The Financial Conduct Authority (FCA) is engaging with firms to improve diversity and inclusion in financial services. It has launched a consultation, CP23/20 Diversity and inclusion in the financial sector – working together to drive change (Consultation), setting out a series of proposals for a new regulatory framework on diversity and inclusion (D&I). In broad terms, the proposals would integrate non-financial misconduct – such as sexual or racial harassment – into the Conduct Rules, suitability criteria for firms to operate in the financial sector and the test for Fitness and Propriety, and would also require certain large firms to develop a D&I strategy and collect, report on and disclose data relating to a number of D&I metrics.

The Consultation follows a number of previous D&I-related workstreams, including:

• the FCA’s July 2021 Discussion Paper DP21/2 Diversity and inclusion in the financial sector – working together to drive change which we reported on at the time; and
• the FCA’s multi firm review published in December 2022 which we reported on in Issue 5 of The Employment Edit.

The consultation period runs until 18 December 2023. The FCA proposes to use feedback from the Consultation to develop final regulatory requirements that will be published in a Policy Statement in 2024. It is proposed that final rules would be in force 12 months after the publication of the Policy Statement.

In the Consultation, the FCA proposes minimum standards for in scope firms of any size, with additional requirements for large firms. In more detail, the FCA sets out:

• A core set of requirements for Financial Services and Markets Act (FSMA) authorised firms with a Part 4A permission (i.e., permission to carry out regulated activities in the UK); and
• Additional requirements for: (i) FSMA firms with a Part 4A permission with 251 or more employees, (Large Firms), and (ii) Capital Requirements Regulation (CRR) firms and Solvency II firms of any size.

Proposals for firms of any size

The minimum standards proposed by the FCA for all FSMA firms of any size with a part 4A permission aim to reduce discrimination and misconduct, to promote healthy and inclusive workplace cultures and to reduce the risk of groupthink within the financial services sector.

(i) Non-financial misconduct: conduct rules, fitness and propriety and threshold conditions

• Conduct Rules – The FCA Conduct Rules chapter of its Handbook (COCON) sets a base level of conduct or behaviours that the FCA expects everyone involved in financial services work to comply with. Per the Consultation, the FCA proposes that non-financial misconduct be explicitly included within COCON by expanding the scope of COCON so that serious instances of, e.g., bullying or harassment towards colleagues would be a breach of COCON. The FCA expressly states that it would take decisive and appropriate action against employees for instances of non-financial misconduct, which may include prohibiting individuals from working in regulated firms.
• Fitness and Propriety – In relation to assessments of fitness and propriety, the FCA proposes to give examples of non-financial misconduct such as sexual or racially motivated offences in the Handbook. Conduct both within and outside the workplace would be taken into account, especially where it may damage public confidence in the financial system in the UK.
• Suitability – The FCA proposes that Guidance on the Suitability Threshold Condition (the minimum requirements that firms must meet to carry on regulated activities) would be expanded to include, e.g., sexual or racially motivated offences.

(ii) Data reporting

Per the proposals, all FSMA firms with a Part 4A permission with 250 or fewer employees (except for Limited Scope SM&CR firms)¹ would be required to report on the FCA’s RegData platform their average number of employees – for the purpose only of determining whether they are in scope for the proposed additional requirements described below. Such firms could report additional data on a voluntary basis, but would not be required to do so.

Proposals for large firms and for CRR and Solvency II firms

The proposals for these firms aim to promote healthy and inclusive workplace cultures, reduce the risk of groupthink, unlock new talent and enable greater understanding of the diverse needs of consumers.

The FCA proposes that the provisions relating to D&I Strategies (described below) apply to (a) dual regulated CRR and Solvency II firms and (b) all FSMA firms with a Part 4A permission who have 251 or more employees, excluding Limited Scope SM&CR firms. The other categories would apply to all FSMA firms with a Part 4A permission who have 251 or more employees, excluding Limited Scope SM&CR firms.

