the changes, the challenges, the new focus of institute ... changes, the challenges, the new focus...

BFSS/IIA Annual Conference 2015

The changes, the challenges, the new focus of Institute

support

11 November 2015

Agenda

09:00 - 09:10 Seminar introduction Gordon Craig, Chairman BFSS; Director, Internal Audit 3i Group plc

09:10 - 09:50 IIA sector strategy Dr Ian Peters MBE, Chief Executive, Chartered Institute of Internal Auditors

09.50 - 10.30 Panel discussion: Internal audit guidance for financial services – where are we now? Chair: Julian Nichols

Panel: Dr Ian Peters, IIA; Hanif Barma, Independent Audit; Lisa Nowell, Head of QA, Barclays; Chit Ghee Yeoh, Director of Internal Audit, Metro Bank

10:30 - 10:50 Break

10:50 - 11:30 The banking reform programme – an industry perspective Paul Chisnall, Director of Policy and Operations, British Bankers’ Association

11:30 - 12:10 Internal audit on the hook – case study Julian Nichols, Financial Services Consultant, Grant Thornton

12:10 - 12:50 Senior managers and certification regimes – implications for internal audit Ross Whelan,

12:50 - 13:50 Lunch

Agenda

13:50 - 14:00 Introduction Gordon Craig, Chairman BFSS; Director, Internal Audit 3i Group plc

14:00 - 14:40 Role of internal audit in outsourcing and contract management – key lines of questioning Papiya Chatterjee, Senior Policy Officer, IIA

14:40 - 15:20 Internal audit – building talent for the future Glenn Bluff, Grant Thornton

15:20 - 15:40 Break

15:40 - 16:20 Cyber security – risks and responses Shivani Maitra, Director, Deloitte

16:20 - 16:30 Closing comments

Annual conference 2015

Dr Ian Peters Chief Executive

Wednesday 11th November 2015

Banking & finance services sector

Agenda

• A changing profession

• Financial services code

• New sector strategy

• Conduct risk poll

• Creating the agenda for the sector advisory panel

A changing profession

There are greater expectations of internal audit to assess:

• Tone at the top

• Culture

• Business strategy / management information

• Public reporting (e.g, Strategic Reports, Integrated Reports)

These expectations raise a number of issues for internal audit in all sectors,

especially the financial services sector, in particular:

• Its Independence and status

• Its scope and priorities

Key initiative: Financial Services Code

• Response to the regulators

• As much for executives and non-executives as internal audit

• Relevance beyond financial services

• Has put internal audit firmly on the agenda

Independence and status of internal audit

• The primary reporting line for the Chief Internal Auditor should be to the

Chairman of the Audit Committee.

• The Audit Committee should be responsible for the Chief Internal Auditor’s:

o appointment/removal

o performance, objectives setting and remuneration

• The Chief Internal Auditor should be at a senior enough level within the

organisation to give him or her the appropriate standing, access and

authority to challenge the Executive

o normally Executive Committee level

• “Internal Audit should have the right to attend and observe all or part of

Executive Committee meetings and any other key management decision

making fora.”

The response

New sector strategy

• The Financial Services Code demonstrates the value of the Institute’s sector

focus

• The Institute has now formalised its approach to the financial services sector

• Our strategy will benefit other sectors in the future

New sector strategy - aims

• To tailor our services in key sectors, in addition to the Institute’s current delivery

of cross sector themes and regions.

• To enhance the value of membership of the Institute by increasing its relevance

to specific groups of members.

• To formalise and structure the Institute’s relationships with groups of members in

key sectors, so that practitioner knowledge is more effectively harnessed.

• To support the Institute’s public policy research programme and improve the

relevance of technical guidance to sector-specific issues.

Financial services sector strategy

• One third of our members work in the financial services sector.

• The sector has seen great changes to the way internal audit needs to operate

and this presents both challenges and opportunities for practitioners.

• We have therefore increased the emphasis we place on our work in the financial

services sector.

• Key to this is our new sector advisory panel.

Financial services sector advisory panel

• Panel draws together practitioners from across the FS sector.

• Chaired by Gordon Craig, director of internal audit, 3i.

o With Mutuals represented by Karen Bassett, Leeds Permanent Building

Society

• The institute will work with the sector advisory panel to:

o Increase representation and member input via our policy and influence work

o Produce new and updated technical guidance on topical issues

o Organise sector specific events, webinars and an annual conference

• The new strategy requires insight into the issues affecting the sector

Potential insights

• The sector advisory panel can feed into our policy programme by providing the

Institute with insights for potential future research.

• The Institute has trialled an initiative around an issue of increasing concern in

the sector: conduct risk.

• Release of guidance for practitioners and snap poll.

Conduct risk poll

• The risk of poor customer outcomes is an increasingly important area of focus

for regulators.

• We conducted a snap poll of internal auditors in the financial services sector to

understand better the extent of internal audit’s involvement in the area of

conduct risk

• The Financial Conduct Authority has no master definition of conduct risk,

however, in its Retail Conduct Risk Outlook 2011, the UK FCA referred to

conduct risk as ‘the risk that firm behaviour will result in poor outcomes for

customers'.

Has your audit committee formalised and communicated

its risk appetite for conduct risk?

Do you audit conduct risk?

Do you audit any of the following?

Conclusion

• Poll shows need for more in depth analysis of conduct risk, its audit and

its importance to audit committees

• The sector advisory panel will be at the heart of this and other policy

initiatives

Creating the agenda for the sector advisory panel

• What should be the key areas of focus?

• How should they be reflected in research, guidance and events?

Panel discussion

Internal audit guidance for financial

services – where are we now?

Banking reform

Paul Chisnall

Executive Director

Why financial and professional services matter

• 2 million jobs – two thirds outside of London

• 12.6% UK GDP

• £61bn trade surplus in 2013

• £65bn tax receipts

• Social good:

- ‘nearly all’ banked

- direct correlation ‘credit’ and GDP

- global financial innovation

Financial crisis: so what went wrong?

Turner Review, March 2009, Chapter 1

• Macro-imbalances meet financial innovation

• Increased leverage

• The growth of ‘shadow banking’

• Misplaced reliance on sophisticated maths

• Hard-wired pro-cyclicality: self-reinforcing irrational exuberance followed by confidence collapse

“socially useful”

“socially useless”

Financial crisis: so what’s the answer?

Turner Review, March 2009, Chapter 2

• Capital, accounting and liquidity

• Deposit insurance and bank resolution

• Credit ratings, remuneration, and counterparty risks

• Macro-prudential analysis

• A new approach to supervision

• Governance and risk management

• The regulation of large complex banks

Banking reform globally focused

Financial Stability Board

• G20 Action Plan

– Maintain the openness of the financial system

– Cooperate & coordinate

– Make banks safer: more capital & liquidity

– Ending too big to fail

– Make financial markets safer: central clearing of OTC

derivatives

Building new rules for the global financial system

Establishing a safe, responsible & growth-enhancing financial sector in Europe

Creating a banking union to strengthen the euro

CRD IV on capital , liquidity, leverage, remuneration and tax transparency

EMIR, MiFID and MAD Credit Rating Agencies Shadow banking Creation of the three European

Supervisory Authorities Deposit Guarantee and Investor

Compensation schemes Bank Recovery and Resolution SSM & SRM Structural reform FTT – a Robin Hood or Sheriff of

Nottingham tax?

UK Government banking initiatives

Coalition agreement

“We will reform the banking system to avoid a repeat of the financial crisis, to promote a competitive

economy, to sustain the recovery and to protect and sustain jobs.”

“We will take steps to reduce systemic risk in the banking system and will establish an independent

commission to investigate the complex issue of separating retail and investment banking in a

sustainable way.”

New regulatory system

Recommendations of the Independent

Commission on Banking

“Vickers” ring-fencing: Financial Services (Banking Reform) Act 2013 Implementation by 2019

Ring-fencing timetable

2013 •Q3: Consultation on secondary legislation

•Q4: Financial Services (Banking Reform) Act 2013

2014 •Q3: Secondary legislation on ‘location’, eg product offerings

•Q4: First PRA CP on ‘height’ – legal services, governance etc.

