Online Safety Act implementation

Learnings from financial services regulation

At a glance:

  • Ofcom’s implementation of the Online Safety Act (the Act) is now underway, following Royal Assent on 26 October.
  • A key feature of the new online safety regime relates to embedding proactive risk management as part of a company’s broader approach to governance and compliance. For the largest online services, this means user safety being recognised and represented at all levels of the company.
  • At a high level, parallels can be drawn between the new online safety requirements and the “Consumer Duty” requirements recently introduced by the FCA in the financial services sector, designed to deliver better consumer outcomes, which must be embedded within company cultures.
  • Also inherent within both the online safety and financial services regimes is an emphasis on Senior Manager responsibility. This means that regulators have clarity about who is responsible for what and can focus on whether a nominated individual has complied with their relevant responsibilities.
  • Although most of the new rules will come into force in late 2024, a good number of the Act’s provisions commenced immediately, with the remainder commencing two months after Royal Assent. From the outset, Ofcom expects to use its information powers in order to gather evidence to implement the new regime.
  • As the new regime gets up and running, this blog sets out our view on insights from the financial services regime for implementation of the Act, which affected companies should already be considering.


Introduction

Online Safety regime

The Act introduces a landmark set of new rules designed to tackle illegal content online and prevent harm to individuals in the UK, imposing new requirements for providers of online services.

Ofcom expects implementation of the Act to deliver four outcomes:

  • stronger safety governance in online firms;
  • online services designed and operated with safety in mind;
  • choice for users so they can have meaningful control over their online experiences; and
  • transparency regarding the safety measures services use, and the action Ofcom is taking to improve them, in order to build trust.

A key aspect of Ofcom’s new rules is that they will focus on services developing stronger systems and processes in relation to user safety (e.g., taking effective steps to ensure that such systems and processes mitigate the risks identified by risk assessments, such as illegal content ranging from online fraud to terrorism). Ultimately, the intention is to build a stronger culture and practice of risk management in online services.

As set out above, Ofcom has stated that two of its four key focus areas will be on stronger safety governance, and services that are designed and operated with safety in mind. Where Ofcom decides to exercise its supervision powers in relation to these two areas (specifically by issuing an information notice as a first step, but which may also extend to audit notices), services must name a Senior Manager with responsibility for ensuring compliance with Ofcom’s requests.1

Therefore, in one sense, these Senior Manager obligations only apply following Ofcom’s exercise of the abovementioned supervision powers. However, given the nature of this new supervisory regime, we expect these powers to be used widely (in particular for the largest internet companies within scope). Indeed, Ofcom stated in its 9 November consultation on protecting people from illegal harms online that “We expect to use our power to issue statutory information notices regularly from the outset of the regime”.

Financial services regime

The FCA’s new Consumer Duty is also seen as a landmark new approach in the financial services sector, introducing rules relevant to firm conduct, with principles based requirements (amongst other things) for firms to avoid foreseeable harm to retail customers.

The Consumer Duty requires firms to monitor, measure and act on the outcomes their retail customers are receiving which should lead to good outcomes for customers in four specific areas (namely products and services, price and value, consumer understanding and consumer support). A central element of this requirement is that all staff need to understand their role in delivering good consumer outcomes in order to achieve the necessary cultural change.

These rules are set in the context of the existing Senior Managers and Certification Regime, jointly enforced by the FCA and the Prudential Regulation Authority (PRA), which aims to reduce harm to consumers and strengthen market integrity by making Senior Managers more accountable for their conduct and competence on an ongoing basis.

Against this background we have identified some key learnings from UK financial services regulation that can be read-across to Ofcom’s implementation of the Act.


Learnings from financial services regime relevant to online safety

1. Leading practices relevant to effective embedding of proactive risk management within the company

Broadly speaking, initial parallels can be drawn between, on the one hand, the processes, systems and controls that need to be introduced, and on the other, the policies and practices that should be adhered to.

