Ashurst Governance & Compliance Update – Issue 53
03 June 2024
In our most recent update on the Economic Crime and Corporate Transparency Act 2023 (ECCTA), we reported on those provisions that were in force, as well as the key measures yet to be brought into force – see AGC Update Issue 50, Item 2. What follows is a further update on developments.
We covered the issue of identity verification for company directors and others in sections 4 and 5 of our November 2023 briefing: New economic crime and corporate transparency law: Key implications for UK businesses. By way of reminder, ECCTA specifies two routes for identity verification. An individual can verify their identity directly with Companies House. Alternatively, an authorised corporate service provider (ACSP) can provide a verification statement about the individual to Companies House. An ACSP must be registered with a supervisory body for anti-money laundering purposes and can, for example, include company formation agents, accountants or legal advisers.
Timing: The Department for Business & Trade has recently published a progress report on the implementation and operation of the first three parts of ECCTA (DBT Report). This anticipates ACSPs being able to register with Companies House by the winter of 2024/25 and identity verification commencing sometime in the first half of 2025.
Legislation: On 23 May 2024 the government published the draft Registrar (Identity Verification and Authorised Corporate Service Providers) Regulations 2024, together with an explanatory memorandum, which make provisions under the Companies Act 2006 for identity verification, ACSPs and unique identifiers.
The identity verification provisions specify the procedure for verifying an individual's identity and give the Registrar the power to impose additional requirements through Registrar's rules (see below). ACSPs are also obliged to keep records when verifying an individual's identity; a failure to do so would constitute an offence.
The ACSP provisions address record keeping by ACSPs and the notification of information to Companies House on the basis that the Registrar will monitor and evaluate the suitability of ACSPs to continue providing their identity verification services on an ongoing basis. Again, failure to comply with these duties by an ACSP is an offence.
The Regulations also set out procedures for the allocation and discontinuation of unique identifiers for verified individuals and ACSPs.
Registrar's rules: Companies House has issued draft rules specifying the contact information (including a current residential address and a valid email address), other personal information and the evidence which will be required when an individual applies for identity verification. The evidence required depends on whether the identity of the applicant is being verified directly by Companies House or indirectly by an ACSP and is specified in the schedules to the draft rules.
The draft rules also specify that an applicant must undertake a number of additional steps before their identity is verified. These will be set out in a subsequent version of the draft rules. The draft regulations and draft Companies House rules are expected to be finalised later this year.
ECCTA amends the Companies Act 2006 to permit Companies House to disclose information to certain public authorities to assist them with the discharge of their public functions.
Taking those powers further, the government has published the draft Information Sharing (Disclosure by the Registrar) Regulations 2024, which will allow Companies House to share information with insolvency practitioners and other office holders engaged in insolvency proceedings (for example, so as to maximise returns to creditors). The draft regulations are expected to be finalised later in 2024.
The government has published the draft Companies and Limited Liability Partnerships (Protection and Disclosure of Information and Consequential Amendments) Regulations 2024, which amend existing company law to permit individuals to protect their usual residential address where it appears on the register in more instances than is currently possible, including where a usual residential address is used as a registered office address in certain cases.
The draft Regulations also amend the corresponding provisions for LLPs and are expected to come into force on 30 September 2024.
Part 3 of ECCTA deals with reforms to the Register of Overseas Entities (ROE) regime. The reforms aim to ensure the provisions governing the ROE remain consistent with changes ECCTA makes to companies and other corporate entities. The DBT Report indicates that secondary legislation will be introduced later in 2024 to bring these reforms into force.
Part 2 of ECCTA includes reforms which aim to increase the transparency of limited partnerships and prevent their use for fraudulent purposes. There are also changes concerning the registration of limited partnerships and significant new obligations for the general partner and limited partners of a limited partnership. The DBT Report indicates that limited partnership reforms will be introduced during 2026.
A full implementation timetable for ECCTA is expected to be published shortly.
The Economic Crime and Corporate Transparency Act 2023 (Financial Penalty) Regulations 2024 have been published by the government.
The Regulations introduce the new civil penalties regime under ECCTA which enables the Registrar of Companies to impose a financial penalty for many offences under the Companies Act 2006 as an alternative to pursuing a criminal prosecution through the courts. The Registrar is empowered to do so if he/she is satisfied beyond reasonable doubt that the entity or person has committed conduct amounting to a relevant offence under the Act.
The Regulations came into force on 2nd May 2024. Companies House will publish guidance on its approach to enforcement and imposing financial penalties before it starts issuing financial penalties.
As part of its focus on 'Smarter Regulation', the government has published a consultation proposing various changes to the non-financial reporting regime in order to ease the burden on medium-sized companies.
By way of reminder, a company is 'medium-sized' if it satisfies two out of three criteria in a financial year:
As we reported in AGC Update, Issue 51, the government confirmed that it proposes to raise the turnover and balance sheet thresholds to £54m and £27m respectively, alongside increases in the financial thresholds for other company sizes (i.e. 'micro', 'small', 'large'). An overview of the impact of these threshold changes can be found in the consultation linked above.
