One of the biggest challenges facing Senior Managers who are regulated under the FCA’s SMCR duties is ensuring that they have taken proportionate ‘Reasonable Steps’.
Ben Mason, CEO of My Compliance Centre, looks at the challenges and practicalities of the reasonable steps obligation.
15 March 2022
SMCR, Accountability and Reasonable Steps
The PRA and FCA’s Senior Managers and Certification Regime (“SMCR”) was introduced on the back of the Parliamentary review into the causes of the credit crunch. Its objective is simply to improve market and customer outcomes, which it does by significantly increasing accountability for those outcomes.
The people with responsibility for delivering those outcomes are “Senior Managers” within the SMCR. This is a big responsibility, with significant implications for each individual should something go wrong that they could reasonably have prevented.
Part of management’s obligation is to take “Reasonable Steps” to deliver the right outcomes. While this might seem a sensible approach from the outside, the challenge is that nowhere is it clearly defined what “Reasonable Steps” might be for any given business or Senior Management Function (SMF) – you need to work that out for yourself.
The FCA says that it expects Senior Managers to “bear in mind” that a higher degree of control is required for businesses in high-risk areas, but that does not exactly clear up the issue.
The 3 areas of Reasonable Steps the FCA identifies are:
- “Controlling effectively” the business for which you are responsible.
- Ensuring compliance with the regulatory system.
- Ensuring that any delegated activities for which you are responsible have proper oversight.
The FCA does give examples of where breaches might occur, which is helpful, but these are not specific to any given business and its inherent risks.
How do I take “Reasonable Steps”?
For Senior Managers who are not from a compliance or regulatory background, and who have challenging commercial objectives to achieve, it can be difficult to calibrate exactly what to do to prove Reasonable Steps.
Getting it wrong could lead to a career-defining enforcement process that, at best, is stressful over an extended period and, at worst, is career-ending and financially ruinous. Spending too much time worrying about regulatory outcomes could end up with unacceptably negative commercial outcomes. A balance needs to be achieved.
One way or another, it is critical that you, as a holder of a Senior Management Function, have satisfied yourself that your internal controls are commensurate with the risk in the business and that you are compliant with the FCA’s (and PRA’s) rules. If in doubt, get an independent review and follow through on actions arising.
However, it goes wider than this. In our experience, many firms get most of their compliance right and are careful to only undertake business that they understand and can control in line with associated regulatory risks.
What can be difficult, however, is to evidence that controls are in place and appropriate, and to demonstrate an audit trail of “doing the right thing”. Evidencing that you have taken “Reasonable Steps” is critical and, unfortunately, doing the right thing but not being able to prove it will amount to having done the wrong thing in the face of an FCA investigation.
Introducing Compliance Management Systems
New technology now makes it easier to collate and store the evidence needed to demonstrate effective ongoing compliance.
Traditionally, compliance functions have used relatively old-fashioned and manual processes to manage their compliance. However, that is now changing. Most firms would not use a spreadsheet and e-mails to manage their sales or marketing or finance functions – they have proper management systems, and the same is increasingly becoming true of compliance.
There are many benefits of Compliance Management Systems, including high ROIs and significant time savings. Many people feel that enhanced automation is the key to forward-looking organisations having more strategic compliance functions in the future.
Another prime benefit, however, of value to the whole company and specifically to Senior Managers who might need to prove that they have taken “Reasonable Steps”, is the quality of the audit trail these systems provide.
That is, the evidence that core business processes are being followed and primary risk controls are in place, for the benefit of all stakeholders – regulators, the board and individual Senior Managers.
My Compliance Centre is a market-leading Compliance Management System and can assist with the demonstration of “Reasonable Steps” in many ways.
Here are some examples:
- My Compliance Centre’s SMCR module provides a dedicated area to record ad hoc reasonable steps that have been taken.
- The Governance module provides a structured, easy-to-evidence and demonstrable way of showing proper governance, decision making and associated actions.
- The Incidents and Breaches register provides a flexible and configurable way of maintaining a demonstrable audit trail, evidencing that all serious issues are addressed and corrected.
- The Compliance Monitoring module evidences that procedures and measures designed to comply with regulatory obligations are monitored and corrective actions are taken.
- The various registers related to Conflicts of Interest ensure that Conflicts are identified, approved and clearly documented.
- The Attestations module makes it easy to evidence that staff are aware of, and have attested to, their obligation to comply with compliance policies.
- The various reporting options provide MI that supports management’s assertions that it has taken “Reasonable Steps” to comply.