Employment in Financial Services

The Central Bank of Ireland (CBI) is responsible for the authorisation and supervision of regulated financial service providers (RFSPs) in Ireland. RFSPs can include credit institutions, credit unions, brokers/retail intermediaries; and other RFSPs such as electronic money institutions, insurance and reinsurance undertakings, investment firms and payment institutions. The regulatory regime applies in a bespoke way to each sector and its employees and tailored legal advice should be taken for a specific situation. The general principles of the regulatory framework are set out below.

Fitness and Probity

The primary regulatory regime applicable to employees of RFSPs is the Fitness & Probity ("F&P") framework under the CBI Reform Act 2010 (2010 Act) as amended. Its function is to assess and monitor the suitability of individuals for certain key positions, known as Controlled Functions (CFs), including Pre-approved Controlled Functions (PCFs). The general rule is that an RFSP cannot permit a person to perform a controlled function unless the RFSP is satisfied on reasonable grounds that the person complies with the F&P Standards prescribed under the 2010 Act and further set out in the regulations and Guidance prescribed by the CBI. A link to resources governing the F&P Standards is here.

Fitness relates to an individual's competency, experience, qualifications and capacity to perform the role (including time commitments and being free from conflicts of interest).

Probity relates to an individual's honesty, diligence, independence, ethics and integrity in performing their role.

Employers are required to perform due diligence to confirm that individuals they propose placing in CF roles are fit and proper. Employers are also required to hold a certificate of compliance in respect of each in scope employee, certifying that the employee complies with the F&P Standards. Employees of RFSPs must agree in writing to comply with the F&P Standards.

A breach of an individual's F&P obligations can result in criminal and administrative sanctions for the RFSP and suspension and disqualification for the individual from holding a controlled function.

Minimum Competency Requirements

The CBI also operates a minimum competency regime under the Minimum Competency Code 2017 and the CBI (Supervision and Enforcement) Act 2013 (section 48(1)) Minimum Competency Regulations 2017, which set out professional standards and competencies, and continuing professional development (CPD) requirements, for persons providing certain financial services and products across certain sectors e.g., credit union and insurance services.  The aim is to protect consumers by ensuring a minimum acceptable level of competence from individuals acting for or on behalf of RFSPs providing advice and information and associated activities (such as dealing with insurance claims or complaints), in connection with in-scope financial products.

The Individual Accountability Framework

The CBI (Individual Accountability) Act 2023 (the "2023 Act") was signed into law on 9 March 2023. The 2023 Act introduced a new Individual Accountability Framework ("IAF"):

• An enhanced Fitness and Probity Framework;
• New Common Conduct Standards, including Additional Conduct Standards for PCFs, applicable to employees and officers of RFSPs as well as Business Conduct Standards;
• The Senior Executive Accountability Regime ("SEAR"); and
• Administrative Sanctions Procedures ("ASP") which empowers the CBI to investigate and sanction individuals for breaches of their obligations under the IAF including the Conduct Standards and their F&P obligations.

The IAF commenced in Ireland from 29 December 2023. The F&P Framework and the application of the new Conduct Standards became effective from this date. Other parts of the IAF will be effective later in 2024.

Conduct Standards

Under the 2010 Act, both CFs and PCFs must take any step that is reasonable in the circumstances in the performance of their role, to ensure that they meet the requirements of the Common Conduct Standards. The Common Conduct Standards are explained in Guidance published by the CBI here. The Conduct Standards include the requirement to act with honesty and integrity, due skill and care, co-operate in good faith with the CBI, act in the best interests of customers and comply with applicable rules governing market conduct and trading as applicable to the relevant RFSP's sector. The F&P Standards set a standard that CFs and PCFs must meet to ensure that they are sufficiently skilled and have the competence and capability to perform their roles. Whereas the Common Conduct Standards impose positive, enforceable legal obligations on individuals in those roles, governing their conduct and requiring them to act in accordance with a single set of standards of expected behaviour. Employers must train their employees on the applicable Conduct Standards. Employees are required to attend at that training and to fully understand and comply with the Conduct Standards. Additional Conduct Standards apply to PCFs.

Senior Executive Accountability Regime

SEAR which applies to senior managers/officers holding PCF and CF1 roles, will be applicable from 1 July 2024. SEAR will come into force in respect of Non Executive Directors (NEDs) and Independent Non Executive Directors (INEDs) with effect from 1 July 2025.

In terms of the scope of application, SEAR will be introduced on a phased basis and will initially apply from 1 July 2024 to credit institutions, insurance undertakings (excluding reinsurance undertakings, captive (re)insurance undertakings and insurance special purpose vehicles) and investment firms that underwrite on a firm commitment basis, deal on own account, or are authorised to hold client monies or assets; and third-country branches of the above.

