Governance, Risk Management & Culture has been saved
Governance, Risk Management & Culture
Financial Services Internal Audit Planning Priorities 2022
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.
4.1. Embedding SM&CR
Why is it important?
Improving culture in financial services is a continuing priority for the Financial Conduct Authority (FCA). One of the ways it has attempted to improve culture is through The Senior Managers and Certification Regime (SM&CR). In brief, its aim is to ensure senior decision-makers in firms have clearly assigned responsibilities and are accountable for actions within their sphere of activity. There are three components to SM&CR: The first part of the legislation, the Senior Managers Regime, states that those at the top level must be FCA approved before taking up a position and certified at least once a year. The second part of the legislation, the Certification Regime, ‘applies to employees whose role means it’s possible for them to cause significant harm to the firm or its customers’ and firms need to ensure that they are fit and proper every year. The third part is the Conduct Rules which set the standards of personal conduct against which employees are held to account by the FCA.
- Whilst SM&CR is not new, since its introduction in 2016 there have been a number of additions and enhancements to the regime. Further, certification is still fairly new, particularly to solo regulated firms for which the deadline for them to have undertaken the first assessment of the fitness and propriety of their Certified Persons was the end of March 2021.
- The FCA has stated that it will continue to focus on the four key culture drivers in firms—purpose, leadership, approach to rewarding and managing people and governance—together with their effectiveness in reducing the potential harm from firms’ business models and strategies.
- The FCA published its SM&CR Banking Stocktake Report in 2019 and in December 2020 the Prudential Regulation Authority (PRA) published a report entitled “Evaluation of the Senior Managers and Certification Regime”. Generally, it was felt that the implementation of the SM&CR was successful and that it was driving positive behaviours in the industry with firms having robust frameworks with several checks and balances in place. However, there is still a need for SM&CR to be further embedded.
- The Conduct Rules set minimum standards of individual behaviour in financial services. Firms should have in place appropriate training and procedures to enable them to identify, monitor and where applicable, report on any Conduct Rule breaches. This approach should be embedded within the day to day running of the business, taking into consideration positive and negative indicators as stated within FCA guidance.
- New rules on a Consumer Duty are expected by July 2022. There is not yet a sufficient level of detail on how the FCA will supervise and enforce any new rules, however, it is likely that the new rules will impact on the existing Principles. The Consumer Duty is intended to set a higher standard of care and expectation beyond current FCA Principles and Rules. In-light of this, further consideration should be given on where the accountability for the firm’s duty of care to consumers should sit within the firm.
What should Internal Audit be doing?
|Area of Focus
|Assess how governance and oversight arrangements including roles and responsibilities, stakeholder engagement and Committee reporting are documented and embedded.
|Approach for SM&CR population
|Assess the approach taken to define the SM&CR population and capture the SM&CR requirements for the chosen firm categorisation in line with Senior Management Arrangements, Systems and Controls (SYSC) requirements.
|Review the mapping of Senior Management Functions and Prescribed Responsibilities within the Statement of Responsibilities (SoRs) which outline the accountabilities of each Senior Manager is in line with SYSC including reasonable steps; evidenced by sample testing draft statements issued to Senior Managers.
|Regulatory references/conduct rules
|Understand and review the approach to obtaining SM&CR regulatory references and the application of Conduct Rules.
|Review processes and controls in place for Certification Regime requirements including; in-scope staff competence assessments, fitness and propriety evaluations and certificate issuance in line with FCA rules and guidance.
|Internal Audit should start to consider the new Consumer Duty in the context of SM&CR in due course.
4.2. Third Party Risk Management—Regulatory Requirements
Why is it important?
No organisation operates in isolation, however, whilst not every organisation is increasing the volume of engagement with third parties in its ecosystem, we are seeing a trend of organisations becoming increasingly reliant on third party relationships. Reasons for this include the nature of the relationships, how bespoke the services are being tailored (making substitutability challenging), or even how ‘close to core’ the services are. Regardless of the reason, increasing reliance on a third-party ecosystem is clear and this makes the management of that ecosystem all the more important. Furthermore, the financial impact of a failure in this ecosystem is costly (through fines, loss of custom or reputational damage). In addition, the COVID-19 pandemic has rapidly increased focus on third party risk as firms have seen accelerating digitisation across entire operations, with traditional services and operating models requiring unprecedented changes to new ways of working in such a short space of time.
