CEOs Need to be Aware
Come December 2019, the Financial Conduct Authority (FCA) will extend the Senior Manager & Certification Regime (SMCR) to 47,000 solo-regulated financial institutions. The scope of the SMCR is also expanding to include non-financial conduct.
Clearly, these measures are geared towards minimising risk and enhancing the resilience of the financial services sector and indeed of UK Plc. Memories are still fresh about the scale of government support during the banking crisis, and other more recent problems that have impacted customers of financial services organisations. Government, regulators and the wider industry are wary of a repeat of these incidents, and the level of taxpayer support needed to address them.
It is within this context that SMCR has evolved, with the aim of enforcing individual accountability for senior executives and driving a cultural shift in financial institutions towards a more proactive and positive attitude towards governance. Transparency and accountability are now the name of the game.
SMCR is the keystone of UK regulation
It may, however, not yet have hit home in the C-suite that, because of the wide scope of this regime, the vast majority of regulations affecting financial institutions ultimately lead back to SMCR. Fundamentally, a breach of one set of regulations could imply a breach of SMCR, resulting in close scrutiny at the very least, and potentially much worse besides. Regulatory bodies are aligning themselves with each other to take a joined-up view of policy and action.
The challenge for many institutions, their CEOs and senior executives is that the plethora of new regulations and accounting standards – MiFID II, Operational Resilience, SS3/18, IFRS 9, for example – that will fall within the remit of SMCR shows no sign of abating. Moreover, the tone and scope of many of these regulations are changing, as regulators look at the systems and processes underpinning business processes, alongside any regulatory or accounting reports.
As an illustration, the current Operational Resilience (OpRes) initiative of the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) demands that Boards be responsible for the resilience of their business. This in turn ensures that, collectively, the entire financial system is resilient. OpRes describes a resilient financial system as one that can ‘absorb shocks rather than contribute to them.’ Financial institutions need to have procedures in place to manage the processes and technology that underpin their critical business processes. While organisations typically have these in place, they now also need to be able to provide reporting and full auditability to auditors and regulators. Moreover, they need to be able to identify and resolve any gaps that may put them in breach of OpRes (and so of SMCR).
Shadow IT adds complexity and threatens SMCR compliance
The focus of regulatory bodies is squarely on the business services and impact tolerances of financial institutions, from both operational and financial standpoints. With a wide variety of enterprise IT systems deployed for all manner of business processes, technology plays a crucial role in enabling operations and reducing risk. That same reliance can also threaten the resilience of financial institutions and, for the C-suite, SMCR compliance. The infamous TSB computer systems meltdown in April last year is a case in point: 1.9 million customers were locked out of their accounts for weeks, and the episode cost the CEO his job. Today, the financial cost to the bank is recorded as being £330 million.
Shadow IT – IT implemented and managed by business users rather than corporate IT – is in widespread use, and is likely not on the radar of senior executives. It adds another layer of complexity to SMCR and other regulatory compliance initiatives. Because IT infrastructure is now easy to access (often through cloud computing), Shadow IT often features powerful, easy-to-use databases, development environments and visualisation tools that business users can use to independently design and develop their own processes and applications, without the aid or knowledge of the corporate IT team.
A key application of Shadow IT in financial institutions is modelling, where the speed and flexibility of Shadow IT are well suited to rapid product development, portfolio management or business management, for example. While regulators are non-prescriptive and agnostic as to the systems and type of IT adopted, they do demand that due consideration and scrutiny are given to their use. A range of regulations and standards are relevant to modelling, including SS3/18, IFRS 9 and IFRS 17, all of which bear on OpRes and, ultimately, on SMCR. While Shadow IT offers flexibility to users, these models typically aren’t implemented, documented or tested against a company’s standard IT policies, and therefore may contain errors that lead to poor business decisions, as well as to breaches of these regulations. For example, if changes to models aren’t documented or audited, or there is no clarity about model ownership, authority and responsibility, there will ultimately be a direct impact on SMCR compliance.
The fine art of balancing flexibility and transparency
Financial institutions must balance the flexibility and agility that business-owned processes and applications allow, against the corporate and regulatory need for control and transparency.
To ensure operational resilience and efficiency, financial institutions need to understand and document how Shadow IT, as well as corporate IT, features in their critical business processes, and how both are managed. Companies need to adopt a comprehensive and unified approach to enterprise IT and Shadow IT management. Without this approach, senior executives and the C-suite are risking non-compliance with several regulations – and with the SMCR, which makes the fallout very personal. The SMCR is almost a ‘catch-all’.
About the author
Henry Umney is CEO of ClusterSeven. He joined the company in 2006 and for over 10 years was responsible for the commercial operations of ClusterSeven, overseeing globally all Sales and Client activity as well as Partner engagements. In July 2017, he was appointed CEO and is strongly positioned to take the business forward. He brings over 20 years’ experience and expertise from the financial service and technology sectors. Prior to ClusterSeven, he held the position of Sales Director in Microgen, London and various sales management positions in AFA Systems and ICAP, both in the UK and Asia.