Individual accountability and the key considerations
The Senior Managers and Certification Regime (SMCR) and other comparable regimes across the globe
In the years following the 2008 financial crisis, financial services regulators in many jurisdictions have increased their scrutiny of individuals carrying out regulated functions.
Regulators have either introduced new or enhanced measures with the aim of driving higher standards of conduct. It has therefore never been more important for firms to understand the extent of the regulatory regimes to which they and their employees are subject.
The UK’s Senior Managers and Certification Regime (SMCR) is considered the most prescriptive and unified regime. Since its implementation in 2016, other common law jurisdictions have followed the UK’s lead.
In contrast, many of the regimes in civil law jurisdictions are based on multiple laws that have been in place for years and have been incrementally updated to take into account the increasing focus on individual accountability over the last decade. A reason for this may be that civil law codes seem not to suffer from the same ‘lack of law’ that drove the development of the SMCR in the UK, and similar regimes in other common law jurisdictions. It is hard to assess whether the accountability regimes in civil law jurisdictions were already more effective in holding individuals to account, or whether the regulators were or are simply not scrutinising the behaviours of individuals to the same extent.
Individual accountability is very much at the forefront of regulators’ agendas and will continue to be so for many years to come. We have seen from compiling this insight that the frameworks for holding individuals to account will continue to evolve as regulators review their scope.
Here you will be able to review aspects of individual accountability regimes across multiple jurisdictions, and how they compare to the SMCR in the UK.
“It is important for the industry to maintain a close watch on ever changing regulatory expectations”
Approvals Required
United Kingdom
Any individual performing a SMF needs FCA approval (and PRA approval depending on the SMF/combination of SMFs) before carrying out that function.
The FCA expects firms to satisfy themselves that the individual is fit and proper before seeking approval. Under the ‘12 week rule’, individuals can cover for absent SMFs without approval from the relevant regulator in some circumstances. Firms must certify individuals as fit and proper to carry out certification functions both before undertaking a SMF role and annually thereafter.
This includes considering how each SMF complies with the senior manager conduct rules (see below). Depending on the type of SMCR firm, there is a requirement for firms to make ongoing notifications to the FCA concerning the accuracy of the information about their certification staff, and that it is correctly reflected in the new FCA directory.
No upfront approvals are required from the German Federal Financial Supervisory Authority (BaFin) in order for individuals to hold positions in financial institutions, nor are the institutions required to attest to, or certify, an individual’s ‘fitness and propriety’ (or similar) to hold positions.
Germany
No approvals are required from either the Bank of Italy or Consob for individuals performing senior management roles. There are specific requirements for institutions to cover the positions of company representatives with those that meet certain standards set out in the TUB and TUF. The administrative and controlling bodies of the institutions are responsible for assessing the suitability of their members and the overall adequacy of the body.
Italy
Members of the board, managing directors (MD), general managers and, in some specific cases, those individuals holding other key positions require approval from the relevant regulator. Individuals must be assessed by the relevant regulator as suitable for the role.
In some cases a register of approved individuals is maintained by the relevant regulator (for example, ‘registry of senior executives’ in the BE for credit institutions; the register of MLROs in SEPBLAC, the Spanish anti-money laundering supervisor).
Spain
Approvals from the PFSA are required for certain members of managed boards of certain financial institutions. Applicable requirements depend on the sector of the financial market.
In relation to banks, certain members of the board, namely the chair and those in charge of supervising material risk in the bank’s activities, must be approved by the PFSA. Members of a bank’s management and supervisory boards should have knowledge, skills and experience relevant to their functions and duties, and give an adequate guarantee of due performance of their duties.
Banks must certify that those criteria are met. If a person performs a function without approval or against the decision of the PFSA, there are no criminal ramifications, but it would likely lead to regulatory sanctions being imposed on a bank.
Poland
The Central Bank is required to assess and approve those in senior management positions at banks and financial institutions operating in the UAE (UAE Federal Law no.14 of 2018 concerning the Central Bank, the Monetary System and the Organisation of Banking (Banking Law)).
The activities of senior management are ‘designated functions’ under the Banking Law, and are defined as functions of an influential nature on the relevant institution’s activities. A financial institution must submit an application to the Central Bank if it wants a particular individual to undertake a designated function. The Central Bank may reject an application if it determines that the individual is not ‘fit and proper’ for the relevant role.
UAE - Onshore
Any director, officer, employee or agent of an entity, body, government or state that has been licensed by the DFSA to carry out financial services in the DIFC (authorised firm), and who performs functions that require a licence pursuant to the DIFC Laws amendment no.1 (authorised individual) should be registered with the DFSA.
An authorised firm must investigate the individual’s fitness and propriety to carry out a ‘licensed function’, as set out in the DFSA rules and guidelines. The individual must satisfy the requirement that they are the ‘fit and proper’ person to carry out the role. The DFSA must be satisfied that the functions of each authorised individual’s role will be conducted in a sound and prudent manner. Once the authorised firm and DFSA are satisfied, an application form for authorised individual status must be completed and submitted through the DFSA.
UAE - DIFC
The FSRA requires that any director or executive officer of an authorised firm is assessed and approved by the regulator. Once approved, such individuals are known as ‘approved persons’. The authorised firms are accountable for recognising and approving customer facing staff and those who perform ‘recognised functions’. This includes senior managers, compliance officers and money laundering reporting officers.
UAE - ADGM
In September 2019, the SCB issued requirements for senior positions within the financial institutions that it regulates (the Requirements).
People in senior positions have been broadly defined in the Requirements as those who "take, propose and implement strategic decisions" and manage a financial institution’s business processes (Senior Position Holders). Before appointing a Senior Position Holder, a financial institution must apply to the SCB and receive a written non-objection from the SCB for each Senior Position Holder it wishes to appoint (or re-appoint in the case of some persons). The SCB may, in its absolute discretion, reject the appointment, or continuity of any Senior Position Holder of a financial institution. The Requirements provide a list of Senior Position Holders, which differs depending on the type of financial institution.
However, there are a number of common Senior Position Holders across all financial institutions including, but not limited to, the board of directors, the CEO, the Chief Compliance Officer, the Chief Risk Officer, and the Director of Internal Audit.
Furthermore, financial institutions must adopt policies and procedures to assess the fitness and propriety of Senior Position Holders. As a minimum, the fit and proper criteria include:
• honesty, integrity, good reputation and fairness;
• competence and capability (including academic qualifications, technical and financial experience) to perform the role; and
• the necessary independence to perform the role.
Saudi Arabia - SCB
The Central Bank may reject the appointment, nomination or continuity of any member of the Board of Directors of a financial institution (under Qatar Law No. 13 of 2012 (the Banking Law)). The Central Bank may also reject the appointment or renewal of a term of any of the senior employees or their authorised representatives.
The Banking Law does not define senior management. However it does contain directions to the relevant institution regarding senior management, such as the required level of experience for individuals.
In addition to the Banking Law, the Qatar Financial Markets Authority's (QFMA) Financial Services Book governs the approval of senior management and regulated function appointments. A financial institution must submit an application to the Central Bank and/or QFMA if it wants a particular individual to undertake a senior management and/or regulated function. Applications may be rejected if the Central Bank and/or QFMA determines that the individual for whom the application is being made is not fit for the relevant work.
Qatar - Onshore
There is no separate set of conduct rules within the Central Bank's laws and regulations. However, any individual licensed to undertake a regulated function may have his or her license revoked or suspended if they no longer meet the criteria of the Central Bank and/or QFMA.
The Central Bank and/or QFMA (as the case may be) determines whether a relevant person is 'fit and proper' to perform a particular role and considers, for example, the integrity, experience and financial soundness of the individual in question.
Qatar - Onshore
In August 2019, the SCB issued a Code of Conduct and Work Ethics (the Code) which lays out the minimum ethical conduct to be followed by all employees of financial institutions.
The Code covers a wide variety of topics ranging from AML, anti-bribery, conflicts of interests to confidentiality and disclosure mechanisms and compliance with laws, regulations and instructions.
Saudi Arabia - SCB
The FSRA General Rule Book expands on the conduct rules of approved persons. These include the requirement to act with due care and responsibility. Financial institutions must ensure the appropriate allocation of management responsibilities and are required to ensure that effective systems and controls are implemented. Furthermore, guidance on complaints handling, including acknowledgement and resolution of complaints, must be established.
UAE - ADGM
The licensed functions of an authorised individual are linked to an authorised firm’s management and/or its provision of services. Therefore, the DFSA requires authorised individuals to meet certain standards in relation to their experience, knowledge and qualifications. The licensed functions include senior executive officers, licensed directors, licensed partners, finance officers, compliance officers, senior managers, money laundering reporting officers or responsible officers/non-executive directors.
An authorised individual must abide by principles set out in the DFSA’s General Module (section 4.4). These include integrity, due skill, care and diligence, market conduct, relations with the DFSA, systems and controls, management and compliance.
UAE - DIFC
There is no separate set of conduct rules within the Central Bank’s laws and regulations. However, any individual licensed to undertake designated functions may have their license revoked or suspended if they no longer meet the criteria of the Central Bank.
UAE - Onshore
Board members of banks must have the knowledge, skills and experience relevant to their functions and duties, and give an adequate guarantee of due performance of their duties.
Poland
Financial institutions must have codes of conduct in force, applicable to all staff, as well as additional rules and requirements for those holding key positions (management body, general manager, etc.). These codes of conduct must include the standards set out in the EBA Guidelines (that is, guidelines on internal governance) and the requirements set out in Spanish and European legislation. However, there are no standardised models officially published by the regulators.
Spain
Compliance with provisions of the TUF and TUB is required for ‘persons performing administrative, management or control functions’ as well as ‘personnel’. ‘Personnel’ means ‘employees and those who, in any case, operate within the company by means of a relationship that determines their inclusion in the company organisation, even in a form other than an employment relationship’.
Italy
There are no specific conduct rules stipulated by legislation or BaFin for directors or employees of financial institutions. However, financial institutions must implement appropriate conduct and governance rules which are assessed by their auditors. BaFin can also initiate special audits and investigations if they suspect an institution has not implemented appropriate conduct and governance rules.
Germany
The Code of Conduct containing conduct rules is applicable to almost all those employed by firms falling within the regime, except for those who perform ‘ancillary’ functions not specific to financial services. ‘Senior manager conduct rules’ apply to those holding SMFs and include obligations for SMFs to disclose information of which the FCA or PRA would reasonably expect notice and to take reasonable steps to ensure:
1. that the business for which they are responsible complies with regulatory requirements; and
2. that any delegation of responsibilities is to an appropriate person.
Our online Conduct Rules training
Get in touch with our regulatory consulting team to find out more about our online training, which will:
• Help all staff understand the key tenets of the SMCR and underpin what individual accountability means and what good conduct looks like.
• Promote understanding of the Conduct Rules, how they apply to all relevant staff and Senior Managers and how to identify a breach.
• Increase understanding of the Certification regime and requirements for Senior Managers and Certified staff.
