evolving expectations of fitness & probity to support an ... · in october 2015, hm treasury...

Evolving expectations of Fitness & Probity to support an Individual Accountability FrameworkBreakfast Briefing 2018

28th August 2018

2

Agenda

Topic Presenter Timing

Introduction Sean Smith 8:00 a.m. – 8:10 a.m.

Keynote speech – Regulatory Expectations

Seána Cunningham, CBI 8:10 a.m. – 8:35 a.m.

Session 2 Pierre-Francois Rodriguez 8:35 a.m. – 8:55 a.m.

Session 3 Laura Wadding 8:55 a.m. – 9:15 a.m.

Session 4 Melissa Scully 9:15 a.m. – 9:35 a.m.

Panel Discussion All 9:35 a.m. – 9:50 a.m.

Close

3

Keynote speech

Seána Cunningham, CBI

4

Individual Accountability – our approach

Seána Cunningham, Director of Enforcement and Anti-Money Laundering

Deloitte 28 August 2018

5

Overview

1. The Fitness and Probity Regime

2. Participation under the Administrative Sanctions Procedure

3. Suggestions for reform

4. Conclusion

6

The Fitness and Probity Regime

7

Participation under the

Administrative Sanctions Procedure

8

Suggestions for reform – the Individual Accountability

Framework

9

Conclusion

10

Agenda



Keynote speech – Regulatory Expectations Seána Cunningham, CBI 8:10 a.m. – 8:35 a.m.





Close

11

Session 2

Pierre-Francois Rodriguez Director, Deloitte UK

UK Senior Managers & Certification Regime

28 August 2018

13

1. Recap on the regime

2. SMCR implementation lessons learnt

3. Questions

Senior Managers & Certification Regime

14

Recap on the regime

15

Senior Managers and Certification RegimeBackground – Increasing individual accountability

• Under SMCR the regulators are seeking to reinforce the concept of individual accountability at the top of firms and for Senior Managers to demonstrate adherence to the conduct rules, including being able to demonstrate that they have taken ‘reasonable steps’ to control their areas of responsibility.

• The regulators have expressed that this expectation is not greatly removed from the current state of affairs, but by increasing the clarity around accountabilities and responsibilities it will focus the minds of those occupying Senior Management Functions.

• SMCR has been in force in banks since 7 March 2016. In October 2015, HM Treasury announced the key features of the banking Senior Managers Regime will be extended across the broader financial services industry from 2018. Insurance firms will transition to the SMCR from 10 December 2018. SMCR will come into force from 9 December 2019 for other financial services firms, including IFAs and brokers.

• The regulators will ensure that the extended regime appropriately reflects the diverse business models operating in the UK market and is proportionate to the size and complexity of firms.

“Six months on and, in a great many cases, firms have made a substantial effort to get this right and embrace the

importance of the key principles underlying the Senior Managers and Certification Regime, namely responsibility

and accountability.“Knowing who is responsible for what is critical for firms

and regulators and we have seen genuine engagement on this from the Board down”

Andrew Bailey, Chief Executive, FCA, September 2016

“If people want to rise to the top of firms, with all the rewards that brings, while ducking proper accountability,

then they are in the wrong sector"

Sam Woods, Deputy Governor, Prudential Regulation,Bank of England and CEO of the PRA, January 2017

16

Focus on Individual

Accountability

Introduces Senior Management Functions with a statutory duty of responsibility.

The Certification regime includes roles which can cause “significant harm to the firm or its customers”.

The Responsibility Map is a requirement to describe how individual accountability is apportioned and how governance operates in a firm.

The Statement of Responsibilities set out the areas of the business that the Senior Manager is responsible and accountable for.

SMCR introduces some changes to processes including enhanced criminal record checks, monitoring conduct breaches and obtaining regulatory references dating back six years for people applying for Senior Manager, Certification and non-approved

NED roles.

Introduces two tiers of Conduct Rules to firms’ regulated and unregulated financial services activities (including any related ancillary activities carried on in connection with a regulated activity).

New roles and duty of responsibility

New Conduct Standards

New documentation

Enhanced processes

Senior Managers and Certification RegimeKey provisions

17

Key provisions

Senior Managers and Certification Regime

Senior Managers Regime

• The most senior people in a firm.• Anyone who performs a Senior Management Function (“SMF”) must be approved by the FCA/PRA.

Senior

Management

Functions

Duty of

responsibility

Statement of

Responsibility

Criminal record

checks

Prescribed

responsibilities

Responsibilities

map

Handover

procedures

Overall

responsibilityApply to large Banks, Solvency II firms, large NDFs and enhanced FCA solo firms only

Certification Regime

• People who aren’t Senior Managers but whose job can cause significant harm to the firm or its customers have to be certified.

• No FCA/PRA approval, but firms need to check and confirm on an annual basis that these people are fit and proper to perform their role.

Other Staff

All staff who perform financial services roles, except ancillary staff (e.g. caterers, cleaners and security staff).

