PRESENTER: Third of January 2018 and MiFID II is in play. So in this, the second of our Akademia Compliance Workshops, we’ll focus on the senior managers and certification regime, and what the financial services industry should be aware of and the challenges lying in wait. Joining me to discuss will be Gillian Boston, Head of Business Consulting for AutoRek. There’ll be three key learning outcomes: the senior managers and certification regime, why relevant now; what will change for transaction reporting under MiFID II; and potential regulatory challenges in 2018 and how to be prepared. But first we’ll start with SMCR and the changes to be aware of.
GILLIAN BOSTON: As you rightly say the senior managers and certification regime has been in place since 2016, but that was for the banking industry, so that included building societies and credit institutions as well. But it’s now being rolled out to insurers as well as to investment and credit consumer firms. So what that means, really it was put in place initially in the banking industry because of misconduct, and what we saw there was since 2009 the fines and redress costs alone in the UK have been £35bn. So there was kind of an inevitability it was going to make its way into other sectors as well.
So it’s been extended as I say to insurers and to investment and consumer credit firms, and the policy statement is expected by the end of May 2018 from the FCA. So there’s going to be 47, approximately 47,000 firms affected, and they’re going to have to adhere to the SMCR, or the accountability regime as it’s often referred to, and of those 47,000 firms it’s going to mean approximately 156,000 approved persons: 89,000 of those will be senior managers, and those senior managers will need to be approved by the FCA, or approved by regulators, and the 67,000 certified persons, they’re going to have to be certified if you like by their own firms. And that certification is an annual process. So isn’t a one-off, it will be a continuing process.
In terms of that approval of that certification, it really means is that person fit and proper, is that person competent to hold the role? In terms of implementation costs, they reckon it’s going to cost approximately £700m to implement this, with ongoing costs of £150m. So quite staggering figures, but of course that’s already on top of, you’ve got CASS enhanced insurance standard, and the additional costs that firms have had from that, as well as MiFID II implementation. So there’s a lot to consider for firms.
PRESENTER: So these changes, since 2006, are they just pretty much who it applies to, or are there other key changes that we need to?
GILLIAN BOSTON: Well we won’t really know until we see the policy statement. But pretty much what’s been rolled out in terms of the approval and the certification of people for their roles should largely be the same. But as I say we need to wait to see the finer detail in May 2018.
PRESENTER: So then how would you say is the best way to approach allocation of responsibilities, and also statement of responsibilities?
GILLIAN BOSTON: So I think the first thing is really for a firm to understand how they fit into the regime, because there are different scopes if you like. So for example you have the limited scope firm, and really that’s a firm where there aren’t as many senior management positions, or senior manager functions if you like, and actually they probably have exemptions under the existing approved persons’ regime. Then you have a core scope firm, and that’s the majority of firms who are regulated by the FCA. And then of course there’s an enhanced scope. So these firms are more complex, and indeed their actions if you like could affect the market or indeed consumers.
So really when you talk about the larger firms, you’re talking about a large CASS firm, or indeed firms who have in excess of £50bn assets under management. They will absolutely be enhanced firms from the SMCR perspective. Now, of the 47,000 firms I mentioned originally, approximately 33,000 of those will be limited scope, 13,500 will be core scope, and then it’s your 500, your big players, will be enhanced scope under the regime.
PRESENTER: So has duty of responsibility changed, or indeed will it?
GILLIAN BOSTON: So under the duty of responsibilities, it’s really as I said before, it’s about making sure people are fit and proper or competent to do their roles. So we think about the senior managers first. They have to be approved by the regulator, so approved by the FCA. And also they have to have a statement of responsibilities, and this statement has to be very clear in terms of what their responsibilities and their accountabilities are. So that includes actually a senior manager who will be responsible for the senior managers and certification regime, and that will also include key conduct risks as part of that as well. Also the firm will need to certify, although the senior manager will be approved by the regulator, the firm themselves still need to certify on an annual basis that that senior manager is fit and proper for the role. So again it’s a continual assessment and not a one-off exercise.
Now if you compare that to the certification regime, what this means is that persons who aren’t senior managers but are still deemed to be if you like material risk takers. And in that I mean they could potentially have a significant impact to the firm, or indeed to consumers, they have to be approved by the firms themselves to hold their roles. So the type of things there if you like, if someone has to hold a qualification for their role, so a chartered accountant, they need to be a chartered accountant, and make sure they retain that professional qualification if you like. Or if there’s someone in a CASS oversight role, do they have the necessarily operational experience? Do they understand the client money and client asset rules? Do they understand how the audit works, and indeed how that applies, really how that applies practically? And again the firm would need to look at those certified individuals, and again do that annual certification as well.