2015

•Q1: CP response & submission individual preliminary plans

•Q2: FCA CP on customer disclosures

• Q3: PRA & FCA CPs on transfer schemes

•Q3: Second PRA CP on ‘height’ – intragroup exposures etc.

Ring-fencing timetable

2016

•Q1/H1 Final regulatory rules

•Firming up strategic plans & beginning legal processes: authorisations, permissions, waivers, recruitment

2017

•Bulk of Part VII FSMA transfers, 9-12months or longer for collation, independent expert review, PRA approval, with FCA consultation, customer communications and Court processes – possibly on a staggered basis

2018 •Putting the plan into action – structure &business migration

• Ideally 12 months parallel running, at minimum 6 months, before the 2019 timeline

Parliamentary Commission on Banking Standards

July 2012-June 2013 – 337 days

161 hours of evidence sessions

Asked more than 9,000 questions

354 written evidence submissions

9 volume report - vols I & II run to 571 pages

“Most important Parliamentary report into banking in

a generation”

80+ recommendations accepted by Government

Key themes

Strengthening individual responsibility

Corporate governance

Better outcomes for consumers through enhanced

competition

Enhancing financial stability

Strengthening individual responsibility

• Senior Managers regime (nee Senior Persons)

• Certification regime (nee Licensing regime)

• Banking Standards Rules

• New criminal sanction for reckless misconduct

• “Reversal of the burden of proof”

• Support for the creation of a new professional body:

Banking Standards Board

Two further reviews

• The ‘Fair and Effective Markets Review’ looking beyond Libor and into f/x, commodities and fixed income, with the promise of new criminal sanctions: June 2014 - June 2015: FICC Market Standards Board

• CMA competition review into Personal Current Account and SME lending: July 2014 - October 2015:

• Requiring banks to prompt customers to review the service they receive from their bank through receiving individual messages at certain ‘trigger points’

• Making it easier for consumers and businesses to compare bank products by upgrading Midata

• Requiring the creation of a new price comparison website for SMEs - currently nothing effective exists to fulfil this role

Light at the end of the tunnel?

• FSB: final step – Total loss absorbing capital

• European Commission:

- Growth & jobs

- Capital Markets Union

- ‘Cumulative Impact’ reappraisal

• HMG:

- Bank levy (though…)

- Reversal of the burden of proof

Work programme 2016-2019

• More and better capital

• Bank FPC ‘countercyclical capital buffer’

• Total loss absorbing capital – ‘TLAC’

• Key FSB ratios & their disclosure:

- Leverage Ratio

- Liquidity Coverage ratio

- Net Stable Funding Ratio

• Basel IV?

• IFRS 9 - expected loss provisioning

• Capital/regulation CCPs

• UK ring-fencing

Foundations stronger

• Capital & liquidity

• Recovery planning

• Resolution arrangements

• Risk governance

• Banking supervision

• Macroprudential overlay

• Conduct, values, culture

Foundations stronger

• 7 – 10.5 x capital, 4.5 x CET1 capital

• ‘Bail in’, stress testing, high quality liquidity

• Confidence in resolution arrangements

• Renewed Boards & lines of responsibility

• ‘Enhanced’ supervision

• FPC up and running

• Conduct, values, culture

Risk free?

Internal audit: core governance

Internal audit: BCBS principle

Corporate governance principles for banks,

July 2015, Principle 10:

The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank

• http://www.bis.org/bcbs/publ/d328.pdf

BCBS on internal audit, June 2012

• http://www.bis.org/publ/bcbs223.pdf

http://www.bis.org/bcbs/publ/d328.pdf

http://www.bis.org/publ/bcbs223.pdf

http://www.bis.org/publ/bcbs223.pdf

Internal audit: areas of interest

• Capital and liquidity

• Risk weighted assets

• Key ratios

• Expected loss provisioning

• Regulatory returns

• IT systems – resilience & security

• Report to whom?

Banking reform

www.bba.org.uk/policy/

financialandriskpolicy/

banking reform

http://www.bba.org.uk/

• Internal Audit on the Hook

• Julian Nichols

– CIIA Financial Services Conference 11th Nov 2015

Internal Audit on the hook

The Financial Conduct Authority imposes £2.1m

fine and places restriction on Bank after it

mislead the regulator


The Bank ?? (UK) Ltd. has been fined £2.1m by the Financial Services

Authority (FCA) and stopped from acquiring new customers from high-risk

jurisdictions for 126 days. in addition, the FCA has fined two approved

persons at the bank.

The Bank repeatedly provided the regulator with misleading information

after it was required to address concerns regarding its financial crime

systems and controls.

The former compliance officer ("X") at the Bank, and the internal auditor

("Y"), have been fined £19,600 and £9,900, respectively. X and Y failed to

deal with the regulator in an open and cooperative way when responding to

queries about the actions taken to mitigate financial crime risk.


Georgina Philippou, acting director of enforcement and market oversight, FCA,

commented:

“It is essential to consumer protection, market integrity and the prevention of financial

crime that we can rely on firms giving us the right information at the right time. Bank

?? failings impeded us and left it open to the risk that it might be used for financial

crime.

Equally worrying was the fact that X and Y provided a number of misleading

communications to us, which is a serious breach of their responsibilities as approved

persons.

We are reliant on compliance officers and internal audit to act as an important line of

defence, to support effective regulation at firms and to show backbone even when

challenged by their colleagues.”

Internal Audit on the hook - Background

1. Final Notice: Bank ??

2. Final Notice: X (Compliance Officer)

3. Final Notice: Y (Internal Auditor)

https://www.fca.org.uk/your-fca/documents/final-notices/2015/bank-of-beirut-uk-ltd

Internal Audit on the hook - timeline

2010 FSA ARROW review and visit in 2011, the bank showed "too little consideration given to the risk of the firm being use for financial crime. The bank was required to take a number of actions to address these concerns."

Remediation Plan: Full remediation of customer files. Improvement of Compliance Monitoring Plan Resolve all open audit issues

Jan 2012: Internal Auditor Y joins the bank, working part time.

Internal Audit on the hook - timeline

May 2012: FSA reminds the Bank of the file remediation due date (1st

June) and specifically requires the Internal Auditor to review the implementation of all other Remediation Action Plan points. Full remediation of customer files due. June 2012: Bank states all action points completed. Y "provided an assurance (to management) to be given to the Authority that all the action points had been implemented even though they had failed to review the Bank's implementation." "Y was aware that the bank had still not completed two…required actions. Following discussions with senior management about the response that the Authority required, Y did not provided the Authority of this information, which the Authority would reasonably expect notice of."

Internal Audit on the hook - Background

July – Aug 2012: Bank provided two reports assuring completion and implementation "even though this was not the case". Nov 2012: "Y prepared a report for the Authority which gave a misleading impression about…completion of a specific action point (Compliance Monitoring Plan) Y omitted this information even though this was information the Authority would reasonably expect notice…….In omitting this information, the Authority recognises that Y was influenced by comments made by senior management."

Internal Audit on the hook – Background

March 2013: FCA visit found Remediation Plan not completed. Bank employed an external consultant and appointed a team to complete the work which was finalised in Oct 2013. FCA interviewed Y who shared their concerns about the Bank's completion of the point and corrected the misleading impression given in Nov 2012.

Internal Audit on the hook – FCA expectations of internal audit

Final Notice: Following visits to the bank in 2011 and 2012, the Authority became concerned that the culture at the bank was one of insufficient consideration of risk or regulation despite the high risk it might be exploited to facilitate financial crime.


Final Notice:

The Authority specifically requires Internal Auditors to evaluate the effectiveness of firm's internal controls and risk management processes, and are reliant on Internal Auditors to maintain an open, constructive and cooperative relationship with the Authority.

The Authority is particularly reliant on the internal audit function in supporting an culture of effective controls and governance at small sized firms that are not subject to frequent supervision by the Authority.


"Whilst the Authority recognises that Y's actions were influenced by senior management….this does not excuse Y's misconduct. Y was in a position to understand the true position regarding…..completion of the action points…..and as such should have resisted senior management in this regard." "Internal Auditors must maintain their independence, and as an approved person holding a significant influence function, Y was personally bound by their own regulatory responsibilities." "Y failed to deal with the Authority in an open and cooperative way and breached Statement of Principal 4. Fine = 30% of earnings."

