Ashurst Governance and Compliance Update - Issue 21

1. FRC issues updated Guidance on the Strategic Report

The Financial Reporting Council has published a revised version of its 'Guidance on the Strategic Report' which seeks to improve the quality of corporate reporting.

Amendments have been made to reflect various changes since the guidance was last revised in 2018 including:

• the requirement for publicly quoted companies, large private companies and LLPs to disclose climate-related financial information in their annual reports for financial years beginning on or after 6 April 2022;
• the requirement for publicly traded and banking LLPs to publish a strategic report; and
• the publication of the Streamlined Energy and Carbon Reporting (SECR) rules, which came into effect on 1 April 2019.

Further information and guidance, including the FRC's recommendations as regards communication principles to consider in the context of corporate reporting, can be found here.

ESEF: FCA clarifies range of taxonomies available

The Financial Conduct Authority has published an instrument implementing a further change to the UK version of the European Single Electronic Format (ESEF) reporting regime. The instrument amends the UK Transparency Directive ESEF Regulation to correct a drafting error and clarify that, for financial years beginning on or after 1 January 2022, both the UKSEF 2022 taxonomy and the ESEF 2021 taxonomy are permitted taxonomies (not only the UKSEF 2022 taxonomy). The instrument is now in force. For further background, see AGC update, Issue 16 and AGC update, Issue 19.

3. FCA clarifies approach to enforcement of the market abuse regime

In response to recent press reports about its approach, the Financial Conduct Authority has provided an outline of the work it carries out to tackle insider dealing and manipulation which it has stated to be one of its strategic priorities.

The FCA highlights that it adopts a data-led approach to such enforcement. The data which the FCA collects and analyses is complemented by Suspicious Transaction and Order Reports (STORs) which are sent to the FCA by market participants and assessed by a specialist team. To assist market participants in playing their role in tackling insider dealing and manipulation, the FCA regularly publishes the findings of its oversight work in its Market Watch publication, which shares good practice and highlights weaknesses likely to be common in all firms' systems and controls.

The FCA states that where market abuse is detected, although criminal prosecution is an available tool, it is also able to take enforcement action itself where it has seen false or misleading statements or other forms of market manipulation, and such action has resulted in fines for both firms and individuals. The FCA cites the censure of Redcentric plc in 2020 (we covered the criminal proceedings in AGC update, Issue 14) as an example of a civil action being used to secure redress for investors. In terms of criminal cases, the FCA has one trial involving two defendants scheduled to start in October 2022 and a further three cases in which prosecution decisions will be made before the end of the year.

The FCA also notes that it has worked with international partners to disrupt the activity of serial market abusers, including collaborating with the DFSA in Dubai and the AMF in France and sharing intelligence with colleagues in the United States, all of which has led to action in those jurisdictions.

The FCA concludes by stating that the aggregate picture is one of 'intensity, scrutiny and sophisticated action', in which criminal prosecution is one of several concurrent strategies being deployed.

4. Economic Crime and Transparency: Register of Overseas Entities Regulations published

The government has published draft Register of Overseas Entities (Delivery, Protection and Trust Services) Regulations 2022.

The draft Regulations implement aspects of the new register of overseas entities, to be created under the Economic Crime (Transparency and Enforcement) Act 2022, including:

• Requiring certain documents (including applications for registration, information required to be delivered to the Registrar of Companies and applications for removal from the register) to be delivered to the Registrar by electronic means.
• Setting up a protection regime, which will allow individuals who are beneficial owners and/or managing officers of overseas entities to apply to have their information made unavailable for public inspection and not disclosable by the Registrar (subject to limited exceptions) where they can provide evidence that such disclosure will put them or someone living with them at serious risk of violence or intimidation.
• Setting out that legal entities governed by the law of a country or territory outside the United Kingdom that provide trust services are subject to their own disclosure requirements, for the purpose of the definition of a 'registrable beneficial owner'.

By way of reminder, the regime will require an overseas entity that holds certain types of real estate in the UK to register with Companies House detailing its beneficial owners and, potentially, its managing officers and trusts which exist within its corporate structure.

The Regulations will come into force on the day that section 3 (Register of overseas entities) of the Act comes into force. Commencement regulations as to section 3 are yet to be published.