So the FCA are also proposing new standards of behaviour, in other words conduct rules, and these will apply to just about every employee who undertakes financial services activities. So it’s things like treating customers fairly, it’s about diligence, it’s about honesty and discretion within the workplace. And really the crux of that is to drive up individual accountability, so the individuals understand what these conduct rules mean to their business and to the firm. And really I suppose training will play a big part in that, but also it’s the culture of the firm as well will play a big part of that as well. So for example if an employee was to breach a conduct rule, a good example of that may be if an employee misled a customer in terms of the risk of an investment, if they knowingly did that, then the firm themselves would have to notify the FCA when they’ve taken disciplinary action against that employee.
So in essence it’s about truly understanding your business, and it’s making sure you have the right people in the right roles, and ensuring that they are doing a fit and proper and indeed a competent job in those roles.
PRESENTER: So that sounds almost a bit like self-policing, is that the case?
GILLIAN BOSTON: Well I suppose if you think what it’s trying to do, and certainly the banking sector it’s about misconduct. So you could say it’s, I suppose it’s prescribing or indeed formalising or making more rigorous what you could argue should already be taking place. But yes it is pretty prescriptive in terms of what’s expected now.
PRESENTER: So technological solutions, what sort of solutions are out there to help managers manage this?
GILLIAN BOSTON: So obviously there’s a whole range of solutions out there, but I think the key thing is here in terms of the senior managers and control regime, the key thing is about making sure if you’ve got these responsibilities and accountabilities we have to be in control. So how do you make sure you’re in control? So for example if you think about data, it’s that transparency of data, it’s that good governance and the auditability of the data.
So it’s about having robust control regimes in place, and so you really understand what that data’s telling you. And if errors and issues occur that you can actually capture them, manage them efficiently and effectively, so for example before a regulatory breach does occur. And I suppose that’s opposed to manual processes and spreadsheets, which are still quite prevalent out there, but yes I think there’s a move away from that, the recognition that actually a lot can be automated to give that control that’s necessary, and you certainly see that coming through with the new regulations that are coming into place. It’s just not the place for manual processing and spreadsheets any longer.
Of course real time, meaningful and continuous MI is another factor here to play. And again that goes hand in hand with really understanding what your data is telling you: being able to surface those issues quickly and effectively, so you can act on them as quickly as you can. For senior managers themselves, it’s about ongoing status and changes, and what’s actually happening on processes. So a really good example I think is in the CASS space. So we were talking to CF10as, you have to have your rules mapping to your controls, but also there’s an errors and breaches log. So really it’s about the integration of that. If an error occurs CF10a wants to know straightaway what control has failed or hasn’t operated as expected. So again remediation can take place really quickly, and again that’s demonstrating you are in control and are taking responsibilities and accountabilities seriously if you like.
Trending and profile analysis, I mentioned, or gave the example whereby an employee potentially has misled a customer with respect to the risk of an investment. So if you’re doing trend analysis, and you’re seeing for example an unusual trend in investment that clients are taking knowing it is risky that could be an early warning sign that something’s not quite right. And responsibility maps, that’s another piece that’s required with the prospective senior managers and control regime. So it’s about having a single repository so you can see that full picture of that responsibility map as well. And of course technology or software can be applied right down to the lowest level of detail as well. So a good example of that would be if someone goes on holiday you have a user, you need to reassign that process, and it’s just having that clear visibility of your data and your processes to retain that control that you need.
PRESENTER: So moving on to transaction reporting now, what sort of things will change under MiFID II that’s coming into play in January?
GILLIAN BOSTON: So first up a lot more firms are having to do transaction reporting now, because the scope for transaction reporting has been extended under MiFID II. And of course in a nutshell there’s a lot more reporting to be done. So with the transaction reporting piece it’s gone from 25 data fields up to 65 data fields, so quite a big jump there. But of course I think with the 3rd of January, I mean it’s so close now, I think the shots have been fired by the FCA. Because of course there was a Merrill Lynch fine, where Merrill Lynch were fined £34.5m for not reporting some of their transactions, and actually what happened was there was £68.5m exchange traded derivative transactions that weren’t reported in accordance with EMIR, so the European Markets Infrastructure Regulation, they weren’t reported from February 2014 onwards.
So I do think the shots have been fired, because there’s a strong correlation there with MiFID II, and as I say with the 3rd of January just around the corner, you have to be ready for that.
