and employees constitutes the processing of sensitive personal data under the current Data Protection Act 1998 and will also be deemed to be personal data under the EU General Data Protection Regulation 2016/679 (GDPR).
Under the current draft of the new UK Data Protection Bill, criminal records data is a “special category” of personal data (although it is not under the GDPR). The processing of such sensitive personal data or special category of personal data is subject to stricter requirements and is only permitted where certain conditions are satisfied. Firms should be aware of the data privacy implications of seeking information about the criminal records of applicants and employees and, if obtained, firms should seek to protect this data in accordance with the GDPR and other UK Data Protection laws.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: