Directors’ Duties: The UK Perspective

42.1 Introduction

Corporate governance has become increasingly important in the context of financial crime compliance and investigations. One reason for the development is that good corporate governance is a foundation for asserting substantive legal defences to allegations of misconduct. Legislative developments such as the introduction of the UK Bribery Act 2010 and the Criminal Finances Act 2017 mean that the board’s responsibilities for identification, mitigation and ongoing review of financial crime risk have a material impact on whether companies can defend allegations of criminal conduct by associated persons (those providing services to the company). The ‘adequate procedures’ and ‘reasonable prevention procedures’ defences contained in that legislation require companies to demonstrate ‘top-level commitment’ to managing financial crime risk and to show that they have understood and managed their financial crime risks proportionately by reference to the nature, scale and complexity of their operations. In the financial services sector, senior managers in firms subject to the Senior Managers and Certification Regime (SMCR) will have specific statements of responsibilities for which they can be held to account.

In 2014 the United Kingdom introduced deferred prosecution agreements (DPAs) as a new mechanism for resolving corporate criminal investigations where there is evidence of criminal conduct. DPAs have added to the focus on corporate governance. Factors that influence whether to offer a company a DPA resolution include whether the company has an effective compliance programme, the composition and conduct of the management team, and the extent to which corporate structures or processes have been changed to mitigate identified risks. A company’s prevention procedures are therefore relevant to corporate outcomes even where they fall short of the legislative standard required to establish a substantive defence. A company’s commitment to compliance will also be taken into account in calculating the level of fines or other penalties.

The issue of how companies manage themselves and identify and mitigate their risks has therefore become central in financial crime investigations. Indeed, an investigations process forms part of a company’s prevention procedures and companies should take care to ensure that investigations are sufficiently independent and appropriately robust. Where there are allegations of misconduct that may entail significant reputational or commercial risk, the board (or a board subcommittee) is likely to provide oversight of particular investi­gations, in addition to providing oversight of a company’s overall compliance obligations. Directors can also be compelled to give evidence as witnesses in government investigations to explain (among other issues) their company’s approach to compliance.^[2]

In significant investigations, and subject to managing conflicts of interest, the board is likely to be involved in making strategically important decisions such as whether to self-report suspected misconduct and how to resolve findings of misconduct in a major investigation.

It is therefore important that directors are aware of the multiple sources of their duties and obligations and how they are likely to apply both to the board’s oversight obligations regarding the management of financial crime risk and in individual investigation scenarios.

42.2 Sources of directors’ duties and responsibilities under UK law

The core duties owed by directors to their companies are set out in sections 171 to 178 of the Companies Act 2006 (CA 2006). Directors may also have additional duties depending on the company they serve. The commentary below identifies and explains the key sources of governance obligations for directors in the United Kingdom. As a result of the global financial crisis and high-profile examples of corporate collapse, the legislative and regulatory framework is increasingly focused on integrity, accountability and driving high standards of business conduct.

42.2.1 Companies Act 2006

42.2.1.1 The duty to act within powers (section 171 CA 2006)

Directors are not permitted to abuse their powers.^[3] They must act in accordance with the company’s constitution, which includes its articles of associations, resolutions, decisions and investment agreements. In addition, directors are only permitted to exercise their powers for the purposes for which they are conferred, called the ‘proper purpose test’. The question of whether a power has been exercised properly will turn on whether the ‘substantial’ or ‘dominant’ purpose for which it was exercised was the purpose for which it was conferred.^[4] Directors must not exercise their powers to protect their own positions. If power is exercised for a wrongful purpose, the use to which that power is put is voidable.

In the context of a financial crime investigation, it would be an improper use of power if a director sought to prevent, control or influence an investigation to protect his or her own position. A director in this position would also have a conflict of interest, which would engage the separate duty to avoid conflicts of interest. The conduct would also likely breach the duty to promote the success of the company. Investigators must always be alive to the risk of conflicts of interest within the investigation team and in the reporting line.

