
The challenges of combining SMF16 & 17; expectations on the Heads of Compliance and MLROs

Gary Watson


Operating in an era where regulatory expectations have never been higher and will undoubtedly continue to grow, combining SMF16 & 17 into one role presents some challenges and risks. Periodically, and certainly as firms grow, it makes sense for their leadership to review this approach.


The only constant in life is change


In 2022, the FCA set out its expectations on Heads of Compliance and MLROs, as part of the approval process for SMF16 & 17 applications. The publication indicated that the applicant will need the necessary skills and knowledge, and that the level of skills and knowledge should be in line with the size of the firm and its risk of harm. That’s straightforward enough, but for the individual, it can be problematic. Firstly, there is acquiring the requisite skills and knowledge, and then there is keeping on top of regulatory developments, which can be very diverse: from AML, ABC, fraud, sanctions, and MAR, to cybersecurity, data privacy, PSR, ESG, MiFID, operational resilience, whistleblowing, plus, of course, consumer duty. Regulations and regulatory expectations, perhaps reflecting societal changes, are constantly moving. No wonder ancient Greek philosopher Heraclitus' “everything changes” quote (or misquote) is often used.


Understanding at what point the SMF roles could be better served by being split


As well as the obvious factors of customer population size and product complexity, the maturity of the first line risk functions and the second line's depth of skills and expertise would all go into the mix. Size aside, perhaps there’s also a slight paradox, as firms that have further to travel on their risk and compliance maturity journey are more likely to combine these roles.


Points to consider:


  • Are first line risk functions managing these risks separately and do they require specialist second line support and oversight? 

  • Do senior management feel that the annual compliance monitoring plan isn’t adequately covering both financial crime and compliance risks? 

  • Is there an overfocus on the familiar within the Compliance team, so time isn’t permitting a focus on new emerging risks, or shaping how the compliance team continues to learn and develop? 


The above could be signals that the scope and breadth of the compliance and financial crime risks could be causing challenges for the second line Compliance team and, by association, the person holding both the SMF16 & 17 roles. Here’s where the third line has a part to play: it has the luxury of being able to step back from the day-to-day and take a wider look at what is and isn’t working.


Maintaining the current status



Nothing says a firm can’t combine these roles and be effective at managing both compliance and financial crime risk. Perhaps key for the person holding both SMF roles is an acceptance that whilst they can’t be the subject matter expert on all topics, they can have a good understanding of what’s required, and have a team around them that has the time and inclination to dive deep into different regulatory areas. However, it is helpful, from time to time, to review whether this path remains the right one and, as per the FCA’s expectations, is in line with the size of the firm and its risk of harm.


Copyright © 2025 Clarionet Consulting 
