20.09.2024

SMCR Fines: Will I be fined for an SMCR breach?

In the fast-paced financial world, it’s easy for things like the Senior Managers and Certification Regime (SMCR) to drop down the to-do list. But managing compliance is much more than a tick-box exercise: mismanagement can be reputationally damaging and result in penalties. As two recent fines issued by the Prudential Regulation Authority (PRA) show, those fines can be issued to individuals rather than to the firm.

What SMCR fines have been issued?

Since its implementation, SMCR has put a focus on the accountability of the individual within the firm. Two recent SMCR fines issued by the PRA are of particular interest because, despite the firm being at fault, the fines were issued to individuals for a lack of due diligence.

In April 2023, Carlos Abarca was issued a fine of £81,620 by the PRA due to issues and service disruptions during TSB’s IT migration in 2018. Abarca was shown to have displayed a lack of due diligence by failing to ensure that the risks of migration were identified and mitigated. As CIO, he was expected to take reasonable steps to mitigate these risks and avoid the significant disruption to TSB’s customers. In this case, TSB was also fined by the PRA and the Financial Conduct Authority (FCA).

In January 2024, Iain Hunter at Wyelands Bank was fined £119,000 by the PRA due to large exposure regime breaches and issues with record-keeping. Hunter was shown to have acted without due care and diligence. In this case, because the firm was already in financial difficulty, Wyelands Bank was not fined, but Hunter was not given the same leniency.

In both of these cases, the fine may have been avoided if the individuals had taken reasonable steps to comply with SMCR.

Why were the SMCR fines issued?

The SMCR requires senior managers to take reasonable steps to ensure compliance. This means identifying risks and putting procedures and processes in place to mitigate them. What counts as “reasonable steps” can vary depending on the firm, but it ultimately means putting in a strong line of defence against regulatory risk to protect the firm and its customers. This can mean showing clear accountability, delegating responsibilities and having a process to manage risk effectively.

In the example of Wyelands Bank, the controls and measures put in place were not proportionate to the potential risk. In this particular case, rigorous controls and clear oversight were needed. Hunter should have allocated responsibilities clearly to show accountability, but this was shown not to be the case.

In the TSB case, Abarca gave assurance to the TSB Board that the third party they were using was prepared for the migration. He did this without carrying out further due diligence on the assurances from the third party. As the CIO of TSB, Abarca was responsible for taking reasonable steps to verify these assurances to mitigate the risk.

What are reasonable steps to ensure SMCR compliance?

News of hefty fines, particularly against individuals, can be concerning, but making sure SMCR is a top priority in your organisation can mitigate the risk. To avoid being in breach of SMCR, senior managers should be able to demonstrate they have taken reasonable steps to avoid a breach occurring or continuing. Reasonable steps might look like this:

  • Taking steps to sufficiently understand the firm’s activities for which they are responsible.
  • Taking reasonable care in considering information and reaching a reasonable conclusion on which to act.
  • Taking reasonable care to inform themselves appropriately when participating in collective decision-making.
  • Obtaining sufficient knowledge about regulatory concerns and, if put ‘on alert’, responding appropriately.
  • Taking reasonable steps to maintain adequate systems and controls for the firm’s activities for which they are responsible.
  • Obtaining independent expert opinion where appropriate, including from outside the firm.
  • Delegating any responsibilities reasonably and appropriately.

You can read more about the duty of responsibility in our blog post Duty of Responsibility under SMCR. Managing compliance doesn’t have to be complicated. If you would like information and support to manage your SMCR compliance, get in touch now.