FCA and PRA moving the dial on Diversity & Inclusion

Who is this blog for?

Board members, senior executives, in house legal teams, those with in-house culture and HR responsibilities, reward, and other teams involved in the implementation of their firm’s diversity and inclusion (D&I) policies.

At a glance:

  • Both the FCA and PRA have published consultations on D&I and Non-financial misconduct (NFM) in the Financial Services sector. The proposals are wide-ranging and include measures to improve overall diversity (beyond gender) and address misconduct in regulated firms.
  • A set of minimum requirements will be applicable for a range of regulated firms. Larger firms (over 250 employees) will be required to develop, maintain, and publicly disclose D&I strategies, set targets against key demographics and report data across a range of mandatory and voluntary metrics on an annual basis.
  • Firms need to develop their approach to data collection, whilst also communicating with employees to understand their concerns and address potential barriers to providing the prescribed D&I data.
  • Firms will welcome the fact that the regulators are expecting them to develop their own strategy and targets for progress on their D&I efforts. The detailed disclosure requirements will require firms to work hard to make progress or face difficult conversations with regulators and other stakeholders, including those focussed on ESG.
  • Key senior manager functions such as the Chair of the Board and CEO responsible for culture and D&I will need this new framework to be embedded into their responsibilities. This expansion of key roles’ prescribed responsibilities will need to be carefully reflected into role objectives, performance, and remuneration & incentives practices.
  • While these proposals will provide data on the D&I status, to design and deliver the right strategy, firms will need to better understand and address the root cause of the barriers to D&I progress so far. This analysis could provide valuable insight to feed into the action plan to implement the D&I strategy going forward.


Two years on from the publication of DP21/2: Diversity and inclusion in the financial sector, a pilot data survey and a multi-firm review of how firms design and embed D&I strategies, the FCA and PRA have published proposals to introduce a new regulatory framework on D&I: FCA CP23/20: Diversity and inclusion in the financial sector, and PRA CP18/23: Diversity and inclusion in PRA-regulated firms.

The proposals aim to bring about healthier firm cultures and reduced groupthink, improve access to a wider talent pool, improve consumer outcomes and support for innovation, and develop new markets. They include a set of minimum requirements that will apply to the majority of regulated firms, and which are designed to better integrate non-financial misconduct (NFM) considerations into staff fitness and propriety (F&P) assessments, Conduct Rules and Threshold Conditions (NFM proposals).

In addition, larger firms (broadly those with more than 250 employees) will be required to develop and implement D&I strategies, publish diversity targets, report and disclose certain D&I data, and recognise D&I deficiencies as a non-financial risk (D&I proposals).

The consultations are open for comment until 18 December 2023. The regulators expect any subsequent requirements and obligations to take effect 12 months after the publication of final rules in 2024.

1. NFM proposals

Scope: All regulated firms – those with a Part 4A permission, solo entity basis, activities carried out mainly from a UK establishment.

The FCA proposes to amend the Handbook to explicitly include NFM within its Conduct Rules, F&P assessments, and suitability guidance on the Threshold Conditions.

Key proposals include:

  • NFM is to be considered misconduct and not an additional principle. Firms will be expected to take decisive and appropriate action against employees for instances of NFM.
  • Additional guidance (to COCON) is available on what types of behaviour will be in scope of NFM and what relates to an employee’s personal life. This is relevant to all staff except those considered ‘ancillary staff’ and appointed representatives.
  • Only serious misconduct would amount to a breach of conduct rules. Examples of serious NFM breaches could include serious instances of bullying, harassment or multiple instances that are collectively serious. Firms will need to notify the FCA if they take disciplinary action for NFM that is considered a breach of conduct rules.
  • The FCA proposals explain in more detail how NFM is part of the F&P test for employees and senior personnel (FIT). For example, misconduct both within and outside the workplace can be relevant for FIT with bullying, sexual or racially motivated offences in and outside the workplace being relevant.
  • The FCA proposes to extend guidance on the Suitability Threshold Conditions in COND to include, for example, sexual or racially motivated offences and tribunal or court findings that the firm or someone connected with the firm (such as a Director) has engaged in discriminatory practices.

Impact on firms

The clarification of the application of conduct rules and what constitutes NFM will require careful consideration by firms, their HR and internal legal functions. The new requirements and expected standards of conduct will need to be reflected in employee handbooks, internal policies, and contracts, as well as remuneration and bonus policies. Firms will need to provide regular training and updates for staff and managers on the conduct rules and the risks and consequences of breaches of the rules.

2. D&I strategies and targets

Scope: All Solvency II and CRR¹ firms, regardless of size and all other regulated firms except SMCR limited scope firms.

Firms in scope will be required to develop an evidence-based D&I strategy containing as a minimum:

  • the firm’s D&I objectives
  • a plan for meeting them and measuring progress
  • a summary of the arrangements in place to identify barriers to meeting the objectives; and
  • ways to ensure staff have adequate knowledge of the D&I strategy.

The PRA also expects the D&I strategies to include the firm’s core values, the culture it is trying to create, its commitment to D&I, links to the overall strategy and the role of the firm and staff in fostering an open and inclusive environment.

A firm’s Board and senior leadership will be responsible for maintaining and overseeing the D&I strategy, including regular reviews to ensure it remains effective and appropriate. The D&I strategy should be made available, for example on the firm’s website.

Firms will be required to set targets to address under-representation internally, at each level of: the Board, senior leadership, and employee population as a whole. In particular, the FCA notes that firms focus on senior leadership at present but issues of under-representation start to arise at more junior levels.

Nomination committees of banks will be required to recommend targets to the Board rather than decide them and the targets will have to cover wider groups than just Board or senior leadership. This means that Boards will have an increased responsibility for diversity targets.

