Regulatory change as far as the PI can see
Dramatic regulatory change, and an increase in regulatory action, is affecting a number of important sectors in the professional indemnity market, as we exit 2019 and look ahead at 2020. We consider below some key points to be aware of.
Senior Managers and Certification Regime (SMCR)
On 9 December 2019, the Senior Managers and Certification Regime (SMCR) will replace the Approved Persons Regime for the 47,000 or so authorised firms regulated solely by the FCA.
SMCR strengthens market integrity by enabling firms and regulators to hold individuals to account. The regime consists of three core elements:
- The first is the Senior Management Functions (SMF) regime. This replaces the controlled functions regime and introduces a statutory duty of responsibility, which requires senior managers to take reasonable steps to prevent regulatory breaches from occurring or continuing.
- The second element of SMCR is the Certification Regime, which requires firms to assess and certify individuals who could potentially put the firm or its customers in “significant harm”.
- The third element is the new Conduct Rules, which set out expected behaviours for almost all employees of authorised firms.
SMCR requires significant planning and investment in compliance processes for firms, as well as staff training. We are already seeing an increase in FCA enforcement investigations focusing on senior management responsibility, and we expect this trend to accelerate after SMCR's full rollout.
Defined benefit pension transfers are increasingly an area of concern for the FCA. In 2019, the FCA completed an extensive survey, which found that between April 2015 (the advent of Pension Freedoms) and September 2018, 234,951 customers received advice, with 69 per cent being advised to transfer.
The fact that more customers were advised to transfer than not is a concern for the FCA, as the FCA's starting point is to presume a transfer will be unsuitable. According to the FCA's findings, the average transfer value was £352,303 and the total sum of amounts transferred was £82.8 billion. This clearly gives rise to a potentially huge liability exposure for firms and their insurers, albeit actual customer complaint volumes have so far been low.
It is unclear exactly how the FCA will look to rectify the perceived issues. However, the FCA is now making further enquiries of firms where the potential for harm exists. The increased pressure has led to some big players leaving the market and continues to cause headaches for remaining firms.
The FCA's guidance on the regulation of cryptocurrencies and other "cryptoassets", published in July 2019 following a six-month consultation, heralds increasing regulatory scrutiny in this area. In particular, the guidance emphasises that those dealing in more sophisticated cryptoassets should consider carefully whether they are carrying on regulated activities, which require FCA permissions.
Whilst the FCA's guidance clarifies the position rather than making new rules, it highlights that the increasing sophistication of cryptoassets is well and truly on the regulator's radar.
Firms and their insurers should also be aware of the incoming FCA-supervised anti-money laundering regime for UK cryptoasset businesses, which comes into effect on 10 January 2020.
Regulatory investigations impacting D&O cover have been a driving force in 2019, with Serious Fraud Office (SFO) investigations and subsequent prosecutions particularly prominent.
Particularly high profile has been the prosecution, trial and subsequent acquittal of three executives of Sarclad Ltd. Their acquittal was notable, because Sarclad had earlier entered into a "Deferred Prosecution Agreement" (DPA) with the SFO, on the basis of the executives' alleged conduct (of which they were then acquitted).
We have also seen an increase in market abuse investigations by the FCA. This corresponds with the FCA's mission statement that “preventing, detecting and punishing market abuse is a high priority for us” and their goal to crack down on individuals who fail to meet their obligations under the Market Abuse Regulations.
As with SFO investigations, FCA market abuse investigations, when they strike, are extremely expensive for the organisations and the individuals affected, and for their D&O insurers. It is not just the officers of the company under suspicion who require separate legal representation, but also the (often numerous) officers of the company interviewed as witnesses.
Another issue, which is not a regulatory issue as such but will be of particular interest to the D&O market, is that 2020 is set to see claims against directors related to the environment and climate change.
We expect there will be an increase in activists purchasing shares in "environmentally unfriendly" companies to allow them to bring derivative claims against the directors. After all, directors have a duty to promote the success of the company for the benefit of the members as a whole and, as part of this duty, must have regard to "the impact of the company's operations on the community and the environment" (section 172(1)(d) Companies Act 2006).
Whilst this is likely to be of more concern where the companies are engaged in high profile perceived "environmentally unfriendly" activities (eg oil and gas companies), there are many companies indirectly involved in such activities, including transportation and manufacturing companies.
New SRA codes of conduct will come into effect on 25 November 2019. The old Code has been split into two: the Code for Solicitors which addresses the expected standards of professionalism and the Code for Firms setting out the standards and business controls expected from firms. There will also be new accounts rules.
The new Codes include obligations on a solicitor to 'put matters right'. There is also an obligation to notify the client that they may have a claim against the firm.
The Codes have been streamlined and consolidated and redrafted to use plainer English. However, there is a greater use of subjective words, which will lead to difficulties when it comes to interpretation. Moreover, there is also far less actual guidance.
A lot of work has already been done by firms to prepare for these new rules, but they amount to a significant change that will inevitably lead to compliance challenges for solicitors.
A long-anticipated shake-up of the audit sector remains on the cards, with the FRC, which recently strengthened the 'going concern' standard in response to recent enforcement cases and well-publicised corporate failures, due to be replaced by a new oversight body, the Audit, Reporting and Governance Authority.
A key area to watch out for will be whether or not the scope of audit is extended to specifically include the detection of fraud (which has never been a statutory requirement).
The market is already gearing up for the possibility of joint audits, creating opportunities for so-called 'challenger firms' outside of the big four. We expect this trend to continue; however, there are unresolved issues in relation to litigation risk, such as the scope of joint and several liability in the case of mandatory joint audits.
Data protection is a systemic issue which will affect all subsets of the market. In 2019, we saw an increased number of decisions being made by the Information Commissioner's Office (ICO) in relation to data breaches reported under the new GDPR regime that came into force in July 2018. The ICO reported an unprecedented number of personal data breach reports in 2018/2019: 13,840 cases. That was a staggering increase compared to 2017/2018, when 3,311 data breaches were reported. This aligns with the increased onus on organisations to be proactive with data protection action and reporting.
We saw an increased number of these personal data breaches arising out of cyber incidents. The ICO received around 2,500 cyber security incident reports during 2018/19 with 44% of those incidents being the result of phishing attacks. This accords with the types of cases handled through RPC's own breach response service (ReSecure).
With the ICO's increased regulatory powers, it is ever more important for organisations to implement adequate security measures to prevent these attacks and avoid regulatory action, as well as the likelihood of fines. Measures can include multi-factor authentication, rule-based alerting, suitable firewalls and e-mail scanning to prevent phishing attacks and other cyber incidents. However, the importance of staff training cannot be overstated, as it is the human element of these attacks which often makes them so successful.
Despite a record-breaking total of monetary penalties being issued by the ICO during 2019, these relate to breaches which occurred under the old Data Protection Act 2018 regime. We are yet to see the first fine for a breach under the GDPR. We expect this to occur in 2020.