Regulatory round-up – January-February 2018


Consumer and Retail Finance – January/February 2018
Latest from the Financial Conduct Authority, including review updates and consultation feedback, PSD2 and other sector news.
Financial Conduct Authority (FCA)
On 31 January 2018, the FCA published a high-cost credit review update. This follows its July 2017 feedback statement which identified key areas of concern including arranged and unarranged overdrafts, rent-to-own, home-collected credit and catalogue credit. A substantive update will be published in May 2018 setting out the FCA’s analysis and assessment of harm from the high-cost credit products forming the focus of its review. At that stage it also intends to consult on changes that it may propose to improve the operation of those markets. Consultation on a wider package of remedies on overdrafts is expected towards the end of the year. The FCA says that it is “prepared to look at solutions designed to increase the choice and encourage the availability of alternatives to high-cost credit”. A separate update on the rent-to-own sector was also published recently.
On 14 December 2017, the FCA published feedback on its earlier credit card market study consultation on persistent debt and earlier intervention remedies, and opened a further consultation. The new consultation included a revised analysis of the costs to businesses of the proposed remedies and set out how the FCA had changed its thinking on aspects of its persistent debt proposals in light of the feedback received. On 27 February 2018, the FCA published the consultation feedback and final rules. As a result of the responses received, the FCA has amended its proposals to carve out business credit card products from the scope of the rules. The rules do not apply to credit card products promoted solely for the purposes of the customer’s business, but will apply to personal credit cards being used by businesses. The final rules and guidance on persistent debt and earlier intervention are set out in Appendix 1. They come into force on 1 March 2018 but firms have six months until 1 September 2018 to be fully compliant. The FCA issued a press release on the new rules.
Also on 27 February 2018, the FCA published the draft of a speech on ‘The Consumer Credit landscape today’ delivered by FCA Chief Executive Andrew Bailey to the Finance & Leasing Association. The FCA previously published an insight article on the types of borrowers driving recent consumer credit growth – currently ten per cent a year. Based on credit reference agency data for one in ten UK consumers, it concluded that: credit growth has not been driven by subprime borrowers; people without mortgages have mainly driven credit growth; and consumers remain indebted for longer than product-level data implies.
An interim report on the FCA’s review of the retained provisions of the Consumer Credit Act 1974 will be published in summer 2018. There will be a series of roundtable discussions and other stakeholder engagement in the second half of 2018 with a final report due by 1 April 2019.
The FCA has asked for help in reducing the high number of calls from consumers responding to letters, emails or sales literature that they have received from regulated firms. It reminds firms that there is no regulatory requirement to provide the FCA’s telephone number and asks them to review their use of the FCA’s details and remove the number. The FCA also reminded firms that they have a regulatory requirement under the FCA Handbook to keep contact information up to date. They should make sure that email address, telephone number and address details are correct. This can be done via Connect, the FCA’s online system.
An illegal money lender was sentenced to three and a half years’ imprisonment for offences under the Consumer Credit Act 1974 and Financial Services and Markets Act 2000. See the FCA’s press release.
The revised EU Payment Services Directive (or PSD2), introduced in the UK on 13 January 2018, brings in two new regulated payment services – payment initiation services and account information services. The FCA published a webpage for consumers setting out key information on those services. The FCA’s main PSD2 webpage also links to information for firms on applications, passporting and notifications under PSD2. A card surcharge ban also came into effect on 13 January 2018 as a result of PSD2.
On 30 January 2018, the FCA published the findings from its thematic review into the fair treatment of existing interest-only mortgage customers by lenders. See our recent briefing for details.
The FCA wrote to CEOs asking them to consider, together with UK Finance’s new best practice standards, how their firms are tackling authorised push payment fraud within the context of the Senior Managers and Certification Regime (SM&CR). See our recent briefing on push payment fraud for background and further details. Another dear CEO letter was written to the providers and distributors of contracts for difference products on resolving failings which may cause significant consumer harm.
