FCA/PRA Diversity and Inclusion for Crypto and FinTech Firms: PART II

By Rodrigo Zepeda, CEO, Storm-7 Consulting

INTRODUCTION
In 2023, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (Bank of England (BoE)) (collectively the “regulators”) sought to engage with financial firms and other stakeholders, to discuss new proposed measures to boost “diversity and inclusion” (D&I) in financial services in the United Kingdom (UK).

In PART I of this four-part blog series, we defined and discussed key D&I concepts such as demographic characteristics, diversity, groupthink, inclusion, non-financial misconduct (NFM), and psychological safety. In PART II we will provide an overview of the D&I proposals, and we will identify the tiered standards that are to be introduced under the proposed FCA and PRA frameworks.

OVERVIEW OF THE D&I PROPOSALS
From a high-level perspective, the FCA/PRA proposals seek to:
(1) boost D&I to support healthy work cultures;
(2) reduce “groupthink”;
(3) unlock talent; and
(4) provide a better understanding of, and provision for, diverse consumer needs (FCA, 25 September 2023; FCA CP23/20, 7).

New rules and guidance will be developed to make it expressly clear to firms that NFM such as bullying, discrimination, and sexual harassment, poses a risk to healthy firm cultures (FCA, 25 September 2023). Whereas previously misconduct within authorised firms covered financial misconduct (e.g., financial fraud, financial wrongdoing, financial misstatements or irregularities), new D&I rules will now include a broadened concept of NFM.

This would seem to reflect an ongoing transition on the part of the regulators to more broadly supervise individual and firm behavioural conduct that may impact financial and regulatory objectives. Other recent practical examples include greater regulatory supervision of “conduct risk”, the implementation of the “Senior Managers and Certification Regime” (SMCR), and the implementation of the “Consumer Duty”.

The D&I proposals seek to better integrate NFM considerations into:

• Conduct Rules;
• staff fitness and propriety (Fit and Proper) assessments; and
• suitability criteria and guidance for firms to operate in the financial sector (FCA CP23/20, 5; 23, para. [4.7]).

These are collectively referred to as “Threshold Conditions” (i.e., the FCA’s set of minimum requirements needed for firms to carry on regulated activities).

Overall, the D&I proposals also seek to require firms to:

• collect, report, and disclose certain D&I data;
• determine and set appropriate diversity targets;
• establish, implement, and maintain a D&I strategy;
• recognise a lack of D&I as a type of “non-financial risk” (NFR) (examples of other NFRs include cyber, environmental, geopolitical, social, and technological risks); and
• report average number of employees on an annual basis (FCA CP23/20, 5).

NFM AND D&I STANDARDS FRAMEWORKS
It is important to understand that the proposed FCA framework is tiered in nature. This means a basic minimum standards framework (Minimum Framework) (also referred to as core proposals) applies to all firms, and then additional measures will be applicable only to “large firms” (Additional Measures Framework).

The characterisation of large firms in the D&I measures is made dependent on number of employees. However, “dual-regulated firms” (i.e., those firms that are regulated by both the FCA and the PRA) are treated somewhat differently. In addition, “Limited Scope” (LS) SMCR firms (SYSC 23 Annex 1 1.2R), which represent authorised firms whose only regulated activities are non-mainstream regulated activities, are generally excluded (FCA CP23/20, para. [1.6]). So, there is no standard “one-size-fits-all” approach that will always be able to be adopted to D&I regulatory compliance.

PROPOSED FCA NFM AND D&I MINIMUM FRAMEWORK
A summary of the FCA NFM and D&I Minimum Framework is set out below.

In practice, the FCA NFM and D&I Minimum Framework will mean:
(1) there is a minimum standard to be applied across ALL firms authorised under Part 4A (Permission to carry on regulated activities) of the Financial Services and Markets Act 2000 (FSMA);
(2) the NFM rules will apply to ALL Part 4A FSMA firms (this includes integration of NFM considerations into Threshold Conditions (where relevant));
(3) the D&I data reporting requirements (minimum obligations) for employee numbers will apply to ALL Part 4A FSMA firms (excluding all LS SMCR firms).

The minimum obligations for D&I data reporting for Part 4A FSMA firms at present are minimal. They only require firms to report their average number of employees annually using a single data return on the RegData platform, within a 3-month reporting window (FCA CP23/20, 26, paras. [4.31]-[4.32]). So, as we will see, in reality the issue for all non-Large Part 4A FSMA firms really boils down to application of NFM rules.