The government's latest proposals would:
The consultation also confirms that the government intends to remove certain content requirements from the existing directors' report (for all sizes of company). Content requirements which may be removed include disclosure of:
Responses to the consultation are requested by 27 June 2024.
Of course it remains to be seen whether the proposals will be taken forward by a future administration after the General Election.
The FCA has published PMB 49 in which it has addressed a number of topics including:
The FCA reports on the outcome of its review of annual financial reports and relevant corporate documentation published between 2020 and 2022 by 25 UK incorporated premium listed companies, which assessed (i) compliance with disclosure obligations under the Listing Rules in relation to LTIPs and (ii) the nature of the metrics and performance conditions tied to the LTIPs.
Amongst other findings, the FCA notes poor levels of compliance with LR 13.8.11R(1) which requires companies to release a shareholder circular with the full text of the scheme or a description of its principal terms; only 10 of the 25 companies fully complied with this rule. In addition, the FCA found that 11 of the LTIPs had been amended and observed poor levels of compliance with LR 13.8.14R(2) as only five of these companies released a circular with the full terms of the proposed amendments.
The FCA stresses, in relation to the new regime, that it expects premium listed companies to know the compliance framework around LTIPs and reminds issuers of Listing Principle 1 (Procedures, systems and controls) and the relevant Listing Rules, including with respect to LTIP disclosures. Looking forward to the implementation of the FCA's reform of the Listing Regime, the approval of LTIPs will remain subject to a shareholder vote under the UKLRs applicable to the 'commercial companies' category; requirements relating to amendments to LTIPs will also be carried forward under the new regime. For more on the mapping process relating to the new regime, see the end of this item.
The FCA expects to continue using thematic reviews in order to assess how companies have complied with the relevant requirements in this area.
The FCA reminds issuers of their disclosure and filing obligations for annual financial reports and outlines its observations on compliance rates with respect to preparation, filing and publication requirements as well as its current supervisory approach.
The FCA refers to Technical Note 507.1 (July 2023) as a supplement to DTR 4.1 on the preparation and publication of annual financial reports. The FCA also highlights the FRC Lab's publication: Structured digital reporting – 2023 insights (Dec 2023), which sets out areas of focus and provides suggestions to optimise reporting for companies required to produce their annual financial report in a structured digital format (for more detail, see AGC Update, Issue 46).
In terms of compliance observations, the FCA notes a low compliance rate with preparation and filing that meets the disclosure requirements; for example, annual financial reports that contain consolidated financial statements that have not been correctly tagged in accordance with DTR 4.1.18R and those that have been filed with the National Storage Mechanism in accordance with DTR 6.2.10R but not in XHTML format as required by DTR 4.1.15R. In relation to non-compliance, the FCA reminds issuers that it will temporarily suspend a listing of securities where the issuer is unable to publish and file its annual financial report by the prescribed timeline set out in DTR 4.1.3R.
Following the ONS' revised descriptions of its recommended categories for ethnicity made in 2021, the FCA is proposing to make a similar change to the 'Other Ethnic Group' reporting category in its standardised board diversity tables (see LR 9, Annex 2) to align it with the ONS category description.
By way of reminder, in 2022 the FCA introduced rules requiring listed companies to report diversity information and to disclose against targets on the representation of women and ethnic minorities on their boards and in executive management teams (see Ashurst AGM 2023 update). The FCA is proposing to implement this revision as part of its wider Listing Regime reforms in CP 23/31 which it anticipates will be implemented in the summer.
Further to the government's announcement that it now expects to complete the UK endorsement process of the International Sustainability Standards Board Standards by Q1 2025, the FCA has updated the timelines which it previously set out in FCA PMB 45.
In short, following expected completion of the endorsement process in 2025, the FCA will consult on amending its rules to move from TCFD to UK-endorsed ISSB disclosure standards, as initially planned. The FCA also intends to consult simultaneously on strengthening its expectations for listed companies' transition plan disclosures, with reference to the TCFD Framework. In the meantime, the FCA encourages companies to familiarise themselves with the ISSB Standards and suggests that companies may also consider reporting voluntarily against ISSB Standards prior to the conclusion of the UK endorsement process. In line with this, the FCA may explore additional guidance to support issuers by indicating how reporting based on ISSB Standards can remain consistent with existing TCFD-based rules.
As signalled in FCA PMB 48 (see AGC update, Issue 52), the FCA has started to notify certain standard and premium listed issuers of the category it expects their securities to be mapped to under the new Listing Regime, should the proposals be implemented. Issuers who believe they have been incorrectly allocated to a particular category are being afforded four weeks to raise this with the FCA from receipt of the correspondence. Where clients have sought our advice, all have been correctly 'mapped' to their new listing category.
The draft Reporting on Payment Practices and Performance (Amendment) (No 2) Regulations 2024 have been published and laid before Parliament.
The draft regulations amend the Reporting on Payment Practices and Performance Regulations 2017 (2017 Regulations) (SI 2017/395) to require qualifying companies to publish information about their payment practices and policies in relation to retention clauses in any construction contracts that they have with suppliers. Similar requirements will also apply to LLPs. For background, see Item 5 of AGC Update, Issue 45.