• Increase understanding of Duties of Responsibilities and Reasonable Steps expectations for Senior Managers.
• Ensure that firms can comply with FCA requirements and evidence that Conduct Rules training has been provided to all relevant staff and Senior Managers.
United Kingdom
Employee Conduct Rules
Remuneration
There is currently no legislation that allows the Central Bank and/or QFMA to target the remuneration of a senior manager for misconduct. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution itself taking actions affecting the remuneration of senior management.
Disciplinaries
If an employer takes disciplinary action against an employee then it must inform the relevant regulator.
Qatar - Onshore
The SCB may cancel the non-objection granted to a financial institution on the appointment or re-appointment (as the case may be) of a Senior Position Holder.
This is likely to occur if the SCB discovers:
1. that a Senior Position Holder has not cooperated in carrying out or neglected or omitted to carry out their duties;
2. any concealment, misrepresentation or misreporting of information as required under the Requirements; or
3. any violation or circumvention of the Requirements or any other instructions issued by the SCB (without prejudice to any statutory penalties that may apply towards the financial institution and the Senior Position Holder).
There is currently no legislation that allows the SCB to target the remuneration of a senior manager. However, the onus of monitoring and controlling any violations of the Code lies with a financial institution, which has to impose penalties for any violations of the Code by employees. Therefore, there is nothing expressly preventing a financial institution from taking action that could affect the remuneration of senior management in the event of a breach of the financial institution's code of conduct.
Saudi Arabia - SCB
Remuneration
There are no explicit provisions regarding how the remuneration of senior management will be affected if they breach the rules. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution taking actions affecting their remuneration.
UAE - ADGM
Remuneration
There are no explicit provisions regarding how the remuneration of a senior manager is to be affected if they breach the rules. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution taking actions affecting remuneration.
UAE - DIFC
Remuneration
There is currently no legislation that allows the Central Bank to target the remuneration of a senior manager. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution itself taking actions affecting their remuneration.
Disciplinaries
If an employer takes disciplinary action against an employee then it must inform the relevant regulator; the DFSA, ADGM and/or the Central Bank as appropriate.
UAE - Onshore
Remuneration
The individual accountability regimes do not explicitly deal with remuneration. Remuneration may be reduced for misconduct depending on the policies of the financial institution and the employment contract of the relevant individual (if the individual’s employment is not terminated).
The supervisory board of a bank must notify the PFSA of the composition of the management board and of any changes to it. Banks must conduct criminal record checks of candidates for positions on a management board.
Poland
Remuneration
Spanish regulation does not specifically provide for a reduction in remuneration or clawback in the case of misconduct. Internal disciplinary policies and an individual’s employment contract or commercial agreement with the relevant institution will govern this.
If the misconduct is defined by law, any individual within the company or external, such as a client, with knowledge of the breach of the rules is entitled to notify the regulator. Communications must be submitted by any means that provides proof of identity of the person communicating the breach.
If internal disciplinary action is taken against a senior manager, the financial institution is not obliged to notify the regulator. However, changes in senior management must be notified for approval purposes, without having to report the reason. Dismissal of an administrator/board member for misconduct does not need to be justified, as the labour legislation regarding dismissal does not apply. The dismissal of a general manager for misconduct can be considered ‘appropriate’ (and not subject to compensation) if justified and proven. Additionally, the general manager could be dismissed without a justified cause, but any such dismissal would be subject to indemnification.
Spain
There are no specific provisions in the individual accountability regime regarding employment implications. The fact of internal disciplinary proceedings (or lack thereof) is irrelevant to the regulators’ assessment of the appropriate sanctions. On the contrary, reports resulting from the application of the whistleblowing procedure could be relevant.
There are no specific provisions relating to remuneration for breaches of the regime. Reductions in remuneration are determined by the relevant employment contract and employment law.
Italy
Employment implications of misconduct are determined by the contract between the MD and institution. Directors and Officers (D&O) insurance policies can significantly mitigate the personal consequences of misconduct in the case of MDs. These policies usually cover liability for civil damages; regulatory sanctions are frequently excluded from cover, as are criminal sanctions.
Disciplinaries
Neither BaFin nor any other regulatory body needs to be informed if disciplinary action is taken against a director by the company.
Remuneration
Individual service/employment contracts usually contain bonus and clawback provisions relating to misconduct. If the company takes out an insurance policy to cover a board member against risks arising from their professional activity for the company, a deductible of at least 10% of the loss up to at least one and a half times the fixed annual remuneration of the board member must be provided for as an indemnity under the insurance policy (according to section 93, paragraph 3 of the German Stock Corporation Act).
Germany
Regulatory reference
Firms must obtain regulatory references for any individual they are considering:
1. appointing to carry out a SMF;
2. certifying as ‘fit and proper’; or
3. appointing as a board director.
Firms must provide regulatory references to other firms where the rules apply.
Disciplinaries
Where disciplinary action is taken because of a conduct rule breach, the firm must notify the FCA. For senior managers, the notification is required within seven working days.
For other individuals, the reporting occurs via annual reporting. Other notification requirements may also apply under rules outside the SMCR.
Remuneration
Disciplinary action taken by firms for breaches of the code of conduct may include a reduction in remuneration or clawback (depending on the circumstance and the malus/clawback provisions in the relevant employment contract).
Criminal record checks
Required for SMFs prior to initial approval by the FCA. Not required as part of annual assessment of fitness and propriety. Criminal record checks are not mandatory for certification functions but firms can, where legally permissible, carry out these checks.
United Kingdom
Employment Implications
The Central Bank and/or QFMA may suspend, withdraw, or revoke the authorisation issued to an individual undertaking a senior management and/or a regulated function via an official notice. This may occur in several circumstances including:
1. if the relevant individual ceased to meet, or breached one or more of the relevant regulator's criteria;
2. if the relevant individual violated any of Qatar's established laws and regulations or the regulations, rules, standards, or guidelines issued by the relevant regulator;
3. if the relevant individual was declared bankrupt; and
4. if the relevant individual refused to cooperate with the representatives of the Central Bank and/or QFMA, or failed to submit required information or records.
Criminal liability under the Penal Code for illegal actions, such as fraud, applies to all employees whether they hold senior management positions or not. The rules and regulations do not stipulate whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the relevant regulator.
Qatar - Onshore
Neither the Code, nor the Requirements, specify any criminal liabilities of senior management. However, violation of certain laws such as the Banking Control Law and the Anti-money Laundering Law can expose an officer of a financial institution not only to fines and removal from their post, but also to imprisonment.
Recently authorities in the KSA arrested 32 individuals on charges involving bribery and transferring cash sums outside the KSA amounting to SAR 11.6 billion. The authorities initiated criminal cases against bank employees who received bribes from an "organised gang", which consisted of a group of residents and businessmen, in exchange for depositing cash sums of unknown sources then transferring them outside the KSA.
Of the 32 individuals, 12 bank employees were arrested for their involvement in bribery, forgery, and exploiting the power of their position for illicit financial gain, commercial concealment, and money laundering.
The SCB's rules and regulations do not expressly state that senior management may or may not be indemnified for any fines or penalties imposed by it.
Saudi Arabia - SCB
If the FSRA considers that an approved person has breached any FSRA law or rules, it may suspend the approved person for a period it considers appropriate (Financial Services and Markets Regulations, 2015).
Criminal liability is not explicitly imposed by the FSRA. In circumstances where contravention of FSRA legislation or rules is of a more serious nature, the FSRA may seek to impose a fine by commencing proceedings before the ADGM court (civil proceedings).
There are no explicit provisions that define whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the regulator.
UAE - ADGM
If the DFSA considers that a person has breached a provision of any DFSA legislation or rules, it may impose a restriction preventing that person from performing any function in connection with the provision of financial services in, or from, the DIFC (articles 58 and 59 of the Regulatory Law). The time period of the restriction is within the DFSA’s discretion. A person may be suspended as the authority sees fit or, in serious circumstances, can be barred from practising within the jurisdiction.
Criminal liability is not explicitly imposed by the DFSA. In circumstances where contravention of DFSA legislation or rules is of a more serious nature, the DFSA may seek to impose a financial penalty by commencing proceedings before the Financial Markets Tribunal or the DIFC Court (civil proceedings).
There are no explicit provisions that define whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the DFSA.
UAE - DIFC
The Central Bank may suspend, withdraw, or revoke the authorisation issued to an individual undertaking designated functions via an official notice. This may occur in several circumstances including:
1. if the relevant individual ceased to meet, or breached one or more of the fit and proper criteria;
2. if the relevant individual violated any of the State’s established laws and regulations or the regulations, rules, standards, or guidelines issued by the Central Bank;
3. if the relevant individual was declared bankrupt; and/or
4. if the relevant individual refused to cooperate with representatives of the Central Bank, or failed to submit required information or records.
The Banking Law sets out various fines and prison terms for individuals who contravene its conditions and restrictions.
The rules and regulations do not stipulate whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the Central Bank.
UAE - Onshore
The PFSA has the power to dismiss the board member of a bank if he/she is convicted for an intentional (as defined in Polish criminal law) or fiscal offence (except for offences tried in a private prosecution), or for a failure to inform the PFSA of charges relating to such offences within 30 days of the charges being brought.
The PFSA also has the power to impose fines on the board members of banks if a bank:
1. fails to comply with recommendations issued by the PFSA in response to its conduct of business activity in contravention of law or the bank’s articles of association;
2. refuses to provide the PFSA with explanations and information when required; or
3. if irregularities are discovered in a bank’s activity relating to structured deposits.
There are no specific rules prohibiting the indemnification of senior managers by insurers for regulatory fines.
Poland
An infringement or a breach of conduct rules will be considered misconduct. Misconduct in financial services is dealt with by different sets of legislation and therefore can be assessed by different public authorities, specifically:
• for general corporate misconduct, such as failure to fulfil fiduciary duties, civil claims can be brought against an individual (the administrator/director responds for his/her misconduct). Claims can also be brought against the corporate (the company must respond for the misconduct) by creditors, stakeholders, third-parties affected, or by other directors or the company itself;
• in terms of a breach of rules in financial or securities market regulation, such as infringement of the suitability regime, the competent authority would be the CNMV, BE, the Ministry of Economy and/or the administrative jurisdiction; and
• infringements of the Criminal Code (Código Penal), such as money laundering or falsification of company’s accounts, are prosecuted under the criminal jurisdiction. In order to avoid criminal prosecution, most financial institutions publish a Criminal Compliance Handbook; the existence of an effective crime prevention programme can operate as a defence.
Administrative supervisors are able to take administrative actions and sanctions against senior managers, when:
1. they are responsible for the firm contravening the relevant legal requirements; and
2. if they do not implement the necessary steps/actions that a person in their position is expected to take in order to avoid these infringements from occurring (or continuing).
Sanctions
These can include financial penalties, suspension or removal of directors, or even prohibition orders preventing individuals from holding a board position in the future. A sanctions regime also exists in relation to third parties to whom credit institutions have subcontracted operational functions or activities.