However, the CBI has noted in its Consultation Paper 153 (CP153) that "there is much in the spirit of the SEAR that firms not initially failing within scope should consider as aligned with good quality governance". RFSPs which are not in Phase 1 of SEAR should therefore consider the presence of the new regime and whether it may be appropriate to comply with the spirit of SEAR by ensuring that individual responsibilities for senior managers are mapped and clearly allocated across the firm's senior management. This is to ensure that it is very clear who is individually accountable for what and in order to ensure that the business and its risks are being properly managed.

Business Standards

The 2023 Act provides for the ability of the CBI of Ireland (CBI) to prescribe the "Business Standards" for the purposes of ensuring that in the conduct of its affairs a firm:

1. acts in the best interests of customers and of the integrity of the market;
2. acts honestly, fairly and professionally; and
3. acts with due skill, care and diligence.

The Business Standards are obligations which apply to the RFSP.

Protected Disclosures Legislation – Whistleblowing

The Protected Disclosures Act 2014 as amended provides that all employers (with 50 or more employees) and most RFSPs regardless of head count (including MiFID firms, UCITS management companies, AIFMs, externally managed UCITS and externally managed AIFs)  have and maintain secure, confidential and effective internal reporting channels and investigation procedures that comply with its requirements. Employees and other workers, including INEDS and NEDS as well as contractors have significant anti retaliation protection in connection with making a protected disclosure. Employers are required to appoint a designated person to acknowledge a report within 7 days, make diligent inquiries and to follow up with the reporter within three months in relation to the progress/outcome of the investigation. The Central Bank (Supervision and Enforcement) Act, 2013 as well as the European Union (Market Abuse) Regulations, 2016 set out whistleblowing requirements for in scope employees and anti retaliation protection.

In the UK, there are two main regulators responsible for the supervision of financial institutions. These are:

• The Prudential Regulation Authority (the PRA) – The PRA supervises over 1,500 financial institutions, including banks, building societies, credit unions, insurance companies and major investment firms. It creates policies for these institutions to follow and watches over aspects of their business.
• The Financial Conduct Authority (the FCA) – The FCA regulates the conduct of approximately 50,000 firms, prudentially supervises 48,000 firms, and sets specific standards for around 18,000 firms.

Some financial institutions are regulated by both the PRA and FCA (dual-regulated). Those financial institutions must comply with rules set down by the PRA in its rulebook (the PRA Rulebook) and by the FCA in its handbook (the FCA Handbook). Other firms are regulated solely by the FCA (solo-regulated) and must comply with the FCA handbook alone. Different rules can apply depending on the nature and size of the firm. The PRA and FCA work closely on certain issues and firms, but the FCA focuses specifically on ensuring fair outcomes for consumers.

The Senior Managers and Certification Regime (SM&CR) sets out how the UK regulators oversee people in businesses supervised and regulated by them, and how those people must act. As the FCA has summarised, “The SM&CR aims to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence” (https://www.fca.org.uk/firms/senior-managers-certification-regime).

SM&CR consists of three elements:

• The Senior Managers Regime (SMR) – This applies to the most senior people in a firm (senior managers) who perform one or more senior management functions (SMFs). These functions are specified in the PRA Rulebook and the FCA Handbook. Senior managers must be pre-approved by the PRA or FCA before starting their roles. Each senior manager must also have a “Statement of Responsibilities” (that sets out what they are responsible and accountable for), which may include (depending on the firm) certain responsibilities prescribed by the regulator known as “Prescribed Responsibilities”. Every year, senior managers must be certified as fit and proper to carry out their role by their firm.
• The Certification Regime (CR) – This applies to employees who, because of their role, could pose a risk of significant harm to the firm or its customers, such as employees who offer investment advice (certified staff). For solo-regulated firms, these roles are generally called certification functions. Firms must certify that these employees are fit and proper for their roles both at the outset of their employment and continuously.
• The Conduct Rules – The Conduct Rules set minimum standards of individual behaviour in financial services in the UK. They apply to almost all employees of a firm. They also include particular rules applicable only to senior managers.

Certain parts of SM&CR apply to particular firms only. This is outside the scope of this note, which sets out the general position under SM&CR.

RFSPs must satisfy themselves that all CF and PCF candidates or employees comply with the F&P Standards. Pre-employment due diligence must be performed, including asking the candidate to certify they will comply with the F&P Standards and notify the RFSP immediately of any change in circumstance that may mean they no longer comply. Employers must continue to ensure that in scope employees comply with the F&P Standards and must complete an annual declaration to this effect. This means that due diligence must continue throughout the employment relationship and not just at the recruitment stage.

Candidates for PCF roles must complete an online individual questionnaire, which is submitted to the CBI in advance of appointment to the role through the Central Bank portal. The CBI must grant its approval for the PCF appointment before a candidate can take up the role. Any PCF offer of employment must be conditional on that approval being obtained. The CBI may request applicants attend an interview as part of the approval process.

