In the next step in its drive to boost diversity and inclusion (D&I) in regulated firms, the Financial Conduct Authority (FCA) published Consultation Paper 23/20 at the end of September setting out its proposals on a new regulatory framework in respect of D&I in the financial sector (FCA CP). At the same time, the Prudential Regulation Authority (PRA) published its own proposals (PRA CP18/23) for PRA-regulated firms (together, the Consultations).
The FCA and PRA are making these proposals on the basis that greater diversity and more inclusion can improve outcomes for consumers and markets, support prudent decision-making and lead to better risk management by reducing groupthink. Reducing groupthink is relevant to overall governance and leadership, but the FCA also links this to individual product design and the focus on consumer outcomes and higher standards under the Consumer Duty.
The Consultations build on feedback received on the discussion paper (DP) jointly published by the FCA, PRA and the Bank of England in July 2021 (see our blog post here on the policy options that were considered). The regulators billed the responses received to the DP as largely positive, with most respondents endorsing regulatory action in this area. The Consultations also cover the regulators’ positions on non-financial misconduct (NFM) which, while providing a degree of clarity, do not fully resolve uncertainty in this difficult area. Whilst in some cases there is an obvious answer, there are likely to be plenty of others where firms need to make fine judgement calls.
The Consultations are open for response until 18 December 2023, and the regulators propose to bring the final rules into force 12 months from publication of the subsequent policy statement(s), which are on the agenda for 2024.
D&I strategies and reporting
The FCA’s proposed requirements are set out in a new Chapter 29 in the Senior Manager Arrangement, Systems and Controls Sourcebook (SYSC 29). The proposals apply (on a solo entity basis) to firms which are not limited scope Senior Manager and Certification Regime (SMCR) firms as follows:
- SYSC 29 will apply to firms with Part 4A permission which are at or above the ‘diversity and inclusion employee number’ (a new defined term in the FCA Handbook) of 251 or more employees (for the purposes of SYSC 29, the definition of ‘employee’ excludes individuals who do not predominantly carry out activities from an establishment in the UK);
- SYSC 29 will also apply to dual-regulated firms (regardless of the number of employees) which are subject to either the Capital Requirements Regulation (CRR) sector or the Solvency II sector of the PRA Rulebook; and
- notwithstanding the ‘diversity and inclusion employee number’ threshold, firms would be required to provide to the FCA the average number of employees by completing Part 1 of the new D&I report in the FCA’s RegData system.
For overseas firms, the requirements apply in relation to activities carried on from an establishment in the UK.
SYSC 29 will require larger firms to:
- set out a D&I strategy which is ‘easily accessible and free to obtain’ and includes clear objectives and an action plan; firms’ management bodies will be responsible for overseeing their strategies (SYSC 29.2);
- set targets to address under-representation in relation to each of the management body, senior leadership, and whole employee body and disclose the rationale for its targets; firms’ management bodies will again be responsible for overseeing their targets (SYSC 29.3);
- report to the FCA their D&I data – a new template form is included alongside the FCA CP (SYSC 29.4);
- make mandatory D&I data disclosures to be published in a manner that is ‘easily accessible and free to obtain’ and highlight significant changes to previous disclosures (SYSC 29.5); and
- consider D&I as a non-financial risk and ensure that relevant functions, such as internal audit and control functions, treat it accordingly (SYSC 29.6).
The PRA’s proposals apply to PRA-authorised banks and insurance firms, building societies, PRA-designated UK investment firms, and their qualifying parent undertakings (which are UK-headquartered financial holding companies and mixed financial holding companies). As with the FCA’s approach, the regulatory reporting and disclosure requirements apply only to firms subject to the CRR sector or Solvency II sector of the PRA Rulebook. The requirements then largely mirror those which the FCA is setting out, although the PRA proposes that D&I be allocated to the relevant senior manager functions, with this reflected in statements of responsibility and in accountability measures.
SYSC 29 and the proposed requirements on larger firms, particularly in respect of the collection, reporting and disclosure of data, are significant. Larger firms will be required to collect, report and disclose certain data about: age; sex or gender; disability or long-term health condition; ethnicity; religion; and sexual orientation. They may also on a voluntary basis report and disclose data on gender identity, socio-economic background, parental and/or carer responsibilities (and the FCA notes that it may consider moving to mandatory reporting on these characteristics at a later date).
In addition, there are disclosures and reporting requirements on culture and inclusion wherein the FCA specifies the questions to be asked of employees (see SYSC 29.5.19R). These are:
- I feel safe to speak up if I observe inappropriate behaviour or misconduct;
- I feel safe to express disagreement with, or challenge, the dominant opinion or decision without fear of negative consequences;
- I feel as though my contributions are valued and meaningfully considered;
- I have been subject to treatment (for example, actions or remarks) that has made me feel insulted or badly treated because of my personal characteristics;
- I feel safe to admit an honest mistake; and
- My manager cultivates an inclusive environment at work.
