The Conduct Rules and regulatory references are aimed at increasing individual accountability, which is at the heart of the Senior Managers and Certification Regime (SMCR). They have also become the subject of increased supervisory focus due to the practical post-implementation problems they have caused. Below we provide a reminder of the key requirements related to Conduct Rules breach reporting and the provision of regulatory references. We also highlight some of the practical challenges that financial institutions have encountered in these areas.
Conduct Rules reporting requirements [i]
Firms subject to the SMCR are required to identify, assess, and report breaches of the Conduct Rules by individuals who are in scope of the rules.
- Conduct Rules training: All employees subject to the Conduct Rules need to receive training on how the rules apply to them and their roles specifically. There is no definitive regulatory guidance that states what constitutes a breach of the Conduct Rules, so each firm must make its own determination of what activities they would consider a breach of the rules and this needs to be clearly communicated to staff. Training should be tailored to specific roles, providing examples of breaches of specific Conduct Rules. Areas of focus should be where the risk of harm is high or where the role requires comprehensive knowledge of specific aspects of regulation or customer treatment.
- Senior Manager Conduct breach notifications: Where a Senior Manager Function (SMF) holder breaches the Conduct Rules, firms must notify the relevant UK regulator within seven business days of concluding disciplinary action. Disciplinary action is defined as the issuing of a formal written warning, the suspension or dismissal of that person or the reduction or recovery of any of such person’s remuneration.
- Annual reporting of Conduct Rules staff breaches: Firms are required to make an annual report notifying the regulators of all disciplinary action taken against Certified staff and other Conduct Rules staff (other than SMFs) resulting from a breach of the Conduct Rules. Most firms will be required to report every October, reporting on the preceding 12 months to the end of August.
In the notification form, firms are required to include the details of the disciplinary sanctions taken, the Conduct Rule that has been breached and identify the individual.
- Mandatory Reporting: Reporting is mandatory for all firms subject to SMCR. Even where there are no breaches, firms must still submit a ‘nil return’. This is to ensure that firms correctly identify and monitor Conduct Rule breaches.
- General disclosure requirements: Firms will also need to adhere to general regulatory obligations to appropriately disclose anything of which the regulators would reasonably expect notice. This may include reporting significant breaches of the Conduct Rules ahead of the annual report. The reporting of Conduct Rule breaches does not replace this obligation, and so for example where a breach was significant the regulator would expect to be informed quickly, not for the firm to wait until the annual return.
- Ongoing monitoring: Firms should ensure ongoing monitoring of Conduct Rules breaches in order to ensure consistency of approach to assessing compliance with the regulators’ Code of Conduct and fitness and propriety requirements.
Regulatory reference requirements[ii]
Regulatory references were introduced to stop the repeat of historical examples of ‘bad apples’ (i.e. individuals with poor conduct records) moving to new firms before being investigated or subject to disciplinary action. These references now form part of the assessments of potential SMF, Certified and NED candidates and will help firms make better-informed decisions about a candidate’s fitness and propriety. These are some of the key regulatory reference requirements:
- Six years: Firms subject to the SMCR are required to request a regulatory reference from SMF, Certification and non-approved non-executive director (NED) candidates’ previous employers, covering the past six years. Firms must also provide regulatory references as soon as reasonably practicable when they receive a request from another regulated firm.
- Prescribed form: The regulators prescribe the form which the regulatory reference must take, and firms must include in it the details of any disciplinary action taken against an individual who has breached the Conduct Rules or has been assessed as not fit and proper to perform a function.
- Other relevant information: Firms have an obligation to disclose any other information relevant to the assessment of fitness and propriety (e.g. the number of complaints upheld) for the six years prior to the reference request, unless it relates to serious misconduct, in which case there is no time limitation. Firms will need to use their judgement when considering what is relevant, on a case-by-case basis.
- Records retention: Firms must retain records of disciplinary and fit and proper findings going back at least six years.
