Herbert Smith Freehills' Financial Services Regulatory (FSR) team surveys the regulatory landscape in 2020 and identifies some themes that we expect to be at the core of regulatory priorities globally in the next 12 months.
The wider "stakeholder" in a new era of purposeful corporate culture
Global regulators are increasingly setting their sights on the wider meaning of "company purpose", including Environmental, Social and Governance (ESG) criteria, and non-financial risk.
This change in focus reflects a societal shift in attitude, with individuals becoming more conscious of the need to contribute to the well-being of society. As a consequence, companies, including financial institutions, are coming under pressure to realign their corporate purpose for the benefit of their shareholders, employees and the communities within which they operate.
In the UK, attention has turned to the meaning of section 172 of the Companies Act 2006. This requires company directors to consider a non-exhaustive list of factors when decision making, including having a regard for employees, the community in which the company operates and the environment. At the request of the UK Government, the GC 100 (the association of general counsel and company secretaries working in the UK FTSE 100 companies) has recently published guidance on section 172, providing practical steps for directors in the areas of strategy, director training, the content of board papers, use of policies and processes, flow of information and stakeholder engagement, to better enable directors to make decisions with regard for wider stakeholders. This aligns with a recent speech given by Jonathan Davidson, Director of Supervision at the Financial Conduct Authority (FCA) on purposeful leadership to promote progression.
Reporting obligations, imposed as part of a new wave of statutory changes to the UK corporate governance framework, require all large private and public UK incorporated companies to include a statement in their strategic reports describing how their directors have had regard for their section 172 duties. The statutory changes are part of the growing trend towards the expanding definition of the "company purpose", the need for increased transparency and a pressure for organisations, including financial institutions, to develop culture, and operate for the benefit of society as a whole.
In the USA, 181 CEOs of American companies (Business Roundtable CEOs) have signed a new statement on the purpose of a corporation. They have committed to leading their companies for the benefit of all stakeholders – customers, employees, suppliers, communities and shareholders – demonstrating a wider global shift towards investment in employees and communities.
We expect that this focus on the accountability of corporates and financial institutions will only increase and diversify with time. In a recent speech, Christine Lagarde promoted the building of a safer, more sustainable and ethically sound financial sector, with the aim of creating an industry where the "everyday magic" of finance is restored. Lagarde identified innovation, regulation and a broadening of corporate responsibility as key to creating an industry more aligned to society's needs, and in the interests of all stakeholders.
We anticipate that, with the growing demand from consumers for large corporates to take their social responsibilities seriously (including for future generations), global regulators will become increasingly interested in the steps that should be taken by corporate and financial institutions to curtail the effects on climate change. Mark Carney, the Governor of the Bank of England (BoE), recently spoke of his desire to bring climate risks and resilience into the heart of financial decision making, and for sustainable investment to go "mainstream".
In Europe, the Commission will draw up a Sustainable Europe Investment Plan, hoping to unlock €1 trillion of sustainable investment over the next decade. A new Non-Financial Reporting Directive will require information on sustainability risks and opportunities.
In the UK, the FCA issued a feedback statement as part of a wider set of communications from UK financial regulators seeking to direct the evolving conversation around climate change and green finance. The FCA is targeting three priority outcomes: an increase in climate-related disclosures to the market; integration of climate change considerations; and an increase in the availability of green finance products and services for consumers. In early 2020, the FCA will consult on new 'comply or explain' rules for climate-related disclosures, with the objective of bringing UK corporate disclosure in line with the Financial Stability Board's (FSB) task force on climate-related financial disclosures (TCFD) recommendations by 2022.
With 80% of over 1100 G20 companies already disclosing in line with TCFD recommendations, it is expected that, like the FCA, financial regulatory authorities in other jurisdictions will also implement changes to promote increased corporate reporting on, and accountability for, climate-related considerations and products.
