In September the PRA and FCA released co-ordinated Consultation Papers on Diversity & Inclusivity in the Financial Services sector, building on the previous Discussion Paper from July 2021. Progress has been slow, albeit the issue is one that continues to receive much attention across our industry and in wider societal conversations. Our industry has had more than its fair share of negative headlines on the subject, with periodic LinkedIn posts featuring images of a white male group of senior leaders accompanied by an observation about the lack of diversity being something we have probably all seen at some stage.

This latest move is therefore welcome and we can expect to start seeing some positive regulatory change in 2025. That might seem distant, but these are changes that will take time both to get right and to implement. Much like the proverbial supertanker seeking to change direction, cultural change of this nature cannot effectively be implemented quickly. It will take time and strong leadership.

The FCA & PRA Proposals And Scope

With many firms being subject to regulation from both the PRA and FCA, it is to be welcomed that the regulators have acted collectively. And where they have been able to apply a common approach, they have sought to do so.  

• FCA: CP23/20 Diversity and inclusion in the financial sector – working together to drive change will require all FSMA firms with a part 4A permission to meet a minimum standard, with additional requirements for firms with 251 or more employees.
• PRA: CP18/23 Diversity and inclusion in PRA-regulated firms applies to Solvency II firms, including third country insurance branches, again with some limitations for smaller firms.

Broadly, the collective objectives can be defined as:

• supporting more effective and prudent decision-making and risk management;
• creating healthier firm cultures;
• reducing groupthink;
• unlocking new talent for our industry; and
• developing a greater understanding of, and provision for, diverse consumer needs.

In addressing these objectives, the main proposals from the two regulators are, not unsurprisingly, very similar, although both use slightly different language to suit their existing regulatory framework.

The key areas covered, and our suggested actions for firms to consider now, are:

Diversity & Inclusivity Strategy

Both FCA and PRA regulated firms will be expected to have a firm-wide strategy and both define, in broadly similar terms, what they expect it to cover. The PRA report that 76% of respondents to its D&I survey already had a policy in place. It’s not however clear how many of those may meet the new ‘expectations’ of each regulator. The proposed rules would apply to all firms. The use of the term strategy rather than policy is an intentional one, to help reinforce the more proactive approach expected of firms.

ICSR recommended action: if you already have a strategy or policy, you should review it against the likely expectations. If you do not have a D&I strategy, it’s time to start developing it.

Non-financial Misconduct

This is primarily an area of focus for the FCA, who have the existing rules that make the implementation of any changes a simpler process. They are proposing changes to include non-financial misconduct within the Conduct Rules (COCON), Fit and Proper assessments (FIT) and suitability guidance on the Threshold Conditions (COND). The FCA has been at pains to observe that it feels many firms already apply a very similar approach to such misconduct and this is about ensuring a consistent standard is applied given the impact such behaviour can have on the culture within a firm. It says that “…conduct that could damage such public confidence is likely to mean that the person is not fit and proper.”

ICSR recommended action: the proposed changes will have an impact on employees at all levels within regulated firms. Firms should review their employment contracts, employee handbooks and guides to ensure they are consistent with the additional forms of non-financial misconduct that the FCA is seeking to take action against. Procedures for the assessment of Fitness and Propriety will need to be reviewed.

Monitoring D&I / Data Reporting

The PRA reports that questions relating to data and regulatory reporting in the previous Discussion Paper received the most interest from respondents, with the vast majority supporting the need for additional reporting to help drive behavioural change. The PRA proposals will however only apply to firms with 251 or more employees, except that all firms will be required to report employee numbers to enable it to establish which firms are in scope. For the larger firms, the PRA is proposing to produce aggregated benchmarking data to help firms assess their own performance. Given what we have seen in other areas where the regulators use data to identify ‘outliers’, this will benefit firms but is also likely to highlight those that are not within what might be considered as norms. A joint PRA and FCA return is proposed, covering mandatory (age, sexual orientation, sex or gender, long term health conditions, ethnicity and religion) and voluntary (gender identity, parental responsibilities, carer responsibilities, socio-economic background) data points. The approach taken with the gender pay gap reporting appears to have worked well and a similar approach makes sense here.

