Evolving expectations of Fitness & Probity to support an Individual Accountability Framework Breakfast Briefing 2018.


1 Evolving expectations of Fitness & Probity to support an Individual Accountability Framework Breakfast Briefing th August 2018

2 Agenda (Topic: Presenter, Timing)
- Introduction: Sean Smith, 8:00 a.m. to 8:10 a.m.
- Keynote speech, Regulatory Expectations: Seána Cunningham, CBI, 8:10 a.m. to 8:35 a.m.
- Session 2: Pierre-Francois Rodriguez, 8:35 a.m. to 8:55 a.m.
- Session 3: Laura Wadding, 8:55 a.m. to 9:15 a.m.
- Session 4: Melissa Scully, 9:15 a.m. to 9:35 a.m.
- Panel Discussion: All, 9:35 a.m. to 9:50 a.m.
- Close

3 Keynote speech: Seána Cunningham, CBI

4 Individual Accountability: our approach
Seána Cunningham, Director of Enforcement and Anti-Money Laundering
Deloitte 28 August

5 Overview
1. The Fitness and Probity Regime
2. Participation under the Administrative Sanctions Procedure
3. Suggestions for reform
4. Conclusion

6 The Fitness and Probity Regime

7 Participation under the Administrative Sanctions Procedure

8 Suggestions for reform: the Individual Accountability Framework

9 Conclusion

11 Session 2: Pierre-Francois Rodriguez, Director, Deloitte UK

12 UK Senior Managers & Certification Regime 28 August 2018

13 Senior Managers & Certification Regime
1. Recap on the regime
2. SMCR implementation lessons learnt
3. Questions

14 Recap on the regime

15 Senior Managers and Certification Regime: Background
Increasing individual accountability
Under SMCR the regulators are seeking to reinforce the concept of individual accountability at the top of firms and for Senior Managers to demonstrate adherence to the conduct rules, including being able to demonstrate that they have taken reasonable steps to control their areas of responsibility. The regulators have expressed that this expectation is not greatly removed from the current state of affairs, but by increasing the clarity around accountabilities and responsibilities it will focus the minds of those occupying Senior Management Functions.
- SMCR has been in force in banks since 7 March
- In October 2015, HM Treasury announced the key features of the banking Senior Managers Regime will be extended across the broader financial services industry from
- Insurance firms will transition to the SMCR from 10 December
- SMCR will come into force from 9 December 2019 for other financial services firms, including IFAs and brokers.
- The regulators will ensure that the extended regime appropriately reflects the diverse business models operating in the UK market and is proportionate to the size and complexity of firms.
"Six months on and, in a great many cases, firms have made a substantial effort to get this right and embrace the importance of the key principles underlying the Senior Managers and Certification Regime, namely responsibility and accountability. Knowing who is responsible for what is critical for firms and regulators and we have seen genuine engagement on this from the Board down"
"If people want to rise to the top of firms, with all the rewards that brings, while ducking proper accountability, then they are in the wrong sector"
Sam Woods, Deputy Governor, Prudential Regulation, Bank of England and CEO of the PRA, January 2017
Andrew Bailey, Chief Executive, FCA, September

16 Senior Managers and Certification Regime: Key provisions
Focus on Individual Accountability
- New roles and duty of responsibility: Introduces Senior Management Functions with a statutory duty of responsibility. The Certification regime includes roles which can cause significant harm to the firm or its customers.
- New Conduct Standards: Introduces two tiers of Conduct Rules to firms' regulated and unregulated financial services activities (including any related ancillary activities carried on in connection with a regulated activity).
- New documentation: The Responsibility Map is a requirement to describe how individual accountability is apportioned and how governance operates in a firm. The Statement of Responsibilities sets out the areas of the business that the Senior Manager is responsible and accountable for.
- Enhanced processes: SMCR introduces some changes to processes including enhanced criminal record checks, monitoring conduct breaches and obtaining regulatory references dating back six years for people applying for Senior Manager, Certification and non-approved NED roles.

17 Senior Managers and Certification Regime: Key provisions
Individual Conduct Rules
Senior Manager Conduct Rules
Senior Managers Regime: The most senior people in a firm. Anyone who performs a Senior Management Function ("SMF") must be approved by the FCA/PRA.
Senior Management Functions
Responsibilities map
Duty of responsibility
Handover procedures
Statement of Responsibility
Overall responsibility
Certification Regime
Criminal record checks
Prescribed responsibilities
Apply to large Banks, Solvency II firms, large NDFs and enhanced FCA solo firms only
People who aren't Senior Managers but whose job can cause significant harm to the firm or its customers have to be certified. No FCA/PRA approval, but firms need to check and confirm on an annual basis that these people are fit and proper to perform their role.
Other Staff: All staff who perform financial services roles, except ancillary staff (e.g. caterers, cleaners and security staff).
Fit and Proper requirements (including regulatory references)
In addition, the Conduct Rules, the Fit and Proper Requirements and Regulatory references will also apply to all NEDs, even if they are not a Senior Manager.

