If there were a major cyber security breach at your company, what would happen? Chances are it would be very difficult to pinpoint the exact person or people responsible, meaning those involved could potentially get off lightly.
Now, what if the responsibility of any wrongdoing wasn’t placed on your firm but lay solely on senior managers? Suddenly it’s a whole different ball game. The Senior Managers and Certification Regime (SMCR) has created a real culture of fear within the financial services industry – and rightly so. We’re not just talking a slap on the wrist; concerns include a hefty fine at best and potentially imprisonment in the worst-case scenario.
By now, anyone working within the sector will already be well aware of the extended SMCR regulations coming into force from 9 December 2019. But the question is: are you really prepared for them?
Why was the regime introduced?
When years of irresponsible lending by banks came to a head in the great financial crisis of 2008, an opaque and bureaucratic system meant people were able to easily hide behind others. As a result, regulators struggled to find the individuals responsible and it was the taxpayers who ended up bailing out the banks.
To help drive governance and accountability within financial services firms, the Financial Conduct Authority (FCA) then introduced the SMCR, which aims to deter misconduct and improve awareness of conduct issues across firms – as well as ensure retail customers are protected.
Banks and the larger regulated insurance firms are already subject to the SMCR. But this will now be extended in December 2019 to cover all other FSMA-authorised firms too, as the FCA seeks to place an even greater emphasis on personal accountability.
For too long, it has been easy to pass the buck or hide behind other individuals. Not anymore. Senior managers must start taking active measures now, to show their firm is acting according to the clients’ best interests, within suitable conduct rules.
Who is most likely to get caught out?
Although other members of staff are subject to the certification part of the regime, it still ultimately goes all the way to the top – and this is where the regulators will come knocking should something go wrong. As such, the prospect of the SMCR is perhaps scarier for large corporations. Would you feel comfortable having ultimate responsibility for the hundreds of employees beneath you who could potentially do something wrong?
However, big organisations will also have a whole team dedicated to ensuring the correct processes are in place and that they are carried out to the letter. But what if you’re a small to medium FCA solo-regulated firm or a one-man IFA? Chances are you’ll have to take on all these responsibilities and do a lot of the work yourself.
Smaller firms often won’t have the knowledge or resources needed to ensure the company’s practices are compliant or to continually monitor processes. But if it’s your neck on the line, then you definitely won’t want to be cutting any corners, so outsourcing can prove invaluable.