FINEX GLOBAL

DIRECTORS AND OFFICERS NEWS UPDATE

IN THIS ISSUE2 Personal Accountability: A Checklist for Worried

Directors

3 HBOS: Why the Regulators Will Make Sure Things Go Differently Next Time

5 Two of the Most Important Pieces of Cyber Legislation Ever

8 A New Report on the Theme of Personal Accountability Contains a Worrying Conclusion

10 Directors’ Liability Regime Changes – In Force Today!

11 Maritime Corporate Risk Now Has a Human Face in an Increasingly Difficult Regulatory Environment

13 Whistleblowers: You Know they Make Sense if You’re a Regulator!

14 U-Turn on Presumption of Guilt for UK Senior Managers

15 The Email has Gone. But Who’s it Gone to?

Francis Kean an Executive Director in Willis’ FINEX Global is a regular blogger on WillisWire, sharing his expertise with readers.

Francis specialises in insurance for Directors’ and Officers of companies. He joined Willis in 2010 and has 25 years of experience as a leading litigation lawyer specialising in Professional Indemnity, Financial Institutions and Directors’& Officers (D&O) Liability in the London insurance market.

We have pulled together Francis’s blogs from the last quarter and put them in to this easy to read bulletin.

I blogged recently on the recent Treasury announcement (still subject to Parliamentary approval) about the abolition of the presumption of responsibility under the senior managers regime (SMR), due to be introduced in the UK in March 2016. In the same publication the Treasury were careful to point out that:

The same tough underlying obligation will remain on the individual to ensure that they take reasonable steps to prevent regulatory breaches in the areas of the firm for which they are responsible.

I could also tell you that buried in the same publication is the announcement that the Conduct Rules are to be extended to all non-executive directors of banks because:

…there may also be circumstances when it is appropriate to take enforcement action against NEDs, such as when a NED fails to act with honesty and integrity, and it is difficult to justify a position where enforcement action can be taken against relatively junior staff but not against board members.

At the risk of sounding like a stuck record (for those who remember vinyl), the new mantra for regulators both here and in the US is: “It’s all about personal accountability for senior managers”.

So this time round, and especially for those of my readers who are in fact senior managers, I thought I would instead come up with some practical steps for you to consider. The checklist which follows is not necessarily intended to be exhaustive, but assumes a healthy curiosity on the part of a senior executive or non-executive (either in post or considering an appointment) as to the nature and quality of the liability protections that might be available to him or her in the event of a problem with regulators.

REGULATORY LIABILITY PROTECTION CHECKLIST FOR SENIOR MANAGERS

_ With which categories of employee, at what level of seniority, do I share the D&O limit purchased by the company on my behalf?

_ Is my D&O limit also shared with the company itself and, if so, in what respects and to what extent?

_ Is access to my D&O insurance policy dependent on a failure or refusal by the company to indemnify me?

_ Does the company agree to indemnify me in respect of all legal expenses (including, where I consider it necessary, seeking independent legal advice) in my capacity as a senior manager to the extent legally permissible?

_ What cover, if any, is available to me to seek independent legal advice under the firm’s D&O insurance programme in pre-enforcement dealings with regulators?

_ If the answer to 4 and/or 5 above is “No/None”, has the company considered purchasing additional legal expenses for me in pre-enforcement dealings with regulators?

_ What restrictions are imposed (both by indemnity and insurance) on my freedom to select lawyers of my choice and in the conduct and control of my defence?

_ Does the policy provide a mechanism under which insurers will advance all defence costs and legal representation expenses to me pending resolution of any dispute between the company and the insurers as to the extent of such costs ultimately covered under the policy?

_ What protection do I have against future claims against me if I retire or resign during the policy period or if during such period the company is the subject or object of mergers and acquisitions activity?

_ Does my D&O policy contain provision that enable me to take proceedings which clear my name in appropriate cases?

PERSONAL ACCOUNTABILITY: A CHECKLIST FOR WORRIED DIRECTORS

2 | D&O NEWS UPDATE

Much has been written in the last week about the long-awaited report into the reasons behind the collapse of Halifax Bank of Scotland (HBOS). This is hardly surprising given the size of the collapse and the report’s hard hitting conclusions, including the findings that:

_ Its board failed to instil a culture within the firm that balanced risk and return appropriately, and lacked sufficient experience and knowledge of banking.

