The FCA finalised its guidance on the Senior Managers Regime in August and, with the deadline approaching in December, many firms have some serious work to do, particularly with regard to how they manage data.
The latest CEO Sentiment Survey, released by Pimfa, revealed that SM&CR topped the list of CEO concerns, with MiFID II following close behind. According to the survey, the biggest issue keeping them awake at night is the amount of time it will take to manage these regulations.
There’s a fair bit to take in. The Senior Managers Regime aims to embed responsibility into the heart of financial institutions. New rules have come in regarding the conduct of every employee in the organisation, imposing additional requirements on firms to look into their backgrounds.
Each process will require firms to identify the functions which lie within scope, document responsibilities, notify regulators of conduct breaches and assess the fitness of named senior managers to carry out their functions.
As part of this they will need to take references and perform a criminal records background check, all of which will require them to manage and monitor a considerable amount of data about their personnel.
Complying with GDPR
Compiling this data is quite an intrusive process and can create a number of issues with GDPR.
To justify processing the data, one of the GDPR Article 6 processing conditions must apply. These include that the processing is necessary to comply with a legal obligation.
In addition, you will also have to take account of Schedule One of the Data Protection Act, which requires that the data processing is necessary for the purposes of obligations imposed on the data controller.
However you choose to store this information, you should run a data privacy impact assessment to ensure that the processing is proportionate and that you have taken adequate steps to mitigate its possible impact, in particular who the data is shared with and what happens if there is a breach.
All personnel should also be notified about how their data is being processed in order to comply with the principle of transparency. You will need to explain what data you are processing, why you are using it, how long it will be stored and who it will be shared with.
It can be a considerable data management undertaking. You will need quick and easy access to the data to demonstrate that you have complied with the steps required by both SM&CR and GDPR. You may need an up-to-date record retention policy to demonstrate positive compliance to all parties involved.
The Senior Managers Regime is set to be a considerable change; one which will turn regulatory compliance into an organisation-wide issue, rather than just the preserve of the compliance department. Every employee, from the top down, has a role to play in ensuring that firms manage their obligations under SM&CR without affecting their compliance with GDPR.