PRESENTER: And you said they weren’t reported, was this more an oversight because they didn’t realise, or is this just trying to sweep it under the carpet? What do people have to be aware of there?
GILLIAN BOSTON: Well I think, I don’t actually know the ins and outs of exactly what did happen, but it’s very much about the completeness and accuracy of your data, and the measurements and reconciliations and the processes that have to be put in place, to ensure that you are capturing what you should be capturing in terms of reporting.
PRESENTER: So there’s really no shortcuts there.
GILLIAN BOSTON: So I think what speaks volumes is the recent speeches by Mark Steward, who is the Director of Enforcement and Oversight at the FCA. So I will actually, I want to read this out because it’s in response to the Merrill Lynch fine, and what he actually said was: ‘Effective market oversight depends on accurate and timely reporting of transactions. The obligations under EMIR as with MiFID II are key aspects of such oversight, and so it’s vital that reporting firms ensure that transaction reporting systems are tested as fit for purpose, adequately resourced and perform properly. There needs to be a line in the sand. We will continue to take appropriate action against any firm that fails to meet requirements.’
Now that was in response to the Merrill Lynch fine, so I think that’s a really clear message from the FCA there. And actually those remarks came only a month after Mark Steward’s speech at, it was the European Compliance and Legal Conference in 2017, and the most, or one of the most significant headlines here was that the number of investigations being undertaken by the FCA have actually increased in the past year by over 75%.
PRESENTER: But considering the size and the magnitude and the complexity of these changes, and the fact that it’s just around the corner MiFID II, it’s happening in January, will the FCA perhaps cut a little bit of slack at the beginning?
GILLIAN BOSTON: I think everyone would probably hope so, but again the salient points from Mark Steward’s speech, and again to read these out. He said: ‘The FCA do recognise the size, complexity and magnitude of changes that firms need to put in place for MiFID II.’ So there is recognition there. But he also went on to say that: ‘Firms will be in a good place if they can evidence that they’ve taken sufficient steps to meet MiFID II requirements.’ Now if you think of the flipside of that, what is the converse of that? So again it could be a very different disposition from the FCA if a firm isn’t prepared. And so again with the 3rd of January just around the corner, if you’re not prepared now then who knows what may happen.
PRESENTER: But these steps you mention, what are the steps that people should have been taking and need to be taking?
GILLIAN BOSTON: Well we know there’s been a lot of MiFID II projects out there, and again just specifically talking about transaction reporting, it’s the dry runs of the data, it’s the testing of the data. And if possible actually testing, doing some testing with your approved reporting mechanism to do that with your ARM if that’s been available to you. Although I have heard that some firms have only just in the last few weeks seen their reports for the first time, which does seem very close. But also it’s about having robust processes in place. So for example the reconciliations required to help make sure that your reporting is complete and accurate.
So in particular your three-way reconciliation whereby you need to have a process in place where it’s the data that you give to your ARM is data that the ARM holds, and then the data that the FCA holds, you have to do a three-way reconciliation, and again that’s teasing out and helping if you like that complete inaccuracy picture. But at the end of the day firms need to remember it’s their responsibility, they’re the firms that are regulated. So even if they are using an ARM the responsibility rests with them. So if you put that another way, the reporting is only as good as the firm’s data that they give to the ARM, and then what the ARM can give to the FCA, but the responsibility’s with the firm themselves.
PRESENTER: So let’s look at challenges then for 2018, and what does the year ahead pose?
GILLIAN BOSTON: So I do feel CASS is still a challenge for firms. We’re going to move into the second year of the application of the FRC’s assurance standard with respect to the CASS audits. And what should be happening next year is that auditors are going to look much more closely at IT systems, so systems and controls. And indeed even to the point where it’s been talked about they’ll actually look down to the code that sits behind systems. So that will be a big challenge for firms I think. And certainly if there have been, or as we know there’s been adverse opinions from the audits from this year, it’s the remediation of those issues that have been raised as well. MiFID II as we know, we’ve talked about transaction reporting, but if you think there’s the whole data storage, the voice recording, the data management so on and so forth.
So again that will be a focus I believe for next year as well. Some jurisdictions if you like are already changing reporting for [unclear 17:47] CRS. That’s still there, and we’re seeing changes happening now. There’s GDPR which we’ve talked about before of course. And that’s a right to be forgotten. So I think that will be quite a challenge as well. And of course that comes into effect in May 2018. There’s PSD2 in the banking sector. There’s also actually quite a lot of competition reviews occurring at the moment that’s been, well competition and market reviews by the FCA. So with that work that’s being undertaken you can only assume therefore that there will be perhaps consultation papers, policy statements and all that good stuff to come from the FCA as well. So it’s still a lot of regulation out there that firms are getting to grips with, and will continue throughout 2018 as well.