Internal Audit on the hook – the Compliance Officer

Handled most of the communication with the Authority ("although others were involved in the drafting, including senior management in relation to its completion of the action points .. ") "In an email to senior management X stated that they were 'fairly guarded' during a conversation with the Authority about the CMP."

False information was given to the FSA re confirmation of completion of points and establishment of the CMP. This was repeated several times.

Internal Audit on the hook – the Compliance Officer

X suggested that he did not have enough support, was under pressure from senior management to be "careful" in communications with the FSA and "not given licence" to explain issues thoroughly. Breach of Statement of Principal 4. Fine = 30% of earnings

Internal Audit on the hook – implications??

The Principle for Businesses relevant to Bank ?? investigation is: Principle for Businesses 11: A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.

The relevant Principle to the investigations into X and Y is:

Statement of Principles for Approved Persons 4: An approved person must deal with the FCA, the PRA and other regulators in an open and cooperative way and must disclose appropriately any information of which the FCA or the PRA would reasonably expect notice.

Internal Audit on the hook – Conclusions?

The Internal Auditor must ensure that any internal audit related information or

statement provided to the FCA/PRA is accurate.


What happens where IA has a different opinion to Compliance / Senior Management regarding a self-reporting issue?

If the Internal auditor sees that incorrect or misleading information is being sent to the FCA/PRA, they should whistleblow to the FCA/PRA.


The FCA/PRA places higher reliance on internal auditors in smaller institutions

"The Authority is particularly reliant on the internal audit function in supporting a culture of effective controls and governance at small sized firms that are not subject to frequent supervision by the Authority."

Internal Audit on the hook – Action to take?

Point out to your Audit Committee Chair, CEO and HIA the ramifications of the

Bank ?? case.

Make sure that information you pass to others which is then passed to the

FCA/PRA remains unchanged. Use this case to support your position to enforce

this.

When considering whether to whistleblow, think whether your company "loyalty" is more important than your career.

Internal Audit on the hook – The LIBOR Example

Bank XX was fined £105m.

LIBOR CONTRIBUTOR FINAL NOTICE

October 2013 "The Authority hereby imposes on XXX a financial penalty of £105m." The bank breaches Principles 2, 3, and 5 in the following ways: 1. Manipulation of the bank's own rates that formed part of the calculation of the

published JPY, USD and GBP LIBOR rates;

2. Collusion with interdealer broker in attempts to influence the LIBOR submissions of other banks; and

3. Collusion with LIBOR Panel Banks directly.


In March 2009 the Bank's Internal Audit Group carried out an audit of the bank's Global Liquidity & Finance Group, in which certain Submitters and Traders were located. Although the audit focus was not on the LIBOR submission process IA was advised by a Submitter that JPY LIBOR submissions were based on the almost daily suggestions from Trader 1. Despite noting this in its working papers, IA failed to assess and address the issue effectively.


Internal Audit's notes make it clear that they were aware that: LIBOR rates are sent from overseas for submission; and

The Submitter inputs the rates on behalf of overseas Traders. Example emails were provided including from Traders giving suggestions for 8 LIBOR tenors.

Despite identifying these issues in its workpapers, IA did not assess or address the issues effectively. IA failed to advise senior management that LIBOR submissions were being dictated by Traders.


At a minimum, IA should have identified that the behaviour of the Trader and Submitter was inappropriate and raised notable conflict of interest concerns. IA should also have brought those concerns to the attention of the bank's compliance or legal departments or senior management.

These three failings by Internal Audit meant that the bank's breaches of Principles 3 & 5 were allowed to continue.


So why was no action taken against this bank's HIA?

They had audited part of the LIBOR process where many banks had not? This Final Notice was in 2013 (the first one was 2015)?

LIBOR CONTRIBUTOR - CONCLUSION

The FCA reviewed individual Internal Audit workpapers Internal Audit Managers must review workpapers and identify risks and issues raised If IA does not perform it's role properly there are severe regulatory implications

Internal Audit on the hook - Summary

Use the first example to strengthen your position with the Audit Committee / CEO / Senior Management Make sure anything which you are involved in or can be linked to you which goes to a Regulator is accurate Do not compromise your position or your career!

• Internal Audit on the Hook

• Julian Nichols

– CIIA Financial Services Conference 11th Nov 2015

GRT100910

STRICTLY CONFIDENTIAL

SENIOR MANAGERS AND CERTIFIED PERSONS (SM&CP) REGIMES: IMPLICATIONS FOR INTERNAL AUDIT

Ross Whelan

11th November 2015

S T R I C T L Y P R I V A T E A N D C O N F I D E N T I A L

TODAYS AGENDA

83

DRIVERS FOR CHANGE

PROPOSED NEW REGIME

CHALLENGES TRANSITION TO NEW REGIME

CONCLUSIONS



DRIVERS FOR CHANGE

84


“Cultural reform in the banking sector marks the next step in the government’s plan to move the whole sector from rescue to recovery and ensure that UK banks demonstrate the highest standards, and are able to support business and drive economic growth.”

George Osborne, Chancellor of the Exchequer

“How a firm conducts its business and treats its customers must be at the heart of how it operates. This has to start at the top”

Martin Wheatley, Chief Executive of the FCA.

“A lack of personal responsibility has been commonplace throughout the industry. Senior figures have continued to shelter behind an accountability firewall.” “Where the standards of individuals, especially those in senior roles, have fallen short, clear lines of accountability and enforceable sanctions are needed. They have been lacking.”

Andrew Tyrie, MP, Chairman of the Parliamentary Commission on Banking

Standards.

1 June 2012

Parliamentary Commission on

Banking Standards (PCBS)

Established


DRIVERS FOR CHANGE

85


Recommendations (Major Themes)

• Reinforcing the ‘ring-fencing’ changes to banks originally set out in the report of the Independent Commission on Banking;

• Making a reality of individual responsibility, particularly at senior levels;

• Improving competition; • Creating much more robust and

effective corporate governance structures; and

• Giving regulators the powers they needed while holding them to their task. PCBS Report

(Vol. 1 & 2) http://www.parliament.uk/documents/bank

ing-commission/Banking-final-report-volume-i.pdf

http://www.parliament.uk/documents/banking-commission/Banking-final-report-vol-

ii.pdf

1 June 2012



Established

2 June 2013

PCBS Report

‘Changing Banking for Good’

Published

“A Senior Persons Regime... should provide far greater precision about individual responsibilities than the system that it replaces, and would serve as the foundation for… changes to enforcement powers…” “A Licensing Regime… as the basis for upholding individuals' standards of behaviour, centred on the application of a revised set of Banking Standards Rules to a broader group…”


86


3 December 2013

Financial Services (Banking Reform)

Act 2013

Passed 1 2

June 2012



Established

June 2013

PCBS Report


Published

DRIVERS FOR CHANGE

Created the legislative

framework and adopted the key recommendation

s made in the PCBS Report Banking Reform Act 2013

(Chapter 33 – Part 4) http://www.legislation.gov.uk/ukpga/2013/33/pdfs/ukpga_20130033_en.pdf

Financial Services Markets Act (FSMA) 2000

(Part 5) http://www.legislation.gov.uk/ukpga/2

000/8/part/V Details of amendments:

http://www.legislation.gov.uk/ukpga/2013/33/pdfs/ukpgaen_20130033_en.p

df


DRIVERS FOR CHANGE

87


2 3 4 June 2013

PCBS Report


Published

December 2013


Act 2013

Passed

2014/2015

Various FCA & PRA

Consultation Papers

2014 July

FCA CP14/13: ‘Strengthening accountability in banks: A new regulatory framework for individuals’. PRA CP14/14: ‘Strengthening the Alignment of Risk and Reward: New Remuneration Rules’.

November FCA CP14/25: ‘Changes to the Approved Persons Regime for Solvency II firms’.

December FCA CP14/31 / PRA 28/14: ‘Strengthening accountability in banking: forms, consequential and transitional aspects’.