In Australia, we have observed moves by regulators to expand corporate governance awareness to encompass both the wider community, and climate change. Following on from the 2019 Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission), the expression "community standards and expectations" has entered the financial services regulatory lexicon, and we expect that trend to continue. For example, the release of a 4th edition of The ASX Corporate Governance Principles and Recommendations (ASX Principles) to take effect on 1 January 2020, was "fuelled by recent examples of conduct by some listed entities falling short of community standards and expectations". ASX Principle 3 – that a listed entity should "instil a culture of acting lawfully, ethically and responsibly" – underwent a shift in focus, to openly promoting the values of a listed entity and instilling a culture of ethics. ASX Principle 7 – that a listed entity should "recognise and manage risk" – has extended to environmental and social risks, such as climate change. Listing Rule 4.10.3 obliges listed entities to disclose the extent to which they have or have not followed the ASX Principles.
The findings of the Royal Commission have also prompted emphasis on "community standards and expectations" with respect to financial institutions' management of non-financial as well as financial risk. In its 2019 report on "Director and officer oversight of non-financial risk", the Australian Securities and Investments Commission's (ASIC) Corporate Governance Taskforce found that broad oversight of non-financial risk, and of its "very real financial implications", has been lacking. ASIC's view is that the approach to board oversight of non-financial risk has been one of form over substance, overly reliant on frameworks and policies and deficient in compliance with these policies.
Regulators have shown themselves to be increasingly responsive to public pressures for greater corporate awareness of wider social issues, non-financial risk and climate change. Corporates and financial institutions will need to re-think the factors relevant to board decisions; adjust their internal processes, policies and reporting practices to meet the expectations of their regulators and wider stakeholders; and align themselves with a new age of globalised social awareness for sustainable business practice, which will, inevitably, become the new mainstream.
Protecting vulnerable customers
In the same way as regulators are requiring financial institutions to consider social criteria in their "company purpose", we also see them looking to firms to ensure that vulnerable customers receive appropriate protection. This is part of a wider debate which also draws in other industry sectors, including in particular power, water and telecommunications. The dial has moved away from the principle of "buyer beware" – and there has been much discussion about the definition of vulnerability, the extent of financial institutions' responsibilities with regard to vulnerability, and whether regulatory action alone can deliver a good outcome for the vulnerable or the excluded in society.
In the UK, in July 2019 the FCA launched its consultation on draft guidance for firms on the fair treatment of vulnerable customers, setting out its expectations about how firms should:
- understand the nature and extent of vulnerabilities in their target market, and the potential needs that therefore arise;
- ensure that staff have the skills and capability (and are empowered) to meet those needs; and
- integrate that understanding through practical steps in designing products and services, delivering good customer service that responds to customers' needs and situations, and communicating clearly with vulnerable customers.
Critically, the FCA's definition of "vulnerability" includes potential vulnerability, as well as actual vulnerability. Research cited by the FCA suggests that half of UK adults display one or more characteristics of being potentially vulnerable. Potential vulnerability can be transient or short term, a sensitive personal matter for the customer, and may arise well after the point of sale. Identifying and meeting the needs of vulnerable customers on this scale is no small challenge, and calls for a flexibility in processes which is not always easy for large organisations to implement and monitor. That said, there is an opportunity for firms to leverage the data they already hold to, for example, identify consumer patterns of behaviour and signs of stress (whilst ensuring this can be done in compliance with data protection requirements). Getting it right, consistently, would be a real brand differentiator.
We expect other regulators globally will follow the FCA's lead on vulnerability, and firms in jurisdictions where regulators have focused less on these issues may wish to engage in the dialogue with their regulators at an early stage. Firms in the UK are already taking steps towards achieving outcomes for vulnerable customers that are at least as good as those for other customers. Some have, for example, embedded the output from studies on consumer responses and behavioural economics into their policies and procedures. Firms will wish to consider these issues at all levels of their organisation, from board level to front line, to ensure that staff are properly trained and empowered to take appropriate action to achieve appropriate outcomes for vulnerable customers.