Indemnification
Some liability policies could cover certain fines and sanctions. However, senior management cannot be indemnified by insurers if they commit a wilful ‘wrongful act’. As a result, D&O policies usually exclude cover for a fraudulent, criminal or intentional ‘wrongful act’.
Spain
The Bank of Italy and Consob can impose administrative or financial sanctions on financial institutions and individuals. This includes the power to prohibit individuals (either permanently or for a specific period of time) from holding certain functions in financial institutions and the power to publish an order censuring an individual for particular misconduct.
Pursuant to article 7, paragraph 2-bis and 2-ter, TUB, the Bank of Italy and Consob may remove one or more employees of financial institutions under their supervision in order to ensure the safe and prudent management of institutions or the transparency and fairness of their conduct.
Individuals cannot be indemnified by insurers for regulatory fines imposed upon them by Bank of Italy or Consob.
Italy
BaFin can impose sanctions (for example, fines) on, and take actions against, MDs directly, such as removing them from office and appointing a replacement. However, this happens very rarely and BaFin tends to take action against institutions rather than individuals.
MDs can be held liable for damages to their employer, but not to third parties for any deliberate or negligent misconduct. Liability for damages under German civil law can be very burdensome for MDs.
Section 93 of the German Stock Corporation Act and section 43 of the German Act on limited liability companies also foresee personal liability for MDs in case of personal misconduct. In extreme cases, such as market abuse, the criminal law applies.
Germany
Senior managers have a ‘duty of responsibility’ under the regime. The FCA and PRA are able to take enforcement action against senior managers if they are responsible for the management of any activities in relation to which their firm contravenes a ‘relevant requirement’, and the senior manager has not taken reasonable steps to avoid the contravention occurring (or continuing).
Senior managers of UK banks, building societies and PRA investment firms can be held criminally liable for the failure of their firm (the firm becoming insolvent) in certain circumstances.
The FCA can also take enforcement action against senior managers, certified persons and those subject to the code of conduct for breach of the conduct rules or for being ‘knowingly concerned’ in the breach of a ‘relevant requirement’. Sanctions available to the FCA include financial penalties, public censure, withdrawal of permission to hold a SMF and the power to impose prohibition orders.
All those within the scope of the SMCR (and more) can face criminal prosecution for financial crimes, such as market abuse.
Senior managers cannot be indemnified by insurers, or their employer, for any regulatory fines imposed upon them by the FCA for breach of FCA rules.
United Kingdom
Criminal, Civil and/or Regulatory Liabilities
There are no specific provisions assigning responsibility for whistleblowing or data protection to particular senior individuals.
That said, managers and employees of financial institutions, as well as experts, consultants and technicians assigned to perform functions for the relevant entity, are prohibited from disclosing any information or data on their customers, their accounts or deposits or transactions, unless such disclosure is legally authorised.
Qatar - Onshore
Data protection
Although there is no specific data protection law in the KSA, information relating to customers cannot be disclosed (and must be kept confidential) unless the disclosure is legally authorised.
In accordance with the Code, employees of financial institutions cannot disclose any information or data relating to their customers to other employees, the supervisory and control authorities, or external lawyers and/or advisors, except after obtaining the required approvals. In such cases, there must be a legitimate need to disclose the confidential information and the disclosure must not cause damage.
Whistleblowing
In August 2019, the SCB issued a Whistle Blowing Policy for financial institutions (the WBP). The WBP provides the minimum controls to be adhered to by financial institutions when receiving and processing violation reports.
Each financial institution is expected to prepare a whistleblowing policy that should (amongst other things):
1. encourage its employees and stakeholders to report any violation committed inside or outside the financial institution;
2. provide information on all channels for whistleblowing (including at minimum a direct telephone number, website, postal service, and e-mail address); and
3. protect whistleblowers against retaliation.
Financial institutions are also required to establish an independent administrative unit to receive and process violation reports and to report to the compliance department.
Saudi Arabia - SCB
Data protection
There is no explicit data protection responsibility for senior management. The ADGM has a data protection law that has general implications for licensed firms.
Whistleblowing
The FSRA does not have specific rules and/or regulations related to whistleblowing protection.
UAE - ADGM
The DFSA does not have specific rules or regulations relating to whistleblowing or data protection.
UAE - DIFC
There are no specific provisions assigning responsibility for whistleblowing or data protection to particular senior individuals.
UAE - Onshore
Data protection
The Polish individual accountability regimes do not explicitly cover data protection. Responsibility for data protection breaches is regulated by GDPR and other domestic legislation.
Whistleblowing
There are requirements for a senior manager to be responsible for whistleblowing. In relation to banks, one board member must be responsible for whistleblowing. Entities from certain sectors of the financial market (in particular banks and investment firms) must implement whistleblowing policies. In the case of banks, the articles of association must include a procedure for anonymous reporting of violations of the laws, internal regulations and ethical standards applicable to the bank. The procedure must provide protection for whistle-blowers against retaliation, discrimination and other potential instances of unfair treatment.
Poland
Data protection
There are no specific rules regarding accountability for administrators or senior managers under Spanish data protection law.
Whistleblowing
There are no requirements for a particular senior individual to be responsible for whistleblowing.
Financial institutions must implement and supervise whistleblowing procedures and channels.
Spain
Whistleblowing
In accordance with annex 4 of the Bank of Italy’s Regulation implementing articles 4-undecies and 6 of the TUF, dated 5 December 2019, and Circular no. 285 of 17 December 2013 (as subsequently updated), a ‘person responsible for internal reporting systems’ shall be appointed. This person ‘shall ensure the proper conduct of the process and shall report directly without delay to the corporate bodies the information reported, where relevant’.
Both TUF (articles 4-undecies and 4-duodecies) and TUB (articles 52-bis and 52-ter) require the recipients to adopt specific procedures for the reporting by their personnel of acts or facts that may constitute violations of the provisions governing the activity carried out. The procedures shall be suitable to:
1. ensure the confidentiality of the personal data of the whistle-blower and of the alleged perpetrator;
2. protect the whistle-blower from retaliatory, discriminatory or unfair conduct related to the report; and
3. provide a specific, independent and autonomous channel for reporting.
Within the scope of their specific functions, the Bank of Italy and Consob can receive reports by personnel of violations of the provisions of the TUB and TUF or of directly applicable EU legislation. They shall use the content of these reports in the exercise of their respective supervisory functions.
Italy
Whistleblowing
Companies have to implement a whistleblowing policy and procedure, responsibility for which lies with the board of directors collectively (rather than any single individual).
Germany
Statement of responsibilities
Each senior manager must have a statement of responsibilities which sets out what they are responsible for – see ‘duty of responsibility’ in the preceding column for its significance.
Data protection
There is no SMF or ‘prescribed responsibility’ (PR) for the FCA or PRA which explicitly relates to data protection. However, data protection and operational resilience are a current focus of the FCA.
Whistleblowing
UK SMCR banking firms are required to appoint a non-executive director (NED) as a ‘whistle-blowers champion’ responsible for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing.
Management responsibilities map
Some firms, including enhanced scope firms and SMCR banking firms, must have a management responsibilities map. This is a single document which describes a SMCR firm’s management and governance arrangements and sets out how responsibilities have been allocated, including whether they have been allocated to more than one person.
United Kingdom
Other Points of Interest
The Central Bank laws and regulations are applicable to banks and financial institutions registered with the Central Bank and/or QFMA and their employees.
Qatar - Onshore
The laws, rules and regulations of the SCB are applicable to all financial institutions licensed by the SCB and their employees.
Saudi Arabia - SCB
There is no explicit territorial limitation imposed for contravention. The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
UAE - ADGM
There are no explicit territorial limitations under the DFSA regime. However, an authorised individual must reside in the UAE (rule 7.5.2 of the General Module).
The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
UAE - DIFC
No territorial limitations are specified. The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
UAE - Onshore
The regimes are only applicable to conduct within Poland.
Poland
The senior management of a Spanish financial institution can be held responsible for misconduct without any territorial limitation, provided such misconduct is carried out within the scope of application of the codes of conduct and accountability of the financial institution. This applies to the entire group of the financial institution, thus including branches and their employees in other countries.
Spain
These apply to corporate representatives and personnel of ‘qualified entities’ for which the Bank of Italy has the sanctioning power.
These include, inter alia, EU investment companies with a branch in Italy, Italian banks or EU banks with a branch in Italy authorised to provide investment services or activities.
Sanctions can be applied irrespective of whether the subject involved has a registered office/residence in Italy or whether they are based abroad, provided that they fall within the scope of the TUB and TUF.
Italy
Directors can be held liable in Germany for actions taken outside Germany if they affect customers of German financial services firms.
Germany
The SMCR has no territorial limitation. If individuals are carrying out captured roles outside the UK for UK regulated activities then they may be caught.
The conduct rules apply to certain senior individuals worldwide, including SMF holders, and other individuals based overseas in specified circumstances. For UK firms, this includes activities conducted outside of the UK, which involve dealing with UK clients.
United Kingdom
Territorial Limitations
United Kingdom
In the wake of the 2008 financial crisis and the LIBOR scandal, the UK parliament established the Parliamentary Commission for Banking Standards (PCBS) in order to make recommendations on how to improve conduct in the banking sector.
The SMCR has three distinct but connected parts:
• The Senior Managers Regime: which focusses on the most senior individuals who perform Senior Management Functions (SMFs);
• The Certification Regime: which applies to employees who could pose a risk of significant harm to the firm or any of its customers; and
• The Conduct Rules: which are high-level requirements that apply to in-scope people (which is most people within financial services firms).
In this report we have provided a snapshot of the SMCR for both dual and solo-regulated firms. The application of the regime varies according to the type of firm and whether it is dual or solo-regulated and it is not possible to capture all of the variations in a summary report. We have, therefore, focussed on the key points which apply to the widest number of firms.
Whilst the SMCR has now been in place for over four years, we have not yet seen the plethora of enforcement outcomes against senior managers that was anticipated by some prior to the regime’s implementation. In fact, the FCA has opened relatively few enforcement investigations into senior managers and has only had one public enforcement outcome in relation to a senior manager’s conduct under the regime.
However, given the SMCR’s ever-increasing scope, this is highly likely to change, especially in the wake of the COVID-19 pandemic, during which the FCA’s rhetoric has been clear: senior managers’ obligations remain unchanged and SMFs, as well as firms, must be able to demonstrate that they took ‘reasonable steps’ to deal with the pandemic.
The regulator has recently reiterated the view that ‘senior managers have a crucial role to play to ensure their firms continue to act appropriately and with integrity’ and it is highly probable that where failings are identified, the individuals responsible will find themselves facing enhanced regulatory scrutiny and potential enforcement action.
The PCBS recommended the introduction of a new accountability framework focussed on senior management. As a result, the first version of the Senior Managers and Certification Regime (SMCR) came into force in March 2016, and applied to UK banks, building societies, credit unions and PRA-designated investment firms and branches of foreign banks operating in the UK.
