Moving the dial in financial services

Application – All authorised firms with a Part 4A permission under the FSMA and where relevant threshold conditions and existing chapters of the FCA apply.

Non-financial misconduct will be explicitly included within:

1. the Conduct Rules – currently, the scope of the Code of Conduct chapter within the FCA Handbook (COCON^[6]) is restricted (except in the case of banks) to regulated activities, other SMCR financial activities and certain kinds of misconduct that could have serious effects. The FCA is proposing to extend the scope of COCON to make clear that it covers serious instances of bullying, harassment and similar behaviour towards fellow employees and employees of group companies and contractors. To that end, the FCA is proposing to add guidance on:
   • the types of behaviour that would fall within the expanded scope of COCON and that may breach the Conduct Rules; and
   • what conduct is out of scope because it relates to an employee's personal or private life.
2. Fit and Proper assessments – currently, firms must be satisfied, on an ongoing basis, that individuals performing a Senior Management Function (SMF) or a Certification function are 'fit and proper' to carry out their role. The Fit and Proper Test within the FCA Handbook (FIT^[7]) provides guidance on how firms should assess honesty, integrity and reputation, and outlines how misconduct both within and outside the workplace can be relevant for FIT. The FCA proposes to add guidance that bullying and similar misconduct in the workplace is relevant to fitness and propriety, and that similarly serious behaviour in a person's personal or private life is also relevant. Examples of non-financial misconduct will include sexual or racially motivated offences. The FCA is intending to draw a direct link between one of FIT's purposes, of maintaining confidence in the financial system in the UK, with serious non-financial misconduct – whether inside or outside the workplace. The proposed changes clarify that conduct that could damage public confidence in the financial system is likely to mean that the person is not fit and proper. This is likely in response to the Upper Tribunal's judgment in the case of Jon Frensham v FCA, which found that there needed to be a link between an individual's criminal behaviour and their professional work, with a distinction being drawn between an individual's personal and professional integrity. Mr Frensham had been convicted of attempting to meet a child following sexual grooming. Although the Upper Tribunal upheld the FCA's decision to issue a Prohibition Order against Mr Frensham, this was on the basis that Mr Frensham was already on bail for another suspected offence when he committed this offence, and his failure to notify the FCA in accordance with his notification obligations to the FCA; and
3. Suitability guidance in the Threshold Conditions – the FCA is proposing to extend guidance on the Suitability Threshold Conditions in COND^[8], including, for example, offences relating to a person or group's demographic characteristics (such as sexual or racially motivated offences) and tribunal or court findings that a firm, or someone connected with the firm (e.g. a director) has engaged in discriminatory practices.

Guidance on how non-financial misconduct should be incorporated into regulatory references will also be added.

Application - All FSMA firms with a Part 4A permission, excluding all Limited Scope SMCR firms.

Firms will be required to report their average number of employees using the RegData platform.

Application – All FSMA firms with a Part 4A permission, with 251 or more employees, excluding all Limited Scope SMCR firms.

The proposals introduce requirements for large firms to:

1. annually collect and report to the FCA and PRA in numerical figures, data across a range of demographic characteristics, inclusion metrics and targets via a regulatory return;
2. during the first year the requirements are in place, report such data as is reasonably practicable and explain the reasons for any gaps and how they will be closed; and
3. report data to the FCA and PRA using a single data return (referred to as REPxxx Diversity and Inclusion for indicative purposes at this stage) on the RegData platform.

The FCA proposes to produce a regular aggregated disclosure report based on the data that firms report to them, which would enable firms and their stakeholders to see how their progress compares to that of peers' and help drive progress.

The data will be integrated into the framework the FCA uses to understand culture in firms, which will help them to identify areas that could require further supervision. This will also aid the FCA's understanding of patterns and identify drivers of progress, as well as areas that may need further intervention.

The Regulators recognise the challenges firms face in collecting good quality data and, therefore, the FCA and PRA propose the introduction of a joint regulatory return covering the following metrics:

1. Mandatory demographic characteristics:
   1. age;
   2. sex or gender (firms are required to report on either sex or gender. Firms may choose to report on both sex and gender on a voluntary basis);
   3. disability or long-term health condition(s);
   4. ethnicity;
   5. religion; and
   6. sexual orientation.
2. Voluntary demographic characteristics:
   1. sex or gender (firms are required to report on either sex or gender. Firms may choose to report on both sex and gender on a voluntary basis);
   2. gender identity;
   3. socio-economic background;
   4. parental responsibilities; and
   5. carer responsibilities.

