SMCR + View - October 2023

We hope you all enjoyed the clock going back and that extra precious hour of sleep at the weekend. With Halloween upon us, we wish we could say this was a spookily quiet edition, but, as ever, there's a lot to cover including the regulators' Feedback Statement on Artificial Intelligence, responses to the Treasury Committee's Inquiry on "Sexism in the City", and changes to SMF application forms, amongst other things.

Also, we want to flag our D&I webinar on 1 November 2023 at 3pm, where we will be walking through the FCA and PRA's D&I proposals including the FCA's latest non-financial misconduct guidance - you can register here.

As always, we want to make sure this publication is as helpful as possible so if you have any feedback then please do let us know!

1. Treasury Committee Inquiry - Sexism in the City

This summer we flagged the Treasury Committee's Inquiry into "Sexism in the City", which aimed to explore the role of firms, the Government and regulators in combatting sexual harassment and misogyny. The Treasury have now published all written submissions.

Of particular interest is the Equalities & Human Rights Commission (EHRC) response which suggests that the complexity of the FCA's regulatory remit and finite resources may limit its ability to regulate non-financial misconduct (NFM). The EHRC states that it cannot solely be the role of the regulator to drive improvements and the government (and industry) need to take further action. The FCA also responded - nothing particularly novel - but they do focus on their desire for firms to be building 'pipelines' of diversity at more junior levels and (given this was submitted before their D&I paper was published) they trail a lot of their D&I proposals in the paper. These messages were reinforced in a recent speech by Nikhil Rathi where he stated that skills and talent are essential ingredients for delivering on the FCA's secondary objective of supporting international competitiveness. In the speech he highlighted the recent D&I consultation paper and stated that there is no place for "egregious" NFM. In the Transcript of the FCA's Annual Public Meeting 2023, Nikhil Rathi specifically stated that NFM is a "sensitive and difficult issue" and that the FCA "don't have the choice to not take a view" as to whether to take action when serious allegations emerge or indeed serious criminal convictions. He fully acknowledged that it's "difficult terrain" involving "other parties including the courts".

Perhaps of most interest was the oral evidence given by witnesses, including Baroness Helena Morrissey in October (after the FCA and PRA's D&I papers and their guidance on NFM were published). There is a discussion about CEOs not loving (or understanding) hybrid working and being keen to "switch it off" which would have implications for women in the workplace. The discussion around NFM is also interesting and notably there is a suggestion that the FCA should ask firms to disclose their use of settlement agreements or NDAs. Dame Angela Eagle was damning of the recent FCA NFM guidance in CP23/20 calling it "pretty pathetic" and there has been criticism from the witnesses that the proposals suggest that bullying is fine and only "serious" bullying is not acceptable ("serious" being undefined). All in all, there was a call from those involved for the regulatory regime to have "more teeth" (or a "really toothy intervention" ?!) , indicating a need for a stronger and more assertive intervention.

We are doing a lot of work in this space, and if you would like to join our D&I webinar on 1 November 2023 at 3pm, we will be talking about the FCA's NFM proposals as well as the broader FCA/PRA D&I proposals - register here.

If you have any questions, please reach out to Penny Miller (Partner), Andrea Finn (Partner), or Amy Sumaria (Managing Associate).

2. FCA - Dear Remuneration Chair letter

Hot off the press, today the FCA published its Dear Remuneration Chair letter which was sent to Level 1 banks, building societies and PRA designated investment firms. The letter outlines important things for the SMF 12 to consider including:

(1) the recent bonus cap policy statement (see more on this below)

(2) the Consumer Duty and how SMF 12s can use relevant risk metrics and performance criteria to help inform both individual and firm-wide remuneration decisions, including making remuneration adjustments if progress in embedding the Duty falls short

(3) ensuring that there is a clear, strong and evidenced link between behaviours and remuneration outcomes, including appropriate, timely and transparent adjustments, all in the context of promoting healthy cultures and ensuring robust and prompt action is taken in non-financial misconduct

(4) the D&I consultation papers and the FCA highlight their expectation of firms to maintain gender neutral pay policies and make sure that awards of variable remuneration do not discriminate on the basis of any protected characteristic, and (finally)

(5) sustainable finance and specifically referencing the Transition Plan Taskforce (TPT) which recommends that firms disclose how they plan to align their remuneration and incentive structures with the strategic ambition of their transition plans. Although the TPT's disclosure framework was developed in the context of the climate transition, the FCA suggests that firms may find its conceptual underpinning and key considerations relevant more widely

This is the last letter to SMF 12s for the next two years, but in the meantime SMF 12s need to consider this letter and the FCA welcome their response on how they will be adopting the principles outlined above.

