
FCA/PRA Diversity and Inclusion for Crypto and FinTech Firms: PART IV

By Rodrigo Zepeda, CEO, Storm-7 Consulting

INTRODUCTION
In 2023, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (Bank of England (BoE)) (collectively the “regulators”) sought to engage with financial firms and other stakeholders, to discuss new proposed measures to boost “diversity and inclusion” (D&I) in financial services (FS) in the United Kingdom (UK).

In PART I of this four-part blog series, we defined and discussed key D&I concepts such as demographic characteristics, diversity, groupthink, inclusion, non-financial misconduct (NFM), and psychological safety. In PART II we provided an overview of the D&I proposals, and we identified the tiered standards to be introduced under the proposed FCA/PRA framework.

In PART III, we analysed how new NFM obligations fit into the D&I framework, what they will entail, and how this will affect and impact crypto and financial technology (FinTech) firms. In PART IV, we will analyse what the D&I rules and obligations consist of, to which types of firms they will apply, and how they will affect and impact crypto and FinTech firms.

REGULATORY FRAMEWORKS
The regulatory frameworks relevant to this analysis include:

PROPOSED FCA NFM AND D&I MINIMUM FRAMEWORK
The tiered measures differentiate between “Small” firms, which are all firms with 250 or fewer employees, and “Large” firms, which are all firms with 251 or more employees (i.e., Large FCA firms, Large PRA firms). The proposed FCA NFM and D&I Minimum Framework consists of:

(1) NFM Rules; and
(2) D&I data reporting (minimum obligations).

We know that the NFM Rules apply to all Part 4A FSMA firms. The D&I data reporting (minimum obligations) also apply to all Part 4A FSMA firms, excluding all LS SMCR firms. Consequently, all the following types of firms that are crypto and FinTech firms are excluded from the D&I data reporting (minimum obligations):     

  • E-Money firms and Payment Services firms;
  • LS SMCR firms;
  • registered CRAs; and
  • Small PRA-regulated firms.

However, as soon as existing FinTech firms (e.g., E-Money and Payment Services firms) apply to expand FCA authorisation in any way (e.g., to offer new types of products or services), they will likely fall within scope of the D&I data reporting (minimum obligations) (i.e., Part 4A FSMA authorisation required). Crypto firms seeking to make and market “financial promotions” relating to “qualifying cryptoassets” in the UK will be required to either become FCA authorised, or communicate them via FCA/PRA authorised persons. If they become authorised, they will be subject to D&I data reporting.

In practice, all crypto and FinTech firms that become Part 4A FSMA authorised will be required to:

(1) complete registration and set up with the FCA’s RegData system;
(2) note the total number of employees in the firm on a specified date (provided in the D&I measures) in each of the firm’s three (3) most recent years;
(3) complete Part 1 of the FCA D&I return (REPxxx Diversity and Inclusion) via the FCA’s RegData system;
(4) report the average number of employees predominantly carrying out activities from an establishment in the UK (based on last three years) within a 3-month reporting window (FCA CP23/20, 26, paras. [4.31]-[4.32]; 65, Annex 4).

PROPOSED FCA D&I ADDITIONAL MEASURES FRAMEWORK
A summary of the FCA D&I Additional Measures framework is set out below.

For comparative purposes, a summary of the PRA D&I framework is set out below (albeit we will limit commentary to the FCA D&I requirements) for firms.

All crypto and FinTech firms excluded from the D&I data reporting (minimum obligations), will also be excluded from the Additional Measures framework (i.e., E-Money firms and Payment Services firms, LS SMCR firms, registered CRAs), EXCEPT for certain Small PRA-regulated firms. If a Small PRA-regulated firm is also a dual-regulated CRR/Solvency II firm, it must report its D&I strategy.

In PART II, we identified the different components and requirements for each specific area relating to the different policy proposals. Here, we will set out commentary relating to how each specific area may affect and impact crypto and FinTech firms that qualify as Large Part 4A FSMA firms.

D&I DATA REPORTING (ADDITIONAL OBLIGATIONS)

General D&I Data Reporting
There are four points to note for crypto and FinTech firms with regards to general D&I data reporting requirements. First, because firms are Large, they will have at least 251 employees that they need to report data on. Therefore D&I data collection will require some work. Even if firms can obtain some of the data required from existing data sources, it is highly likely that they will still need to implement new systems and procedures to obtain some of the new types of D&I data required (e.g., D&I Inclusion Metrics).

In addition, D&I data reporting is not simply about data collection. Crypto and FinTech firms will have to work with the D&I data to develop D&I strategies and justify these based on evidence they have obtained. Therefore, initial D&I data collection and reporting may not always go as smoothly as anticipated. D&I data reporting timelines should incorporate built-in time buffers to address potential delays.

Second, once reporting deadlines are set, firms must put in place detailed D&I data management and reporting project timeline streams to ensure they report on time. The difficulty for firms is that it is not simply a case of quickly collecting data and then transforming it into the correct format required by the FCA. Some areas will require additional projects to be implemented to collect the right D&I data.

