Ensuring the fitness and propriety of individuals working in the financial services industry remains a pivotal part of rebuilding trust in financial services and driving better outcomes. Ethical problems associated with regulatory focus on non-financial misconduct require close evaluation, including how to preserve individual rights, privacy, and fairness in disciplinary and accountability frameworks. 

As regulators evolve their thinking on the behaviour that firms should supervise, the risk of unintended consequences increases, including the loss of psychological safety through hyper-vigilance and hazard avoidance bias. IC Insights discusses below why inferring dishonesty from an individual's personal acts is dangerous and can impede professional accountability. We explore conceptual, philosophical, environmental and practical problems arising from this shift and offer takeaways on embedding fairness in accountability frameworks.  

[Fifteen minute read]

___

Managing misconduct: a growing intellectual challenge

In 2018 Chris Woolard, Executive Director of Strategy and Competition at the Financial Conduct Authority (FCA), publicly stated that 'misconduct is misconduct, plain and simple'. 

The statement was meant to drive home that individuals cannot divorce their wider conduct, principles and behaviour from their professional selves. The FCA subsequently stated during a key note speech at the 2022 XLOD Conference that it had a 'reasonable expectation' that an individual will act poorly in financial services if they casually misbehave elsewhere. The insinuation is problematic: that individuals who deceive in their personal lives are likely to do so professionally, and should be stopped at the gates, even if no workplace misconduct had been uncovered.

Why is this problematic? After all, individuals working in a highly regulated field like financial services, where consumer duty is written into rules and ethical decision-making is expected of its leaders, are legally and morally subject to higher standards, and in the UK senior managers are criminally liable for recklessness that leads to firm failure. Financial institutions have the potential to do great harm to the societies and environments they work in, and their agents and leaders must wield such power responsibly. Persons will not pass the authorisations bar if they cannot demonstrate integrity, honesty and probity.

The principle of higher accountability standards is not, itself, contentious: financial services are rife with conflicts of interest stemming from asymmetric information and power dynamics between clients, marketplaces, and buyer and seller. If individuals cannot demonstrate some level of general moral soundness, they will struggle when faced with ethical challenges in their work life. It is well understood that accountability frameworks in financial services need to be robust and enforceable, and there must be appropriate consequence for individuals whose behaviour negligently or wilfully causes harm. 

Difficulties arise with presuming or inferring a lack of integrity, honesty or competence from a person's non-workplace related behaviour, and placing an obligation on the individual to rebut that presumption. Trawling an employee's social media archive and chancing upon a micro-aggression from their university days does not indicate anything about that person's character today. Presuming individuals are bad actors also risks creating a selection bias through which behaviour is assessed: one looks for evidence of malfeasance or malpractice that supports a presupposing judgement of impropriety, rather than fairly evaluating the evidence of a person’s character. It is also unfair not to start from a presumption of good standing, because it places an obligation on the individual to prove their moral character, even when there is no evidence to suggest anything to the contrary.

As accountability frameworks shift their focus to misconduct that does not specifically cause financial harm such as harassment, the focus of regulators such as the FCA on a person's 'reputation' or good standing (see FIT 1.3.1B), including their criminal convictions and any rehabilitation, in a fitness and propriety assessment, weighs ever heavier. The judgement is one to be made by the employing or supervising firm, however the FCA's stated expectations are persuasive, influencing how regulated firms in the UK consider their authorisations, accountability and disciplinary frameworks.

The conceptual problem

Who judges what is 'misbehaving', especially in the presence of prevalent social media campaigners and changing expectations on good conduct generally, and what type of 'harm' does a regulator, and by extension its firms, have the authority to police? 

Fraud, theft and negligence are well-trodden examples of misconduct: supported by criminal and civil precedent, there is a legal underpinning of what is and is not 'acting with integrity' that firms can use within their codes of conduct. Misconduct is, loosely speaking, an act that could or does cause harm to another; historically, such harm would have been a financial impact, however in recent years, the FCA has pivoted its focus towards non-financial harm, in particular sexual harassment, discrimination and bullying. The FCA has stated its basis for doing so is rooted in its statutory objectives: it is part of a well-functioning financial services market representative of the people whom it serves. This is arguable, but laudable. It is also moot, given the government pressure on the FCA following the Odey Asset Management scandal: societal expectation is clear, and firms will face scrutiny if they employ, or defend, individuals with questionable moral standards, even if those standards are not expressly on display in the workplace.

There are some obvious challenges with going beyond financial harm in a conduct framework. Perhaps the most pertinent is materiality: not all lies are equal, and not all lies are lasting. If financial harm is not the barometer, what is? Is it criminal behaviour? This would scope in most sexual harassment, but dishonesty is often far from criminal. Is one lie enough to tarnish a person as fundamentally dishonest? To what lengths should a firm go to ascertain the integrity of that individual if there is no evidence of professional impropriety? Is a misdemeanour worthy of sanction, irrespective of whether it was said in a professional context or not? Does lying to your spouse make you more likely to lie to your boss, or can people compartmentalise their lives? These are questions of moral conviction, and it is dangerous for any regulator, even one with a clear legal remit, to think on them independently of the government and society for which they act.

