On Thursday last week, 5th November, the FCA published three Decision Notices, all prohibiting individuals from performing “any function in relation to any regulated activity carried on by any authorised or exempt persons or exempt professional persons” as each lacked “the necessary integrity and reputation required to work in the regulated financial services sector”.
The offences in the individual cases were egregious (I will not go into them, as this is a family-friendly show), but the FCA trumpeted the decisions as having been taken due to the individuals’ “non-financial misconduct”.
The FCA focused on its previously stated position that D&I (including reducing sexual and non-sexual harassment) went to the core of a firm’s threshold conditions and whether a person was “fit and proper”, which would cover these individuals’ offences.
However, there’s more to it than that.
- At its most basic, “operational resilience” is a matter of measuring how well one may rely on individuals and systems. The expectation is that firms make a judgement call (for which the firms are accountable) on individuals’, vendors’ and systems’ reliability. That would not be determined just by whether they were good at what they did, but also whether they were good generally.
- The FCA has huge flexibility in determining what (and how) to supervise: conduct & culture is a “door to everywhere” inside an organisation, and what the FCA considers as important for conduct & culture at any individual firm is up to the FCA.
- The SMCR puts the onus on firms to certify large numbers of staff. It might be better to be safe than sorry when looking at an individual’s personal, non-financial history (which firms will need to do).
- When WFH, the impact of staff’s personal conduct may not have the immediacy and visibility it would had they been in the office, but that makes it all the more important (and difficult) to monitor. Huge increases in ecomms profanity alerts are testament to how firms feel they need to find some measure of how “good” a person is acting (although what those firms do with/make of a positive alert to one of their staff members doing a swear is another matter altogether).
- The ongoing MAR review and the FCA’s Market Watch 63 (as well as FCA speeches and statements following, such as Julia Hoggett’s speech on 12 October 2020) highlight that although the authorities should like to make it clear that their definitions of “market abuse” and “insider trading” have not changed, the way firms monitor for abusive or manipulative acts and omissions must change: a staff member’s non-financial conduct (or conduct outside the work environment, as WFH is by-and-large outside the work environment) necessarily falls into the category of new issues which firms should take into consideration when building surveillance platforms. To put it bluntly: a staff member who acts inappropriately in his/her personal life is a staff member who would be prepared to act inappropriately in his/her professional life.
- I realise that even though the authorities are at pains to emphasise that conduct which is abusive or manipulative has not changed, it is reasonable to be concerned that they have, in fact, done so. One theoretical example springs to mind: a staff member does not deliberately seek to obfuscate or hide communications with clients but nevertheless does so (e.g. the client insists on him/her using Signal or Discord, which are not commonly recordable social media) – even if the communications do not result in any de facto abusive or manipulative conduct, the fact that the staff member was willing to use these media displays a lack of integrity, respect for process, fitness and propriety (I choose my words as if I was a regulatory authority rather than stating that this is correct) and a firm which permits this is one which breaches its threshold conditions.
In summary, then:
- “non-financial misconduct” may still mean “conviction for serious indictable sexual offences” but it is likely to be broader in the future (if it is not so already);
- more likely, “non-financial misconduct” will be viewed through a wider lens, including but not limited to general threats to D&I;
- firms had better start accepting that what they need to know about their staff and vendors is likely to be (so far as they are concerned) intrusive, ongoing and difficult to measure – which is where vendors come in (although this produces a curiously circular argument where firms have also to consider the conduct and culture or their vendors);
- firms would be well advised to review each social media platform and formulate a policy for each of them, rather than a general and generic “social media” policy;
- firms getting to know “the psychology of the individual” (as the great Bertie Wooster put it) is more than just a good risk/compliance exercise; not doing so becomes an existential threat; and
- a firm which encourages and supports D&I is likely to be a “good actor” with a “positive culture”; but in order to do encourage and support D&I, firms must remove threats to D&I (which threats would include non-financial misconduct and/or conduct outside the work environment) – failure to remove threats to D&I could well be a breach of the firm’s threshold conditions.
There is no better way than to end with a quote from Marc Teasdale, Director of Wholesale Supervision at the FCA, from September 2020 (with my added emphasis):
“Truly safe cultures support … diversity with an approach to inclusion that enables employees to bring their whole selves to work, and that creates a safe environment for people to present differing views, challenge accepted norms, and even call out where things may be going wrong. It follows therefore that firms that seek out and welcome diverse and differing views are more likely to successfully identify and manage risks, be less susceptible to group-think, and generally make better decisions.