The scope of the SMCR has since been extended and now includes all UK insurers, reinsurers and solo-regulated (Financial Conduct Authority (FCA) only authorised) firms.
Implementation
Implementation of the SMCR was resource intensive and presented difficulties for most firms. Those operating in jurisdictions in which similar regimes are due to be implemented (such as the Republic of Ireland or Singapore), firms applying to be regulated in the UK, new SMFs and EEA firms considering their post-Brexit position may find the following practical observations helpful:
• Initially some firms found it difficult to determine which senior managers were responsible for which business area. Often, open and frank conversations were needed amongst senior managers to determine this. We have found this clarity has, in some cases, resulted in a positive change to how those areas of the firm were managed.
• Some individuals were reluctant to take up SMFs or certification functions, so firms should address this ahead of time, including through re-negotiation of employment terms and confirmation of the extent and access to Directors and Officers (D&O) insurance.
• Senior managers not only need to take reasonable steps to ensure their areas of responsibility have complied with all applicable regulatory requirements, they also need to be able to evidence them. It is important that senior managers consider how to document their actions from the outset, without risking turning their operation into an unproductive exercise in compliance reporting, attestations and approvals.
• Firms needed to consider how they amend interview and other on-boarding processes to help comply with the need to carry out ‘fit and proper’ assessments. This process has helped some firms to identify improvements required as part of their governance structure. For example, where one committee was, in practice, responsible for multiple group entities, this may result in those committee members being SMFs for multiple group entities. This was unlikely to be the intention and so necessitated some changes to the group’s structure.
• Some firms found obtaining buy-in across the business difficult. Whilst compliance and legal functions often understood the need, convincing those in more customer-facing roles, such as sales teams and advisers, proved difficult for some. Board committees or sponsors were often needed to force through the necessary changes and deal with what invariably proved complex and time-consuming projects on time and on budget.
Post-implementation
Post-implementation of the SMCR, we have seen the following issues:
• A number of firms have not really understood how, in practice, changes to those holding SMFs should be effected. This included knowing when the new SMF could carry out the role, what forms should be submitted to the FCA and when, and ensuring the firm has captured sufficient information as part of the SMF on-boarding process. Advice should be sought as and when necessary in order to avoid breaches and/or enhanced regulatory scrutiny.
• Where firms have suddenly lost a senior manager, consideration may need to be given to how that senior manager’s responsibilities are handled in the short term and whether this necessitates FCA applications and/or changes to internal documentation – such as the ‘responsibilities map’ (where applicable). Firms should be alert to the temporary ‘12 week rule’.
• It is advisable for firms to seek and obtain external validation of their implementation from a qualified practitioner. Depending upon the scope of any review, this may go some way to demonstrate that the senior managers have taken reasonable steps to ensure their practice areas comply with the regulatory requirements.
• We expect that once a number of senior managers have been penalised by the FCA/PRA for failing in their ‘duty of responsibility’, senior managers will more urgently and attentively consider the steps they are taking on a day-to-day basis.
It will be interesting to see how firms with a significant number of certification staff ensure substantive compliance with yearly certification requirements. We can expect many employment law disputes around internal misconduct investigations, dismissals, team moves and regulatory references.
The SMCR is applicable to dual-regulated (FCA and PRA regulated) and solo-regulated firms operating in the UK. For dual-regulated firms, our summary focuses on the rules applicable to banks and PRA-designated investment firms rather than insurers.
Approvals required
Any individual performing a SMF needs FCA approval (and PRA approval depending on the SMF/combination of SMFs) before carrying out that function.
The FCA expects firms to satisfy themselves that the individual is fit and proper before seeking approval. Under the ‘12 week rule’, individuals can cover for absent SMFs without approval from the relevant regulator in some circumstances. Firms must certify individuals as fit and proper to carry out certification functions both before undertaking a SMF role and annually thereafter.
This includes considering how each SMF complies with the senior manager conduct rules (see below). Depending on the type of SMCR firm, there is a requirement for firms to make ongoing notifications to the FCA concerning the accuracy of the information about their certification staff, and that it is correctly reflected in the new FCA directory.
Employee conduct rules
The Code of Conduct containing conduct rules is applicable to almost all those employed by firms falling within the regime, except for those who perform ‘ancillary’ functions not specific to financial services. ‘Senior manager conduct rules’ apply to those holding SMFs and include obligations for SMFs to disclose information of which the FCA or PRA would reasonably expect notice and to take reasonable steps to ensure:
1. that the business for which they are responsible complies with regulatory requirements; and
2. that any delegation of responsibilities is to an appropriate person.
Our online Conduct Rules training
Get in touch with our regulatory consulting team to find out more about our online training, which will:
• Help all staff understand the key tenets of the SMCR and underpin what individual accountability means and what good conduct looks like.
• Promote understanding of the Conduct Rules, how they apply to all relevant staff and Senior Managers and how to identify a breach.
• Increase understanding of the Certification regime and requirements for Senior Managers and Certified staff.
• Increase understanding of Duties of Responsibilities and Reasonable Steps expectations for Senior Managers.
• Ensure that firms can comply with FCA requirements and evidence that Conduct Rules training has been provided to all relevant staff and Senior Managers.
Criminal, civil and/or regulatory liabilities
Senior managers have a ‘duty of responsibility’ under the regime. The FCA and PRA are able to take enforcement action against senior managers if they are responsible for the management of any activities in relation to which their firm contravenes a ‘relevant requirement’, and the senior manager has not taken reasonable steps to avoid the contravention occurring (or continuing).
Senior managers of UK banks, building societies and PRA investment firms can be held criminally liable for the failure of their firm (the firm becoming insolvent) in certain circumstances.
The FCA can also take enforcement action against senior managers, certified persons and those subject to the code of conduct for breach of the conduct rules or for being ‘knowingly concerned’ in the breach of a ‘relevant requirement’. Sanctions available to the FCA include financial penalties, public censure, withdrawal of permission to hold a SMF and the power to impose prohibition orders.
All those within the scope of the SMCR (and more) can face criminal prosecution for financial crimes, such as market abuse.
Senior managers cannot be indemnified by insurers, or their employer, for any regulatory fines imposed upon them by the FCA for breach of FCA rules.
Employment implications
Regulatory reference
Firms must obtain regulatory references for any individual they are considering:
1. appointing to carry out a SMF;
2. certifying as ‘fit and proper’; or
3. appointing as a board director.
Firms must provide regulatory references to other firms where the rules apply.
Disciplinaries
Where disciplinary action is taken because of a conduct rule breach, the firm must notify the FCA. For senior managers, the notification is required within seven working days.
For other individuals, the reporting occurs via annual reporting. Other notification requirements may also apply under rules outside the SMCR.
Remuneration
Disciplinary action taken by firms for breaches of the code of conduct may include a reduction in remuneration or clawback (depending on the circumstance and the malus/clawback provisions in the relevant employment contract).
Criminal record checks
Required for SMFs prior to initial approval by the FCA. Not required as part of annual assessment of fitness and propriety. Criminal record checks are not mandatory for certification functions but firms can, where legally permissible, carry out these checks.
Other points of interest
Statement of responsibilities
Each senior manager must have a statement of responsibilities which sets out what they are responsible for – see ‘duty of responsibility’ in the preceding column for its significance.
Data protection
There is no SMF or ‘prescribed responsibility’ (PR) for the FCA or PRA which explicitly relates to data protection. However, data protection and operational resilience are a current focus of the FCA.
Whistleblowing
UK SMCR banking firms are required to appoint a non-executive director (NED) as a ‘whistle-blowers champion’ responsible for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing.
Management responsibilities map
Some firms, including enhanced scope firms and SMCR banking firms, must have a management responsibilities map. This is a single document which describes a SMCR firm’s management and governance arrangements and sets out how responsibilities have been allocated, including whether they have been allocated to more than one person.
Territorial limitations
The SMCR has no territorial limitation. If individuals are carrying out captured roles outside the UK for UK regulated activities then they may be caught.
The conduct rules apply to certain senior individuals worldwide, including SMF holders, and other individuals based overseas in specified circumstances. For UK firms, this includes activities conducted outside of the UK, which involve dealing with UK clients.
Key contacts
Director
M: +44 7842 608 194
E: Imogen.Makin@dwf.law
Imogen Makin
Partner
M: +44 7545 100 514
E: Robbie.Constance@dwf.law
Robbie Constance
Associate
M: +44 7892 701766
E: Aaron.Osborn@dwf.law
Aaron Osborn
Get in touch
Global Co-Head of Financial Services Sector
M: +971588498244
E: bhavesh.dattani@dwf.law
Bhavesh Dattani
Global Co-Head of Financial Services Sector
M: +1 7187 094 874
E: Vishal.Anand@mindcrest.com
Vishal Anand
Partner
M: +49 1705 543 936
E: Axel.vonGoldbeck@dwf.law
Axel von Goldbeck
Key contacts
Territorial limitations
Directors can be held liable in Germany for actions taken outside Germany if they affect customers of German financial services firms.
Other points of interest
Whistleblowing
Companies have to implement a whistleblowing policy and procedure, responsibility for which lies with the board of directors collectively (rather than any single individual).
Criminal, civil and/or regulatory liabilities
BaFin can impose sanctions (for example, fines) on, and take actions against, MDs directly, such as removing them from office and appointing a replacement. However, this happens very rarely and BaFin tends to take action against institutions rather than individuals.
MDs can be held liable to their employer, but not to third parties, for damages arising from any deliberate or negligent misconduct. Liability for damages under German civil law can be very burdensome for MDs.
Section 93 of the German Stock Corporation Act and section 43 of the German Act on limited liability companies also foresee personal liability for MDs in case of personal misconduct. In extreme cases, such as market abuse, the criminal law applies.
Employment implications
Employment implications of misconduct are determined by the contract between the MD and institution. Directors and Officers (D&O) insurance policies can significantly mitigate the personal consequences of misconduct in the case of MDs. These policies usually cover liability for civil damages; regulatory sanctions are frequently excluded from cover, as are criminal sanctions.
Disciplinaries
Neither BaFin nor any other regulatory body needs to be informed if disciplinary action is taken against a director by the company.
Remuneration
Individual service/employment contracts usually contain bonus and clawback provisions relating to misconduct. If the company takes out an insurance policy to cover a board member against risks arising from their professional activity for the company, a deductible of at least 10% of the loss up to at least one and a half times the fixed annual remuneration of the board member must be provided for as an indemnity under the insurance policy (according to section 93, paragraph 3 of the German Stock Corporation Act).
Employee conduct rules
There are no specific conduct rules stipulated by legislation or BaFin for directors or employees of financial institutions. However, financial institutions must implement appropriate conduct and governance rules which are assessed by their auditors. BaFin can also initiate special audits and investigations if they suspect an institution has not implemented appropriate conduct and governance rules.