In Hong Kong, the Code of Banking Practice, which is published by industry associations and endorsed by the Hong Kong Monetary Authority (HKMA), provides that treating customers fairly should be an integral part of good governance and corporate culture of all institutions and their authorised agents, and that special attention should be dedicated to the needs of vulnerable groups. In recent years, the HKMA has encouraged the banking industry to put the spirit of financial inclusion into practice. As part of this work stream, the HKMA has provided guidance relating to specific types of customers, such as those relating to ethnic minority customers (following a mystery shopping programme) and a practical guideline on barrier-free banking services setting out recommendations to the industry for enhancing accessibility of banking services by customers with physical disabilities, visual or hearing impairments. We expect the HKMA will continue its supervisory focus on financial inclusion, and firms should be prepared to take action where needed to ensure these principles are put into practice.
With a reduction in the provision of consumer credit as a result of tighter credit policies following the Royal Commission, the emphasis in Australia now seems to be upon finding an appropriate balance. Consistent with that approach, we expect ASIC to continue to engage actively with the industry in the finalisation of its updated "Regulatory Guide 209: Credit licensing: Responsible lending conduct". The consultation attracted a significant volume of feedback from stakeholders, and we expect the finalised guide to be a nuanced approach to responsible lending, which is more principles based than prescriptive in its approach.
It is clear that regulators view the protection of vulnerable customers as a key focus for supervision and enforcement. Regulators in both Australia and the UK consider that harm to vulnerable customers is indicative of the seriousness of misconduct, and have prioritised the protection of vulnerable customers in their business plans. The FCA has also indicated that the way that a firm treats vulnerable customers informs the regulator about the firm's overall culture, and how well they are complying with its Principles. We anticipate more scrutiny from the FCA on firms' treatment of vulnerable customers, and related enforcement action, in 2020.
However, the outlook for Australian enforcement activity in relation to responsible lending looks likely to be somewhat subdued in 2020, given the tightening of credit policies. While we expect there to continue to be key enforcement activity in 2020 and beyond, we expect ASIC's vulnerability-related regulatory action to focus on certain key thematic drivers of harm, including poorly designed investment and protection products (including the inappropriate selling of such products), and inappropriate sales of consumer credit products.
Enhancing operational resilience
Operational resilience will remain at the top of the agenda of both firms and regulators in 2020. Regulators in the UK define it as "the ability of firms, financial market infrastructure (FMIs) and the sector as a whole to prevent, respond to, recover and learn from operational disruptions" and the Deputy CEO of the BoE suggests that operational resilience will come to be seen as on a par with financial resilience in a firm's risk profile, with cyber being a key element of operational resilience.
In Australia, the Chair of the Australian Prudential Regulatory Authority (APRA) considers operational resilience as one of three key pillars vital for the resilience of the Australian banking system. APRA's prudential standards relating to business continuity, outsourcing, disaster recovery and crisis management arrangements were updated in 2017, but further requirements issued in 2019 aim to ensure that the IT security capabilities of regulated entities could meet the evolving cyber threat landscape. These new requirements required APRA-regulated entities to:
- clearly define the information security-related roles and responsibilities of business personnel;
- maintain information security capabilities commensurate with the size and extent of threats to their information assets, which enable continued operation;
- implement information security controls that effectively protect information assets and are commensurate with the criticality and sensitivity of those assets;
- continually test the effectiveness of their information security controls in proportion to their information assets and the relevant threats; and
- notify APRA as soon as possible, and, in any case, no later than 72 hours, after becoming aware of material information security incidents.
In 2019, the Reserve Bank of Australia (RBA) also proposed additional steps to enhance operational resilience in the context of financial market infrastructure and in particular, disruptions to electronic payment systems. The RBA will also seek to:
- develop publicly available statistical information on individual institutions' operation outages;
- engage retail payment providers on operational risks and how to solve these issues; and
- if necessary, consider imposing operational resilience standards on market operators and participants.
Finally, in 2019 ASIC proposed rules intended to ensure operational resilience in automated and interconnected markets. These would require firms to:
- have arrangements in place to adequately protect critical systems (including appropriate controls in outsourcings);
- have appropriate governance arrangements and adequate financial, technological and human resources to support the arrangements contained in the above proposals. This includes developing an accountability structure which ensures that an organisation's leaders are responsible for business continuity;
- have arrangements to adequately protect data obtained, held or used; and
- establish, maintain and implement plans for dealing with an interruption to critical systems.