Collecting this type of data may require firms to amend their existing employee and data protection and privacy policies, as well as to create new types of data collection informed consent forms. Firms also need to think about how they will inform and engage their employees regarding D&I data collection, instead of just thrusting D&I data collection on them without warning.

Third, even with advance planning, some firms may still run into D&I data delivery and reporting delays and problems. In the first year, the FCA will be providing firms with a “comply or explain” approach which will allow them to explain and justify data gaps, and to explain how and when such gaps will be remedied. Fourth, D&I reporting is subject to a £250 administrative fine for non-timely submission of reports.

D&I Demographic Characteristics Data Reporting
Mandatory D&I demographic characteristics of employees to be reported are: (1) disability or long-term health conditions; (2) ethnicity; (3) religion; (4) sex or gender; and (5) sexual orientation (FCA CP23/20, 33, para. [5.40]).

Voluntary D&I demographic characteristics to be reported are: (1) carer responsibilities; (2) gender identity; (3) socio-economic background; (4) gender identity; and (5) parental responsibilities (FCA CP23/20, 33, para. [5.40]).

Crypto and FinTech firms must be careful in their understanding of these requirements. Mandatory here means that the firm must submit relevant D&I data to the FCA. It does NOT mean that the firm must obtain the data from employees. Voluntary here means the firm may choose whether or not to submit this D&I data to the FCA.  

Crypto and FinTech firms are not obliged to collect this data; however, they would be free to collect this data and then choose not to report it. Either way, crypto and FinTech firms must make it absolutely crystal clear to employees that they are free to choose NOT to respond to questions, or to indicate if they prefer not to say (FCA CP23/20, 34, paras. [5.45]-[5.46]). Strictly speaking, pressuring employees to forcibly disclose such personal data could be viewed as endangering the psychological safety of such employees.

D&I Inclusion Metrics Data Reporting
Crypto and FinTech firms must report on “inclusion metrics”. These are measures of inclusion data reported on a 5-point scale (strongly agree to strongly disagree) (FCA CP23/20, 36, para. [5.64]). The measures must identify the degree to which employees agree or disagree with certain statements (below). The D&I inclusion metrics data is highly problematic.

First, all the descriptions highlighted in bold show that the statements are subject to individual subjective interpretation. What is inappropriate behaviour or misconduct, or what is an inclusive environment? Because the statements generate extensive subjectivity, the responses lose value in terms of their accuracy. In addition, say a Small FinTech firm has high levels of inappropriate behaviour, harassment, and verbal bullying. At the same time, whilst all employees are paid high salaries, there are high levels of employee turnover.

In this kind of culture and environment, even though the firm says that surveys are confidential, employees really have no idea who will have access to the survey data, and whether the responses given will be kept confidential. Providing negative responses risks “marking” the employee as being difficult, a negative influence, sensitive, subject to over-reacting, or not being a team player.

If there are high turnover levels in the firm, combined with toxic cultures, employees do not feel safe, because they may feel they could be fired at any time, for any reason, or for a made-up reason. In that type of situation, employees are highly disincentivised to tell the truth, and will more likely engage in groupthink to play along with everyone else. The D&I Inclusion Metrics data system fails to account for negative and toxic work environments. It presumes it will be applied in an honest and truthful way, which may be false.

D&I Target Setting Data Reporting
Crypto and FinTech firms must report on D&I target setting (FCA CP23/20, 37, para. [5.67]). This covers the progress firms have made towards achieving set D&I targets. Reportable D&I target setting data includes:

  • demographic characteristics for which firms have set targets, and inclusion targets (if any);
  • percentages for each target set;
  • the rationale behind the targets set;
  • the year each target was set;
  • the year the firm is aiming to meet the target; and
  • any other information the firm would like to be considered about the targets set.

The objective is for firms to set appropriate diversity targets to address under-representation of demographic characteristics within the firm (FCA CP23/20, 68, Part 2). Therefore, to set D&I targets, firms really need to have already obtained D&I data to identify existing demographic characteristics within the firm. It makes little sense setting arbitrary targets based on no data (the target might be completely unrealistic, or it may have already been met). Firms must then define what under-representation actually means within the firm. This illustrates why setting out D&I data collection and reporting timelines is so important.

D&I STRATEGIES
Crypto and FinTech firms must develop an “evidence-based” D&I strategy that takes account of the firm’s progress on D&I. This may require senior management to engage more deeply with the D&I data the firm has obtained, and to seek additional input from all relevant internal stakeholders. Clearly, the larger the firm (and the more complex that D&I issues become in that firm), the more time and work that setting the firm’s D&I strategy may take.

In addition, firms must tie this D&I strategy to the FCA’s three Operational Objectives and its Secondary Objective (FCA CP23/20, 28, para. [5.7]; Blog PART I). Next, firms report their D&I strategy by setting out:

  • the firm’s D&I objectives and goals (O&G);
  • a plan for achieving D&I O&G and measuring progress;
  • a summary of arrangements to identify and manage obstacles to achieving O&G; and
  • ways to ensure adequate knowledge of D&I strategy amongst staff (FCA CP23/20, 28, para. [5.8]).

