The UK has recently embarked on far-reaching reform to its approach to senior management accountability in financial services, in contrast to the US’s approach, which has seen more evolutionary change since the financial crisis. In the words of the UK Parliamentary Commission on Banking Standards (PCBS), which was set up in 2012 in the wake of the LIBOR scandal, ‘too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility’. The PCBS recommended an overhaul of how individual accountability should operate in UK banks. The Senior Managers and Certification Regime (SMCR) that resulted has applied to banks incorporated in the UK, the UK branches of non-UK banks and significant investment firms (eg major broker-dealers) since March 2016.
The SMCR represents a major remodelling of its predecessor, the ‘approved persons regime’. Under the new regime, only the most senior individuals with managerial responsibilities for the firm need to be approved by the regulators, the Prudential Regulation Authority (PRA) and/or the Financial Conduct Authority (FCA). However, new requirements apply for those subject to approval, including providing the regulators with a ‘statement of responsibilities’ for every senior manager and a ‘responsibilities map’ setting out the management and governance arrangements for the firm. There are also certain ‘prescribed’ responsibilities that need to be assigned to a senior manager, which cover matters such as responsibility for the firm’s business model and responsibility for the firm’s policies and procedures for countering financial crime risk.
New Conduct Rules also apply to Senior Managers imposing duties to take reasonable care to ensure, for example, that the part of the firm for which the Senior Manager has responsibility is effectively controlled and complies with regulatory requirements. Along with a new ‘duty of responsibility’ the intention is to spell out more clearly Senior Managers’ liability when things go wrong. The duty of responsibility means that UK regulators can impose penalties on senior managers at firms where a regulatory breach occurs if:
• the senior manager was, at the time, responsible for the management of any of the firm's activities in relation to which the contravention occurred; and
• the senior manager did not take such steps as a person in the senior manager's position could reasonably be expected to take to avoid the contravention occurring (or continuing).
Breach of the Conduct Rules or the duty of responsibility can give rise to personal civil liability for the relevant Senior Managers.
While there is increased focus on the most senior individuals, some individuals, such as traders or sales staff without senior management responsibility but who are capable of causing significant harm to the firm or its clients, are no longer approved by the regulator. Instead they are subject to a ‘certification regime’ where firms have to identify such persons and certify that they are fit and proper to perform their roles (including ensuring they have the requisite qualifications where relevant). The certification regime is intended to put the onus on firms to have proper procedures in place to ensure that their certified staff are fit and proper (and remain so).
The third part of the SMCR is the conduct rules. In addition to the Conduct Rules that apply to Senior Managers referred to above, Individual Conduct Rules are broadly framed standards of conduct (eg acting with integrity and acting with skill care and diligence) that apply to almost all staff, other than certain defined excluded roles (eg security staff). Firms must train staff on the conduct rules and report disciplinary action taken for breaches of the rules to the regulators. Enhanced regulatory reference obligations also require firms to provide more detailed information to new employers.
Following recommendations by the Fair and Effective Markets Review and former members of the PCBS, the UK Treasury decided that the approved persons regime should be replaced with the SMCR more generally, as this would 'create a fairer, more consistent and rigorous regime for all authorised financial services firms'. It was extended to insurers in December 2018 and will apply to almost all UK regulated financial services firms from December 2019. Similar regimes have also been adopted or are being contemplated by regulators in other jurisdictions, including Hong Kong, Australia, Singapore and Ireland.
In contrast to the UK, the US approach to individual accountability did not change markedly in the immediate aftermath of the 2008 financial crisis. Regulators in the US tended to emphasise systemic causes and wider governance problems over a lack of individual accountability and there were few if any criminal prosecutions following the crisis. While the Financial Crisis Inquiry Commission, an investigative body set up by Congress to explore the root causes of the crisis, found that ‘the captains of finance and the public stewards of our financial system ignored warnings and failed to question, understand, and manage evolving risks within a system essential to the well-being of the American public’, that finding did not result in concrete policy changes. As before the financial crisis, individuals engaged in certain financial activities in the US are merely required to be licensed and, in some cases, pass qualifying examinations. For example, individuals engaged in the investment banking and securities business of broker-dealers need to be qualified with the Financial Industry Regulatory Authority (FINRA) as ‘registered representatives’.
In addition to the FINRA registration requirement for representatives, ‘registered principals’, persons who are actively engaged in the management of a broker-dealer's investment banking or securities business, are subject to additional qualification requirements. While such principals historically included persons involved in day-to-day management, since October 2018, FINRA has explicitly included CEOs and CFOs. This change by FINRA apparently represents an increased emphasis on the ‘tone from the top’, consistent with the approach of the UK regulators.
The U.S. Securities and Exchange Commission (SEC), the US government agency charged with primary oversight of the US securities markets, and FINRA each conduct regular and recurring examinations of their regulated entities. As part of such examination programs, both regulators annually issue a summary of their exam priorities. These typically focus on products (eg annuities) and categories of vulnerable persons (eg senior citizen investors). The summaries also emphasise the importance of sound supervisory frameworks, including a broad focus on culture, incentive compensation, and conflict management.
The SEC also assesses individual conduct in the enforcement context when it considers seeking civil penalties. The SEC has been clear that individual accountability is critical to an effective enforcement program and is one of the core principles of the SEC’s enforcement approach. Indeed, in the SEC’s fiscal year ending September 2018, 72% of all of the SEC’s actions involved charges against one or more individuals, approximately the same percentage as in the prior year. While that overall number is inflated by insider trading cases, more than half of SEC enforcement actions against broker-dealers and investment advisers included named individuals.
Although registered principals are subject to enforcement actions for failures to supervise persons whom they oversee, neither the SEC nor FINRA require assignment of ‘prescribed responsibilities’, instead they more generally require documentation of the responsibilities with discretion as to how to characterise those responsibilities.
The US can impose individual criminal penalties for regulatory failures, an approach that is relatively rare in UK. For example, the Department of Justice (DOJ) has issued a policy on individual accountability (commonly referred to as the ‘Yates Memo’), which was implemented to ensure a consistent focus on individual accountability where civil or criminal corporate investigations are taking place.
While not a direct result of the financial crisis, the Yates Memo has been interpreted as reflecting a more aggressive and consistent focus on individual criminal culpability by the DOJ. The Yates Memo has undergone some refinements since its initial issuance, but its core premise—that corporate criminal misconduct happens through the actions of individuals and that, accordingly, cooperating companies must provide federal prosecutors information about which individuals engaged in which acts—remains a cornerstone DOJ policy.
As in many other areas there is a clear divergence of approach either side of the Atlantic and there is no ‘Anglo-Saxon model’. Judgment on the effectiveness and suitability of different models of individual accountability is only likely to be possible with the benefit of significant hindsight. What is clear is that the UK has embarked on a radical experiment while the US has adopted a more traditional approach. Perhaps the US could be seen as the control to the UK’s new experimental approach. Time will tell which works best.
Omar Salem is a Managing Associate in the London office of Linklaters LLP.
Jerome Roche is a Partner in the Washington DC office of Linklaters LLP.