In Hong Kong, the SFC has issued a circular to Licensed Corporations (LCs) setting out its regulatory expectations in relation to their use of external electronic data storage for regulatory records. LCs must have in place appropriate contingency plans to ensure operational resilience and an exit strategy to ensure the service can be terminated without disruption. They should also consider concentration risk where the EDSP provides data services to a large number of financial firms.
In Europe, the European Banking Authority (EBA) has published guidelines on information and communications technology (ICT) and security risk management. These include a requirement for a second-line control function to monitor adherence to an ICT and security risk management framework. Guidance is also given on the oversight of third party providers (see also "The regulated firm as a conduit in the age of fintech" below).
In the UK, operational resilience, particularly in the context of cyber issues, outsourcing and other technological change is of increasing interest to the regulators, given the risk that issues could impact financial stability and cause harm to consumers and market participants. The FCA has created a cyber-resilience self-assessment questionnaire in collaboration with the Prudential Regulation Authority (PRA).
The BoE, PRA and FCA have just published a suite of proposals to embed into policy the approach to operational resilience they initially outlined in 2018. These envisage that firms and financial market infrastructures will take ownership of their operational resilience, and prioritise plans and investment choices based on their impacts on the public interest, by:
- identifying their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system;
- setting impact tolerances for each important business service, which quantify the maximum tolerable level of disruption they would tolerate;
- identifying and documenting the people, processes, technology, facilities and information that support their important business services; and
- taking actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
Taking a business services approach is intended to enable firms of different sizes and scopes to manage their resilience in a dynamic environment, while impact tolerances encourage firms to assume that operational disruptions would take place, and direct their attention to minimising the impact of the disruption on key business services.
Operational resilience will remain a focus for the regulators and market participants for at least the medium term, not least because of the pace and scale of technological innovation, change management, interconnectedness, third party dependencies and cyber threat within the financial services sector. Firms have to respond to this challenge by meeting the regulatory expectations above, in particular by ensuring:
- governance is fit for purpose;
- the firm's business continuity plans and processes are comprehensive and considered;
- outsourcing is properly managed, in particular in relation to "fourth parties" – the subcontractors used by a firm's service provider; and
- collaboration takes place across the sector to share data and experiences in order to improve.
The rapid growth of data remains one of the most significant developments in the banking sector, and its impact in the next decade or two will be even more profound. The 2019 edition of our Global Bank Review: The Data Game explores this in more detail and provides a global regulatory update.
The regulated firm as a conduit in the age of fintechs
1971 is the date of the first known use of the term "fintech", at least according to America's go-to online dictionary Merriam-Webster. But in the personal chronologies of many working in financial services, "fintech" as a buzzword follows on from crisis-related phrases like "individual accountability", "macro-prudential", "systemic risk", and "regulatory tsunami".
The fact that the term "fintech" has a much longer history than one might first think reflects the financial services industry's relationship with digital and computer technology. The industry has been working with these technologies for over half a century – early computers began arriving in banks in the late 50's and early 60's. What has changed in the past decade is that the technology that firms have come to rely on and interact with is increasingly likely to be partially or wholly external to the firm itself. For example:
- many firms make use of cloud computing services;
- banks (under the EU's Revised Payment Services Directive for example) are required to facilitate the use of innovative payment solutions by allowing third parties to access customer data; and
- many firms are exploring the uses of blockchain.
For firms, exploiting new technologies is one challenge. Another is grappling with the supervisory expectations of firms' use of technologies.
With the advent of more reliance on unregulated third parties, firms are increasingly finding themselves in the role of conduit between their supervisors and unregulated third parties, as supervisors impose obligations which effectively require firms to seek to exert influence on behaviour in the unregulated space. Developments in relation to both crypto-assets and cloud services illustrate this move.