We reported in the previous edition of the Regulatory round-up that the FCA was: consulting on its approach to supervising and enforcing the SM&CR rules for authorised firms’ unregulated activities, including those covered by industry-written codes of conduct; and starting a discussion and seeking views on extending the application of FCA Principle for Businesses 5 (“A firm must observe proper standards of market conduct”) to unregulated activities. The City of London Law Society responded to the consultation and discussion. Among other things, it believes that: there is a significant risk that the effect of the proposals would be to encourage the proliferation of a multiplicity of codes, all seeking regulatory recognition, presenting significant challenges and increased litigation risk for firms; the proposals may foster over-reliance on the fact of recognition; and the case for extension of the scope of Principle 5, giving the regulator very broad discretion to take enforcement action, has not been made out.
On 20 February 2018, the FCA launched a call for input on the use of technology to achieve smarter regulatory reporting. On the subject of innovation, the FCA has also been consulting on the merits of creating a global regulatory sandbox, given that many aspects of financial markets and FinTech are global.
The FCA and Information Commissioner’s Office (ICO) published a joint update on the EU General Data Protection Regulation (GDPR), the new data protection regime which comes into force on 25 May 2018. Among other things, the FCA says it believes GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook. It will continue to collaborate with the ICO in the coming months to address concerns firms raise and support firms’ preparations for the introduction of GDPR.
We reported in the previous edition of the Regulatory round-up that credit reference agencies Callcredit, Equifax and Experian had launched an industry-wide Credit Reference Agency Information Notice (CRAIN) in preparation for the implementation of GDPR. Customers must be given the opportunity (even if they decide not to take it) to access and read the CRAIN in full at the point of application.
The FCA’s Head of Technology, Resilience & Cyber recently gave a speech on ‘Building cyber resilience’. The FCA wants firms to be “resilient and robust. That means you understand what to protect, how you can swiftly detect an attack, and how you can respond and recover. If you can do these you will have built a successful foundation for resilience. Our challenge to you all is to embrace this effort. Attacks will happen, so be critical of yourselves, learn new behaviours and build resilience”. The FCA’s webpage on cyber resilience can be found here.
See the Data Protection section of this Regulatory round-up for the latest on GDPR and cyber security.
Other sector news
The Prudential Regulation Authority (PRA) sent a letter to the Chairs of relevant firms to communicate the key findings and action points following its review in the first half of 2017 of PRA-regulated firms’ consumer credit lending, covering credit cards, personal loans and motor finance. The PRA’s main finding concerns weaknesses in management information and governance, with other findings covering medium-term economic risk; affordability assessments; and some product-specific points on 0% interest credit cards and on larger or longer-term personal loans and motor finance.
On 12 February 2018, the Lending Standards Board announced a review of the Standards of Lending Practice for personal customers. Responses are requested by 30 March 2018.
The Department for Work and Pensions issued a written statement on the Financial Guidance and Claims Bill which provides for the creation of a single financial guidance body. Subject to parliamentary approval, the intention is to launch the new body in autumn 2018. The Bill is currently working its way through the legislative process.
The Money Advice Service recently published an independent review of the funding of debt advice in England, Wales, Scotland and Northern Ireland. A list of recommendations to provide an effective and transparent framework for the funding of debt advice is set out on page six onwards.
The Financial Services Compensation Scheme published its Plan and Budget for 2018/19, outlining the Scheme’s expected management costs and initial levy forecasts financial services firms will pay next year. See the press release for details and a link through to the document. The PRA and FCA recently consulted jointly on the management expenses levy limit. Policy statements/Handbook notices will be issued so that the final rules are in place by 1 April 2018.
The Financial Ombudsman Service recently consulted on its plans and budget for 2018/19. It says that it expects to see 4,500 more complaints about short-term lending (payday and instalment loans) in the current financial year than previously forecast, and anticipates 20,000 new cases of this sort in 2018/19.
On 2 February 2018, the Competition and Markets Authority (CMA) issued a press release concerning a rule change in force on that date requiring banks to set up an alert system which will help their customers avoid unnecessary charges. The rule change is part of the CMA’s Retail Banking Investigation.
We reported in the previous edition of the Regulatory round-up that the European Parliament and Council reached political agreement on the Commission’s proposal for a directive (which will become the Fifth Money Laundering Directive or MLD5) to amend the Fourth Money Laundering Directive (MLD4). MLD4 was implemented in the UK by the introduction of the new money laundering regulations which came into force on 26 June 2017. The European Parliament is due to consider MLD5 at its 16 to 19 April plenary session.