42.2.1.2 Duty to promote the success of the company (section 172 CA 2006)

The duty to promote the success of the company is relevant to almost everything a director does. The duty requires directors to act in good faith in a way they consider would be most likely to promote the success of the company for the benefit of its members as a whole.^[5] The courts will typically respect the decisions of the board provided that they reach the standard of a good-faith business judgment.

When discharging their duties to promote the success of the company, directors must have regard to a list of factors, including:

• the likely consequences of any decision in the long term;
• the interests of the company’s employees;
• the need to foster the company’s business relationships with suppliers, customers and others;
• the impact of the company’s operations on the community and the environment;
• the desirability of the company maintaining a reputation for high standards of business conduct; and
• the need to act fairly as between members of the company.

The list of factors is not exhaustive. Directors may balance the various factors and they must take into account any other factor that would be relevant to a particular decision.^[6]

The Association of General Counsel and Company Secretaries of the FTSE 100 (GC100) and the Chartered Governance Institute (ICSA) have published useful, practical guidance notes relevant to the interpretation and application of this duty.^[7] The GC100 Guidance on Directors’ Duties: Section 172 and Stakeholder Considerations (GC100 Guidance) states that: ‘The factors are designed to ensure that, in promoting the success of the company, broader implications of decisions are considered by the directors. You may find it helpful to see the duty as about creating a culture in the business, so that when you take decisions, their wider impact has been considered.’

The duty to promote the success of the company is intertwined with the duty to act with reasonable care, skill and diligence set out in section 174 of the CA 2006. The GC100 Guidance states that: ‘The section 172 duty must be fulfilled by a director in accordance with the duty of care, skill and diligence imposed by section 174.’

An interesting application of the duty to promote the success of the company to investigations is that where directors may be implicated in misconduct, they must disclose their own wrongdoing.^[8] A director who asserts the privilege against self-incrimination will therefore breach this duty.

In insolvency situations, the interests of creditors will take precedence over the interests of members. This can materially change how the board approaches an investigation. A company’s solvency position can change for reasons unrelated to the investigation but also for reasons central to the investigation, such as where there has been an internal fraud. If there are concerns about the company’s solvency, directors should proactively seek legal and financial advice as to their altered duties. The duties owed under sections 171 to 177 of the CA 2006 do continue even after the relevant company has entered into an insolvency procedure.^[9]

For periods beginning on or after 1 January 2019, most UK-incorporated companies are required to report on the company’s performance of the duty under section 172 of the CA 2006.^[10] The government believes that by imposing reporting obligations linked to this duty, directors will consider the wider stakeholder issues more carefully and that boardroom engagement will be improved. In 2018, the Financial Reporting Council (FRC) published its Revised Guidance on the Strategic Report to assist companies in their reporting. It is believed that the enhanced reporting obligations for non-financial information will result in more trust and transparency in business.

General oversight obligations and oversight of material investigations

The duty to promote the success of the company is central to the directors’ obligations to ensure that a company identifies and mitigates its financial crime risks.

The GC100 Guidance recommends that directors ensure that they receive the information they need to carry out their roles and satisfy the duty. In the context of the board’s oversight duties in relation to compliance, directors should satisfy themselves that both the quality and frequency of the management information they receive is adequate. Directors need to understand the company’s risk profile and risk assessment, and how the compliance programme responds to these risks. In addition, directors should expect to receive periodic reporting to satisfy themselves that the procedures adopted remain fit for purpose. There is no one-size-fits-all approach, and the detail and frequency of management information will depend on the size, complexity and risk profile of the organisation. Data about non-material issues and investigations will often be aggregated and shared annually. Where the board has oversight of a material investigation, they are likely to require more detailed information and regular information flows. The company should consider the issue of legal privilege in this regard.

Where boards are receiving legally privileged advice about investigations or material compliance issues, the way in which it is communicated to the board and documented in the minutes will need to be carefully managed. The GC100 Guidance on Directors’ Duties states that directors should not be ‘forced to evidence their thought processes’ as this would create unnecessary process and ‘inevitably expose directors to a greater and unacceptable risk of litigation’.