Initially, this conduit role appeared to be about facilitating monitoring. In July 2018, for example, the Basel Committee on Banking Supervision (BCBS) was focused on quantifying banks' exposures to crypto-assets. But the conduit role is more and more becoming a route for supervisors to influence those outside the regulatory perimeter. The BCBS' 2019 statement on crypto-assets illustrates a progression from that earlier monitoring focus to the setting out of expectations of banks that are engaging in crypto-asset activity – from due diligence, risk management and governance, to public disclosure and supervisory dialogue relating to the bank's crypto-asset activities (whether or not the crypto-assets themselves have been determined as within scope of existing securities, payments or other regulatory frameworks). Hong Kong, for example, has introduced new principles and requirements in the form of licensing conditions for licensed corporations (LCs) which manage portfolios that invest in virtual assets, including those outside the regulatory perimeter such as utility tokens.
Were they to be introduced (and the BCBS is considering it), prudential treatments for crypto-assets would, it may be expected, exert some influence to modify firms' activities and behaviours in these markets. Similarly, the imminent implementation of a new EU Money Laundering Directive (5MLD) and Singapore's new Payment Services Act, which will both deliver the internationally-agreed Financial Action Task Force (FATF) recommendation on crypto-assets, can also be expected to have an influence on both regulated and unregulated crypto-assets and related products.
Another example of this conduit role, which (currently) has a broader application is the focus on cloud outsourcing. Two EU authorities – the EBA and the European Insurance and Occupational Pensions Authority (EIOPA) – have introduced or are introducing revised and expanded guidelines on outsourcing arrangements. Generally, such guidelines impose a requirement on regulated firms to ensure that third parties meet the same levels of regulatory compliance as the firms themselves. In Singapore, specific terms which aim to strengthen the Monetary Authority of Singapore's (MAS) oversight over outsourcing arrangements are also provided for in the Banking (Amendment) Bill 2019, including terms relating to the right of the regulator to audit the service provider, protection of customer information and termination of the outsourcing agreement under specified circumstances.
In Hong Kong, the Securities and Futures Commission (SFC) is focused on ensuring that its access to records held by external data storage providers (EDSPs) will not be impaired or unduly delayed. LCs are required to obtain approval for the data centre used by an external electronic data storage provider (EDSP) for the exclusive keeping of those records, and will have to designate two Managers in Charge responsible for ensuring the SFC has effective access to such records on demand without undue delay. LCs will also be required to consent to EDSPs producing any of the LC's data to the SFC pursuant to the exercise of the SFC's statutory powers – and without the EDSP being permitted to notify the LC of the disclosure.
In Australia, APRA has been the first of the domestic financial services regulators to directly address cloud services and outsourcing. Whilst there is no separate prudential standard for cloud services, APRA's 2018 paper on the topic provides practical guidance on the topic and a much needed update on its original 2015 paper. Consistent with its role as a prudential supervisor, APRA has adopted a risk-based approach as to the level of engagement it would expect from firms looking to outsource using cloud services. Given the growing mix of technological solutions (ie artificial intelligence platforms hosted in the cloud), firms should carefully consider whether such novel solutions reach the notification thresholds for APRA particularly since it would appear such technologies would be 'unproven' and therefore potentially represent a higher level of risk.
It is true that a consistent theme in regulation and guidance covering outsourcing is that firms cannot contract out their regulatory obligations.
In the UK, the FCA's Handbook of rules and guidance has maintained this position on firms' responsibilities since its earliest version in 2001. However, the practical landscape of outsourcing provision has changed significantly since then. It is reasonable to observe that with regulated firms becoming increasingly dependent on unregulated third parties for the continued provision of key services, the supervisory emphasis and use of provisions in the EBA and EIOPA guidelines and, for example, in UK regulation, is continuing to evolve. The UK regulators are now consulting on proposed guidance on outsourcing and third party risk management. The PRA is taking an expansive approach to the definition of "outsourcing", and outlining its expectation that firms will have appropriate governance and internal controls to identify, manage and report risks resulting from all arrangements with third parties.
