Individual Accountability: The Senior Managers And Beyond

There has been much debate among regulators and in the general public about whether there should have been more enforcement action against executives and other individuals in banks for misconduct in the events leading up to the 2008 financial crisis and after. The U.K. government has taken several actions against banks and companies for their corporate misconduct and involvement in market manipulation scandals of recent years. However, regulators have found it difficult to hold individuals accountable for being involved in the same misconduct, particularly individuals in management roles. Complex organizational structures of large banks and investment firms that are important for running global businesses efficiently are viewed as contributing to the problem.

NEW U.K. REGULATIONS

Regulators are starting to address this issue by changing the rules around individual accountability. The United Kingdom is reforming its approach to supervising and taking enforcement action against individuals in senior management positions and individuals who are employed in positions where they could pose a risk of significant harm to the firm or any of its clients (we'll call them certified personnel). For regulatory purposes, senior managers include not only directors but also chief executives, heads of key business lines, and certain highranking compliance and risk management personnel.

From March 7, 2016, banks, certain large investment firms, building societies, and credit unions established in the United Kingdom, including U.K. subsidiaries of overseas firms (referred to here collectively as SMR firms) and U.K. branches of third-country or European Economic Area (EEA) SMR firms (known as incoming branches), will be subject to a new Senior Manager and Certification Regime (SM&CR).

THE LIABILITY STANDARD

In the past, U.K. managers were allowed to define their own roles. Any personal liability would have been based on a legal standard of causation. The SM&CR rules aim to clarify areas of responsibility and therefore accountability. They require the allocation of certain prescribed responsibilities to senior managers and the production of Statements of Responsibility for those managers. SMR firms and incoming branches will need to create and manage processes that are effective absent deliberate wrongdoing on the part of a team member, and that minimize the risk and effects of any such wrongdoing. Most notably, the regime, as originally framed, introduced a "presumption of responsibility" for senior managers that effectively reversed the burden of proof by holding senior managers in a particular function responsible for a firm's regulatory breaches. Senior managers would have been required to rebut the presumption that they were responsible for breaches by demonstrating that they took reasonable steps to prevent them from occurring or continuing.

Such a rule is not without precedent. A similar presumption of responsibility mechanism already exists in Germany, where enforcement actions have successfully been taken against executives in particular positions of importance. However, one of the key concerns about the U.K. presumption of responsibility was that it would deter certain individuals from performing senior management roles and those who were undeterred would demand to be adequately compensated or insured for taking on the increased risk of personal liability. The U.K. Government announced several changes to the SM&CR in October, amongst which is the replacement of the presumption of responsibility with a statutory duty of responsibility. The burden of proving that a senior manager did not take reasonable steps to stop a breach will be on the regulator. The changes, at the time of writing this article, were set out in a Bill laid before Parliament.

THE U.S. IS DEVELOPING RULES

Although the United States does not have a directly comparable regulatory regime for senior managers, many of the requirements of the SM&CR already are reflected in other U.S. regulations, with some differences. U.S. regulators have broad enforcement powers as part of their supervisory mandate. Just as in the United Kingdom, U.S. regulators have principally directed their enforcement actions at institutions and not individuals at those institutions. However, along with a renewed focus on governance and management, U.S. regulators are now placing more emphasis on the need to hold individuals accountable. For example, the U.S. Department of Justice recently issued new guidelines to bolster its ability to pursue individuals in corporate cases.

EXTRATERRITORIAL IMPACT OF NEW RULES

Any fundamental governance-related regulatory change such as this has the potential to be extraterritorial in impact, especially for global financial institutions. The SM&CR has the potential to reach senior managers located outside of the U.K., just as do actions taken by the U.S. regulators or the European Central Bank regarding individuals outside the U.S. and E.U., respectively. Differing standards and enforcement regimes can in theory give rise to conflicts between overlapping oversight requirements. However, the approaches of the various regulators are generally likely to work together, though it's possible (if unlikely) that oversight in one jurisdiction might prioritize safety and soundness within that jurisdiction at the expense of another.

A DIFFICULT BALANCE

In implementing accountability regimes, regulators must strike a difficult balance. On the one hand, there is a clear need for the rules to operate efficiently to ensure executives are effective in their management roles and to prevent executives from ignoring regulatory breaches. On the other hand, regulators must ensure that the new accountability regimes are fair and do not impose de facto strict liability on executives who take reasonable steps to prevent and detect problems. There is a risk that, crudely applied, the reforms could give rise to a random minefield of rules and regulations on liability that directors and employees will find difficult to navigate and which could deter key individuals from taking up roles of responsibility within their organizations.

In this article, we focus on the new SM&CR and its extraterritorial effect, and particularly on the rules on the personal liability of senior managers. We then compare U.K. regulations with those in the United States. This article does not seek to cover the general regulation of individuals, remuneration rules, firm registration processes, the impacts of resolution and recovery regimes, or other aspects of individual regulation. The new regulatory approach of focusing on individuals is likely to evolve, so this snapshot reveals the direction of travel more than the final destination.

THE SM&CR IN SUMMARY

The SM&CR represents a fundamental change in the approach to regulating senior managers, certified personnel, and conduct within SMR firms and U.K. branches. Firms, rather than the regulators, will be given primary responsibility for vetting senior managers and certified personnel, and only senior managers will be subject to the regulators' approval.

The SM&CR is made up of the Senior Managers Regime, the Certification Regime, and a new Code of Conduct. Each of these three elements is summarized in a box to the right. The rules will be applied by both the U.K.'s Financial...