_ There was a failure by the board and control functions to effectively challenge executive management in pursuing this course or to ensure adequate mitigating actions.

The report itself is over 400 pages long, is based on testimony of over 80 witnesses, cost over £7 million and goes into a lot of detail about all of this.

MORE INTERESTING: THE GREEN REPORTOf more interest to me though were the findings of the linked report prepared by Andrew Green QC into the regulators’ enforcement actions following the failure of HBOS.

The Green Report weighs in at a more modest 93 pages plus appendices. It provides some illuminating insights into the approach taken by the Financial Services Authority to the question of enforcement and sheds light on the way in which its successor the Financial Conduct Authority will (and will be able to) do things differently in future.

The overall conclusion of the Green Report is that, “the scope of the FSA’s enforcement investigations in relation to the failure of HBOS was not reasonable.”

You may remember that the only senior individual to be subject to specific investigation and regulatory sanction at the relevant time was Peter Cummings the head of HBOS’ corporate division.

More specifically, the Green Report concludes that:

“The FSA gave no proper consideration to the possibility of investigating any additional individuals including other members of the Board at the date of failure, such as the CEO and Chairman, even though it was apparent to the FSA (certainly to Supervision) that there had been significant problems within the failed bank extending beyond the Corporate Division (including problems in the International and Treasury Divisions)…”

HBOS: WHY THE REGULATORS WILL MAKE SURE THINGS GO DIFFERENTLY NEXT TIME

THE “PROBLEM” OF COLLECTIVE BOARD RESPONSIBILITYAs to the reasons for this failure, the Report concludes that it occurred:

“in the context of a regulatory scheme that was ill-suited to the identification of appropriate subjects for enforcement action in circumstances where a banking institution had failed. …the FSA’s regulatory guidance stated that it would only take disciplinary action against an individual where there was evidence of ‘personal culpability’. In the context of a substantial multi-divisional company such as HBOS, where strategy was frequently the result of collective decision-making over an extended period of time, it was inevitably difficult to identify a particular individual whose conduct evidenced ‘personal culpability’.”

With a finding like that, it is not hard to see why politicians and regulators alike are putting so much faith in the Senior Managers Regime. The express purpose of the new regime is of course to facilitate the process of identifying individuals who are to be held personally accountable in the event of a serious failure.

D&O NEWS UPDATE | 3

Whilst the legal principle of collective board responsibility survives, the regulatory focus on individual responsibility is new and may not turn out to sit comfortably with it when the senior managers regime comes into force in March 2016.

THE FEAR OF FAILUREBut it is not simply evidential difficulties to which the Green Report directs attention. It also highlights an attitude prevalent in the enforcement division of the FSA in 2009 that “enforcement against big bankers had become virtually impossible” (Para 347).

The Report goes on to draw attention to the practice at the time of seeking to assess in advance the outcome of any subsequent disciplinary proceedings before the decision to investigate was made. The problem with this approach, according to the Report was:

“accurately evaluating the prospects of success in disciplinary proceedings before an investigation had even begun. This approach…had a tendency to discourage the FSA from starting investigations even though the threshold test for investigating was met and even though the public importance of investigating was high.”

What’s interesting about that is how starkly different the approach of the FCA is already now even before the implementation of the Senior Managers Regime. The days of adopting a risk-averse approach to the investigative process are already over as anyone who has been caught up in one in over the last five years can testify.

THE LUXURY OF TIMEYet another factor, according to the Report, which played on minds of FSA enforcement division, was time. In 2009 the FSA only had two years (and later three) in which to institute proceedings before they became time barred. By contrast the FCA will now have up to six years in which to institute such proceedings.

That is likely to make a big difference in practice. It will enable the FCA to deal with the regulatory sanctions for the entity first, before turning to the individuals. It will also allow it more time to adopt the classic “bottom up” approach to investigation starting with the more junior members of management whilst leaving enough time to pursue more senior managers in appropriate cases.

CONCLUSIONAll in all it is hard to imagine that the regulatory outcome of another major bank collapse in the UK would be remotely similar to what occurred at HBOS and elsewhere in 2008. The Green Report, seen against the reforms implemented since 2008, makes that even less imaginable.