This data is to be disclosed and reported on an annual basis, with an explanation of the reasons for any gaps and how they will be closed.
The proposals in respect of reporting and disclosure of D&I will not be surprising to firms. The FCA has made clear that it wants to mainstream D&I into all of its regulatory processes, and in order to achieve this, the regulators need to build up a clear and consistent understanding of the current position across regulated firms. However, the amount of data proposed to be reported and disclosed is likely to represent a considerable administrative task for many firms. Some of the categories of data referred to may not be currently collected or monitored by certain firms and it is likely that the implementation of the necessary processes will require significant upfront investment from firms.
It is fair to comment that in addition to the administrative exercise, the reporting proposals will require a significant internal communication exercise which reassures employees/potential employees (and any representative organisations, including unions) about the collection and processing of sensitive personal data. Employees/potential employees are, of course, under no obligation to provide all the information which the FCA is asking firms to collect.
Firms should note that the rules will require the aggregation of some data where there is risk of the disclosure of information about an individual (because there are few individuals represented in the data set concerned, e.g. senior leadership or members of the management body).
As in other cost versus benefit analyses, the FCA appears to have under-estimated the likely costs for firms in meeting this proposed obligation. Notwithstanding this, given the emphasis placed on reporting and disclosure in the FCA CP, these proposals are likely here to stay, and firms should analyse their policies and processes now against the proposals and feed back to the regulators any specific challenges foreseen at this stage.
Measures not being adopted (for now…)
For those who have been following the journey of D&I within the financial services sector closely, the proposals that have been taken forward in the Consultations might seem less ambitious than anticipated. The FCA has repeatedly noted that the rate of meaningful change within firms has been too slow, and that faster and more measurable progress in D&I is needed. With that in mind, it is interesting that the FCA is not taking forward a number of policy options that were discussed as part of the DP, in particular, those falling within a category of measures seeking to address the ‘tone from the top’. Further detail on the policy options originally considered can be found in our blog post here, but in summary, the proposals that the FCA has benched for now include:
- proposals on individual accountability, Senior Manager Function (SMF) approval, board recruitment, succession planning and talent pipelines;
- mandatory D&I training – although firms continue to be required to provide suitable training as required in the FCA Code of Conduct Sourcebook (COCON 2.3);
- additional rules and guidance on integrating D&I into firms’ products and services; and
- linking remuneration to non-financial metrics such as D&I as a way of driving accountability and incentivising progress.
As addressed in more detail in our earlier blog, the DP considered whether, where the regulators have concerns that a proposed appointment would worsen or not address risks arising from a lack of diversity and groupthink, this could provide grounds for withholding SMF approval. However, this proposal apparently received a significantly negative response, with concerns being raised over the potential for tokenism and ‘positive discrimination’. Feedback to the DP also made the point that current levels of underrepresentation at senior levels could make it difficult to find suitably qualified and experienced candidates from diverse backgrounds, and many respondents have been clear that the final decision over appointments should remain with the firms themselves. In light of the strength of the feedback received, and in particular, the emphasis on this final point, that firms need to retain responsibility for the final decision on their SMF appointments, we are hopeful that the regulators have accepted that this is not a viable policy option.
However, none of the above should be taken to indicate a change of direction generally. The regulators have made clear that some proposals, for example, the amendments to the remuneration rules, may be introduced at a later date. The tone from the top remains a key focus for the FCA, not least because most respondents to the DP apparently agreed that it was essential in tackling D&I related issues.
The FCA is planning to embed NFM in its Handbook as follows:
- The Code of Conduct (COCON): The scope of COCON is to be expanded to make clear that it covers ‘serious instances of bullying, harassment and similar behaviour towards fellow employees…’. Additional guidance explains the types of behaviour which the FCA expects will indicate a breach of COCON, and what conduct is not in scope because it relates to an employee’s personal or private life.
- Fit and Proper Test for Employees and Senior Personnel (FIT): The FCA explains that bullying and similar misconduct within the workplace is relevant to assessing fitness and propriety, and that similarly serious behaviour in a person’s private or personal life is also relevant. The regulator gives examples of NFM, such as sexual or racially motivated offences. The FCA also clarifies that conduct that could damage public confidence is likely to mean that the person is not fit and proper.
- Threshold Conditions (COND): The guidance on the suitability threshold condition contained will be extended to include, for example, offences relating to a person or group’s demographic characteristics (e.g. sexual or racially motivated offences) and tribunal or court findings that the firm, or someone connected with the firm, has engaged in discriminatory practices.