In the meantime, the House of Commons European Scrutiny Committee has cleared the MLD5 proposal from scrutiny. MLD5 makes substantial changes to the scope and operation of anti-money laundering rules in the UK. Given that the government is seeking a Brexit transitional period, the Committee considers it likely that most, if not all, of MLD5 will have to be transposed in the UK as a matter of law.
On 15 February 2018, the House of Commons Library published a briefing paper on the Sanctions and Anti-Money Laundering Bill which passed second reading in the House of Commons on 20 February 2018. The House of Commons Public Bill Committee is calling on those with relevant expertise and experience or a special interest in the Bill to submit their views in writing.
The Joint Money Laundering Steering Group recently published further amendments to its Guidance.
HM Revenue & Customs published a thematic review of anti-money laundering compliance in the money service business sector. The review is expected to be of particular benefit to businesses engaged in money transmission through networks of agents, and of interest to money service businesses using different operating models, or non-money service businesses operating with an agency model. Among other things, the review sets out findings of good and bad practice, and summarises the steps principals and agents should take to minimise their exposure to money laundering risks.
On 23 January 2018, the European Supervisory Authorities issued an Opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process. It highlights that, while the move towards a more technologically driven financial services market presents many benefits (including reduced costs, improved customer experience, increased speed of transactions, reduced account opening times and continuous access to services online) firms have to be mindful of the impact these changes might have on their money laundering and terrorist financing risk exposure.
On 22 February 2018, the Treasury Committee launched an inquiry into digital currencies and distributed ledger technology, which will look at the potential risks that digital currencies could generate for consumers, businesses, and governments (including those relating to volatility, money laundering, and cyber-crime), and examine the potential benefits of cryptocurrencies and the technology underpinning them, how they can create innovative opportunities, and to what extent they could disrupt the economy and replace traditional means of payment.
The Payment Systems Regulator (PSR) published a webpage on the UK’s ATM network. This follows concerns raised by LINK’s consultation on proposals for the future level of its interchange fee, which funds the UK’s free-to-use ATM network. LINK has addressed the PSR’s key requirements to ensure that consumers continue to have widespread free access to cash. The PSR says that it will continue to actively monitor developments. It has also published a reference guide for consumers on protecting free-to-use ATMs.
The European Commission issued new requirements that ensure independence of payment card schemes and processing entities, to enhance competition in the card payment market. It says retailers will be able to choose the most suitable processor for their card transactions, to the benefit of consumers. See the full press release here.
And finally, the European Banking Authority issued its final guidance for the use of cloud service providers by financial institutions.

Data Protection – January/February 2018
Latest on GDPR, the UK’s Data Protection Bill, e-privacy, ICO fee changes, cyber security and more.
Latest on the EU General Data Protection Regulation (GDPR)
The Information Commissioner’s Office (ICO) continues to update its Guide to the GDPR. See the “What’s new” section on page four.
It recently consulted on proposed guidance for UK organisations processing children’s personal data under GDPR and added a link on “GDPR breach reporting tips” to its local government webpage.
On 3 January 2018, the Department for Education published updated privacy notice model documents for schools and local authorities to issue to staff, parents and pupils about the collection of data.
The Fundraising Regulator has revised the Code of Fundraising Practice to take GDPR into account. The new Code rules will come into effect on 25 May 2018.
The Charity Finance Group recently published a guide for charities on GDPR.
On 24 January 2018, the European Commission published guidance “to facilitate a direct and smooth application of the new data protection rules across the EU as of 25 May” and launched a new online tool dedicated to SMEs. See the press release which includes a link through to Q&A on GDPR.
The Commission also published ‘Stronger protection, new opportunities’, a communication to the European Parliament and Council on GDPR. At paragraph 3.2, it discusses the new independent European Data Protection Board, which will replace the Article 29 Working Party (WP29) when GDPR comes into force. Importantly, the Board will not only issue guidelines on how to interpret core concepts of GDPR but will also issue binding decisions on disputes regarding cross-border processing, to ensure consistency of approach across the EU.