Employers should take all reasonable steps to secure references from previous employers in order to due diligence the candidate's compliance with the F&P Standards and their suitability for the role. However, an employer is not obliged to issue a reference in respect of a former employee which means that a prospective employer may not be able to secure a reference from a previous employer.  The CBI does not oblige employers to either issue or obtain a reference as part of screening checks, however employers must make good efforts to do so.

There are material obstacles from a data privacy and practical perspective to employers conducting criminal background checks in relation to prospective employees. Data relating to criminal convictions is special category data under the GDPR. Employers would need to satisfy both Article 6 and Article 9 requirements under the GDPR to justify the processing of this data. In terms of Article 9, this means employers would need to show reasons of substantial public interest or that they are carrying out their legal obligations in processing the data.  In terms of Article 6 the employer will need to show that the processing is necessary to comply with a legal obligation to which the employer is subject or the processing is necessary for the employer's legitimate interests for example to ensure the suitability and honesty of its employees and to protect its reputation. Employers are also prevented from asking candidates about "spent convictions" which are usually minor criminal offences dating back over seven years.

Pre-employment medical checks must also have a clear legal basis justifying the processing of an employee's medical and health information.

For employees subject to the SMR, anyone performing an SMF must be pre-approved by the relevant regulator before they can start their role. Generally, firms that wish to employ a senior manager must first carry out sufficient due diligence to satisfy themselves that the candidate is a fit and proper person to perform their proposed functions. In this regard, firms must consider the individual’s qualifications, training, competency and personal characteristics. The firm must also carry out a criminal records check. They may then apply to the relevant regulator for that candidate’s pre-approval. In the firm’s application, all matters relating to the candidate’s fitness and propriety must be disclosed. The firm must also enclose a statement of that individual’s proposed responsibilities and (depending on the firm) the latest version of the firm’s management responsibilities map.

For employees subject to the CR, before the appointment and annually thereafter, these employees must be certified by the employing SM&CR firm as being fit and proper. Certification does not involve pre-approval by the FCA or PRA.

Additionally, firms must comply with the regulatory reference rules for all candidates subject to either the SMR or CR before their employment. These rules require employing firms to request a regulatory reference from all previous employers covering the past six years of employment. Information must be shared between regulated firms using a particular template, which includes information relevant to assessing whether a candidate is fit and proper. Firms are also expected to retain records of disciplinary and fit and proper findings going back six years for their employees (or longer for findings of gross misconduct), and they must update regulatory references that they have previously given where new significant information comes to light that would impact the content of a previously given regulatory reference.

The following documents should be in place:

• written statement of terms of employment e.g., a written contract of employment that complies with the Terms of Employment (Information) Act 1994-2014 and the European Union (Transparent and Predictable Working Conditions) Regulations 2022;
• grievance and disciplinary policy;
• protected disclosures policy;
• dignity at work policy (anti-harassment and bullying prevention);
• safety statement; and
• where possible, an employee handbook that details all the statutory leave policies and other bespoke policies of the RFSP.

As a matter of general UK employment law, employers must give employees written particulars of certain terms and conditions of employment. This is known as a “section 1 statement” after section 1 of the Employment Rights Act 1996, which sets out the mandatory information that employers must give to employees no later than the first day of their employment. This includes fundamental information such as the names of the employer and employee; the date of commencement of employment; the rates and timing of pay; and working hours. Other prescribed particulars (such as information regarding pensions, collective agreements and training) can be provided to employees in instalments within two months of commencement of employment. Typically, a written employment contract will contain the relevant information to satisfy these requirements.

Financial services employers should ensure that, in addition, their employment contracts reinforce the requirements of SM&CR. This will help the employer manage the employment relationship in a manner compliant with SM&CR and demonstrate to the relevant regulators the employer’s commitment to compliance with SM&CR. The employment contract will usually include, therefore, additional provisions regarding the completion of SM&CR-compliant background checks; confirmation of the employee’s regulated function (eg, their SMF or certification function); required regulatory standards of conduct; cooperation with fitness and propriety assessments; and tailored termination events.

In addition, all senior managers must have a statement of responsibility setting out their role and responsibilities. Certain firms must also allocate certain regulator-prescribed responsibilities (prescribed responsibilities) among senior managers. It is common to set out a senior manager’s regulatory responsibilities in their employment contract.

Dual-regulated firms must also ensure that individuals approved to carry out a PRA-designated SMF are subject to any specific contractual requirements required by the PRA. For example, depending on the type of firm, a firm may be required to ensure that the relevant individual is contractually required to comply with certain standards of conduct, such as to act with integrity and with due care and skill (among other requirements).

Yes, under the Minimum Competency Regime (see question 1), employees who perform certain prescribed functions and roles in prescribed RFSPs such as insurance businesses and credit unions, must meet the required competencies and qualifications standards.

The 2023 Act also introduces a new requirement that persons can only be permitted to perform a CF role (including a PCF role) where a certificate of compliance with the F&P Standards given by the firm is in force (Certification Regime).