Regulators are providing more clarity and greater harmonisation of third party risk regulations in 2021, providing increased direction for firms operating across multiple jurisdictions, greater linkages to third party management and operational resilience across group level entity structures and heightened data security requirements, including use of the cloud. Our experience has shown firms that acknowledge the cross functional nature of third party risks and implement third party oversight in a holistic manner, enabled through technology, achieve far greater clarity and consistency compared to firms that assess individual third-party risks in individual siloed teams.
While financial services Internal Audit functions will already be aware of a number of regulatory requirements, there have been significant new regulatory developments in 2021 on third party risk that have broadened requirements for firms.
The Prudential Regulation Authority’s (PRA’s) Supervisory Statement (SS) 2/21, that was published in March 2021, ‘Outsourcing and third party risk management’, makes it more explicit that firms are now expected to assess the risks and materiality of all third party arrangements, including those that do not fall within the definition of ‘outsourcing’ and have clearly articulated that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach.
In addition, the PRA’s SS2/21 and their other SS5/21 on ‘International Banks: The PRA’s approach to branch and subsidiary supervision’, have started to increasingly focus on the risks that may arise from intra-group outsourcing. The Regulators do not necessarily consider intra-group outsourcing as carrying less risk compared to external outsourcing services, but they acknowledge that firms may adjust due diligence requirements and adapt contractual clauses depending on the level of ‘control and influence’ it has over the intragroup entity.
What should Internal Audit be doing?
Internal Audit should consider if the firm has an adequate Third Party Risk Management (TPRM) framework embedded across the business and should examine this from both a design and an operating effectiveness perspective:
Assess if the following factors are designed adequately:
Assess control performance in the following areas:
Hot topics—Given the uncertainty brought about by the COVID-19 pandemic, particular focus should be given to understanding how the TPRM framework assesses and monitors financial insolvency, operational resilience, subcontracting risk and digital risk. For example, Internal Audit should be understanding how the business is utilising tools that enable access to real-time information to supplement the more traditional ‘point-in-time’ data that is collected, which we are seeing has become a key funding priority as firms continue to respond to the pandemic.
Regulatory compliance—Assess adherence to key regulatory requirements, including the:
- Financial Conduct Authority’s (FCA’s) SYSC 8.1 general outsourcing requirements;
- FCA’s Senior Managers and Certification Regime, particularly SMF24 responsibilities;
- PRA’s SS2/21 Outsourcing and third party risk management, and relevant sections of SS1/21 and SS5/21; and
- Outsourcing guidelines published by European Banking Authority, European Securities and Markets Authority, European Insurance and Occupatonal Pensions Authority and others.
4.3. Remuneration – Risk and Reward
Why is it important?
In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for UK and EU regulators, given the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance within the UK and at EU level relating, for example, to how firms should identify their “Material Risk Taker” population and how variable remuneration should be determined and allocated to individuals based on performance, while ensuring that variable remuneration is appropriately adjusted for risk and does not impact a firm’s ability to maintain a sound capital base.
For banking and asset management firms, there is a specific UK and EU regulatory requirement that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis. For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s Board can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.
- While equivalent principles apply across the banking, asset management and insurance sectors, the remuneration rules and latest developments are specific to each. Across all sectors however, we have been seeing an increased focus from UK and EU regulators on the implementation of existing rules.
- The requirement in the remuneration rules applicable to banking and asset management firms is for the implementation of remuneration policy to be subject to a central and independent internal review each year. In a banking context, regulatory guidance expects this review to be undertaken by Internal Audit. For asset management firms, the current guidance is less prescriptive, although does expect firms to ensure that the review is independent. Draft EU guidance for investment firms under the upcoming Investment Firms Directive (IFD) suggests that Internal Audit will be expected to undertake this review, while near-final UK guidance for UK investment firms is less prescriptive. In practice, some firms will undertake a comprehensive review on a periodic (e.g. 3 yearly) basis and then review particular areas in more detail on a rotational basis each year. However, it will be important to ensure that material changes in policies, processes and practices year-on-year are considered, to ensure continued compliance with the remuneration rules.
- For firms in the banking sector, the amended remuneration rules under the Capital Requirements Directive (CRD V) were implemented in the UK for performance years starting on or after 29 December 2020 (with the implementation date varying between jurisdictions across the EU). This has included certain changes in how Material Risk Takers should be identified and changes relating to the disapplication of certain remuneration rules on the basis of proportionality. In the UK, smaller firms are no longer permitted to disapply the limit on the amount of variable remuneration that can be awarded (the ‘bonus cap’) or to disapply clawback.
- Financial Conduct Authority (FCA) regulated investment firms will become subject to specific remuneration rules in a new Remuneration Code under the UK Investment Firm Prudential Regime (IFPR) from January 2022 (with equivalent rules applicable to EU firms under the IFD), with the result that many such firms and their senior staff may become subject to the rules on deferral, payment in instruments and malus/clawback for the first time.