I suppose the real question though is whether anyone can predict how, when and why the next big collapse will come. If not, finding any individuals personally culpable may still prove a challenge.

4 | D&O NEWS UPDATE

_ Water: drinking water supply and distribution

_ Digital infrastructure: internet exchange points (which enable interconnection between the internet’s individual networks), domain name system service providers, top level domain name registries

_ Member States will identify these operators on the basis of criteria, such as whether the service is essential for the maintenance of critical societal or economic activities

_ Security and notification requirements for digital service providers

A bit like London buses —you wait for ages and then two come along—two of the most significant pieces of European legislation ever affecting cyber liability have been announced by the European Commission in the last week.

NETWORK AND INFORMATION SECURITY DIRECTIVEOn 8th December, the European Commission announced a new Network and Information Security Directive. Under the new directive, businesses in member states with an important role for society and the economy—referred to in the directive as “operators of essential services”—will have to take appropriate security measures and to notify serious incidents to the relevant national authority.

As the press release makes clear, The Directive will cover such operators in the following sectors:

_ Energy: electricity, oil and gas _ Transport: air, rail, water and road _ Banking: credit institutions _ Financial market infrastructures: trading venues,

central counterparties _ Health: healthcare providers

TWO OF THE MOST IMPORTANT PIECES OF CYBER LEGISLATION EVER

D&O NEWS UPDATE | 5

_ The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.

This is probably the most fundamental overhaul of data privacy at an EU level ever.

Highlights include: _ A right to be informed if your data has been

hacked. Companies will have to notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures. No such obligation currently exists in the EU but a similar obligation which has existed in the US for some time has given rise to some very expensive remedial action needing to be taken by companies who have suffered cyber-attacks under which the personal data of many thousands of individuals have been compromised.

_ A significant extension of data privacy laws from companies who are data controllers to those who process data. At the moment only the former are liable in damages for breaches in the EU, whereas when the regulation comes into force data processors will be held jointly liable. This has very significant implications for outsourcing agreements relating to the processing of data which are commonplace between businesses.

_ Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will cover the following providers:

_ Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)

_ Cloud computing services _ Search engines _ In line with the objectives of the Digital Single Market

strategy, the Directive aims to establish a harmonised set of requirements for digital service providers, so that they can expect similar rules wherever they operate in the EU. That is a lot of businesses!

The obligation to notify comes with some real teeth. Draconian penalties will be imposed for non-compliance with up to 2% of global turn over or €75 million possible for the most aggravated cases.

The legislation will need to be approved by the European Parliament and is likely to be phased in over the next 2 years.

DATA PRIVACY LAW REFORMThen exactly a week later on 15th December the European Commission announced agreement on the long anticipated Data Privacy law reform. This is probably the most fundamental overhaul of data privacy at an EU level ever.

The reform consists of two instruments: _ The General Data Protection Regulation will enable people to

better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.

6 | D&O NEWS UPDATE

_ Subject to an exemption for small and medium size enterprises, it will be mandatory for companies to appoint data protection officers with responsibilities for ensuring compliance with the new legislation.

_ The right will be given to consumers to have their personal data corrected if inaccurate, and the expansion of their right to remove irrelevant or outdated information. This “right to be forgotten” extends a concept enshrined in the EU’s existing privacy laws. Consumers will for the first time have the right to stop a firm using data when they close an account.

_ The age of consent for data processing is set at 16, but EU countries governments will be able to lower it to 13, which is the current limit for many US social media companies.

_ A “one-stop shop” for data protection complaints will be introduced. This will allow people to complain about a company in their home country rather than the country where that firm’s EU headquarters is located.

PENALTIES ADD TEETH TO THE DIRECTIVEAgain, draconian penalties for serious breaches of the new regulation will be enforced. Fines of up to 4% of global sales can be imposed on companies. The timetable for introduction of the new laws looks to be very similar to that for the Network and Information Security Directive. Subject to approval from the European Parliament, the laws are likely to be introduced within the next two years.

These summaries do not really do justice to the implications of these new pieces of legislation for companies doing business in any of the 28 European Union Member States. Expect plenty more to be written about this in 2016 – 2017.

