Why tax risk requirements and the Senior Managers and Certification Regime overlap

The tax Senior Accounting Officer (SAO) regime has strong parallels with the Senior Managers and Certification Regime (SM&CR) in place since 2016, and covering almost all regulated financial services firms since 2019.

It is designed to make individuals within organisations accountable to the regulator for their individual conduct and competence. The SAO is similar to a Senior Management Function (SMF) under this regime, where senior individuals must be approved as fit and proper before appointment and must have a Statement of Responsibilities defined and shared with regulators.  A mandatory set of prescribed responsibilities must be allocated by firms across their senior managers. The more material firms have to maintain a summary document which summarises the names of each senior manager (SM) and their responsibilities, the allocation of prescribed responsibilities among SMs, and the firm’s governance arrangements – a so-called management responsibilities map.

Below are key lessons which can be applied to large organisations from a tax’s perspective.

Defining a risk strategy

The requirement for a tax strategy has parallels to the risk strategies that financial services firms develop for approval by their boards, and the risk appetites that link to these risk strategies. Defining a risk strategy is crucial in many organisations, it helps them to communicate the level of risk that is acceptable and unacceptable to the business. So, the business has guidance enabling it to knowingly manage risk in line with the board’s requirements. In many organisations, this is now a valuable tool helping to both control inappropriate and empower appropriate risk-taking.

Accountability for tax risk being in line with risk appetite

Once an individual is given clear accountability across a significant area, it is important to take reasonable steps to ensure the accountabilities are met. This will include clearly outlining how individuals and processes across the organisation come together to enable that accountability to be met. This requires a clear view on how relevant processes are delivered, their risks and their level of resilience to stresses and disruption. Mapping and documenting how the resources of the organisation enable this activity to be undertaken is an important first step. Done well, it can help an organisation and the relevant accountable person to be confident that the level of tax risk is in line with its risk appetite and tolerance for disruption.

The consequences of lack of accountability

In April 2023 we saw the first enforcement action under the SM&CR against a senior manager. TSB Bank’s (TSB) former Chief Information Officer (CIO) was fined for a breach of SM&CR, in connection with TSB’s failed 2018 IT migration. The CIO was expected to act reasonably in carrying out their role with the identification and mitigation of risks from an IT perspective, including risks associated with TSB’s outsourcing arrangements, but was deemed to have failed to do so. This illustrates what can go wrong if regulators feel that accountable individuals fail to take what they see as “reasonable steps” in the identification and mitigation of risk and to comply with regulatory requirements.

How we can help

Crowe’s Risk Consulting team is experienced in reviewing and enhancing the effectiveness and efficiency of risk and governance arrangements in financial services organisations. We ensure:

• accountability – ensuring clarity on who the boards look to when things go wrong, and how individual responsibilities enable accountable individuals to discharge responsibilities
• appetite – clarity on how much risk organisations are prepared to accept
• controls – the right level of control to ensure your organisation stays on track with its ambitions
• assurance and testing – building confidence and knowledge in your approaches.

If you require assistance in this area or want further information as to how we can help you, please contact Justin Elks.