Telling tales out of school: when do you report low level misbehaviour to the FCA?

Under the Senior Managers and Certification Regime (“SMCR”), firms are required to identify and report to the FCA any instances of disciplinary action taken in relation to conduct that would amount to a breach of one of the SMCR Conduct Rules. Almost all financial services workers are, or will soon be, within scope of the SMCR Conduct Rules (regardless of their seniority).

As the FCA seeks to use SMCR as a “lever” to drive culture change, firms must show they are implementing an appropriate framework for the identification and reporting of Conduct Rule breaches; and to minimise employment law risk, the framework should be fair to individuals.

Accountability for all staff

The biggest change to individual accountability in the UK as a result of SMCR is the extension of personal regulatory accountability to all staff of regulated firms, save for “ancillary staff” (whose work is purely administrative).

The Conduct Rules under SMCR apply to all staff other than administrators, making the majority of financial services workers (“Conduct Rules Staff”) directly accountable to the regulators for the first time. For banks, a handful of PRA-authorised investment firms and insurance companies, this is already the case. For firms regulated only by the FCA, the Conduct Rules were extended to their senior managers and certification staff in December 2019, and will apply to all of their Conduct Rules Staff from December 2020.

Under SMCR, any disciplinary action taken by a firm in relation to conduct that would amount to a breach of a Conduct Rule must be reported by the firm to the regulators. The frequency of reporting varies according to the level of seniority of the individual who has been in breach, but the consequence is the same – a permanent regulatory black mark without a “sell-by” date, that is almost certain to route any future application by the person for approval to perform a controlled function into the dreaded “non-routine applications” sub-division (heralding longer timeframes, difficult questions asked and the risk of an embarrassing invitation from the regulator to one’s employer to withdraw the application for approval). It is also a matter which the firm would be obliged to include on any regulatory reference, which could also damage the individual’s future employability. 

There have long been regulatory obligations to report any significant regulatory breach by a firm or its senior management – Principle 11 requires that anything of which the regulators would reasonably expect notice should be notified promptly to them.

The Conduct Rules breach reporting regime is less intuitive to implement in practice than the Principle 11 requirement, because there is no significance threshold attached to the new obligation to report – any misconduct for which a person has been disciplined (with the lowest threshold being the issuance of a formal written warning) is notifiable to the extent that it relates to conduct which would amount to a breach of a Conduct Rule.

What would amount to a breach of conduct rule, and who decides?

Given the serious potential consequences for an individual’s career, ensuring consistency in identifying reportable Conduct Rule breaches is both fundamentally important from a fairness perspective (and therefore for employment law risk), and very difficult to achieve in practice. The Senior Management Function holder who holds the Prescribed Responsibility for implementation of the Conduct Rules regime is ultimately accountable for achieving this.

How can it be achieved? In our view, it is important for consistency purposes that anonymised records are kept of why particular disciplinary incidents have been deemed reportable as Conduct Rule breaches, and others have not. We have also seen some good practice where firms’ senior management meet to agree, in principle, what types of misconduct they would generally consider to breach a Conduct Rule, and which they would not.

Conclusion

It is still early days for the Conduct Rule breach reporting regime, so one would hope that there is still a fairly forgiving approach by the regulators to firms who don’t get it right all of the time. As SMCR beds in though, the FCA has higher expectations of firms, including that firms should use the process of embedding SMCR as a “lever” to drive cultural improvements e.g. by stamping out “non-financial misconduct” which the FCA now says is “as important” to tackle as “financial” misconduct (e.g. market abuse).

In this context, in the coming year it will become increasingly important for firms to be able to show that there are strong systems and controls in place for the effective identification and timely reporting of disciplinary incidents that amount to breaches of the Conduct Rules, even where such breaches are not sufficiently serious to be deemed “significant”.