There is also the ethical issue with firms ascertaining a person's dishonesty outside of criminal convictions or professional misconduct: to what standard should it be proven that the individual did in fact act dishonestly? A firm cannot determine the context and compensating factors to an individual’s behaviour in their private life without the individual’s consent to share personal details. Even if an employer - or a regulator - had the moral right to evaluate a person’s probity in their private life, the information is fundamentally asymmetric. Judgements are more likely to be speculative than informed.

Does a lie ten years ago make a person dishonest today? Rehabilitation, maturity, empathy and discretion are fundamental parts of a fair and just accountability framework. The FCA recognises that fitness and propriety tests should be evidence-based and take rehabilitation for criminal convictions into account. In practice, however, society is less kind than it once was, and mistakes can have longer shadows than acts of contrition, especially if they imply a person acted dishonestly: once a liar, always a liar. It is not just regulatory criticism that a firm faces for its decisions, but social justice campaigners.

As well as being an essential part of a justice system, 'second chances' in financial services are a critical part of a meaningful diversity and inclusion strategy, but fraught with challenge to execute. Consider this stance taken by the Timspon Group:

'We are very proud to say that Timpson is now one of the largest employers of ex-offenders in the UK. Approximately 10% of our workforce is made up of people who have criminal convictions. We believe in giving people a second chance. We don’t judge people on what they have done in the past, preferring instead to focus on what they can do in the future.'

Focusing on a person’s future conduct, rather than concentrating solely on their past actions, is a more credible inclusion strategy that can build loyalty with employees. However, it requires an authentic firm culture to support such individuals and ensure they are in an environment where they will flourish. There is no intuitive reason why financial services cannot provide such an environment, but in reality cultural reform is still needed.

The philosophical problem

Should a regulated firm supervise its employees and agents to identify potential misconduct outside of the workplace, or have a right to limit their activity, on the basis that such individuals are held to a higher accountability standard by virtue of working in financial services?

The heart of this question is not simply employee privacy and data collection, but rather whether a firm should hold their employees to a greater standard in their personal endeavours than the law (criminal or civil) does. For a liberal society, this is a breach of a fundamental right; the right to conduct one's personal affairs as one chooses within the lines of the law. Expecting firms to evaluate a person's dishonesty based on what they do in their private lives is quintessentially imposing the morals of the firm on their individuals, be that with regard to unconventional, but legal, sexual habits, white lies or enjoyment of social vices.

More so than this, it also risks judging people for misconduct they have not yet committed: inferring how they might act in a financial services setting. Notwithstanding the obvious data privacy issues, no matter how sophisticated big data and personal data mining gets, looking for potential bad actors is predictive, not determinative. It is simply not just to penalise someone for something they have not yet done. 

A firm that polices its employees' behaviour outside of the workplace is acting beyond the reach of the powers given to it. Whilst it is likely that acting in accordance with the firm's code of conduct is a term within the employment contract, stretching that to the individual's personal activities is likely to be seen as overreach of the contract or an unfair term. The notable caveat is acting in such a way as to cause harm to the firm, which would not be unreasonable grounds for termination. Of course, an employer exercises significant discretion in their consideration of when you have done so. 

The supervision of an employee's private affairs is not the core problem currently faced by regulated firms. Rather, they are facing a difficult question drawing the line between personal and professional activities in an ever-increasingly integrated world, where employees name their employers on social media profiles, host hospitality events for clients, attend office parties and create work teams for charity races. Firms needs to define what a work 'event' is, and what it is not, but declaring a congregation of work friends to be a work event is far too simplistic, especially when lifelong friendships may exist both across a single firm and across the industry. There must be an element of discretion in the application of a firm's code of conduct, but above all it must be clear and fair.

Whose views does a person represent when they post to social media: their own, or their company's? If an individual uses their platform to espouse a political view, but works for an organisation which has a policy of neutrality (consider the recent controversy surrounding Gary Lineker and the BBC), does the organisation have a right to demand the employer recant the post or otherwise terminate their employment? Is a disclaimer of the post as a personally held view sufficient to divorce the individual's action from their employer? Even if a firm has a policy on social media use, it is not likely to carry weight if the individual has reasonably acted to distance their association with their employer. 

Overreaching policies on employee behaviour outside of the firm may ultimately be unenforceable, but an employee still risks being fired for going against their firm's ethos in their personal postings, and an uphill struggle to take their case to tribunal after the fact. Such policies may also foster resentment. Instead, codes of conduct need to be reasonable, and protect employee liberties. A more generous code of conduct that acknowledges mistakes with compassion and rehabilitation rather than threat, and recognises employee rights to have divergent values outside of the workplace, may achieve better behavioural outcomes simply because it recognises that employees are human, with human interests and lives outside of work to be respected and valued.

