UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance. The UK has had a regime of approved persons for some time. The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management. For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them. It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’. As with all good ideas, it is simple. The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.

The list of responsibilities is long. For example, the list for insurers is as follows:
1. ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;
2. leading the development of the firm’s culture and standards;
3. embedding the firm’s culture and standards in its day-to-day management;
4. production and integrity of the firm’s financial information and regulatory reporting;
5. allocation and maintenance of the firm’s capital and liquidity;
6. development and maintenance of the firm’s business model;
7. performance of the firm’s Own Risk and Solvency Assessment (ORSA);
8. induction, training and professional development for all the firm’s key function holders;
9. maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;
10. oversight of the firm’s remuneration policies and practices.
For banks, there is no direct equivalent to 7 even if there is an ICAAP. However, the list includes the following additional responsibilities:

1. funding, which is also mentioned in 5 above, together with an additional responsibility in respect of the bank’s treasury management functions;
2. developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;
3. managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purpose of stress testing;
4. safeguarding the independence of, and overseeing the performance of, the compliance function, internal audit and risk function respectively; these are three different responsibilities.
There are some interesting differences between banking and insurance.
The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach. In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area.
Firms’ senior managers will spend time discussing the mapping of responsibilities. This may well be the easy part. Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.
For some responsibilities there will be processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA. In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken. What should be done to prove that the ‘firm’s culture and standards’ are developed and embedded?
If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. My target is to post on a weekly basis so I will not be flooding your inbox.