FCA CP14/13 http://www.fca.org.uk/static/documents/consultation-papers/cp14-

13.pdf

PRA CP14/14 https://www.fca.org.uk/your-fca/documents/consultation-

papers/cp14-14

FCA CP14/25 https://www.fca.org.uk/static/documents/consultation-papers/cp14-

25.pdf

FCA CP14/31 / PRA 28/14 https://www.fca.org.uk/static/documents/consultation-papers/cp14-

31.pdf


DRIVERS FOR CHANGE

88


2 3 4 June 2013

PCBS Report


Published

December 2013


Act 2013

Passed

2015 February

FCA CP15/05: ‘Approach to non-executive directors in banking and Solvency II firms & Application of the presumption of responsibility to Senior Managers in banking firms’.

March CP15/10: ‘Strengthening accountability in banking: UK branches of foreign banks’. FCA CP15/09: ‘Strengthening accountability in banking: a new regulatory framework for individuals’.

Policy Statement PRA CP03/15: ‘Strengthening individual accountability in banking and insurance’.

July FCA CP15/22: ‘Strengthening accountability in banking: Final rules (including feedback on CP14/31 and CP15/5) and consultation on extending the Certification Regime to wholesale market activities’.

August FS15/3: ‘Strengthening accountability in banking: UK branches of foreign banks – Feedback on FCA CP15/10’.


05.pdf

CP15/10 https://www.fca.org.uk/your-fca/documents/consultation-

papers/cp15-10

CP15/09 https://www.fca.org.uk/your-fca/documents/consultation-

papers/cp15-09

PRA CP03/15 http://www.bankofengland.co.uk/pra/Documents/publications/cp/201

5/cp315.pdf


22.pdf

FS15/03 https://www.fca.org.uk/your-fca/documents/feedback-

statements/fs15-03

2014/2015

Various FCA & PRA

Consultation Papers


PROPOSED NEW REGIME

89


1 SENIOR

MANAGERS REGIME

2 CERTIFICATION REGIME

3 CONDUCT RULES

UNDER THE NEW REGIME

Senior Managers can be held accountable for ‘misconduct’ that falls within their area of responsibility.

Individuals working at all levels can be held to appropriate standards of conduct.


PROPOSED NEW REGIME

90


1 SENIOR

MANAGERS REGIME

SCOPE

FIRMS Applies to UK Banks, Building Societies, Credit Unions, PRA – Designated Investment Firms and Incoming branches of foreign/overseas banks (also known as Relevant Authorised Persons (RAPS)) operating in the UK.

Bank of England and Financial Service Bill Amended to include all regulated/authorized firms (including Insurers, Investment Firms (Stockbrokers, Securities and Futures firms, Asset Managers) and Consumer Credit firms).

Based on FCA estimates, the number of firms impacted will rise from approx. 1,000 to just under 60,000. The newly extended regime should come into operation during 2018.

NO ‘TERRITORIAL LIMITATION’

INDIVIDUALS UK Relevant Authorised Persons

The Board and other individuals who hold key roles or have overall responsibility. Under this 6 Non Executive Directors (NEDs) functions are captured (SMF 9-14) i.e., Chairman of the Board, Chair of Risk, Audit, Remuneration and Nomination Committees and Senior Independent Directors.

Non-EEA Branches

Executive Directors of the branch and other individuals who hold key roles or have local responsibility.

EEA Branches

Individuals with significant responsibility for significant business units of the branch and other individuals who hold key roles.

The SMRs application is greater for non-European Economic Area (EEA) than EEA firms reflecting the split of EEA home and host state supervisory responsibilities under the relevant single market directives.

The focus is on the most senior individuals in firms who hold key

roles or have overall responsibility for whole areas of

relevant firms.

Intention: All members of the Board, the

second layer of governance (whether structured as an

Executive Committee or not) and anyone else carrying out an important function (e.g. a SIF)

should be made subject to regulation. The Significant

Responsibility SMF, in particular, has been designed to bring Non-

Board members in charge of particular areas into the SMR.


PROPOSED NEW REGIME

91


1 SENIOR

MANAGERS REGIME

KEY FEATURES

• A new set of Senior Manager Functions (SMFs) will replace the current Significant Influence Functions (SIFs).

3 New Functions Head of Key Business Area (SMF6)

Person who manages area with gross total assets of £10bn or more and

which either accounts for 20% or more of the gross revenue of the firm, or where the firm is part of a group,

accounts for more than 20% of the total gross revenue of the group.

Group Entity Senior Manager (SMF7)

Applies to individuals who exercise significant influence over the Relevant Approved Persons as part of their role

in the wider group (can operate in exec or non-exec capacity).

Significant Responsibility SMF (SMF18) Applies to individuals who have overall responsibility for each of the activities,

business areas and management functions of the firm.

Applies to those who do not already hold another SMF and with the

exception of Compliance with Cass , cannot be assigned any other Prescribed Responsibilities.

COMBINED LIST OF SMF’S

Chief Executive Function* PRA & FCA SMF 1

Chief Finance Function * PRA & FCA SMF 2

Executive Director* FCA Only SMF 3

Chief Risk Function PRA & FCA SMF 4

Head of Internal Audit PRA & FCA SMF 5

Head of Key Business Area PRA & FCA SMF 6

Group Entity Senior Manager PRA & FCA SMF 7

Credit Union SMF PRA & FCA SMF 8

Chairman PRA & FCA SMF 9

Chair of Risk Committee PRA & FCA SMF 10

Chair of Audit Committee PRA & FCA SMF11

Chair of Remuneration

Committee PRA & FCA SMF 12

Chair of Nominations

Committee FCA Only SMF 13

Senior Independent Director PRA & FCA SMF 14

Non Executive Director FCA Only SMF 15

Compliance Oversight FCA Only SMF 16

Money Laundering Reporting FCA Only SMF 17

Significant Responsibility FCA Only SMF 18 • *With exception of small credit unions, at least one person

must perform this role. • NEDs (SMF9-15) Cannot be allocated overall responsibility

for business activities or management functions.

For a Non EEA Branch, SMF 5 will only apply where branch has a dedicated individual performing this function.


PROPOSED NEW REGIME

92


1 SENIOR

MANAGERS REGIME

KEY FEATURES


PRESCRIBED RESPONSIBILITIES (i) ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper; (ii) leading the development of the firm’s culture and standards; (iii) embedding the firm’s culture and standards in its day-to-day management; (iv) production and integrity of the firm’s financial information and regulatory reporting; (v) allocation and maintenance of the firm’s capital and liquidity; (vi) development and maintenance of the firm’s business model; (vii) performance of the firm’s Own Risk and Solvency Assessment (ORSA); (viii) induction, training and professional development for all the firm’s key function holders; (ix) maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns; and (x) oversight of the firm’s remuneration policies and practices.

• ‘Prescribed Responsibilities’ (as defined by PRA & FCA), which are important functions other than SMFs, must be allocated to one of the existing SMF’s “with which the responsibility is most closely associated”.

• NEDs can be allocated certain prescribed responsibilities.


PROPOSED NEW REGIME

93


1 SENIOR

MANAGERS REGIME

KEY FEATURES


LIST KEY FUNCTIONS • Establishing and operating systems

and controls in relation to financial crime.

• Safekeeping and administration of assets of clients

• Payment services • Settlement • Investment management • Financial or investment advice • Mortgage advice • Corporate investments • Wholesale sales • Retail sales • First line quality assurance of sales • Trading for clients • Investment research • Origination/syndication and

Underwriting • Wholesale lending decisions • Design and manufacturing of

products intended for wholesale customers

• Design and manufacture of products intended for retail customers

• Production and distribution of marketing materials and communications

• Customer service • Customer complaints handling • Collection and recovering amounts

owed to a firm by its customers/Dealing with customers in arrears

• Middle office • The firm’s information technology • Business continuity • Human resources • Incentive schemes for the firm’s staff

• ‘Prescribed Responsibilities’ (as defined by PRA & FCA), which are important functions other than SMFs, must be allocated to one of the existing SMF’s “with which the responsibility is most closely associated”.

• 27 ‘Key Functions’ which are important functions other than SMFs and Prescribed Responsibilities, if they exist in a particular firm, must be allocated to a Significant Responsibility SMF (SMF 18).