The environmental problem

Is an individual culpable for their actions if the environment they operate in grooms them for misconduct? Do accountability frameworks vilify 'bad actors' when the firm is in effect to blame for their actions, and are zero tolerance frameworks which hold individuals accountable for breaches resulting from failures of process or failures in control environment undermining fairness?

Deontology is an ethical theory that states an action is right or wrong in and of itself, irrespective of intent or consequence. Modern social values tend, in the main, not to be so black and white: duress, self-defence and lack of mental capacity are valid legal defences for certain criminal acts, and the law itself is (broadly) principled on the prevention of harmful behaviour. Aside from a handful of strict liability offences, mitigating circumstances can excuse, although not always fully vindicate, a person’s behaviour.

A wealth of psychological research on social systems and organisational abuses - not least the infamous Stanford Prison Experiment and expert testimony from its creator, Philip Zimbardo PhD, on the Abu Ghraib prison abuses - exists to demonstrate that a person’s actions cannot be judged in a vacuum. Their behaviours are influenced by the expectations, pressures and rewards put on them by their peers and leaders, as well as the training, processes and structures within which they operate. Notwithstanding that an individual always retains some agency for their actions no matter how toxic the culture they act within, these factors build a picture of defensible ‘reasonable behaviour’ that it would be unfair to judge as unfit or improper. Regulators typically appreciate this, but in practice firms may struggle to embed reasonable defences into their frameworks, for fear of being seen as too lenient, or too culpable. It is far easier to simply blame 'bad actors'. 

If a manager permissions, either tacitly or expressly, an employee's act, who is to blame: the manager or the employer? Should the manager have escalated the failure, and are they equally culpable if they fail to do so? If a person knows there is a hole in their fence and does not fix it, legally they can be held liable for harm caused as a result of trespass onto their property. What matters is who acted in good faith, and if the manager knew, or should have known, there was a hole that needed fixing. In reality, it is likely both will face some culpability for any harm done, but managers must face some recourse in this situation. If, however, failure to escalate becomes as punishable as the act itself, it may result in managers carefully avoiding situations where someone may wish to speak in confidence.

Similarly, holding an individual accountable for following broken processes, especially if that is what they have been trained to do, fails to appreciate where responsibility for the design of the process lies. If an individual diligently follows a checklist in order to approve a transaction, and the checklist misses a vital step that results in an operational loss, it is problematic to suggest they, rather than the design of the checklist, are at fault. Some processes simply do not have room for critical thought within them; they require the uniform execution of steps, often quickly and diligently. Individuals performing the operation are unlikely to be responsible for its design or review. 

Expecting individuals to be critical of the processes they act under requires ‘slow thinking’, and fundamentally a different skill set to operational execution. Further, continually questioning the framework one works under can have adverse performance effects. A person can of course do both, but often not at that same time: it is far harder to criticise instructions when one is under immense time pressure to follow them, and is rewarded for the efficiency of their execution. This is not to say ‘just following orders’ is a defence per se; following an instruction one knows to be bad or immoral can itself be an immoral act, even if performed under duress. It is however a major contributory factor when considering personal over environmental culpability.  

An accountability gap exists in large, complex processes where ownership for a control and responsibility for its design is unclear. The more handoffs - be these team, geography or skillset - there are in a process, the more challenging it is to ascertain accountability for decisions and outcomes. It is a problem to be mindful of when evaluating what to hold the individual worker responsible for. 

As automation reduces manual operational roles, the expectation of critical thinking within any role may well become essential in order for workers to have a value-add role. For now, penalising individuals for upholding a broken process is an is-ought fallacy; what workers should be capable of doing against what they are. 

The practical problem

As the scope of 'misconduct' broadens, so too does the reach of a disciplinary framework, and zero tolerance expectations. Individuals who risk punishment for committing any perceived infraction, regardless of materiality, intention or link to the workplace, may become hyper-vigilant, acting out of self-protection rather than in the interests of the firm, and may be at risk of an intellectual form of hazard avoidance bias, where their focus on the thing they are trying  to avoid doing inadvertently results in them doing it.

Far from being credible deterrents, zero tolerance frameworks without compassion or understanding for the complex factors that drive human behaviour will change that behaviour in unintended ways. If an individual will be damned regardless of the mitigating circumstances within which they acted, they will cease to place value in the framework they are held to. Accountability frameworks need to uphold fairness, else they risk creating the very misconduct they seek to prevent.

The harsher someone is penalised for mistakes or lapses in judgement, the less likely they are to admit to them - fundamentally undermining the culture of 'psychological safety' that firms and their regulators seek to promote. Individuals subjected to an overly stringent a code of conduct will adversely change their behaviour, for fear of making mistakes, and for fear of speaking up about their own actions. Suspicion and hyper-critical codes of conduct and their accordant disciplinary frameworks create hyper-vigilance, whereby individuals are on 'high alert' to threats to themselves. This can lead to emotional dis-regulation, mistrust and excessive energy spent on self-protection, rather than on delivering creative and collaborative work output.