42.2.1.3 Duty to exercise independent judgment (section 173 CA 2006)

Directors must exercise independent judgment in the interests of their own company,^[11] regardless of whether they align with the interests of other group companies. The principle that underpins this duty is that directors must not subordinate their powers to the will of others unless they are authorised to do so under the constitution. Director nominees may therefore follow the instructions of their appointer if the company constitution so allows, provided that they are able to comply with their other legal obligations.

The duty does not prevent directors from seeking and relying on professional advice to form an opinion provided that the decision they reach is their independent judgment.^[12] Directors may also delegate their powers (although they remain responsible for their exercise) provided that such a delegation is authorised.

Directors may also be able to fetter their discretion in certain circumstances, provided that it promotes the success of the company to do so. For example, directors could bind the company to an exclusive commercial arrangement and agree to exercise their powers to ensure that the contract was carried out.

42.2.1.4 Duty to exercise reasonable care, skill and diligence (section 174 CA 2006)

Directors must exercise reasonable care, skill and diligence in how they discharge their duties.^[13] The standard is both objective (the care, skill and diligence that would reasonably be expected of a director acting with reasonable diligence) and subjective (the general knowledge, skill and experience that the particular director has). As a general rule, a non-executive director will not be expected to have the same level of knowledge of the internal workings of the business that an executive director would.

Directors must satisfy themselves that they have a proper understanding of the functions and duties of directors, the fundamental principles of company law, the company’s business, the risks faced by the company and the regulatory and compliance regime in which it operates.^[14] Directors should also, as a practical matter, ensure that they receive a proper induction and ongoing training to keep their knowledge, skills and experience up to date.

Directors may rely on the expertise of colleagues and advisers in discharging their functions. Indeed, a failure to seek expert advice may amount to a breach of the duty.^[15] The right (or duty) to seek advice does not absolve a director from the duty to supervise the discharge of delegated functions.^[16] It must be reasonable for directors to rely on the advice of colleagues or advisers.^[17] For example, directors must ensure that advisers have appropriate expertise and are instructed to address relevant issues; they should also ensure that advisers are free from conflicts of interest.^[18] The question of whether reliance is reasonable will depend on the circumstances.

Although there is no difference between the tests to be applied to executive and non-executive directors, the law recognises that because they fulfil different functions, they will reasonably be expected to exercise different levels of care, skill and diligence. The extent to which a non-executive director may reasonably rely on the executive directors would be fact-sensitive.^[19] Non-executive directors should expect to comply with high standards. They would also be expected to properly understand any activity that contributed significantly to a company’s commercial offering or revenues.^[20]

42.2.1.5 Duty to avoid conflicts of interest (section 175 CA 2006)

Companies are entitled to the benefit of impartial decision-making on the part of their directors. Directors therefore have a duty to avoid actual and potential conflicts between their personal interests and those of the company they serve even where they are acting in good faith.^[21] The duty is widely drawn. Section 175 of the CA 2006 states that: ‘A director of a company must avoid a situation in which he has, or can have, a direct or indirect interest that conflicts, or possibly may conflict, with the interests of the company.’ The reference to indirect interests requires directors to take account of whether persons connected with them^[22] might have a conflict of interest.

The application of the duty is acute where it involves the exploitation of a company’s property, information or opportunity, and it is immaterial whether the company could itself have taken advantage of the opportunity or whether it suffered any loss. The test is an objective one and directors must therefore analyse whether a reasonable person would think that the relevant facts and circumstances gave rise to a real and sensible possibility of conflict. If the situation cannot reasonably be regarded as giving rise to a conflict of interest, the duty will not be breached.^[23]

The duty will not be infringed where the conflict has been authorised in advance by the directors where there is a power to do so in the company’s constitution.^[24] The authorisation will only be effective if the relevant meeting is quorate without counting any interested directors and the authorisation was given without counting their votes. Effective authorisation will require directors to give full disclosure of the scope and nature of the conflict. In 2008, the GC100 published guidance on Directors’ Conflicts of Interest, which includes guidance on authorisation.^[25] Directors will not infringe their duties if they act in accordance with provisions in the company’s articles for dealing with conflicts of interest.^[26]

It may be possible for shareholders to authorise a conflict of interest in advance or subsequently ratify a breach of duty. There are limits on the type of conduct that can be authorised or ratified, and the process that applies will need to be checked taking into account the company’s constitution.