The FCA recognises that, currently, less than 50% of large firms collect data against the characteristics set out in (2)(b) to (e) above, and so to ensure a proportionate approach, propose voluntary reporting against those four demographic characteristics with a view to increasing numbers of firms reporting against these on a voluntary basis over time. To that end, the FCA may consider moving the voluntary metrics to mandatory at a later date. The FCA views these metrics as being important in supporting a full intersectional analysis of employee experience.

Firms will need to report this data in three categories: board; senior leadership and all employees. Employees in each category can choose to not respond or to indicate that they prefer not to say. The FCA acknowledges that employees may not want to disclose certain personal information as part of an employer's data collection and that, as a result, datasets may be incomplete.

Culture and inclusion

In addition to reporting demographic data, the FCA proposes to introduce consistent measures of inclusion reporting to provide a baseline of measurable data within firms and across the sector.

Under the proposals, firms should, on an annual basis, report on the following measures of inclusion, asking whether employees feel:

• safe to speak up if they observe inappropriate behaviour or misconduct;
• safe to express disagreement with or challenge the dominant opinion or decision without fear of negative consequences;
• their contributions are valued and meaningfully considered;
• they are subject to treatment (for example actions or remarks) that have made them feel insulted or badly treated because of their personal characteristics;
• safe to make an honest mistake; and
• that their manager cultivates an inclusive environment at work.

The data should be reported on a five-point scale of strongly agree to strongly disagree, including a neutral option. Data on inclusion must be captured on an anonymous and voluntary basis and should always include a response option to 'prefer not to say'. Responses to the questions on inclusion would also need to be reported in the three layers of the board, senior leadership and all employees.

Data on target setting and progress

The FCA will use the regulatory report to monitor large firms' progress against targets they have set for themselves.

Under the proposals, firms will need to provide information on:

• the demographic characteristics they have set targets for, as well as their inclusion targets, if any;
• the percentage at which each target has been set;
• the year each target was originally set;
• the year the firm is aiming to meet the target;
• the firm's current level of representation against each target (%);
• the rationale for the targets set; and
• any further information the firm would like us to consider about targets they have set.

Information on targets would also need to be reported in the three layers of the board, senior leadership and all employees.

Firms will be required to report all data to the FCA annually.

Firms should ensure that any collection or reporting of diversity data complies with data protection legislation where personal data is processed for the purpose of being shared with the FCA and the PRA.

Application - Dual-regulated CRR and Solvency II firms of any size (firms to which the CRR or Solvency II parts of the PRA Rulebook apply), and all other FSMA firms with a part 4A permission that have 251 or more employees, excluding all Limited Scope SMCR firms.

Firms must develop an evidence-based D&I strategy that takes account of their current progress on D&I. The strategy would need to advance the Regulatory Aims and contain, as a minimum:

• the firm's D&I objectives and goals;
• a plan for meeting those objectives and goals, and measuring progress;
• a summary of the arrangements in place to identify and manage any obstacles to meeting the objectives and goals; and
• ways to ensure adequate knowledge of the D&I strategy among staff.

This high-level framework is intended to give firms flexibility to devise strategies that most effectively deliver the outcomes the FCA wants to see, taking account of their own needs and operating environment. The proposals would, however, establish minimum requirements for firms' D&I strategies to promote consistency in approach.

Firms' boards will be responsible for the maintenance and oversight of the firm's D&I strategy and will need to ensure that it remains appropriate and effective on an ongoing basis. While the FCA is not mandating how frequently the D&I strategy should be reviewed, firms need to be satisfied that it remains fit for purpose.

Firms will need to make their D&I strategy easily accessible and free to obtain (making the strategy freely available on the firm's website is likely to satisfy this requirement).

Application – All FSMA firms with a Part 4A permission with 251 or more employees, excluding all Limited Scope SMCR firms.

The FCA proposes that firms make public disclosures on D&I data to increase transparency and scrutiny, as well as facilitate comparisons between firms on D&I performance.

