October 2023
The long-awaited PRA and FCA consultations on diversity and inclusion (D&I) have been published, following on from the 2021 joint Bank of England (BoE), PRA and FCA Discussion Paper on diversity and inclusion in the financial sector.
The consultations overlap significantly as the regulators worked closely to develop their parallel proposals. While specific requirements will be proportionate, based on a firm's size and type, the overarching messages are clear: the PRA and FCA expect firms to develop D&I strategies and targets, consider D&I in their board and firm-wide governance, and make relevant disclosures both externally and via regulatory returns.
Scope
FCA CP23/20 is relevant for firms with a Part 4A FSMA permission who are subject to the FIT, COCON and COND parts of the FCA Handbook. The requirements vary by firm type; for example, some exclude Limited Scope SM&CR firms [1] and smaller firms (those that employ under 251 people). CP23/20 does not apply to non-Part 4A FSMA firms such as credit rating agencies, payment services and e-money firms.
PRA CP18/23 applies to banks and insurers in scope of CRR and Solvency II; non-CRR firms (e.g. credit unions) and non-directive firms are excluded. On 11 October, the PRA clarified that CP18/23 applies to all CRR and Solvency II firms, including third party branches in the UK, and friendly societies that are subject to Solvency II. The original publication mistakenly stated that friendly societies were out of scope.
Firm-wide diversity and inclusion strategies
What: Both the FCA and PRA propose that firms should develop a D&I strategy that outlines:
- The firm's core values, the culture that it is trying to create and its commitment to D&I;
- Objectives and goals for improving diversity and inclusion, as well as a plan for achieving them;
- Ways of measuring progress against the objectives and goals; and
- The firm's role in fostering an open and inclusive environment where staff are able to express their views.
The regulators have been clear that they would expect a firm's senior leadership and board to own the strategy, with its development and review to be supported by the appropriate risk and control functions.
The firm-wide D&I strategy should be published in an accessible format on the firm's website.
Who: All dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, regardless of size. The requirement would also apply to large FSMA firms with a Part 4A permission that are required to follow the FIT, COCON and COND parts of the FCA Handbook (excluding Limited Scope SM&CR firms).
Targets
What: The PRA and FCA propose that the largest firms set targets for underrepresented demographic groups, as well as a strategy on how to meet these targets. The targets would apply at all levels of the firm: board, senior leadership and throughout the employee pipeline. The regulators have deliberately not been prescriptive about what the targets should be, recognising that a one-size-fits-all approach would be unworkable. While firms would be expected to set targets for women and ethnicity at a minimum, they would decide what underrepresentation looks like for their own circumstances and set targets for those characteristics accordingly. The targets, progress towards them and the accompanying strategy would need to be disclosed annually.
Firms should note that the PRA would not consider it appropriate for them to use these proposals as the sole reason to expand the size of their board. The PRA has also stressed that the proposed requirement to set targets would not breach the Equality Act 2010 or any other relevant legislation.
Who: All large dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, and all large FSMA firms with a Part 4A permission that are required to follow the FIT, COCON and COND parts of the FCA Handbook (excluding Limited Scope SM&CR firms).
Regulatory reporting
What: The PRA and FCA both propose that firms report their total UK employee numbers to help regulators monitor which firms should be in the scope of their additional requirements.
Who: All dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, regardless of size, and all FSMA firms with a Part 4A permission that are required to follow the FIT, COCON and COND parts of the FCA Handbook (excluding Limited Scope SM&CR firms) regardless of size.
What: Larger firms would need to report mandatory data on the following metrics to the regulators via a single template: age, sexual orientation, sex or gender, long term health condition, ethnicity, and religion.
Firms would also be able to report the following metrics on a voluntary basis: gender identity, parental responsibilities, carer responsibilities, and socio-economic background.
The regulators have included categories that go beyond legislated protected characteristics, seeking to gain data on other factors that can affect employees' work experiences. They have also been clear that they are not creating a new requirement for employees to disclose sensitive information to their employers: a 'prefer not to say' category is applicable to all the above characteristics.
Who: All large dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, and all large FSMA firms with a Part 4A permission that are required to follow the FIT, COCON and COND parts of the FCA Handbook (excluding Limited Scope SM&CR firms).
Public disclosure
What: In addition to the external disclosures already referenced (D&I strategies and targets), both the FCA and PRA propose that all large firms should disclose data on the percentage of employees in the different demographic characteristics, following the same mandatory/voluntary grouping described above.
