On the 9th of December 2023, it will be four years since the Senior Management and Certification Regime (SM&CR) became applicable to solo-regulated firms. What has happened since then? With the aim of improving accountability and governance, has it been performing as intended? Since then, technological advancements have been rapid, especially with artificial intelligence (AI) becoming more mainstream. What does this mean for SM&CR?
This article explores the SM&CR as it stands and its relationship with AI, potential future developments, and the regime’s role in enabling accountability in an increasingly technological world.
SM&CR as it stands
It is important to remind ourselves of the goals and aims of the regime, which are to raise governance standards and individual accountability and more specifically to:
- encourage staff to take personal responsibility for their actions;
- improve conduct at all levels;
- make sure firms and staff clearly understand, and can show, who is responsible for what;
Interestingly while the regime brought forward conduct rules that promoted ethical behaviour and professionalism, firms were often unable to display “what a conduct rule breach looks like” in relation to their operations. There has also been a low number of enforcement actions, which could mean that individual conduct is improving, but it could also signify that some matters may go unnoticed. It’s fair to say that the regime has garnered mixed responses as some are of the opinion that it drove improvements in behaviour as well as market and consumer outcomes, while others think it is overly complicated processes and generated onerous red tape.
It is important to acknowledge that the SM&CR does entail a heightened administrative workload for organisations. Smaller firms may struggle with remaining compliant, as the costs may not be proportional to the improvements. Reflecting on the advancements of artificial intelligence (AI), does the regime as it stands adequately cater to related new risks?
SM&CR and AI
The far-reaching consequences of AI are well documented as it touches various aspects of the wider society, and SM&CR is no exception. This only makes sense as more and more financial services utilise AI in their processes and everyday operations. The logical next step is to ask whether the people involved in using and managing these systems are properly assessed and whether can they be held accountable.
There are, to a degree, existing frameworks that enable the responsible application of AI in financial services, but it is not very developed and generic. Whilst the FCA deems itself a technology-agnostic regulator it was noted that “The SM&CR, in particular, has a direct and important relevance to governance arrangements and creates a system that holds senior managers ultimately accountable for the activities of their firm, and the products and services that they deliver – including their use of technology and AI.”
Good foundation for AI
Regulators are already consulting on whether the SM&CR could be used to mitigate some of the data, governance and model-related risks that comes with AI use in financial services, states Emily Bradley, a senior professional support lawyer at Slaughter and May. This could be done, for example, “through creating a new prescribed responsibility for AI. This approach can be thought of as accretive, broadening the reach of the SM&CR, as opposed to altering its underlying assumptions.”
An article by law firm Hogan Lovells echoes this sentiment, stating that using “the existing SM&CR framework as an oversight and governance framework for AI systems in firms appears to be a logical step given the investment many firms have already made in operationalising SM&CR.” However, the article clarifies that additional guidance is necessary to expand the regime. This is because “the existing SM&CR guidance was written before many of the current technologies existed” meaning “key aspects such as how ‘reasonable steps’ will apply in an AI context and which roles will be in scope will need to be carefully considered.”
In early November the BBC reported that an AI bot was engaging in insider trading and lying about doing so. Could the SM&CR help in similar situations by making the owners of these systems responsible and accountable?
There is at present an existing certification requirement for staff responsible for algorithmic trading. The certification regime could be expanded to create a new certification function for AI, Hogan Lovells added, citing the discussion paper by the Bank of England, Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) (DP5/22):
“Given the technical complexity of AI systems, it is key that the staff responsible for deploying or developing them are competent to do so … regulators and firms may look to further consider whether the SM&CR will need to be extended to other individuals managing AI systems including data analysts, data scientists and data engineers who may not typically have performed roles subject to regulatory scrutiny.”
It is worthwhile to note that the regulatory cycle (teething problems, implementation, etc.) that exists means it will take a while for stakeholders to effectively evaluate whether the regime is fit for purpose, or whether further reforms are needed. With AI in the picture, the regime could be expanded in different ways as explained above.
In terms of individual conduct and behaviour change; culture change usually does take a long time too, with or without AI.
The upcoming responses from the call for evidence and discussion paper would be interesting to look forward to. The input was requested in March 2023 and was kept open for responses until June 2023, and the BoE and the regulators are now in the stage of considering the responses. Safe AI ultimately requires accountability regimes to evolve alongside innovation for sustainable growth to take place.
At Leo, we understand the complexity of the processes of staying compliant, and how time-consuming this can be. This is why we created a solution to assist solo-regulated firms in complying with the SM&CR regime, streamlining the processes, and saving time.
Our SM&CR framework solution includes encompassing digital SMF certification, senior manager self-certification, fitness and propriety assessment, SM&CR training, senior management and certified function application forms, and SM&CR registers. This can also be combined with Leo’s HR solution successfully addressing a firm’s recruitment and onboarding needs, optimising efficiency, and reducing reliance on external resources.
To learn more about how we can help click the link below.
 Ibid. (hoganlovells)
GDPR Accountability: avoid fines, adherence is easier than you think – Part 2
Despite Art. 5 GDPR referring to data controllers, in practice, the principle of accountability applies equally to processors and controllers of data. Most...Read more
The AI Sliding Scale – A Tool or a Threat?
AI regulation feels unclear to say the least. We seek to delve into what has been done and what is intended to be done...Read more