42.2.1.6 Duty not to accept benefits from third parties (section 176 CA 2006)

Directors must not exploit their positions for personal benefit (financial or non-financial). The duty provides directors must not accept a benefit from a third party conferred by reason of them being a director or their doing (or not doing) anything as a director.^[27] The duty will not be infringed if the acceptance of the benefit cannot reasonably be regarded as likely to give rise to a conflict of interest. The duty is very strict and directors need to take account of these obligations when accepting corporate hospitality or gifts. Although in a bribery investigation the focus will be on whether benefits provided to directors or the company were criminal, it is important not to lose sight of this duty where the conduct concerns individual directors. A company may recover the value of any benefits unlawfully received by a director through civil proceedings, and not just criminal action.

42.2.1.7 Duty to declare an interest in a proposed transaction or arrangement (section 177 CA 2006)

Section 177 CA 2006 requires a director to disclose to the other directors the nature and extent of any interest that the director has in relation to a proposed transaction or arrangement with the company. There is no requirement for authorisation. The term ‘arrangement’ is wider than the term ‘transaction’ and includes agreements or understandings having no contractual effect. The interest can be direct or indirect and therefore the interests of connected person must be considered.^[28] Directors must disclose the nature and extent of the interest before the company enters into the transaction or arrangement.

Directors do not have to make a declaration where they are unaware of having an interest or are not aware of the transaction or arrangement in question. However, they will be assumed to have knowledge of matters of which they ought reasonably to be aware. Directors will therefore need to undertake a certain amount of due diligence regarding their potential interests to avoid breaching the duty.

If the interest cannot reasonably be regarded as likely to give rise to a conflict of interest, it need not be declared. Further, if the other directors are already aware, or ought reasonably to be aware, of the conflict of interest, it does not have to be declared. Finally, interests relating to a director’s service contract need not be declared if they have been considered by a meeting of the directors or a committee appointed for the purpose.

The company’s articles may contain provisions for dealing with conflicts of interest compliance that are designed to prevent a breach of the general duty.^[29] Section 182 of the CA 2006 deals separately with declarations of interest in existing transactions or arrangements not already declared under section 177.^[30]

42.2.1.8 Other statutory, common law and equitable duties

The statutory duties are not exhaustive. Directors of all UK companies also owe a duty of confidentiality to the company and have duties to act fairly as between different members and consider the interests of creditors in appropriate circumstances. Directors also have numerous reporting obligations. Other obligations will depend on the nature of the company.

42.2.2 UK Corporate Governance Code

Companies with premium listings in the United Kingdom are required (for accounting periods beginning on or after 1 January 2019) to state in their annual report and accounts whether they have complied with the UK Corporate Governance Code (2018)^[31] and if not, explain the reason. The ‘comply or explain’ approach is designed to promote transparency about how companies have complied with the high standards of governance set out in the Corporate Governance Code and to promote trust.

The Corporate Governance Code (2018) is the latest iteration of a code that was first published in 1992. The revised code has been developed to respond to a modern business environment in which a key role of the directors is to build relationships with a wider group of stakeholders. The principles set out in the code have been updated to emphasise the link between strong corporate governance and long-term success.

The Corporate Governance Code is designed around five pillars:

• board leadership and company purpose;
• division of responsibilities;
• composition, succession and evaluation;
• audit, risk and internal control; and
• remuneration.

The Corporate Governance Code sets out a number of principles in relation to each of these items. Although they are all relevant to the identification and management of financial crime risk and the investigation of issues arising, the principles linked to board leadership and company purpose; division of responsibilities; and audit, risk and internal control are the most relevant.

Principles relating to board leadership and company purpose require directors to act with integrity. They must ensure that they establish a framework of prudent and effective controls to assess and manage risk in which the workforce should be able to raise any matters of concern.

The principles linked to the division of responsibilities highlight that the chair should facilitate board relations and the effective contribution of all the non-executive directors. The chair should also ensure that directors receive accurate, timely and clear information. The board must ensure through its composition that no one individual or group dominates the board and that there is a clear division of responsibility between the leadership of the board and the executive leadership of the business.