PROPOSED FCA D&I ADDITIONAL MEASURES FRAMEWORK 
A summary of the FCA D&I Additional Measures Framework is set out below. It covers data disclosure, data reporting, D&I strategies, risk and governance (R&G), and target setting.

Proposed FCA D&I Additional Measures Framework 

Additional D&I measures and requirements will only be applied to firms that are deemed to be “large firms”. The threshold for large firms proposed by the FCA is 250 employees, which means authorised firms with 251 or more employees will be deemed to be large firms. In practice, the proposed FCA D&I Additional Measures Framework will mean:
(1) D&I data reporting additional obligations will apply to ALL Large Part 4A FSMA firms (excluding all LS SMCR firms);
(2) the D&I strategy requirements will apply to ALL Large Part 4A FSMA firms (excluding all LS SMCR firms);
(3) the D&I strategy requirements will apply to ALL firms (of any size) that are FCA/PRA dual-regulated under “CRR” (Capital Requirements Regulation (Regulation (EU) No 575/2013) (applied within the UK)) and “Solvency II” (Directive 2009 (2009/138/EC) (applied within the UK)) (FCA CP23/20, 16) (CRR/Solvency II firms); and
(4) data disclosure, D&I target setting, and R&G requirements will apply to ALL Large Part 4A FSMA firms (excluding all LS SMCR firms).

Here, we will summarise the basic requirements for firms for each of these areas, albeit in practice these areas will have more detailed and prescriptive requirements set by the FCA for firms.

D&I DATA REPORTING (ADDITIONAL OBLIGATIONS)

General D&I Data Reporting

Firms will be required to:

• report such data “as is reasonably practicable”, explain the reasons for any gaps, and explain how such gaps will be closed (this is only during the first year, i.e., 2026, to provide firms with a transition period in which they can “comply or explain”);
• collect and report to regulators via a regulatory return, data obtained across a range of demographic characteristics, inclusion metrics, and D&I targets (annually); 
• report data to the FCA/PRA using a single data return (REPxxx Diversity and Inclusion) on the RegData platform (i.e., a joint FCA/PRA regulatory return) (FCA CP23/20, 23, para. [5.35]).

D&I Demographic Characteristics Data Reporting

The mandatory D&I demographic characteristics to be reported are:

• disability or long-term health conditions;
• ethnicity;
• religion;
• sex or gender;
• sexual orientation (FCA CP23/20, 33, para. [5.40]).

The voluntary D&I demographic characteristics to be reported are:

• carer responsibilities;
• gender identity;
• socio-economic background;
• gender identity;
• parental responsibilities (FCA CP23/20, 33, para. [5.40]).

The FCA has created a sample template to download, and has drawn up working guidance notes to help in completion of the template available in Annex 4 of FCA CP23/20 (FCA CP23/20, Annex 4).

D&I Inclusion Metrics Data Reporting

A firm must report on “inclusion metrics” which consist of measures of inclusion data reported on a 5-point scale (strongly agree to strongly disagree) (the data could be obtained via employee surveys) (FCA CP23/20, 36, para. 5.64]). These measures will identify whether employees feel:

• safe to express disagreement with, or challenge, the dominant decision or opinion, without fear of negative consequences;
• safe to make an honest mistake;
• safe to speak up if inappropriate behaviour or misconduct is observed;
• that their manager cultivates an inclusive environment at work;
• their contributions are valued and meaningfully considered;
• they are subject to treatment (e.g., actions, remarks) that had made them feel insulted, or badly treated, because of their personal characteristics) (FCA CP23/20, 36, para. [5.64]).

This inclusion metrics data is important, and we will refer back to it in the next two blogs.

D&I Target Setting Data Reporting

A firm must report on D&I target setting which covers the progress that firms have made towards achieving D&I targets that have been set. The D&I target setting data to be reported includes:

• any information the firm would like to be considered about the targets set;
• demographic characteristics firms have set targets for, and inclusion targets (if any);
• percentages for each target set;
• the rationale behind the targets set;
• the year each target was set;
• the year the firm is aiming to meet the target (FCA CP23/20, 37, para. [5.67]).