Well of course there’s Brexit, and who knows exactly what that’s going to mean for firms. But to think, if we think about senior managers and certification regime that we’ve been talking about this morning, there could be impacts there and particular firms decide to move outside of the UK.
PRESENTER: So come January 3rd what sort of position should firms be in, do you have a checklist, a summary of everything we’ve spoken about, what they should have done and the position they’re in, and then what to think about moving forwards?
GILLIAN BOSTON: So come January 3rd their transaction reporting should be flowing beautifully to their ARM and onto the FCA. But I think the proof will be in the pudding to see how many transactions are actually rejected, how much remediation work needs to happen so on and so forth. And some firms will be in a much stronger position than others. But I think if you look in general at the challenges for 2018 and onto 2019 as well, there’s definitely still a regulatory challenge out there for firms. There’s so much regulation out there. But I think also it could be a real opportunity with the senior managers and certification regimes for firms to maybe think more holistically about how they work and manage their data so that they can do that in a more efficient and effective manner. And one of the ways perhaps evidence of that is the emergence of the CDO, the Chief Data Officer, because they actually now have a seat at the board table.
PRESENTER: And so perhaps the Merrill Lynch thing, like you said it was a warning shot. So do you think that was almost a wakeup call for the industry as a whole to realise that they do have to have something in play, and perhaps there’s been heads in the sand a little bit? I mean how have you found sentiment when talking to people?
GILLIAN BOSTON: Well I think if you look back over the years, with transaction reporting there has been some hefty fines, but in general in the industry there have been fines for systems and control failings or reporting failures as well. I think it’s more a line in the sand, and in particular if you couple that with what Mark Steward said in his speeches. You know, it’s quite, the tone is there, but we’ll need to wait and see what action is taken if you like by the FCA.
PRESENTER: Super, so then to summarise, your final thoughts, what would you like people to take from this Akademia session?
GILLIAN BOSTON: I think I’d go back to the point about this holistic view. We do talk to firms who are talking about a holistic view when it comes to data. Because a lot of data that’s reported is reported in, it’s the same data but in a different way shape or form for different regulations. So I think if firms can maybe think about that. It’s not easy but if they can maybe look at it more holistically. And certainly join the dots in terms of that responsibility mapping and accountability and responsibilities that senior managers and indeed certified persons will have as well. If you can think about that data and use it more efficiently and effectively, I think that would go quite a long way to helping you meet those regulatory challenges.
PRESENTER: So if that’s already meant to have been in place, why would you say then there is a need for this?
GILLIAN BOSTON: I think if you look at the headlines, the headlines are really dictating or really looking at the fines that are being handed out by the regulator. And I do think that’s why, because again going back to what was put in place in the banking industry it was about misconduct, and £35bn of fines and redress costs.
PRESENTER: So do you think there will be a change?
GILLIAN BOSTON: I do, I actually do think there will be a change. Because firms really need to think about now, and put in place, and be able to evidence. So for organisationally a structure, so it’s about communications, it’s about those responsibility mappings, and it’s about committees and strategies. Now they may already be there, but again it’s about the evidence, the real solid evidence of that. There’s also the infrastructure. So again the mapping of those management functions, the statement of responsibilities as well as training, fit and proper checks, so on and so forth. And of course BAU checkers. So what happens if someone’s demoted or promoted if it’s a new role? Succession planning and all that good stuff that firms do, and probably do quite well at the moment, but it’s just about that rigour that is now required, and that evidence that has to be put in place under the new regime.
PRESENTER: So there is quite a lot to get your head around when it comes to that, so how can managers even go about finding the right tech solution for them?
GILLIAN BOSTON: So I think the tech solution is really about obviously a gap analysis. What does your firm need and why does it need it? So thinking about what do you want to achieve. If you’re using data now, can you use it better? What really do you want to achieve by being able to work more efficiently and effectively with your data? So things like thinking about data validation and integrity, does that need to be more robust? Thinking about the data that you have available, who needs to use it, how is it to be used, how is it to be reported? If that’s quite a long drawn-out process, which it can be if it’s manually manipulated, if it’s manually processed, and then as I keep referring back to, spreadsheets are involved somehow in there, then how robust and how much control do you really have over your data and your reporting in that scenario?