In Australia, regulators are revisiting regulatory guidance in light of the ever growing role of technology in financial service firms' operations. 2020 is shaping up to be a year where consultation between ASIC and industry begins to crystallise. A critical development is ASIC's consultation paper on "Market integrity rules for technological and operational resilience". ASIC has set out its intention to introduce market integrity rules and put firms on notice that digital transformation projects ought to be assessed in light of their materiality to the firm's day-to-day operations and services including the extent to which there are any fail safes or in-built redundancies. Singapore is also looking to revise its Technology Risk Management Guidelines, with an increased focus on effective cyber and operational resilience, as well as board and senior management oversight of technology risk.
Until (and indeed if) third parties are brought into the regulated sphere – whether through tailored regulation or by bringing third parties within the ambit of an existing regulatory regime, whether for financial services or telecoms, etc. – financial services supervisors are likely to continue to rest responsibility for regulatory compliance with firms and to use regulated firms as a conduit to influence the behaviour of unregulated entities.
What does this conduit role between supervisors and unregulated third parties mean in practice for firms? While for specific technology solutions there are discrete impacts, there are some overarching impacts which firms should be addressing.
Dialogue with supervisors around interactions with third parties can be expected to increase as supervisors seek to ensure that technology risks are appropriately and robustly mitigated. It is possible that for some activities, regulatory reporting requirements may develop and/or increase. For example, the EBA's outsourcing guidelines require firms to maintain a register of arrangements which firms "should, on request, make available" to the supervisor. It is a reasonable assumption that such a register would be critical to informing the supervisory approach to the firm, and that supervisors will be keen to interrogate this information, possibly on a more regular basis than previously. APRA-supervised firms in Australia considering the use of new technology using cloud services ought to consider whether the affected services meet the risk thresholds warranting early engagement with the regulator.
Finally, reverting back to an earlier buzz term, namely "individual accountability", firms and their senior managers need to consider how their implementation and compliance with accountability regimes such as the Senior Managers and Certification Regime (SMCR) in the UK should be considered in light of use of third party technology solutions and engagement with fintech activities. In Hong Kong, it is proposed that two managers-in-charge be appointed to oversee arrangements with EDSPs. Do relevant senior managers have the right skill set to make informed decisions and to ensure delivery of appropriate oversight of technology dependent activities? Further, given that both firms and supervisors are upskilling to meet technology challenges, do senior managers have the communication skills which will enable them to "bring supervisors along" when they discuss the firm's technology journey?
Making whistleblowing work
Good corporate culture is key to restoring trust in financial services, and effective internal whistleblowing arrangements are a critical component of such a culture. The OECD's 2016 report describes whistleblower protection as "the ultimate line of defence for safeguarding the public interest".
Fostering a culture where 'speaking up' is not only accepted but actively encouraged, and where individuals can report concerns without fear of reprisal and with confidence that the issue will be properly investigated, is an essential element of firms' ability to identify and manage misconduct.
Globally, regulatory frameworks supporting whistleblowers are at varying stages of evolution. This can create additional complexity for firms operating across jurisdictions, particularly where aspects of their global operations are centralised in a jurisdiction whose whistleblowing requirements are less stringent or materially different to other jurisdictions where the firm operates, in particular in terms of the types of disclosures that are given whistleblowing protection.
Australia is the latest jurisdiction to overhaul its whistleblowing regime, another significant regulatory reform sparked by last year's Financial Services Royal Commission. The new regime employs expansive definitions (who can make a report and to whom it can be made) as well as imposing orthodox confidentiality and anti-victimisation obligations. Whistleblowers may also disclose protected information to a Member of Parliament or journalist if, after 90 days, they believe their complaint is not being addressed and that it would be in the public interest to do so. Current law reform discussions suggest that a firm's whistleblowing policy may be a relevant consideration in determining whether a corporation has exercised due diligence to prevent the commission of a corporate crime.
In the UK, following substantial whistleblowing reforms implemented in 2016, we see increased scrutiny of the systems and controls used by firms to triage and investigate whistleblowing claims to ensure they are appropriately investigated and reported within the firm and to its regulators by individuals who aren't compromised by a conflict as a result of their interest in the subject matter of the complaint. Prevention and 'monitoring' of detriment to whistleblowers remains a key focus, following a number of high profile whistleblowing cases brought by individuals who claimed their complaints were not taken seriously and ultimately resulted in their dismissal. Detriment in this context may cover a range of adverse consequences to the whistleblower as a result of their having made the complaint, which may extend, beyond dismissal and bonuses, to exclusion from deal teams, social events, promotion opportunities, ostracism and adverse impacts on mental health.