The WP29 recently adopted final versions of its guidelines on personal data breach notification and automated individual decision-making and profiling. It has also adopted final versions of its working documents on adequacy and binding corporate rules for controllers and for processors. It is currently consulting until 26 March 2018 on proposed guidelines for the application of Article 49 of GDPR, which concerns derogations from the prohibition on transfers of personal data outside of the EU. It is also consulting until 30 March 2018 on proposed guidelines on the accreditation of certification bodies under GDPR. Certification mechanisms are one of the voluntary measures to facilitate compliance with GDPR. The WP29 has not yet adopted its final guidelines on consent and transparency. Walker Morris will continue to monitor and report on developments.
In the press release issued after its February plenary meeting, the WP29 says that it is fully aware of the specific needs of SMEs and will provide guidance on when the obligation applies to maintain a record of processing activities according to GDPR. It will also work on updating the existing guidelines and criteria on the right to be forgotten. Links to the press release, consultations and other documents can be found on the new WP29 website.
Update on the UK’s Data Protection Bill and Brexit
The new Data Protection Bill, which will sit alongside GDPR, has completed its stages in the House of Lords and was presented to the House of Commons on 18 January 2018. It is expected to have its second reading there on 5 March 2018.
In a speech at the Munich Security Conference on 17 February 2018, the Prime Minister said: “The UK’s Data Protection Bill will ensure that we are aligned with the EU framework. But we want to go further and seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. And we envisage an ongoing role for the UK’s Information Commissioner’s Office, which would be beneficial in providing stability and confidence for EU and UK individuals and businesses alike. And we’re ready to start working through this with colleagues in the European Commission now”.
In its future partnership paper on the exchange and protection of personal data, published in August 2017, the government said that it wanted to explore a UK-EU model which could build on the existing adequacy model (where the European Commission assesses whether a third country’s data protection standards are ‘essentially equivalent’ to those applied in the EU) in two ways. Firstly, by enabling an ongoing role for the ICO in “EU regulatory fora”. Secondly, by the UK and EU agreeing to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU and other EU adequate countries, and the UK, from the point of exit (until longer-term arrangements come into force).
On 19 January 2018, the European Commission issued a notice to stakeholders processing personal data, reminding them of the legal repercussions which will need to be considered when the UK becomes a third country, “in view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement”. It notes that: “Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries apply”.
ICO fee changes announced
The government recently announced changes to the way that the ICO will be funded from 25 May 2018. Under GDPR, there will no longer be a requirement to notify or register with the ICO on an annual basis as under the current rules, but there will be a legal requirement for data controllers to pay the ICO an annual ‘data protection fee’ unless they are exempt. The new fees range from £40 to £2,900 with an automatic £5 discount when paying by direct debit. There is a three tier structure based on number of staff, annual turnover, and whether the organisation is a public authority, charity or small occupational pension scheme. See our newsflash for more details.
Latest ICO enforcement action
Carphone Warehouse was issued with a £400,000 fine, one of the ICO’s largest to date, after one of its computer systems was compromised as a result of a cyber-attack in 2015. Serious failures placed customer and employee data at risk.
A company that was previously fined £50,000 by the ICO for making nuisance calls has been prosecuted under the ICO’s criminal enforcement powers for continuing to break the law. Recent ICO fines in relation to nuisance calls include: a £300,000 fine for making 8.7 million automated marketing calls; a £350,000 fine for making 75 million automated marketing calls in four months; a total fine of £600,000 issued against four companies behind 44 million spam emails, 15 million nuisance calls and one million spam texts; and a fine issued to a former employee of an accident repair firm who downloaded and sold the personal data of motorists to nuisance callers. Ofcom and the ICO recently published an update to their joint action plan to address the consumer harm caused by nuisance calls and messages.