The fact that legislative agreement has finally been reached now on such a broad front after such long and tortuous negotiations is perhaps significant. It demonstrates that many governments have really begun to take cyber threats seriously.

That challenge now need to be taken up and addressed by businesses to avoid not simply reputational and business interruption losses (bad enough though they are) but also very genuine and serious liability threats.

D&O NEWS UPDATE | 7

A NEW REPORT ON THE THEME OF PERSONAL ACCOUNTABILITY CONTAINS A WORRYING CONCLUSIONIt’s not just me who keeps returning to the theme of personal accountability for senior managers. A very recent survey and report by Thomson Reuters on personal liability of senior individuals and compliance officers contains some fascinating insights. Two findings in particular caught my eye.

AN INTERNATIONAL PHENOMENONI have been saying for some time that it would be wrong to look at the UK Senior Managers Regime in isolation. The US for example is showing every sign of treading the same path. It seems the respondents to the survey agree with me:

64% of respondents to the survey expect that regulatory regimes introducing personal accountability will be replicated around the world.

In fact this is not simply a matter of opinion. It is happening now. Other countries referred to in the report which are alrea dy pursuing similar campaigns include Australia, Canada and Hong Kong.

In Australia for example, the current chairman of the Australian Securities and investments Commission (who is mentioned in some circles as a possible replacement for Martin Wheatley as Head of the FCA) plans to incorporate “culture” into its role as conduct regulator with obvious implications for senior manager accountability.

Perhaps even more tellingly, the Thomson Reuters report quotes remarks made by Christine Lagarde, managing director, International Monetary Fund, during a conversation with Janet Yellen, chair of the Board of Governors of the Federal Reserve System in May 2015 when she said:

Ultimately, we need more individual accountability. Good corporate governance is forged by the ethics of its individuals. That involves moving beyond corporate “rules-based” behaviour to “values-based” behaviour. We need a greater focus on promoting individual integrity.

If two of the most important controllers of global purse strings consider this an important enough theme to debate, it is reasonable to assume that its impact will soon extend to other countries too.

8 | D&O NEWS UPDATE

ALL THAT WORK FOR NOTHING?What is more surprising and disturbing is the finding that:

Only 53% of respondents to the person al liability survey anticipate new legislation will change behavior for the better.

It’s not clear what lies behind that finding. The survey was conducted among over 2000 risk and compliance practitioners – the very people who have the responsibility for implementing the changes on the ground in large companies. Yet, more than half of them appear to believe that the changes will not be effective. Could it be that they feel this is another case of the regulators shutting the stable doors after the horses have bolted?

Or maybe it’s because they don’t really believe that the senior managers themselves are really willing to embrace the cultural changes necessary to deliver a model of corporate governance which puts such emphasis on personal accountability.

The report quotes Ravi Menon, the managing director of the Monetary Authority of Singapore saying in January 2015:

Even the most intrusive supervision can only go so far in promoting a culture of ethics. The industry must itself take collective responsibility to promote higher ethical standards. It is better that industry develops codes of good conduct that take into account operational realities that they know best and that holds firms accountable to their peers, than wait for the regulator to set rules that may be impractical or too onerous.

Whilst Mr. Menon’s sentiments might be out of step with those of his international regulatory colleagues at the moment, it could be that they resonate more with the businesses themselves which must implement them. Time will tell who was right.

D&O NEWS UPDATE | 9

DIRECTORS’ LIABILITY REGIME CHANGES – IN FORCE TODAY!

Over a year ago I blogged about significant proposed changes to the Directors Disqualification Regime and to the rules relating to assignment of rights of action against directors of insolvent companies. I wrote:

It is perhaps unlikely in the current political climate that changes aimed at increasing director accountability will be left on the back burner too long whatever the complexion of the next government.

CHANGES DEFINEDWell, now we have the answer. With effect from today (as I write this) those changes come into force. The relevant pieces of legislation are parts of the unpromisingly named Small Business Enterprise and Employment Act 2015 and the Deregulation Act 2015. To recap:

Wrongful and Fraudulent Trading

Wrongful trading and fraudulent trading as well as transactions at an undervalue and preferences will all be treated as an asset in the insolvent estate to be assigned and sold. Company administrators will, for the first time, be able (like liquidators) to bring proceedings against directors for wrongful trading and fraudulent trading. Unlike liquidators neither they (nor their assignees) will have to consider what is in the best interests of the creditors as a whole in deciding whether to pursue a claim or not. This is likely to lead to more litigation especially where there are some assets (including the proceeds of D&O policies) which are deemed worth pursuing.