Firms will be expected to disclose the same information that they report to the FCA in the proposed reporting requirements mentioned above, but as percentages rather than whole numbers.

In line with the new data reporting requirements, disclosure on certain demographic characteristics is voluntary. Further detail on what to disclose and the levels of disclosure can be found in the FCA's consultation paper.

However, the FCA has built safeguards into its proposals to address concerns around 'identifiability'. If publishing the information as outlined in the FCA's proposals might lead to disclosure of information about an individual, firms should combine levels (e.g. combine the data for board and senior leadership or combine all three categories; board, senior leadership and all employees). Firms would not be required to make disclosures that breach any laws, including the UK GDPR. Firms should make an assessment based on their specific circumstances.

Firms will need to make disclosures on an annual basis. Disclosures should be made: (1) at the same time that firms publish annual reports and accounts; or (2) for firms that do not publish annual reports and accounts, within six months of the end of their financial year.

The rules on disclosure come into force 12 months after the FCA publishes its final rules. In the first year of the rules being in force, disclosures can be made on a voluntary basis. In the following years, disclosures will be mandatory for in-scope firms.

Application – All FSMA firms with a Part 4A permission with 251 or more employees, excluding all Limited Scope SMCR firms.

The FCA proposes that firms would be required to set targets to address underrepresentation in their firms.

The FCA expects firms to set at least one diversity target for each of the board, its senior leadership and for the employee population as a whole (including the board and senior leadership). The FCA found that existing initiatives often focus on underrepresentation at senior leadership levels, but that the sharpest drops in gender and ethnic diversity occurred in the step from junior to mid-level roles, highlighting the importance of firms setting targets across the entire employee population.

When setting targets, firms must take into account their D&I strategy and current diversity profile. Firms will need to consider the context in which they operate by having regard to available data on the diversity profiles of the UK population, and the geographical area in which they carry out regulated activities.

Firms based overseas that carry out operations in the UK would be in scope but may not have a board or senior leadership in the UK – these firms will not have to set a target for the areas of the firm that are based overseas.

Firms may choose to set inclusion targets on a voluntary basis, in addition to the diversity targets.

Notably, the FCA does not propose to mandate which demographic characteristics the target must cover, nor what those targets should be. This is in contrast to the approach to targets for listed firms, which requires disclosure against specific targets for gender and ethnicity on a 'comply or explain' basis. This is to ensure that firms have full flexibility to target the characteristics, or additional characteristics in the case of listed firms, that would enable them to make progress in their areas of greatest underrepresentation.

Firms would need to review and update their targets regularly to ensure that they remain stretching but realistic, and to assess whether to establish targets for other underrepresented characteristics. Firms' boards would be required to oversee the targets set, including monitoring progress, identifying obstacles to achieving them, and agreeing plans to overcome such obstacles.

The FCA proposes that firms publicly disclose their targets and their progress towards them annually. This disclosure would promote transparency and allow firms and other interested stakeholders to benchmark progress.

Application – All FSMA firms with a Part 4A permission with 251 or more employees, excluding all Limited Scope SMCR firms.

New guidance will be issued to large firms to make clear that D&I related matters are to be considered as a non-financial risk and treated appropriately within the firm's governance structures.

1. Firms should consider how a range of relevant functions can contribute to progress on D&I. For example, risk functions should consider potential risks stemming from a lack of D&I, such as increased groupthink and poor decision-making, which can affect outcomes for consumers and markets.
2. The FCA will give firms significant flexibility to implement this proposal in a way that is aligned with their own internal governance structures. The FCA will not prescribe how firms consider these risks.

The FCA has made clear that risk functions, as well as internal audit, can play an important role in managing risk, but that it is essential that D&I is not seen as a 'tick-box' compliance issue. Support functions, including HR, Corporate Responsibility and conduct specialists can also help to embed D&I practices within the firm, monitor progress against targets and identify areas for targeted interventions.

Application – All CRR and Solvency II firms with respect to their establishment in the UK, including third country branches.

(i) Firm & board strategies

Proposals will require firms to have and publish on their websites: (i) a firmwide strategy; and (ii) a board strategy, each promoting D&I.