As part of the Certification Regime, a certificate of compliance may only be given if:

1. the firm is satisfied on reasonable grounds that the person complies with the F&P Standards; and
2. the person has agreed to abide by the F&P Standards and to notify the firm without delay if for any reason they no longer comply with the F&P Standards.

See question 2.

All individuals performing an SMF, as classified by the FCA or PRA, will be subject to the SMR. SMFs are described in the Financial Services and Markets Act 2000 (FSMA) as functions that require the person performing them to be responsible for managing one or more aspects of a firm’s affairs authorised by the FSMA, and those aspects involve, or might involve, a risk of serious consequences for the firm or business or other interests in the UK. As noted, any individual performing an SMF will need to be pre-approved by the relevant regulator before they can start their role, and thereafter they must be certified as fit and proper by their firm annually. Applications to the regulator for pre-approval must disclose all matters relating to a candidate’s fitness and propriety and be accompanied by a statement of responsibilities. Firms must carry out a criminal records check as part of the application for approval.

Additionally, employees of firms who are not senior managers but who, because of their role, could still pose a risk of significant harm to the firm or any of its customers, may be subject to the CR. The certification functions that place an employee within the ambit of the CR are different under the rules of the FCA and the PRA but include persons such as those dealing with clients or those subject to qualification requirements. These employees must be certified by their firm as fit and proper for their roles both at the outset of their employment and on an annual basis thereafter (certified staff). Firms are not required to carry out criminal records checks for certified staff, but firms can choose to do so to the extent it is lawful.

The regulators have set out detailed guidance for firms to consider when assessing an individual’s fitness and propriety. This includes assessing an individual’s honesty, integrity and reputation; competence and capability; and financial soundness.

Yes. Common Conduct Standards and Additional Conduct Standards were introduced by the 2023 Act and employers need to update employees' contractual documents to reflect same.

The Common Conduct Standards set out standards of behaviour expected of individuals carrying out Controlled Functions (CFs) within firms. The Common Conduct Standards are basic standards such as acting with honesty and integrity with due skill, care and diligence and in the best interest of customers. An individual that is subject to the Common Conduct Standards will be expected to take reasonable steps to ensure that the Common Conduct Standards are met.

In addition, senior executives, which includes individuals performing PCF roles (e.g. the directors, designated persons) and other individuals who exercise significant influence on the conduct of a firm's affairs (CF1) will also have Additional Conduct Standards related to running the part of the business for which they are responsible. An individual who performs a PCF/CF1 role should take reasonable steps to ensure that the Additional Conduct Standards are met.

When SEAR comes into effect, those performing senior executive functions will be required to have detailed statements of responsibility setting out the scope of their role. The Duty of Responsibility which the PCF will have under SEAR is extensive. The duty extends to taking any step that is reasonable in the circumstances to avoid a breach by their firm of its obligations in relation to an aspect of the firm's affairs for which the PCF is responsible.

There are a number of General Prescribed Responsibilities that will need to be assigned to PCFs:

(a)   Performance by the Firm of its obligations under SEAR

(b)   Performance by the Firm of its obligations under the F&P framework

(c)   Performance by the Firm of its obligations under the new Conduct Standards

(d)   Responsibility for overseeing the adoption of the firm’s policy on diversity and inclusion.

Every senior manager under the SMR has a “duty of responsibility” concerning the areas for which they are responsible. If a firm breaches a regulatory requirement, the senior manager responsible for the area relevant to the breach could be held accountable for the breach if they failed to take reasonable steps to prevent or stop the breach.

In addition, for most firms, the FCA requires that certain responsibilities – “prescribed responsibilities” – are allocated to appropriate senior managers. These responsibilities cover key conduct and prudential risks. They include, among others, responsibility for a firm’s performance of its obligations under the SMR; responsibility for a firm’s performance of its obligations under the CR; and responsibility for a firm’s obligations around conduct rules training and reporting. Firms must give careful thought to the best person to allocate each prescribed responsibility.

No.

The FCA maintains a public list of authorised firms and the activities for which each firm has permission. This list is known as the Financial Services Register. The register also includes a directory of certified and assessed persons working in financial services – this includes for each firm (as applicable) senior managers; certified staff; directors (executive and non-executive) who are not performing SMFs; and other individuals who are sole traders or appointed representatives.

Firms are responsible for keeping the directory up to date. Firms must report certain information to the FCA about persons included in the register and directory, including information on an individual's role, their workplace location, and the types of business they are qualified to undertake. The FCA provides guidance and Q&As to assist firms with navigating the register and directory.

There are prescriptive, sector-specific requirements, which apply to the remuneration of specified categories of employees or directors, and which apply in the asset management, investment services, banking, and insurance sectors.