Approvals required
No upfront approvals are required from the German Federal Financial Supervisory Authority (BaFin) in order for individuals to hold positions in financial institutions, nor are the institutions required to attest to, or certify, an individual’s ‘fitness and propriety’ (or similar) to hold positions.
There is no specific individual accountability regime, but applicable legislation includes the German Banking Act, the German Stock Corporation Act (which applies mostly to listed companies) and the German Act on limited liability companies.
It is rare for regulatory authorities to take actions against individuals in Germany in contrast to other jurisdictions, such as the UK. Furthermore, there is no mechanism for holding individuals accountable for regulatory breaches by an institution. For example, a Head of Compliance cannot be held to account for the inadequate design or implementation of particular systems and controls, nor can they be held accountable for failing to take reasonable steps to remedy on-going regulatory breaches in the event that gaps in an institution’s systems and controls are identified.
In Germany, the civil liability regime is widely seen as adequate to prevent personal misconduct. However, it is noteworthy that a third party which has suffered damage as a result of a managing director’s (MD) misconduct can issue a claim for compensation against the MD’s employer, but not against them directly. If the employer pays damages to a third party, it can, in cases of personal misconduct, claim damages from the MD personally. Germany has seen a number of prominent claims brought against MDs in recent years.
Germany does not have a single individual accountability regime comparable to the Senior Managers and Certification Regime (SMCR) or similar regimes in other jurisdictions.
Germany
Partner
M: +39 3397 539 913
E: Luca.LoPo@dwf.law
Luca Lo Pò
Counsel
M: +39 3478 363 081
E: Francesco.Falco@dwf.law
Francesco Falco
Key contacts
Territorial limitations
These apply to corporate representatives and personnel of ‘qualified entities’ for which the Bank of Italy has the sanctioning power.
These include, inter alia, EU investment companies with a branch in Italy, Italian banks or EU banks with a branch in Italy authorised to provide investment services or activities.
Sanctions can be applied irrespective of whether the subject involved has a registered office/residence in Italy or whether they are based abroad, provided that they fall within the scope of the TUB and TUF.
Other points of interest
Whistleblowing
In accordance with annex 4 of the Bank of Italy’s Regulation implementing articles 4-undecies and 6 of the TUF, dated 5 December 2019, and Circular no. 285 of 17 December 2013 (as subsequently updated), a ‘person responsible for internal reporting systems’ shall be appointed. This person ‘shall ensure the proper conduct of the process and shall report directly without delay to the corporate bodies the information reported, where relevant’.
Both TUF (articles 4-undecies and 4-duodecies) and TUB (articles 52-bis and 52-ter) require the recipients to adopt specific procedures for the reporting by their personnel of acts or facts that may constitute violations of the provisions governing the activity carried out. The procedures shall be suitable to:
1. ensure the confidentiality of the personal data of the whistle-blower and of the alleged perpetrator;
2. protect the whistle-blower from retaliatory, discriminatory or unfair conduct related to the report; and
3. provide a specific, independent and autonomous channel for reporting.
Within the scope of their specific functions, the Bank of Italy and Consob can receive reports by personnel of violations of the provisions of the TUB and TUF or of directly applicable EU legislation. They shall use the content of these reports in the exercise of their respective supervisory functions.
Criminal, civil and/or regulatory liabilities
The Bank of Italy and Consob can impose administrative or financial sanctions on financial institutions and individuals. This includes the power to prohibit individuals (either permanently or for a specific period of time) from holding certain functions in financial institutions and the power to publish an order censuring an individual for particular misconduct.
Pursuant to article 7, paragraph 2-bis and 2-ter, TUB, the Bank of Italy and Consob may remove one or more employees of financial institutions under their supervision in order to ensure the safe and prudent management of institutions or the transparency and fairness of their conduct.
Individuals cannot be indemnified by insurers for regulatory fines imposed upon them by Bank of Italy or Consob.
Employment implications
There are no specific provisions in the individual accountability regime regarding employment implications.
The fact of internal disciplinary proceedings (or lack thereof) is irrelevant to the regulators’ assessment of the appropriate sanctions. On the contrary, reports resulting from the application of the whistleblowing procedure could be relevant.
There are no specific provisions relating to remuneration for breaches of the regime. Reductions in remuneration are determined by the relevant employment contract and employment law.
Employee conduct rules
Compliance with provisions of the TUF and TUB is required for ‘persons performing administrative, management or control functions’ as well as ‘personnel’. ‘Personnel’ means ‘employees and those who, in any case, operate within the company by means of a relationship that determines their inclusion in the company organisation, even in a form other than an employment relationship’.
Approvals required
No approvals are required from either the Bank of Italy or Consob for individuals performing senior management roles. There are specific requirements for institutions to cover the positions of company representatives with those that meet certain standards set out in the TUB and TUF. The administrative and controlling bodies of the institutions are responsible for assessing the suitability of their members and the overall adequacy of the body.
The regime is applicable to most financial services firms in Italy. In particular, it applies, inter alia, to banks, financial intermediaries, depositaries and ‘qualified entities’ (for example, EU investment firms with branches in Italy).
Potential sanctions include financial penalties, disqualification orders and reputational sanctions. The regime, therefore, has a strong dissuasive effect and appears to be effective in holding individuals to account when they have been involved in serious wrong-doing. Both the Bank of Italy and Consob have used their powers under the individual accountability regime many times. To date most investigations using the powers given to the authorities under the 2015 amendments have related to criminal conduct or severe violations of statute, rather than more minor violations.
As in several other jurisdictions, the Bank of Italy and Consob exercise wide discretion in assessing conduct and using their powers to impose sanctions. More prescriptive rules would clearly benefit those subject to the regime, so as to provide them with more clarity on their obligations and the ramifications of failing to comply. This would, hopefully, limit the authorities’ ability to use discretion when applying sanctions. In addition, the procedure by which the appropriate sanction is determined by the relevant authority can be unclear and does not present the procedural guarantees of claims brought in court. For this reason, the sanctioned party always has the option to appeal the sanction to the competent court. The regime could be amended to allow for individuals to exchange information, and negotiate, with the authorities regarding the appropriate sanctions prior to their imposition (such as occurs in the UK); this is not currently provided for in Italy.
The regime could also be improved through the introduction of a specific whistle-blower channel in order to report minor violations and prevent more serious violations. This could enable either the Bank of Italy or Consob (as appropriate) to investigate less serious violations which, nonetheless, have the potential to amount to misconduct, albeit not criminal behaviour. For instance, reports could be made of behaviours which suggest that a more serious violation is about to take place, or that the foundations for such a violation have been laid (for example, when preparing company plans or projects that are not in line with specific measures adopted by the competent authority).
Given the potentially severe consequences of breaches of the regime, financial services firms should ensure that they have implemented a detailed training programme on the relevant rules and obligations on individuals and that the programme is updated regularly to reflect relevant legal or regulatory changes.
Furthermore, all processes and procedures implemented in order to ensure compliance with the regime should be formalised through appropriate governance mechanisms and documented accordingly. This will assist in providing the relevant authority with evidence of institutions’, and individuals’, attempts to comply with the regime in the event of an investigation. Lastly, establishing an internal whistleblowing procedure specifically related to the individual accountability regime could help to identify misconduct and mitigate the risk of serious misconduct occurring unidentified.
Following these amendments, both financial institutions and, in some circumstances, their management, can be held liable for violation of the provisions of the TUF or TUB. Prior to the introduction of the regime, sanctions for failures were directed at the entity rather than the responsible individual.
The individual accountability regime in Italy now provides for severe administrative sanctions to be imposed on company representatives and personnel as a consequence of a breach of their duties (or of duties of bodies they belong to), when one or more of the following conditions are met:
• The conduct had a significant impact on the firm’s overall organisation or on corporate risk profiles. In relation to financial institutions, TUF provides that sanctions can be imposed for conduct that caused serious prejudice to investor protection or to the transparency, integrity and proper functioning of the market.
• The conduct has contributed to the firm’s failure to comply with specific measures issued by either the Bank of Italy or Consob (for example, orders to limit activities).
• The breaches relate to the obligations imposed on the remuneration and incentives of personnel (under regulations issued by the Bank of Italy, amongst others), where company personnel is involved in the breach.
The individual accountability regime in Italy was introduced by Italian Legislative Decree in 2015 through amendments to the Italian Financial Intermediaries Act (TUF) and the Italian Banking Act (TUB).
Italy
Partner
M: +34 695 880 414
E: Carlos.Nogareda@dwf-rcd.law
Carlos Nogareda
Key contacts
Territorial limitations
The senior management of a Spanish financial institution can be held responsible for misconduct without any territorial limitation, provided such misconduct is carried out within the scope of application of the codes of conduct and accountability of the financial institution. This applies to the entire group of the financial institution, thus including branches and their employees in other countries.
Other points of interest
Data protection
There are no specific rules regarding accountability for administrators or senior managers under Spanish data protection law.
Whistleblowing
There are no requirements for a particular senior individual to be responsible for whistleblowing.
Financial institutions must implement and supervise whistleblowing procedures and channels.
Criminal, civil and/or regulatory liabilities
An infringement or a breach of conduct rules will be considered misconduct. Misconduct in financial services is dealt with by different sets of legislation and therefore can be assessed by different public authorities, specifically:
• for general corporate misconduct, such as failure to fulfil fiduciary duties, civil claims can be brought against an individual (the administrator/director is answerable for his/her misconduct). Claims can also be brought against the company (the company must answer for the misconduct) by creditors, stakeholders, affected third parties, or by other directors or the company itself;
• in terms of a breach of rules in financial or securities market regulation, such as infringement of the suitability regime, the competent authority would be the CNMV, BE, the Ministry of Economy and/or the administrative jurisdiction; and
• infringements of the Criminal Code (Código Penal), such as money laundering or falsification of company’s accounts, are prosecuted under the criminal jurisdiction. In order to avoid criminal prosecution, most financial institutions publish a Criminal Compliance Handbook; the existence of an effective crime prevention programme can operate as a defence.
Administrative supervisors are able to take administrative actions and sanctions against senior managers, when:
1. they are responsible for the firm contravening the relevant legal requirements; and
2. they do not implement the necessary steps/actions that a person in their position is expected to take in order to prevent these infringements from occurring (or continuing).
Sanctions
These can include financial penalties, suspension or removal of directors, or even prohibition orders preventing individuals from holding a board position in the future. A sanctions regime also exists in relation to third parties to whom credit institutions have subcontracted operational functions or activities.
Indemnification
Some liability policies could cover certain fines and sanctions. However, senior management cannot be indemnified by insurers if they commit a wilful ‘wrongful act’. As a result, D&O policies usually exclude cover for a fraudulent, criminal or intentional ‘wrongful act’.
Employment implications
Remuneration
Spanish regulation does not specifically provide for a reduction in remuneration or clawback in the case of misconduct. Internal disciplinary policies and an individual’s employment contract or commercial agreement with the relevant institution will govern this.
