Introduction to SMCR for FCA-regulated firms

What is the Senior Managers and Certification Regime (SMCR)?

The Senior Managers and Certification Regime is intended to strengthen market integrity and reduce harm to consumers by holding people to account. As discussed below, the number of financial service firms to which SMCR applies has been expanded in recent years. The aims of this expansion are to regulate individuals working in financial services by encouraging staff to take responsibility, and to make sure they understand where responsibility lies within their organisation.

Whilst it has applied to the banking sector since 2016, the number of firms governed by SMCR has expanded in recent years. As of late 2019, SMCR applies to all solo-regulated firms (i.e. those regulated by just the FCA). For firms within the scope of the regime, the precise nature of the obligations that fall on individual members of staff varies according to the nature of their role.

What do staff need to do about SMCR? 

All staff, with the exception of ancillary staff (such as cleaners, caterers and security personnel), must understand and follow the five Individual Conduct Rules. These include the obligation to act with integrity, as well as the requirement to act with due skill, care and diligence.

In addition to the Individual Conduct Rules, Senior Managers are governed by an additional four rules, including the obligation to take reasonable steps to ensure that the business of the firm for which they are responsible is controlled effectively. A Senior Manager (e.g. an Executive Director or Money Laundering Reporting Officer) is subjected to a fitness and propriety test, and must obtain FCA approval to perform their role, as they are potentially capable of causing the most harm to both their consumers and the market. 

The final SMCR staff category is Certified Persons (e.g. someone who performs a client dealing function, such as investment managers). As with Senior Managers, Certified Persons are also subject to a fitness and propriety check. However, unlike Senior Managers, Certified Persons are not subject to the Senior Manager Conduct Rules, and need not obtain FCA approval to perform their role. Instead, the assessment is internal, with certificates issued and renewed annually (where appropriate). 

How are firms coping with the new FCA conduct rules? 

As mentioned above, the regime was expanded to include many more firms in late 2019. The deadline for solo-regulated firms to complete their first assessment was originally set for December 2020. However, whilst the SMCR rules themselves were not altered, the FCA did extend this implementation period in light of Covid-19. As of the new March 2021 deadline, those temporary allowances have come to an end, and the application of SMCR to solo-regulated firms is currently in full force. 

Notwithstanding the extension, a “Dear CEO” letter from May 2021 underlined the weight the FCA is putting on SMCR compliance. Whilst the letter was principally intended to address failings in firms’ AML processes, firms were also reminded of their SMCR obligations:  

SMCR … places a responsibility on all senior management to counter the risk that their firm might be used to further financial crime. Particular responsibility lies with those SMCR roles holding responsibility for financial crime, including Senior Manager Function (SMF) 17 (Money Laundering Reporting Officer).

This reminder, in a letter which did not have an obvious connection to SMCR, shows that this regime is not being viewed as a simple ‘tick-box’ exercise by the FCA. It is aimed at encouraging all staff, especially Senior Managers, to take responsibility for their actions. Should firms fail to take heed, it is clear that the FCA will scrutinise Senior Managers themselves, and “consider carefully whether the relevant SMF holders have carried out their responsibilities appropriately”. 

How can VinciWorks help with FCA and SMCR compliance?

VinciWorks will soon be releasing its own SMCR training course, which will include training on the Individual and Senior Manager Conduct Rules amongst other topics. In addition to the training course, VinciWorks has already launched its own FCA Compliance Suite in Omnitrack, our data collection and reporting tool. The SMCR module can help you stay compliant in a number of ways: 

  • Customisation: With different requirements, depending on a firm’s size and complexity, it can be hard to find a solution which meets your needs. We can work with you to adapt the SMCR workflow, to ensure your staff are only asked relevant questions.
  • Courses integration: Omnitrack will be able to extract information from our SMCR course, which can then be used by compliance staff as part of an annual review. 
  • Reporting: Assess Certified Persons’ fitness and propriety and generate certificates for them. Prepare and store FCA applications in the portal for Senior Managers, using the ‘file upload’ feature to store documents such as regulatory references. 
  • Reminder function: Ensure processes such as issuing certificates are reviewed as needed.

The Omnitrack SMCR module, which is part of our FCA Compliance Suite, can be:

  • integrated with our SMCR course; or  
  • used as a standalone product to supplement your own training process. 

Contact us now to learn more or book a demo.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James

VinciWorks CEO, VinciWorks