In

div

idu

al

Con

du

ct

Ru

les

Sen

ior M

an

ag

er C

on

du

ct

Ru

les

Fit a

nd

Prop

er r

eq

uir

em

en

ts

(in

clu

din

g r

eg

ula

tory r

efe

ren

ces

In addition the Conduct Rules, the Fit and Proper Requirements and Regulatory references will also apply to all NEDs, even ifthey are not a Senior Manager.

18

Knowledge and understanding

Handover – on starting or leaving a SMF role, take responsibility for understanding all aspects of the business, including key risks in areas where you have individual and collective responsibility.

Regulatory – maintain an awareness of relevant requirements and standards of the regulatory system.

Technical – maintain your technical skills, through continuing professional development.

Market knowledge – understand the broader markets in which the firm operates.

Your firm – receive and review regular updates and reports from your team and maintain a wider understanding of the activity of the firm.

Organise and control

Reporting lines – establish and articulate clear lines of control in your area.

Delegation – ensure any delegations are clearly documented and understood, and continue to oversee and review the performance of delegated responsibilities.

Resource – maintain appropriate resource levels and skillsets, and take steps to manage any resource constraints.

Succession planning – be proactive in identifying talent and planning for the future.

Governance – establish relevant committees, ensure attendees are appropriate and attend.

Review and improve

Reporting – interrogate the information you receive and produce to identify potential improvements.

People – continually assess the competence and capability of your team, identify training needs and deal with poor performance.

Controls – implement, police, review and update appropriate policies, procedures and controls.

Challenge and discussion – encourage a culture of challenge within your team and contribute personally to collective decision making within the firm.

Be proactive – prioritise key risk areas and take pre-emptive actions to prevent breaches occurring.

Resolve and learn

Take action – where potential issues occur take responsibility for ensuring they are resolved.

Support – seek and obtain appropriate expert advice or assurance, whether internal or external.

Escalate – raise issues and follow them up with relevant staff, committees and Boards.

Action plans – document action owners and timeframes and follow through to completion.

Lessons learned – use resolved issues to inform and improve your control frameworks.

Knowledge and understanding

Organise and control

Resolve and learn

Review and improve

Evidence

Reasonable steps

Senior Managers and Certification Regime

19

SMCR implementation lessons learned

20

Lessons learnt

Senior Managers and Certification Regime implementation

On average, it took at least 12 months for banks to implement SMCR, with the following deliverables being the most time consuming:

o Responsibilities maps and role profiles/SoRs;

o Certified population mapping and training; and

o Conduct staff training.

Implementation success factors were:

• Appointment of a Senior Sponsor;

• The implementation project team had sufficient resource dedicated to the project, including from HR, Compliance and Legal;

• Early engagement of the Board and Senior Management;

• Carried out a SMCR gap analysis to identify likely areas of implementation challenges;

• Early design and development of the reasonable steps framework;

• Early training/briefing to impacted staff; and

• Early drafting of the SMCR documentation:

o Management responsibilities map;

o senior managers roles and responsibilities; and

o role profiles – likely to be the longest to implement including the socialisation of the Senior Managers’ responsibilities.

21

Lessons learnt

Senior Managers and Certification Regime implementation

Opportunities Challenges

From our observations supporting Banks with the implementation of SMCR, we have identified a number of opportunities for the firm:

However, depending on the size and complexity of the firm, the implementation of the SMCR has often brought the following challenges:

Population identification

Allocating responsibilities

Responsibility map development

Fit and proper processes

(Certification)

Individual vs. collective

responsibilities

Reasonable steps framework

development

Conduct rules monitoring and breach

reporting

Operational challenges (maintaining records,

monitoring and recording systems)

Review governance arrangements and entities structure

Formalise intra-group arrangements

Increase stand-alone operations of the UK

entities

Re-allocation of role and responsibilities for Senior Managers

Formalise decision making process

Culture change

22

Questions?

23

Agenda








Close

24

Session 3

Laura Wadding Director, Deloitte Ireland

Individual Accountability & Outsourcing Laura Wadding

28 August 2018

Regulatory Landscape

© 2018 Deloitte. All rights reserved 27

Sectoral Rules & Guidance cover certain aspects of individual accountability when outsourcing.

Current Regulatory Landscape

• Fund Management Company Guidance (‘CP86’)

• Oversight of Delegates

• Designated Persons with responsibility for X

• Supervisibility – ability of the regulatory to supervise, including having access to individuals

• CBI ‘Dear CEO’ letter to Fund Administrators

• Responsibility of Board & Senior Management

• Dedicated Oversight Role

• Role of Compliance & Internal Audit (2nd & 3rd lines of defence)

• MiFID

• Supervisibility

• Named individuals in the outsourced service provider

• Solvency II & EIOPA Guidance

• Fitness & Probity of individuals within an outsourced service provider

• Key Decision Making responsibility and evidence

• Designated Persons with overall responsibility for a key function

• A ‘system of governance’

• CEBS Guidance on Outsourcing (2006)

• Retention of adequate core competence at senior management level within the firm – with ability to resume direct control if necessary

“In case of outsourcing of a key function or of outsourcing of a part of a function where this part is regarded as key, the person responsible is considered to be the one who has the oversight over the outsourcing at the undertaking.”EIOPA Guidance on System of Governance


There are several initiatives underway locally and at a European level which are seeking to influence the regulatory landscape when it comes to outsourcing in the financial sector.