PROPOSED NEW REGIME

94


1 SENIOR

MANAGERS REGIME

KEY FEATURES - APPROVALS

• Subject to Pre-Approval All Senior Management Functions (SMFs) are subject to approval by the relevant regulator (FCA or PRA) before they may begin carrying out a SMF.

• Required Submissions When applying for an individual to be approved for an SMF, or whenever there is a significant change in a Senior Manager’s responsibilities, a firm will need to submit:

• Statement of Responsibility A “..statement setting out the aspects of the affairs of the authorised person concerned which it is intended that the person will be responsible for managing in performing the function”; these statements must be kept current.

• Management Responsibilities Map This must be comprehensive, up-to-date and set out how the various responsibilities have been allocated. Must demonstrate that: • There are no gaps in accountability; • Robust governance arrangements are in place; and • A clear organisational structure with defined,

transparent and consistent lines of responsibility.

• Other supplementary information i.e. CVs, job desc., org. charts and development plans.


PROPOSED NEW REGIME

95


1 SENIOR

MANAGERS REGIME

KEY FEATURES - APPROVALS

• Handover Arrangements Reasonable steps (i.e., Handover Arrangements) should be taken to make newly appointed Senior Managers aware of all relevant information and risks of regulatory concern in order to perform responsibilities effectively.

• Conditions & Time Limits The regulators can impose conditions and time limits on approvals of Senior Managers, both at the initial approval stage and subsequently through a variation of approval. For example, approving an SMF subject to a training requirement or imposing a probationary time limit on an approval.


PROPOSED NEW REGIME

96


1 SENIOR

MANAGERS REGIME

KEY FEATURES - ENFORCEMENT

• Individual Enforcement Action Each of the regulators will be able to take individual enforcement action against any Senior Manager.

• Presumption of Responsibility The proposed ‘Presumption of Responsibility’ will now be replaced by a ‘New’ Statutory Duty responsibility on Senior Managers to take ‘reasonable steps’ to prevent a regulatory breach.

So what is the significance of this recent change?

Bank of England and Financial Services Bill – Section 3.1 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/468328/SMCR_policy_paper_final_15102015.pdf

Under the original controversial proposal (i.e., reverse burden of proof), if a firm breached a regulatory requirement, the Senior Manager responsible for the area of the breach could be held individually accountable unless they were able to satisfy the regulators that they had taken ‘reasonable steps’ to stop, prevent, or remedy the breach. This was perceived as draconian and had deterred many from taking up senior manager roles for fear of regulatory exposure.

The burden of proving that a Senior Manager has failed to meet the expected standard in an enforcement action will now rest firmly with the Regulator. The “new” Statutory Duty however represents little if any change in substance of Senior Manager obligations as it bears a very close resemblance to the Conduct Rules underpinning the Approved Persons Regime and the new SM&CP regime.

Statement of Principle 7 for Approved Persons

An approved person performing an accountable significant influence function must take reasonable steps to ensure that the business of the firm for which he is responsible in his accountable function complies with the relevant requirements and standards of the regulatory system.

Senior Manager Conduct Rule 2 You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory systems.


PROPOSED NEW REGIME

97


1 SENIOR

MANAGERS REGIME

KEY FEATURES - ENFORCEMENT

• New Criminal Offence Senior Managers will be liable to prosecution for the new criminal offence ‘relating to a decision causing a financial institution to fail’ i.e., of taking (or failing to prevent) a decision causing a financial institution to fail, where one is aware of the risks and one’s conduct fell “far below what could reasonably be expected”. This offense is punishable by up to 7 year’s imprisonment and/or an unlimited fine.

Financial Services (Banking Reform) Act 2013 – Section 36 http://www.legislation.gov.uk/ukpga/2013/33/pdfs/ukpga_201

30033_en.pdf

• New Criminal Offence Under the regime, enforcement action may occur due to: An individual breach (‘failed to comply’) of the conduct rules (FSMA ‘Condition A’); By being “knowingly concerned” in a breach of rules by the firm (FSMA ‘Condition B’); or Through breaches occurring in the areas for which they are responsible (FSMA ‘Condition C’).

CRIMINAL OFFENSE Does not apply to Credit Unions or Incoming

Branches


PROPOSED NEW REGIME

98


1 SENIOR

MANAGERS REGIME

KEY FEATURES

• Annual Assessment Firm duty to assess ‘fitness and propriety’ of Senior Managers initially and thereafter on an annual basis.

• Employee Hiring Checks Firms must perform criminal record checks and request references from the previous employer of an SMF candidate, covering previous 5 years employment history (and disclose breaches and details of any disciplinary action. References must be true, fair and accurate).

• Job Sharing Arrangements More than one individual can perform a Senior Management Function. In the case of a job share arrangement, each individual will be responsible for all the responsibilities conferred by that SMF.


PROPOSED NEW REGIME

99


1 SENIOR

MANAGERS REGIME

KEY FEATURES

RELATED TEMPLATES Form K: Grandfathering Notification

http://www.bankofengland.co.uk/pra/Documents/authorisations/simr/formk.pdf

• Grandfathering Arrangements There will be ‘grandfathering’ provisions for Senior Managers currently performing Significant Influence Functions, so as not to require fresh approval to perform the equivalent SMF. An individual can only be grandfathered into a new SMF role if: • They are performing the role under the current APR

regime on the date of notification to the regulators; and on the date the regime comes into force. Grandfathering to a non-equivalent role requires additional approval; • The function is equivalent to a SIF function that they hold in the same firm. i.e., they cannot grandfather over to new regime in a different entity in the same group; and • Applications for regulatory pre-approval of those in SMF must include a “Statement of Responsibilities” setting out the areas of the firm for which the prospective Senior Manager will have responsibility (one per legal entity).


PROPOSED NEW REGIME

100



SCOPE


TERRITORIAL LIMITATION UK Firms & Non EEA Branches

Material Risk Takers: No Territorial Limitations (applies irrespective of location).

All Other Certified Persons: Territorial Limitation (only if based in the UK or dealing

(having contact) with Client in the UK.

EEA Branches Only applies to Individuals present/based in the UK.

INDIVIDUALS Material Risk Takers;

Most former ‘Approved Persons’ not covered by SMR; Customer facing roles with a Required Qualification (e.g.,

Investment Adviser); Proprietary Traders; and

Line Managers of ‘Certified Persons’.

Applies to staff who perform a function which either regulator believe could pose “Significant

Harm“ to the firm or any of its customers.

Intention: To reduce the firms risk of

an individual causing significant harm to the firm or its customers.


PROPOSED NEW REGIME

101


KEY FEATURES

• Registration Individuals falling under the Certification Regime (CR) will not be subject to regulatory approval (as SMFs are).


• Assessment of Employees It is a Firms duty to certify that employees performing a “significant harm function” are ‘fit and proper’ to do so. Fitness and Propriety checks also apply to Notified NEDs. However a NED moving from an SMF to be a ‘Notified NED’ is not subject to further ‘Fitness and Propriety’ checks • Integrity; • Knowledge, competence and experience; and • Qualifications and training.

Certification will need to be renewed on an annual basis.

A Senior Manager will assume responsibility for the internal review and certification process, and be accountable for shortcomings.

• Employee Movements If a person moves from one CR role to another CR role, that person must be certified as ‘fit and proper’ for the new role immediately; the firm cannot wait until the annual renewal of the certificate.


PROPOSED NEW REGIME

102


KEY FEATURES

• Exceptions In exceptional circumstances, a person may perform a CR function for up to two weeks without certification where they are providing cover for a certified person whose absence was reasonable unforeseen. (This does not apply, however, to CR functions that have a qualification requirement.)


• Employee Hiring Checks Firms must request references from the previous employer of an CR candidate, covering previous 5 years employment history (and disclose breaches and details of any disciplinary action. Additional references are not required for people performing Certification Functions if they were performing the same function immediately prior to 7 March 2016. Criminal record checks are not required. Firms may carry out checks for other employees where legally allowed to (part of employment contract). With such an extended population, this represents a significant burden to the firm [SYSC 5.3.4R to SYSC 5.3.11R].

• Multiple Functions Where individuals are performing multiple certification functions, they must be assessed as ‘fit and proper’ for each function, although all the different functions may be covered by a single certificate.


