The Senior Managers and Certification Regime places the management of financial crime risk front and centre within the senior management of financial institutions. Firms need to respond to this; they should focus on embedding and improving their financial crime governance structures and documenting their framework of policies & procedures, systems and controls which collectively mitigate financial crime risk.
- Sian Herbert, Partner
The Senior Managers and Certification Regime (SM&CR) required firms to appoint Senior Managers to manage certain specified ‘prescribed responsibilities’, which include the overall responsibility for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime (FCA 4).
The creation of a defined responsibility for financial crime requires firms to evaluate their governance arrangements and provides an opportunity to develop a more integrated and holistic approach to managing financial crime risk. Our experience from working with clients has identified five key SM&CR financial crime challenges:
Firms need to ensure that they have clearly defined financial crime. The definition needs to support the appointed Senior Manager’s role and responsibilities, yet be consistent with existing policies and procedures and governance structures, as well as with the definition within the Financial Services & Markets Act and FCA guidance. We have seen firms using SM&CR as an opportunity to rearticulate financial crime within their policy framework.
FCA guidance categorises financial crime as including money laundering and terrorist financing, fraud, data security, bribery and corruption and sanctions (including asset freezes). This categorisation has left firms to determine which additional behaviours, if any, constitute financial crime within SM&CR. Whilst we haven’t yet seen an industry or regulatory consensus develop as to which risk areas should be included under financial crime for SM&CR, we believe firms should be including market abuse, cyber-crime and rogue trading within their financial crime definitions.
The FCA’s preference is for prescribed responsibilities to be allocated to a single individual, although they have recognised that there may be “…limited circumstances where sharing or dividing a function or a responsibility may be appropriate…”. Within most large financial institutions fraud risk is generally owned and managed within the risk division, whereas other financial crime components may be owned by compliance. This has led to some firms splitting the prescribed responsibilities between risk and compliance owners. Similarly, some firms have designated the responsibilities for cyber-crime to a separate senior manager.
In allocating split prescribed responsibilities for financial crime, we would advise firms to ensure that they have:
All employees play a role in mitigating financial crime risk, largely achieved through a firm’s internal code of conduct and the design and implementation of financial crime policy and procedures, supported by underlying systems and controls operated front-to-back through the business.
The senior manager responsible for financial crime should have a documented view of how the front-to-back systems and controls are designed to mitigate financial crime, and receive Management Information which provides assurance, at the appropriate level, that the controls are operating effectively.
Some firms have documented the roles and responsibilities of the 1st line of defence and control functions in respect of the systems and controls which mitigate financial crime risk. In these instances, the senior manager with responsibility for financial crime is responsible as a 2nd line of defence for overseeing the effective design and operation of the 1st line’s systems and controls. In our opinion, in taking this role, the 2nd line of defence senior manager needs to be able to rely upon the 1st line, and have evidence of the effective operation of their systems and controls.
The prescribed responsibility for financial crime provides an opportunity for firms to consolidate the oversight of financial crime risk, systems and controls. For example, financial crime risk concentrations may be identified and efficiency gains achieved through the consolidated oversight of those controls which mitigate several financial crime risks.
The senior manager responsible for financial crime is accountable for money laundering as a component of financial crime; however, the Money Laundering Reporting Officer (MLRO) is also a senior management function with responsibilities set out in legislation which the FCA has stated are not diminished by the introduction of the SM&CR.
Where the senior manager responsible for financial crime is an individual other than the MLRO, firms have established governance and reporting structures to support the oversight of the MLRO function. We see the key challenge for firms as ensuring that the oversight is effective and proportionate, and effectively delineates between the respective responsibilities of both individuals.
In getting their responses to these five key SM&CR financial crime challenges right, firms will find SM&CR adherence more straightforward and will incrementally enhance their financial crime processes.
1 Paragraph 2.25 of CP15/22 Strengthening accountability in banking: Final rules (including feedback on CP14/31 and CP15/5) and consultation on extending the Certification Regime to wholesale market activities July 2015 (https://www.fca.org.uk/static/documents/consultation-papers/cp15-22.pdf)