IFPR: Governance - Expectations and Challenges

Welcome to the fourth article in our series of thematic publications focusing on the Financial Conduct Authority’s ("FCA") Investment Firms Prudential Regime ("IFPR").

For FCA-regulated MIFIDPRU investment firms, the past year has been extremely busy as they implemented the regime to ensure compliance with the new prudential standards. In this article we share insights on the key governance requirements under IFPR, challenges firms face from implementing these and the regulatory expectations in respect of governance arrangements more generally.
 

#BDOifprseries

Our IFPR Series is designed for us to share insights on key IFPR implementation themes such as ICARA, Remuneration, IFPR Implementation, Governance, Wind down planning and Public Disclosures.

We are also hosting regular thematic events to share our insights and provide an opportunity for discussion.

 

IFPR Governance

Effective governance is a concept often referred to by industry practitioners and regulators alike. It is a topic on which vast amounts have been written and yet it is an area in which firms are periodically found wanting. More often than not, shortfalls in the effectiveness of governance arrangements are caused by poor implementation, a lack of buy-in from owners and executives, and/or changes to applicable standards not having been adequately reflected in current arrangements.

The good news is that for the vast majority of regulated firms, governance arrangements have been designed with every intention of being appropriately implemented with support and buy-in from relevant stakeholders.

The IFPR sets out clear and detailed expectations as to the minimum standards MIFIDPRU firms must adhere to, both in terms of structures to be implemented and the proportionality to be applied. Governance arrangements must ensure that the Board is able to set a strategy and risk appetite for the firm and to oversee that these are adhered to, while also ensuring consistent and robust decision-making and delegation of authority as necessary.

The governance and organisational requirements for investment firms are set out in the MIFIDPRU Sourcebook ("MIFIDPRU"), which go hand-in-hand with existing requirements introduced with the Senior Managers and Certification Regime ("SM&CR") and as captured in the Senior Management Arrangements, Systems and Controls Sourcebook ("SYSC"). The Financial Reporting Council’s UK Corporate Governance Code (the "FRC Code") also provides a helpful guide to standards of internal governance policies and practices.

The FCA has published its final rules and guidance in MIFIDPRU 7 and the relevant chapters listed in SYSC 1 as applicable to MIFIDPRU investment firms. In doing so, the FCA has confirmed which governance requirements apply, with slight variations, to the different types of firms.
 

Governance in MIFIDPRU investment firms

There has always been a regulatory expectation that firms put in place appropriate governance arrangements. SYSC 4.1.1R specifically states that "A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems".

However, the IFPR, through MIFIDPRU, provides additional direction as to minimum expected standards, the main ones of which are:

  • Based on the nature, scale and complexity of their business, firms other than Small and Non-interconnected firms ("non-SNI") should maintain a risk management function that operates independently and carries out the implementation of risk management policies and procedures;
  • Larger non-SNI firms that exceed specific thresholds of balance sheet and trading book size (MIFIDPRU 7.1.4R) are required to establish independent Risk, Remuneration and Nomination committees and satisfy the specific requirements on composition, knowledge, skills and independence of these committees as per MIFIDPRU 7.3. Note: where firms find these requirements unduly burdensome, a waiver/modification can be sought from the FCA;
  • Committees must comprise a 'balanced' membership between Non-Executive Directors ("NEDs") and Executive Directors ("EDs") with at least 50% of members being NEDs (including the Chairperson of each committee). MIFIDPRU does not distinguish between NEDs and independent NEDs ("iNEDs") unlike the FRC Code. Nevertheless, firms should always consider the value of truly independent representation on Boards and Board sub-committees in relation to industry insight and objective challenge. Industry good practice would also extend 'balance' to the Board itself (FRC Code Section 2.11); and
  • Non-SNI firms that also meet the definition of 'Significant SYSC firm' in SYSC 1.5.2R will be required to satisfy the limitation of directorships held by the members of the Board as per SYSC 4.3A.6R.
     

Implementation challenges

We understand that governance, as such, has not been the main focus of the broader thematic IFPR review that was recently undertaken by the FCA and in respect of which they published an initial set of observations in February 2023. One key observation to mention here is that a number of firms showed insufficient governance and Board involvement in the ICARA (Internal Capital Adequacy and Risk Assessment).

In addition, in 2021-2022, the FCA conducted a separate and more focused thematic review of 25 fast-growing firms (across the CFD, Wealth and Payments sectors) looking at their risk management processes, governance arrangements and financial resources. They concluded that several firms reviewed were not operating in line with the requirements and expectations.