In relation to processes, systems and controls, drawing on our experience of working with financial services firms to implement the Consumer Duty, we think that companies subject to the Act should consider having:

  • A governance framework with clear safety governance implementation plans and oversight of their delivery, with the ability to demonstrate how user safety requirements are embedded throughout their company.
  • Appropriate oversight of the outcomes relevant to implementation of the Act (e.g., the design and operation of safe online services) through their systems and controls and a well-defined process, including clear accountability, actions and monitoring, if outcomes are not on track.
  • A clear view on what “good” looks like bearing in mind residual risks. Experience from the Consumer Duty regime and Deloitte’s recent work with companies to support compliance with EU online safety regulation under the Digital Services Act reinforces the importance of defining relevant metrics in this respect, which can be a non-trivial exercise. Ofcom has already highlighted that there are challenges associated with metrics, noting that it is important to get them right as part of the transparency reporting process.
  • A robust third-party management governance and compliance framework which includes identifying and managing roles and responsibilities of third parties in delivering the company’s online safety responsibility and effective monitoring mechanisms.
  • A champion at board level (or equivalent governing body) who, along with the Chair and the CEO, are there to ensure that consumer safety requirements are discussed regularly and raised in all relevant forums. On a related point, it will also be beneficial to include a section in the Annual Board Report evidencing how the responsibilities are being continuously implemented (building on the requirement under the Act for regular risk assessments and for certain in-scope platforms to publish transparency reports).

More broadly, the largest firms within scope of the Act should prepare for ongoing and detailed “supervision” regarding the status of compliance with these new measures throughout the company (indeed, Ofcom has itself highlighted the relevance of experience from the financial services industry in this respect). Companies within scope should prepare for the nature of the regulatory dialogue to change, with ongoing and enforceable information requests allowing Ofcom to establish a view on ongoing company compliance.

In relation to policies and practices, we consider that the following regulatory expectations in relation to Consumer Duty implementation are relevant:

  • Compliance with the new requirements should be built into people management policies and practices, including performance management, training, role descriptions, pay and bonuses. Under the Consumer Duty Conduct Rule 6, every member of staff needs to understand their role in delivering good customer outcomes.
  • Online services within scope should create a culture which empowers employees at all levels to speak up and provide challenge, without fear of retaliation.

This approach also appears consistent with Ofcom statements in this area, for example an emphasis on “good risk management practice as a fundamental part of service design and organisational culture”, which “links to strong governance”, where Ofcom will “advocate for risk assessments and risk management to be owned at the most senior levels”. Ultimately, members of staff should understand their role in delivering outcomes consistent with the Act, supported by underlying people management and processes designed to achieve this.

2. Learnings from the Senior Managers regime

There are two categories of learning in this context; the first, a broader insight relating to how the Senior Managers regime has been established in the financial services sector, the second a more specific insight on how the requirement for senior managers to take “reasonable steps”2 has been interpreted in the financial services regime.3

Likely leading practices that can be drawn from the financial services regime

  • Every Senior Management Function holder must have a Statement of Responsibilities that clearly states what they are accountable for.
  • Every Senior Management Function holder is under a Duty of Responsibility. This means that if a firm breaches a regulatory requirement, the Senior Manager responsible for that area could be held accountable if they did not take reasonable steps to prevent or stop the breach.

Likely differences between both regimes

  • In the financial services regime, firms need to confirm that an individual is fit and proper to perform the function (including undertaking a criminal record check) and then apply to the FCA/PRA for approval for individuals to carry out a Senior Management Function. It does not appear that a similar requirement will be in place under the Act (which envisages a company identifying a nominated Senior Manager, but not necessarily Ofcom approval).
  • The range of Prescribed Responsibilities that Senior Managers may have in the financial services regime is broader than that envisaged under the Online Safety regime (which includes compliance with an Ofcom information notice in particular). That said, good practice would still be for in-scope companies to map the different scenarios where they might be subject to Ofcom’s supervisory powers and to identify a roster of accountable Senior Managers accordingly so that time-critical regulatory activities can be owned and executed promptly.
  • Under the Act, Senior Managers may be held criminally liable for failure to comply with an Ofcom information notice, which contrasts with civil liability in the financial services Senior Managers regime (meaning that there is a difference in the standard of proof between both regimes).

