Gary Storer is Founder and Managing Director of Enterprise Learning, a leading and award-winning regulatory consultancy focused on the people element of compliance and regulatory risk management within financial services. He founded Enterprise Learning in 2002 after a career in people change and organisation transformation, mostly in regulated financial services organisations, including senior roles at Legal & General, Gartmore Investment Management and NatWest, as well as an early tenure as Managing Consultant in KPMG’s Financial Services Practice.

HK:  Gary, can you explain what the Senior Managers and Certification Regime is, and what it means for senior professionals at financial institutions?

GS:  Over the last ten years or so, since the financial crisis, there has been a growing desire to hold senior leaders to account for the conduct or misconduct of their organisations, whether these are charities, audit firms, or the media. Obviously, one of the focal points has been financial services. In my view, the SMCR is the most important new regulatory regime since 2002, when the FSA was first set up, because it’s all about personal accountability. Eventually, by the end of 2020, every single person in financial services will have a personal obligation to contribute to the good conduct of the organisation that employs them. It’s a sea change in regulation.

HK:  The difference being that it was previously more about the organisation having accountability for conduct issues than employees?

GS:  The Approved Persons Regime gave accountability to some senior managers and some specialists, but the burden of proof that a regulator had to meet, in order to prove that somebody had been negligent, was very high. The crisis showed us that there was an issue with that, in that very few people actually ended up being fined or banned from the industry, despite the litany of conduct issues exposed.

HK:  What are the key conduct rules that underpin the new regime?

GS:  There’s a personal obligation to adhere to five key rules for Senior Managers, and also those who fall under the Certification side of the regime. The only people who are excluded are those in functions such as corporate services, facilities and so on. Everybody in the industry will have a personal obligation to comply with the five conduct rules, just as a lawyer or a doctor might adhere to a code of conduct in their industries. Then, for people in Senior Manager roles, there are four additional conduct rules that are relevant to managing the organisation.

HK:  It sounds like it has been kept fairly simple and formulaic on the surface, but interpreting these, then demonstrating and documenting compliance, could be quite complex, especially for large firms. Is that correct?

GS:  Comparing it to the old Approved Person regime, the most important thing that impacts on senior people is what’s called the new ‘Duty of Responsibility’. Whilst under the old regime, regulators would try to hold people accountable but would only be able to do so in cases of demonstrable negligence or criminality, under the new regime, what the regulator needs to prove is that the individuals have not taken ‘reasonable steps’ to do their jobs properly. It lowers the bar when it comes to proving accountability.

HK:  It’s already in place across banking and large insurers, and it will soon be rolled out across the whole of financial services. What kind of things can those organisations learn from the experience that the banks have gained in recent years?

GS:  A great deal, is the short answer, although there are probably two really key lessons from the banks’ experience and that of big insurers under the Senior Insurance Managers Regime. The first is just the operational burden: the banks had to set up a lot of operations to deal with annual certification of thousands of people. No longer will the regulator do the screening of individuals who are, in the old language, Approved Persons. It’s down to the firms. Secondly, banks have also told me that they underestimated the cultural and behavioural challenge in helping people to really understand and accept their new obligations. People in financial businesses are taking on a new level of accountability for their actions, and have to assimilate that into their daily work.

HKThere generally aren’t enough hours in the day as it stands, let alone factoring in another large chunk of activity, the validity of which some people might initially be inclined to question in the first place. I can see where the challenge would arise.

GS:  The trick is to implement the SMCR so that it doesn’t become an operational challenge. What you don’t want to do is tie Senior Managers up in bureaucracy, but you do need them to think, if this decision is being looked at by regulators in future, is it clear why we’ve made it? And were we taking into account the various risks that we are running, and risks to the customer, and has this been demonstrated?

HKWhat kind of penalties are being talked about? Are there clear guidelines on that?

GS:  There are a lot of examples of what the regulator would see as a breach of the rules. In terms of penalties, it’s probably too early to say yet, because there aren’t that many examples of people being held to account, but the regulator can now both fine and ban individuals from the industry.

HKWhat has the banking industry’s response been like to the Senior Managers Regime?

GS:  I think they are taking it seriously. It has been a bit of a wake-up call because the relationship between Senior Managers and the control functions has changed. A lot of new governance frameworks have been set up and Senior Managers have had to change the way the way they think. Interestingly, one of the things I have heard is that it has also changed the way that they work with each other at board-level. Individual directors now need to work quite hard not to be too divisive in board meetings, whilst protecting their own obligations and accountabilities. It would be easy to allow a culture to develop whereby everyone protected their own areas of accountability and didn’t really collaborate; I’ve seen examples of this, and I’ve talked to Senior Managers who have noticed that that was happening and taken action.