ICSR recommended action: across the mandatory and voluntary data points, it is unlikely most firms will have the existing capability to report to this level of detail and work will be required both to request the information from employees and to create the necessary systems to safely record it. Firms should also be mindful that much of this data is considered ‘special category data’ by the Information Commissioners Office because of its sensitivity, something that will raise additional considerations when developing the process to capture this data. This is something to begin work on soon.

Disclosure

Both the FCA and PRA propose requiring firms to make public disclosure of the data reported to them, albeit in percentage rather than numerical terms, with the same rules on what is mandatory to disclose and what may be disclosed on a voluntary basis applying. There is some guidance given to provide flexibility in how data is reported, to protect the privacy of individuals where identifiability is a concern.

ICSR recommended action: there is no specific guidance given in how firms disclose this data, only when they must do so. Firms required to publish annual reports & accounts are already using that platform to publish such data in many cases and using this platform would almost certainly meet the timing requirements. It may be that the data can be neatly included in the data reported to meet ESG requirements. But for smaller, privately owned firms, there is a need to consider how, when and where that will be published. The website is the obvious platform, but it may require new sections to support this. Develop your plan now.

Setting Targets

The PRA and FCA have adopted slightly differing approaches, although in both cases the rules apply to all firms. The FCA proposes firms be required to set diversity targets across the board, senior leadership and the employee population as a whole. Inclusivity targets would be voluntary. The FCA rules would apply to those parts of Third Country branches staffed in the UK. The PRA approach on target setting is proposed to be restricted to firms with 251 or more employees “…for the board, senior leadership, and throughout the employee pipeline, for demographic characteristics identified by the firm, as appropriate for their circumstances.”. These are expected to cover women and ethnicity at a minimum if the firm is underrepresented in those areas, albeit firms would be given the flexibility to decide what that meant in their own scenario. Both the PRA and FCA are likely to require targets to be published, although the PRA are suggesting this obligation may be restricted to larger firms, whereas the FCA appear to be leaning towards all firms being required to publicly disclose their targets.

ICSR recommended action: dual-regulated firms will need to consider the respective PRA and FCA proposed rules carefully as there is some divergence. All firms should begin work to define what ‘normal’ representation might mean for them, so they can set meaningful targets and consider carefully what the respective set of rules would require of them.

Risk & Governance

The FCA have introduced the concept of non-financial risk as part of their proposals.

“We propose to introduce new guidance for large firms to make clear that matters relating to D&I are to be considered as a non-financial risk and treated appropriately within the firm’s governance structures.”

It proposes that both Risk and Internal Audit functions will assume some responsibility for contributing to progress on D&I matters. It identifies risks such as increased group think and poor decision making as being factors that lead to poor outcomes for consumers. Other support functions such as HR, Corporate Responsibility and Conduct specialists also get a mention.

ICSR recommended action: all functions within your firm need to consider how they can contribute to an improved approach to Diversity & Inclusivity within the business, but Risk and Internal Audit have been singled out by the FCA. For Risk this will mean appropriate adjustments to the Risk Framework and Risk Policies such as for Operational Risk and for Internal Audit, a review of annual planning and audit activities to include a review of arrangements for D&I.

Individual Accountability

The regulators have given much thought to this and it was an area that generated a diverse set of feedback. Both the PRA and FCA have stopped short of requiring a specific Senior Management Function holder to be given Prescribed Responsibility for Diversity & Inclusivity, observing that existing PRA rules require an SMF to be assigned responsibility for culture. The FCA have suggested firms may wish to give responsibility for D&I to a specific SMF if a firm wishes to focus attention on the issue. Given the implications for the individual, we consider it unlikely many firms will take this approach.

ICSR recommended action: firms may wish to review their existing Statements of Responsibility for SMFs to ensure existing definitions will remain suitable.