The principles further provide that non-executive directors must have sufficient time to meet their responsibilities and ‘should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account’.^[32] The company secretary should support the board to ensure that it has what it needs to function effectively and efficiently. This will include making time and proper information available to the board to discharge its oversight responsibilities.

The principles that underpin the section on audit, risk and internal control are of particular relevance in managing financial crime risk. They state:

M. The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.

N. The board should present a fair, balanced and understandable assessment of the company’s position and prospects.

O. The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

The audit committee plays a key role in how the company complies with these obligations. The Corporate Governance Code sets out the requirements for the audit committee, which is responsible for, among other items:

• reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself;

• monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board;

. . . . .

• reviewing and monitoring the external auditor’s independence and objectivity;

• reviewing the effectiveness of the external audit process, taking into consideration relevant UK professional and regulatory requirements ^[33]

The board retains overall responsibility for assessing and managing the company’s risks. Boards must carry out a robust assessment of the company’s emerging and principal risk, have in place procedures to identify its emerging risks and explain how these are being managed or mitigated. The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

Separately, the FRC has published Guidance on Audit Committees,^[34] Guidance on Audit Quality^[35] and Guidance on Risk Management, Internal Control and Related Financial and Business Reporting^[36] to assist companies in complying with these principles.

Appendix C of the Guidance on Risk Management, Internal Control and Related Financial and Business sets out the questions the board can ask itself in the context of its risk-related responsibilities, as the small sample of its risk-related questions set out below illustrates:

Risk appetite and culture

• How has the board assessed the company’s culture? In what way does the board satisfy itself that the company has a ‘speak-up’ culture and that it systematically learns from past mistakes?
• How has the board agreed the company’s risk appetite? With whom has it conferred?
• How do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control systems?
• How has the board considered whether senior management promotes and communicates the desired culture and demonstrates the necessary commitment to risk management and internal control?
• How is inappropriate behaviour dealt with? Does this present consequential risks?
• How does the board ensure that it has sufficient time to consider risk, and how is that integrated with discussion on other matters for which the board is responsible?

. . . . .

Monitoring and Review

What are the processes by which senior management monitor the effective application of the systems of risk management and internal control?

• In what way do the monitoring and review processes take into account the company’s ability to re-evaluate the risks and adjust controls effectively in response to changes in its objectives, its business, and its external environment?
• How are processes or controls adjusted to reflect new or changing risks, or operational deficiencies? To what extent does the board engage in horizon scanning for emerging risks?
• Public reporting

  How has the board satisfied itself that the disclosures on risk management and internal control contribute to the annual report being fair, balanced and understandable, and provide shareholders with the information they need?

• How has the board satisfied itself that its reporting on going concern and the longer term viability statement gives a fair, balanced and understandable overview of the company’s position and prospects?

The UK Corporate Governance Code does not override or seek to interpret the general duty under section 172 of the CA 2006 to promote the success of the company. However, it is clear from the above that many of the suggestions for how to identify and manage risk will apply in both the context of the general section 172 duty and also the duty to exercise reasonable care, skill and diligence.

42.2.3 QCA Code for smaller listed companies

The QCA Corporate Governance Code^[37] is intended to provide small and mid-sized UK quoted companies with a corporate governance framework tailored to their needs and less prescriptive than the UK Corporate Governance Code. It consists of 10 corporate governance principles that companies should follow, along with step-by-step guidance on how to effectively apply them and the related disclosures companies should make.

The 10 principles are to:

• establish a strategy and business model which promote long-term value for shareholders;
• seek to understand and meet shareholder needs and expectations;
• take into account wider stakeholder and social responsibilities and their implications for long-term success;
• embed effective risk management, considering both opportunities and threats, throughout the organisation;
• maintain the board as a well-functioning, balanced team led by the chair;
• ensure that between them the directors have the necessary up-to-date experience, skills and capabilities;
• evaluate board performance based on clear and relevant objectives, seeking continuous improvement;
• promote a corporate culture that is based on ethical values and behaviours;
• maintain governance structures and processes that are fit for purpose and support good decision-making by the board; and
• communicate how the company is governed and is performing by maintaining a dialogue with shareholders and other relevant stakeholders.