In Europe, Member States must transpose the Whistleblowing Directive, which came into force in November 2019, into national law by 17 December 2021. These requirements extend beyond existing whistleblower requirements in the financial services sector. The Directive requires both private and public organisations to provide safe channels to enable both internal and external reporting by whistleblowers. Retaliation, including threats and attempts, will be prohibited and subject to effective, proportionate and dissuasive penalties. The Directive contains a range of examples of detrimental treatment.
In France, whistleblowing is an increasingly sensitive topic. France has adopted a whistleblowing regime which likewise provides protections to whistleblowers and a public interest mechanism. Recent high-profile cases have seen record breaking penalties imposed for breaches of whistleblowing laws, including a €3.7 billion fine imposed by a French criminal court. We see greater use of social media by employees to put pressure on their employers, sometimes bringing regulatory breaches and/or irregularities to light before the regulators. Whistleblowers may report possible regulatory breaches to the French regulators, who may vouch for the whistleblower if the matter against the employers goes to court.
Regions without formal whistleblowing regimes face similar challenges. In Hong Kong, regulators have focused on the role whistleblowing plays in the overall governance of culture and conduct within an organisation. The HKMA expects banks to implement channels enabling staff to report issues and concerns to senior management and/or a dedicated team direct without the need to go through line management or local offices, and to protect staff from reprisals. Guidance on such escalation policies also considers possible arrangements to incentivize personnel to call out irregularities and misconduct. The increasing amount of data being collected by the HKMA and the SFC includes data specifically relating to whistleblowing. In addition, self-reports of actual or suspected material rule breaches which come to light as a result of a whistleblowing complaint are likely to lead to scrutiny of the firm's treatment of that complaint. Even without the broader legal protections which exist in other jurisdictions, the expectations of regulators and sympathetic treatment in the media may also still be leveraged by employees who are in a dispute with their current or former employer.
One challenge of any system designed to protect individuals is the risk of abuse – the risk that individuals will make false complaints motivated by self-interest. Historically, whistleblowing complaints were often not raised until the whistleblower left the firm, or in the context of disciplinary action. How, then, can early whistleblowing – which plays an essential role in identifying and managing misconduct – be encouraged? The US approach of providing financial incentives to encourage whistleblowing has not gained much traction in other jurisdictions, which instead tend to favour an increased focus on the need for robust systems and controls to protect whistleblowers' anonymity and prevent detriment.
It is clear that the handling of whistleblower reports will remain a key focus of firms and regulators throughout 2020, and will have particular impact on those jurisdictions with individual accountability regimes. An individual's fitness and propriety could, for example, be affected by a finding that they had mistreated a whistleblower or mishandled a whistleblowing claim. Equally, firms with clear and well documented processes would look to those records to evidence the 'reasonable steps' taken, in relation to both the issue raised, and the handling of the report.
There are however greater benefits for firms who succeed in creating a robust and safe speak up culture, which enables them to leverage the eyes and ears of their employees to identify potential misconduct. Recent research indicated that higher internal whistleblower report volumes are correlated with greater profitability and workforce productivity (measured by Return on Assets), and fewer and lower amounts of government fines and material lawsuits.
Holding individuals to account
In 2020, Australia appears set to take a lead in the global push for greater accountability for individuals operating in the financial services sector. Following the conclusion of the Royal Commission, there has been a detectable shift in the focus of Australian financial services regulators to the investigation and prosecution of individuals in relation to suspected or alleged corporate misconduct. This has manifested in a range of ways, including ASIC adopting a "why not litigate" posture to enforcement (including litigating against officers of financial institutions), the targeting of information concerning individuals in compulsory notices issued by ASIC and APRA, and an increased appetite to target individuals as well as companies for alleged breaches of corporations and financial services legislation. We expect the investigation of, and commencement of court proceedings against, individuals to continue to intensify for the foreseeable future, as the regulators take a hard line on enforcement (with the support of additional funding) and seek to test the revitalised and refined civil and criminal penalty regimes, as recently amended by the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth). The focus on increasing criminal prosecutions for these contraventions will be a trend to monitor.