Employers in these sectors are tasked with ensuring that the remuneration paid to material risk takers (individuals whose professional activities have a material impact on an RFSP's risk profile) or identified staff align with the RFSP risk profile.

There are detailed rules with technical guidance (emanating from EU law) specific to each sector, but at a high level they (to differing degrees) set out rules on; variable remuneration composition, ratios or other metrics to compare variable to fixed remuneration to ensure it is appropriate; malus requirements, which would allow the RFSP to cancel or reduce the employee's variable remuneration before it is paid out; and clawback provisions which allow RFSPs to recover variable remuneration after it has been awarded. It is important to ensure that employees' contracts of employment acknowledge that any variable remuneration will be subject to all regulatory restrictions and rules and may be clawed back in certain circumstances.

The CBI's 2014 Guidelines on Variable Remuneration Arrangements for Sales Staff also emphasise the importance of remuneration structures to have sufficient deterrents built into them (such as malus and clawback mechanisms) to avoid incentivising undesirable/risky behaviours from sales staff in the banking, insurance and investment services sectors.

The remuneration of financial services employees working at certain firms (such as banks, building societies, asset managers and investment firms) is heavily regulated. The relevant rules can be found in various FCA “Remuneration Codes” (each Code tailored to different firms) and also (for dual-regulated firms) in specific remuneration parts of the PRA Rulebook and directly applicable retained EU law.

The remuneration rules are complex and their application is dependent on each firm. The key principle of the rules, however, is that firms subject to them must ensure that their remuneration policies and practices are consistent with and promote sound and effective risk management.

Some elements of the rules apply to all staff, whereas others apply only to material risk-takers within a particular firm.

By way of a snapshot, the rules generally cover such matters as:

• the appropriate ratio between fixed pay and variable pay, to ensure that fixed pay is a sufficiently high proportion of total remuneration to allow for the possibility of paying no variable pay;
• the amount of any discretionary bonus pool, which should be based on profit, adjusted for current and future risks, and take into account the cost and quantity of the capital and liquidity required;
• performance-related bonuses, which should be assessed based on a variety of factors, including the performance of the individual, the relevant business unit and the overall results of the firm;
• restrictions on guaranteed variable pay and payments on termination of employment; and
• malus and clawback requirements.

Yes. A CF employee, subject to the Minimum Competency regime, will be required to complete CPD training. Evidence of meeting that CPD requirement is also a factor in determining a person's F&P. RFSPs must maintain records of CPD training provided to CFs to demonstrate compliance with the minimum competency regime.

The 2023 Act also introduces new training obligations for those subject to the Common and Additional Conduct Standards, with firms being required to train those persons on how these obligations apply to them and their new duties of responsibility. Attendance at, or completion of, training in respect of the Conduct Standards should be mandatory and such attendance should be carefully documented with refresher training rolled out periodically.

Employers within the scope of the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 - 2021 (including RFSPs) are required to provide annual training to relevant staff and directors on its requirements and the RFSP must have procedures in place to comply with that legislation and associated guidance.

Depending on the RFSP's business, additional mandatory training may be needed annually, for example, on topics such as market abuse.

The designated person for responding to protected disclosures should be trained and competent in the identification and handling of protected disclosures.

The PRA and FCA training and competence regimes set the minimum standards that must be achieved by individuals working in the financial services industry. These regimes aim to ensure that authorised firms have arrangements in place to satisfy themselves that their employees are competent.

All FSMA-authorised firms are required to have adequately trained and competent senior management and employees. The training and competence requirements include:

• Threshold conditions on suitability – All firms must show that persons connected with the firm are fit and proper, taking into account all the circumstances. When assessing the suitability threshold of an employee, the FCA and the PRA will consider:
  • the nature of the regulated activity the firm carries on or is seeking to carry on;
  • the need to ensure that the firm's affairs are conducted soundly and prudently;
  • the need to ensure that the firm's affairs are conducted appropriately, considering especially the interests of consumers and the integrity of the UK financial system; and
  • whether those who manage the firm's affairs have adequate skills and experience and act with probity.

• FCA Principles for Businesses or PRA Fundamental Rules – These rules lay out the parameters of the “fit and proper” standard set for firms in the threshold condition on suitability, and require firms to undertake the following:
  • recruit staff in sufficient numbers;
  • provide employees with appropriate training, with competence assessed continuously;
  • make proper arrangements for employees involved with carrying on regulated activities to achieve, maintain and enhance competence; and
  • train employees to pay due regard to the interests of a firm’s customers and treat them fairly.

• Competent employees rule in chapters 3 and 5 of the Senior Management Arrangement Systems and Controls Sourcebook – This is the main employee competence requirement in the training and competence regime under the FSMA and applies to individuals engaged in a regulated activity in UK-regulated firms. The application of this rule can be complex and dependent upon the firm and the activities it undertakes, but in general, it provides that firms must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.