PROPOSED NEW REGIME

103


SCOPE

3 CONDUCT RULES


TERRITORIAL LIMITATION

Code of Conduct Replaces existing principles and guidance set out in the FCA statements of Principles and

Code of Practice for Approved Persons (APER) for employees working for Relevant

Firms.

Applies to all staff at a relevant firm (except

Ancillary Staff)

Intention: To extend the new

behavioural standards against which individuals

will be judged down through the

organisational structure.

Bank of England and Financial Service Bill Amended to include all those sitting on the board of an in-scope firm (including all NEDs) so that enforcement can be taken against these individuals where they fail to act with ‘honesty and integrity’.

UK Firms &

Non-EEA Branches EEA Branches

Senior

Manager

No Territorial Limitation

Applies wherever they are based

Material

Risk Taker

Applies wherever they

are based

Applies if individual

based in UK only

Other

‘Certified

Persons’


based in UK or

dealing with a client

in the UK only


based in UK only

Other

Conduct

Rules Staff


based in UK or

dealing with a client

in the UK only


based in UK only EXAMPLES

UK-based EEA Branch Senior Manager of a UK branch of a

Spanish Retail Bank. New York-based Chair of Audit Committee‘ of a UK subsidiary

of a US Bank. Swiss-based Senior Manager with overall responsibility for

Fixed Income business within a UK Wholesale Bank.


PROPOSED NEW REGIME

104


‘Second Tier’: Conduct Rules - Apply to Senior Managers only

3 CONDUCT RULES

Proposed New Rules Corresponding Rule from APER or PRIN

SM1. You must take reasonable steps

to ensure that the business of the firm

for which you are responsible is

controlled effectively.

APER Statement of Principle 5.

An approved person performing an

accountable significant-influence function

must take reasonable steps to ensure that

the business of the firm for which he is

responsible in his accountable function is

organised so that it can be controlled

effectively.


to ensure that the business of the firm

for which you are responsible complies

with relevant requirements and

standards of the regulatory system.


An approved person performing an

accountable significant-influence function

must take reasonable steps to ensure that

the business of the firm for which he is

responsible in his accountable function

complies with the relevant requirements

and standards of the regulatory system.


to ensure that any delegation of your

responsibilities is to an appropriate

person and that you oversee the

discharge of the delegated

responsibility effectively.

SM4: You must disclose appropriately

any information of which the FCA or

PRA would reasonably expect notice.

PRIN 11.

A firm must deal with its regulators in an

open and cooperative way, and must

disclose to the appropriate regulator

appropriately anything relating to the firm

of which that regulator would reasonably

expect notice.

SENIOR MANAGERS Must ensure that there is:

• Effectiveness of business controls; • Compliance with regulatory requirements; • That there is appropriate delegations of responsibility with effective

oversight; and • There is appropriate disclosure of information to regulators.


PROPOSED NEW REGIME

105


‘First Tier’: Conduct Rules - Apply to All Staff*

3 CONDUCT RULES

Proposed New Rules Corresponding Rule from APER or PRIN

1. You must act with integrity.

Manage risk, exercise sound judgment, observe rules as well as honesty


An approved person must act with

integrity in carrying out his accountable

functions.

2. You must act with due skill, care and

diligence.

Understand the business, the regulations and act compliantly & competently.


An approved person must act with due

skill, care and diligence in carrying out his

accountable functions.

3. You must be open and cooperative

with the FCA, PRA, and other

regulators.


An approved person must deal with the

FCA, the PRA and other regulators in an

open and cooperative way and must

disclose appropriately any information of

which the FCA or the PRA would

reasonably expect notice.

4. You must pay due regard to the

interests of customers and treat them

fairly. (Applied by FCA Only)

PRIN 6.

A firm must pay due regard to the

interests of its customers and treat them

fairly.

5. You must observe proper standards

of market conduct. (Applied by FCA

Only)

All markets, not just listed securities


An approved person must observe proper

standards of market conduct in carrying

out his accountable functions. SENIOR MANAGERS, CERTIFIED FUNCTIONS & OTHER RELEVANT STAFF Under the Bank of England and Financial Service Bill, the rules of Conduct have now been extended to Non Executive Directors. This plugs a perceived gap necessary to address CRD IV, incorporated by reference into MiFID II, which requires Member States to be able to take action against members of an institution’s management body (including NEDs).

*ANCILLIARY STAFF Staff carrying out a role which would be fundamentally the same in a non-financial services firm. Approximately 20 Designated categories (e.g., cook, cleaner, receptionist and security guard).


PROPOSED NEW REGIME

106


3 CONDUCT RULES

*Fair and Effective Markers Review (FEMR)

http://www.bankofengland.co.uk/markets/Documents/femrjun15.pdf

KEY FEATURES

• Requirement to report breaches and suspected breaches has been rescinded.

Bank of England and Financial Service Bill Removed obligation to notify the regulators of breaches or suspected breaches to the Conduct Rules: • To the PRA within 7 days of suspicion

that there has been a breach of the rules; and

• To the FCA within 7 days for SMR, for FCA Certified Persons and Relevant staff this is annually (end of October) each year.

Low legal threshold for a ‘suspected’ breach meant firms would have had to report lots of individuals to the regulator with many of those allegations subsequently being unfounded.

• Notify the regulators of disciplinary action taken Firms are required to notify the regulators of disciplinary action taken again against an employee for conduct which amounts to a breach of the Code of Conduct.[FSMA s54C(1)]

• Conduct Rules Training Firms must make individuals aware if they are subject to the new conduct rules, and provide suitable and role specific training to ensure understanding and compliance with the rules. (*FEMR)

• Whistleblowing Includes a “duty to whistleblow” to the FCA/PRA where Senior Managers are aware of information of which the regulators may expect notice.

RELATED TEMPLATES Form C: Notice of ceasing to perform controlled functions (including

senior management functions) https://www.handbook.fca.org.uk/form/sup/SUP_10A_ann_6R_Form_C_20160307

.pdf

Form D: Notification: Change to personal information/application details and conduct breaches/disciplinary action

related to conduct https://www.handbook.fca.org.uk/form/sup/SUP_10A_ann_7R_Form_D_20160307.p

df

Form H: Notification of Conduct Rules Breaches and Disciplinary Action relating to certification employees and other conduct rules staff

https://www.handbook.fca.org.uk/form/sup/SUP_15_ann_7R_Form_H_20160307.pdf


PROPOSED NEW REGIME

107


2

1

3

SENIOR MANAGERS FUNCTION

CERTIFIED INDIVIDUALS

ALL OTHER RELEVANT STAFF

‘Subject to’ CONDUCT

RULES

‘Pre-Approved

by’ FCA/PRA

ANCILLARY STAFF (Not in Scope)

‘Fitness’ FIRM

ASSESSED


CHALLENGES

108


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

KEY CHALLENGES

• Attracting & Retaining the right Staff Shift towards individual responsibility may make it harder to attract and retain Senior Managers.

• Disclosure of sensitive information to potential candidates at the Hiring stage At the hiring stage, potential SMF candidates are likely to want as much detail about any issues in the bank in general and the relevant business area in particular before taking on the significant regulatory responsibility. Firms will be wary of divulging highly sensitive information to individuals who may remain at current employer or join a competitor. • Lengthy negotiations around detailing Senior Managers responsibilities Employer and employee interests are diametrically opposed. Whilst firms will want to ensure that the Statement of Responsibilities is detailed and comprehensive, Senior Managers will want to minimize the area for which they would be held responsible, leading to lengthy negotiations.

• Reluctance of SMFs to assume additional responsibilities SMFs will want to have a high level of clarity about their areas of responsibility and will resist taking on additional responsibilities.


CHALLENGES

109


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

KEY CHALLENGES (CONT’D)

• Increased turnover of poor performing staff SMFs are likely to be unwilling to retain any members of staff who they believe are not up to the job and will not want to spend time performance managing poor performers if they fear regulatory failures could arise in the meantime. This will create tension with HR organizations and increase the risk of employment claims.

• Excessive caution and risk avoidance The focus on individual responsibility and the more draconian sanctions, may result in excessive caution, stunting growth and profitability.