Firms may also want to set inclusion targets in addition to diversity targets. Targets should be consistent with firms’ D&I strategy and current diversity profiles, and the FCA expects firms to prioritise areas of greater under-representation.

Firms will be free to choose which demographic characteristics the targets cover but the FCA will require disclosure against specific targets, including gender and ethnicity. The PRA expects firms to set targets as a minimum for gender and ethnicity where firms identify under-representation in these areas. Aligned to the FCA approach, the PRA favours a flexible approach to target setting, allowing firms to choose their own appropriate realistic but stretching targets.

Outcomes and process targets should be updated regularly (although frequency will not be mandated) and firms will need to publicly disclose both their targets and progress towards them on an annual basis.

Impact on firms

Large firms will need to carry out an assessment to identify the need for change based on current D&I policies and targets. This should include scoping the areas of the business that are likely to be affected such as HR functions including performance and reward systems & processes, controls and data, recruitment, and oversight processes to monitor progress against targets.

Firms will need to gather robust D&I data to act as a starting point as this will help determine the key areas of under-representation that will in turn inform where targets are most needed. For many firms this will be a significant challenge and therefore they might want to engage early with the proposals to allow sufficient time to obtain the necessary data and identify obstacles and risks in this process early on.

Under the proposals the Board will have a central role in owning the D&I strategy and deciding on targets. Firms will need to consider how to create the necessary processes to engage the Board in an effective and timely manner.

3. Data reporting and disclosure

Scope: Annual average employee numbers are to be reported by all regulated firms except SMCR limited scope firms. All remaining reporting obligations will only apply to large firms (with over 250 employees).

Large firms will have to report data to the FCA / PRA across a range of demographic characteristics, inclusion metrics and targets via a regulatory return. In the first year of application, firms must take all reasonable steps to gather the data, explain reasons for any gaps, and report on a comply or explain basis. From Year 2, the full reporting requirements apply for mandatory fields.

The data needs to be reported across three dimensions: Board, senior leadership, and whole employee population. Where there is a risk of identification of individuals due to low numbers, the data should be reported in aggregate. The FCA plans to produce an aggregated disclosure report based on firms’ data. This report could act as an industry benchmark and allow firms to compare their progress against their peers.

Mandatory demographic characteristics include: age, ethnicity, sex or gender, disability or long-term health conditions, religion and sexual orientation. The PRA notes that high numbers of staff choosing not to disclose their data could be an indicator of lack of inclusiveness within the firm and these firms will be expected to investigate if their culture is discouraging employee self-disclosure.

Voluntary demographic characteristics include sex or gender (when not chosen above), parental responsibilities, gender identity, carer responsibilities and socio-economic background. The regulators expect firms to increase their voluntary reporting over time or add more fields to their mandatory reporting over time.

Firms will also be required to report annually on a number of inclusion metrics including psychological safety, i.e. whether employees feel safe to speak up or express disagreement, feel their contributions are valued and feel secure when they make an honest mistake.

Firms will be expected to report annually on their progress against targets. The FCA proposes that firms disclose the information they report to the FCA on D&I data by referencing percentages rather than absolute numbers to increase transparency and scrutiny.

Impact on firms

Firms will need to foster a psychologically safe environment where employees are encouraged and feel safe in submitting data around D&I targets. A robust and transparent narrative around D&I status and the firm’s strategy and ambition will be key to developing trust and employee engagement.

Another important factor for collecting meaningful data will be to ensure that response options are representative and appropriate, so that employees don’t feel like the only suitable response is ‘prefer not to say’.

For many firms, diversity target metrics will need to be enhanced and new inclusion targets designed. Intersectionality - where employees belong to more than one minority group - will also need to be considered in the design and analysis of metrics.

4. Risk and governance

Scope: All large, regulated firms except limited scope firms.

Firms are expected to consider the role of internal audit and their risk functions in supporting progress on D&I. Risk functions would be expected to consider D&I driven risks such as groupthink and poor decision making, which can affect outcomes for consumers and markets.

The regulators expect current prescribed responsibilities (PRs) around culture to capture D&I. In particular, for banks and insurers the PRA expects the Chair of the Board (PR I) to include among its PRs the development of the firm’s D&I strategy. The CEO’s (PR H)² PRs are also expected to include the implementation of the D&I strategy approved by the Board and responsibility for ensuring that all business areas understand the role they play in implementing the D&I strategy.

The SMFs responsible for D&I should be expected to incorporate D&I in their performance objectives and remuneration scorecard, and their performance against these reflected in their remuneration decisions where relevant. Both regulators acknowledge that it would be challenging to hold SMFs to account for failing to meet D&I targets, but they will be expected to demonstrate ‘reasonable steps’ to implement the strategy and to identify any barriers hindering progress.


The D&I proposals for large firms are wide ranging and likely to have a material impact as firms move to make tangible progress on their D&I journey. Firms will need to assess the proposals carefully and consider seeking clarification from the PRA or FCA to help drive a smooth implementation.

A key challenge ahead will be for firms to create the right culture (including systems, processes and safeguards) that would encourage employees to disclose sensitive information. Greater public disclosure around D&I strategy and detailed metrics will provide stakeholders with data on the broader ESG profile of the firm.

Over the past few years, progress on D&I has been slow to materialise. The proposals will put firms in the driving seat when it comes to target setting and prioritising key demographic attributes for reporting. However, lasting and sustainable change will only be possible once firms understand the root causes of slow progress to date, and invest in addressing these.


1 Capital Resource Requirement (CRR) and Solvency II (SII) firms are firms to which the CRR or SII parts of the PRA Rulebook apply.

2 PR I and H are typically held by the Chair of the Board and CEO respectively but it is not a requirement that they do – the positions can be held by other senior executives.