If the misconduct is defined by law, any individual within the company or external, such as a client, with knowledge of the breach of the rules is entitled to notify the regulator. Communications must be submitted by any means that provides proof of identity of the person communicating the breach.
If internal disciplinary action is taken against a senior manager, the financial institution is not obliged to notify the regulator. However, changes in senior management must be notified for approval purposes, without having to report the reason.
Dismissal of an administrator/board member for misconduct does not need to be justified, as the labour legislation regarding dismissal does not apply.
The dismissal of a general manager for misconduct can be considered ‘appropriate’ (and not subject to compensation) if justified and proven. Additionally, the general manager could be dismissed without a justified cause, but any such dismissal would be subject to indemnification.
Employee conduct rules
Financial institutions must have codes of conduct in force, applicable to all staff, as well as additional rules and requirements for those holding key positions (management body, general manager, etc.). These codes of conduct must include the standards set out in the EBA Guidelines (that is, guidelines on internal governance) and the requirements set out in Spanish and European legislation. However, there are no standardised models officially published by the regulators.
Approvals required
Members of the board, managing directors (MD), general managers and, in some specific cases, those individuals holding other key positions require approval from the relevant regulator. Individuals must be assessed by the relevant regulator as suitable for the role.
In some cases a register of approved individuals is maintained by the relevant regulator (for example, ‘registry of senior executives’ in the BE for credit institutions; the register of MLROs in SEPBLAC, the Spanish anti-money laundering supervisor).
Whilst there is no unified regime in Spain, there are legislative provisions holding senior individuals to account. These provisions apply to the senior management of all financial institutions authorised by the BE or the CNMV. Insurance entities are not included within the scope of this note.
There have not been any recent changes to the legislation governing individual accountability in Spain. However, given the amount of regulatory activity and recent public judicial proceedings against both financial institutions and their senior managers for criminal infringements of the law, there has been an increase in the procurement of Directors and Officers (D&O) insurance (which includes cover for certain fines and regulatory sanctions). There has also been an increase in the inclusion of ‘golden parachute’ clauses in senior managers’ employment contracts. Senior management accountability is, therefore, very much a live issue in the jurisdiction.
Whilst there is no unified individual accountability regime in Spain, the legal provisions holding individuals within credit institutions and investment firms to account were first introduced 32 years ago, with Law 26/1988 of 29 July and Law 24/1988.
Spain
Both laws have been amended on several occasions to adapt Spanish legislation to the regulatory changes imposed at international and EU level.
There has been no shortage of regulatory actions taken by the Bank of Spain (BE) and the National Securities Commission (CNMV) against individuals in recent years. The majority of the sanctions or penalties imposed by the BE and CNMV on individuals recently are attributable to the following infringements:
• the provision of financial services without the prior required authorisation;
• breaches of the obligations regarding client relationships, specifically not providing sufficient pre-contractual information to the client (for example, tariffs and commissions), and not acting in the best interest of the client;
• non-compliance with internal conduct rules, for example, relating to a lack of oversight, inadequate risk management, the improper use of privileged information, or a lack of transparency and integrity;
• non-compliance with the obligation to record transactions; and
• failure to have proper administration and management in the Spanish territory.
Senior Associate
M: +34 695 990 220
E: Iratxe.Lezamiz@dwf-rcd.law
Iratxe Lezamiz
Senior Associate
M: +48 692 003 532
E: Michal.Toronczak@dwf.law
Michal Torończak
Partner
M: +48 571 244 772
E: Adam.Stopyra@dwf.law
Adam Stopyra
Key contacts
Territorial limitations
The regimes are only applicable to conduct within Poland.
Other points of interest
Data protection
The Polish individual accountability regimes do not explicitly cover data protection. Responsibility for data protection breaches is regulated by GDPR and other domestic legislation.
Whistleblowing
There are requirements for a senior manager to be responsible for whistleblowing. In relation to banks, one board member must be responsible for whistleblowing. Entities from certain sectors of the financial market (in particular banks and investment firms) must implement whistleblowing policies. In the case of banks, the articles of association must include a procedure of anonymous reporting of violations of the laws, internal regulations and ethical standards applicable to the bank. The procedure must provide protection for whistle-blowers against retaliation, discrimination and other potential instances of unfair treatment.
Criminal, civil and/or regulatory liabilities
The PFSA has the power to dismiss the board member of a bank if he/she is convicted for an intentional (as defined in Polish criminal law) or fiscal offence (except for offences tried in a private prosecution), or for a failure to inform the PFSA of charges relating to such offences within 30 days of the charges being brought.
The PFSA also has the power to impose fines on the board members of banks if a bank:
1. fails to comply with recommendations issued by the PFSA in response to its conduct of business activity in contravention of law or the bank’s articles of association;
2. refuses to provide the PFSA with explanations and information when required; or
3. has irregularities discovered in its activity relating to structured deposits.
There are no specific rules prohibiting the indemnification of senior managers by insurers for regulatory fines.
Employment implications
Remuneration
The individual accountability regimes do not explicitly deal with remuneration. Remuneration may be reduced for misconduct depending on the policies of the financial institution and the employment contract of the relevant individual (if the individual’s employment is not terminated).
The supervisory board of a bank must notify the PFSA of the composition of the management board and of any changes to it.
Banks must conduct criminal record checks of candidates for positions on a management board.
Employee conduct rules
Board members of banks must have the knowledge, skills and experience relevant to their functions and duties, and give an adequate guarantee of due performance of their duties.
Approvals required
Approvals from the PFSA are required for certain members of management boards of certain financial institutions. Applicable requirements depend on the sector of the financial market.
In relation to banks, certain members of the board, namely the chair and those in charge of supervising material risk in the bank’s activities, must be approved by the PFSA.
Members of a bank’s management and supervisory boards should have knowledge, skills and experience relevant to their functions and duties, and give an adequate guarantee of due performance of their duties. Banks must certify that those criteria are met.
If a person performs a function without approval or against the decision of the PFSA, there are no criminal ramifications, but it would likely lead to regulatory sanctions being imposed on a bank.
Individual accountability regimes under the jurisdiction of the president of the OCCP and the PFSA applicable to board members of banks and management personnel of certain other financial institutions, for example, investment firms.
Board members of financial institutions would benefit from further clarity regarding the circumstances in which fines and/or other penalties are likely to be imposed. The rules allow regulators a wide discretion when interpreting them and exercising the relevant powers. Board members would also benefit from the introduction of firmer procedural guarantees that the regulators will respect their rights, for example, the right of the party to participate actively in the administrative proceedings and the right to be informed of the evidence collected by the regulator. The process of reconsidering contested decisions by the PFSA and the appeals process in the administrative courts can be very slow. This often leaves individuals with the burden of regulatory actions imposed on them for several years.
Whilst individuals do not commonly find themselves personally subject to regulatory investigations in Poland, the existence of the regime and the severity of the potential sanctions mean that those in management positions in financial institutions should ensure they fulfil their roles with due care and diligence, always critically assessing the risks and consequences of their actions.
It is advisable for individuals to obtain legal and compliance opinions from advisors with experience in regulatory matters when making strategic decisions. Additionally, they should follow the statements of the Polish regulators carefully, and ensure that their knowledge of the interpretations of laws and regulations provided by the regulator remains current. Financial institutions should implement codes of conduct and corporate governance rules in accordance with guidance from the PFSA. It is also advisable to maintain an open and cooperative dialogue with the regulator at all times.
The regimes cover two different areas of responsibility. The first is focussed particularly on violations of consumer protection rules and applies to all entrepreneurs, not only to financial institutions; the other is focussed on financial institutions. The exact nature of individual responsibility and the powers of the PFSA depend on the sector of the financial market of the relevant institution. The individual accountability regime applicable to banks, for example, is influenced by several EU directives (especially CRD IV).
Potential sanctions under the regime in Poland (such as dismissal from the board of a bank by the PFSA) could affect an individual’s whole career path. They have, therefore, proven very effective in ensuring that the managers of financial institutions maintain good standards of conduct and carry out their responsibilities in an appropriate manner.
Notwithstanding the existence of the regime and its apparent effectiveness in ensuring good levels of conduct, sanctions are not commonly imposed on the board members of financial institutions in Poland. That said, it is clear that regulators are not afraid to use their powers when required.
The individual accountability regimes applicable to the board members of banks and other financial services firms are enforced by the Polish Financial Supervision Authority (PFSA) and the President of the Office of Competition and Consumer Protection (OCCP).
Poland
Global Co-Head of
Financial Services Sector
M: +97 1523 859 126
E: Umera.Ali@dwf.law
Umera Ali
Key contacts
Territorial limitations
No territorial limitations are specified. The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
Other points of interest
There are no specific provisions assigning responsibility for whistleblowing or data protection to particular senior individuals.
Criminal, civil and/or regulatory liabilities
The Central Bank may suspend, withdraw, or revoke the authorisation issued to an individual undertaking designated functions via an official notice. This may occur in several circumstances including:
1. if the relevant individual ceased to meet, or breached one or more of the fit and proper criteria;
2. if the relevant individual violated any of the State’s established laws and regulations or the regulations, rules, standards, or guidelines issued by the Central Bank;
3. if the relevant individual was declared bankrupt; and/or
4. if the relevant individual refused to cooperate with representatives of the Central Bank, or failed to submit required information or records.
The Banking Law sets out various fines and prison terms for individuals who contravene its conditions and restrictions. The rules and regulations do not stipulate whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the Central Bank.
Employment implications
Remuneration
There is currently no legislation that allows the Central Bank to target the remuneration of a senior manager. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution itself taking actions affecting their remuneration.
Disciplinaries
If an employer takes disciplinary action against an employee then it must inform the relevant regulator; the DFSA, ADGM and/or the Central Bank as appropriate.
Employee conduct rules
There is no separate set of conduct rules within the Central Bank’s laws and regulations. However, any individual licensed to undertake designated functions may have their licence revoked or suspended if they no longer meet the criteria of the Central Bank.
Approvals required
The Central Bank is required to assess and approve those in senior management positions at banks and financial institutions operating in the UAE (UAE Federal Law no.14 of 2018 concerning the Central Bank, the Monetary System and the Organisation of Banking (Banking Law)).
The activities of senior management are ‘designated functions’ under the Banking Law, and are defined as functions of an influential nature on the relevant institution’s activities. A financial institution must submit an application to the Central Bank if it wants a particular individual to undertake a designated function. The Central Bank may reject an application if it determines that the individual is not ‘fit and proper’ for the relevant role.
Regime applicable to banks and other financial institutions in the UAE, with the exception of institutions incorporated and licensed by the DIFC and the ADGM.
• the laws and regulations of the Central Bank of the UAE;
• the laws and regulations of the Dubai Financial Services Authority (DFSA), the financial regulator for the Dubai International Financial Centre (DIFC); and
• the laws and regulations of the Financial Services Regulatory Authority (FSRA), the financial regulator for the Abu Dhabi Global Markets (ADGM).
