Webinar recap: compliance with UK SMCR regulation
Brexit is always in the news, but there’s another noteworthy change in the UK scene that applies specifically to the country’s financial institutions. UK banks must now comply with the Senior Managers and Certification Regime, known as SMCR.
For a better idea of compliance requirements and challenges to overcome, watch our webinar, A Framework for Managing SMCR. In the webinar, Sam Abadir with Lockpath, a NAVEX Global company shares SMCR’s major requirements, top challenges, and best practices for compliance. He also presents a framework that UK financial institutions can use to manage SMCR compliance efforts.
Abadir sees SMCR as the first in a new class of regulations.
“SMCR is a turning point in regulations towards personal responsibility,” said Abadir. “It’s not checkbox compliance; rather, it’s focused more on how the organization runs.”
Here are four highlights from the webinar:
29 requirements. #18 is a little scary
The webinar presents a summary of requirements for senior manager functions that total 29. However, what alarms Abadir is #18 Other Overall Responsibility. It leaves covered institutions in the dark on what requirement 18 encompasses.
Could #18 include cybersecurity? Abadir sees its absence as a big hole in the regulation. A breach could be disastrous for a bank given the personal financial information they possess. It’s a reminder that while regulations may address risk, many risks can remain.
For cybersecurity, take advantage of information security frameworks like NIST CSF, NIST 800-53, and ISO 27001.
Compliance challenges with SMCR
Watching the webinar, you’ll note several compliance challenges with SMCR. One is the senior manager’s statement of responsibility and ensuring it’s clearly defined without gaps. Banks will also have to create their own certification process.
All the work may require change management. One possible result is adopting practices common in major financial institutions that utilize responsibility maps. These maps offer demarcation, so each senior manager corresponds to a defined set of responsibilities.
Defining reasonable steps
SMCR states that senior managers must take “reasonable steps” to control their areas of responsibility. But what is reasonable to your bank may not be viewed as reasonable by the regulator. Here’s the litmus test. Is the process for managing areas of responsibility defendable in an audit? Treat senior manager responsibilities like internal controls that you tie to processes, which will help bring accountability to them.
Bottom line: Ensure reasonable steps are defined, defendable, and documented.
Embrace the value of internal audits
In addition to expressing the value of a well-oiled compliance and training program, Abadir also talks up befriending your institution’s internal auditor who will measure SMCR effectiveness, improve best practices, and help ensure the likelihood your program is compliant.
Most senior managers avoid working with internal auditors. Remember, you both work for the same company. You should see auditor findings as guidance on improving your SMCR program.
It’s quite likely that UK SMCR is the harbinger of what is to come on the regulatory front worldwide. By attending this webinar, you’ll have a better idea of compliance demands and how your financial institution should adapt to best practices for operations.
While the coronavirus has dominated news cycles, other notable events occurred around a number of new rules, regulations and guidance, from California’s data privacy regulation to NIST data privacy framework and SEC guidance on cybersecurity for financial service firms.
We see a trend that would unify compliance and risk management under the same umbrella and help address the new risk landscape. It’s a principled, ethical approach to governance. Good governance guides organizations to do the right thing.
In this post, we share the importance of BYOD policies, alert you to compliance challenges, as well as the risks posed by personal devices tethered to IT infrastructure.