3 August, 2017
Now that the SFC’s Manager-in-Charge (MIC) regime has gone live, we are frequently being asked, “What are my responsibilities as an MIC?” as MICs are understandably nervous about their potential personal liability for acts or omissions of colleagues. We thought it might be useful therefore to spell out the ABCs as to how an MIC needs to educate themselves and put systems in place so that they can be comfortable they are complying with their obligations as an MIC; and as such hopefully avoid any personal legal or regulatory liability. We have also added the key action item for Overall Management Oversight (OMO) MICs at the end.
Knowledge (Identification of legal and regulatory obligations)
Firstly, an MIC needs to know what the legal and regulatory obligations of their firm are, in the area for which they are the MIC. If the firm’s compliance manual / policies are kept up-to-date, it should be sufficient to identify the relevant obligations from the manual / policies. Some of them may be under subject specific headings (e.g. Financial Resources Rules) while others may be included as generic statements (e.g. the need to employ staff who are sufficiently qualified, experienced and otherwise “fit and proper”). If the MIC is not confident that the firm’s compliance manual / policies are kept up-to-date for their own area, then they should discuss this with senior management.
In addition, as part of this exercise, it would be prudent for each MIC to read carefully through the SFC Internal Control Guidelines to identify any other more general obligations which are not set out in the firm’s policies. The MIC regime has heralded a re-emergence of focus on the Internal Control Guidelines – it is very clear that when drafting the MIC circular, the SFC referred to the Internal Control Guidelines. We have noted over the years that firms tend not to focus on the obligations in the Internal Control Guidelines as much as the two Codes of Conduct. This is probably because of the unusual style in which the guidelines have been drafted and because the Internal Control Guidelines do not contain any prescriptive obligations. Instead, the obligations tend to be high level statements of principle – e.g. “Management ensures that adequate training suitable for the specific duties which staff member(s) perform is provided both initially and on an ongoing basis.”
The firm’s compliance team should be able to play a big role in this regard if it is adequately resourced.
Analysis (Have we taken steps to ensure compliance?)
Next, the MIC needs to consider separately, for each and every obligation they have identified as relevant to their own area of responsibility, whether the firm has already implemented appropriate internal controls to ensure compliance with that obligation. If not, the MIC needs to coordinate with senior management to do so. The MIC can certainly discuss this with the compliance team and get input, but ultimately they need to form their own view as to whether the controls are adequate.
Training
Thirdly, the MIC needs to ensure that the relevant controls identified above are actually being complied with by staff. This requires two things: (i) training and (ii) testing, i.e. compliance monitoring. In terms of training, the MIC needs to understand (i) how new staff are trained in terms of the internal controls around each relevant obligation and (ii) the frequency with which the training is repeated to remind existing staff of the need to comply with the relevant internal controls. The MIC needs to be satisfied with the content and the frequency of the training, although the compliance or other relevant teams can be responsible for conducting the training.
Testing (Compliance monitoring plan)
The final pillar is compliance monitoring. Each firm should have a compliance plan which describes the ongoing compliance monitoring programme of the firm. Typically, the compliance department tests the firm’s compliance with the key legal and regulatory obligations by checking whether the internal controls which have been put in place have been followed and whether each control effectively ensures compliance with the relevant obligation. It is never possible to test whether every single employee has complied with every single obligation; regulatory priorities change from time to time; and available resources will fluctuate. This means the compliance department needs to consider, and keep reconsidering regularly (at least annually in our view), what degree of testing (including sample size) is appropriate in the context of the firm’s business, its resources, the regulator’s priorities and the firm’s own analysis of its key risks. Senior management, i.e. the MIC for the relevant area, should be aware of what is being tested and how often, and should be comfortable with the monitoring plan: if they are not, they need to speak up and make changes. Naturally, as the size of the business grows (and the profit increases), additional resources should be allocated to compliance monitoring.
Our clients sometimes wonder about the role of the internal audit department and, separately, the firm’s external auditors in this regard. In an ideal world, the function of internal audit should be to check that the compliance department is conducting appropriate monitoring, not to do the monitoring itself. These lines are sometimes blurred, however, depending on how a firm is structured and its size, and of course in many cases there may be no internal audit department. The appointment of an external audit firm, which issues a “compliance” report to the SFC, cannot be relied on as an alternative to internal compliance monitoring because the scope of their appointment does not extend to this general compliance monitoring.
Engagement by MIC
It is important to understand that if a firm is investing resources in conducting reviews or compliance monitoring, the time and money is wasted unless the results are effectively communicated internally to the appropriate persons, i.e. the MIC and other members of senior management, who should consider the results and then follow up as appropriate. If compliance monitoring is being conducted properly, issues should be identified from time to time. This is normal. What is not normal is for the responsible MIC not to be informed of the issue, or not to be interested and engaged in ensuring that the firm takes appropriate steps to minimise the chances of such an issue arising again (e.g. additional staff training, tweaking a process or internal control and in appropriate cases taking appropriate disciplinary action against relevant staff members). Similarly, as discussed above, the MIC needs to be engaged in the ongoing review of the compliance plan generally to ensure it remains adequate as the situation changes.
Documentation
MICs who can (i) explain to the SFC with confidence how they have followed the K.A.T.T.E.D. process and (ii) back their explanations up with an audit trail of documentary evidence, such as meeting notes and emails, should be in a strong position to be able to demonstrate to SFC inspection staff that they have understood and complied with their obligations as an MIC and avoid liability.
The OMO MIC simply needs to go one step further. They need to be sure that each of the MICs is K.A.T.T.E.D.!
For more information, please contact:
Jeremy Lam, Partner, Deacons
jeremy.lam@deacons.com.hk