As 2018 begins to take shape, the regulatory outlook seems dominated by one particular area - data. As the value of the data held by organisations increases, so does the risk from cyber criminals and pressure from regulatory authorities. Increasing thought is also being given to how to regulate social media such as Twitter, Facebook and WhatsApp.
However, there are other topics on the agenda – this update covers briefly:
Area in focus: the good corporate citizen
A continuing trend
The ‘good corporate citizen’ agenda is progressing, with ongoing first publications of payment practices and gender pay gap reports building on the tone set by the Modern Slavery Act 2015. The corporate offence of failure to prevent facilitation of tax evasion also came into force in autumn 2017, encouraging businesses to put in place reasonable systems and procedures akin to those under the UK Bribery Act 2010.
Going forward, strategic reports published for financial years starting from 1 January 2017 will need to include information on the company’s policies, performance indicators and impact relating to environmental, social, employment and anti-bribery matters. The FRC is currently consulting on its revised code accommodating the changes (see below for more detail).
Businesses’ response to these requirements is still evolving and will continue to do so depending on investor, political and public reactions to their statements. As board level approval is required for all the recently introduced reports, it is likely that validating this information, and acting on identified issues, will rise further up the priority list.
US examples under similar modern slavery legislation show the risks of inadequate research. Class action lawsuits were filed because companies didn’t acknowledge that some products they were selling used fish from Thai slave ships, or cocoa farmed by children. The claims failed, but the publicity and associated legal costs inevitably had an impact on the companies that needed to defend their reputation.
It seems probable that over time businesses will formalise information gathering on ethical issues and test policy and process implementation through internal audits and reviews. Much information will apply to more than one topic – for example, supply chain due diligence processes can affect reporting on bribery, slavery, tax evasion and environmental impacts.
Taking an integrated, not topic-based, approach to reviews and updating frameworks will be important to embedding effective metrics for reporting while minimising administration and monitoring costs.
Key Upcoming Legislation
2017 saw the abolition of roaming charges in the EU and progress made towards cross-border portability of online content. The most significant activity, however, was preparation for GDPR ahead of the May 2018 enforcement date. For more information on GDPR see here. As critical as GDPR is, there are some other things happening this year:
The ePrivacy Regulation: replacing the current “cookie” e-Privacy directive, it will affect how cookies are allowed on web browsers and how digital marketing is conducted. It is currently in negotiation at EU level but expected to be in effect before the UK leaves the EU on 29th March 2019.
Payment Services Directive 2: building on the first Directive, it will narrow exemptions for electronic communications providers. It is being phased in from January 2018.
The Automated and Electric Vehicles Bill is paving the way for new tech by increasing charging points and clarifying insurance issues on automated cars.
The Modern Slavery (Transparency in Supply Chains) Bill aims to stop public contracts being awarded to those who should publish a modern slavery statement but have failed to do so.
A new UK Corporate Governance Code: As mentioned above, the Financial Reporting Council will publish a revised code following a consultation period, with a final draft due in summer 2018, to apply to accounting periods from January 2019. It will provide guidance on social and ethical reporting. For more information see Deloitte’s Governance in Brief publication here.
The Network Information and Security Directive is expected to be implemented in the UK later this year. It sets out minimum standards for operators in electricity, transport, water, energy, health and digital infrastructure. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards. Consultation has now closed, with final regulations expected in the government’s response to it.
And finally, the June Bank Holiday (Creation) Bill seems likely to be popular even with those who don’t consider the referendum date of 23 June to be cause for celebration. Disappointingly, as a private member’s bill, it is highly unlikely to achieve more than a fun debate in the House of Commons at most!
And not forgetting Brexit…
As the details for the UK’s departure from the EU begin to emerge, areas of regulatory convergence and divergence will naturally develop. Whilst a two-year transition period may provide a degree of certainty, it is unclear how EU legislative packages which straddle the Brexit period will be handled. In the event that the UK does not adopt EU law, there is potential for immediate regulatory divergence, and we will be looking in more detail at some of these as they emerge over the next year.