Lockpath for UK Senior Managers & Certification Regime compliance

Challenges complying with UK SM&CR

The United Kingdom’s Financial Conduct Authority (FCA) mandates that financial institutions comply with the senior managers and Certification Regime (SM&CR). The regulation requires UK financial services firms to certify their senior managers as competent in performing their duties. The major takeaway is that now senior managers are personally liable for their actions.

Common challenges complying with SM&CR include:

  • Defining responsibilities. Senior managers must create their own Statement of Responsibility based on Prescribed Responsibilities assigned to them. It codifies the manager’s mission and activities. The challenge is defining “reasonable steps” for the Senior Manager’s actions and ensuring alignment with the individual Statement of Responsibility.
  • Broader requirement. Senior managers are required to certify others who perform actions involving material risk, including managers, proprietary traders and those with Client Asset Sourcebook (CASS) oversight. The hurdle for the institution is in creating a defensible certification process for additional personnel impacted by this requirement.
  • No overlap. No gaps. A guiding principle of SM&CR is that responsibilities do not overlap between senior managers, nor any gaps remain. This requirement also applies to certified personnel. The headache is in identification, mapping and documentation, ensuring the right responsibilities match up with the right manager or certified personnel.
  • Taking reasonable steps. SM&CR requires senior managers to take “reasonable steps” to control their areas of responsibility, affirming the firm’s business is controlled effectively and complies with requirements and standards. Performing reasonable steps is labor-intensive, and steps are not defined, nor are there any checklists. The challenge is senior managers need command over multiple areas, including organizational charts, handover processes, management information, risk management, skills management, issue/escalation notes and meeting agendas.
  • Other responsibilities. SM&CR 24 covers operations, and 18 specifies other functions. Banks will be challenged with functions that fall outside 24 and 18, including cybersecurity management, digital risk management and business continuity. The burden will be to identify, document and manage unsubscribed functions as robustly as clearly prescribed functions.

Benefits of using Lockpath

Lockpath, a governance, risk management and compliance platform (GRC), is ideal for a compliance challenge like SM&CR. Lockpath enables financial institutions to engage a federated approach for managing the regulation. In this approach, banks centrally identify risks caused by gaps in functions prescribed to senior managers, as well as govern certified personnel. Meanwhile, senior managers focus on their reasonable steps and manage the certification process for their respective areas.

With Lockpath you can:

  • Streamline the certification process. Lockpath enables you to map requirements to certification documents using the institution’s internal controls framework, creating a defensible certification process. Use the platform to manage the lifecycle of certification documents, including creating surveys and certifications using a wizard.
  • Align operations and compliance objectives. Leverage policies, standards and guidelines that help align the institution’s operations and compliance objectives. While the connecting elements change, Lockpath offers insight into the impact of strategic changes, turnover, promotions, new business processes and more. Institution leadership relies on Lockpath to better understand Senior Manager responsibilities, see where certifications are necessary, and handoffs are required.
  • Managing reasonable steps. Lockpath offers senior managers their own singular workspace in the platform to define and perform their reasonable steps. These steps benefit from Lockpath’s integration of requirements, policies and standards, as well as data sharing among stakeholders. Because Lockpath consumes and correlates data, the platform can prompt users for timely information or pull data from other systems of record. Whether it’s executives, senior managers or Compliance, all have insights on controls, risk and compliance failures and slippages.
  • Add IT risk management to responsibilities. Rely on Lockpath to manage the firm’s IT risk, assigning owners to each control and duty. Use Lockpath to identify, analyze, mitigate and manage IT risks. Leverage the platform’s workflow to escalate threats to levels of authority. Any incidents are given due diligence, from root cause analysis and mitigation to record-keeping and archiving. Every step is documented for review, audits and defense.

The Lockpath Difference

Lockpath’s integrated approach to governance, risk management and compliance is ideally suited for SM&CR requirements. Financial service firms can use Lockpath to maintain oversight of senior managers while giving them the autonomy to perform duties with accountability.

Lockpath brings instant insights and alerts to senior managers, provides audit trails, evidence to defend their work, and offers a defensible approach to their statements of responsibility. Certified roles and certifications are managed and kept current. For management, Lockpath also provides reporting and alerts to bring immediate attention to gaps or issues with a senior manager’s reasonable steps. The same due diligence that applies to senior manager responsibilities also applies to other institutional responsibilities assigned to senior managers, including information technology, cybersecurity and business continuity.

UK’s SM&CR ups the ante on senior managers performing their duties and holds them personally responsible. Lockpath offers an ideal solution to this, from giving banks the oversight needed for proactive management to empowering senior managers to carry out the duties with the accountability the regulation demands.


Get started with Lockpath today.

Request a Lockpath Trial demo and discover a new approach to risk management.