HKIt sounds as though it will fall to HR and compliance to work with Senior Managers to help them understand their responsibilities. What should HR and compliance teams at asset managers and other firms be thinking about at this stage?

GS:  I certainly see HR teams getting more involved in regulation and risk management than they previously had, driven by the new regime. HR and recruitment teams are now very clear about the accountabilities and obligations of the people they are hiring, for example, and are working with compliance and Senior Managers to ensure that onboarding processes for new joiners are thorough. Each Senior Manager is required to sign a statement covering their personal obligations, and the regulator expects a due diligence and a handover process to ensure that those people know what they’re taking on. Often, that’s coordinated by HR and compliance. Additionally, under the new regime, if there’s ever a breach, that has to be reported through regulatory referencing, which is another operational challenge for the HR function.

HKTo what extent is this on the board agenda as a strategic or operational issue?

GS:  A Senior Manager, not HR or compliance, needs to hold accountability for how the regime is running, and that can be the CEO, or it can be one of the board directors. That’s one of the SMF accountabilities. Generally, accountability, as in how Senior Managers make decisions, and whether they are taking reasonable steps to protect customers as well as the organisation, is definitely something I am seeing discussed at the senior level. When a new initiative is proposed, or a strategic decision is made, people are asking more questions than they have done previously. Interestingly, it’s forcing the discussions that perhaps haven’t been held in the past.

HKHow is it all being administered? Is technology playing a role?

GS:  There are systems out there now which take over from the point that an applicant applies for a role, that will do a lot of the referencing and screening prior to the recruitment process getting underway. HR teams are still struggling a little bit to weld the requirements of SMCR into some of the generic performance management systems that they use, and that has been a challenge, given the specificity of some of the requirements. I think the smart way of maintaining and monitoring compliance that we’ve seen in some organisations is to try and build those controls into normal day-to-day processes.

HK:  The next question must be how to turn compliance with the Senior Managers Regime into a competitive advantage.

GS:  Many firms have realised that by having an adequate risk framework in place, at the very least you can avoid the consequences of misconduct, such as fines from the regulator, or management distracted from their work by having to fix things that have gone wrong. There is real evidence that if firms have not just adequate, but robust, thorough and thoughtful risk management frameworks in place, they will be allowed to take more risk by regulators, and can move into different areas of business or even different parts of the world. Conversely, weak risk frameworks in this ‘post-crash era’ make regulators more reticent to extend permissions.

HKYou can see that being impactful at smaller businesses. Large groups that are already globally active are going to take this in their stride, but smaller groups that are looking to grow could make forward-thinking compliance with the regime a strategic advantage. A facilitator of growth, instead of the opposite.

GS:  On the other hand, some firms have become a bit too risk-averse. I spend quite a lot of my time as a consultant and coach helping Senior Managers understand that a ‘reasonable steps’ defence is about reasonable steps – it’s not about jumping over a very high burden of proof.

HKOr having to spend an excessive amount of money on covering every single base.

GS:  Absolutely – in fact, where things are working well and risk management is being integrated into the day-to-day business, the cost of risk and controls actually falls. Eventually we might see a premium from the regime if it becomes truly embedded.

HK:  From a search and selection perspective, the impact we’ve seen is that when hiring for banks, a lot of supporting documentation is provided on the precise areas that a certain Senior Manager is going to be responsible for looking after, the entities that they’ll have responsibility for covering and the reasons why, adding several pages to the job description in some cases. You can tell when an organisation has been taking this seriously because that documentation is thorough and it’s a step forward from what we’ve seen in the past.

GS:  And conversely, I’m hearing from HR contacts that when candidates are applying, they are asking challenging questions about the role that they are taking on, the obligations and responsibilities involved, and how the organisation works. Even in sectors where the SMCR isn’t yet in force, applicants for what will be Senior Manager roles are looking hard at what they’re taking on, and at how ready the hiring organisation is to support them in their duties.

HK:  One thing we’re not clear on yet is the remuneration impact of SMCR, as in what additional compensation it might take to get people into Senior Manager roles in future. When cases come to light and the FCA starts penalising people, I suspect we will see higher expectations.

GS:  Yes, I’m sure that will happen. I’ve been party to one situation where the head of HR for an insurance firm felt very strongly that taking on accountability for risk management was part of the existing day job, and the obligation to do that hadn’t changed from pre-SMCR to post-SMCR. That said, where Senior Managers become more careful about what they’re going to take on and which organisations they’ll work with, one of the ways that might be mitigated could be through more interesting compensation structures.

