Under the Senior Managers and Certification Regime (SM&CR), each Senior Manager must have a Statement of Responsibilities (SoR), detailing those key areas of the business for which (s)he is responsible. If those responsibilities change, a new SoR must be completed. The intention being that the FCA will always be able to identify which individual was responsible, and therefore should potentially be held accountable, at the time of any breach of rules or failure to take ‘reasonable steps’ to prevent the breach situation arising.
At first sight, ‘reasonable steps’ would appear to be a vague and nebulous concept that could be applied in future to criticise an individual using the benefit of hindsight. So, how can Senior Managers be sure they can evidence that they are taking ‘reasonable steps’ to fulfil their regulatory duty to manage, operate and control the areas of business under their responsibility?
In this article we seek to clarify the concept of ‘reasonable steps’ and give some practical suggestions on how Senior Managers should approach this aspect.
Not a new concept
First, it is worth remembering that ‘reasonable steps’ is not a new concept. Under the old approved persons regime, individuals performing Significant Influence Functions (SIFs) were required to take ‘reasonable steps’ to discharge their regulatory obligations.
Mark Steward (the FCA’s Director of Enforcement and Market Oversight), and a member of the FCA’s Executive Committee has described ‘reasonable steps’ as follows:
‘It has been said that a person who takes reasonable steps is one who does not exhibit a negligent or reprehensible state of mind, who is conscientious, exhibiting, through diligence, a keen and watchful eye on his or her field of responsibility, observing, asking questions and so informed and informing, being vigilant, deciding, guiding and monitoring, oversighting, delegating when safe to do so to those who are well-placed, and only acting beyond expertise and experience with competent expert advice. Sounds good. This is not exhaustive and denotes a person not only in terms of qualities – skill and competence – but also in terms of how the person should behave and the behaviour is described with doing words, verbs (these verbs are really the tools of responsibility). In other words, doing nothing, in circumstances where reasonable steps requires something to be done, will not suffice’.
More specifically, ‘reasonable steps’ has been defined as “such steps as a person in their position could reasonably have been expected to take to avoid a misconduct / breach / error occurring or continuing.”
In addition, when SM&CR was at the consultation stage, the intention was that Senior Managers would be presumed to be in breach unless they could prove otherwise. This would have been entirely at odds with the general principle of being innocent until proven guilty and was reversed before implementation. The situation now is that the onus of proving that a Senior Manager did not take reasonable steps lies with the FCA.
Finally, there is a lot of guidance in the rules to assist Senior Managers in understanding ‘reasonable steps’ and how to fulfill their responsibilities. Here are our thoughts.
When agreeing their SoR, Senior Managers should consider documenting the ‘reasonable steps’ that they will need to take to be able to demonstrate that they discharge their duties effectively.
This is because the documenting of (and carrying out of) ‘reasonable steps’ is a line of defence for a Senior Manager against any personal liability in relation to subsequent FCA enquiries / investigations if issues arise in their areas of responsibility, and is also relevant to demonstrating compliance with the Senior Manager Conduct Rules.
Code of Conduct (COCON) 2.2 – states:
- You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively;
- You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system;
- You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
As an industry, we are moving into an era of increased personal accountability and we believe it to be highly probable that there will be an increase in FCA investigations against individuals. It is therefore critical to ensure that Senior Managers are comfortable they can discharge their duties effectively and have the authority and scope to take the necessary ‘reasonable steps’.
How can you protect yourself?
The FCA will, of course, clearly expect to see documentation setting out how individuals are meeting the COCON requirements. As a minimum, the FCA will want to consider the following when assessing whether a Senior Manager is responsible in the event of a breach or issue arising:
- The Senior Manager’s Statement of Responsibilities (and Responsibilities Map where applicable*);
- The Senior Manager’s actual role and responsibilities in the firm; evidence will include items such as meeting minutes, emails, organisational charts etc.;
- The relationship between the Senior Manager’s responsibilities and the responsibilities of other Senior Managers in the firm (including any joint responsibilities);
- The practicalities of how the responsibilities are discharged when compared to the descriptions in the Statements of Responsibility (and, where applicable, the Responsibilities Map*).
* Responsibilities Maps are only required for Enhanced Firms.
These are critical considerations for Senior Managers in identifying clearly what they are and are not responsible for and whether they have the remit and authority to discharge their duties?
The FCA will compare its findings from any investigation with those decisions and actions which it considers would have been taken by a competent Senior Manager in the same position, with the same role and responsibilities, at that time, and in the same circumstances.
Documenting ‘reasonable steps’
The regulatory requirements are likely to evolve over time. There is no best solution, but one approach would be to consider each of the conduct rules in COCON 2.2 and evaluate:
- How and where is my responsibility defined, e.g. organisation chart? job description?
- How comfortable am I in my knowledge of the regulations that apply to my areas of responsibility?
- Are there documented operational systems and controls which clearly demonstrate that the regulatory requirements are being met?
- Is there a risk management process around those systems and controls?
- Are roles and responsibilities in delivering those systems and controls clearly defined and communicated?
- Are the governance arrangements appropriate?
- Is management information available that provides the right information, to the right people at the right time, enabling the right decisions?
- Where is reporting done and is it provided and appropriate?
The appropriate rules
The most relevant rules are listed below and could be compared against the above questions. The rules are detailed in the FCA’s Systems and Controls Handbook:
- Apportionment of Responsibilities SYSC 2.1.1 and SYSC 3.2.2;
- Knowledge of regulatory requirements SYSC 5.1.1;
- Operational processes SYSC 5.1.13;
- Risk management process and controls in place SYSC 3.2.10;
- Delegation to and oversight of staff SYSC 3.2.3, 3.2.13 and 3.2.18;
- Governance arrangements SYSC 4.1.1;
- Reporting received and provided SYSC 3.2.11-3.2.12.
A comparison of the current position against the rules will enable individuals to determine whether remedial work on the current systems and controls is required. It will also help individuals and firms think about delegation of authority and whether firms are willing to give Senior Managers sufficient autonomy to be able to make any necessary changes or decide whether the senior management function would be better allocated to another individual.