Demonstration of “reasonable steps” by Senior Managers

Under the Act, Senior Managers have liability for information offences or otherwise obstructing or delaying Ofcom’s supervision and enforcement functions (e.g., inadequate response to an Ofcom information notice). However, the nominated Senior Managers may have a defence if they can demonstrate that they have taken “all reasonable steps” to prevent that offence being committed. Therefore it will be important to have a clear understanding of what those “reasonable steps” will be in practice.

In its consultation of 9 November (specifically, ‘Information gathering and enforcement powers and approach to supervision’), Ofcom provided a summary of Senior Manager liability in this respect, but did not specifically elaborate on what may be considered “reasonable steps”. Ofcom did however elaborate on the following potential defences relevant to this provision, referring to situations where:

  • the individual was a Senior Manager for such a short time that they could not reasonably have been expected to take steps to prevent the offence;
  • the individual was not a Senior Manager at the time the offence occurred; or
  • the individual had no knowledge of being named as a Senior Manager in a response to the information notice in question.

In the financial services regime, Senior Managers must take “reasonable steps” in the execution of their duties. The following considerations which are relevant to an assessment of “reasonable steps” in the financial services sector seem to us to be equally relevant to online safety:

  • At a high level, financial services regulators have indicated that in the event of a breach they will assess the steps that the Senior Manager actually took against such steps the Senior Manager could have taken to avoid the contravention occurring or continuing to occur.
  • The competence the Senior Manager had, or ought to have had.
  • The steps the Senior Manager could have taken, considering what alternative actions might have been open to the Senior Manager at the time and the timescale within which action would have been possible.
  • The proportionality of a particular measure, consistent with the size, scale and complexity of the company concerned and the time and effort involved in taking a particular step/steps.
  • Whether the Senior Manager delegated any functions, taking into account that any such delegation should be appropriately arranged, managed and monitored.

Enforcement activity under the Senior Managers regime (by the PRA) earlier this year provides one example of how reasonable steps have been interpreted in practice. In this case, the PRA found that a Senior Manager Chief Information Officer (CIO) had not taken reasonable steps relating to identification and risk associated with outsourced providers (broadly speaking, that although the CIO had given assurances to his Board about his company’s preparedness, he had not received sufficient assurance from the outsourced provider in question). This resulted in a financial penalty of £81,620 for the individual in question. This would be relevant to a situation where a regulated online company is dependent on third party input for the purposes of appropriately engaging with an Ofcom supervision and enforcement function.

Ultimately whether “all reasonable steps” were taken by a Senior Manager under the online safety regime will be a question of fact to be determined in each case, so an element of uncertainty is likely to remain for some time until the defence is tested. However, it can already be seen from the financial services regulatory regime that Senior Manager responsibility is an important supervisory tool to incentivise the right behaviours and ensure individual accountability. We would expect to see such provisions having a similar impact in relation to online safety.


Conclusion

Ofcom’s implementation of the Act is in its early stages, and further guidance is expected in advance of all of the rules coming into force.

Nevertheless, there would certainly appear to be a number of relevant learnings from financial services regulation that companies in scope of the new Act can draw on to prepare themselves for the new regime.

Affected firms can already begin to consider the new obligations that may be expected, both in terms of systems, processes and controls, policies and practices in general and Senior Manager responsibilities in particular.

_____________________________________________________________

References

1 For completeness, the Act also introduces new requirements for corporate officers in relation to child safety duties. This relates to a failure by an officer of the company, defined as a “director, manager, associate, secretary or other similar officer” to comply with their responsibilities in this regard. Therefore, it may be expected that certain Senior Managers will also be impacted by this obligation. Such duties, which will be continuing in nature, will come into force 40 days after the relevant Ofcom codes are formally laid in Parliament. As this is currently expected to take place in late Q3 or Q4 2024, we do not consider them further at this stage.

2 Further detail on the Senior Manager conduct rules in the financial services regime in this respect can be found at COCON 2.2 Senior manager conduct rules - FCA Handbook

3 For completeness, we note that the Act requires that “all reasonable steps” be taken by Senior Managers, whereas the financial services Senior Managers regime focuses on “reasonable steps”. We do not consider any broader implications of this here.

4 Deloitte has previously set out views on what constitutes “reasonable steps” for Senior Managers under the financial services regime, for example see deloitte-uk-senior-manager-regime.pdf