Since September 2018, companies listed on the Alternative Investment Market^[38] have been required to adopt and identify a recognised corporate governance code. Companies are also required to set out how they comply with that code or explain their reasons for non-compliance.^[39]

42.2.4 Wates Corporate Governance Principles for Large Private Companies

In recent years, the government has extended its focus on corporate governance to large private companies. This is in recognition that private companies are both a substantial and an expanding part of the economy. Under the leadership of the Wates Committee, the FRC and others have developed the Wates Corporate Governance Principles for Large Private Companies.^[40] The guidance sets out six principles that such companies should consider within the context of the company’s specific circumstances and then explain how they have addressed them in their governance practices. The guidance exists to assist companies but does not have the same status as the UK Corporate Governance Code, which requires companies to comply or explain why they have not done so.

The two principles most relevant to financial crime investigations are Principles 3 (Director responsibilities) and 4 (Opportunity and risk). Principle 3 requires the board and individual directors to have a clear understanding of their accountability and responsibilities. Principle 3 states that the board’s policies and procedures should support effective decision-making and independent challenge. The responsibility of reviewing the governance processes to confirm that they remain fit for purpose and considering any initiatives that could strengthen the governance of the company reside with the chairman and company secretary. The guidance also emphasises the importance of the integrity of information and that the board papers and supporting information should inform the director what is expected of them on each issue.

Principle 4 states that the board is responsible for a company’s overall approach to strategic decision-making and both financial and non-financial risk management, including reputational risk. The board must have oversight of risk and how it is managed, and provide appropriate accountability to stakeholders: ‘The size and nature of the business will determine the internal control systems put in place to manage and mitigate both emerging and principal risks. Some companies may decide to delegate to a committee to oversee such matters.’

The guidance further elaborates on the responsibilities of the board as follows:

• The board should establish an internal control framework with clearly defined roles and responsibilities for those involved. It should agree an approach to reporting, including frequency of reporting and the points at which decisions are made and escalated. Responsibilities may include:
• developing appropriate risk management systems that identify emerging and established risks facing the company and its stakeholders. Such systems should enable the board to make informed and robust decisions, including those associated with material environmental, social and governance matters, such as climate change, workforce relationships, supply chains, and ethical considerations;
• determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its ‘risk appetite’);
• agreeing how the principal risks should be managed or mitigated and over what timeframe to reduce the likelihood of their incidence or the magnitude of their impact;
• establishing clear internal and external communication channels on the identification of risk factors, both internally and externally; and
• agreeing a monitoring and review process.

42.2.5 FRC Guidance on Board Effectiveness

In July 2018, the FRC published its revised non-mandatory and non-prescriptive Guidance on Board Effectiveness^[41] to assist boards to understand and consider good practice in the context of their corporate governance obligations. The Guidance on Board Effectiveness adopts the same structure as the Corporate Governance Code. However, there is not space in this chapter to summarise the good practices identified, other than to note that it places a strong emphasis on tone from the top and the continual monitoring of culture. Two important sources of cultural data identified are (1) whistleblowing, grievance and ‘speak-up’ data and (2) attitudes to regulators, internal audit and employees. The Guidance on Board Effectiveness also suggests taking an integrated approach, noting that resources, internal audit, risk and compliance all have a role to play. Providing examples of questions the board can pose itself on different issues, the Guidance on Board Effectiveness is a rich source of information for those assisting a company with remediation or cultural transformation in the context of an investigation (or outside the investigative process).

42.2.6Reporting on section 172 compliance and corporate governance generally

The CA 2006 requires that all companies, other than those entitled to the small companies’ exemption, prepare a stand-alone strategic report. The FRC has recently clarified that the requirement to produce a strategic report includes companies that are categorised as ‘medium-sized’ under section 465 CA 2006 but are excluded from being treated as such because they are ineligible under section 467 CA 2006.^[42] The statutory purpose of the strategic report is to ‘inform the members of the company and help them assess how directors have performed their duty’ under section 172 (duty to promote the success of the company for the benefit of members as a whole) and in doing so to have regard to the non-exhaustive range of stakeholder interests and other considerations set out in that section. The strategic report must include an explanation of the principal risks and uncertainties faced by the business and disclose information about a number of issues, including material anti-corruption and anti-bribery issues.

