INDIVIDUAL INFLUENCE

PERSONAL MATTERS – How will the risks to firms from individuals’ behaviour increase in 2024?

18/01/2024

Financial regulators in the UK have been interested for some years in the question of how personal behaviour can affect the risk profile of a financial institution. A recent SEC case suggests that US regulators may now be following suit. What risks to firms will flow as the regulatory focus on conduct broadens and intensifies? Further, what will be the impact of the UK’s expanded ‘identification doctrine’ on firms’ exposure to criminal prosecution? It seems to us that 2024 is shaping up to deliver increased exposure to firms from their employees and other connected individuals.

Culture and conduct has been a top priority area for financial services regulators in the UK for many years – as we have discussed in earlier issues of this publication. However, certain legal and regulatory changes expected in the coming year have the potential to bring with them a different scale of non-financial risks for financial institutions. Heading into 2024, we anticipate people-related risks for firms taking new and different forms – both in the UK and the US.

New guidance for UK firms on impact of non-financial misconduct

In the UK, we await the output of the PRA and FCA’s separate but concurrent consultations in their respective papers on diversity and inclusion (FCA CP20/23 [1] and PRA CP18/23 [2]) on the role ‘non-financial misconduct’ should play in firms’ assessments of whether their key people are fit and proper to perform roles in which they have the potential to cause significant harm to the firm or its customers. Both regulators are currently proposing that, in addition to workplace misdemeanours, the way in which a person behaves in their private life may be relevant to the assessment of their fitness and propriety to perform key roles. It remains to be clarified whether this will impose an obligation upon firms to enquire into the private lives of their people, and if so, how such an obligation can be squared with other legal rights and protections (not least under data protection laws). In addition, the UK conduct regulator, the FCA, is proposing that behaviour in the workplace that is not conducive to a ‘good working environment’ (being one in which “each employee feels respected, valued and able to give their best; and is treated fairly and with dignity and respect”) may amount to a regulatory breach. It is further proposed by the FCA that firms whose senior managers have been dismissed or asked to resign in circumstances where they have not behaved in a manner conducive to a good working environment may no longer be capable of fulfilling their ‘threshold conditions’ (minimum standards that firms must meet to become and remain authorised).

US SEC increases focus on ‘human capital risk’

Last year saw a settlement in which the US SEC charged Activision Blizzard with failing to maintain adequate disclosure controls and procedures relating to workplace complaints and, in so doing, seemingly expanded the types of workplace conduct that must be tracked. The SEC’s settlement with Activision Blizzard is here[3]. In this case, no claim was made that the company’s SEC filings were false or misleading. Instead, the SEC charged that management was unable to evaluate whether employee complaints indicated a material risk that might need to be disclosed because the company did not adequately collect information about such complaints.

Although left unmentioned in the settlement, the company had recently faced regulatory charges relating to equal pay violations and sexual harassment. The company agreed to cease and desist from causing future violations and to pay a $35 million penalty. It did not admit to or deny the findings.

The settlement order can be seen as a new initiative to induce companies to strengthen their controls and procedures in relation to what the SEC has termed ‘human capital risks’, whether or not they face a material disclosure issue. In particular, it seems that the effect is to broaden the categories of non-financial information that a company must track, including relating to workplace misconduct where the company has made disclosures about staff retention and culture. However, because this case reflects a negotiated settlement, it is unclear how far the SEC will enforce this approach against other companies. What is clear though is that unless management can appropriately monitor and evaluate all potential risks, including issues relating to their working culture and environment, a company may be vulnerable if such issues become significant.

Expanded UK corporate criminal liability

In the UK, we will also be monitoring the impact of the new Economic Crime and Corporate Transparency Act 2023, which passed on 26 October 2023. This new legislation materially expands the scope of individuals whose criminal conduct can be attributed to a company, under the ‘identification doctrine’, for economic crime.

Previously, companies could only be criminally liable for offences committed by persons considered to be their ‘controlling mind and will’, a status primarily determined by analysing the allocation of power under the articles of association. Typically, the persons who fall within scope are the board, the managing director, and other superior officers, although power can be formally delegated to others.

However, under the new Act, companies will be criminally liable for a long-defined list of economic crimes (including offences under the Theft Act and tax, money laundering and bribery offences) committed by ‘senior managers’ “acting within the actual or apparent scope of their authority”. ‘Senior managers’ are defined as individuals who play a significant role in either decision-making about how the whole or a substantial part of the activities of the company is to be managed or organised, or the actual managing or organising of a substantial part of those activities. This represents a very significant expansion of the population of individuals whose behaviour can give rise to criminal liability on the part of the firm.

Although the new Act does significantly expand corporate liability in the UK, it is still more restrictive than corporate criminal liability in the US. In the US, under the respondeat superior doctrine, corporates are liable for the acts of all employees if the act was done within the course and scope of employment and at least in part for the benefit of the corporate. It also applies to all crimes, not just an enumerated list. On this last point, however, we note that the UK Criminal Justice Bill that was introduced in November 2023 proposes to extend the reform of the identification doctrine to all criminal offences. So the gap between the UK and US approach to corporate criminal liability could be set to narrow further.

CONCLUSION

This coming year more than ever before, regulated financial services firms will need to ensure that their legal, compliance and human resources teams are briefed and working effectively together to identify, monitor and proactively manage these new categories of people-related risk.

MEET THE AUTHORS

Polly James

Partner and Global Practice Leader, London

David Rundle

Partner, London

R. Randall Wang

Senior Counsel, St. Louis