If you'd like to discuss this further please get in touch with Amy Sumaria (Managing Associate).

3. FCA - changes to SMF application forms

As previewed in the last SMCR+ View, and following feedback from user testing, the FCA has confirmed that it has begun to roll out new Form As (they've said they get 15,000 applications a year!). The forms have been amended to "make it quicker and easier for firms and individuals to apply for authorisations"... only time will tell if this has been successful! The FCA has also confirmed that it plans to reduce the overall number of forms required from firms, and that it has invested in new technology to enable quicker implementation of any future changes to the forms. The FCA has also updated the Form A webpage to include a number of FAQs - i.e. why are they changing the forms, what are the benefits, who does it impact etc.

The PRA is also proposing, in Occasional Consultation Paper CP 22/23, minor amendments to its Form C and Form D to reflect the new Consumer Duty and allow firms to notify the PRA if there has been a breach of the new Individual Conduct Rule 6 (deliver good outcomes to retail customers). The deadline for feedback is 13 November 2023 with the new forms expected to be in place by December 2023.

We note that in Nikhil Rathi's speech he confirmed that the median processing time for Senior Manager applications is 40 days (50 days ahead of the statutory deadline). This is reinforced in the FCA's 2023 Annual Public Meeting transcript which stated that in Q1 of the relevant year, 94% of Senior Manager applications were approved within the statutory period.

For any questions please contact Amy Sumaria (Managing Associate).

4. New Corporate Criminal Law

The Economic Crime and Corporate Transparency Act recently received royal assent bringing with it two major reforms to the law on economic crime. We've included some highlights below on this topic. These will be of interest to senior leaders and Board members in particular:

• Corporate criminal liability: Act introduces a new test which means criminal liability will be attributed to firms for a wide range of economic crimes based on whether a "senior manager" was involved in the offence. Whether a "senior manager" is in scope will depend on the decision-making power of the senior manager, as opposed to their job title, with the intention being to bring individuals such as the CEO or CFO within scope of the offence.

• Failure to Prevent Fraud: Act introduces a new offence whereby firms will be liable if their "associates" (i.e. employees, agents or others acting on their behalf) commit a range of fraud offences intending to benefit the firm. Examples of this offence include mis-selling, manipulation of financial forecasts or account, or issuing company statements that are knowingly misleading.

Our team has published podcasts on these topics, which you can access here. For further information in this area, please reach out to Camilla de Silva (Partner) and Nick Benwell (Partner).

5. PRA and FCA - Feedback Statement on Artificial Intelligence and Machine Learning

Remember DP 5/22? We'll forgive you if you don't, but effectively the PRA and FCA asked stakeholders whether existing regulatory requirements and guidance are sufficient to address the risk and harms associated with AI. The regulators have now published their Feedback Statement, summarising the responses received. The feedback highlighted most respondents' view that no new "AI SMF" role or "AI prescribed responsibility" is required given there are so many possible applications of AI within businesses and rather responsibilities can be reflected in existing Prescribed Responsibilities and statements of responsibilities. Of course there were dissenting voices too, so we will need to see where the regulators land. Many respondents believed existing regulatory requirements (including SMCR) and firm governance structures are sufficient to address AI risks but asked for further guidance, e.g., as to how to interpret "reasonable steps" in the context of AI. Some respondents noted that there may not be sufficient skills and experience within firms, including among senior management, to support the level of oversight required to ensure technical (e.g. data and model risks) and non-technical (e.g. consumer and market outcomes) risk management. We know that the collective suitability and skills of the Board in relation to AI has been something that firms and the regulators have been thinking about for some time.

Another thing to note, the Corporate Governance Institute UK & Ireland have also issued a warning for UK corporate boards regarding their governance approach to AI, which is a helpful read and might be helpful for firms considering how they build out their AI governance frameworks.

To discuss AI further, please contact Minesh Tanna (Partner) and Angus Brown (Supervising Associate).