• Detailed training and competence requirements in the FCA’s training and competence handbook (TC) – The TC rules are designed to supplement the competent employees rule, especially concerning retail activities carried on by firms. Among others, these rules include the following:
  • rules on assessing and maintaining competence;
  • supervision of employees who have not yet been assessed as competent;
  • appropriate qualifications; and
  • recordkeeping and reporting for firms within its scope, including how a firm assessed its employees as competent, and how it has ensured that its employees remain competent.

Yes there are. They are:

• the F&P Standards;
• the minimum competency regime; and
• the IAF and SEAR (see question 1).

There are also sector-specific conduct of business requirements in legislation and codes, including the Consumer Protection Code 2012, the MiFID II regime, and other regulatory requirements applicable to RFSPs based on their industry sector that apply and deal with matters such as:

• error handling,
• disclosures to customers,
• acting in the best interests of customers; and
• complaints handling.

Yes. Both the FCA and PRA have established their own high-level required standards of conduct known as the Conduct Rules. The FCA’s conduct rules are set out in the FCA’s Code of Conduct sourcebook. The PRA’s conduct rules are set out in the PRA Rulebook (and different versions apply to different types of PRA-regulated firms).

The FCA’s conduct rules apply to most individuals working at an SM&CR firm. The PRA’s conduct rules apply to more limited individuals working at dual-regulated SM&CR firms: senior managers (approved by the PRA or FCA); individuals within the PRA’s certification regime; key function holders; and non-executive directors.

The Conduct Rules apply to conduct relating to the carrying out of an individual’s role. They do not extend to conduct within an individual’s private life, provided that the conduct is unrelated to the activities they carry out for their firm. Nevertheless, an individual’s behaviour outside of work can still be relevant to the separate consideration of their fitness and propriety.

There are two tiers of Conduct Rules: a first tier of rules applicable to all individuals subject to the Conduct Rules; and a second tier applicable to senior managers only.

The rules of the first tier are:

• Rule 1 – You must act with integrity.
• Rule 2 – You must act with due skill, care and diligence.
• Rule 3 – You must be open and cooperative with the FCA, PRA and other regulators.
• Rule 4 – You must pay due regard to the interests of the customer and treat them fairly.
• Rule 5 – You must observe proper standards of market conduct.

The rules of the second tier (applicable to senior managers) are:

• SC1 – You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
• SC2 – You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
• SC3 – You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
• SC4 – You must disclose appropriately any information for which the FCA or PRA would reasonably expect notice.
• SC5 (certain dual-regulated firms only) – When exercising your responsibilities, you must pay due regard to the interests of current and potential future policyholders in ensuring the provision by the firm of an appropriate degree of protection for their insured benefits.

Firms must notify the FCA if they take disciplinary action against an individual for a breach of the Conduct Rules.

The CBI expects RFSPs to be open and transparent in their engagement, including concerning compliance with the F&P Standards and the Common Conduct Standards. While early versions of the IAF regulations and related guidance contained an obligation on a RFSP to report to the CBI if disciplinary action had been taken against an individual, the obligation was removed from the latest version of the draft legislation. The Guidance indicated that the CBI would expect that they would have already received relevant details as it provides that firms and persons performing PCF roles are required to report to the CBI where they suspect that a "prescribed contravention" may have occurred for the purposes of the CBI legislative framework and the CBI states that a breach of the Common Conduct Standards and/or Additional Conduct Standards is a "prescribed contravention" for these purposes.

Yes. There are multiple potential reporting obligations with various timing imperatives. We include below a snapshot of some of the key obligations:

• under FCA Principle 11, firms have a general duty to inform the FCA of matters about which it would reasonably expect notice;
• a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that a matter which could have a significant adverse impact on the firm’s reputation has occurred, may have occurred or may occur in the foreseeable future;
• a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that a significant breach of a rule (including a significant breach of a Conduct Rule) has occurred, may have occurred or may occur in the foreseeable future; and
• a firm must also notify the FCA if it takes disciplinary action against an individual for a breach of the Conduct Rules. Where the relevant individual is a senior manager, the notification must be made within seven business days. Where the relevant individual is certified staff, the notification must be made in the firm’s annual reporting.

Yes. Concerning the prevention of wrongdoing, RFSPs should implement a written protected disclosures/whistleblowing policy that explains the secure and confidential internal and external reporting channels available to workers who wish to report relevant wrongdoings. The anti-retaliation protection should be explained and workers should understand from the policy how a report of relevant wrongdoing will be dealt with by the RFSP.

RFSPs should ensure that they have clear, up-to-date and fully compliant policies governing:

• dignity at work (including anti-harassment and anti-bullying measures); and
• grievance and disciplinary policies.

RFSPs should ensure that employees are trained on the RFSP's dignity at work (anti-bullying and harassment) policies to ensure that the RFSP's values, culture and commitment to preventing harassment and bullying are clear regarding their rights and obligations.

