Founder & Executive Chairman of ERP Maestro's Board of Directors. Jody is a trusted advisor and security thought leader who is a CISSP, a CISA, and former director of KPMG. Follow him on Twitter @JodyCPaterson.
Will Emerging Legislation on Internal Controls Make You Personally Liable?
Recently, we've heard more about changes to the United Kingdom's (UK) Senior Managers and Certification Regime (SMCR), changes that make it one of the most significant personal-liability issues in governance, risk and compliance (GRC) and internal controls.
What is the SMCR?
Firstly, this regime carries personal liability for senior managers, and also for lower-tier employees if they hold key roles in which they could cause harm to the firm or its customers. Secondly, however, its scope is limited to the financial sector: it originally applied to banks and other prudentially regulated firms and, as was recently announced, is being extended to all firms regulated by the Financial Conduct Authority (FCA) in the UK.
Firms such as banks, credit unions, Prudential Regulation Authority (PRA)-designated investment firms and building societies must certify annually that the managers, directors and C-level employees serving in these roles are fit and proper to perform their duties, and senior managers must have regulatory approval before taking up their roles. Furthermore, these firms must ensure that their employees are trained in the FCA's Conduct Rules.
Variations of the SMCR have also been adopted in other jurisdictions, such as Australia and Hong Kong, and the trend is gaining momentum in Singapore, with an emphasis on greater executive accountability. According to a January 2018 PricewaterhouseCoopers (PwC) report, while the specifics differ between jurisdictions, the new measures are consistent in their aim of improving accountability through a sound risk culture, effective governance and stronger consequences for conduct that falls short of expectations.
What does the SMCR mean for you?
If your business is in one of the affected regions, or if a foreign bank or other financial institution has a branch in one of them, the firm must of course comply. That means tighter and more effective access controls, both to protect the business and to shield employees from personal liability, which can include fines, job loss and other disciplinary action, up to and including a ban on holding a controlled function in the future. In early 2018, Barclays' CEO was fined over £642,000 and forfeited £500,000 of his annual bonus. Additionally, the FCA reports more than £22,000,000 in fines so far this year for SMCR violations.
Could legislation like the SMCR extend beyond financial institutions?
PwC has already suggested that legislation may broaden beyond banking institutions under Australia's Banking Executive Accountability Regime. Expansion to other industries certainly could occur, and similar executive-accountability laws could emerge in other geographic regions as well. Still, even without such laws, are you personally liable?
Personal liabilities without SMCR legislation
Even though countries such as the US don't yet have a law like the SMCR, there is still personal liability for failed access controls and segregation of duties (SOD) negligence. A case of fraud, a breach of sensitive information, a Sarbanes-Oxley violation or a failed audit puts any executive or manager charged with overseeing internal controls at risk. Loss of employment, a damaged reputation or an inability to find new employment won't hit the pocket with fines, but can very well result in loss of income, and of integrity.
Stay apprised of the changing laws around personal accountability. Make sure you are using the best tools to protect yourself and your company, catch access control risks before your auditors do, and assure your audit committee that you can spot and fix risks promptly, to keep everyone safe.
If you're not sure you're seeing all of your risks accurately, download the free Active Risk Monitoring tool and get a snapshot of your SOD and access risks in SAP delivered monthly straight to your inbox.