In July 2014, the recently divorced Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA) came together once more to produce a Joint Consultation Paper entitled ‘Strengthening accountability in banking: a new regulatory framework for individuals’ [1]. Following the scandals of the GFC, LIBOR and PPI, the regulators believe that holding “individuals to account is a key component of effective regulation”. The regulators pointed out that their extensive proposals were intended to “create a new framework to encourage individuals to take greater responsibility for their actions, and will make it easier for both firms and regulators to hold individuals to account”.
The key words throughout the consultation paper are ‘individual’, ‘responsibility’ and ‘accountability’.
A Significant Change to Regulation
The joint consultation heralds a significant change to regulation which WILL have a major impact on all financial institutions operating in the UK, including international banks. There are three major sets of changes proposed by the regulators: a new Senior Managers Regime (SMR); a new Certification Regime, covering those employees “who could pose a risk of significant harm to the firm or any of its customers” (a very wide net indeed); and a new set of “Conduct Rules”. Although the first two changes are significant and will be covered by other commentators, here we discuss only the implications of the new Conduct Rules.
The consultation warns that the new Conduct Rules will not only apply to those covered by the Senior Manager and Certification Regimes but that the FCA “will also apply them to most employees of relevant firms … based in the UK or who deal with customers in the UK”. Basically, this is everyone employed by an FCA-regulated entity, except for a (fairly long) list provided in the document of occupations such as security guards, drivers, cleaners and, intriguingly, “Corporate Social Responsibility staff”. Essentially, one can assume that everyone in a professional role, whether qualified or not, will be covered by the new rules. And, for general discussions on Codes of Conduct, it is easier to assume that the vast bulk of employees will be covered by the FCA rules and ‘guidance’.
The consultation paper proposes five Conduct Rules for ‘individuals’: (1) You must act with integrity; (2) You must act with due skill, care and diligence; (3) You must be open and cooperative with the FCA, the PRA and other regulators; (4) You must pay due regard to the interests of customers and treat them fairly; and (5) You must observe proper standards of market conduct. In addition, new rules are proposed for senior managers and many points of ‘guidance’ are given to firms.
At this point, it must be admitted that it is impossible to squeeze 395 pages of arcane legal text into the few pages available here and it is likely that this consultation paper will generate many thousands (maybe millions) of billable hours for lawyers and consultants when it is finally enacted. However, Rule 1 “You must act with integrity” is sufficient to illustrate the problems that regulated firms and the regulators themselves will face in making the new rules work.
Act with Integrity
Sounds simple? You (i.e. everyone in the firm) must act with ‘integrity’. But what is integrity? Easy to say, but hard to define. And to prove that point, the regulators do not attempt to define it, instead giving a very long list of examples of what Integrity is NOT, such as ‘falsifying documents’. Some of these examples are fairly obvious but others less so, such as “Not paying due regard to the interests of a customer”. But what is ‘due’ regard? How is due regard to be measured? And how will we know that an employee didn’t pay due regard? Resolving such questions when the regulations are enacted will be a legal nightmare for firms and a bonanza for lawyers.
Regulatory Code of Conduct
In the consultation paper, the PRA and FCA propose a new Code of Conduct ‘sourcebook’ (or formal set of regulations), called C-CON, which will enshrine the rules for acceptable conduct for the regulators. The section (Annex A) in the paper that proposes the requirements for a Code of Conduct, is long, legalistic and complex. It is obvious that C-CON cannot be transferred willy-nilly into a firm’s corporate Code of Conduct, because it is just too complex! Nor is it likely that a firm will jettison its own code of conduct for that proposed by the regulators, for the simple reason that the regulators’ code covers only a subset of the rules of conduct applicable to any sizeable firm, specifically those related to customer interactions, and not for example covering suppliers. When it is finally placed into law at the end of the consultation period there is likely to be an enormous amount of work needed to update corporate codes of conduct to incorporate the mandated changes. And in the translation, discrepancies WILL creep in, opening firms to possible censure down the line.
Regulations, such as the Sarbanes-Oxley Act, require that firms have a formal Code of Conduct (or Business Ethics) to which executives must attest compliance each year. Financial firms regulated by the PRA/FCA will be forced to incorporate C-CON changes into their own corporate codes, or alternatively have multiple codes, which will be a legal nightmare.
But is updating the corporate Code of Conduct sufficient?
The Open Compliance and Ethics Group (OCEG), a not-for-profit group that aims to improve corporate governance standards, identifies what it calls the ‘Code of Conduct Conundrum’ [2], in which firms spend considerable time and effort crafting codes of conduct but do not understand nor measure what value such codes actually have. If corporate Codes of Conduct are constructed merely to comply with regulations, they are little more than an expensive waste of time.