D&I STRATEGIES
A firm must develop an “evidence-based” D&I strategy that takes account of the firm’s progress on D&I, and which advances the FCA’s three Operational Objectives and its Secondary Objective (FCA CP23/20, 28, para. [5.7]; Blog PART I). The term “evidence-based” would seem to indicate that firms must base their D&I strategy on data and information obtained from either the firm, or externally, to provide evidence to support and justify the proposed D&I strategy.

Firms must then also report their D&I strategy which sets out:

• the firm’s D&I objectives and goals (O&G);
• a plan for achieving O&G and measuring progress;
• a summary of arrangements to identify and manage obstacles to achieving O&G; and
• ways to ensure adequate knowledge of D&I strategy amongst staff (FCA CP23/20, 28, para. [5.8]).

D&I DATA DISCLOSURE
Firms will be required to publicly disclose their D&I targets and their progress towards them every year. This is based on the diversity data that firms collect on their senior management and employees, but it is then reported publicly on an aggregated basis in percentages (FCA CP23/20, 39-40).

PFCA D&I Data Disclosure: Aggregated Public Disclosure 

D&I TARGET SETTING
A firm must set at least 1 target to address under-representation for each of:

• the firm’s senior leadership;
• the firm’s board; and
• the firm’s employee population as a whole (FCA CP23/20, 30, para. [5.21]).

When firms engage in target setting, they must take into account both their D&I strategy, and their current diversity profile (FCA CP23/20, 30, para. [5.24]). Firms will be required to publicly disclose their D&I targets, as well as their progress towards them annually (FCA CP23/20, 31, para. [5.29]). This is intended to promote transparency to firm stakeholders as well as the general public. 

D&I R&G
Firms will be required to recognise a lack of D&I as an NFR. NFRs include those that arise from a poor working culture within firms (FCA CP23/20, 42, para. [5.87]. The FCA is to issue guidance which makes it clear to firms that matters relating to D&I are to be considered as an NFR, and treated appropriately within the firm’s governance structures (FCA CP23/20, 24, para [5.89]).

Nevertheless, the FCA is NOT proposing to prescribe how firms consider such potential risks, which, for example, may stem from a lack of D&I owing to increased groupthink and poor decision-making (FCA CP23/20, 42, paras. [5.90]-[5.92]). This is despite masses and masses of banking and financial scandals, mis-selling scandals (e.g., interest rate hedging products, mortgages, payment protection insurance (PPI), pensions, packaged bank accounts), the sub-prime crisis, anti-money laundering sanctions and fines, and industry fraud and ponzi schemes (e.g., London Capital & Finance), which have cost UK consumers and taxpayers billions.   

Firms are therefore essentially left to report on their own internal bad behaviour, groupthink, lack of psychological safety, and poor decision-making. In addition, if risk management and internal audit functions are undertaking reporting, there is no way for such functions to report on any groupthink and poor decision-making that may occur within their own functions. The expectation from the FCA seems to be that it would be impossible or unthinkable for such internal functions to engage in bad or egregious behaviour, groupthink, or poor decision-making themsevles - they are 100% trustworthy.

PROPOSED PRA D&I FRAMEWORK
As our predominant focus is on crypto and financial technology (FinTech) firms, and given space constraints, we will only set out a high-level summary of the proposed PRA D&I framework (below). However, we will use the PRA D&I framework to compare FCA and PRA approaches to culture, NFM, and NFRs in the next blogs. The 251 employee threshold is applied to identify “Large” CRR and Solvency II firms.

Proposed PRA D&I Framework 

SUMMARY
We now have a solid basic understanding of the key concepts behind the proposed D&I measures, which are demographic characteristics, diversity, groupthink, inclusion, NFM, and psychological safety. In addition, we have set out an overview of the D&I proposals and the tiered standards to be introduced under these new regulatory frameworks. In the next blogs, we will identify all the issues and problems that the proposed D&I measures may raise in practice.

In theory, these are all issues and problems that should have been identified by the FCA and PRA. I am always surprised by how in Consultation Papers, the regulators, which owe a duty of public accountability, always include a Cost Benefit Analysis (CBA), but NEVER include a detailed risk analysis. It is as if they either want to keep the risks hidden from the public, or worse still, they have failed to consider these risks. 

In PART III of this blog series, we will analyse how new NFM obligations fit into the D&I framework, what they will entail, and more crucially, how this will affect and impact crypto and FinTech firms.