Whistleblowing

In addition to the requirements of the SM&CR outlined above which relate to the prevention of wrongdoing (including the Conduct Rules, fitness and propriety assessments, Senior Managers’ Duty of Responsibility, the certification and approvals processes and associated training requirements), the PRA and the FCA maintain rules on whistleblowing. These are intended to encourage whistleblowers to come forward to report wrongdoing and protect them from retaliation when they do.

For certain types of SM&CR firms, the rules mandate measures that employers must implement, for others they provide guidance on measures to consider.

The key measures are as follows:

• Whistleblowers’ champion – a non-executive director and senior manager with responsibility for whistleblowing compliance within the firm, including oversight of internal policies and procedures and certain reporting requirements.

• Whistleblowing channel – a system which allows whistleblowers to report concerns confidentially and anonymously, and which allows such concerns to be assessed, addressed, and escalated where appropriate.

• Notification regarding external whistleblowing channels – that is, making staff aware of their right to report matters directly to the PRA and FCA and explaining how they can do so.

• Whistleblowing training – this must cover arrangements on whistleblowing within the firm and be provided (and tailored) to employees based in the UK, their managers, and employees responsible for operating the firm’s whistleblowing arrangements.

Prevention of harassment

Harassment and related unacceptable workplace behaviours (such as bullying and discrimination) are not specifically addressed in the SM&CR rules on individual accountability. However, it is clear from regulators’ public statements that the culture of firms (in its broadest sense) is central to their approach. Having a healthy firm culture is seen as critical to consumer protection and well-functioning markets, and firms with healthy cultures are considered to be less prone to misconduct.

Firms that are subject to the SM&CR need to be alive to the possibility that instances of harassment and other non-financial misconduct could amount to breaches of the individual accountability regime or trigger certain requirements under it, such as a requirement to investigate, reassess an individual’s fitness and propriety, or notify certain matters to the regulators. The same could apply to any failure by relevant staff to investigate and deal appropriately with allegations of this kind, such as a senior manager who turns a blind eye to reports of sexual harassment or workplace bullying. While there have been relatively few instances of non-financial misconduct resulting in an enforcement action to date, this is likely to become an emerging trend.

Where possible it is important to try to resolve any outstanding issues that a PCF has or may have before the PCF's contract is terminated. An RFSP is required to give details of the circumstances of a PCF's termination of employment and to confirm whether or not there are outstanding issues regarding the PCF.

It is important to ensure that there are adequate provisions to govern the following in any settlement agreement or termination arrangements:

• adequate handover of operational responsibility;
• continued co-operation on operational matters within the employee's knowledge or in relation to matters that may subsequently be investigated by the CBI;
• secure return of all company property including any personal data; and
• post-termination confidentiality obligations and any other necessary post-termination restrictions.

Settlement agreements

The whistleblowing measures outlined above are complemented by mandatory requirements for SM&CR firms concerning settlement agreements, namely that any such agreement must include a term stating that it doesn’t prevent the individual from making a protected disclosure, and must not require the individual to warrant that they have not made a protected disclosure or that they do not know of any information which could lead to them doing so (a “protected disclosure” is a type of disclosure recognised in English employment law that gives the person making it legal protection from retaliatory detrimental treatment).

SM&CR firms entering into settlement agreements must also ensure that they are not drafted in a way that is incompatible with other relevant regulatory requirements. For example, there is a specific prohibition in the FCA Handbook on firms entering into any arrangements or agreements with any person that limit their ability to disclose information required by the regulatory reference rules (see question 2). As such, terms relating to confidentiality and the provision of employment references should allow the firm sufficient flexibility to comply with regulatory reference requirements, which could include a requirement to update such a reference. In addition, any obligations of confidentiality should include a carve-out to permit relevant regulatory disclosures and reports.

Handover procedures

The SM&CR includes requirements designed to ensure that adequate handovers take place between outgoing and incoming senior managers. Firms must take all reasonable steps to ensure that senior managers (and anyone who has management or supervisory responsibilities for them) have all the information and material that they could reasonably expect to have to perform their responsibilities effectively and under the requirements of the regulatory system. This applies when someone becomes a senior manager and when an existing senior manager takes on a new job or new responsibilities (or when their responsibilities or job are being changed).

Firms must have a handover policy in place to ensure compliance with these requirements. They must also make and maintain adequate records of steps taken to comply with them.

The information and material handed over should be practical and helpful, with an assessment of what issues should be prioritised, and judgement and opinion as well as facts, figures and records. It should also include details about unresolved or possible regulatory breaches and any unresolved concerns expressed by the FCA, the PRA or any other regulatory body.

The format and arrangements of a handover should allow for an orderly transition, which should include the outgoing senior manager contributing to the handover everything that it would be reasonable to expect them to know and consider relevant, including their opinions. This could be achieved by requiring outgoing senior managers to prepare a handover certificate, but the FCA recognises that this will not always be practical.