The proposals can be split in to five broad categories:

(i) D&I strategies

Per the proposals, firms would be encouraged to develop an evidence-based D&I strategy that takes into account the FCA’s D&I aims (for example, reducing groupthink that can lead to poor governance and a failure to act in consumers’ best interests). The strategy would need to set out the firm’s D&I objectives and goals, a plan for measuring progress and meeting those goals, and a strategy to ensure adequate knowledge of the D&I strategy among staff. The board would have responsibility for maintenance and oversight of the strategy, and it would be required to be freely accessible (for example, on the firm’s website).

(ii) Firms setting targets

Firms would be required to set targets to address underrepresentation in their firms, including at least one target for each of the board, senior leadership and the employee population as a whole. In setting targets firms would have to take into account their D&I strategy and current diversity profile. The FCA does not intend to mandate details in terms of the targets, nor how frequently they must be updated, in order for firms to have flexibility to seek to address their areas of greatest underrepresentation. The board would have responsibility for overseeing the targets and in particular monitoring progress. Firms would be required to disclose their targets and the progress made towards them publicly and annually.

(iii) Data reporting

The FCA propose that firms in scope would be required to collect and report diversity data (referred to as ‘demographic characteristics and inclusion measures’) in relation to three categories: the firm’s employee population, senior leadership and the board.

Firms would be required annually to collect and report data in numerical figures via a regulatory return on the FCA’s Reg Data platform.

The FCA plans to produce a regular aggregated disclosure report that would allow firms and their stakeholders to see how their progress compares to peers and to help to drive progress. The expectation is that good quality data would give both firms and the regulators a basis to track and monitor D&I.

The FCA recognises that there would be an initial challenge for firms in collecting good quality data. Firms would need to develop systems for data collection and build trust with their employees so that they are comfortable sharing personal data. Consequently, some of the data would only need to be reported on a voluntary basis. Over time, as firms develop their systems, the FCA hopes that increasing numbers of firms would report on the mandatory categories, and in time all the categories may be made mandatory.

Reporting on the following characteristics would be mandatory:

• Age
• Sex or gender (firms may choose to comply with either or both)
• Disability or long-term health conditions
• Ethnicity
• Religion
• Sexual orientation

Reporting on the following characteristics would be voluntary:

• Sex or gender (the category on which they have not reported on a mandatory basis)
• Gender identity
• Socio-economic background
• Parental responsibilities
• Carer responsibilities (caring for those with disabilities, old age or long-term health conditions)

The FCA proposes that the data collection process followed by firms gives individual employees the option not to respond, or to respond that they ‘prefer not to say.’ The FCA recognises that some data sets would be incomplete until a certain level of trust is established with employees.

Data on pregnancy and maternity is already measured sufficiently through maternity leave and pay administration systems, so there would be no need to collect again.

Inclusion metrics

Firms would be required also to report on a selection of inclusion metrics. A consistent set of measures would be introduced to provide a baseline of measurable data within firms and across the sector. Firms would be required to report annually on the following measures of inclusion using a five-point scale from ‘strongly disagree’ to ‘strongly agree.’ The data would be captured anonymously and voluntarily, and there would need to be an option to respond ‘prefer not to say.’ The data would be reported in relation to the three categories of the board, senior leadership and all employees. The measures are whether individuals in each of the three categories feel:

• safe to speak up if they observe inappropriate behaviour or misconduct;
• safe to express disagreement with or challenge the dominant opinion or decision without fear of negative consequences;
• their contributions are valued and meaningfully considered;
• they are subject to treatment (for example actions or remarks) that had made them feel insulted or badly treated because of their personal characteristics;
• safe to make an honest mistake; and
• that their manager cultivates an inclusive environment at work.

Under the proposals, firms would be required to report the required data annually. There would be a three-month reporting window starting with the date the rules come into force (the “reference date”) in which to submit data to the FCA. As with other FCA reporting requirements, D&I reporting would be subject to the FCA’s standard £250 administrative fee if returns are not completed on time. This would be supported by supervisory or enforcement powers in the event of continued non-compliance.