Directors’ Disqualification Regime

Company administrators will now be able to bring proceedings against directors for wrongful trading and fraudulent trading.

A number of changes are also being introduced to the directors’ disqualification regime. The period for applying for a disqualification order will be extended from two years to three. In addition, there are new powers given to the Courts today to make compensation orders against directors.

For conduct occurring post after October 1, 2015, the court, on the application of the Secretary of State, may order a director to pay compensation to a creditor or creditors who have suffered loss as a result of the misconduct leading to the disqualification.

This is a big deal. It will, in theory no longer be necessary for creditors to launch expensive and speculative civil proceedings on the back of disqualification proceedings. They will simply be able to request that a compensation order be made in their favour.

IMPLICATIONS FOR D&O INSURANCEIt seems highly likely that there will be an increased incidence of claims against directors of insolvent companies, although how long it will take for this trend to be discernable is hard to say.

This time lag (if it turns out to be so) may in itself cause real coverage difficulties for directors. That is because D&O policies operate on an annual claims made basis. Therefore unless the policy is on foot (i.e. has not expired at the time of the claim) it may be too late for the director to claim cover under the policy. There are (or may be) ways of mitigating this risk but directors need to be aware of the risk.

The potential for compensation orders also raises some interesting coverage questions. The all-important definition of “loss” about which I have blogged before, Does Your Policy Walk the WALC? is relevant here. Does the policy define loss (in relevant part) simply as “damages, settlements and defence costs”? If so is it broad enough to cover compensation orders which may or may not technically be “damages”?

There is a lot to think about here for insurers and insured alike, although whether any of it makes any difference to premium levels in this soft market is quite another matter.

10 | D&O NEWS UPDATE

MARITIME CORPORATE RISK NOW HAS A HUMAN FACE IN AN INCREASINGLY DIFFICULT REGULATORY ENVIRONMENTThe regulatory tides have recently shifted toward holding top management more accountable for company performance at a time when the insurance products which cover the liability of directors and officers (D&O) are steadily growing in complexity.

In this new environment, maritime companies’ chief risk officers should be keeping a keen eye out for the metaphorical icebergs on the horizon, unless they want to lay themselves open to accusations of having been rearranging the deckchairs on the Titanic as danger neared.

CHANGING SEA STATESIn September, the US Deputy Attorney General, Sally Yates, issued a memorandum to US assistant attorney generals for anti-trust, tax, environment and national security, and all other US States Attorneys, which made clear that corporations could “only commit crimes through their flesh-and-blood people.” She went on to say:

“It’s only fair that the people who are responsible for committing those crimes be held accountable. The public needs to have confidence that there is one system of justice and it applies equally regardless of whether that crime occurs on a street corner or in a boardroom.”

That sentiment just as easily could have been offered by a number of lawmakers across the developed world. The memorandum was not limited to criminal acts; it also raised the specter of bringing civil proceedings against executives.

Having recently extracted some eye-watering fines from companies, US prosecutors appear to now have the human element – the recognized cause of most major marine accidents – firmly in their sights.

A typical D&O policy can easily comprise 30 or 40 pages of closely typed text, with an equal number of defined terms. It is no exaggeration to say that legal advice is often necessary to work out precisely what is and what is not covered.

Is there a reliable way to cut through this complexity and focus on what really matters? A good place to start is to establish the personal liabilities that senior maritime executives might reasonably expect a D&O policy to protect them against.

For example, a standard expectation is that, if they become embroiled allegations, investigations, proceedings or enquiries relating to their capacity as senior maritime executives, the D&O policy would ensure payment of all defense and representation expenses, together with any settlements or damage awards made against them, absent any dishonest or other egregious conduct.

