COVID-19: Changes to the UK’s SMCR Framework
COVID-19 has presented governments globally with immense policy challenges, as they try to balance the health implications with the need to mitigate the economic downside.
Alongside Central Bank cuts in interest rates and extending unlimited liquidity to banks, regulators have also been assessing how they can help financial institutions operationally to enable them to support their customers. As well as encouraging institutions to provide payment pauses and mortgage holidays for example, some regulators are exploring how best to adapt their regulatory framework to support the operational reality of banks being run from living room sofas.
In the UK, the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) recently provided guidance about their expectations during the pandemic as to how institutions should manage their compliance with the UK’s Senior Managers and Certification Regime (SMCR). This the governance framework used to monitor the conduct of senior managers in UK banks, insurers and asset managers.
Central to SMCR is the distribution of core responsibilities – Senior Management Functions (SMFs) – to nominated individuals. The announcement relaxes, temporarily, the need to get approval from the regulators within the normal 12 weeks to reallocate SMF responsibility to existing SMF owners, if needs be, for whatever reason.
This reflects the difficulties of working from home, of sickness amongst staff, as well as the need to educate, train, and document the new SMF holder of their responsibilities.
Sending institutions a strong signal
Where this is not a practical option, the FCA and PRA are permitting staff who do not hold SMFs to take on responsibility for certain SMFs, without an approved ‘Statement of Responsibilities’ being in place. This is a significant departure, because it allows unapproved individuals to take on regulated activities, which is a key cornerstone of SMCR. It sends a strong signal to all UK institutions that regulators, alongside Central Banks, expect them to play their part in keeping the economy functioning now and during the recovery.
However, as the announcement takes pains to point out, institutions cannot not relax the requirements for proper documentation, responsibility maps, role profiles and so on, that are a key element of SMCR. And herein lies the challenge, especially for smaller institutions covered by SMCR.
While larger institutions may have more responsibilities under SMCR, they also have more resources and staff to focus on the issues if affects. In contrast, smaller institutions may have fewer SMF staff to re-allocate more roles to, and may be more likely to promote non-SMF staff as necessary. While the SMCR documentary process, and the underlying policy and compliance processes, will all be well defined, the process for efficiently distributing SMCR documents, reviewing them, monitoring them and ultimately auditing them may be more difficult during and after the disruption caused by the pandemic.
A challenge for small institutions
Smaller institutions may lack the automated policy and compliance systems and processes to manage the SMCR policy and compliance review, management, audit and reporting processes. Manually managing, maintaining and auditing multiple SMCR documents on a file share in the office may work. Trying to do this while everyone involved works from home could be very challenging, especially when the PRA or FCA come to review the documentation, systems and processes.
As well as causing a potential SMCR breach, it may produce an issue under the Operational Resilience (OpRes) regime. The impact of manual interventions in core business processes, under remote working during the pandemic, will likely come under close scrutiny as OpRes develops further. Companies will likely need to invest accordingly.