Evolving Landscape

• Brexit

• New entrants to the market, expansion of existing entities, extended permissions – influencing CBI views of outsourcing models, substance and accountability.

• Day 2 outcomes will further inform risk appetite within firms.

• European Security Authority Opinion - “Any outsourcing or delegation arrangement from entities authorised in the EU27 to third country entities should be strictly framed and consistently super-vised.”

• EBA Consultation Paper (will apply to banks and MiFID firms)

• Replaces the CEBS Guidance on Outsourcing from 2006

• “Institutions and payment institutions should clearly assign the responsibilities for the documentation and control of outsourcing arrangements.”

• The outsourcing policy “should cover at least the responsibilities of the management body, business lines, internal control functions and other individuals in respect of outsourcing arrangements.”

• The firm “should establish an outsourcing function or designate a senior staff member (e.g. Key Function Holders)”.

• CBI Outsourcing Framework

• Informed by industry surveys and themed inspections.

• Cross-sector view.


Whilst there are some differences between sectoral requirements, there are certain principles that are common OR emerging as common themes across all sectors.

Common Themes

Supervisible

Designated Individuals

Risk Based Decision Making

Retention of Competence

Retention of Adequate Resources System of

Governance

Designated Individuals

Risk Based

Decision Making

Retention of Competence


With increased focus on the fitness and probity of individuals in key senior management positions, in particular within the control functions, firms are looking outside their organisation for short-medium support.

Outsourcing Key Roles

Reasons for Outsourcing Senior Management Roles

• Skills / Knowledge Acquisition• Capacity• Short – Medium term recruitment

difficulties i.e. fill a gap• Provides an Independent View

Challenges• Not a long term solution• Does not absolve the entity of its

obligations• Over-reliance can cause longer

term knowledge deficiency in the business

• Costly

Best Practice• Use a reputable firm with a

track record of performing the role

• Clearly set out role, responsibilities, objectives and regularly assess performance

• Facilitate knowledge transfer in the business (e.g. appoint a deputy / successor)

• Appoint a senior person in the business with responsibility for the outsourced role i.e. a direct reporting line for the delegate, preferably independent from the functional reporting line

Direction of Travel

32© 2018 Deloitte. All rights reserved

Looking Forward

Third Party Risk Management - functionalised, increased use of fintech solutions (including utilities) and KPI monitoring

Supervisibility – accessible by regulators, transparent, centralised books and records inventories & response management

Extension of the Board – Designated Persons with responsibility for X (e.g. CP86)

Key decision making i.e. what to outsource and how – risk based, challenged and evidenced

Oversight & Monitoring – evidence based, ongoing, embedded

Substance requirements – skills based – ability to ‘oversee’ a function with clear and tested contingency plans

Standardisation of rules and minimum standards across sectors – a ‘Framework’

The current regulatory landscape, combined with proposed changes and opinions, emerging market practices and the feedback from the CBI give us a sense of the direction of travel for accountability requirements when outsourcing.

33

Agenda








Close

34

Session 4

Melissa Scully, Senior Manager, Deloitte Ireland

35

Challenges for Board members

36

Increasing expectations and a shift towards individual accountability

Widening regulatory expectations

Internal governance

Culture

Succession planning

Conduct

Strategy

Diversity

Product governance

and oversight

Three lines of

defence

Risk appetite

COLLECTIVE BOARD RESPONSIBILITIESINDIVIDUAL

RESPONSIBILITIES

Directors’ duties

Non-executive director

responsibilities

Prescribed responsibilities

37

Key challenges for Board members

Strengthening accountability

Challenges

Clarity on prescribed

responsibilities

Demonstrating reasonable

steps

Oversight of delegated

tasks

Maintaining independence

Prompt disclosure

Recruitment process &

remuneration

38

Practical considerations

Start early

Communicate and educate Board members on the upcoming changes

Assess your governance arrangements

Determine what your particular challenges will be

Identify potential prescribed responsibilities for Board members

Ensure that you have robust succession planning

Think about the impact on challenge and the style of minute taking

40

Feel free to contact us

Sean SmithPartner, Regulatory Risk, Risk Advisory - Ireland

Email: [email protected]

Phone: +353 (0) 1 417 2306

Laura Wadding Director, Regulatory Risk, Risk Advisory - Ireland


Phone: +353 (0) 1 417 2934

mailto:[email protected]


41

Feel free to contact us

Melissa ScullySenior Manager, Risk Advisory - Ireland


Phone: +353 (0) 1 417 8656

Rose-Marie KennedySenior Manager, Regulatory Risk, Risk Advisory - Ireland


Phone: +353 (0)1 417 8933



Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service toaddress clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person whorelies on this communication.

© 2018 Deloitte The Netherlands

evolving expectations of fitness & probity to support an ... · in october 2015, hm treasury...

Documents