The good news is that such expectations can be met, but only if a number of metaphorical and medium-sized coverage ‘icebergs’ are first removed from the course being steered. These include:

_ Shared cover _ Claims made policies _ Typical exclusions, limitations

D&O NEWS UPDATE | 11

SHARED COVEROne might be forgiven for assuming that cover under a D&O policy is primarily for the benefit of an organization’s most senior executives. Very often, however, the definition of “director and officer” covers all employees, including those in a managerial and supervisory capacity. The breadth of that definition in a large organization could easily cover several hundred individuals and could well include, for example, ships masters and officers, and perhaps even some crewmembers.

In itself, that is not a coverage problem, per se. But it is highly relevant to the question of how much liability cover should be purchased. Limits are usually shared on an aggregate and ‘first-come-first-served’ basis.

Following a major shipping incident or disaster, regulators, prosecutors and litigants tend to adopt a “bottom up” approach, focusing first on those individuals most obviously implicated in the causes.

Senior executives may not come under detailed scrutiny until months or even years later. This may result in inadequate cover remaining for senior executives, if and when the repercussions rise to their level.

CLAIMS MADE POLICIESA key feature of the way in which the liability insurance for directors and officers works is that it only responds to claims that are first made against them during the period for which the policy is purchased.

What this means is that, if several years after they have left the company, the board members of any shipping company are held accountable for a “wrongful act” committed while they were in post, there will only be cover if the company has continued to purchase D&O liability insurance for the period in which the allegations are made. That of course assumes that the company is still in existence, and has not been “reorganized” or otherwise ceased to exist.

Typical Exclusions, Limitations Some of the exclusions most typically seen in D&O policies cover precisely the situations in which exposure to liability for shipping companies is most likely to arise. For example, it is not uncommon to encounter exclusionary language relating to pollution, property damage, bodily injury and death; nor is this language safely identified by a thorough read of what appears to be the relevant section of the policy.

This is because insurers often adopt lengthy definitions which include within them restrictive or exclusionary language. A good example of this is the definition of “loss,” which frequently contains language such as: “Loss does not include…,” adding a list of further exclusions often covering, for example, all types of fines and penalties, as well as clean-up costs.

Despite the apparent traps, there are rational and sensible restrictions available on the scope of cover.

Another trap for the unwary maritime executive can be what appear to be ‘enhancements’ to cover that are, on closer examination, in fact restrictions. Examples might include so-called additional limits on cover for pollution exposure and/or for “corporate manslaughter.” These protections can be laden with additional restrictions and limitations.

For example, under careful inspection, the additional marine pollution limit may turn out to be a sub-limit on the total amount of cover available and, in any event, may only provide restrictive cover. Similarly, cover for corporate manslaughter might appear useful, relevant and generous. But, in fact, it may not extend to investigations, as opposed to prosecutions.

D&O insurers will tell you, with some justification, that their policies are not designed to cover exposures such as clean-up costs and/or damages for bodily injury and death. They might also say that the D&O premium does not take account of the ‘business as usual’ costs for a shipping company, such as cooperating with regulators and, if necessary, incurring the legal costs to do so.

FOCUS ON THE ESSENTIALSBe that as it may, the seasoned maritime professional can still safely navigate the risk of these increasingly treacherous waters. Reverting to the ‘reasonable-expectation’ test above, they would be well counseled to focus on a few essentials, by asking:

_ Do the key definitions of “claim”, “wrongful act”, “loss” and “investigation” – which often serve as the main gateways to cover—provide sufficient breadth?

_ Do the exclusions (and related definitions) allow scope for defense and investigation costs (at least) for all types of claims and investigations?

_ Is the limit adequate (and of adequate duration) for the number of people insured, given that, when the iceberg (literally or metaphorically) hits, the consequences are likely to be felt by the shipping company and its directors for many years to come?

12 | D&O NEWS UPDATE

WHISTLEBLOWERS: YOU KNOW THEY MAKE SENSE IF YOU’RE A REGULATOR!The FCA published last week new rules on whistleblowing. The key requirements of the new rules are to:

_ appoint a senior manager as their whistleblowers’ champion _ put in place internal whistleblowing arrangements able to handle all

types of disclosure from all types of person _ put text in settlement agreements explaining that workers have a

legal right to blow the whistle _ tell UK-based employees about the FCA and PRA

whistleblowing services _ present a report on whistleblowing to the board at least annually _ inform the FCA if it loses an employment tribunal with a

whistleblower _ require its appointed representatives and tied agents to tell their

UK-based employees about the FCA whistleblowing service

The new rules will not come into force until September 2016, but the senior manager whistleblowing champion must be identified in time for the launch of the Senior Managers Regime in March 2016.

