ICAEW.com works better with JavaScript enabled.

Staying fit and proper

Archived content

This page has been archived because it is no longer current information but is still relevant, or it is current but over 12 months old
  • Publish date: 27 May 2016
  • Archived on: 27 May 2017

Internal audit teams are being asked to provide assurance that regulated staff are properly certified. Charlotte Henry explains what’s expected

The new Certification Regime (CR) represents a significant shift in responsibilities from UK regulators to financial services firms, and auditors are at the frontline in ensuring a smooth transition. While senior managers will continue to be pre-approved by regulators, firms will be responsible for ensuring that a much wider pool of people, outside the scope of the Senior Managers Regime, are certified as “fit and proper”.

The CR has therefore added significantly to auditors’ responsibilities for providing independent assurance to the board. They must consider how to ensure the certification population has been identified correctly, how to test the certification process, and how to examine documentation and report their results to the board.

Accountability for the conduct of certified persons will ultimately lie with senior managers and board members, who will answer to the regulatory authorities. More than ever, however, they will want assurance that all reasonable steps have been taken to ensure the right people are in the right positions so they can effectively manage the risks to the business.

The certification population

It is important to establish the individuals that are captured by the CR to ensure that the firm correctly identifies all certified staff. A firm must ensure that no individual performs a “significant harm function” unless she or he has been certified as fit and proper.

The challenge for audit is to make sure that the correct individuals have been included within the population. This will require sufficient knowledge and understanding of how the UK regulators have interpreted Capital Requirements Directive IV, and an awareness of when an individual is considered as a ‘material risk taker’, as there is overlap with the remuneration rules. Otherwise, the final population could prove to be inaccurate.

This requirement could be evidenced by a formal note detailing the approach taken by the firm on why individuals are considered to be within the certified population along with a complete list of individuals.

Audit the documentation

At some point, individuals will decide to leave the firm and new individuals will be recruited, so the certified population will change. Therefore, the certified population list should be updated to properly record such changes. One of audit’s responsibilities will be to confirm that valid certificates are held for the entire certified population of the firm. This could be a challenge depending on the firm’s size and nature.

Testing the process

One role of the audit function will be to assess whether the process for certifying individuals is working effectively. To be effective in this role, audit must have a thorough understanding of the internal processes adopted by the firm for issuing a certificate in order to be able to determine whether that process has been followed.

The following factors could be taken into account, but it is not an exhaustive list:

  • Should the process for certification be reviewed? Across the market there have been different approaches taken. For example, some firms have decided that the most efficient approach is to include the certification process within their annual performance and appraisal process. However, firms who take this approach must ensure that appraisals are not delayed or postponed due to annual leave or other work commitments. Otherwise, there is a real risk that at the end of the year individuals may not be re-certified and so cannot continue with their role.
  • Does the responsibility of certifying staff sit with the right person or department?
  • Has the firm implemented proper systems and controls relating to record retention?
  • Are there procedures and policies for providing regulatory references from the previous employers?
  • Do certified individuals possess sufficient knowledge of the firm’s fitness and propriety policy?
  • Were there breaches? If so, were they handled appropriately and escalated to the audit committee or board if necessary?

Although it is not exhaustive, this list helps to illustrate the key areas of focus for audit. It is important that the fitness and propriety assessments are robust enough to highlight any areas of concern. Fitness and propriety assessments should include the following:

  • Honesty, integrity and reputation – this should be a review of criminal convictions, references from previous employers (within the last five years) and prior dealings with regulators;
  • Competences and capability – this should examine qualifications, experience and training; and
  • Financial soundness – this should consider unpaid judgement debts and filings for bankruptcy.

These assessments are similar to the previous Approved Persons regime, but the FCA and PRA have increased their focus on this area. Previously some errors and breaches of the Approved Persons regime could have resulted in an informal warning and caution. Now they will have to be dealt with via the formal certification process and should be taken into account when determining if an individual should be re-certified. For example, an individual who incorrectly claims expenses.

Audit the decision

The FCA and PRA will expect firms to be able to show compliance with the CR. This will also provide assurance to the board. Audit should review a selection of certificates and relevant processes to determine whether a person is fit and proper (against the firm’s fit and proper policy) which might be difficult as some of the elements are judgement-based elements. This could include a review of personnel and certification files along with individual interviews. However, if there is a variance in results these concerns should be recorded and escalated to the board.

Ensuring systems and processes are well designed and implemented consistently across large financial services organisations will require significant time and resources in the next year. Audit chiefs must ensure teams have the right training and support for a smooth transition to the new regime and to meet their ongoing obligations.