PRA and FCA proposals on diversity & inclusion and non-financial misconduct seek to drive change in the UK financial sector
On 25 September, the PRA and FCA each published their highly anticipated consultation papers (CP 18/23 and 23/20 respectively) on diversity and inclusion (D&I) in financial services, highlighting the continued regulatory concern in this area. Originally anticipated in September 2022, these CPs have been delayed a couple of times by the UK regulators, but despite the delay in their publication, their importance cannot be overstated.
The CPs follow the PRA and FCA’s 2021 joint discussion paper (DP 21/2) where they considered the state of D&I in the industry and set out the case for further progress and potential policy intervention (please see our blog post here for more details), and the FCA’s 2022 multi-firm D&I review (here) aimed at getting a better understanding of firms’ D&I approaches. In April 2022, the FCA also published its policy statement on D&I on listed company boards and executive committees, as discussed in this blog post. The focus of the UK regulators on D&I is therefore not new, and is part of the wider focus on ESG in financial services.
The references to non-financial misconduct in the CPs have a shorter history, albeit that the topic of non-financial misconduct has been on the regulators’ radars for some time as part of the broader focus on culture. The inclusion of this topic in the CPs follows some high-profile allegations in the sector, which have led the regulators to strengthen (and state clearly) their expectations around how firms consider non-financial misconduct from a regulatory perspective.
A consistent and coordinated set of proposals to improve D&I in line with regulatory objectives
Despite the discussion paper being joint, the PRA and the FCA have published separate consultation papers in order to address the impact of the specific proposals on their respective rules and guidance. The CPs have, however, been developed in parallel with the combined aim of developing a consistent and coordinated set of proposals to improve D&I initiatives across UK regulated firms. The proposals in the CPs would apply differently to firms depending on their number of employees, categorisation and whether they are dual-regulated. Smaller firms (with fewer than 251 employees) would be exempt from many of the requirements in relation to D&I, but would need to comply with the changes in relation to non-financial misconduct.
While both the PRA and FCA are aligned in their values and overarching aims, the FCA has a different focus, with one of its objectives being to protect consumers. The FCA therefore seeks to build on its other work in this area and deliver better outcomes for consumers, as well as considering the impact of D&I on the financial sector and society more broadly. In doing so, it emphasises the importance of ‘the degree to which firms reflect the societies they serve and how open a culture they create’.
The PRA is aiming to support better firm governance and decision-making through its proposals, with PRA Chief Executive Sam Woods noting that ‘[firms] in which a broad range of perspectives is welcomed and encouraged will manage their risks better, advancing the PRA’s objective of safety and soundness’.
Both the PRA and the FCA emphasise that stronger D&I will also promote competition.
A need for effective D&I strategies
Whilst many firms already have D&I strategies in place, the FCA notes that it has found several shortcomings with existing strategies, including failures to clearly explain their purpose or a lack of specific actions to achieve their stated aims.
Under the new proposals, firms will be required to maintain and make publicly available an effective firm-wide D&I strategy aimed at promoting a diverse and inclusive culture. Both the PRA and FCA proposals provide a high-level framework with certain minimum requirements to bring greater consistency in the approaches taken by firms.
In addition, the regulators propose that firms with a nomination committee must put in place a strategy for promoting D&I on the board, which will replace the current reference to ‘a policy promoting diversity’. The PRA also expects firms to apply board D&I strategies to board sub-committees, where appropriate, and suggests that the board D&I strategy would need to be published on the firm’s website alongside the firm-wide strategy. In addition, the PRA proposes to clarify that when considering succession planning, upcoming appointments should be considered in the context of diversity, which may impact the avenues of recruitment used when seeking candidates for future directorships.
Diversity targets will address underrepresentation identified by the firm
The D&I strategy will be complemented by a proposed obligation for firms to set diversity targets to address underrepresentation in their firms.
Firms above an employee threshold (251 or more) will be required to set diversity targets for the board, senior leadership, and the employee population as a whole, in respect of demographic characteristics identified by the firm.
In order to give firms flexibility to address the areas of greatest underrepresentation relevant to them, the FCA does not mandate the demographic characteristics the targets must cover nor what those targets should be. This is different from the FCA’s approach to listed firms set out in PS 22/3 where disclosure against specific targets for gender and ethnicity is required on a ‘comply or explain’ basis.