- Updates to regulatory reference: Firms have an obligation to update (and re-issue) regulatory references where new, significant information comes to light after an employee has left the firm. Firms should ensure that their employees are informed about the requirement to update regulatory references.
- Non-disclosure agreements: Firms are not permitted to enter into agreements that conflict with their disclosure obligations (e.g. non-disclosure agreements).
Practical insights into Conduct Rules breaches
Firms continue to adopt a variety of approaches to identifying and monitoring breaches of the Conduct Rules. There is no ‘one size fits all’ in this matter. Below we provide some examples of the practical challenges some firms have faced:
- Defining a breach: Firms have to be clear as to how the Conduct Rules apply and what behaviour would constitute a breach of the rules. Our experience shows that firms may have taken different approaches to similar misconduct depending on their risk appetite. Consistency in application is important, and providing examples of actual or potential breaches can help with training. Firms should also consider how a Conduct Rules breach should be identified, for example, through whistleblowing, risk management processes or monitoring and oversight activities.
- Embedding breach assessment into existing processes: Firms should embed the Conduct Rules breach assessment process into existing HR disciplinary processes, including disclosure to staff and rights to appeal against a decision to take disciplinary action. Some firms have introduced panels/committees which systematically review potential breaches. This ensures consistency of approach in relation to these assessments and also helps to capture any emerging trends which can be fed into training and monitoring.
- Annual return governance: Firms should establish robust governance processes to discuss, challenge and validate the annual report of disciplinary action and breaches of the Conduct Rules. Clearly identifying accountability for both oversight and execution should be a priority.
Practical insights into regulatory references
Below we provide an overview of some of the contentious issues for firms providing or requesting such references:
- Potential misconduct after leaving a firm: Certain issues may arise if new information comes to light regarding potential misconduct of an individual who has left the firm and has not been given a chance to challenge the allegation. Firms are not under a duty to conclude investigations in these circumstances, but it would be good practice to do so. Firms should ensure they have appropriate policies and processes in place to determine the appropriateness of information to be included in a regulatory reference. This will reduce the need for difficult judgements to be made by management, HR and Compliance as to how to update such a reference.
- Settlement agreements and regulatory reference policy: The regulatory reference requirements may also impact on a firm’s termination and settlement agreements and may require amendments to employment contracts and disciplinary procedures. This is because the rules preclude a firm from entering into agreements with any person that limit its ability to disclose information. It may be beneficial for firms to adopt a regulatory reference policy which would coordinate inputs from management, HR and Compliance. Such a policy would enable consistent use of regulatory references across the firm.
- Timing: From a practical point of view, it is sensible and increasingly good practice to prepare a regulatory reference as soon as an employee leaves a firm instead of producing it only upon request of another firm. As time goes on, it can become increasingly difficult to ‘dig out’ the necessary information pertaining to an individual’s fitness and propriety.
- Banking Standards Board (“BSB”) good practice guidance: In order to provide some clarification and further guidance on regulatory references, BSB has issued good practice guidance which is intended to help firms implement the regulatory requirements effectively and to a high standard. The BSB proposed a set of three high-level principles (i.e. fairness, consistency and proportionality) to help firms navigate their considerations around regulatory references.
For further information on the SMCR or how the team can support, please do not hesitate to reach out to one of the contacts below for further insights or support.
- Cindy Chan, Partner, Risk Advisory
- Nikki Lovejoy, Partner, Risk Advisory
- David Clements, Partner, Risk Advisory
- Lyndsey Fallon, Partner, Audit and Assurance
- Dominic Graham, Director, Risk Advisory
- Julia Fachon, Director, Risk Advisory
It is important that regulatory measures such as the Senior Managers Regime are rooted in clearly understood and applied basic principles and objectives. The basic principle of the Senior Managers Regime is that of responsibility and accountability. A senior manager has to take responsibility for the activities under their control. Likewise, they should be accountable for that responsibility. These concepts – responsibility and accountability – are disarmingly simple and direct. But such things tend to be the most powerful.