6. PRA - PS 9/23 - Policy Statement on the bonus cap

Cast your minds back to the first SMCR+ View of this year, and you may remember the PRA and FCA's joint Consultation Paper on the bonus cap for dual regulated firms. The PRA has now published its long-awaited Policy Statement removing the limit on the variable remuneration paid to material risk takers (MRTs) in banks to two times salary (Bonus Cap). The policy change takes effect from 31 October 2023, after which time banks can choose to set their own maximum ratios of variable to fixed remuneration.

Banks now need to decide whether and when to implement the policy change. This decision will not be straightforward. Because of the Bonus Cap, many banks awarded MRTs role-based allowances (RBAs), a form of fixed pay, to supplement variable remuneration. Banks may choose to implement a higher ratio and remove RBAs. However, depending on the contractual arrangements in place, RBAs may not be able to be wound back unilaterally, giving rise to complex employment law considerations that will need to be worked through. Banks will also need to consider potential diversity and equity issues, in addition to deciding what the new ratio should be and the governance processes needed to support its implementation.

For any questions, please reach out to Tair Hussain (Partner) and Colleen Cassidy (Supervising Associate).

7. PRA - Dear CFO and Dear CRO Letters

The PRA has been busy with Thematic Reviews, and has published a Dear CFO letter setting out its findings from its thematic review of written auditor reports, and a Dear CRO letter sharing its findings from its thematic review of fixed income financing. From an SMCR perspective, these letters are worth highlighting to your relevant Senior Managers.

The Dear CFO letter includes thematic findings on climate risks (which is a quasi-prescribed responsibility for dual regulated firms). There is recognition of firms being at different stages and the availability of data and management information (MI) being varied. Areas of focus for 2024 include greater oversight of climate risks by those responsible for financial reporting, agreeing detailed plans and timeframes for developing climate accounting capabilities with key committees, to enable progress tracking and reporting to ensure plans are executed in a timely way.

The Dear CRO letter needs to be shared with the Board Risk Committee and the PRA expects a benchmarking exercise to be conducted against their observations and this, plus any remediation plans, to be shared with the relevant supervision team by 8 December 2023. This letter comes following "episodes of extreme volatility and illiquidity" in even the deepest markets. The letter highlights PRA observations and expectations of practices that firms should build into their risk management of matched book repo business. These include the PRA observing a number of shortcomings in firms' counterparty risk management processes. The PRA states specifically that stress scenarios should be formally linked to risk exposure monitoring and should be incorporated fully into the decision-making and governance processes of the second line of defence. They also want firms to ensure that operational processes and margining platforms are sufficiently robust and scalable to cope with extended periods of heightened market volatility which should lead to exceptional margin payment flows and securities settlements that mitigate these counterparty risks.

If you have any questions, please reach out to Alex Ainley (Partner) or Amy Sumaria (Managing Associate).

8. Use of WhatsApp - an update

The use of WhatsApp and other messaging systems has been in focus in the United States for some time and the SEC has issued significant penalties: 16 financial firms have been fined a combined $1.8bn after staff discussed deals and trades on personal devices; 9 Wall Street firms have been fined a combined $549m over employees' use of personal messaging apps; and a number of traders have been fired for using WhatsApp and other unauthorised messaging platforms. UK regulators are beginning to take similar action. For example, following an investigation into Wyelands Bank, the PRA found that senior staff regularly exchanged messages on WhatsApp in respect of the bank's strategy, as well as actual and potential transactions and the bank had failed to adopt appropriate policies and procedures in relation to the retention of business-related correspondence and records.

A number of firms, both buy and sell side, are starting to consider this more closely, including US groups which are seeking to balance SEC scrutiny with EU/UK GDPR/employment law requirements. Please get in touch if you'd like to discuss this with us further.

9. FCA - Final Notices - there's a few!

• The FCA has published a Final Notice fining Equifax Limited ("Equifax") £11,164,400 for breaching Principle 3 (organise and control affairs responsible and effectively), Principle 6 (pay due regard to the interests of customers) and Principle 7 (pay due regard to the information needs of clients) due to failures in relation to the risk management of outsourcing of data processing, amongst other things. This is particularly interesting because it involves intragroup outsourcing (and in particular a UK regulated entity's reliance on a US parent) and highlights the importance of regulated firms ensuring that there is appropriate risk management of intra-group outsourcings. It highlights failures in management information and the fact that the Board was presented with information that was too high-level and unstructured meaning they couldn't exercise meaningful oversight of information/data security matters. We'd suggest the SMF responsible for outsourcing framework (often the SMF 24) and SMFs responsible for overseeing specific outsourcing arrangements take note of this.