There are three key legal regimes in the UAE:
United Arab Emirates
All three of these jurisdictions have their own laws and regulations. The DFSA and ADGM have to comply with the Central Bank regulations and usually incorporate these into their rule books. There is no single set of laws or regulations in any of the UAE jurisdictions that is similar to the Senior Managers and Certification Regime (SMCR) in the UK. However, each jurisdiction has a few regulations that overlap with the SMCR. The rules were introduced to enhance the governance of financial institutions and ensure compliance with national and international banking regulations.
The regimes are considered to be fairly effective and have led to an improvement in the conduct of those caught by the regimes. The Central Bank and other regulatory authorities are involved in firms’ governance processes and routinely conduct audits and investigations. There have been instances where the senior officials of firms have been terminated and/or fined as a result of investigations by the UAE regulatory authorities. The DFSA has also blacklisted individuals who have been found non-compliant with their regulations.
Onshore UAE
DIFC
ADGM
Territorial limitations
There are no explicit territorial limitations under the DFSA regime. However, an authorised individual must reside in the UAE (rule 7.5.2 of the General Module).
The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
Other points of interest
The DFSA does not have specific rules or regulations relating to whistleblowing or data protection.
Criminal, civil and/or regulatory liabilities
If the DFSA considers that a person has breached a provision of any DFSA legislation or rules, it may impose a restriction preventing that person from performing any function in connection with the provision of financial services in, or from, the DIFC (articles 58 and 59 of the Regulatory Law). The time period of the restriction is within DFSA’s discretion. A person may be suspended as the authority sees fit or in serious circumstances, can be barred from practising within the jurisdiction.
Criminal liability is not explicitly imposed by the DFSA. In circumstances where the contravention of DFSA legislation or rules is of a more serious nature, the DFSA may seek to impose a financial penalty by commencing proceedings before the Financial Markets Tribunal or the DIFC Court (civil proceedings).
There are no explicit provisions that define whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the DFSA.
Employment implications
Remuneration
There are no explicit provisions regarding how the remuneration of a senior manager is to be affected if they breach the rules. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution taking actions affecting remuneration.
Employee conduct rules
The licensed functions of an authorised individual are linked to an authorised firm’s management and/or its provision of services. Therefore, the DFSA requires authorised individuals to meet certain standards in relation to their experience, knowledge and qualifications. The licensed functions include senior executive officers, licensed directors, licensed partners, finance officers, compliance officers, senior managers, money laundering reporting officers or responsible officers/non-executive directors.
An authorised individual must abide by principles set out in the DFSA’s General Module (section 4.4). These include integrity, due skill, care and diligence, market conduct, relations with the DFSA, systems and controls, management and compliance.
Approvals required
Any director, officer, employee or agent of an entity, body, government or state that has been licensed by the DFSA to carry out financial services in the DIFC (authorised firm), and who performs functions that require a licence pursuant to the DIFC Laws amendment no.1 (authorised individual) should be registered with the DFSA.
An authorised firm must investigate the individual’s fitness and propriety to carry out a ‘licensed function’, as set out in the DFSA rules and guidelines. The individual must satisfy the requirement that they are the ‘fit and proper’ person to carry out the role. The DFSA must be satisfied that the functions of each authorised individual’s role will be conducted in a sound and prudent manner. Once the authorised firm and DFSA are satisfied, an application form for authorised individual status must be completed and submitted through the DFSA.
The DFSA regulates banks and financial institutions (and their staff) registered in the DIFC. The regime is applicable to all those regulated by the DFSA.
Territorial limitations
There is no explicit territorial limitation imposed for contravention. The regulator may bring proceedings against individuals who are based in another jurisdiction for conduct in the UAE.
Other points of interest
Data protection
There is no explicit data protection responsibility for senior management. The ADGM has a data protection law that prescribes general implications on licensed firms.
Whistleblowing
The FSRA does not have specific rules and/or regulations related to whistleblowing protection.
Criminal, civil and/or regulatory liabilities
If the FSRA considers that an approved person has breached any FSRA law or rules, it may suspend the approved person for a period it considers appropriate (Financial Services and Markets Regulations, 2015).
Criminal liability is not explicitly imposed by the FSRA. In circumstances where the contravention of FSRA legislation or rules is of a more serious nature, the FSRA may seek to impose a fine by commencing proceedings before the ADGM court (civil proceedings).
There are no explicit provisions that define whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the regulator.
Employment implications
Remuneration
There are no explicit provisions regarding how the remuneration of senior management will be affected if they breach the rules. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution taking actions affecting their remuneration.
Employee conduct rules
The FSRA General Rule Book expands on the conduct rules of approved persons. These include the requirement to act with due care and responsibility. Financial institutions must ensure the appropriate allocation of management responsibilities and are required to ensure that effective systems and controls are implemented. Furthermore, guidance on complaints handling, including acknowledgement and resolution of complaints, must be established.
Approvals required
The FSRA requires that any director or executive officer of an authorised firm is assessed and approved by the regulator. Once approved, such individuals are known as ‘approved persons’. The authorised firms are accountable for recognising and approving customer facing staff and those who perform ‘recognised functions’. This includes senior managers, compliance officers and money laundering reporting officers.
The FSRA regulates the activities of banks and financial institutions (and their staff) registered in the ADGM. The regime applies to all those regulated by the FSRA.
Global Co-Head of
Financial Services Sector
M: +97 1523 859 126
E: Umera.Ali@dwf.law
Umera Ali
Key contacts
Territorial limitations
The QFC legislation is applicable to banks and financial institutions registered with the QFCRA and their employees.
Other points of interest
There are no specific provisions assigning responsibility for whistleblowing or data protection to particular senior individuals.
Criminal, civil and/or regulatory liabilities
Where the QFCRA considers that a person has contravened a provision of any QFC legislation or rules, it may restrict a person from performing any function in connection with the provision of financial services in, or from, the QFC. A person may be suspended as the authority sees fit and may also have to pay a financial penalty.
Criminal liability is not explicitly imposed by the QFCRA. However, the onshore Penal Code applies to QFC entities and their employees.
There are no explicit provisions that stipulate whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the QFCRA.
Employment implications
Remuneration
The rules and regulations do not explicitly state how the remuneration of a senior person could be affected by misconduct. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution itself taking actions affecting the remuneration of senior management.
Employee conduct rules
The licensed functions of an authorised individual are linked to an authorised firm's management and/or its provision of services. Therefore, the QFCRA requires authorised individuals to meet certain standards in relation to their experience, knowledge and qualifications.
The licensed functions include executive and non-executive governance functions, senior executive function, finance function, senior management function, MLRO function, risk management function, compliance function, internal audit function and actuarial function.
An authorised individual must abide by principles set out in the QFCRA's Individual Rules. These include integrity, due skill, care and diligence, market conduct, relations with the QFCRA, management and compliance.
Approvals required
The QFC legislation provides that any director, officer, employee or agent of an entity or body that has been licensed by the QFCRA to carry out financial services in the QFC (an authorised firm), and who performs functions which require a licence pursuant to the QFC's Banking Business Prudential Rules, Governance and Controlled Functions Rules and Individual Rules (Authorised Individual) should be registered with the QFCRA.
An authorised firm must investigate the individual's fitness and propriety to carry out a licensed function, as set out in the QFC rules and guidelines.
The individual must satisfy the requirement that they are the 'fit and proper' person to carry out the role. The QFCRA must be satisfied that the functions of each authorised individual's role will be conducted in a sound and prudent manner. Once the authorised firm and QFCRA are satisfied, an application form for authorised individual status must be completed and submitted through the QFCRA.
The Qatar Financial Centre Regulatory Authority (QFCRA) regulates banks or financial institutions (and their staff) registered in the QFC.
Territorial limitations
The Central Bank laws and regulations are applicable to banks and financial institutions registered with the Central Bank and/or QFMA and their employees.
Other points of interest
There are no specific provisions assigning responsibility for whistleblowing or data protection to particular senior individuals.
That said, managers and employees of financial institutions, as well as experts, consultants and technicians assigned to perform functions for the relevant entity, are prohibited from disclosing any information or data on their customers, their accounts or deposits or transactions, unless such disclosure is legally authorised.
Criminal, civil and/or regulatory liabilities
The Central Bank and/or QFMA may suspend, withdraw, or revoke the authorisation issued to an individual undertaking a senior management and/or a regulated function via an official notice. This may occur in several circumstances including:
1. if the relevant individual ceased to meet, or breached one or more of the relevant regulator's criteria;
2. if the relevant individual violated any of Qatar's established laws and regulations or the regulations, rules, standards, or guidelines issued by the relevant regulator;
3. if the relevant individual was declared bankrupt; and
4. if the relevant individual refused to cooperate with the representatives of the Central Bank and/or QFMA, or failed to submit required information or records.
Criminal liability under the Penal Code for illegal actions, such as fraud, applies to all employees whether they hold senior management positions or not.
The rules and regulations do not stipulate whether senior management may be indemnified by insurers, or their employers, for any fines imposed by the relevant regulator.
Employment implications
Remuneration
There is currently no legislation that allows the Central Bank and/or QFMA to target the remuneration of a senior manager for misconduct. However, a financial institution can have its own internal disciplinary hearings relating to the conduct of senior management, which may result in the institution itself taking actions affecting the remuneration of senior management.
Disciplinaries
If an employer takes disciplinary action against an employee then it must inform the relevant regulator.
Employee conduct rules
There is no separate set of conduct rules within the Central Bank's laws and regulations. However, any individual licensed to undertake a regulated function may have his or her licence revoked or suspended if they no longer meet the criteria of the Central Bank and/or QFMA. The Central Bank and/or QFMA (as the case may be) determines whether a relevant person is 'fit and proper' to perform a particular role and considers, for example, the integrity, experience and financial soundness of the individual in question.
Approvals required
The Central Bank may reject the appointment, nomination or continuity of any member of the Board of Directors of a financial institution (under Qatar Law No. 13 of 2012 (the Banking Law)). The Central Bank may also reject the appointment or renewal of a term of any of the senior employees or their authorised representatives.
The Banking Law does not define senior management. However, it does contain directions to the relevant institution regarding senior management, such as the required level of experience for individuals.
In addition to the Banking Law, the Qatar Financial Markets Authority's (QFMA) Financial Services Book governs the approval of senior management and regulated function appointments. A financial institution must submit an application to the Central Bank and/or QFMA if it wants a particular individual to undertake a senior management and/or regulated function. Applications may be rejected if the Central Bank and/or QFMA determines that the individual for whom the application is being made is not fit for the relevant work.
Regime applicable to banks and other financial institutions in Qatar, with the exception of institutions incorporated in and licensed by the QFC.
There are two key legal regimes in the State of Qatar:
• the Qatari laws and regulations including those of the Central Bank of Qatar; and
• the laws and regulations of the Qatar Financial Centre Regulatory Authority, which is the financial regulator for the Qatar Financial Centre (QFC), (collectively the Qatar Regimes).