Corporate Codes of Conduct are, of necessity, ‘one size fits all’ documents. But not every employee in a firm faces the same ethical dilemmas. For example, a salesperson being asked by a client to ‘falsify’ a mortgage application by ‘slightly’ overstating income is in a very different situation to a risk manager who is asked to approve a new risk report which he/she suspects, but cannot prove, might underestimate the firm’s risk (as for example occurred in the JPMorgan Whale case [3]). Employees have to work out for themselves what ‘falsifying documents’ means in their particular circumstances, and unfortunately may come to the wrong conclusion. Furthermore, they have to do that for ALL of the new rules. Chances are – someone, somewhere will get it very wrong.
In the new regulations proposed by regulators, firms are required to “take all reasonable steps to ensure that those persons understand how the rules in C-CON apply to them”, and are required to provide ‘suitable training’ which should “ensure that those who are subject to the rules in C-CON have an awareness and broad understanding of all of the rules in C-CON, and that they also have a deeper understanding of the practical application of the specific rules which are relevant to their work”.
Since it is the firm, rather than its employees, that is subject to these extremely strict requirements, how can a firm ensure that ALL employees actually do have a DEEP understanding of their individual responsibilities? One could ask the employees, of course, but they are probably going to say ‘Yes – We understand’. However, such a ‘tick in the box’ is unlikely to absolve the firm from sanctions, if/when there are subsequent problems.
Since there will be a lot of work to do anyway in meeting the new regulations, maybe it is time to step back and reconsider the purpose of ‘Codes of Conduct’?
Personal Codes of Conduct
Since the new regulations are aimed at the ‘individual’, why should individuals not be encouraged to construct a ‘Personal Code of Conduct’ that is specific to their role? Sounds crazy, impossible?
Under the new FCA/PRA regulations, firms are required to provide training for their employees in their INDIVIDUAL responsibilities and then to assess their understanding of those responsibilities. What if the output of such training sessions was not merely the result of a generic assessment test but a personalised code of conduct produced by the employee him/herself, taking the firm’s corporate code and applying it to the day-to-day interactions of their own job? Such an exercise, obviously facilitated by HR experts and trainers, would make the corporate Code of Conduct personal and relevant to the individual, and the quality of the output (as assessed independently by Human Resources and line managers) would indicate the employee’s actual level of understanding of their responsibilities.
Furthermore, if creation and on-going maintenance of a personal code was tied to an individual’s compensation, then there would be a positive incentive for employees to improve their understanding of their individual responsibilities. And production of high-quality personalised codes of conduct would go some way to proving to regulators that firms were indeed taking their regulatory responsibilities seriously.
But, while useful in demonstrating a sufficient level of initial understanding, creating a code and leaving it on a shelf will not maximize its potential, nor protect the firm against sanctions. On the other hand, if employees were encouraged by management to keep their individual codes close to hand and to refer to them whenever conduct issues or conflicts of interest arise, the code would then become a living document that would help to drive good conduct. In future, a personal code could be an ‘App’ on the employee’s tablet (we will all have one soon) to which the employee can continually refer and which they can update when new issues arise. Access to, and considered updates of, a person’s code could be monitored to measure and reward ‘understanding’.
The old way of doing things, creating an eloquent, inspirational Corporate Code of Conduct that is communicated TO employees and then usually relegated to the bottom drawer after induction, has not worked. New ideas are needed. If individual responsibility is important, codes of conduct must be somehow personalised. To do that, Risk Managers must begin to talk about these issues to Human Resources and vice versa. We have a lot to learn from one another in developing workable Codes of Conduct in particular and managing People Risks in general.
People Risk Management
The risk that an employee deliberately or inadvertently breaks regulators’ rules is a People Risk as it can lead to substantial fines and sanctions on the firm and its employees. Both firms and employees will need to understand these People Risks and take action to manage them. This blog is one of a planned series that will discuss facets of People Risk in general and Conduct issues in particular. It is obvious that those functions within a corporation that deal with people and conduct issues on the frontline, such as Human Resources, Risk Management, Audit and Compliance, must understand the concept of People Risk because failure to manage it may result in significant damage to the firm.
[1] See FCA CP14/13 / PRA CP14/14 at http://www.fca.org.uk/news/cp14-13-strengthening-accountability-in-banking
[2] See ‘The Code of Conduct Conundrum’ at http://www.oceg.org
[3] See McConnell, P. J., 2014, ‘Dissecting the JPMorgan Whale: a post-mortem’, Journal of Operational Risk, Vol. 9, No. 2