To ensure that these requirements are satisfied, it is good practice to include in senior managers’ employment contracts (and settlement agreements) specific obligations relating to handovers.

Reallocating senior managers’ responsibilities

In addition to ensuring that adequate handovers take place between outgoing and incoming senior managers, firms should also ensure on the departure of a senior manager that their responsibilities are reallocated and that this is recorded in a way that is compliant with relevant regulatory requirements. This may include temporary reallocation to one or more existing senior managers where the replacement does not take over immediately on the departure of the departing senior manager, as well as updating the firm’s management responsibilities map and statements of responsibilities.

Reporting requirements

When an individual ceases to perform an SMF, the firm must generally notify the relevant regulatory within seven business days.

SM&CR firms must notify the relevant regulators if certain types of disciplinary action are taken, which can include dismissal – see question 10.

No there are no bespoke rules that apply. Post termination restrictions in Ireland are void as being in restraint of trade unless it can be shown that the restrictions are necessary to protect an employer's legitimate proprietary interest and they are proportionate and reasonable in their scope and duration to achieve that protection[i].

[i] Law as of 15 April 2024

The SM&CR does not regulate the use of post-termination restrictive covenants for employees in the financial services sector. It is fairly typical for financial services firms in the UK to include non-dealing, non-solicitation, non-compete and similar restrictive covenants in their employment contracts. These are subject to the same common law rules on interpretation and enforceability as in any other sector. The only caveat to this is that firms should ensure that such terms do not include any provision that might conflict with the regulatory duties of either the firm or the employee. This will be a rare occurrence in practice for most types of restrictive covenant, but could arise in respect of post-termination contractual obligations that are closely associated with restrictive covenants, namely those relating to confidentiality. As such, firms should ensure that confidentiality clauses in employment contracts or other agreements such as NDAs include appropriate carve-outs.

Yes. It is possible to use NDAs in Ireland and it is quite common for them to be used, but there are some limitations on their use and enforceability.

Certain mandatory reporting obligations will override a contractual non-disclosure agreement, such as the requirement for PCFs under section 38(2) of the CBI (Supervision and Enforcement) Act 2013 to disclose certain matters to the CBI.

Further, an NDA cannot extinguish an employee's right to anti-retaliation protection where the employee makes a protected disclosure either internally or externally under the Protected Disclosures Act 2014 - 2022.

NDAs (also known as confidentiality agreements) are potentially lawful and enforceable in the UK. It is common to include NDAs in employment contracts (to protect the confidential information of the employer during and after employment) and in settlement agreements (to reiterate existing confidentiality obligations and to keep the circumstances of the settlement confidential).

NDAs do not need to follow a particular form, but they must be reasonable in scope. Following #MeToo, there has been considerable government, parliamentary, and regulatory scrutiny of the use of NDAs and their reasonableness in different circumstances.

The following limitations on NDAs should be noted:

• By law, any NDA purporting to prevent an individual from making a “protected disclosure” as defined in the Employment Rights Act 1996 (ie, blowing the whistle about a matter) is void.

• The regulatory body for solicitors in England and Wales, the Solicitors Regulation Authority (SRA), has issued a detailed warning notice and guidance to practitioners setting out – in its view – inappropriate or improper uses of NDAs. Failure to comply with the SRA’s warning notice may lead to disciplinary action. The SRA lists the following as examples of improper use of NDAs:

• • using an NDA as a means of preventing, or seeking to impede or deter, a person from:
    • cooperating with a criminal investigation or prosecution;
    • reporting an offence to a law enforcement agency;
    • reporting misconduct, or a serious breach of the SRA’s regulatory requirements, to the SRA, or making an equivalent report to any other body responsible for supervising or regulating the matters in question; and
    • making a protected disclosure;
    • using an NDA to influence the substance of such a report, disclosure or cooperation;
    • using an NDA to prevent any disclosure required by law;
    • using an NDA to prevent proper disclosure about the agreement or circumstances surrounding the agreement to professional advisers, such as legal or tax advisors, or medical professionals and counsellors, who are bound by a duty of confidentiality;
    • including or proposing clauses known to be unenforceable; and
    • using warranties, indemnities and clawback clauses in a way that is designed to, or has the effect of, improperly preventing or inhibiting permitted reporting or disclosures being made (for example, asking a person to warrant that they are not aware of any reason why they would make a permitted disclosure, in circumstances where a breach of warranty would activate a clawback clause).
       
• The Law Society of England and Wales, a professional association representing solicitors in England and Wales, has issued similar guidance (including a practice note) on the use of NDAs in the context of the termination of employment relationships.
• Other non-regulatory guidance on the use of NDAs has also been issued, including by the Advisory, Conciliation and Arbitration Service and by the UK Equality and Human Rights Commission.

Care should be taken accordingly to ensure that the wording of any NDA complies with prevailing guidance, especially from the SRA.