Thinking about the governance required as well, the clear lines of sight and delegation you need over data if you’re processing it, if you’re reconciling it, and if you’re reporting on it, whether that be internal or external. And of course if you think about MI as well, MI can still be a bit of a cottage industry within firms trying to produce the MI, whether it be for a board, whether it be just for an operational meeting. Again it can be tricky to produce real time and continuous MI, so meaningful MI. So if you get that right that can be a really powerful tool, in particular if we’re thinking about the SMCR, a powerful tool indeed for senior managers as well as for certified persons alike.
PRESENTER: But for those sort of people who want to keep things in-house, what sort of issues perhaps can this raise?
GILLIAN BOSTON: I work for a tech solution, so we have experience of that quite a bit. So I think the first thing I would say is larger firms indeed they can have multiple systems with multiple different formats, and it’s the amalgamation and consolidation of that data that can be quite difficult unless you have the in-house skills, and also the capabilities in the systems to allow that to happen. That can prove quite challenging. Also if you’ve got legacy systems it can be quite difficult to extract data from there. And of course the data that’s being extracted, these are operating systems. So you’re invariably trying to get data out of operating systems that say aren’t necessarily designed for regulatory reporting, so again it’s extracting the right data from the right systems and indeed matching it to try and get this golden source of data if you like, but then to be able to do your reporting accurately and completely, but also meeting the regulatory requirements.
So it’s not just about the extraction of the data, it’s actually understanding how that data should be reported. So again if it’s a new regulation you might not necessarily have that in-house expertise. So again you might have to go not externally just for a tech solution, but also external for consultancy to really understand how that needs to fit together.
PRESENTER: So what then would you say people need to consider when they’re deciding whether to go in-house or whether solution, I mean are there certain things that work for one or not for the other, or is it just a?
GILLIAN BOSTON: I suppose it really depends on the firm or the organisation. Invariably, certainly when we work with firms, we do come up against the same issues. And as I said it’s about the amalgamation and consolidation of that data to really get that golden source of data, because that can be difficult in situations. And then being able to use that data, and reporting it. But it’s the same source of data that you’re using for different reporting. Because you may have different departments doing that in different ways, and actually then that doesn’t always mean that the data’s consistent that is being reported. And then that leads to other reconciliations that need to be done.
So it can be quite a snowball effect in terms of a department over here not necessarily knowing, or a system over here that doesn’t talk to a system over there so, you know, the bigger the organisation the more of a challenge that potentially can be.
PRESENTER: So Gillian, a major issue to me seems like the fact that it’s human nature, nobody likes change. I mean could this be a potential issue?
GILLIAN BOSTON: It could be. You’re right, we don’t like change do we? I suppose from our perspective what we see is we kind of know what they are, well not kind of know, we know what they are if they’re possible, because we’re data management specialists if you like. But I suppose in an organisation if a certain area or an organisation embraces that change, then it can be a snowball effect. Other areas think about what the benefits and the efficiencies that have come say from automation if you like. And once that’s understood it’s almost like it’s a gradual process but once it starts to filter through an organisation, then you will see other areas looking to automation. Because I suppose to give an example of that, if you want to surface the like of errors and issues more quickly and more efficiently, if you can do that, then you actually might surface issues that you wouldn’t necessarily see otherwise, that could then lead to longer term remediation actions being taken. But if you’re still in a manual environment, you might not surface those issues. And they might go unnoticed for quite some time until a much larger issue ensues.
PRESENTER: And obviously there’ll be the rise of the CDO, the Chief Data Officer, how to get the best out of these sort of people?
GILLIAN BOSTON: Well I suppose it’s an amalgamation of what I’ve been saying really. It’s about understanding the power that data can have. I mean really when you think about it at the end of the day we are such a data-driven industry, so if you can really understand what your data is telling you, and also have that, almost like that one view throughout your organisation. So if you’re looking at it from a finance risk perspective or a market risk perspective, if you’re looking at a cut of the same data, then the decisions that are taken and the strategies that are put in place will be decided upon, upon the same data if you like. Now I know that sounds, you might be surprised at what I’m saying, but again if you’ve got those multiple systems with data that might not be quite as consistent, then there is a danger that decisions are taken on data that isn’t consistent and that they're, maybe the wrong decisions taken.
PRESENTER: Gillian, thank you.
GILLIAN BOSTON: Thank you very much Jennie.
PRESENTER: In order to consider the viewing of this video as structured learning, you must complete the reflective statement to demonstrate what you’ve learned and its relevance to you. By the end of this session you’ll be able to understand and describe the senior managers and certification regime, why relevant now; what will change for transaction reporting under MiFID II; and potential regulatory challenges in 2018 and how to be prepared. Please complete the reflective statement to validate your CPD.