A firm’s D&I strategy is therefore dynamic in nature, because it will need to be monitored in some way to identify how progress is measured, how obstacles are continually identified and monitored, and to what extent the firm has progressed towards its D&I O&G. This will require crypto and FinTech firms to develop new systems to monitor and keep track of a firm's D&I strategies, key responsibility holders, and key personnel.

D&I DATA DISCLOSURE AND D&I TARGET SETTING
Firms will be required to publicly disclose their D&I targets and their progress towards them every year (FCA CP23/20, 39-40). The D&I data disclosed by firms will be reported on an aggregated basis in percentages (FCA CP23/20, 39-40). Crypto and FinTech firms will also be required to set at least 1 target to address under-representation for:

(1) senior leadership;
(2) the board; and
(3) the firm’s employee population as a whole (FCA CP23/20, 30, para. [5.21]).

Target setting must take into account a firm’s diversity profile and D&I strategy (FCA CP23/20, 30, para. [5.24]). The idea is that by requiring firms to publicly disclose D&I targets and progress made towards targets on an annual basis, D&I transparency is increased.

For example, people can externally track a firm which has made little, or no progress on D&I targets, and then analyse the firm to assess whether the firm views D&I compliance as a “tick box exercise”.  D&I target setting will also be able to act as an industry benchmark, because people will be able to compare D&I targets set by similar firms to compare D&I achievements and progress.

To illustrate the potential effect this may have, we will compare three FinTech firms currently on the market: (1) “Monese”; (2) “Revolut”; and (3) “Monzo”. Monese currently has NO information on D&I available on its website – you cannot even search for D&I. Revolut has snippets of information on D&I on its website, but this is superficial and there is no data or statistics available. Monzo has D&I data, blogs showing D&I data and graphics, and it has published a D&I report (2022) on its website.

When you compare websites, the distinct impression you obtain is that Monzo seems to be committed to D&I to a much greater degree than Monese and Revolut. However, the point is that there is no way to easily compare D&I data and statistics for these firms at present. We cannot benchmark the D&I performance of these firms. Another takeaway is that crypto and FinTech firms can use D&I data disclosure and target setting to leverage their D&I credentials with a view to securing strategic market advantage. Crypto and FinTech firms could incorporate D&I data into strategic marketing channels and campaigns.

D&I R&G
Crypto and FinTech firms must recognise a lack of D&I as a “Non-Financial Risk” (NFR). In theory, this means that they must consider matters relating to D&I as an NFR, and then treat them “appropriately” within the firm’s governance structures (FCA CP23/20, 24, para [5.89]).

In PART II, we noted how this approach will essentially leave firms to report on their own internal bad behaviour and poor decision-making. This approach creates a conflict of interest (COI). If firms develop highly sophisticated tools and technologies to capture data to identify increased groupthink and poor decision-making in firms, this data may then potentially need to be disclosed to the FCA. It is negative data because it can harm the firm.

Firms will face a COI between helping the FCA to achieve its D&I objectives, and protecting the firm and its reputation. Given this potential COI, and also given that realistically D&I for many firms may be seen as low priority, firms may adopt a superficial and low priority approach to D&I NFR recognition within the firm’s governance structures, especially since the firm faces no attendant costs or repercussions for doing so.

CONCLUSION
So, what do you think, do the new proposed D&I measures look clear and simple, or do they tend towards being described along the lines of “Complicated as hell”? By undertaking this type of basic analysis we have been able to identify a huge range of issues and problems that arise with the proposed new D&I measures, D&I data reporting, and in particular the NFM Rules. This type of analysis and risk assessment really should have been carried out by the FCA and the PRA, in addition to the standard Cost Benefit Analysis undertaken.

The report by the UK Treasury Committee (UKTC) into “Sexism in the City” published today found that there had been a disappointing lack of progress on sexual harassment and bullying (including serious sexual misconduct), and that many of the barriers originally identified in 2018 still remained stubbornly in place (Treasury Committee, 2024, 3). The UKTC stated that they had heard many firms still treat D&I as a “tick-box” exercise, instead of a core business priority, despite clear evidence that diverse firms achieve better results (Treasury Committee, 2024, 3). The UKTC added:

“It is shocking to hear how prevalent sexual harassment and bullying, up to and including serious sexual assault and rape, still are in financial services, and how poorly firms handle allegations of such behaviours. We were particularly concerned to hear of the widespread misuse of non-disclosure agreements (NDAs), which have the effect of silencing the victim of harassment and forcing them out of an organisation, while protecting perpetrators and leaving them free to continue their careers and go on to abuse others” (Treasury Committee, 2024, 3). 

Unfortunately, the way the current proposed NFM Rules are drafted to operate, it is unlikely that they will make any serious impact on NFM across FS in the UK. There are simply far, far too many exceptions, exclusions, and complications identified. These include complications with different legal frameworks with respect to EA 2010 protected characteristics, and thousands and thousands of firms, and tens of thousands of employees, being excluded from the application of the NFM Rules within FS.