HKCompensation is always an interesting topic in financial services, particularly given some of the Senior Managers most impacted by the new regime, and possibly with most at stake, will be those in senior commercial functions. They will be heavily incentivised salespeople and business leaders whose activities will be closely monitored. You might be forgiven for thinking those people would be inclined to be cooperative with the regime, to protect their positions.

GS:  That’s where the biggest challenges are: senior management teams will now pay more attention than previously to where a business’s profits are coming from. I’m seeing NEDs in particular being quite challenging about revenue numbers that are coming in if they are far in excess of expectation. Additionally, the individuals in sales and other commercial roles themselves will also need to look at how they are generating their income, and whether their methods will now pass the litmus test of external scrutiny. Chasing profit will eventually be noticed by the regulators and by Senior Managers, and challenged. It’s about embedding this mindset into commercial processes – structuring, marketing, sales, trading – and the fact that those functions have been separate in the past will make that difficult.

HK:  It’s quite good to hear that the regime empowers NEDs and other Senior Managers to ask the difficult questions of an organisation’s most profitable staff members; questions that might not be welcome, but could save us over time from another financial crisis. Setting aside the positives, do you think there are any ‘blind spots’ with the SMCR that might cause problems?

GS:  The regulator’s view tends to be that the way an organisation’s culture can and will change and improve is ‘top-down’. Their view is that Senior Managers’ behaviour shapes the culture of an organisation. I believe that ‘culture’ is a lot more complex than that, and I’m not sure that the Senior Managers Regime fully recognises the way that organisations work. You might have a large organisation with a number of different cultures from one division to another, so Senior Managers will have to work quite hard to make sure that they understand where all the risks are, especially in dynamic environments. External specialist firms – auditors, consultants and so on – may get close to the more esoteric areas and provide useful advice, but I’m not sure the new regime will be able to cover everything. The other danger is that senior managers themselves come to rely on a bureaucratic incarnation of management reporting, which provides false comfort through box-ticking. To combat this, Senior Managers will need to go the extra mile when it comes to understanding where the risks are in the organisation; this networking and questioning on one’s own account will be at least as important as adhering to the formal governance structures put in place. Compliance departments will facilitate this as well, as long as they can position themselves to do so. In the course of your search activity, are you seeing a change in the required skills and characteristics of risk and compliance specialists?

HKYes, the profile of the chief compliance officer, and the chief risk officer, is moving in the direction of that of the general counsel, so a sort of consigliere, or trusted adviser, to the business. Controls are such a key component of the current business conversation that it’s become essential that they do, and where firms don’t feel they have the right level of advisory capability in those roles, they are taking action. It’s an issue in some cases, because the advisory skill set doesn’t come naturally to everyone. The controls functions generally are working on this through leadership assessment and development, but I get the sense that there is still a way to go. There are time constraints on training versus business as usual, there are budgetary issues that constrain remuneration, and there’s generally an issue relating to the size of the existing talent pool.

GS:  You’re right to raise the issue of leadership development. It has been neglected somewhat in controls functions, and the SMCR is now driving an increased focus on formal leadership development. I’m doing some work with Ashridge Business School to launch a new programme there, focused on leadership in regulated environments, which is getting quite a bit of attention. We are also seeing a lot more focus on coaching and individual support to help leaders deal with the challenges and dilemmas that they face day to day.

HKWhat about the Certification regime? The good thing about that seems to be that it catches people early, in terms of their careers, and should embed an accountability for behaviour at this level that previous generations might have lacked as they developed in the industry.

GS:  I think that’s absolutely right. I suspect that if the SMCR beds in and companies get it right, then just as in hospitals or law firms where you find people are very conscious of their personal responsibilities, we’ll find that in financial services, and that will percolate through successive generations of leadership. That’s the long-term goal of the regime, and it’s a noble one.

HK:  Let’s not forget to discuss activities outside the UK. In a global marketplace, the success of the SMCR will rely on not only the UK having a regime based on personal accountability, but also other parts of the world as well. Are other countries following in the UK’s footsteps?

GS:  Yes, a personal accountability regime is on the way in Australia, and the US has always had a much stronger focus on individual accountability. I think the approach that’s been taken in the US is quite extreme, so you see financiers frequently doing the ‘perp walk’ in New York, which we’ve only rarely, if ever, seen over here. It will be interesting to see whether the SMCR goes down that route and makes things more punitive – the next couple of years will be telling. We’re also seeing similar accountability regimes in the Middle East, for example, as those countries try to persuade banks and insurers to base themselves over there. The focus on conduct, misconduct, and the accountability of individuals for what their organisations do, is a phenomenon that we are seeing across the world in lots of different sectors, and especially in financial services, which is a truly global industry.

HK:  It’s a positive development, on the whole. Thank you very much Gary, this has been interesting.