In the accompanying press release Tracey McDermott, acting FCA chief executive, says:

“For individuals to have the confidence to come forward, it is vital that firms have in place adequate policies on dealing with whistleblowers and that a senior manager takes responsibility for overseeing these policies.”

It’s not hard to see why a regulator would want to encourage this. Indeed as Ms McDermott herself says in the same release:

“It is in the interests of the industry and regulators alike that wrongdoing is identified and addressed promptly.”

Clearly, the more regulators can rely on the employees of institutions to be their eyes and ears the easier their task becomes.

Later in the same press release she says:

“These rules are designed to build on and formalise examples of good practice already found in parts of the financial services industry and aim to encourage a culture in which individuals working in the industry feel comfortable raising concerns and challenge poor practice and behaviour.”

All of which is quite true but, as with all good regulation, there is a balance to be struck between creating “the right culture” and creating one that breeds concern that unless you point a finger first, you will end up at the wrong end of someone else’s digit!

Perhaps that’s why the most eye-catching aspect of these rules is the requirement on banks and other financial institutions to appoint a whistleblowing champion in the form of a senior manager. The idea here seems to be that the senior manager, who will be a non-executive director, must be responsible for overseeing the preparation of an annual report on whistleblowing for the board (and available to the FCA or PRA) on request. The aim seems to be to put whistleblowing firmly on board agendas.

The FCA has said that the senior manager does not necessarily have to make himself or herself available to direct approaches. Whilst that may come as a relief to the individuals concerned, it raises interesting questions as to how the senior manager will be able to demonstrate that he or she is championing the cause to the satisfaction of the regulators. If for example there is no whistleblowing activity to report to the FCA or PRA in any given period, will this be taken to be a good thing or a bad thing?

D&O NEWS UPDATE | 13

U-TURN ON PRESUMPTION OF GUILT FOR UK SENIOR MANAGERS

appropriate steps to prevent a regulatory breach from occurring and can form the basis for enforcement actions if regulators believe appropriate preventative measures were not taken. Although it will now be for the regulators to prove that reasonable steps to prevent the breaches were not taken, in one sense Mr Bailey is right. The focus on individual accountability is undiminished.

SO WHERE DOES THIS LEAVE US?The moderately good news for senior managers and their insurers may be that slightly fewer stones may have to be overturned in mounting a defence on the basis that individuals can now wait to see how the regulators put their case. That said, the regulators enthusiasm to enforce this new duty of individual responsibility is hardly likely to be dimmed.

One final sting in the tail—or silver lining in the cloud from the view of the regulators—is the formal announcement (anticipated in my earlier blog) that from 2018 the Senior Managers Regime will be extended to cover fund managers, mortgage brokers and consumer credit firms. It may be that the reverse burden of proof would have proved a bridge too far for these smaller organizations in any event.

The UK Treasury today announced a major revision of one of the most controversial provisions in the Senior Managers Regime due to take effect on British and foreign banks operating in the United Kingdom from March 2016.

This is a subject about which I have blogged several times before. The provision in question involves the reversal of the burden of proof and the imposition on bank senior managers (including certain senior non-executive directors) of a requirement to prove, where a firm is guilty of misconduct, that they “took such steps as a person in their position could reasonably be expected to take to avoid it happening.”

That was to have been a real potential game changer since it would have required a senior manager to make all the running in an enforcement action by the FCA or PRA as opposed to defending himself or herself against specific allegations made by the regulators.

WHAT HAS CAUSED THIS CHANGE OF HEART?The answers to the first two questions are relatively straight forward. Soon after the May 2015 election the UK Government signalled a desire to be more business and bank friendly. In June 2015 the Chancellor of the Exchequer delivered a speech in which he said he wanted a “new settlement” with the financial sector. A few weeks after that, in what was seen as the first evidence of this approach, the then FCA chief executive Martin Wheatley, announced his intention to leave his post. (A new permanent appointment has yet to be announced.)