These developments may have a cascading effect on financial institutions, not only on the conduct of their officers and employees, but also on the function of their internal legal and compliance functions. Those functions may increasingly encounter conflict issues between its officers' interests and those of the company when both are ostensibly being investigated by APRA or ASIC. We forecast that this will provoke the emergence of greater demand for individual representation, even at the investigatory stage (ie prior to any proceedings being instigated).
Enforcement against individuals is also likely to remain a topic for legislative reform in 2020. The expansion of ASIC's investigatory armoury is top of the reform agenda, with a suite of amending legislation expected to be tabled before the Australian Parliament in late 2019. That legislation would also increase the number of circumstances in which ASIC can issue persons in the financial and credit industries with banning orders. Suggestions have also been made to "weaponise" the Banking Executive Accountability Regime (BEAR) against accountable persons (including directors and senior executives). The Australian Law Reform Commission has also placed on the agenda for potential legislative reform the question of whether personal liability should be imposed upon individuals in a position of influence within a corporation for failing to prevent corporate criminal misconduct.
The position elsewhere similarly remains focused upon individual accountability in 2020. In Hong Kong we expect to see the SFC continue to use the Manager in Charge regime as a roadmap for identifying senior individuals responsible for misconduct, and for investigations of these senior individuals to intensify. We also anticipate a continued focus by the SFC on directors of listed companies engaged in fraud or malfeasance and for it to wrap up the last of its IPO sponsor cases. This follows concerted efforts by the SFC in these areas during 2019, with the SFC taking action against multiple IPO sponsor principals during the course of this year, and a doubling in the number of directors removed or banned for fraud since 2017.
Although there is no formal regulatory program specifically designed to address the issue of individual accountability in South Africa, the message from the Financial Sector Conduct Authority (FSCA) is consistent with that received from regulators elsewhere. The FSCA has made it clear that perpetrators responsible for financial misconduct will be held to account. This is plainly evident from the FSCA's recent fine levied against Steinhoff for R1.5 billion (US$102 million) in September 2019 which is the largest ever financial misconduct penalty in South African history. In this instance the FSCA reduced the fine to R53 million (US$3.6 million) due to the company's inability to pay the initial amount; however, the FSCA stated that they are still investigating the conduct of the executives responsible for the fraudulent misrepresentation and that they are unlikely to receive the same treatment that Steinhoff did in respect of the remission of a portion of fines.
It is unclear as to exactly what form of individual accountability will be introduced in South Africa but the tone from the regulators is clear and points to the fact that senior management will be under increased scrutiny and attention when it comes to their own accountability for misconduct in the financial sector.
From 9 December 2019, the SMCR will apply to all authorised FCA regulated firms (including EEA and third country branches of such firms) in the UK. This means that some 46,870 firms will become subject to the regime, albeit in proportionate and more flexible form to reflect the range of firms that will now be covered, ranging from very small firms with limited permissions (the majority) to some of the largest global firms. The total costs of this initiative for all firms is estimated to be between £140 million and £190.5 million. In addition, UK branches of EEA firms are preparing for the additional SMCR requirements involved in becoming a third-country firm when the UK leaves the EU.
Banks have been subject to SMCR since March 2016, and insurers since December 2018; there were, prior to 9 December 2019, just under 7,000 approved senior managers. Nonetheless, the UK has not seen an avalanche of enforcement actions against senior managers. This may partly reflect the fact that the SMCR has prompted real improvements by firms in the allocation of responsibilities and in procedures, systems and controls to support senior managers in discharging their obligations under the regime, and in evidencing the reasonable steps that they have taken. However, it is also the case that, because of their career implications, enforcement actions against senior managers are almost always both hard fought, and costly and time consuming for the regulators to pursue. As at June 2019, of a total of 25 FCA investigations into individuals who hold senior management functions since March 2016, 15 remained open.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.