18 Senior Managers and Certification Regime: Reasonable steps
Slide headings: Knowledge and understanding; Organise and control; Evidence; Resolve and learn; Review and improve
- Handover: on starting or leaving a SMF role, take responsibility for understanding all aspects of the business, including key risks in areas where you have individual and collective responsibility.
- Regulatory: maintain an awareness of relevant requirements and standards of the regulatory system.
- Technical: maintain your technical skills, through continuing professional development.
- Reporting lines: establish and articulate clear lines of control in your area.
- Delegation: ensure any delegations are clearly documented and understood, and continue to oversee and review the performance of delegated responsibilities.
- Resource: maintain appropriate resource levels and skillsets, and take steps to manage any resource constraints.
- Market knowledge: understand the broader markets in which the firm operates.
- Your firm: receive and review regular updates and reports from your team and maintain a wider understanding of the activity of the firm.
- Succession planning: be proactive in identifying talent and planning for the future.
- Governance: establish relevant committees, ensure attendees are appropriate and attend.
- Take action: where potential issues occur, take responsibility for ensuring they are resolved.
- Support: seek and obtain appropriate expert advice or assurance, whether internal or external.
- Escalate: raise issues and follow them up with relevant staff, committees and Boards.
- Action plans: document action owners and timeframes and follow through to completion.
- Lessons learned: use resolved issues to inform and improve your control frameworks.
- Reporting: interrogate the information you receive and produce to identify potential improvements.
- People: continually assess the competence and capability of your team, identify training needs and deal with poor performance.
- Controls: implement, police, review and update appropriate policies, procedures and controls.
- Challenge and discussion: encourage a culture of challenge within your team and contribute personally to collective decision making within the firm.
- Be proactive: prioritise key risk areas and take preemptive actions to prevent breaches occurring.

19 SMCR implementation lessons learned

20 Senior Managers and Certification Regime implementation: Lessons learnt
On average, it took at least 12 months for banks to implement SMCR, with the following deliverables being the most time consuming:
- Responsibilities maps and role profiles/SoRs;
- Certified population mapping and training; and
- Conduct staff training.
Implementation success factors were:
- Appointment of a Senior Sponsor;
- The implementation project team had sufficient resource dedicated to the project, including from HR, Compliance and Legal;
- Early engagement of the Board and Senior Management;
- Carried out a SMCR gap analysis to identify likely areas of implementation challenges;
- Early design and development of the reasonable steps framework;
- Early training/briefing to impacted staff; and
- Early drafting of the SMCR documentation:
  - Management responsibilities map;
  - senior managers' roles and responsibilities; and
  - role profiles likely to be the longest to implement, including the socialisation of the Senior Managers' responsibilities.

21 Senior Managers and Certification Regime implementation: Lessons learnt
Opportunities
From our observations supporting Banks with the implementation of SMCR, we have identified a number of opportunities for the firm:
- Review governance arrangements and entities structure
- Formalise intra-group arrangements
Challenges
However, depending on the size and complexity of the firm, the implementation of the SMCR has often brought the following challenges:
- Population identification
- Allocating responsibilities
- Increase stand-alone operations of the UK entities
- Culture change
- Responsibility map development
- Individual vs. collective responsibilities
- Formalise decision making process
- Re-allocation of role and responsibilities for Senior Managers
- Operational challenges (maintaining records, monitoring and recording systems)
- Fit and proper processes (Certification)
- Conduct rules monitoring and breach reporting
- Reasonable steps framework development

22 Questions?

24 Session 3: Laura Wadding, Director, Deloitte Ireland

25 Individual Accountability & Outsourcing Laura Wadding 28 August 2018

26 Regulatory Landscape

27 Current Regulatory Landscape
Sectoral Rules & Guidance cover certain aspects of individual accountability when outsourcing.
Fund Management Company Guidance ("CP86")
- Oversight of Delegates
- Designated Persons with responsibility for X
- Supervisibility: ability of the regulator to supervise, including having access to individuals
- CBI Dear CEO letter to Fund Administrators
MiFID
- Responsibility of Board & Senior Management
- Dedicated Oversight Role
- Role of Compliance & Internal Audit (2nd & 3rd lines of defence)
- Supervisibility
- Named individuals in the outsourced service provider
Solvency II & EIOPA Guidance
- Fitness & Probity of individuals within an outsourced service provider
- Key Decision Making responsibility and evidence
- Designated Persons with overall responsibility for a key function
- A system of governance
CEBS Guidance on Outsourcing (2006)
In case of outsourcing of a key function or of outsourcing of a part of a function where this part is regarded as key, the person responsible is considered to be the one who has the oversight over the outsourcing at the undertaking.
EIOPA Guidance on System of Governance
Retention of adequate core competence at senior management level within the firm with ability to resume direct control if necessary
2018 Deloitte. All rights reserved