The PRA proposals mirror this approach in not being prescriptive about the specific targets firms must set; however, the PRA expects firms to set targets for women and ethnicity at a minimum if the firm identifies underrepresentation in these areas.
Firms will be required to publicly disclose information on their targets and their progress towards meeting them. They may additionally choose to set targets to improve their inclusion metrics on a voluntary basis.
Regulatory reporting and public disclosure requirements
The proposals envisage requirements for large firms (with 251 or more employees) to collect and report to the PRA and the FCA certain D&I data across a wide range of characteristics. Some of these will be mandatory (age, sexual orientation, sex or gender, long term health condition, ethnicity and religion) whilst others will be reported on a voluntary basis (gender identity, parental responsibilities, career responsibilities and socio-economic background).
It is suggested that data can be reported to the FCA and PRA using a single data return, a sample template for which is available on the FCA website.
The data collected will help firms understand which areas to focus on when planning strategy and setting targets, whilst also enabling the regulators to identify areas that could require further supervisory attention and supporting their trend analysis and firm- and sector-wide comparisons. The data will also be used to monitor firms’ progress towards the targets they have set for themselves.
To increase transparency and facilitate comparisons between firms, the FCA and PRA are also proposing a requirement for large firms to publicly disclose D&I data on an annual basis.
Risk and governance – managing the risk of poor D&I
The FCA proposes to introduce new guidance for large firms to clarify that D&I matters should be considered a non-financial risk and treated accordingly within firms’ governance frameworks. However, it does not intend to prescribe how firms should consider this risk, but instead allows for flexibility in the implementation of the proposal in a way that works with firms’ internal governance structures, which would include applicable operational and internal audit functions.
The PRA, on the other hand, proposes to clarify that not only internal audit, but also risk management and compliance functions, have a role to play when considering the firm’s risk management and controls framework around D&I. The PRA expects development and review of the D&I strategy to be supported by appropriate risk and control functions, which should play a role in ensuring that risks involved in having poor D&I are managed alongside other business risks.
Tackling non-financial misconduct
The regulators consider that non-financial misconduct, such as bullying and harassment, can pose a risk to healthy firm cultures and increase the risk of groupthink. Conversely, the FCA notes, healthy cultures that are inclusive and psychologically safe will support and allow diversity of thought to flourish. For these reasons, the FCA has proposed new requirements aimed at integrating non-financial misconduct within the workplace and, in some circumstances, similarly serious behaviour in an individual’s personal or private life, into fitness and propriety assessments (for individuals performing a Senior Management Function (SMF) or a certification function), Conduct Rules and the suitability guidance on the Threshold Conditions for firms to carry on regulated activities.
- Fitness and propriety. The FCA proposes that serious non-financial misconduct in work and personal life could be relevant to fitness and propriety assessments, a proposal we expect to be hotly debated during the consultation. The rationale for this is said to be: (i) the risk that if conduct occurred at work it could go to fitness and propriety; (ii) the conduct may show that the individual lacks moral soundness, rectitude and steady adherence to an ethical code, which in turn raises doubts as to whether they will follow the requirements of the regulatory system; or (iii) conduct that is so disgraceful or morally reprehensible or otherwise sufficiently serious could undermine public confidence in the financial sector.
- Conduct Rules. From a Conduct Rules perspective, the FCA makes clear that not every instance of misconduct will amount to a breach – factors to consider when deciding whether there has been a breach include whether the conduct is repeated, the duration of the conduct, and the extent of the impact on the subject. If disciplinary action is deemed appropriate, the FCA will consider all relevant sanctioning powers, including public censure and financial penalty. Breaches of the Conduct Rules may also lead to an individual not being considered fit and proper. Some of the guidance in the CP could raise further questions – for example, the FCA makes clear that misconduct in relation to a member of the workforce at a social occasion organised by their firm would be in scope of the Conduct Rule proposals, but misconduct at a social occasion organised by them in their personal capacity would not. What is unclear is what the FCA’s stance would be if misconduct occurred at a social occasion that takes place after a firm-organised event.
- Threshold Conditions. The FCA proposes to extend the guidance on the Suitability Threshold Conditions to include offences related to a person or group’s demographic characteristics, such as sexual or racially motivated offences, and tribunal or court findings that the firm, or someone connected with the firm (such as a director), has engaged in discriminatory practices. This may lead to an increase in firms seeking to appeal findings made against them in relation to discrimination.