In amending the 2017 Regulations, the draft regulations:
The draft regulations are stated as coming into force on 1 October 2024. The additional information will need to be reported for financial years beginning on or after 1 January 2025.
Following on from the launch of its sustainability committee terms of reference in January 2024, the Chartered Governance Institute of UK & Ireland (CGI) has published a report: 'Governing sustainability: Are sustainability committees the answer?' The report is intended to support organisations across different sectors to understand better – and overcome – the challenges of overseeing sustainability, with or without a board-level committee.
The report is based on a cross-sectoral survey of 130 governance professionals, interviews with governance leads in 26 different organisations, and an analysis of board committees among the FTSE 100. The report covers:
We have recently published the latest in our series of briefings focused on the issue of greenwashing from an international perspective. Issue 4 focuses on:
The UK government has published an update on implementation of the UK's Sustainability Disclosure Requirements and a policy paper containing a framework and Terms of Reference for developing UK sustainability reporting standards.
This follows the government's commitment last year to consider whether to endorse the International Financial Reporting Standards' sustainability disclosure standards for use in the UK. Our analysis of the update and policy paper is here.
The EU Council has formally adopted the Corporate Sustainability Due Diligence Directive (CS3D).
The CS3D establishes a corporate environmental and human rights due diligence duty for in-scope companies operating in the EU. It places obligations on such EU and non-EU companies to:
It also obliges in-scope companies to prepare, implement and annually update a climate Transition Plan.
These obligations will be phased in over 5 years based on a company's size. The first companies to face obligations will do so in 2027 and will be EU companies with more than 5,000 employees and a net worldwide turnover of €1,500 million, and non-EU companies and ultimate parent companies with a net EU turnover of €1,500 million.
Approval by the Council is the final step in the EU legislative process, which has been particularly convoluted in respect of this Directive (see EU adopts Corporate Sustainability Due Diligence Directive (CS3D) (ashurst.com)). The Directive will now be published in the Official Journal of the EU and will enter into force on the 20th day following publication. Member states will then have two years to transpose it into national law.
In-scope companies should start assessing their existing supply chain due diligence processes to ensure that any necessary amendments to ensure compliance with the Directive are made ahead of their obligations taking effect. They should also start preparations to develop a Transition Plan.
The National Cyber Security Centre (NCSC) and three insurance industry bodies, the Association of British Insurers, the British Insurance Brokers' Association and the International Underwriting Association, have produced joint guidance to help organisations faced with ransomware demands [NCSC.gov.uk].
The guidance seeks to minimise the overall impact of a ransomware incident on organisations and help reduce disruption and cost to businesses, the number of ransoms paid by UK ransomware victims, and the size of ransoms where victims choose to pay.
The NCSC, alongside law enforcement partners, continues to strongly discourage the payment of ransoms and suggests that being prepared for a cyber incident is key and will help lessen the impact if one happens. The NCSC offers comprehensive guidance, including how to develop incident management capability and prevent ransomware in the first place.
The guidance suggests the following issues organisations should consider when confronted with a ransomware attack:
Don't panic - slowing down to review the options will improve decision-making and lead to a better outcome.
Review alternatives, including not paying - check your options. Organisations may have viable backups, or there may be unexpected ways to help recover systems and data, partially or fully.
Record decision-making - maintaining a careful record of the incident response, decisions made, actions taken and data captured (or missing) is important for post-incident reviews, lessons learned or presenting evidence to a regulator.
Where possible, consult experts - objective external experts such as insurers, the NCSC, law enforcement or cyber incident response companies familiar with ransomware incidents can improve the quality of decision-making. If cyber insurance is in place, an affected organisation should report the attack to its insurer or broker.
Involve the right people across the organisation in decisions, including technical staff.
Assess the impact - decisions about payment should be informed by an understanding of the impact on a business, including business operations, data and the financial impact.
Investigate the root cause of the incident to avoid a repeat attack - seek to clarify and independently validate the original source of the compromise before making a payment and take appropriate mitigation actions.
Be aware that payment does not guarantee access to devices or data.
Consider the correct legal and regulatory practice around payment - payments may not be lawful, for example, if a ransom payment is made to an entity or area sanctioned by the UK. An affected organisation should also take into account the relevant local laws and regulations applicable to all jurisdictions in which it operates.
Know that paying a ransom does not fulfil regulatory obligations - the ICO is clear that it does not consider a payment to criminals who have attacked a system as a risk mitigation, and that it would not reduce the amount of any penalty.
Report the incident to UK authorities - organisations experiencing a ransomware attack can report it, as reporting an incident to the UK authorities will help support victims. The UK government's incident signposting service provides guidance on which organisations to notify.
Authors: Will Chalk, Partner; Rob Hanley, Partner; Marianna Kennedy, Senior Associate; Vanessa Marrison, Expertise Counsel; Becky Clissman, Counsel; Shan Shori, Expertise Counsel.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.