Firms can develop their own strategies, however, the PRA expects a strategy to include:

• the firm's core values, the culture that it is trying to create, and  its commitment to D&I;
• D&I objectives and goals, and a plan for achieving these;
• methods to measure progress; and
• the role to be played by the firm and staff in creating an inclusive environment.

Firms can choose to combine or keep separate their board and firmwide strategies, but they must both be accessible on their website.

Firms will be required to regularly review and update their strategies.

All firms will have the flexibility to tailor their strategy to meet their circumstances. Smaller firms' strategies are expected to be less comprehensive than those of larger firms, and third country branches covered by a D&I strategy at international group level would have to consider relevant aspects.

Senior leadership and the board are to be responsible for the strategy, and are to support and disseminate information about the strategy within the firm, including, for example, via formal training.

(ii) Risk and controls

The PRA proposes to clarify in the new supervisory statement that not only internal audit, but also risk management and compliance functions have a role to play in assessing the firm's risk management and controls framework around D&I. Therefore, the PRA expects firms to adopt appropriate risk and control functions to support the development and review of each firm's D&I strategy. The PRA will not be prescriptive as to risk and control functions.

Application – CRR and Solvency II firms (including third country branches) with >251 employees predominantly carrying out activities from an establishment in the UK.

CRR firms with a nomination committee are already required to set a target for the underrepresented gender on the board. PRA proposals require the largest UK firms to set targets for underrepresented demographic groups more widely, tailored to the firm's circumstances. A firm's nomination committee would 'recommend' targets to the board rather than 'decide' the targets on its own.

The term 'largest firms' would refer to firms with 251 or more employees (the D&I employee number threshold^[10]). These firms would have wider-ranging requirements for D&I than those with smaller employee populations.

Largest firms will be required to set diversity targets for the board, senior leadership and throughout the employee pipeline, for demographic characteristics identified by the firm, as appropriate for their circumstances. As identified in the FCA's consultation paper, it is important for firms to consider the progression of their employees.

Targets for women and ethnicity would be a minimum expectation (if the firm identifies underrepresentation in these areas), with other demographic characteristic targets to be specific to each firm. It would be up to firms to decide what underrepresentation looks like for their context, recognising that diversity could look different for firms with different strategies, sizes, locations, complexity, business models and home jurisdiction.

These firms could also choose to set qualitative targets, such as undertaking desk-based reviews or audits on aspects of D&I. Firms could also set targets to improve their inclusion metrics, in addition to the targets they choose in relation to demographic characteristics.

There would be an expectation for targets to: (i) have a defined timeframe; (ii) be regularly reviewed; and (iii) have their progress be considered. There would also be an expectation for firms to: (i) analyse evidence collected; (ii) update the targets over time; and (iii) consider where further development and interventions might be needed.

While the PRA does not propose to be prescriptive about the types of D&I targets, it does expect the targets to be realistic and stretching.

The firm's board and senior managers responsible for D&I would be expected to be able to explain the rationale behind the firm's specific targets.

A strategy on how any targets could be met would be required under the new policy, and the specific targets would need to be publicly disclosed alongside progress against those targets.

Application – All CRR and Solvency II firms with respect to their establishment in the UK, excluding third country branches.

(i) Board Diversity & Inclusion

Firms have an existing requirement to consider a broad set of qualities and competencies when recruiting to the board, and put in place a policy to promote board diversity. The PRA proposes to change the rules referring to 'a policy promoting diversity' on the board, to 'a strategy promoting D&I' and to update SS5/16^[11] to expect firms to apply board D&I strategies to board sub-committees.

The board D&I strategy will need to be published on a firm's website (currently, firms only need to publish how they are meeting the board diversity requirements), alongside the firmwide strategy.

The PRA proposes to clarify that in succession planning, diversity should form part of the consideration of upcoming appointments (for example, how to use appropriate avenues of recruitment when seeking candidates for future directorships).

(ii) Board oversight of D&I

Firms' boards would be expected to have an explicit collective responsibility to set and oversee the firm's strategy on D&I, including developing talent internally, and monitoring progress (including the identification of any obstacles that may lead to adverse outcomes).

In line with existing expectations that the board should consider appropriate incentives – including but not limited to remuneration – to embed culture across the firm, the PRA intends to clarify that such incentives are also appropriate tools for driving progress on D&I, in particular, among responsible senior managers.