The PRA is also proposing to update its requirements relating to fitness and propriety assessments to clarify that it may consider established patterns of behaviour that would, or would be likely to, affect a firm’s safety and soundness when considering whether an individual meets the PRA’s standards. Examples of such conduct include bullying, discrimination and harassment which would, or would be likely to, have the effect of hindering individuals from speaking up and providing effective challenge.
Individual accountability for senior managers
The PRA is proposing clearer senior manager responsibilities for D&I. For firms in scope of the Prescribed Responsibilities (PRs) for culture, the PRA proposes to clarify that these PRs should include responsibility for the development and implementation of D&I strategies. While responsible SMFs would play leading roles according to their PRs, and be ultimately accountable, business areas across the organisation would be expected to contribute to firm culture and the implementation of D&I strategies. For firms that are not in scope of culture PRs, the PRA proposes that at least one SMF should have responsibility for the implementation of the firm’s D&I strategy. The PRA also seeks to make clear that SMFs should understand, and be able to discuss with the PRA, the reasons for the firm’s targets and, if they are not going to be met, the reasons why, but they would not be held to account for a failure to meet targets.
The FCA, on the other hand, has decided not to require an individual within each firm to be assigned responsibility for D&I. Whilst overall responsibility for culture or D&I would not need to be allocated to a specific SMF under FCA rules, the FCA noted that firms may find it helpful to do so to focus attention on D&I.
Monitoring and record-keeping
The PRA and FCA proposals will be complemented by various requirements for firms, and their management bodies, to monitor the implementation of targets and strategies and the progress towards achieving them.
Firms will need to keep orderly records to enable them to demonstrate compliance with the new D&I requirements.
What is the impact of these proposals for UK regulated firms?
The regulators’ proposals will require D&I to be treated by a firm as a risk issue. D&I has been at the forefront of many companies’ minds for many years and we expect these proposals to only increase its importance.
The proposals are intended to be flexible and proportionate, allowing firms operating in the UK to tailor an approach to D&I that suits their own D&I profile and governance structures within an overall framework prescribed by the regulators. Clearly flexibility is needed here, but the flip side of this is that it will take some time for the market to figure out best practice and how firms can meet the regulators’ new expectations.
On non-financial misconduct, the proposals seem slightly less flexible – the FCA and PRA have set down a further clear marker that they consider non-financial misconduct, such as sexual harassment, as misconduct for regulatory purposes and that such conduct, even where it occurs outside of the workplace, could go to a person’s fitness and propriety assessment. That is a significant, albeit not surprising, confirmation of the regulators’ approach. We expect that there might be a range of views on the stance that conduct outside the workplace should go to a fit and proper assessment – it may be that appropriate guardrails will be put in place around this in the final rules, but it continues a trend we have seen elsewhere of conduct outside of work potentially feeding into an employer’s decision-making processes, and it is likely to be hotly debated.
Apart from (i) for the FCA, non-financial misconduct and the application of Threshold Conditions, and (ii) for the PRA, the fitness and propriety proposals, we note that the FCA and PRA proposals apply only to employees that carry out their activities predominantly from an establishment in the UK. For third country firms, the proposals apply only to activities carried out from an establishment in the UK. Nevertheless, for groups with an international footprint, the new requirements will add complexity with respect to the implementation of, and compliance with, differing requirements in different jurisdictions.
Most of the new rules and expectations will come into effect one year after publication of the final policy statements to enable firms time to improve existing policies and develop and implement new processes where required. However, the proposals are likely to create some challenges for firms in collecting the relevant data and building systems and developing processes for their D&I strategies and targets, as well as the related systems and procedures for, among other things, data collection, regulatory reporting, public disclosures and record-keeping. Firms will be well advised to consider the impact of these proposals, and likely implementation challenges (including their potential conflict with other legal obligations such as data privacy), at an early stage.
Ultimately, it is hoped that firms will embrace the benefits that greater diversity and inclusion can bring, including improved decision-making and risk management, increased competitiveness, and better customer outcomes.
Conclusion
Both consultations are open until 18 December 2023 and the feedback will be used to develop final rules planned for publication in 2024. It therefore remains to be seen exactly what the final rules will look like.
What is clear, however, is that UK regulators are now keenly focused on D&I and non-financial conduct, and believe that greater levels of D&I and stronger expectations around non-financial conduct can improve outcomes for markets and consumers. This is not a one-step mechanism but a multi-layered approach to driving change across the industry from the smallest to the largest of firms.