Wider Industry Response

Lloyd’s & the ABI have both made significant progress with their own responses to the issues of Diversity & Inclusivity in recent years. Lloyd’s Dive In festival is an annual event, now in its ninth year, and one that would appear to have achieved the holy grail of both management and wider workforce engagement. More interestingly, it is rapidly becoming an industry event, with over 25 insurers, brokers and service partners signing up as ‘Global Festival Partners’ in 2023. As tenants in the Lloyd’s building, we have seen for ourselves the impact the Corporation-wide engagement delivers – this video promoting the event sums it up rather well.

In 2022, the ABI launched their own Diversity, Equity and Inclusion (DEI) Blueprint and in its update published 10^th October 2023, it says in response to the PRA and FCA Consultation Papers:

“We agree with the regulator’s assessment of the importance of DEI and are confident that the ABI’s DEI Blueprint represents a strong framework by which firms can develop their own DEI strategies, as proposed in these consultations.”

Perhaps it is a reflection of the more limited impact for the generally smaller brokers represented by BIBA that it has, at least publicly, been far less vocal on the issue, or indeed what the proposed regulatory changes might mean for its members. Those brokers are not immune to the regulatory change though and should ensure they are well-acquainted with what the FCA has proposed, even if they employ less than 250 staff.

Next Steps

Both the FCA and PRA have given interested parties until 18^th December to respond to their proposals. With a response and final rules promised in 2024 and implementation 12 months thereafter, it is likely to be mid-2025 before any new rules take place. Implementation for PRA and FCA regulated firms would then be required as follows:

• The first regulatory reporting would be due during a three-month window following the rules coming into effect, with a reference date to be confirmed upon publication of the final policy. This would be on a ‘comply or explain’ basis, meaning if firms are unable to gather all the required data for reporting in the first year, they would be asked to explain why. With the required data already reasonably clear, we see little basis on which most firms should be unable to meet this obligation and ‘explaining’ to the regulator may be considered symptomatic of wider issues, not a perspective you want the regulator to form.
• The first mandatory disclosures would be required to be made alongside firms’ annual reports, in the second year after the rules come into effect, although firms could also choose to make disclosures sooner, on a voluntary basis.

It’s worth mentioning too that from a product perspective the FCA see the Consumer Duty as implementing the necessary changes on D&I. That has not been an easy implementation for many firms and against the backdrop of this paper, it would be well worth firms revisiting their approach to Consumer Duty with a D&I lens.

Conclusion

The timeline for feedback, publication of new rules and application of those may sound like it is some way in the future, but as we have already observed, diversity & inclusivity and the wider cultural challenges are not changes that can be made quickly. With it generally being the case that the variance between consultation and final rules is relatively minor, firms would be well-advised to start planning for these changes now and our recommended actions are designed to assist firms begin planning their response. This is most certainly not simply a case of meeting yet another set of regulatory requirements – it is an opportunity for firms to become more customer focussed and seek to drive better outcomes for it and its customers. Indeed, the FCA specifically links this work to part of the way it is addressing its new secondary growth objectives and it is one of the first points made by Nikhil Rathi in his Foreword.

We do have slight concerns around the question of responsibility. Whilst we can understand the reasons why the regulators have chosen not to introduce any new and specific prescribed responsibilities for individual SMFs, there is a risk that ownership might not be clear. The firms that have demonstrated the most effective approaches to D&I are those that have placed ownership of the issue at Board Level. Clearly not all senior leaders currently have the same view of the importance of the issue – or this regulatory action would probably not have been necessary. It remains to be seen therefore, whether the new rules give the regulator sufficient clout to be able to drive the change it seeks.

Overall though, these proposals make broad sense and it would appear those who took the time to consider and respond to the initial Discussion Paper broadly supported what was being proposed. Those firms that take the time now to consider these more formal proposals and what actions their firm might need to take, will be well-placed to ensure they can make any necessary change in direction required.

If you have any questions about the PRA and FCA Consultation Papers or would like to discuss what actions your firm may need to take, please speak with the author or your usual ICSR contact.