Senior Managers and Certification Regime (SM&CR) soon to be enforced in all FCA regulated firms – Are you ready?

The Senior Managers and Certification Regime (SM&CR), the new regulatory structure introduced by the FCA, has applied to the banking sector since March 2016 and will be extended to all 47,000 other FCA solo-regulated firms on 9 December 2019. Firms and individuals will need to make a major transition from the existing Approved Persons Regime (APR) to the new SM&CR.

What is the SM&CR?

The SM&CR applies to all firms that are solely regulated by the FCA (and to dual-regulated insurers), to all banks operating in the UK and to the largest investment firms regulated by the PRA and FCA. It is a set of rules that requires firms to identify the staff who bear ultimate responsibility for misconduct. The SM&CR is made up of three main sections:

  1. Senior Managers Regime – Including which roles require senior management functions, and statements of responsibility for accountability.
  2. Certification Regime – Including all employees whose role means it’s possible for them to cause significant harm to the firm or customers.
  3. Conduct Rules – Including high-level standards of behaviour that apply to almost everyone regulated by the FCA.

What is the implementation timeline?

While the FCA has confirmed a one-year transition period for some aspects of the SM&CR, the arrangements for senior managers and certification staff must be in place by 9 December 2019. The Conduct Rules will apply from that date to all senior managers and certified staff members.

The near-final rules were published back in July 2018, and other than a few minor Handbook changes as a result of Brexit, it is unlikely substantial amendments will be made. Therefore, firms already need to begin preparing their implementation plans.

How can I prepare?

Senior Managers and Certification Staff must be identified and trained by 9 December 2019, and the Conduct Rules will apply to them from that date. While firms will have a further 12-month transitional period to complete the certification process for existing Certified Staff and to train other staff on the Conduct Rules, it is advisable to ensure you are prepared, as from 9 December 2020 the Conduct Rules will apply to all staff in addition to Senior Managers and Certification Staff.

Most firms will have a heavy training and HR task ahead of them to ensure all staff are familiar with the Conduct Rules that apply to them.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.