28 Evolving Landscape
There are several initiatives underway locally and at a European level which are seeking to influence the regulatory landscape when it comes to outsourcing in the financial sector.
- Brexit: New entrants to the market, expansion of existing entities, extended permissions influencing CBI views of outsourcing models, substance and accountability. Day 2 outcomes will further inform risk appetite within firms.
- European Security Authority Opinion: Any outsourcing or delegation arrangement from entities authorised in the EU27 to third country entities should be strictly framed and consistently supervised.
- EBA Consultation Paper (will apply to banks and MiFID firms): Replaces the CEBS Guidance on Outsourcing from 2006. Institutions and payment institutions should clearly assign the responsibilities for the documentation and control of outsourcing arrangements. The outsourcing policy should cover at least the responsibilities of the management body, business lines, internal control functions and other individuals in respect of outsourcing arrangements. The firm should establish an outsourcing function or designate a senior staff member (e.g. Key Function Holders).
- CBI Outsourcing Framework: Informed by industry surveys and themed inspections. Cross-sector view.

29 Common Themes
Whilst there are some differences between sectoral requirements, there are certain principles that are common or emerging as common themes across all sectors.
- Supervisible
- Designated Individuals
- Risk Based Decision Making
- Retention of Competence
- System of Governance
- Retention of Adequate Resources

30 Outsourcing Key Roles
With increased focus on the fitness and probity of individuals in key senior management positions, in particular within the control functions, firms are looking outside their organisation for short-medium support.
Reasons for Outsourcing Senior Management Roles
- Skills / Knowledge Acquisition
- Capacity
- Short-Medium term recruitment difficulties, i.e. fill a gap
- Provides an Independent View
Challenges
- Not a long term solution
- Does not absolve the entity of its obligations
- Over-reliance can cause longer term knowledge deficiency in the business
- Costly
Best Practice
- Use a reputable firm with a track record of performing the role
- Clearly set out role, responsibilities, objectives and regularly assess performance
- Facilitate knowledge transfer in the business (e.g. appoint a deputy / successor)
- Appoint a senior person in the business with responsibility for the outsourced role, i.e. a direct reporting line for the delegate, preferably independent from the functional reporting line

31 Direction of Travel

32 Looking Forward
The current regulatory landscape, combined with proposed changes and opinions, emerging market practices and the feedback from the CBI give us a sense of the direction of travel for accountability requirements when outsourcing.
- Third Party Risk Management: functionalised, increased use of fintech solutions (including utilities) and KPI monitoring
- Supervisibility: accessible by regulators, transparent, centralised books and records inventories & response management
- Extension of the Board: Designated Persons with responsibility for X (e.g. CP86)
- Key decision making, i.e. what to outsource and how: risk based, challenged and evidenced
- Oversight & Monitoring: evidence based, ongoing, embedded
- Substance requirements: skills based ability to oversee a function with clear and tested contingency plans
- Standardisation of rules and minimum standards across sectors: a Framework

34 Session 4: Melissa Scully, Senior Manager, Deloitte Ireland

35 Challenges for Board members

36 Widening regulatory expectations
Increasing expectations and a shift towards individual accountability
Column headings: COLLECTIVE BOARD RESPONSIBILITIES; INDIVIDUAL RESPONSIBILITIES
- Internal governance
- Conduct
- Product governance and oversight
- Directors' duties
- Culture
- Strategy
- Three lines of defence
- Non-executive director responsibilities
- Succession planning
- Diversity
- Risk appetite
- Prescribed responsibilities

37 Strengthening accountability
Key challenges for Board members
- Clarity on prescribed responsibilities
- Recruitment process & remuneration
- Demonstrating reasonable steps
- Prompt disclosure
- Oversight of delegated tasks
- Maintaining independence

38 Start early
Practical considerations
- Communicate and educate Board members on the upcoming changes
- Assess your governance arrangements
- Determine what your particular challenges will be
- Identify potential prescribed responsibilities for Board members
- Ensure that you have robust succession planning
- Think about the impact on challenge and the style of minute taking

39 Any Questions
2017 Deloitte. All rights reserved

40 Feel free to contact us
- Sean Smith, Partner, Regulatory Risk, Risk Advisory - Ireland, seansmith1@deloitte.ie, Phone: +353 (0)
- Laura Wadding, Director, Regulatory Risk, Risk Advisory - Ireland, lwadding@deloitte.ie, Phone: +353 (0)
- Melissa Scully, Senior Manager, Risk Advisory - Ireland, mscully@deloitte.ie, Phone: +353 (0)
- Rose-Marie Kennedy, Senior Manager, Regulatory Risk, Risk Advisory - Ireland, rkennedy@deloitte.ie, Phone: +353 (0)