• Increased clarity around ‘cover’ for Senior Managers Plans will have to be made for the absence of an SMF. Someone who is to deputize for an absent SMF will want a clear apportionment of responsibilities to avoid the impact of a breach occurring while he/she is deputizing that related to a failure for which the SMF should be held responsible. • Recording of ‘disclosable’ Information SMF’s who do not agree with particular commercial decisions are likely to document their concerns in order to protect themselves against regulatory sanction. This will result in more convoluted decision making, the emergence of a culture of ‘finger pointing’, and disclosable items.


CHALLENGES

110


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES


• Handling SMF Grievances or Exits Banks could see an increase in whistleblowing allegations from Senior Managers who are dismissed as they try and minimize culpability and extract exit packages. Similarly Senior Managers may threaten to provide unhelpful handover documentation unless they receive favorable severance terms. With the proposed changes, FCA entries will now contain more detail on disciplinary action taken against Senior Managers, this could have significant implications for an individuals future employment prospects. • Increased documentary burden on Firms In addition to the requirements for Statement of Responsibility (limited to 300 words) and the Responsibilities Maps, the new regime will require changes to employment contracts and policies to ensure that there is a requirement to comply with the Conduct Rules and ensuring that there is a contractual basis for dismissing employees where requirements are not meet.


CHALLENGES

111


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES


• Enforcement Action: Firm v Individual interests In the case of enforcement action, where a firm is motivated to settle early and obtain a discount, this admission of guilt then makes it more difficult for an individual to defend. Firms need to clarify to prospective Senior Managers at the hiring stage under what circumstances legal expenses will be paid by the firm; and in the event this enforcement occurs a number of years after the firm and the employee have parted company, how long they are eligible for this assistance?

• Enforcement Action: Impact of investigation Investigating authorities are likely to require a high degree of access to the financial institution and its records. The interference of an ongoing investigation may prove to be a significant burden for the institution in question due to the potential breadth of the investigation (i.e., how far back); the impact on daily operations (i.e., drain on time); it may create tensions/conflict amongst management regarding historical decisions; and the availability of good records demonstrating transparent decision making processes.


CHALLENGES

112


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES


• Other Challenges • How to evidence decision making and reasonable steps

taken; • What information is considered sufficient before a

Senior Manager becomes ‘informed’ of a risk or issue that requires ‘reasonable steps’ to be taken;

• How to illustrate the manner in which responsibilities are delegated and appropriately controlled; and

• Ownership of ‘prescribed responsibilities’ and key functions, particularly where they cut across reporting lines and geographical locations.


TRANSITION TO NEW REGIME

113


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

KEY TASKS

KEY DATE

Senior Manager & Certified Persons (SM&CP) Regime

Commencement Date

7 March 2016

• Gap Analysis Determine the role of Senior Managers under the new regime in order to identify those carrying on a SMF and to identify and complete a Management Responsibilities Map.

• Governance Systems & Controls Have in place appropriate governance systems and controls relating to policies; regulatory reporting; training; assigning responsibility for the production of reports; and be able to demonstrate to regulators that the systems and control in place are robust and effective.

• Statements of Responsibility Draft Statements of Responsibility for individuals performing a SMF, including aligning contracts of employment and having systems in place for responding to requests from the regulators for personal attestations for such individuals.

• Policies & Procedures Review relevant policies and consider amending contracts to include indemnities; legal representation at meetings; suspension; notification of disciplinaries to regulators; handling of reference requests; consent to criminal records checks for SMFs; and provisions to support handover arrangements.


TRANSITION TO NEW REGIME

114


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

KEY TASKS (CONT’D)

KEY DATE

Senior Manager & Certified Persons (SM&CP) Regime

Commencement Date

7 March 2016

• Certifying Employees Certify SMFs as ‘fit and proper’ by 7 March 2016 and then individuals falling within the Certification Regime by 7 March 2017.

• Bespoke Training Individuals who are subject to the SMR or the CR will be subject to the new Conduct Rules from the commencement of the new regime on the 7 March 2016. Firms then have until 7 March 2017 to prepare for the wider application of Conduct Rules to other relevant staff.

• Grandfathering Arrangements Notify the regulators of the names and roles of individuals who are subject to the SMR by 8 February 2016 (i.e., Grandfathering Notification (including Statements of Responsibilities and Firm Responsibilities Maps), after which the FCA will publish the names of Senior Managers in its register.


FUTURE PUBLICATIONS

115


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

DEVELOPMENTS

• Winter 2015 Final Rules on incoming branches of overseas firms.

• Pre March 2016 Final Rules on inclusion of wholesale activities in the Certification regime.

Final Rules on Regulatory references.


CONCLUSIONS

116


1 SENIOR

MANAGERS REGIME


3 CONDUCT RULES

It’s not just about Instilling individual ‘Accountability’ within the organisation

Demonstrating that the ‘right culture’ is embedded and permeates throughout the whole organisation.

Demonstrating that we have the right balance between what individuals are doing (i.e., generating revenue, margin, shareholder return in a financial sense) and how they are behaving (i.e., relationship with clients, counterparties and internal stakeholders).

Link between SM&CP Regime and Remuneration Code


117



support

11 November 2015

Role of internal audit in outsourcing

and contract management - key

lines of questioning

Papiya Chatterjee

11 November 2015

The role of internal audit in

outsourcing

• Trends, benefits and challenges of outsourcing

• The need to provide assurance

• Case studies

Outsourcing – the drivers

Outsourcing – be aware of the

risks

Regulatory expectations

IIA report - case studies

The role of internal audit

• Early involvement of internal audit.

• Assess how well risk is being jointly considered between the

customer organisation and the provider.

• Audit coverage is commensurate with the scale, nature and

number of contracts.

• Team - multidisciplinary and some contract management

background.

• Benchmarking supplier/contractor performance to drive overall

improvements.

• Co-ordinate assurance properly.

• Invoke the right to audit clause when necessary.

• Complement a systems-based approach with an element of

substantive testing.

Case study - Crossrail

• Integrated assurance

• Benchmarking providers

Header here max 30 characters Are Tier 1 contractors getting better?

Ave R4

High Performance

Performance Level

OUTPUTS Performance Risk

Pe

rfo

rman

ce L

eve

l

INP

UTS

Hig

h P

erf

orm

ance

P

erf

orm

ance

Ris

k

3

2

1

0 1 3 2

World Class Zone Value Added Zone

Indicative average compliance line

Ave R3

Ave R2

Ave R1

Best Collective Score R4

Case study – Ministry of

Justice

key areas for improvement Internal audit’s tiered approach

An increased Internal Audit coverage Tier 1 is a desktop assessment of all

contracts with annual spend above

£10 million using the National Audit

Office contract management

framework

A change in the methodology applied Tier 2 is a systems-based review with

the inclusion of substantive testing

A greater rigour in following up

recommendations and escalating

concerns

Tier 3 is a more detailed forensic

review

Concluding thoughts

• Outsourcing the service does not outsource the risk

• Big risks associated with outsourcing

o Poor relationship and interaction with contractor.

o Inconsistent approach to day-to-day contract management.

o Third party provider ethical/cultural issues.

• Internal audit has a key role to play

o Strategic intent and feasibility.

o Implementation and management.

o Contract management arrangements.

If you want to know more…

• https://www.iia.org.uk/policy/publications/outsourcing-and-the-

role-of-internal-audit/

Cyber Security

Glenn Bluff

Associate Director – Cyber Security and Privacy Services

Business Risk Services

Grant Thornton

[email protected]


1. Leapt up the risk table with 500 Global Risk Managers

to 2nd and 3rd place (Source: Allianz Risk Barometer)

2. Recent examples: Sony, Talk Talk

3. Malware malicious software increased 400% since

2012

Reputation and Brand Value

So what has this got to do with Cyber Crime?


All it takes is one major issue and your business

reputation and brand value is destroyed

Everything!


What does it mean?

"Any crime that involves a computer and a network.

The computer may have been used in the

commission of a crime, or it may be the target."