5. Law Commission publishes Options Paper on reforms to corporate criminal liability

The Law Commission has published an Options Paper which sets out ten options for reform of the law relating to corporate criminal liability. This follows a discussion paper published in June 2021 which sought views on whether, and how, the law could be improved to capture and punish criminal offences committed by companies, their directors and senior management.

The Law Commission's possible reform options include:

• Retaining the current general rule of criminal liability applied to corporations – the 'identification doctrine' – as it stands.
• Allowing conduct to be attributed to a corporation if a member of its senior management engages in, consents to, or connives in the offence – thereby widening the identification doctrine. This could be drafted so that chief executive officers and chief financial officers are always considered part of an organisation's senior management.
• Introducing an offence of failure to prevent fraud by an employee or agent. This would apply when a company has not put in place appropriate measures to prevent its own employees or agents committing a fraud offence for the benefit of the company. The government has already confirmed its intention to take this proposal forward in its response to the consultation on Audit and Corporate Governance reform.
• Introducing offences of: failure to prevent human rights abuses; failure to prevent ill-treatment or neglect; and failure to prevent computer misuse.
• Making publicity orders available (requiring the corporate offender to publish details of its conviction) in all cases where a corporation is convicted of an offence.
• Introducing a regime of administratively imposed monetary penalties.
• Introducing civil actions in the High Court, based on Serious Crime Prevention Orders, with a power to impose monetary penalties.
• Introducing a reporting requirement requiring large corporations to report on anti-fraud procedures.

It is now for the government to review and consider the Options Paper.

6. QCA publishes governance survey of NEDs in small and mid-sized quoted companies

The Quoted Companies Alliance has published the findings from its fifth YouGov survey of non-executive directors of small and mid-sized quoted companies with market capitalisations generally less than £500m, which sought to gather insights into the role and value of non-executive directors.

The survey showed that a majority (60 per cent) of respondents feel Cyber and IT is an area where their boards lack expertise. A significant proportion (34 per cent) also felt that ESG was an area lacking expertise.

The QCA believes that continued improvements in more objective recruitment processes that allow for more diverse candidates to be considered is likely to be the best way to close the current gaps in expertise.

On the issue of diversity, more specifically, the survey also revealed that:

• the average age of an NED of such companies is 61;
• of the 3,745 NEDs surveyed only 23 per cent were female;
• of the 1,161 companies surveyed 29 per cent have all male boards; and
• 66 per cent of those surveyed have over 10 per cent women on their board, with 33 per cent having between 20 and 29 per cent women membership.

7. Government publishes next steps in UK data governance reform

The government has published its response to its Data: a new direction consultation which it launched in September 2021. This is the pre-cursor to the Data Reform Bill expected later this summer, which is set to amend the current UK GDPR.

This response has revealed that the Data Reform Bill will not present the radical overhaul to data protection law which many expected. Instead, it is set to tinker around the edges of the UK GDPR, removing some of the more prescriptive requirements of the current regime and replacing them with more flexible concepts.

Cookies and the Privacy Electronic Communication Regulations (PECR)

A particular 'crowd pleaser' for website and app operators will be that the requirements for cookie consent on websites will be watered down. As the long-term browser-based solutions to the issues presented by cookies will take time to develop, the government has proposed an interim position where certain non-intrusive applications of cookies will become exempt from the requirements of consent.

However, the fining regime for PECR, the regulation that sets out additional provisions on electronic communications, will be brought into line with the fining regime under the UK GDPR/Data Protection Act 2018. Practically, this means that fines for breaches of PECR will now be capped at the greater of £17.5m or 4 per cent of annual global turnover, as opposed to the current cap of £500,000.

Reform of the ICO

The government intends to make a number of reforms to the Information Commissioner's Office itself. Headline changes include the creation of a statutory framework; a new 'overarching objective'; a statement of strategic priorities set by the Secretary of State; and duties in relation to: (i) growth, innovation and competition; and (ii) public safety.

The ICO will no longer be obliged to investigate every complaint presented to it, regardless of materiality. Legislation will give the ICO clear discretion on whether to investigate certain types of data protection complaint, including vexatious complaints and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller. Sensible utilisation of this discretion should free up the resources of the ICO to focus on more strategic priorities, and also free up resource in data protection teams within organisations.

