Later this year, the Government is due to unveil its final policy position on online harms: the new regulatory regime that will apply to platforms that allow individuals to discover user-generated content or interact with one another online. One of the primary open questions is whether the Government will impose liability for senior managers under the regime.
In her post, my colleague Rebecca Dickie considers whether it’s appropriate to impose criminal liability on a senior manager who oversees a major breach of the statutory duty of care. In this post, we’ll consider another option suggested by the UK Government: civil liability similar to the Senior Managers and Certification Regime (“SMCR”) that applies in financial services.
What is the Government considering?
In the Online Harms white paper, the Government said that it was exploring the possibility of holding individuals “personally accountable in the event of a major breach of the statutory duty of care”. The suggestion was that individuals could be personally liable for civil fines and presumably also publicly named as being to blame. The Government pointed to the SMCR as an example of a regulatory approach that has “driven a culture change in risk management in the sector”. Indeed, at one stage, it was rumoured that the centrepiece of the online harms regime may have been an “SMCR for tech”.
But is what’s being considered for online harms really a copy/paste of the SMCR? And would those proposals be appropriate for tech firms and effective in preventing online harms?
What is the SMCR and where did it come from?
First, it’s worth being clear on what the SMCR is and why it came into force. The SMCR was not the origin of individual accountability in financial services; the UK financial services regulators could already sanction individuals under the earlier “Approved Persons” regime. Rather, the SMCR was introduced in response to the financial crisis and the difficulty regulators encountered in ascertaining who was responsible for what within regulated firms. In the view of the Parliamentary commission that looked into this, “top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making”.
The SMCR sought to tackle this problem by codifying the key responsibilities within a firm, requiring firms to allocate these to appropriately competent individuals (who had to be approved by the regulators) and then requiring those individuals to discharge those responsibilities properly. If a firm breached a regulatory requirement, the senior manager with responsibility for the area where the breach occurred can be held to account if they failed to take reasonable steps to prevent the breach from occurring or continuing.
Another problem the financial crisis exposed was that it was not just senior managers who could cause harms to consumers and markets, but many individuals below senior management (such as the traders connected to the FX and LIBOR scandals). The SMCR brought these individuals within the remit of the “certification regime”: firms had to annually assess and confirm their fitness and propriety, and these individuals came within the remit of the regulators’ conduct rules.
The regime also required firms to take a whole host of other steps: for instance, avoiding the problem of “rolling bad apples” by requiring firms to seek “regulatory references” from previous employers. Our extensive suite of materials about the SMCR can be found here.
Has the SMCR worked?
The White Paper’s claim that the SMCR has led to a “culture change in risk management” is a bold assertion, but not one that’s entirely without merit. Indeed, in a recent survey by UK Finance, 88% of senior managers surveyed said that the SMCR had brought about a meaningful change in behaviours in the industry. Similarly, there is anecdotal evidence in the industry that the SMCR has been a force for good and has seen regulatory compliance take greater precedence in decision-making.
That said, questions remain about whether the SMCR has resulted in unintended consequences, in particular, whether it has created or exacerbated an unhealthy and potentially counterproductive blame culture in financial services and whether it is right to pin blame for issues which are often complex and caused by a multitude of internal, external and societal factors on one human being.
But what has been proposed is not an SMCR for Tech
There is a problem though with the White Paper using the SMCR as an argument for introducing individual accountability for online harms. That is because what’s being considered for online harms is not a copy/paste of the SMCR. What’s being considered appears to be taking just one element of the SMCR – making individuals personally liable for firm failures – rather than the whole SMCR package summarised above.
This is problematic because there is far less evidence that individual liability alone would lead to the “culture changes” the SMCR has apparently helped achieve. As noted above, there already was an individual accountability regime in financial services prior to the SMCR and, indeed, throughout the financial crisis.
Though there are cases waiting in the wings, to date there has been just one concluded enforcement action since the SMCR was introduced in 2016. And even this was for personal conduct that could have been sanctioned under the predecessor Approved Persons regime. This makes it unlikely that enforcement risk alone has driven changes in culture.
Likewise, the UK Finance survey mentioned above indicated that many senior managers rarely consider the potential regulatory consequences that could arise under the SMCR, suggesting that it is not a major influence on their day-to-day behaviour [page 15]. Indeed, in speeches, even the FCA have recognised that aiming for compliance through “fear” of regulatory consequences is unlikely to be as effective as seeking to instil an ethical culture more broadly.
Ultimately, the Government seems to be considering asking tech firms to nominate one (or more) individuals to carry the can if things go wrong. Considering the broad array of harms that are likely to fall within the scope of the regime – everything from terrorist content to online bullying – it seems likely that only the most senior individuals in an organisation, and perhaps only the CEO, would have the breadth of oversight and power to ensure the firm complied with the statutory duty. Asking anyone below this level to assume responsibility - without having the power to ensure compliance - would be akin to asking firms to nominate a “fall guy”.
This immediately leads to issues concerning jurisdiction. Most of the major technology companies are not headquartered in the UK. Can (and should) a regulator try to exercise jurisdiction over these individuals? Would it be able to effectively implement any sanctions given that regulatory fines are often not enforceable in other jurisdictions?
All of this is before we begin to consider the various practical issues that need to be factored in. Implementing an individual accountability regime would require the Government to develop additional legislation and guidance. It would require the regulator (likely Ofcom) to devote additional resources, particularly when investigating individuals (in financial services, investigations of individuals typically take far longer than investigations of firms). It would also require firms to make a whole raft of internal changes. For instance, senior managers in the crosshairs would understandably want to put in place indemnity and insurance arrangements. They would also need to consider what frameworks they may need to implement internally to be able to later demonstrate to the regulator that they had fulfilled their responsibilities. Firms implementing the “full SMCR” in financial services will attest to just how far-reaching these projects have been.
Whether this additional effort and expense would be proportionate to the benefits an individual accountability regime would confer is an open question.
Awaiting the Government’s proposals
As Rebecca’s article makes clear, there are real questions about whether it is fair and right to make senior managers criminally liable for failures by their firms to prevent online harms. Similar questions exist about civil liability. If the aim is to incentivise compliance and reduce users’ exposure to harmful content, it is far from clear that borrowing just one pillar of the SMCR framework (personal liability) would achieve the same “culture change” as that said to have been achieved by the full SMCR construct.
With the Government’s fully-formed proposals on the regime due later in autumn, all eyes will be on how the Government has grappled with these issues and whether it proposes to press ahead with individual accountability and, if so, what that will look like.
We are exploring possible options to create new liability for individual senior managers. This would mean certain individuals would be held personally accountable in the event of a major breach of the statutory duty of care. This could involve personal liability for civil fines, or could even extend to criminal liability. In financial services, the introduction of the Senior Managers & Certification Regime has driven a culture change in risk management in the sector.