The next phase of SMCR implementation: payments and e-money institutions

Why is this happening?

The directors and persons responsible for the day-to-day management of payments and e-money institutions are already subject to fitness and propriety assessments as PSD/EMD Individuals. SMCR builds upon this to appoint individual responsibilities and specific conduct obligations on individuals.

The application of SMCR will allow the FCA greater powers to take action against individuals in the event of legal, regulatory or conduct issues. Many of the reasons given in the recent consultation for the extension of SMCR to Financial Market Infrastructures (FMIs) equally apply to payment and e-money firms, for example:

• Encourage good governance;
• Incentivise good behaviour;
• Require managers to give adequate oversight to the areas for which they are responsible;
• Encourage staff to identify gaps in responsibility and address them appropriately;

These are all aspirations which should appeal to FinTechs, as fast-growing organisations that are seeking to mature into established players in the financial services market. It is good practice to understand who is responsible for what, and ensure they have the competence to do so effectively. SMCR places a helpful framework around this to make sure firms are taking the right steps to ensure appropriate governance is in place to run the business effectively.

What is SMCR?

SMCR regulates the fitness, propriety and conduct of individuals within relevant organisations. It has been introduced as a phased implementation since 2016 for banks, insurers and other FSMA-authorised persons. HM Treasury is currently analysing feedback to their consultation on extending SMCR to FMIs. We understand the next step for SMCR is an extension to payment and e-money institutions and firms should expect to start seeing consultations about this in the second half of 2022.

The regime aims to strengthen the integrity of financial services by changing behaviours and culture within firms.

SMCR is applicable in a tiered way to staff at different levels. It encourages a culture where staff take personal responsibility for their actions and ensures that firms and staff clearly understand, and can demonstrate, where responsibility lies within the organisation. When something goes wrong, this, in turn, enables the regulator to identify individual accountability (and take action where appropriate).

What is included in the regime?

SMCR comprises:

1. The "Senior Managers Regime", which requires individuals performing certain roles to have the appropriate competence, expertise and probity to carry out their roles. Firms would be required to submit and maintain documentation on the scope of these individuals' responsibilities, and would establish a statutory requirement for senior managers to take reasonable steps to prevent and/or stop regulatory breaches in their area of responsibility.
2. The "Certification Regime", which requires firms to certify individuals carrying out specified functions that could cause significant harm as being fit and proper.
3. "Conduct Rules" which almost all employees must follow with regard to their personal conduct and the treatment of customers.

While not currently included within SMCR, the upcoming Consumer Duty is also expected to place responsibility on senior managers for ensuring that customers receive good outcomes. This will apply right through from setting the culture of the firm, to monitoring products and services to ensuring appropriate conduct in line with the consumer principle.

What are the conduct rules?

There are five individual conduct rules and an additional four rules which only apply to senior managers.

The individual conduct rules are:

1. You must act with integrity;
2. You must act with due skill, care and diligence;
3. You must be open and cooperative with the FCA, the PRA and other regulators;
4. You must pay due regard to the interests of customers and treat them fairly; and
5. You must observe proper standards of market conduct.

The senior manager conduct rules are:

1. You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively;
2. You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system;
3. You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively; and
4. You must disclose appropriately any information of the which the FCA or PRA would reasonably expect notice.

It is important to ensure that all relevant individuals are aware of their obligations under the conduct rules and appropriate training is provided. However, effective implementation goes beyond this and requires a culture which enables staff at all levels to do the right thing.

What broader governance arrangements support SMCR?

Under SMCR, senior managers are individually responsible for the areas under their control. However, they cannot discharge their responsibilities effectively without an appropriate framework in place which provides the information they need at the right time. To support this, consideration needs to be given to:

• Committee structures: do the committees and reporting lines give effective oversight to relevant managers of all applicable areas of the business?
• Committee terms of reference: are documented terms of reference in place covering the purpose of the committee, all key responsibilities and attendees?
• Reporting: is standardised MI in place which provides senior managers with the information they need to make fully informed decisions? Is reporting consistent to allow identification of trends and are MI requirements reviewed when there are changes to products or services?
• Operational resilience: are operational resilience requirements factored into relevant committee decision-making and management information?
• Decision-making: does decision-making demonstrate consideration of the impact on customers and an effective culture which flows into policies and processes throughout the business?

What are the next steps?

The FCA has not yet formally announced the extension of SMCR to payments and e-money firms but, as stated above, we understand more information on this, including potential implementation timescales, is likely to be published within the second half of 2022.

In the meantime, payments and e-money firms can begin to understand their likely requirements and confirm their existing positions. Even without the formal imposition of the SMCR, application of its principles provides a best practice framework in which firms can safely grow their payments and e-money activities.

We therefore recommend that firms:

1. Identify their current PSD/EMD individuals, considering whether they remain the right people to hold these roles, and update the FCA accordingly;
2. Consider which of the existing individuals are carrying out the types of roles which would be required under SMCR – for the majority of payments firms we expect this to be a mixture of governance roles (e.g. CEO, Chair, Executive Directors) and oversight roles (Head of Compliance and Money Laundering Reporting Officer). Very large payments and e-money firms will likely need to consider a range of additional roles such as Chair of the Audit Committee, Chair of the Remuneration Committee, etc.;
3. Create a learning and development plan to ensure effective management oversight, if there are any gaps in the skills, knowledge or experience of the individuals carrying out these roles;
4. Consider whether additional recruitment may be needed to meet the requirements, and if that gap needs to be filled immediately or can wait until SMCR implementation;
5. Document their internal committees, including details of members, purpose, reporting lines and authority; consider whether all relevant aspects of the business are being effectively governed.

Even without SMCR, firms must be able to effectively control their activities and have governance structures in place which are proportionate to the risks involved with the products and services they provide. Applying SMCR principles as a baseline will help demonstrate a focus on good governance, and that managers take responsibility for customer outcomes.

SMCR will be a living process; not a one-off exercise. Firms will need to ensure they keep the documentation updated, and that senior managers and certified individuals continue to discharge their responsibilities.

For more information, please contact our authors. 

Authored by Frank Brown and Matthew Handfield.