Since 2007, when it first came into force, section 172 has, therefore, enshrined the importance of the consideration of wider interested groups in the creation of a successful business for the benefit of shareholders. However, in light of a number of high-profile examples of poor corporate governance – where there was little evidence that appropriate regard had been had to the needs of a broader range of stakeholders (including employees, suppliers and pension beneficiaries) – the government brought forward The Companies (Miscellaneous Reporting) Regulations 2018 (Reporting Regulations) to fulfil its commitment to strengthen stakeholder voices in boardroom decision-making.

The Reporting Regulations aim to drive greater transparency by requiring companies who must prepare a strategic report (other than those that qualify as medium-sized) to ensure that their strategic reports for each year beginning on or after 1 January 2019 include a statement describing how directors have had regard to the matters set out in section 172(1)(a)–(f) of the CA 2006 when performing their duties under that section. All qualifying companies, including subsidiaries, must report and publish their section 172(1) statements on their websites, whether separately or as part of their annual report. The FRC has revised its Guidance on the Strategic Report accordingly.

The Reporting Regulations also amend the content requirements of the directors’ report to require certain companies (meeting different qualifying criteria) to include a basic level of information on their stakeholder engagement. This includes disclosing how the board has had regard to the interests of its UK employees and to the need to foster the company’s business relationships with suppliers, customers and others and, in both cases, explaining the effect, including on the principal decisions taken by the company during the financial year.

While there is a degree of overlap between the section 172(1) statements and the revised content requirements for the directors’ report, the government’s guidance^[43] clarifies that the latter requirements are designed to ensure that company reporting includes information about the ‘important aspects of the section 172(1) duty even where directors do not judge the information to be of sufficient strategic importance to be included in the strategic report that year’. Where the board considers its stakeholder engagement information is of strategic importance, it may choose to include that information in its strategic report and not its directors’ report, with appropriate cross-referencing in the directors’ report.

The Reporting Regulations also impose further enhanced reporting obligations as regards governance arrangements on very large UK-incorporated companies, including subsidiaries, with either more than 2,000 employees globally, or an annual turnover over of £200 million globally and a balance sheet total over £2 billion globally. Premium and standard listed companies which are already required to report on their corporate governance arrangements under the Financial Conduct Authority’s (FCA) Disclosure Guidance and Transparency Rules (DTR) 7.2 are not within scope.^[44] Premium listed companies are required to apply, and comply or explain their non-compliance with, the provisions of the UK Corporate Governance Code under the FCA’s Listing Rules.^[45]

Companies in scope must include a statement as part of their directors’ report stating which corporate governance code, if any, has been applied and how. If the company has departed from the code, it must set out the respects in which it has done so, and the reasons. If the company has not applied any corporate governance code, the statement must explain why and what arrangements for corporate governance were applied. Statements must also be published on a website maintained by or on behalf of the company.

Adherence to the UK Corporate Governance Code remains under scrutiny. In the FRC’s annual review in January 2020, it discussed trends of reporting by firms, noting that full or almost full compliance with the Code was posted by the vast majority of firms. The review also discussed future expectations for reporting against the UK Corporate Governance Code, such as encouraging firms to undertake more detailed section 172 CA 2006 reporting, rather than aiming simply to achieve strict compliance.^[46]

42.2.7 Senior managers regime

The PRA’s and FCA’s new regime for supervising and approving the conduct of individuals in regulated firms, the SMCR replaces and extends the previous oversight rules for individuals, the Approved Persons Regime. This is a response to the perceived ‘firewall of accountability’ protecting senior management from regulatory enforcement. The SMCR is intended to clarify and enhance the division of responsibilities in firms, improve the conduct of all staff and to make disciplinary action against individuals easier for the PRA and FCA (the regulators).^[47]

The SMCR regulates individuals in three segments, divided roughly according to seniority:

• Senior managers are the most senior individuals responsible for managing aspects of a firm’s affairs which risk serious consequences for the firm or business in the United Kingdom.^[48]
• Certification regulates other individuals in firms who the FCA considers conduct types of roles that carry a risk of significant harm to consumers or the market.^[49]
• The conduct rules govern the behaviour of all other employees within firms whose roles relate to regulated or unregulated financial services activity.