The regulators propose that specific disclosures on sex, gender and ethnicity should be split into three categories to cover differing levels of seniority within firms: board, senior leadership and employee population. Firms are not expected to make disclosures that would breach data protection legislation or privacy laws. Where disclosures run the risk of identifying individual employees, firms may group the employee categories together (e.g. board and senior leadership as one category).
Who: All large dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, and all large FSMA firms with a Part 4A permission that are required to follow the FIT, COCON and COND parts of the FCA Handbook (excluding Limited Scope SM&CR firms).
Board governance
What: The PRA proposes that firms disclose their board D&I strategy alongside the firm-wide strategy (as described above). The PRA rejects the argument that there is a limited talent pool for diverse board-level appointments. It recognises the short-term difficulties in achieving diversity at executive level, but notes that firms should focus on the employee pipeline and succession planning, and use alternative recruitment methods for wider board appointments.
Who: All dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, regardless of size.
Non-financial misconduct
What: Changes are proposed to the FCA Handbook to reflect non-financial misconduct as 'misconduct', not an additional principle. Firms will be expected to consider bullying, sexually or racially motivated offences (including in an individual's private life), harassment or other similar behaviour when assessing conduct and fitness and propriety. Non-financial misconduct would be included explicitly in:
- The Conduct Rules.
- Fit and Proper assessments.
- Suitability guidance on the Threshold Conditions.
Who: Non-financial misconduct requirements will apply to all FSMA firms with a Part 4A permission that are subject to the FIT, COCON and COND parts of the FCA Handbook, regardless of size.
Individual accountability
What: The PRA proposes to assign D&I accountability to a Senior Management Function (SMF), but states that ‘SMFs would not be held to account for a failure to meet diversity targets’. Instead, it proposes that SMFs should ‘be able to discuss with the PRA the reasons that firms set certain targets and, if they are not going to be met, the reasons why’.
Who: All dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, regardless of size.
What: For firms in scope of its Prescribed Responsibilities (PRs) on culture, the PRA proposes that the PRs be clarified to include responsibility for the development and implementation of diversity and inclusion strategies. PR I, usually held by the Chair, sets out responsibility for leading the board’s development of a firm’s culture. PR H, usually held by the CEO, includes responsibility for overseeing the adoption of a firm’s culture in its day-to-day management.
Who: All dual-regulated firms to which the CRR applies and with assets greater than £250 million, and all dual-regulated firms to which the Solvency II parts of the PRA Rulebook apply (excluding third country branches).
Risk and governance
What: The FCA proposes to introduce new guidance for large firms to make clear that matters relating to D&I are to be considered as a non-financial risk and treated appropriately within the firm's governance structures. The PRA expects development and review of the D&I strategy to be supported by appropriate risk and control functions at the firm, and for these functions to play a role in ensuring the risks involved in having poor D&I are managed alongside other business risks. Neither regulator is being prescriptive on how firms should achieve this.
Who: All large dual-regulated firms to which the CRR and Solvency II parts of the PRA Rulebook apply, and all large FSMA firms with a Part 4A permission (excluding Limited Scope SM&CR firms).
What next?
Firms have until 18 December to submit responses to both consultations, with the final policy expected in 2024.
The proposed timelines for reporting and disclosure are:
- Regulatory reporting: submitted to regulators annually, with the first round due within three months of the rules coming into effect. The first returns would be on a 'comply or explain' basis. Submissions from the second year onwards would include all mandatory datasets.
- Public disclosures: required in the second year after the rules come into effect, alongside firms' annual reports.
These consultations will be closely considered by firms and will no doubt lead to many suggestions and requests for clarification from impacted firms. While firms are likely to have some time following the end of the consultation period in December before final rules are published (likely early next year), it appears clear that proposals of this nature will soon be a reality as regulators continue to prioritise culture and conduct across the sector. These proposals require thoughtful consideration from several multi-disciplinary angles, including, at the very least, legal (employment and data protection in particular), HR/ER, governance, risk and compliance, regulatory practices, reward, and data perspectives. It is important that firms start engaging with these proposals now, educating stakeholders and relevant functions, and getting ready sooner rather than later in an interconnected way across their legal, people, data, risk and compliance and reward functions.
[1] These solo-regulated firms are exempt from some baseline requirements and will typically have fewer Senior Management Functions.