Firms would need to ensure that diversity data collection and reporting complies with data protection obligations – particularly UK General Data Protection Regulation (GDPR).

(iii) Data disclosure

The FCA proposes that firms would be required to make public disclosures of the D&I data on which they are required to report as set out above, but in percentages rather than numerical figures. Firms would not be required to make any disclosures that would breach any legal obligations such as in relation to data protection. This may be the case if, for example, low numbers in a particular category may make certain individuals identifiable. In such a case, a firm might be able to avoid the problem through (for example) combining categories such as board and senior management.

(iv) Risk and governance

New guidance would be introduced to make clear that matters relating to D&I are to be considered as a non-financial risk and treated appropriately within the firm’s governance structures. Firms would be required to consider how a range of relevant functions can contribute to progress on D&I. This might include (for example) risk functions, Internal Audit, Human Resources and Corporate Responsibility. The FCA’s view is that it is essential that D&I is not seen as a ‘tick box’ compliance issue.

Definition of ‘employees’

With regard to calculation of the number of employees, the FCA proposes that the number is calculated on a solo entity basis. The FCA points firms to the definition of ‘employee’ in the glossary to the FCA Handbook. The Consultation expressly notes that the glossary definition of employee includes, for example, contractors, individuals seconded to the firm and non-executive members of the board. The FCA also states that only employees who predominantly carry out activities from an establishment in the UK would count towards the 251-employee threshold.

Territorial scope

Apart from non-financial misconduct and the application of Threshold Conditions,² the FCA’s proposals would apply only to employees that carry out their activities predominantly from an establishment in the UK. For overseas firms, the FCA’s proposals would only apply to activities of the firm that are carried out from an establishment in the UK.

What is the FCA not proposing to take forward

The FCA has decided not to take forward some of the proposals it put forward in its July 2021 Discussion Paper (DP21/2), including:

• proposals to link regulatory approval of a firm to the diversity of its senior management or wider staff, due to concerns raised about unintended consequences, such as unlawful discrimination or inappropriate appointments;
• amendments to its rules and guidance to require an individual within each firm to be assigned responsibility for D&I;
• proposals on board recruitment, succession planning and talent pipelines due to high indicative costs and the need to avoid unnecessary prescription in areas where many firms already have well-established approaches;
• new rules and guidance that would have permitted withholding of SMF approval due to a lack of diversity;
• mandating a D&I training requirement, due to mixed feedback and evidence on the effectiveness of some popular forms of training;
• introducing any additional new products rules or guidance as part of the Consultation because it integrated D&I considerations into the requirements of the Consumer Duty that came into force on 31 July 2023; and
• any changes to its remuneration rules as part of the Consultation. However, the FCA says that it may consider a wider review of its remuneration regime subject to strategic priorities.

Takeaway

The proposals, particularly for firms with more than 250 employees, are far-reaching and, if adopted, would make D&I a significant feature of firms’ regulatory compliance. In particular, the design and implementation of a D&I strategy will require detailed thought and analysis and senior management engagement. In addition, reporting of D&I metrics will most likely be complex – considerably more complex than reporting gender pay gaps. As the Consultation Paper itself acknowledges, just the collection of relevant personal data from employees may be difficult. It is within scope of the GDPR and collection of such data would require firms to act with sensitivity and transparency in order to build the necessary trust such that employees feel comfortable disclosing this information. While most of these D&I proposals would have a 12-month lead in before they come into force, given their nature and scope, it would be sensible for firms to start thinking now about the steps they would need to take to comply.

1. Under the Senior Managers & Certification Regime (SM&CR), solo-regulated firms are categorised as Enhanced, Core or Limited Scope. Limited Scope firms are exempt from some baseline requirements and will typically have fewer Senior Management Function.
2. Conduct Rules and the suitability criteria for firms to operate in the financial sector.