There is no territorial limit, so the SMCR can capture individuals based overseas, and is not limited to employees.

Banks, insurers and the largest FCA regulated firms must also submit to the regulators a very detailed ‘responsibilities map’ of senior individuals, oversight, governance and reporting lines, and a statement of responsibilities for each senior management function manager (SMF manager) setting out what matters that individual is responsible for. The documents must explain to whom certain standard ‘prescribed responsibilities’ designated by the regulators have been allocated. These documents must be kept up to date.

Only SMF managers are now approved as fit and proper by the regulators: in contrast to the previous approved persons regime, certified persons (who will in many cases include individuals previously approved by the FCA) will now only be certified as fit and proper by their employer firms, not the regulators. Firms must test and confirm the fitness and propriety of SMF managers and certified staff annually. This is likely to lead to more employment claims from staff who lose their certification.

The regulators can take disciplinary action against individuals in any of these three categories for breach of the conduct rules or for being ‘knowingly concerned’ in the firm’s breach of the regulators’ rules. In addition to the previous ‘knowing concern’ test, there is a new statutory test^[50] for taking action against a senior manager where (1) the firm breaches a regulatory rule or requirement, (2) the senior manager was at the time responsible for the activities of the firm where the breach occurred, and (3) the senior manager failed to take reasonable steps to prevent or stop the breach occurring. The test imposes a ‘duty of responsibility’ on senior managers, which has made the record-keeping of decisions and execution of duties more important.

Complementary rules on handover arrangements where senior managers depart, notifications of breaches to the regulators, and requirements for detailed regulatory references when certified or senior management staff leave a firm are designed to enhance the effectiveness of the Regime.

The SMCR came into force in full for banks in 2018 and insurers in 2019. For all other FCA regulated firms, the senior manager provisions of the SMCR rules came into force on 9 December 2019, and firms were also required by this date to have identified their certification staff. The obligation to certify staff and the application of the individual conduct rules were originally intended to come into force on 9 December 2020. In response to the covid-19 pandemic, the FCA has now delayed the deadline for firms to have undertaken the first certification process and the date that the Individual Conduct Rules will come into force (and the date therefore that employees must conduct relevant training and breach notification requirements to be in place) until 31 March 2021.

In addition, to reflect the absence of certified persons from the FCA register under the new regime, the FCA has created a new public directory of certified individuals. The deadline for reporting individuals to be included in the directory has also been extended to 31 March 2021 to reflect the extension of time for certifying them.^[51] However, the FCA has stressed that if firms can comply with the original deadline of 9 December 2020, they should.

Consequences of breach

The potential consequences for staff subject to the conduct rules who are found by the relevant regulator to have engaged in misconduct or market abuse include a private warning, public censure, unlimited financial penalty, and in the case of SMF managers a restriction, suspension or prohibition from being an approved person. While some forms of directors’ and officers’ insurance cover the costs of representing an individual in an investigation, the FCA has drafted rules to ensure a financial penalty is paid by the person on whom it is imposed. GEN 6.1.4A prohibits a regulated firm from paying any financial penalty imposed on an employee, director or partner of the firm or of an affiliated company. GEN 6.1.5 is widely drafted to prohibit insurance arrangements designed to indemnify any person against all or part of a financial penalty.

42.3 Conclusion

There are many and varied sources of corporate governance obligations and related duties on boards and companies. Although the standards expected of the board as a collective and directors individually will vary depending on the company (listed, regulated, subject to the SMCR, large, complex and so on) and the issues involved, there is considerable convergence in relation to the types of behaviour that are regarded as constituting good practice for identifying and managing risk (including financial crime risk). Directors must ensure that they understand their duties and obligations and their application to their compliance oversight obligations.

Footnotes