Application – All CRR and Solvency II firms with respect to their establishment in the UK, including third country branches.

(i) Senior manager responsibility for D&I

SMFs will not be held to account for a failure to meet diversity targets, but there will be expectations on how SMFs should understand, and be able to discuss with the PRA, the reasoning for a firm's targets and any reason why targets are not going to be met.

For those firms in scope of the Prescribed Responsibilities (PRs) for culture^[12], the PRA proposes to clarify that these PRs include responsibility for the development and implementation of D&I strategies. PR I, usually held by the chair of the board, sets out the responsibility for leading the board's development of the firm's culture. PR H, usually held by the CEO, includes responsibility for overseeing the adoption of the firm's culture in the day-to-day management of the firm. These SMFs would be expected to have their responsibilities for D&I reflected in their Statements of Responsibility (SoR).

Business areas within firms would be expected to contribute to firm culture and strategy implementation, while the SMF holding PR I will be responsible for ensuring that the board sets, approves and adopts an appropriate D&I strategy.

The SMF holding PR H would be responsible for ensuring the implementation of the board D&I strategy. 

For firms not in scope of culture PRs, at least one SMF should have responsibility for implementation of their firm's D&I strategy, reflected in their SoR.

(ii) Fitness and propriety assessments

The PRA proposes to clarify that the PRA may take into consideration established patterns of behaviour of an individual that would, or would be likely to, affect the firm's safety and soundness, when considering whether the individual meets the PRA's standards of fitness and propriety. Examples of such conduct include bullying, discrimination and harassment which would, or would be likely to, have the effect of hindering individuals within an institution from speaking up and providing effective challenge as part of the firm's decision-making processes.

Firms will be expected to ensure that individuals subject to allegations of such behaviour are given an opportunity to respond, and that both are assessed objectively and independently by an appropriately qualified person.

Application – All CRR and Solvency II firms with respect to their establishment in the UK, including third country branches.

A new rule will be introduced to require firms to internally monitor D&I for the purposes of taking actions to improve D&I where necessary.

The PRA wants to ensure that firms with 250 or fewer employees are still monitoring D&I, despite being out of scope of the regulatory reporting proposals.

Application – Only those CRR and Solvency II firms (including third country branches) with >251 employees predominantly carrying out activities from an establishment in the UK.

(i) All CRR & Solvency II firms

Firms will be required to report their total UK employee numbers at an individual level, to ensure that the PRA can assess which firms should be in scope of the different parts of the proposed policy package. Firms with 250 or fewer employees in the UK would not be required to complete any of the other information requested on demographics, targets, and inclusion but may voluntarily comply.

(ii) Firms with >251 employees

Firms would be required to report on certain D&I metrics in relation to: (i) number of board members; (ii) senior leadership; and (iii) total employees falling within different categories.

Firms would also be required to report information on their D&I targets.

The PRA's proposals are in line with the FCA's proposals for firms with 251 or more employees – please see the sections above for "Data Reporting" among our summary of the FCA's proposals for further information.

The PRA would expect firms to develop 'process' metrics, which can be used to help identify potential challenges in employee-management processes, such as performance measurement, recruitment, promotions, attrition, disciplinary proceedings, and dismissals within a firm.

Application – Only those CRR and Solvency II firms (including third country branches) with 251 or more employees who are predominantly carrying out activities from an establishment in the UK.

The PRA proposes that firms disclose data on the percentages of employees that are representative of different demographic characteristics, as well as inclusion metrics, in line with what is requested in the regulatory reporting return.

Firms can choose whether their disclosure is based on sex or gender, or both.

Firms would be required to disclose:

1. D&I data;
2. board and firmwide D&I strategies;
3. D&I targets and policies for achieving them;
4. reasons for setting such targets; and
5. progress against the targets over time.

The PRA will not be prescriptive about the format of the disclosures, however, they should be accessible on the firm's website.

Disclosures of targets and D&I data should be updated annually at the same time the firm publishes its annual reports and accounts or, if the firm does not produce these, within six months of the end of its financial year.

The PRA proposes that the annual disclosures will not be mandatory until the second year after the rules come into force.

All firms will be required to have published their first disclosures within three years of the publication of the Policy Statement.