A detailed definition of NFM is proposed to be incorporated into COCON, with the current drafting referring to conduct in relation to an individual (B) either employed by or providing services to or performing an activity for an in-scope firm that:
(a) has the purpose or effect of (i) violating B’s dignity; or (ii) creating an intimidating, hostile, degrading, humiliating or offensive environment for B; (b) is offensive, intimidating or violent to B; (c) is unreasonable and oppressive to B; or humiliates, degrades or injures B.
NFM: Any more clarity?
Financial services firms have been looking to the regulators for clarity in respect of NFM for some time now. The cases which have gone through Enforcement have involved criminal convictions in relation to behaviour which is, by any standard, unacceptable. However, this did not provide assistance in the vast majority of practical examples of behaviour that firms will be faced with when making conduct assessments.
In that context, the clarifications and guidance which are proposed to be added to the FCA Handbook to make clear that serious instances of bullying and harassment are within scope of the conduct rules are to be welcomed, even if this clarification is overdue. They come a full year after the SRA, for example, published its equivalent (and more detailed) guidance in relation to sexual misconduct in the legal profession.
However, given the high-profile, publicly stated view that ‘non-financial misconduct is misconduct, plain and simple’, it is interesting that it is subject to a threshold of being ‘serious’ in the conduct rules, which does not apply to other types of misconduct.
Further, the ‘simplicity’ of the assessment is complicated by the fact that COCON explicitly does not cover matters which arise in a person’s private or personal life, whereas the assessment of fitness and propriety will need to take private matters into account. So, for example, misconduct by an individual towards a colleague at a social event which has been organised privately will be excluded from COCON. However, if the social event is organised by the firm with clients present, then it will be within COCON. But in either scenario, misconduct may still be relevant to a fitness and propriety assessment.
A question on many people’s minds will be whether the NFM guidance proposed for FIT sufficiently mitigates the issues in the FCA’s case highlighted by the Upper Tribunal in Frensham v The Financial Conduct Authority UKUT 0222 (TCC). While the Upper Tribunal upheld the FCA’s prohibition in that case, the Upper Tribunal was clear that the FCA had failed to sufficiently link Frensham’s conviction for a non-financial offence in 2016 to the consumer protection and integrity objectives.
The proposed amendments to FIT seek to bridge the gaps identified in Frensham. They make clear that a fitness and propriety assessment may consider misconduct that takes place outside of work, and list the reasons that misconduct outside of the regulatory system may be potentially relevant. However, one could question whether the approach to the issue of linking NFM to the FCA’s objectives goes much further than just asserting that the link exists, which was the approach criticised by the Upper Tribunal in Frensham. If anything, the FCA doubles down on this, with the inclusion of the provision in guidance that conduct which is inconsistent with the FCA’s statutory objectives is likely to show that the person concerned is not fit and proper, even if that misconduct does not have such great effects that it measurably prejudices the FCA’s statutory objectives by itself. It also states that misconduct in a person’s private or personal life may be relevant to their fitness or propriety, even in circumstances where there is little or no risk of misconduct being repeated in work, with the justification that behaviour which is disgraceful or morally reprehensible or otherwise sufficiently serious may damage public confidence in the financial system and financial services industry in the UK.
There are still only a limited number of examples given of the specific types of misconduct that may mean a person is not fit and proper, i.e. fraud and violence or sexual misconduct in certain circumstances.
While the amendments go some way to providing clarification and guidance, they will not answer every question. Any consideration of NFM by a firm is going to require a large degree of interpretation and judgement – including as to whether misconduct is sufficiently serious for the conduct rules to apply. It will inevitably remain heavily dependent on the facts of the case in question and the evidence available. This is a burden which will fall on firms. Notwithstanding the FCA’s reference to the fact that certain matters may be better investigated by other authorities – for example, the Police – there is no such carve out for firms in assessing behaviour against the conduct rules and fitness and propriety standards. Like the reporting and disclosure proposals, the FCA’s view as to the likely costs for firms here seems likely to be a gross under-estimate.
Achieving a more diverse and inclusive financial services industry is an important part of the ESG priority the FCA has set out in its Business Plan for 2022 to 2025. The Consultations only reiterate the strength of the regulators’ view that greater diversity and inclusion can improve outcomes for consumers and markets by reducing groupthink, supporting healthy work cultures, unlocking diverse talent, and improving understanding of and the provision for diverse consumer needs.
In some ways, the proposals are unsurprising: the FCA has repeatedly made clear that it wants to amalgamate D&I with its business-as-usual regulatory processes, which is exactly what the proposals seek to do. For the time being, the measures are not as wide-ranging as we might have expected following on from the DP. However, it is likely that this is just one step in the journey for both the industry and the regulators themselves.
As firms commence reporting to the regulator and making disclosures on their progress in advancing D&I, D&I will remain front of mind both for the regulators and their overseers in government and the Treasury Select Committee.
Firms will similarly need to show that D&I is a priority and continue to grapple with the difficult judgements that arise in practice in this area.