WHAT DO THE REGULATORS MAKE OF IT?As for what the regulators make of this change, I suppose “putting a brave face on things” best expresses this. Andrew Bailey, deputy governor of the BoE and chief executive of, the Prudential Regulation Authority, said the change of wording will make little difference in practice.

This change is one of process, not substance. The focus for firms and individuals should be on complying with both the letter and the spirit of the rules rather than considering ways to circumvent them.

AND WHAT HAS TAKEN ITS PLACE?So that leads on to the question as to what has changed. What has taken the place of the reversal of the burden of proof? It seems that there will now instead be a new “duty of responsibility” on senior managers. This will still require such individuals to take

14 | D&O NEWS UPDATE

THE EMAIL HAS GONE. BUT WHO’S IT GONE TO?

We all know (or think we know) about the dangers of hitting the send button on emails, but now there’s a new threat.

I’m not just talking about the risk of sending emails to unintended recipients. Nor do I simply have in mind the predilection of prosecutors and regulators alike for relying on the power of emails to convey prejudicial insights into the authors. More recently it was also an email (and in particular a damaging postscript) which saw a finding against Mr. Hannam of market abuse in proceedings brought by the FCA. As the Decision Notice puts it:

…on 8 October 2008 at 11.11am, an email drafted by Mr Hannam was sent on his behalf to Mr A. A blind copy was also sent to Mr B. In addition, a copy of this email was forwarded to certain members of Mr Hannam’s team. The email reported on certain developments relating to Kurdistan, including the arrangements for Mr Hannam’s planned visit to Kurdistan the following week, and stated that Mr Hannam would be meeting Mr Buckingham for lunch. The email is signed off “Ian” and immediately beneath that states:

“PS – Tony has just found oil and it is looking good”.

NEW POWERS FOR THE FCANo, the real point here lies buried in the UK Government’s new Investigatory Powers Bill. Whilst most of the public’s attention is rightly focused on the surveillance powers to be given to the police and security services , Part 3 and Schedule 4 of the draft bill confirms new powers may also be granted to governmental agencies—including the FCA. (I am grateful to Drew Naylor of law firm RPC for drawing my attention to this in his own blog.)

As Naylor points out:

At the heart of the new bill is the requirement placed on “communications services providers” (CSPs), e.g. broadband providers, mobile phone operators etc, to keep “internet connection records,” (ICRs). In the Government’s guidance, an ICR is described as a type of “communications data” that is a “record of the internet services a specific device has connected to, such as a website or instant messaging application”, but it is not a person’s “full internet browsing history”.

It doesn’t matter if you don’t really follow this technical stuff (as I don’t). The point is that even if the FCA may not be entitled to your “full internet browsing history” it may (should the draft bill be passed into law without amendment in this respect) be able to access your emails in furtherance of its objectives of “preventing or detecting crime and/or the regulation of financial services and markets; or financial stability”.

Just think about that. We are not talking here about unearthing emails after the event as part of a general regulatory enquiry but the power (albeit subject to safeguards) to monitor “specific devices” in real time.

As Naylor says: “in our experience, when public bodies are granted new powers, they are very keen to use them whenever and wherever possible.”

Quite! If you aren’t already aware of the possibility that your emails may be seen by those for whom they were not originally intended, this new power should set you straight and make you think twice before you press “send.”

D&O NEWS UPDATE | 15

Willis Group Holdings plc is a leading global insurance broker. Through its subsidiaries, Willis develops and delivers professional insurance, reinsurance, risk management, financial and human resource consulting and actuarial services to corporations, public entities and institutions around the world. Willis has more than 400 offices in nearly 120 countries, with a global team of approximately 17,000 employees serving clients in virtually every part of the world. Additional information on Willis may be found at willis.com.

This bulletin offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. It is not intended to be, and should not be, used to replace specific advice relating to individual situations and we do not offer, and this should not be seen as, legal, accounting or tax advice. If you intend to take any action or make any decision on the basis of the content of this publication you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of the Willis Group. Copyright Willis Limited 2015. All rights reserved.

Willis Limited, Registered number: 181116 England and Wales. Registered address: 51 Lime Street, London, EC3M 7DQ.A Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority.

15036/12/15

For more information please contact Francis Kean: T: +44 (0)20 3124 7078E: francis.kean@willis.com

or visit our blog, WillisWire, at blog.willis.com