Diversity and inclusion: new regulations

Insurer Update - December 2023

Read time: 36 mins

The regulators are consulting on proposals for wide-ranging changes to how firms tackle diversity and inclusion (D&I) and their reporting. What will this mean for you?

The FCA and PRA published their respective consultation papers (FCA CP23/20 and PRA CP18/23) in September on the proposal to introduce a new regulatory framework on D&I in the financial sector. Comments on the consultation papers must be in by 18 December. The final regulatory requirements will be set out in a joint policy statement in 2024. In-scope firms, which include insurers and intermediaries, will be subject to the new rules 12 months later. The proposals apply differently to firms depending on the number of employees and their SM&CR categorisation. Firms with fewer than 251 employees will be exempt from many of the requirements, but must meet the minimum standards.

What are the key proposals?

  • Integration of non-financial misconduct considerations into staff fitness and propriety assessments, conduct rules and the suitability criteria for firms to operate in the financial sector.
  • Reporting annually on average number of employees and data collection.
  • Reporting and disclosure of certain D&I data.
  • Requirement to establish, implement and maintain a D&I strategy.
  • Determining and setting appropriate diversity targets.
  • Recognition that a lack of D&I is a non-financial risk.

Non-financial misconduct

The FCA is proposing to explicitly include non-financial misconduct within:

  • Conduct rules.
  • Fit and proper assessments.
  • Suitability guidance on the Threshold Conditions.

Conduct rules

The scope of conduct rules will be expanded to take account of serious instances of bullying, harassment and similar behaviour towards fellow employees, and employees of group companies and contractors. Guidance will also be provided on:

  • Types of behaviour that would fall within the expanded scope of conduct rules, and that may breach conduct rules; and
  • Conduct that is out of scope because it relates to an employee’s personal or private life.

Fit and proper assessments

The FCA proposes to explain in more detail how non-financial misconduct forms part of the Fit and Proper test for Employees and Senior Personnel (FIT) section of the FCA Handbook. Particularly, it will emphasise that bullying and similar misconduct in the workplace is relevant to fitness and propriety, as is equally serious behaviour in a person’s personal or private life. This will be supported by examples of non-financial misconduct, such as sexual or racially motivated offences.

Suitability guidance on the Threshold Conditions

To maintain integrity and conduct in UK markets, the guidance on the Suitability Threshold Condition will be extended. It will include offences relating to a person or group’s demographic characteristics (such as sexual or racially motivated offences). And it will also encompass tribunal or court findings showing that the firm, or someone connected with the firm (such as a director), has engaged in discriminatory practices.

What firms should consider doing

  • Perform a gap analysis between their current processes that support conduct rules and fit and proper assessments, to determine if they need updating to meet the FCA requirements on non-financial misconduct.
  • Update policy documents, procedures, codes of conduct and handbooks to reflect the new requirements.
  • Develop training materials and deliver training to employees.

D&I strategies

In-scope firms will be required to develop an evidence-based D&I strategy that takes account of their current progress on D&I. This strategy must contain the following, as a minimum:

  • D&I objectives and goals.
  • Plans for meeting those objectives and goals and measuring progress.
  • A summary of arrangements made to identify and manage any obstacles to meeting the objectives and goals.
  • Ways to ensure adequate knowledge of the D&I strategy among staff.

Firms will be required to make the D&I strategy easily accessible and free to obtain (for example, through their website). This will facilitate stakeholder engagement and scrutiny on their approach, and progress against stated commitments. 

D&I strategies may be reviewed by the FCA as part of its supervisory assessment of how firms are identifying, monitoring and taking steps to address D&I issues.

What firms should consider doing

  • Review existing D&I strategies to assess any gaps against the minimum requirements.
  • Identify resources needed to develop a D&I strategy and activities and plans for achieving this. It may be worth seeking external advice or support.
  • Consider how the firm will make the D&I strategy easily accessible.
  • Determine how the D&I strategy will be incorporated into current processes and systems.

Setting targets

Firms must set specific, time-bound diversity targets to address under-representation at both board and firm-wide level. They will be expected to set at least one target for demographic characteristics of the board, the senior leadership, and the employee population as a whole.