• This Final Notice fined ADM Investor Services International Limited ("ADMISI") £6,470,600 as a result of inadequate risk management frameworks. The FCA originally conducted a Periodic Assessment and required the firm to complete a Risk Mitigation Programme, but two years later a number of issues remained. Again, this Final Notice highlights the importance of clearly delineating responsibilities for matters between different teams and lines of defence, record keeping and ensuring that the MI provided actually allows those receiving it to effectively oversee and assess particular matters. It also highlights the importance of effectively remediating matters once an issue has been identified.

• The FCA has published a Decision Notice against Mr. James Staley, who has referred the decision to the Upper Tribunal. Mr. Staley was found to have breached Conduct Rule 1 (act with integrity), Conduct Rule 3 (be open and cooperative with the regulators) and Senior Manager Conduct Rule 4 (disclose appropriately any information which the regulators would reasonably expect notice). As such, the FCA fined him and prohibited him from performing any senior management or significant influence function for any regulated entity. This is in relation to disclosures made to the FCA regarding Mr. Staley's relationship with Mr. Jeffrey Epstein.

If you have any questions, please contact Emma Sutcliffe (Partner) or Richard Sims (Partner).

10. FCA - Account Closures and Data Protection

Last month we covered the FCA's report on UK payment accounts. This month the FCA has issued a statement following the independent report commissioned by NatWest into decisions on potential account closures and data protection matters. As part of its ongoing supervisory activity, the FCA has said it is considering the processes, systems and controls that were in place regarding these matters, the allocation of responsibilities (noting that the independent report wasn't asked to look into individuals' conduct), and relevant governance mechanisms. As mentioned before, we have a podcast on "Debunking Debanking" and this podcast on DSARs in a debanking context.

Please reach out to Andrea Finn (Partner) or Oliver Irons (Partner) if you have any questions.

11. FCA - the new Financial Promotions Gateway (PS 23/13)

This will be something for your SMF 16s (most likely) to consider given the importance of this change and the associated timeframes . In summary, if your firm approves financial promotions for unauthorised third parties under Section 21 of FSMA and wants to continue doing so, it needs to submit a variation of permission application to get the relevant approver permission. This process is set out in PS23/13 and SUP 6A of the FCA Handbook. Existing authorised persons can apply to the FCA for permission from 6 November 2023 to 6 February 2024. If a firm doesn't do this it will need to stop approving financial promotions for unauthorised persons on 7 February 2024 (unless an exemption applies).

On the people side, the FCA wants tighter control and oversight of who is approving what, and wants to ensure that approvals are given only by appropriately knowledgeable people. Firms will have to demonstrate that they have employees with the necessary competence and expertise. The FCA expects firms to maintain what would reasonably be considered an acceptable level of competence in relation to the types of financial product for which they approve financial promotions. The FCA also expects firms to maintain their in-house expertise in relation to approving relevant types of financial promotion. Therefore, if a firm loses access to this expertise and it is not replaced, the FCA expects the firm to stop approving promotions for products related to this expertise and notify the FCA.

Firms should confirm now whether they approve financial promotions, either for group entities or for third parties and therefore what action needs to be taken including how relevant firms will continue to approve them moving forwards. Our guide summarises the 10 things firms need to know about the financial promotions gateway.

We are running a webinar to discuss this in more detail on Friday 3 November 2023. Please contact Alex Ainley (Partner), Catherine Weeks (Partner), and Camilla Jessel (Managing Associate) if you would like to join.

12. Other

Finally, published today is the latest FCA Market Watch 75 which looks at market soundings under UK MAR which may be of interest to your Senior Manager responsible for market abuse policies/procedures/controls/training. If you have questions on this then please get in touch with Alex Ainley (Partner).

Please do get in touch with us if you would like to know more: Alex Ainley (Partner), Catherine Weeks (Partner), and Camilla Jessel (Managing Associate).