‘Reasonable Steps’ in the Regulated World

Books hero photo
Lucy McClements photo
Lucy McClements

There is no doubt that being a Senior Manager Function holder (SMF) in today’s regulatory environment comes with increased risks. Regulatory expectations have been enhanced thus creating additional pressure on Boards and individuals to evidence their competence on an ongoing basis, particularly when handling regulatory issues and breaches.

Under the Senior Managers & Certification Regime (SM&CR) the PRA and FCA expect all SMFs to take ‘reasonable steps’ to manage, operate and control the areas of business under their responsibility. ‘Reasonable steps’ are defined as “such steps as a person in their position could reasonably have been expected to take to avoid a misconduct/ breach/ error occurring or continuing”.

Therefore, the taking and documenting of ‘reasonable steps’ form an important line of defence for a SMF against any personal liability in relation to regulatory enquiries and investigations if issues arise in their areas of responsibility. However, ‘reasonable steps’ are not prescribed by the regulators, rather it is for each SMF to interpret and evidence how they have fulfilled their duty of responsibility within their own context and that of the firm in which they operate.

In a nutshell, ‘reasonable steps’ include making sound decisions and actions based on the information at hand and most importantly being able to demonstrate, usually via documentation, the steps taken when addressing issues. Indeed, the concept is referred to in several places in the rules and related commentaries; most notably the Senior Manager Conduct Rules (COCON 2.2) expect a SMF to ensure that the areas of the business for which they are responsible are:

• effectively controlled;

• in compliance with regulatory requirements at all times; and

• where tasks are delegated, that they are delegated to a suitable person and that the performance of those tasks is overseen appropriately.

When reaching its conclusions, the regulators will compare their findings from any investigation with those decisions and actions which it considers would have been taken by a competent SMF in the same position, with the same role and responsibilities, at that time, and in the same circumstances.

So, what might ‘reasonable steps’ entail in the context of a SMF of a regulated firm?

We could consider two different angles of approach:

  1. Potential ‘reasonable steps’ in a “Business as Usual” environment e.g.:
    1. Core operational and risk management processes in place;
    2. Governance arrangements (three lines of defence); and
    3. Regular reports received and provided.
  2. Reviewing the list of points regulators have stated they will consider in the context of ‘reasonable steps’ (see DEPP 6.2.9-E) e.g.:
    1. Exercising due skill, care, and diligence when considering the information available to them;
    2. The knowledge the SMF had, or should have had, of any regulatory concerns relating to their role and responsibilities;
    3. Reasonableness of any delegation of their responsibilities (to an appropriate person with the necessary capacity, competence, knowledge, seniority and skill);
    4. The extent of an orderly transition to another SMF when they were replaced; and
    5. How long the SMF had been in role and the extent of any handover they received.

Taking ’reasonable steps’ is not limited to diligently recording information ‘just in case’ something goes wrong in the future. It also means:

• Maintaining an up-to-date knowledge and understanding of the relevant regulatory requirements, technical elements associated with your role, as well as the wider operating environment.

• Being alive to the potential risks and issues that arise when running any business AND responding in a timely fashion to any crystallised issues that emerge. Regulators know that things go wrong. It is how the relevant SMF and the firm respond that makes all the difference, for example, creating and following through a well-defined action plan, or seeking third party expert advice on how best to proceed.

• Organising and allocating enough resources via clear reporting lines and delegations that are well communicated and understood by staff.

• Continuously reviewing, assessing, and improving. The job is never done….

Five years on from the implementation of SM&CR and there have been very few Enforcement cases concluded against individuals under the new framework. Whilst these types of cases are likely to be challenged intensively by the individual in question (and therefore take several years of legal debate), one might hypothesise that where serious regulatory breaches have occurred the accountable individual has been well able to demonstrate ‘reasonable steps’. Only time will tell.

May 2021