Whilst the FCA has provided guidance on compulsory and voluntary demographic characteristics, it will not specify which characteristics the targets must cover nor what those targets should be. Firms must consider the context in which they operate by taking into account available data on the diversity profiles of the UK population and the geographical area in which they carry out regulated activities.   

Those based in other countries that carry out operations in the UK would be in-scope. If they do not have a board or senior leadership in the UK, they would not have to set a target for the parts of the business based overseas.

Firms may choose to set inclusion targets voluntarily, in addition to their diversity targets.

They must provide information on:

  • Demographic characteristics for which they have set targets, and their inclusion targets (if any).
  • The percentage at which each target has been set.
  • The year each target was originally set, and the year the firm is aiming to meet it.
  • The current level of representation against each target (%).
  • The rationale for the targets set.
  • Any further details the firm would like the FCA to consider about targets they have set.

What firms should consider doing

  • Agree which demographic characteristic target they would like to report on.
  • Agree whether to report on inclusion targets and, if so, which one(s).
  • Allow sufficient resources and time to implement systems to capture the required data.
  • Identify potential difficulties in encouraging employees to provide data, and mitigating factors.
  • Make changes to their data collection processes and policies.

Data reporting

Employee numbers must be reported annually by firms of any size, but the proposed data reporting requirements would only apply to firms with more than 250 employees. They will need to:

  • Collect data across a range of demographic characteristics, inclusion metrics and targets, and report it annually to the regulators, in numerical figures, via a regulatory return.
  • During the first year, report such data as is practicable and explain the reasons for any gaps and how they will be closed.
  • Report data to the FCA and PRA using a single data return.

Data should be reported to the FCA in three categories: board, senior leadership and all employees (including the board and senior leadership).

Limited Scope SM&CR firms are out-of-scope for data reporting requirements.

What firms should consider doing

  • Map out the data reporting process – consider whether this will be integrated as part of an existing process or form part of a separate one.
  • Allocate ownership for the D&I data reporting process.
  • Update HR or other systems if appropriate.
  • Clarify responsibilities for reviewing and approving the data to be reported, including the related governance process.

Data disclosure

Firms will need to make public disclosures on D&I data to increase transparency and scrutiny and to facilitate comparisons between firms on D&I performance. This should be done either when they publish annual reports and accounts or, for firms that do not do so, within six months of the end of their financial year.

The rules on disclosure will come into force 12 months after the final rules are published. In the first year they are in force, firms can make their disclosures on a voluntary basis. From the following year onwards, disclosures are mandatory for in-scope firms.

What firms should consider doing

  • Allocate ownership of the process for data disclosure (e.g. whether it will be the responsibility of HR or finance).
  • Update, if necessary, annual reports and accounts or the financial year end process for incorporating D&I disclosures.
  • Clarify the responsibilities for reviewing and approving the data disclosure, including the related governance process. Consider a potential role for the internal audit function to provide assurance over disclosures.

Risk & governance

New guidance will be introduced for large firms to make clear that matters relating to D&I must be considered as a non-financial risk and treated appropriately within the firm’s governance structures.

The following responsibilities will remain with the firm’s board:

  • D&I strategies: Although the FCA will not insist on the frequency of reviews, boards will need to review the D&I strategy regularly enough to ensure it remains appropriate, effective and fit for purpose.
  • Setting targets: The board would oversee the targets set and would be expected to explain the rationale for the targets chosen, if need be.

Firms need to consider how a range of relevant functions can contribute to progress on D&I. Risk functions, as well as internal audit functions, will play an important role in managing risk and giving assurance to boards.

What firms should consider doing

  • Agree how the board will oversee D&I strategy and targets, including timing and frequency.
  • Update board terms of reference to reflect enhanced responsibilities for D&I.
  • Consider independent assurance over D&I strategy, data reporting and disclosure.

If you’d like to discuss the FCA and PRA consultation papers and potential impacts on your firm, please contact Jessica Wills or Prianca Hanoomanjee in our Governance, Risk & Control Assurance team.