SMCR+ View Flash Alert - April 2023

Timely updates on SMCR developments and regulatory announcements alongside helpful tips and services to assist in managing your SMCR compliance.

17 April 2023

This SMCR+ View Flash Alert follows the PRA's publication last week, as you may have seen, of its first Senior Manager Conduct Rule enforcement case, which relates to Senior Manager Conduct Rule 2 (a Senior Manager must take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system).

The Final Notice is in respect of the former Chief Information Officer (SMF 18) at TSB, who was responsible for the firm's performance of its obligations under the PRA's outsourcing rules (amongst other things). The PRA considered him to be in breach of SCR 2 because of failings in relation to an IT migration event which occurred in 2018 (see the FCA and PRA press releases). Whilst this case relates to a bank and has been brought by the PRA, we still think that there are points of interest for solo-regulated firms.

Here is a note which outlines our key thoughts on the Final Notice, but in summary:

  1. This is quite an obvious case to bring given the scale and public nature of the IT migration failures. Therefore, it isn't particularly helpful for firms in answering the critical question of where the threshold lies for finding an SCR 2 breach.

  2. The PRA does not consider the Duty of Responsibility, despite that being an avenue open to them, and they don't delve into what steps would have been considered reasonable in this scenario. As the case settled, we likely won't get more clarity on what reasonableness means in the context of the Conduct Rules until a case is challenged and taken to the Upper Tribunal (which could be some time).

  3. There are some key lessons learned, including the importance of (i) ensuring that internal documents recording responsibilities (both regulatory documents such as SoRs, but also other documents such as risk registers) are up to date and aligned, (ii) Senior Managers considering risks holistically, (iii) ensuring that management information is complete and fulsome, particularly where significant weight is being placed on particular reports, confirmations, etc., and (iv) keeping a formal paper trail and showing a Senior Manager's workings, particularly where significant or important decisions are being taken.

  4. There are also specific takeaways for Senior Managers who have responsibilities relating to outsourcing, including in relation to intra-group outsourcings, the level of oversight required and expectations in relation to 4th party providers.

For information or advice on SMCR, contact our SMCR Team.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.