Privacy Management Regime

A key aspect of the existing data protection regime is the onerous obligation of accountability, which has become a box-ticking exercise for many organisations. The Data Reform Bill intends to strip this back to allow for more flexible outcomes and a risk based compliance approach. To this end, the obligations to appoint data protection officers, conduct privacy impact assessments and maintain records of processing are being removed. However, these obligations are being replaced with the requirements to 'designate a senior individual', implement 'risk assessment tools' and maintain 'personal data inventories'. This seems to be more of a rebranding exercise than a substantial overhaul of the basic requirements.

Legitimate Interests

In order to process personal data, a lawful basis is required. The most common lawful basis currently used is that processing is in a person's business' or a third party's 'legitimate interest'. This basis is, also, the most vague and, in order to prove to the ICO that it is available, a number of tests have to be conducted by a party intending to rely on it.

The consultation toyed with the idea of creating an approved 'white list' of activities that would automatically pass the requirements of the legitimate interests lawful basis. This is going ahead with a list of 'approved' legitimate interests to be created. The consequence of this is that if a processing purpose appears on this list then the 'balancing test' will not be required.

Specific requirements regarding Artificial Intelligence

The response reiterates the government's intention to publish a white paper on AI governance in line with its national data strategy, and not to legislate separately for AI, as will be the case in the EU.

However, the Data Reform Bill offers one AI specific provision. A new condition will be included to allow processing of special categories of personal data for the purposes of monitoring bias in AI and automated decision making (ADM) programmes. This is important as bias can be developed within an AI or ADM programme, deriving from the data set used and/or the programmer. Removing the administrative burden behind testing for this bias appears to be part of the government's proposed strategy to make the UK a hub for AI development.

Anonymous Data

The Data Reform Bill will clarify the test for anonymisation. The proposal is to make the test a relative one by defining effective anonymisation as when the specific controller in question cannot re-identify the individual. This is different from the current test, which broadly requires data to be anonymised so the individual is 'no longer identifiable'. This is uncertain, and arguably sets an impossibly high standard for anonymisation. The proposed changes go some way to remedying this.

Data subject access requests

The threshold for refusing to comply with, or charging a reasonable fee for, a subject access request will be slightly diluted, with a proposed amendment of it from 'manifestly unfounded or excessive' to 'vexatious or excessive'. However, there is no return to the standard fee for all requests (as was in place under the Data Protection Act 1998).

Personal data breach reporting requirements

The government has held off tinkering with the personal data breach notification threshold requirements within the legislation. Instead, in what appears to be an effort for more certainty, the response proposes that the ICO should provide further guidance on what is or is not reportable.

Adequacy with the EU

Crucial to any changes to the UK privacy law will be ensuring the European Commission continues to find it 'adequate', as this continues to allow personal data to flow freely between the EU and the UK. This element will cause particular tension as the Data Reform Bill makes its way through Parliament.

Overall impact

Overall, the response clarifies that, despite the 'tinkering', almost all organisations that comply with the UK's current regime will be in compliance with the future regime. This means that the overall impact of the proposals (as they currently stand) on the ICO, businesses and data subjects is likely to be minimal.

Item submitted by Rhiannon Webster, Head of UK Data Privacy and Cybersecurity

8. FRC issues consultation on audit quality indicators

The Financial Reporting Council has published a consultation on the public reporting of audit firms' firm-level audit quality indicators (AQIs) which it believes would provide users of audited information with greater detail on audit firms' efforts to deliver high quality audits.

The 11 proposed AQIs would provide stakeholders with a range of comparable indicators on perceived culture within an audit firm, audit quality inspection results, staff workloads and the level of partners' involvement in individual audits.

The FRC believes that there is limited available information that compares audit quality between the firms so setting out AQIs to enable discussions between Audit Committee Chairs (ACCs) and audit firms on the drivers of audit quality will help ACCs to make more informed comparisons between firms when appointing external auditors. In turn, the FRC hopes that the increased emphasis on quality by users will further increase audit firms' focus on driving further improvements in the key area of audit quality.

In addition to its proposed AQIs, the FRC is seeking views on:

• Whether the requirements should apply to all firms that audit more than 20 PIEs or at least one FTSE 350 company.
• Whether the AQIs should include all audit engagements, but be presented separately for PIE and non-PIE audits.
• Whether it would be useful for firms to provide supporting narrative for the numerical data.

Responses to the consultation should be submitted by 18 August 2022. The FRC intends to publish a final version of its proposals, with guidance, towards the end of 2022 with a view to them coming into effect from 1 April 2023.