- Wikipedia 25/04/2015

Cyber Crime

Let's look at a recent case that's still in the

news


1. What happened

2. Impact

- Loss of Customer data

- Client confidentiality compromised

- Some clients suffer loss

- Reputation and Brand

3. What could they have done better?

Case Study: Talk Talk

Let's take a step back…


Traditional response by audit:

The traditional response has been to audit the

standard ITGC controls:

Access Management, Change Management,

Development, Backup and Recovery.


The Cyber Security risk base is changing. The

biggest risk is the low frequency but high reward

targeted attack or Advanced persistent threat

(APT). The traditional response is no longer enough.

Other Examples:

HSBC data theft – Geneva

Carbanak attack - £650m stolen

Stuxnet



Anti virus

Patching

IDS

IPS

Firewalls

Access

Management

Baseline Build

Firewall / router Configuration

OS Configuration Application Controls

Change control



Anti virus

Patching

IDS

IPS

Firewalls

Access

Management

Baseline Build

Firewall / router Configuration

OS Configuration Application Controls

Change control

Targeted attacks

are designed to

bypass the

standard controls.


1. Need to do more than traditional audit work

2. Need to ensure experts are employed

3. Key Areas of internal control

Cyber Crime Prevention and Detection


1. Cause damage or disrupt

2. Obtain data

3. Amend data

Split into 3 main areas:


Deeper response by audit requiring

specialist knowledge:

To use specialist knowledge to validate

the configuration and setup of technical

elements

In addition to preventative controls,

detective controls need to be effective.



specialist knowledge:

Baseline Build

Infrastructure Technical Configuration

Monitoring Systems

Reporting Systems

Encryption and Key Management

Advanced network rerouting (DNS),



specialist knowledge examples:

DDoS review

Active Directory Job / Batch Scheduling

Encryption / Certificates

Incident alerting /

monitoring information

File Transmission /

Messaging


1. Better Monitoring and Testing controls

2. Classification of data that link to the Monitoring

control policy

3. Resolution of issues identified

Back to the Case Study: Talk Talk

What could they have done better?


Is it just State sponsored? OFF THE SHELF.

1. Malware, attack kits, and vulnerability information off the shelf.

2. Crimeware as a service

3. A drive-by download web toolkit, which includes updates and 24/7

support!

(The online banking malware SpyEye (detected as Trojan.Spyeye)

is offered from $150 to $1,250 on a six-month lease, and DDoS

attacks can be ordered from $10 to $1,000 per day)

4. Designer software

Preparation


Targeted attacks. How to look for and detect the

unusual. Potential Audits:

1. Phishing Education

2. DDoS Audit.

3. Detect and response.

Just buying the software is not enough, you need to configure and

analyse the results.

4. Threat knowledge and intelligence. Do you receive regular intelligence

on the latest threats? (Dell secure works) How do you mange intelligence?


1. Keep up to date with threats and vulnerabilities and look

external

2. IT, the Business and Security functions know how to

respond and can detect unusual behaviour even if we cannot

prevent it.

3. Audit functions need a more detailed set of audits focused

not just on technical prevention but on detection.

Conclusion


Questions?

Glenn Bluff

Associate Director

Cyber Security and Privacy Services


Grant Thornton

[email protected]


Copyright © 2015 Deloitte Development LLC. All rights reserved. 152 Global Human Capital Trends 2015

Barriers

between

work

and life

dissolve

Talent

in high

demand

Millennials

make up

50% of

workforce

Global

transparenc

y

in job

market


3,300+ Business and

HR leaders

106 countries

Global Human Capital Trends 2015

One of the

largest-ever longitudinal

global talent studies

Unless otherwise cited, all data referenced in this presentation is from

the Global Human Capital Trends 2015 survey.


Global Human Capital Trends 2015

LEADERSHIP

Why a perennial issue? LEARNING AND

DEVELOPMENT

Into the spotlight

LEADING

CULTURE AND

ENGAGEMENT

The naked organization

PERFORMANC

E

MANAGEMENT

The secret

ingredient

WORKFORCE

ON DEMAND

Are you ready?

ENGAGING

REINVENTING HR

An extreme makeover

PEOPLE DATA

EVERYWHERE

Bringing the outside

in

HR AND PEOPLE

ANALYTICS

Stuck in neutral

REINVENTING

MACHINES AS

TALENT

Collaboration, not

competition

SIMPLIFICATION

OF WORK

The coming revolution

REIMAGINING


Performance management

People data everywhere

Machines as talent

54

40

39

Learning & development

Reinventing HR

HR & people analytics

Simplifying work

63

60

59

68

Leadership

Culture & engagement

Workforce capability

77

74

69

% VERY

IMPORTANT

46%

42%

34%

36%

0 10 20 30 40 50 60 70 80 90 100

30%

23%

23%

20%

8%

9%

10 human capital trends for 2015


LEADERSHIP

Why a perennial issue?

• Need to focus on

developing leaders at all

levels

• Commitment to leadership

development needs to start

from the top

• Develop a leadership

framework for assessment,

development and coaching

and ensure it is clearly

linked to business

outcomes

• Treated as short-term

training instead of a strategic

initiative

• Weak leadership pipeline,

driven by a lack of leadership

accountability for identifying

and developing successors

• Leadership for the few, not

the many. Companies tend to

primarily focus on developing

leaders at the Executive level

Pressuring

challenges:

Where to focus:

86% see leadership shortfalls as a top-5 issue


CULTURE AND ENGAGEMENT

The naked organisation

• Create meaningful

work, deep engagement,

and job fit

• Make engagement a top

corporate priority – it

needs to be the no. 1 job for

leaders

• Listen to Millennials, as

their needs and values will

shape the organisation’s

culture in the next 10 years

• Employees are now more like

customers. Websites like

Linkedin make it easier for

employees to learn about new

job opportunities

• Leaders lack an

understanding of culture and

struggle to define and

disseminate it

• Employee motivations have

changed – there is a new focus

on purpose, mission, and work-

life integration

42% say the problem is “very important”– double the 2014 percentage

Pressuring

challenges:

Where to focus:


REINVENTING HR

An extreme makeover

• Align HR capabilities

with business goals

• Redesign HR with a focus

on consulting and service

delivery, not just efficiency

of administration

• Invest in HR development

and skills, with a focus on

capabilities such as

business acumen,

consulting and HR

analytical skills

• Traditional HR practices are

undergoing radical change,

forcing HR to throw away the

old playbook and deliver more

innovative solutions

• The move to the global

business services model and

the use of cloud technology is

on the rise

• HR is being redefined

as an enabler and builder

of talent

Pressuring

challenges:

Where to focus:

30% see an urgent need to reskill the HR function


SIMPLIFICATION OF WORK

The coming revolution

• Redesign work to focus

on what matters

• Invest in more

integrated, simple

technology

• Reduce the number of

emails, meetings, and

conference calls

• Make simplification a

priority - implement

design thinking and

process simplification

• Technology and globalisation

creating overwhelmed

employees

• Family, and work are all

blending together as our

mobile devices deliver constant

access to work information

• Business and HR processes

and systems have become

overly complex

Pressuring

challenges:

Where to focus:

63% see need to simplify work; 23% say need is very important


MACHINES AS TALENT

• Explore and learn about

how cognitive technologies

can impact business, jobs,

and productivity

• Stay vigilant for

opportunities to apply

technology

• Find opportunities to pilot

cognitive technologies

and present leaders with

options for creating value

with them

• Increasing power of

computers and software to

perform cognitive tasks

• Poor understanding at the

leadership level of how

cognitive computing will impact

the workforce

Pressuring

challenges:

Where to focus:

Collaboration, not competition

37% say that cognitive technology at work is important or very important


“Softer” areas

such as culture and engagement, leadership, and

development have become urgent

priorities

Leadership

and learning have dramatically

increased in importance, but

the capability gap is widening

HR organisations and HR skills are not keeping up with business

needs

Talent and

people analytics are a high priority and a tremendous

opportunity, but progress is slow

Simplification

is an emerging theme; HR is

part of the problem

6 KEY FINDINGS

HR technology systems are a

growing market, but their promise may be largely

unfulfilled

Human Capital Trends 2015 Copyright © 2015 Deloitte Development LLC. All rights reserved. 161


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or

services.

This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or

taking

any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, "Deloitte" means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte

LLP

and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2015 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited



support

11 November 2015