Online Safety regime
The Act introduces a landmark set of new rules designed to tackle illegal content online and prevent harm to individuals in the UK, imposing new requirements for providers of online services.
Ofcom expects implementation of the Act to deliver four outcomes:
A key aspect of Ofcom’s new rules is that they will focus on services developing stronger systems and processes in relation to user safety (e.g., taking effective steps to ensure that such systems and processes mitigate the risks identified by risk assessments, such as illegal content ranging from online fraud to terrorism). Ultimately, the intention is to build a stronger culture and practice of risk management in online services.
As set out above, Ofcom has stated that two of its four key focus areas will be on stronger safety governance, and services that are designed and operated with safety in mind. Where Ofcom decides to exercise its supervision powers in relation to these two areas (specifically by issuing an information notice as a first step, but which may also extend to audit notices), services must name a Senior Manager with responsibility for ensuring compliance with Ofcom’s requests.1
Therefore, in one sense, these Senior Manager obligations only apply following Ofcom’s exercise of the abovementioned supervision powers. However, given the nature of this new supervisory regime, we expect these powers to be used widely (in particular for the largest internet companies within scope). Indeed, Ofcom stated in its 9 November consultation on protecting people from illegal harms online that “We expect to use our power to issue statutory information notices regularly from the outset of the regime”.
Financial services regime
The FCA’s new Consumer Duty is also seen as a landmark new approach in the financial services sector, introducing rules relevant to firm conduct, with principles-based requirements (amongst other things) for firms to avoid foreseeable harm to retail customers.
The Consumer Duty requires firms to monitor, measure and act on the outcomes their retail customers are receiving which should lead to good outcomes for customers in four specific areas (namely products and services, price and value, consumer understanding and consumer support). A central element of this requirement is that all staff need to understand their role in delivering good consumer outcomes in order to achieve the necessary cultural change.
These rules are set in the context of the existing Senior Managers and Certification Regime, jointly enforced by the FCA and the Prudential Regulation Authority (PRA), which aims to reduce harm to consumers and strengthen market integrity by making Senior Managers more accountable for their conduct and competence on an ongoing basis.
Against this background we have identified some key learnings from UK financial services regulation that can be read-across to Ofcom’s implementation of the Act.
Broadly speaking, initial parallels can be drawn between, on the one hand, the processes, systems and controls that need to be introduced, and on the other, the policies and practices that should be adhered to.
In relation to processes, systems and controls, drawing on our experience of working with financial services firms to implement the Consumer Duty, we think that companies subject to the Act should consider having:
More broadly, the largest firms within scope of the Act should prepare for ongoing and detailed “supervision” regarding the status of compliance with these new measures throughout the company (indeed, Ofcom has itself highlighted the relevance of experience from the financial services industry in this respect). Companies within scope should prepare for the nature of the regulatory dialogue to change, with ongoing and enforceable information requests allowing Ofcom to establish a view on ongoing company compliance.
In relation to policies and practices, we consider that the following regulatory expectations in relation to Consumer Duty implementation are relevant:
This approach also appears consistent with Ofcom statements in this area, for example an emphasis on “good risk management practice as a fundamental part of service design and organisational culture”, which “links to strong governance”, where Ofcom will “advocate for risk assessments and risk management to be owned at the most senior levels”. Ultimately, members of staff should understand their role in delivering outcomes consistent with the Act, supported by underlying people management and processes designed to achieve this.
There are two categories of learning in this context; the first, a broader insight relating to how the Senior Managers regime has been established in the financial services sector, the second a more specific insight on how the requirement for senior managers to take “reasonable steps”2 has been interpreted in the financial services regime.3
Likely leading practices that can be drawn from the financial services regime
Likely differences between both regimes
Demonstration of “reasonable steps” by Senior Managers
Under the Act, Senior Managers have liability for information offences or otherwise obstructing or delaying Ofcom’s supervision and enforcement functions (e.g., inadequate response to an Ofcom information notice). However, the nominated Senior Managers may have a defence if they can demonstrate that they have taken “all reasonable steps” to prevent that offence being committed. Therefore it will be important to have a clear understanding of what those “reasonable steps” will be in practice.
In its consultation of 9 November (specifically, ‘Information gathering and enforcement powers and approach to supervision’), Ofcom provided a summary of Senior Manager liability in this respect, but did not specifically elaborate on what may be considered “reasonable steps”. Ofcom did however elaborate on the following potential defences relevant to this provision, referring to situations where:
In the financial services regime, Senior Managers must take “reasonable steps” in the execution of their duties. The following considerations which are relevant to an assessment of “reasonable steps” in the financial services sector seem to us to be equally relevant to online safety:
Enforcement activity under the Senior Managers regime (by the PRA) earlier this year provides one example of how reasonable steps have been interpreted in practice. In this case, the PRA found that a Senior Manager Chief Information Officer (CIO) had not taken reasonable steps relating to identification and risk associated with outsourced providers (broadly speaking, that although the CIO had given assurances to his Board about his company’s preparedness, he had not received sufficient assurance from the outsourced provider in question). This resulted in a financial penalty of £81,620 for the individual in question. This would be relevant to a situation where a regulated online company is dependent on third party input for the purposes of appropriately engaging with an Ofcom supervision and enforcement function.
Ultimately whether “all reasonable steps” were taken by a Senior Manager under the online safety regime will be a question of fact to be determined in each case, so an element of uncertainty is likely to remain for some time until the defence is tested. However, it can already be seen from the financial services regulatory regime that Senior Manager responsibility is an important supervisory tool to incentivise the right behaviours and ensure individual accountability. We would expect to see such provisions having a similar impact in relation to online safety.
Ofcom’s implementation of the Act is in its early stages, and further guidance is expected in advance of all of the rules coming into force.
Nevertheless, there would certainly appear to be a number of relevant learnings from financial services regulation that companies in scope of the new Act can draw on to prepare themselves for the new regime.
Affected firms can already begin to consider the new obligations that may be expected, both in terms of systems, processes and controls, policies and practices in general and Senior Manager responsibilities in particular.
_____________________________________________________________
1 For completeness, the Act also introduces new requirements for corporate officers in relation to child safety duties. This relates to a failure by an officer of the company, defined as a “director, manager, associate, secretary or other similar officer” to comply with their responsibilities in this regard. Therefore, it may be expected that certain Senior Managers will also be impacted by this obligation. Such duties, which will be continuing in nature, will come into force 40 days after the relevant Ofcom codes are formally laid in Parliament. As this is currently expected to take place in late Q3 or Q4 2024, we do not consider them further at this stage.
2 Further detail on the Senior Manager conduct rules in the financial services regime in this respect can be found at COCON 2.2 Senior manager conduct rules - FCA Handbook
3 For completeness, we note that the Act requires that “all reasonable steps” be taken by Senior Managers, whereas the financial services Senior Managers regime focuses on “reasonable steps”. We do not consider any broader implications of this here.
4 Deloitte has previously set out views on what constitutes “reasonable steps” for Senior Managers under the financial services regime, for example see deloitte-uk-senior-manager-regime.pdf