We now have our first enforcement action against a Senior Manager under the SMCR for breaches of the Senior Manager Conduct Rules.
And (surprising many) it's from the PRA, which has fined TSB's former CIO Carlos Abarca £81,620 for breach of the PRA's Senior Manager Conduct Rule ("SM Conduct Rule") 2 (compliance with requirements and standards of the regulatory system).
This is in connection with issues during TSB's 2018 IT migration that caused service disruption to customers (including retail customers), for which the FCA and PRA have already fined TSB £48.5m in total for breaches of FCA Principle 2 and PRA Fundamental Rule 2 (skill, care and diligence) and FCA Principle 3 and PRA Fundamental Rule 6 (organisation and control).
Let's unpack what this action means for Senior Managers going forward - in particular, what it means to take "reasonable steps".
The PRA's findings
The PRA found Abarca's responsibilities as CIO required him to take reasonable steps in relation to identification and mitigation of risk relating to the migration readiness of outsourced providers including a third party provider SABIS. The processes for which he was responsible were critical to the migration's success and to "the knowledge of the risks that TSB understood it was accepting and was willing to accept".
The PRA found that Abarca gave assurances to the TSB Board about SABIS's preparedness without first ensuring that SABIS (and fourth party contractors to SABIS) gave TSB sufficient assurance. The PRA found Abarca's failing to have undermined TSB's operational resilience and contributed to the disruption in question.
Statement of Responsibilities and Material Risk Register: enforcement weapons?
Abarca was CIO and holder of SMF18 (Other Overall Responsibility), and the PRA's findings essentially proceed from Abarca's Senior Management Regime Statement of Responsibilities which set out his responsibility for the IT function and alignment with TSB strategy, specifically TSB's compliance with the PRA's Outsourcing Rules, for the migration programme and the relationship with SABIS, and for migration governance, communication and decision-making processes.
They also proceed from the Statement of Responsibilities' identification of Abarca as owner of the risk - noted in TSB's Material Risk Register - of operational resilience issues and poor customer outcomes caused by the migration.
A warning to Senior Managers, then: keep referring to your statements of responsibilities and asking yourself whether you've done enough to mitigate enforcement risk should things go wrong.
Interestingly, the PRA noted that Abarca shared certain of these responsibilities jointly with another Senior Manager, but this does not feature at all in the PRA's findings and action taken. So we'll have to wait longer for clarity on joint responsibilities, including matrix management arrangements.
Important guidance on "reasonable steps" - but more is needed
The SM Conduct Rules are all confined by the concept of "reasonable steps". The right way to think about this is as a "range": a Senior Manager is in breach if their conduct falls "outside the range of reasonable responses" for a Senior Manager in their position.
This action yields our first guidance on what this requires.
Unfortunately it's not generally applicable, but it is useful in the context of a Senior Manager seeking to rely upon confirmations from, and capabilities of, other entities. Whilst most applicable to outsourcing (whether external or intra-group), it may bear to some extent on Senior Manager reliance upon other internal employees such as the Senior Manager's direct reports.
Here are the key messages and how they played out in this case:
- It's critical to fully inform governance fora (e.g. Boards) of relevant risks. This includes a Senior Manager adequately substantiating any assurances they give. It also means that a Senior Manager should annex underlying confirmations on which the assurance is based. In this case, the PRA criticised Abarca for providing his assurance to the TSB Board without annexing the underlying confirmation from SABIS or including it in the papers for the Board.
- When it comes to statements made by others, a Senior Manager might "trust" but should also "verify".
- When a Senior Manager gives assurance to governance fora based on confirmations from third (and fourth) parties, the Senior Manager should ensure that those confirmations adequately support the Senior Manager's assurance.
- Here, according to the PRA, confirmations of readiness from SABIS and fourth parties were to some extent "forward looking statements of good intention or expectation" rather than "statements of fact about the completeness of readiness activities undertaken"; some assurances included caveats and outstanding tasks or tests; and Abarca relied on the fact that fourth parties had given confirmations to SABIS without himself critically assessing these.
- The PRA said it was insufficient for Abarca to rely on the fact that the fourth parties were engaged under contracts which conformed to the PRA's Outsourcing Rules. When a firm is reliant on an outsourced provider to manage fourth parties, the firm must take a "sufficiently engaged and proactive approach" to overseeing the outsourced provider, including the outsourced provider's management of, and testing, monitoring and control over fourth parties.
- Senior Managers should consider what triggers might prompt them to conduct closer oversight. In this case:
  - If service level breaches are experienced during an IT migration programme, those issues should prompt the Senior Manager to cause their firm to re-assess the outsourced provider's capabilities holistically against business needs. The PRA found that Abarca failed to do this.
  - SABIS was still developing its supplier management model late in the migration programme; Abarca did not appear to have considered whether this meant he should obtain further information from SABIS about confirmations from fourth parties.
  - The lack of contractual relationships between TSB and fourth parties contracting with SABIS may have limited visibility of relevant risks.
The wider context
The SMCR has already had a powerful impact on behaviour in financial services and is an important part of the regulators' supervisory toolkit.
In the enforcement context, SMCR investigations constitute a rising proportion of all FCA investigations and we expect to see more concluded outcomes against senior individuals within the next 12-18 months.
This is particularly so given that 2022 featured a series of enforcement actions that were accompanied by actions against individuals, many of whom have made Upper Tribunal references.
We expect the Abarca action to be just the first of an imminent series of SMCR enforcement actions - contested and otherwise - which will shed further light on the reasonable steps obligations of Senior Managers.
We're all waiting with bated breath.