We have watched with interest as many of our Financial Services clients have been busy rearranging organisational structures, defining and refining role definitions, clarifying and assigning responsibilities to those in Senior Management Functions (SMFs). These individuals are now personally responsible (and liable) for key aspects of compliance in the firm that they work for. Many Heads of Compliance or HR are now sitting back with a sigh of relief having met the December deadline. However, the question is whether they have actually delivered what the FCA is looking for. Can they demonstrate a culture of responsible risk management for the long term? More importantly, do they have processes in place to protect these individuals should a breach of SMCR occur?
The thing is, assigning roles and responsibilities on a spreadsheet by a deadline does not deliver culture change on its own. Certainly, culture change takes time and requires embedding. This means that for many firms significant work is yet to come and should be ongoing during 2020. Therefore, phase one of the process was assigning responsibilities; phases two and three are embedding the process and turning it into business as usual. Critically, firms should be asking these key questions: How will the annual conduct and certification process be managed? What happens when the incumbent compliance officer or key SMFs move on? Can we transfer responsibilities reliably? What about breach management and new starters? All of these aspects of SMCR need to be wrapped into a consistent and reliably managed process for the long term that is not dependent on one spreadsheet or one individual.
Perhaps you are someone who now holds Senior Management Responsibilities in the eyes of the FCA? So you are personally liable for any breaches. Is your firm providing you with the systems and processes that will protect you should a breach happen on your watch? Alternatively, imagine being hauled in by the FCA for a breach that happened after you left the business. Only, the spreadsheet hasn’t been updated. Therefore, you have no reliable audit trail to protect you.
It is a commonly held adage that we pass our driving test then we learn how to drive. Solo-regulated Financial Services Firms may have got their ducks in a row to pass the first SMCR deadline, but the real test is what processes and systems have been put in place to embed the ethos of SMCR in the long term. Above all, will this protect the individuals who are personally holding the can?
Certainly, if I held an SMF within a financial services firm under the new SMCR regime, I would be actively asking what processes are in place to protect me as an individual. A long-term spreadsheet approach wouldn’t help me sleep at night; the question is whether it is enough for you?
Join the Actus Comply free webinar to understand how a software solution can provide affordable assurance to those holding SMF roles in your firm.