Insurers and the SM&CR: Lessons from the banking stocktake report
05 September 2019
As the December deadline approaches for insurers to finish certification under the Senior Managers and Certification Regime (SM&CR), the Financial Conduct Authority’s (FCA) stocktake report on how banks have embedded the regime gives insurers the opportunity to learn from its conclusions. Any issues identified by the FCA in the banks will read across to other sectors.
So what did the FCA find? It seems that senior managers may be focusing too much on the senior manager part of the regime because of its relevance to them personally, leaving gaps in how certification and the conduct rules are implemented.
The regulator says that senior managers in banks were generally clear on what accountability meant when it came to their own jobs and day-to-day activities. But most firms could not show how effectively they had assessed certification staff, how they may have used subjective judgement in certification, or how they ensured consistency across different certification roles. When it came to the conduct rules, firms had not always tailored their training to the specific jobs that staff do, nor had they been able to say what a conduct breach might look like for their business.
It seems that insurers should be ready for the regulators to pay greater attention to the conduct rules and the effectiveness of certification. So what should firms be doing? Let’s look at certification first as it’s the biggest challenge for insurers. By 10 December 2019 insurers must have issued certificates to any employees within scope for certification who meet the fit and proper criteria. This means not only Key Function Holders and Material Risk Takers, but a wider range of conduct-related functions. This includes, for example, client dealing functions that extend beyond the old CF30. Are insurers being rigorous and consistent in how they apply the criteria? Do they have the systems and controls to demonstrate what their processes are?
Given the emphasis the FCA places on identifying bad apples, if certification isn’t seen to be excluding people who don’t make the grade, insurers can expect questions to be asked. Many certification staff will have been in significant influence functions under the previous arrangements and will have been approved by the regulators. But now that it’s firms who have to do the assessment and issue certificates, the individuals responsible for this have to ask themselves how comfortable they are that the staff they are certifying genuinely meet the requirements. There is also a senior manager with a prescribed responsibility for certification. So firms should be able to explain how certification staff were identified and assessed and possibly what remediation has taken place for staff who did not meet the fit and proper criteria.
When it comes to the conduct rules, firms would benefit from thinking about how these rules fit with their own corporate values and encourage an atmosphere in which staff feel comfortable in speaking up. Firms should be able to explain how they approach the conduct rules, including how they meet specific training needs, how they might identify breaches and when they might use any disciplinary action.
As we approach the December deadline, the priority for firms is to complete their certification processes and complete conduct rules training. But in the longer term, embedding the regime means aiming for a much more deep-seated cultural change - that journey may have only just begun.