Bristol Centre for Economics and Finance hosted an online event on 28th May 2020: Rules vs. Principles-based Regulation: What can we learn from different professions? Below is a summary and recording of each session.
Session 1: Data regulation
Lizzie Green at UWE introduced the principles-based approach to data governance. She noted that protecting data is easy: just hide it in a big metal box. More difficult is protecting it while simultaneously extracting value from it. A rules-based approach offers clarity and consistency, but it can run into problems: humans are good at finding interpreting ambiguity for their own benefit, sometimes just for the pleasure of getting round a restriction. A principles-based approach gets round this, but it introduces uncertainty which can be hard to manage. One way to do this is to map principles to accreditation procedures, using frameworks such as the Five Safes.
Felix Ritchie, also of UWE, described experiences of regulation in the UK and Australia. In the UK, this has been an evolutionary model, from a ‘default-closed’ perspective at the start of the century in a context set by a law from 1948, through two pieces of legislation and a shift in attitudes towards a default-open model. In contrast, the Australian federal government took a conscious decision to bring in the default-open principles-based models that had evolved slowly elsewhere. As public perceptions and discussion of data governance in these countries differ substantially, the contrast between the Australian and UK approach will be informative to a great many countries.
Martin Hickley, Director of Martin Hickley Data Solutions, discussed private sector models of regulation. Focused on the Data Protection Impact Assessment carried out for the Covid-19 tracking app being trialled on the Isle of Wight. He argued that the DPIA is significantly flawed, and appears to have been completed as a check-box exercise rather than understanding the risk-based context. This is one of the problems of rules-based regulation. In contrast the principles-based approach calls for transparency, active scrutiny and debate – which are hard but necessary for robust solutions.
Finally, Luk Arbuckle, Chief Methodologist of Privacy Analytics, discussed US health data regulation. He demonstrated that the HIPAA guidance includes both rules-based and principles-based regulation. The safe harbour regulations are rules based: comprehensive and easy to follow, but, most importantly, with a catch-all of “actual knowledge”. This brings in flexibility, but can lead to uncertainty; but overall, it means that the safe harbour rules are easily applied. In contrast, the ‘expert determination’ of the level of protection in the data is explicitly principles-based, relying on trained experts to make informed judgements based on “generally accepted statistical and scientific principles”. In contrasting the two models, he noted that the safe harbour model demonstrates one of the problems of rules-based regulation – that it is more likely to become out of date as it reflects the context in which it was written.
The ensuing discussion initially focused on the expertise needed in a principles-based environment: how for example do you enforce the principle “drive safely” without training people to understand what this means? More deeply, do we over-estimate the value of principles-based models because we are all ‘experts’ in this field in some way? Finally, how do we make sure that we have enough experts to do principles-based? Rules are very efficient in making sure a lot of people carry out a lot of activity adequately, and perhaps expertise isn’t needed all the time. Moreover, evidence suggests that a basic level of ‘expert knowledge’ can be instilled quite easily, in many different environments.
A number of participants also suggested that the implementation matters. Some organisations claimed to be principles-based and but are actually rules-based, and there is always an incentive to turn compliance into a tick-box exercise. Perhaps there is a need to accept that encouraging positive behaviour via checkboxes might be a less-worst option than over-estimating people’s willingness to become experts. Understanding the threat environment is key, because all options are a subjective balance of risks. A mix of rules implementing overarching principles may be the preferred outcome. Conceptual frameworks have an important role to play in developing the context.
Finally, the discussion considered whether there is a difference between the public and private sector. There do seem to be different incentives (what is important) as well as different disincentives (what punishments are being avoided), and perhaps also a different way of assessing costs and benefits. However, there wasn’t a consensus as to whether this limits the options for public-private co-operative projects.
Overall, the session concluded that while the principles-based models has many advantages (principally, flexibility in context and application, and efficiency), it does pre-suppose an ability to get agreement on /train individuals in those principles. Moreover, a badly-designed principles-based system doesn’t avoid box-ticking, especially for untrained users. In practice, an element of rules within an overall principles-based approach can offer efficiency gains, whilst not sacrificing the gains from a recognition of principles. Ultimately this is a balance-of-risks decision, and so understanding the risk environment (including human behaviour) is central to a well-designed system.
Session 2: Regulation in UK financial markets and accounting
Paul Keenan, of Keenan Regulatory Consulting and visiting Professor at UWE, introduced the two-pronged approach in UK financial markets. Following on from an initial simple principle (‘My word is my bond’) an extensive rulebook has been developed, leading to the current system of higher-level principles backed up by rules. In practice, he explained, when the regulator takes actions against market participants, they look at rule breaches and whether the interpretation of the rule led to a breach of a principle. Essentially, the regulator considers the firm’s understanding and interpretation of the rules to be in breach of the principles. So even if the rules have been broken the action taken, i.e. the fine imposed, is based on the principles.
Bryan Foss, Digital Non-Executive Director, Risk & Audit Chair, and also visiting Professor at UWE, reflected on the need for, and implementation of, regulation. He argued that regulators should work with stakeholders to develop effective regulation, and that flexibility to change with circumstances over time is a key point for adequate regulation. Principles are therefore generally better suited by allowing scope for differences, innovation, easier revision or withdrawal. Fundamentally, however, both approaches require transparency, accountability, and stakeholder oversight to make them work. He also noted that there tends to be a lot of social pressure at the moment to increase the rules, and the UK regulator looking to bring in aspects of US rules-based elements, despite practitioners recognising the advantages of principles.
Florian Meier of UWE discussed the self-regulation and enforcement approach used by UK professional accounting bodies. Members are subject to both professional regulations and principles-based codes of ethics, with the key component being the ethical principles. Self-regulation, however, raises a number of challenges which do cast some doubt on the effectiveness of enforcement. Ismail Adelopo, also of UWE, highlighted how corporate governance exhibits a clear split along a geographical line: The UK uses principles and the US uses rules, each having evolved from their historical contexts over time to each address specific situations and needs. The UK approach relies heavily on investors’ active involvement as a key factor in ensuring compliance and enforcement, but this leads to challenges such as: What if investors don’t play along and simply sell non-compliant firms instead of engaging with them? Who enforces compliance if everybody sells, or the market simply doesn’t care?
The discussion focused largely on questions surrounding enforcement and effectiveness of approaches. Starting with the area of financial market regulations, the initial debate around appropriateness of fines quickly turned to looking at the broader aspect of penalties: As firms seem to increasingly consider fines as cost of doing business, maybe the focus then should be much more on the personal accountability of individuals? In this context the measure of imposing a ‘stop trading’ order on an individual or firm was brought up. Those can be more important than a simple fine since they may even lead to the closing of a firm or ending a career. Given those potentially severe consequences, robust processes to defend yourself or the firm against the regulator (if the regulator is wrong) are therefore seen as essential.
Another interesting point brought up was that the market regulator’s approach seems to have shifted over the years from being rather heavy-handed and punitive in the past to a much more constructive approach: They are increasingly working with firms and affected individuals to help them improve and change to become better.
In the area of corporate governance, the discussion touched upon shortcomings of the current UK approach and brought up ideas for improvement. For instance, it questioned the reliance of UK enforcement on investors and pointed to significant shortcomings. For one, the fact that it is essentially being left to the major shareholders to hold the firms to account or take them to the courts was raised as a concern. Unless in line with the majority, the minority shareholders’ interests get disregarded. They lack the resources to fight for their interests, so what recourse do they have other than either accepting this or selling the shares?
Another concern of growing future significance was raised about pension funds and them increasingly making big investments in private firms. The corporate governance code does not apply to unlisted firms, and as such firms are not easy to divest from, pension funds are therefore probably even more dependent on good corporate governance. The question then becomes: How effective can those investors’ interests be protected, which are ultimately future pensioners? Further, the issue of what constitutes an appropriate penalty was raised and whether the UK has reached an appropriate balance. Especially as firms are often repeat offenders, doubts were expressed whether this can be solved without having a major overhaul to implement a robust regime. On that note, a suggestion was made to maybe learn from other countries, e.g. Australia, where the regulator has powers in regards to corporate governance and can intervene (unlike the UK).
Session 3: Legal perspective and non-financial regulation
Nicholas Ryder of UWE introduced the area of terrorism financing and the successful UK approach to combat it. He first described the current Anti Money Laundering (AML) regulations as fundamentally flawed to deal with terrorism financing, as the legal framework and international banks’ practice (‘soft law recommendations’) target the proceeds of crime, whereas terrorism financing is ‘reverse money laundering’ where no profits are made. By contrast, the more recent UK Joint Money Laundering Intelligence Task Force, a public/private partnership (PPP) with the financial sector, has been quite successful in detecting illegal fund flows and identifying funding patterns. Having been recognised as one of the best international examples of public and private cooperation, other countries have now adopted a similar model. Nicholas suggested that a PPP as opposed to a legal principles-based approach this task force could possibly be the way forward.
Jaya Chakrabarti, CEO of Semantrica (tiscreport), introduced the TISC report (Transparency In Supply Chains) as a repository for measuring compliance with the UK Modern Slavery Act, along with numerous other financial risk and compliance datasets. She pointed out that, despite the level of compliance required being very low, a lot of companies still don’t provide a statement, and only a fraction of all organisations meet all of the minimum compliance criteria. The frequently observed low quality of data provided by firms poses a challenge to effective reporting. It makes acting on it difficult and thereby enables continued corporate misbehaviour. Further, enforcement seems to be largely non-existent despite potentially severe consequences for non-compliance, thus giving firms no ‘incentive’ to comply. As a way forward, while proper enforcement would be a key pillar for better effectiveness, she also presented some suggestions for modifying corporate behaviour that do not require government regulations and enforcement.
The discussion mainly centred around enforcement and detection of illegal behaviour. The initial debate on the potential future role of Blockchain applications to certify and trace supply chains to aid transparency quickly turned to the key importance of getting the public sector and the key stakeholders on board to actively pursue enforcement. The public sector was lauded for already actively tracking their suppliers and ensuring compliance, with in particular local governments being very active and frequently working with their suppliers to increase levels of compliance. It was argued that a stumbling block to better enforcement was public bodies’ frequent inaction, even if they have the data, because they don’t know how to deal with it in their enforcement. Further, a general lack of enforcement and disinterest shown by the major stakeholders in various areas of regulation was flagged as a key problem. Using insurers as leverage to enforce better compliance was floated as an idea: that is, refusing professional indemnity insurance for cases of illegal company illegal behaviour, although doubts were also expressed about insurers’ willingness to get involved.
The discussion then moved on to financial crime and the detection of illegal behaviour. First, the big problem of increasing so-called ‘micro-terrorism’ relying on very simple methods and small amounts which makes identifying individuals and prevent small attacks almost impossible, was pointed out. Regardless of approach (rules or principles), the view was that you can never stop all money laundering or financial crime, comparing it to ‘plugging a hole in a dam with plasticine’. The ‘risk-based approach’, as embodied in international laws and international best practice, to try to identify which businesses are more susceptible to fraud or money laundering, was seen as the best option. On fraud detection, the inability of the current self-reporting nature of verifying compliance with both the slavery act and the bribery act was flagged as a major weakness, with ample evidence from banking regulation showing the approach is not working. Examples from financial services were suggested to introduce accountability as a potential solution to the problem: In some roles, such as money laundering officers, individuals are accountable for self-reporting, so they take it very seriously. Hence non-reporting by the firm puts heavy pressure on that person, which may turn them into ‘whistle-blowers’.