The key challenges for fast growing firms, in terms of governance arrangements, implied by the FCA's findings were:

  • Demonstrability of governance arrangements operating effectively (e.g. 'mind and management' in the UK; high degree of informality in committee meetings; insufficient regularity of committee meetings occurring; inadequate MI; and a lack of evidence such as meeting minutes capturing oversight and decision-making);
  • Governance arrangements and the risk management framework not keeping pace with the growth of the business and the range of activities carried out as well as culture not being conducive to the arrangements; and
  • Inadequate skills and experience across the Board and Senior Management are often a symptom of inadequate governance/oversight.
     

In the context of IFPR, these challenges remain. While acknowledging that IFPR expresses a clear view from the FCA that standards across the industry must demonstrably meet certain minima, they have observed that many firms, particularly those of a smaller operational scale and/or previously not caught by the more stringent predecessor regimes, find it challenging to align operational efficiency and the cost of implementing (time and money alike) these governance arrangements.

Of course, being regulated carries with it certain obligations, some of which may incur costs over and above one’s own perception of what is sufficient. However, there are direct benefits arising from the implementation of robust governance arrangements, in terms of consistency of decision making relative to risk appetite and general oversight of activities carried out.
 

Regulatory expectations

Stating the obvious, governance arrangements need to be tailored and be proportionate to the individual organisations; in doing so, there are a number of core components that must be implemented in order to achieve and maintain ‘effective’ implementation. These core components are also at the heart of regulatory expectations and include:

  • Establishing a clear governance hierarchy from the Board down, defining levels and processes for delegation of authority and operating a commonly used three lines of defence model;
  • Defining roles and responsibilities for the Board, committees and individuals. This includes active participation and challenge from all committee members and in particular NEDs/iNEDs;
  • Making available timely, comparable and comprehensive Management Information (MI) at all levels of the decision making and oversight process. This allows, among other things, monitoring of the implementation of a firm’s strategy against its agreed risk appetite;
  • Assessing the appropriateness and diversity of skills, experience and backgrounds across employees, executives and Board members periodically. This ensures the Board has adequate information from which to drive decision-making and maintains an appropriate degree of diversity (e.g. across gender, social and ethnic backgrounds, cognitive and personal strengths);
  • Ensuring clear demonstrability of the Board owning and driving the strategy and culture for the firm as well as the associated risk appetite. Flowing from this, the Board must also maintain oversight and challenge of the Risk Management Framework ("RMF") implemented by the firm to ensure it is adequate overall, and where applicable communicate regularly with the Risk Committee and the Risk Management Function;
  • Documenting key governance artefacts, such as committee terms of reference, and subjecting these to periodic review and challenge (typically annually or in response to organisational changes as required); and
  • Maintaining oversight of any outsourcing arrangements with third-party providers, including intra-group provision of critical or essential services. This means taking reasonable steps to avoid undue additional operational risk from outsourcing, and ensuring the quality of internal controls to demonstrate appropriate and effective monitoring of these relationships.
     

Provided these core components are designed and implemented to reflect organisational idiosyncrasies (e.g. reporting lines and intra-group support across legal entities where relevant) it is possible for governance arrangements to be implemented effectively to achieve consistent and transparent decision making as well as robust oversight and challenge.

Experience shows that when things go wrong, not only within regulated firms but in businesses across all industries, weak governance is often either a contributing factor or indeed the root cause.

Mature organisations not only acknowledge that regulatory expectations may change over time, they also ensure that the continued adequacy of their arrangements is periodically tested, whether through internal reviews (e.g. by Internal Audit functions) or with support from independent third-party providers. This gives the Board and those holding relevant Senior Manager Functions ("SMF") assurance and adds to the universe of evidence relied on by SMFs to demonstrate ‘Reasonable Steps’ taken to discharge their roles.
 

How we can help

BDO has a dedicated team of prudential specialists helping clients with a range of challenges arising from the introduction of the IFPR (e.g. design, implementation and operational effectiveness testing of Governance and SMCR arrangements, SREP reviews and Section 166 investigations).

We do not offer a 'one size fits all' approach but rather tailor our support to clients' specific needs. Importantly, on longer term projects we remain flexible throughout to ensure your needs are met at all times, even if they change over time. As a starting point, we offer a menu of support that can be delivered with varying degrees of BDO involvement (e.g. from light touch ad-hoc advice through to hands-on support with the actual drafting of artefacts).

To find out how we can help you on your IFPR journey, for example to overcome challenges and avoid common pitfalls in implementing effective governance arrangements, please get in touch with Mads Hannibal, Giovanni Giro or Suds Rabdia.

In the meantime, you can download our sample Terms of Reference template which provides guidance on what is expected in each section so that you can tailor it towards your firm.
 
