Two Regulators, Two Approaches
Written by Ben Mason, Founder, My Compliance Centre
Most people reading this will be aware of the critical work carried out by the FCA and ICO. My Compliance Centre Founder, Ben Mason, explains the significant differences in their approach and explains why those differences exist.
Regulators like to set out their vision of the future and most people reading this article will experience the FCA’s approach daily and already have a good idea of where they are heading.
Most of us are also aware of the need for world class regulation of the use of personal data: we have watched “The Capture”, we see CCTV cameras everywhere, we click “Accept All” 20 times a day when we visit new websites, and so on.
This is regulated by the Information Commissioners Office (ICO).
It’s interesting to compare the approaches of the FCA and the ICO. They are equally important, but do they plan to do the job in the same way?
The FCA’s future approach has been described in detail by Nikhil Rathi, the CEO, over many speeches. And, the ICO’s approach was described in 2022 by New Zealander John Edwards, the Information Commissioner, in his “ICO25” plan. In some areas the difference between the regulators could not be starker.
Let’s take a look.
Is there a difference in primary objectives?
The differences start with both organisations’ primary objectives.
The FCA’s primary objectives are to empower and protect consumers and support the integrity of financial markets.
The ICO is also ALL about empowerment. However, in a very different way. The ICO seeks to empower all parties, including those it regulates.
This is a different approach and sets the scene for what is to come.
How do the FCA and ICO approach those they Regulate?
The ICO wants to empower those it regulates through some incredibly positive policies:
- Creating central training for all.
- Creating a database of all the advice they provide to organisations and the public.
- Investment in a series of services, tools and initiatives to enable organisations to benefit from the ICO’s advice and the experience of others.
- Publishing their internal data protection and freedom of information training materials.
- Providing certainty to those they regulate – citing tax regulators as an example to follow.
The FCA by contrast has ‘negative KPIs’. These include reducing the number of firms that are regulated (essentially it is targeting itself with putting regulated firms out of business) and increasing the number of applications it prevents from getting authorised. These measures have been taken in response to political pressure applied when things go wrong.
The differences between the two regulators appear very strong - one regulator wanting to empower those it regulates and another judging its success by the wounds it inflicts on the regulated population.
The Cost of Compliance
The Regulators Code requires all regulators to reduce the cost of compliance to the regulated. This applies to both the FCA and ICO.
However, this is not enforced (to the best of my knowledge) and I simply don’t believe it is a concern for the FCA, given all the other pressures it is under. I have asked many current and ex-regulators about this point, and they look at me a bit non-plussed, as if it is not a thing. But it is a thing – they just ignore it.
By contrast, the Information Commissioner has challenged his team to save the firms it regulates £100m in compliance costs.
That is admirable, and a very different approach to the FCA.
Giving Certainty to the Regulated
The ICO’s policy is to provide clear advice to those it regulates so they have certainty and can execute their business plans with confidence.
The FCA, by contrast, cannot aspire to such principles. Essentially, many firms applying for their initial authorisation must gamble huge amounts of time and money with no guarantee that they will get authorised. The challenge of long processing times for new applications and the potential for the FCA to change their risk appetite mid-application are well-known issues within the compliance advisory community.
Why is it so different?
A summary of the analysis above is simply that the ICO is more open and supportive than the FCA. However, I would not want anyone reading this to think that I am simply making casual criticisms of the FCA. This happens too often and criticisms of the FCA are often uninformed.
It is true that the FCA has a more negative outlook, but it is also true that there are very strong reasons for this. The FCA is continually caught between a rock and a hard place, trying to balance the different pressures on it from politicians, public enquiries, and firms’ misconduct. Everything that goes wrong is blamed on the FCA. It’s only way out is to tighten regulation, be more intrusive in its approach and look to take action which acts as a deterrent to the ‘bad guys’.
The ICO, by comparison, has recently reduced its use of fines in favour of different approaches to enforcement, without suffering overbearing criticism. It is under pressure, but a different level of pressure. As a result, it is able to present a far more positive and open approach, to support those it regulates, rather than looking to impose itself on them.
Either way, and while there may well be good reasons for it, the FCA and the ICO are treading two very different paths.