- From an insurance standpoint, UK and EU firms must continue to comply with the Solvency II remuneration provisions (in place since 2016), and with the provisions relevant to remuneration under the insurance distribution regime (derived from the Insurance Distribution Directive (IDD)), aimed at enhancing consumer protection and mitigating the risks of conflicts of interests and mis-selling. UK firms must have regard to the Prudential Regulation Authority (PRA) guidance on the Solvency II remuneration provisions, while EU firms must take account of the European Insurance and Occupational Pensions Authority’s new Opinion, published in 2020, which sets out its expectations regarding the application of the Solvency II remuneration rules.
What should Internal Audit be doing?
Design: Review the processes in place around the current remuneration policies, remuneration governance frameworks and disclosures to ascertain whether they are compliant with the applicable reward regulatory requirements, including:
- Remuneration policies and ancillary policies and procedures, such as relating to the structure and determination of fixed and variable remuneration, the identification of Material Risk Takers, structure of variable pay awards (including performance conditions, link to values and behaviours, risk adjustment) and treatment of new hires and leavers;
- Governance including the composition and role of the Remuneration Committee and the role of control functions (e.g. Risk/Compliance) within broader reward governance, including the year-end process; and
- If applicable, specific focus should be paid to areas of the business where commission-based arrangements influence reward.
Implementation: Test the implementation of remuneration processes and procedures underpinning the remuneration policy to ensure they are robust and effective and are being operated in compliance with the applicable rules and regulatory guidance:
- Review the firm’s decision-making framework and the evidencing of this (e.g. input of control and other corporate functions, oversight of Material Risk Taker pay, assessments of firm’s capital soundness);
- Test controls within remuneration process and procedures (e.g.. Material Risk Taker identification); and
- Perform spot checks of systems and outputs.
Future state: Consider how the firm is adapting to future regulatory requirements via review of the firm’s readiness for future regulatory changes in reward (e.g. changes introduced under the IFPR or the EU IFD rules).
Reward structures: Assess the remuneration and incentive arrangements across all parts of the business to ensure that they are effective in encouraging a customer–centric culture and do not encourage inappropriate risk-taking.
4.4. Governance Culture
Why is it important?
The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) consider the robustness and effectiveness of governance frameworks as the foundation of an established business that manages risk effectively and complies with regulation. Corporate governance arrangements, and the culture they promote and support, are crucial to a firm’s regulatory compliance, as well as the long-term sustainable success of the organisation. One of the key mechanisms for the Regulators to ensure effective governance and a culture of accountability is the Senior Managers and Certification Regime (SM&CR). SM&CR has been in place for a number of years, however, firms continue to face challenges in ensuring responsibilities are clearly defined and the delineation between individuals’ responsibilities are clearly articulated, including for newer areas of responsibility, for example, operational resilience and climate change. The FCA has highlighted that firms should be reviewing their SM&CR frameworks from a bottom-up perspective (e.g. looking at Conduct Rules training, breach reporting, and fitness and propriety assessments of certificated staff) as the robustness of the implementation of these core processes is considered by the Regulators to be a strong indicator of a firm’s culture and overall approach to regulatory change.
- COVID-19 has increased firms’ focus on the effectiveness of their governance frameworks and how efficiently these operate when normal operations are faced with significant disruption. A number of firms have been using the COVID-19 pandemic and key decisions taken in-light of it, as case studies to test whether their governance operations stand up to the requirements of SM&CR (e.g., reasonable steps) and whether there is opportunity to enhance and streamline their existing governance structure.
- With the implementation of the Conduct Rules having come into force for FCA solo-regulated firms, the focus has shifted from implementing of the framework to assessing embeddedness of the framework in business as usual (BAU), e.g., is the Conduct Rules training provided relevant for each cohort of individuals, is the Conduct Rules breach management process fit for purpose, are individuals fit and proper to carry out their functions and how is this evidenced.
- Whilst diversity has been on firms’ radars for some time, the enhanced focus on Black Lives Matter has pushed this higher up the agenda, including the recent discussion paper on diversity by the regulators. This has led to Boards re-assessing their own skills and composition, as well as firms looking at the extent to which they have appropriate policies around diversity and inclusion.
What should Internal Audit be doing?
|Area of Focus
|Corporate governance (including Board effectiveness)
Review the corporate governance activities as follows, focusing on the design and operational effectiveness of key controls.
|SM&CR (Also refer to our Embedding SM&CR topic for further details)
Review key elements of the SM&CR as follows: