Out-Law News

The senior managers' regime and accountability for technology decisions
John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

The Senior Managers' Regime (SMR) introduces a new level of accountability for individuals who work within financial services organisations.

For the banking sector, which recently received its final rules, individuals could be deemed personally culpable, and even criminally liable, where mistakes are made. Individuals within insurers and other financial services firms could also face similar consequences.

Questions arise, however, as to when, and whether, decisions relating to technology fall within the regime. Technology risk, cyber security and systems resilience are all matters that require board-level attention and need to be dealt with proactively.

Legacy systems present risks both in terms of taking action and failing to take action. Projects to renew or replace legacy systems present significant challenges and risks which few boards will relish at the outset of the project.

The risks of inaction are also significant – failures to deal with inefficient or vulnerable legacy systems or applications have exposed financial services organisations to damaging financial and reputational consequences. Inaction also has the potential to hold an organisation back strategically, preventing it from adopting new approaches to engaging customers through digital channels, capitalising on data as an asset and implementing more efficient technology infrastructures.

Could action or inaction in dealing with a legacy system result in accountability for an individual under the SMR? Every senior manager within a financial services organisation has good reason to seek clarity on which managers the new regime applies to and how compliance can be achieved even in the context of technology decision making.

The SMR and technology decision makers

While chief executives, chief financial officers, executive directors, chief risk officers and chairs of risk, audit and remuneration committees are all identified by title under the regime, no mention is made of chief information officers, chief technology officers or technology directors.

Given the importance of technology to financial services firms, and the Financial Conduct Authority's listing of technology as a significant area of focus for 2015, it seemed unusual to leave the application of the regime to technology leaders uncertain. Out-Law.com therefore asked the FCA for the background on its decision not to include specific references to technology positions in its list of senior management functions. In response the FCA told us that "The senior manager’s regime is not designed around job titles per se. To do so would be difficult for us to come up with a comprehensive enough list that would prevent easy work-arounds."

The intention, however, is not to exclude individuals holding senior technology positions from the regime. In its guidance the FCA suggests that a senior technology manager who is a 'head of a key business area' would fall within the regime. It has also suggested that individuals who hold overall responsibility for technology may be designated as senior managers under the catch-all 'other significant responsibility' function (SMF18).

In more direct terms, the FCA told Out-Law.com that "In terms of IT, it would depend on the responsibilities that come with a specific job title. If those responsibilities are for areas of the business that are ‘so large in relative terms to the size of the firm that it could jeopardise its safety and soundness’ then yes, they would be covered by the rules as consulted on."

We are not sure, however, that the FCA's explanation clarifies the matter. Unlike other areas of business, it is not possible to think about technology-related responsibilities in terms of 'size proportionate to the overall business'. Technology underpins the entire business. It may therefore be difficult to see circumstances in which individuals ultimately responsible for technology within a financial services business could fall outside the SMR.

Technology decisions that sit outside the regime

In addition to the SMR itself, new conduct rules have been introduced under which other employees, beyond senior managers, will be held accountable. These rules, according to the FCA, have been designed to introduce minimum standards of conduct and individual accountability for "staff at all levels" other than staff carrying out "purely ancillary functions."

The job descriptions of staff considered to be performing 'ancillary functions' are listed in the rules to include cleaners and vending machine staff, but also, curiously, 'data controllers and processors under the Data Protection Act 1998'. Out-Law.com asked the FCA for clarification as to why data controllers and processors had been singled out and what technology decisions therefore fall outside the scope of the new rules. In response the FCA said that "In IT, as elsewhere in the rules that were consulted on, ancillary staff who perform a role that is not specific to the financial services business of the firm will not be covered by the conduct rules."

But the FCA also told Out-Law.com that "we specify that it is those who are controllers or processors under the Data Protection Act, who already have responsibilities under that act, are excluded from our rules. Other staff will be covered by the conduct rules unless they are ancillary staff who perform a role that is not specific to the financial services business of the firm."

This did not make very much sense to us. Under the Data Protection Act, every financial services business will be a 'data controller' – it is not a designation that sits well with individuals, but one that applies to the business as a whole whenever it processes personal data. It is confusing, therefore, to list 'data controllers' as a type of job description that would fall outside the conduct rules.

More directly in relation to the types of individual roles that fall within the new conduct rules, the FCA's spokesperson also said: "So yes, it would be perfectly possible for there to be IT staff in middle management and even junior roles who perform a role that is specific to the financial services business of the firm and are therefore covered by the conduct rules but not by the senior managers’ regime. Again, it would depend on their responsibilities."

As with other areas of business, not all technology decisions will result in individual accountability under the new rules. But it is clear that both UK regulators, the Prudential Conduct Authority and the FCA, will want to see evidence of improvement in processes and controls in relation to technology. We hope that these remaining uncertainties are clarified through future guidance. Whatever the case, senior managers, from CEOs through to senior technology decision makers, will have to ensure that they have in place processes which contribute to effective technology strategy and governance.