Both of these jurisdictions have their own laws and regulations. There is no single set of laws or regulations in either of the Qatar Regimes that is similar to the Senior Managers and Certification Regime (SMCR) in the UK. However, each jurisdiction has regulations that are designed to ensure individual accountability and high standards of conduct in financial institutions in a similar way to the SMCR.
Qatar
Onshore
QFC
Territorial limitations
The laws, rules and regulations of the CMA are applicable to all licensed financial institutions and their employees. Furthermore, a Registered Person is subject to the jurisdiction of the CMA in respect of any act or omission that occurred before the cancellation of their registration and for a period of two years thereafter.
Other points of interest
Data protection
There is no specific CMA legislation covering data protection with particular regard to senior management. However, there is a general duty on a Capital Market Institution to keep all information relating to its clients confidential. A Capital Market Institution may not disclose any client information except where:
1. the disclosure of client information is based on the CMA's or the Committees for Resolution of Securities Disputes’ request under the Capital Market Law, its Implementing Regulations or the related laws, or based on the General Administration of Financial Investigations’ request in accordance with the provisions of Anti-money Laundering Law and Combating-Terrorism Crimes and its Financing Law and their Implementing Regulations;
2. the client has explicitly consented to the disclosure of information;
3. the disclosure of information is reasonably necessary to perform a particular service for the client; or
4. the information is no longer confidential.
Whistleblowing
There are no specific provisions relating to whistleblowing.
Criminal, civil and/or regulatory liabilities
The Capital Market Law sets out penalties for any person that violates its articles or its rules and regulations. Broadly, there are two types of penalties: general and specific (which relate to explicit violations). If any person has engaged, is engaging, or is about to engage in acts or practices constituting a violation of any provisions of the Capital Market Law or its implementing regulations, then such person may be exposed to (amongst others) the following penalties:
• a warning;
• having to compensate persons who have suffered damages as a result of the person's violation;
• being barred from acting as a broker, portfolio manager or investment adviser for such period of time as is necessary for the safety of the market and the protection of investors;
• a travel ban; and/or
• fines.
Criminal liability arises when a person is found to have violated particular provisions of the Capital Market Law such as those relating to market manipulation and insider trading. In addition to the general penalties, whoever commits market manipulation or insider trading may be imprisoned for a period not exceeding five years.
The resolution of any securities dispute is carried out by the Committee of Resolution of Securities Disputes (as stated in the Capital Market Law) (the CRSD). The CRSD looks into complaints and cases filed against Capital Market Institutions or cases where losses are caused as a result of violations of the Capital Market Law and its regulations, such as market manipulation or insider trading. The CRSD has been very active in issuing penalties for violations. Recent penalties include fining 16 individuals more than SAR 10 million and obliging them to pay the illegal gains they received from committing the violations, totalling more than SAR 135 million. The individuals were found to have committed manipulation and fraud, and created a false and misleading impression regarding the securities of a listed company. The individuals were also barred from trading by purchasing shares of companies listed on the Saudi Stock Exchange for a period of one year (one individual was barred for ten years).
Under the CMIR, a Capital Market Institution must have adequate indemnity insurance relating to risks of professional failures, based on the nature, scale and complexity of its business. There is no further information provided in relation to the precise nature of insurance required; it may therefore be possible to insure senior management against fines and penalties in certain instances. However, serious violations such as those mentioned, or violations relating to money laundering or fraud, cannot be covered by insurance.
Employment implications
Under the CMIR, the CMA has the power to cancel the registration of any Registered Person if such person violates any provision of the Capital Market Law or its rules and regulations.
There is currently no legislation that allows the CMA to target the remuneration of a senior manager. However, there is nothing expressly preventing a Capital Market Institution from taking actions that could affect the remuneration of senior management should the senior management breach the financial institution's code of conduct.
Employee conduct rules
There is no separate set of conduct rules within the CMA's laws and regulations. A Registered Person must also comply with all of the CMA's rules and regulations. As mentioned previously, the CMIR requires a Registered Person to comply with a number of conduct principles. In addition to having integrity, exercising skill, care and diligence and observing proper standards of market conduct, a Registered Person must also:
• communicate with clients in a clear and fair manner which is not misleading;
• pay due regard to a client’s interests, and treat all clients fairly; and
• resolve any conflicts of interest fairly, both between the Capital Market Institution and its clients and between one client and another.
The CMIR requires that any Capital Market Institution must have a number of documents and policies in place before it can be licensed and commence business in the KSA, including a code of conduct. There are no details provided in either the CMIR or other implementing regulations of the CMA as to the content of the manual.
Approvals required
The Capital Market Institutions Regulations dated 28/06/2005 (as amended from time to time) (the CMIR), clearly state that a "registrable function" can only be performed by a person who has received the prior written consent of the CMA before carrying out any duties (the Registered Person). Registrable functions include the following:
• the CEO or Managing Director of the board of directors;
• the CFO;
• the Compliance Officer; and
• the Money Laundering and Terrorism Financing Reporting Officer.
Before appointing a Registered Person, a financial institution must apply to the CMA and receive written consent from the CMA for each Registered Person it wishes to appoint. A Registered Person must undertake the qualification examinations required by the CMA, or secure an exemption. The CMA may reject the appointment of any Registered Person.
A Registered Person must be a resident in the KSA (unless the CMA provides an exemption) and must comply with a number of principles (as laid out in the CMIR) including, but not limited to:
• having integrity, and conducting their duties with integrity;
• exercising skill, care and diligence when conducting business for clients and the Capital Market Institution; and
• observing proper standards of market conduct.
The CMA licenses, supervises and monitors financial institutions practicing any securities business (the Capital Market Institution) and has issued various rules and regulations that regulate activities of the companies licensed by it. The employees of such companies are regulated by the CMA and must comply with the Capital Market Law and all of its rules and regulations.
Territorial limitations
The laws, rules and regulations of the SCB are applicable to all financial institutions licensed by the SCB and their employees.
Other points of interest
Data protection
Although there is no specific data protection law in the KSA, information relating to customers cannot be disclosed (and must be kept confidential) unless the disclosure is legally authorised.
In accordance with the Code, employees of financial institutions may not disclose any information or data relating to their customers to other employees, the supervisory and control authorities, or external lawyers and/or advisors, except after obtaining the required approvals. In such cases, there must be a legitimate need to disclose the confidential information and the disclosure must not cause damage.
Whistleblowing
In August 2019, the SCB issued a Whistle Blowing Policy for financial institutions (the WBP). The WBP provides the minimum controls to be adhered to by financial institutions when receiving and processing violation reports.
Each financial institution is expected to prepare a whistleblowing policy that should (amongst other things):
1. encourage its employees and stakeholders to report any violation committed inside or outside the financial institution;
2. provide information on all channels for whistleblowing (including at minimum a direct telephone number, website, postal service, and e-mail address); and
3. protect whistleblowers against retaliation.
Financial institutions are also required to establish an independent administrative unit to receive and process violation reports and to report to the compliance department.
Criminal, civil and/or regulatory liabilities
Neither the Code, nor the Requirements, specify any criminal liabilities of senior management. However, violation of certain laws such as the Banking Control Law and the Anti-money Laundering Law can expose an officer of a financial institution not only to fines and removal from their post, but also to imprisonment.
Recently authorities in the KSA arrested 32 individuals on charges involving bribery and transferring cash sums outside the KSA amounting to SAR 11.6 billion. The authorities initiated criminal cases against bank employees who received bribes from an "organised gang", which consisted of a group of residents and businessmen, in exchange for depositing cash sums of unknown sources then transferring them outside the KSA.
Of the 32 individuals, 12 bank employees were arrested for their involvement in bribery, forgery, and exploiting the power of their position for illicit financial gain, commercial concealment, and money laundering.
The SCB's rules and regulations do not expressly state that senior management may or may not be indemnified for any fines or penalties imposed by it.
Employment implications
The SCB may cancel the non-objection granted to a financial institution on the appointment or re-appointment (as the case may be) of a Senior Position Holder. This is likely to occur if the SCB discovers:
1. that a Senior Position Holder has not cooperated in carrying out or neglected or omitted to carry out their duties;
2. any concealment, misrepresentation or misreporting of information as required under the Requirements; or
3. any violation or circumvention of the Requirements or any other instructions issued by the SCB (without prejudice to any statutory penalties that may apply towards the financial institution and the Senior Position Holder).
There is currently no legislation that allows the SCB to target the remuneration of a senior manager. However, the onus of monitoring and controlling any violations of the Code lies with a financial institution, which has to impose penalties for any violations of the Code by employees. Therefore, there is nothing expressly preventing a financial institution from taking action that could affect the remuneration of senior management in the event of a breach of the financial institution's code of conduct.
Employee conduct rules
In August 2019, the SCB issued a Code of Conduct and Work Ethics (the Code) which lays out the minimum ethical conduct to be followed by all employees of financial institutions.
The Code covers a wide variety of topics ranging from AML, anti-bribery and conflicts of interest to confidentiality and disclosure mechanisms, and compliance with laws, regulations and instructions.
Approvals required
In September 2019, the SCB issued requirements for senior positions within the financial institutions that it regulates (the Requirements).
People in senior positions have been broadly defined in the Requirements as those who "take, propose and implement strategic decisions" and manage a financial institution’s business processes (Senior Position Holders). Before appointing a Senior Position Holder, a financial institution must apply to the SCB and receive a written non-objection from the SCB for each Senior Position Holder it wishes to appoint (or re-appoint in the case of some persons). The SCB may, in its absolute discretion, reject the appointment, or continuity of any Senior Position Holder of a financial institution. The Requirements provide a list of Senior Position Holders, which differs depending on the type of financial institution. However, there are a number of common Senior Position Holders across all financial institutions including, but not limited to, the board of directors, the CEO, the Chief Compliance Officer, the Chief Risk Officer, and the Director of Internal Audit.
Furthermore, financial institutions must adopt policies and procedures to assess the fitness and propriety of Senior Position Holders. As a minimum, the fit and proper criteria include:
• honesty, integrity, good reputation and fairness;
• competence and capability (including academic qualifications, technical and financial experience) to perform the role; and
• the necessary independence to perform the role.
The SCB is responsible for licensing, supervising and monitoring all banks, insurance and reinsurance companies, money exchanges, companies practicing financial leasing, credit bureau companies and payment and fintech companies in the KSA.
There are two key legal regimes in the Kingdom of Saudi Arabia (the KSA):
• the laws and regulations of the Saudi Central Bank (SCB); and
• the laws and regulations of the Saudi Capital Markets Authority (the CMA), which is the financial regulator for the capital markets in the KSA (collectively the KSA regimes).
Both of the KSA regimes have their own laws and regulations. There is no specific set of laws or regulations in either of the KSA regimes that is similar to the Senior Managers and Certification Regime (SMCR) in the UK. However, each KSA regime has regulations that are designed to ensure individual accountability and high standards of conduct in financial institutions in a similar way to the SMCR.
Saudi Arabia
SCB
CMA