
Is recordkeeping the key to managing personal regulatory risk?
Firms need strong recordkeeping to manage personal regulatory risk and meet growing accountability demands. Clear documentation helps prove compliance and shields managers from liability.
Senior individual personal accountability and liability is here to stay. Firms and individuals alike in financial services are subject to licenses, rules, and requirements designed to protect customers, prevent undue risk-taking, and enable smooth market operations. Much of enforcement is to punish wrongdoing and to act as a credible deterrent to the rest of the sector.
For individuals, enforcement action has more impact than for a corporate. Firms tend to shrug off fines and other sanctions as a cost of doing business; for an individual, enforcement action could well be career-ending. Unsurprisingly, individuals fight enforcement action far harder than a firm does, and so specific individual accountability regimes have proliferated around the world as regulators seek to make it simpler to hold senior managers to account.
Jurisdiction-specific individual accountability regimes are all different in detail but at a high level they require complete clarity of who, precisely, is responsible for what. A deliberate additional benefit of many of the accountability regimes is to seek to drive better culture and conduct risk-aware behaviors.
The need for robust, consistent recordkeeping is twofold. Firstly, the firm itself needs to comply with all relevant recordkeeping requirements and thereby evidence compliance. Secondly, senior individuals need to build and maintain a suite of records to evidence the compliant discharge of all relevant personal regulatory obligations.
Individual liability
The U.K. is just one jurisdiction among many that has introduced a specific individual accountability regime. Indeed, the U.K. introduced the first phase of the Senior Managers and Certification Regime (SM&CR) in 2016, and the requirements included the need for a ‘responsibility map’ as a base on which ‘reasonable steps’ need to be demonstrated to show there is an appropriate degree of management and control. The crux of the requirement is the need to have a clear, up-to-date and detailed line of sight to who is responsible for what in a firm.
One example of the sanctions imposed for wrongdoing is the January 2024 sanction imposed on the chief executive of Wyelands Bank. The U.K. Prudential Regulation Authority (PRA) banned Iain Hunter and fined him £118,808 for, among other things, failing to take ‘reasonable’ steps to ensure that Wyelands had adequate systems and controls in relation to the PRA recordkeeping requirements.
Line of sight
The line of sight should be considered the next level of granular detail from, say, a job description or responsibility map and should be documented with, where necessary, links into the corporate governance, document creation and management, recordkeeping and risk and control framework of the firm. It is critical that the ‘line of sight’ is kept up to date – businesses and people change, and the line of sight will need to be updated accordingly.
It is not enough for a senior individual to simply be aware of the business areas under her or his control. Senior managers need to understand the detail of the business being conducted in their area of responsibility. It ought to be stating the obvious that a senior manager needs a thorough, in-depth understanding of all products, activities and risk management processes, but all too often enforcement actions show that as people and businesses change, knowledge levels become severely depleted, with the inevitable regulatory consequences.
Evidence, evidence, and more evidence
Good management information is the lifeblood of any firm and in the current regulatory environment management information could be seen as the need for evidence, evidence, and more evidence that a firm and the senior managers running it have done all of the right things in all of the right ways.
Recordkeeping (and the generation of evidence of compliant activities) is a core competency for firms and individuals alike. However, continuing investment in technological solutions is required to both enable and evidence compliance. As the tools used for business evolve and change, a firm’s approach to recordkeeping needs to keep pace and be able to capture and retain all necessary records regardless of the technology deployed.
The same holds true for individuals. No matter how business was conducted, senior managers need to build and maintain their own personal ‘archive’ of evidence to demonstrate the full and complete discharge of their regulatory obligations. For some quantitative elements that process is likely to be relatively simple, but there are often challenges when culture is added into the mix. One quick win could be to gather all the attestations, audit trail, board, risk committee and other meeting minutes which evidence the challenge and engagement by the individual.
A final point concerns when a senior individual leaves a regulated firm. When a senior manager changes firms, it is entirely reasonable that he or she should be able to maintain the suite of documents to support the compliant discharge of his or her regulatory responsibilities. This is not without its potential challenges given that at least some of the documents could be business sensitive and intellectual property. Senior managers and their firms would be well advised to come to sensible arrangements that will enable the senior manager to access (potentially sensitive) documents under certain circumstances as and when they are no longer employed by the firm.