Basildon Borough Council has had a £150,000 ICO fine reduced to £75,000 on appeal. It received the fine in May 2017 for publishing sensitive personal data in online planning documents. The Council submitted that the level of fine should have been much lower for a number of reasons, including that the disclosed data was relatively limited, and that the Council had self-reported to the Commissioner and taken steps to review its data protection policies. The Commissioner considered that she had already taken the Council’s mitigation points into account and that the level of penalty was “appropriate and proportionate”. The Tribunal upheld the Commissioner’s decision to issue the fine, but felt that some of the mitigation points had not been given sufficient weight. Although it did not influence the Tribunal’s decision, the Tribunal also noted that “unlike fines imposed in the criminal justice system there is no independent body such as the Sentencing Council providing a definitive list of relevant aggravating and mitigating factors and a matrix of appropriate fines…the Commissioner is seeking to establish her own ‘database’ of penalties and pertinent factors to be taken into account…, though it might be argued that it is not entirely appropriate for the investigator and enforcer of monetary penalty notices to be the body that also effectively sets the level of the penalties”.
In other enforcement news: a former local authority education worker was fined after sharing personal information about schoolchildren and parents via Snapchat; the ICO executed a search warrant at the home of a person suspected of posing as an ICO officer to commit criminal offences; a man was prosecuted after posting sensitive police information on Twitter; and a firm of loss adjusters, one of its directors and a senior employee, and rogue private investigators received record fines for being involved in the illegal trade in personal information.
Points to note from recent speeches by the UK’s Information Commissioner
On 23 February 2018, a speech by the UK’s Information Commissioner was screened at the Direct Marketing Association’s (DMA) Data Protection Event 2018. Here are some of the key points:
- The ICO will soon publish an overview/roadmap of the UK’s new Data Protection Bill in response to feedback that it is “complex and confusing”.
- It will also publish tools aimed at micro businesses (organisations employing fewer than ten people).
- The ICO is working with the DMA to help produce a Direct Marketing Guide.
- Its own Direct Marketing Code of Practice is “in the pipeline”.
- The new e-Privacy Regulation (which sets out rules for direct marketing via phone, text and email, and which was due to apply at the same time as GDPR) is still being debated in Europe, “but a default for all consumer marketing to be opt-in is in the current draft”. The Privacy and Electronic Communications Regulations (or PECR) will sit alongside GDPR until the e-Privacy Regulation comes into force. The Commissioner said: “That means electronic marketing will require consent. Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it. It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent. You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent”.
In a speech given earlier in February on information rights and responsibilities and focused on the public sector, the Information Commissioner mentioned, among other things, the following points of interest:
- She will soon publish a blog setting out the essential steps for developing accountability in organisations.
- Most cyber breaches and attacks are preventable: “The high profile attacks on TalkTalk and Carphone Warehouse would not have happened if they had put rudimentary protections in place. And if NHS systems had been patched and up to date, they would have been protected from Wannacry”.
- New guidance that the ICO has written with the National Centre for Cyber Security will be published soon.
- The ICO runs free, “no strings attached” voluntary audits to check organisations are on the right track and to identify weaknesses or red flags.
- It will soon launch its first ever technology strategy setting out its plans for the future (now published).
- It is developing a “sandbox”, a safe place for companies and public bodies to test the data durability of their innovations.
- The Commissioner described the ICO as “a risk-based, proportionate regulator”. She said that she knows there will be many organisations that are less than 100 per cent compliant on 25 May 2018: “This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort”.
Cyber security update
The government responded at the end of January 2018 to the consultation on its plans to implement the Security of Network and Information Systems Directive (or NIS Directive) in the UK. The NIS Directive must be transposed into UK law by 9 May 2018. Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. The National Cyber Security Centre has issued guidance for organisations on what they need to do to comply.
The European Economic and Social Committee says that the EU should “strengthen the mandate of ENISA [the European Union Agency for Network and Information Security] as the EU cybersecurity agency, create a certification framework at European level, and focus on the education and protection of internet users”. It broadly supports the Cybersecurity Act which was put forward by the European Commission in September 2017, and it proposes a number of practical measures to increase the European cybersecurity framework. See the press release here.
Here in the UK, the government recently consulted on the Commission’s proposal for a Cybersecurity Act and the House of Commons European Scrutiny Committee requested clarification from the government on the policy and Brexit implications of the proposal.
More news from Europe…
On 28 January 2018, Facebook published its privacy principles for the first time. It also introduced an education campaign which will include educational videos on important privacy topics. A new privacy centre will be introduced this year featuring core privacy settings in a single place, a move prompted by the requirements of GDPR.
Facebook has come increasingly under fire in Europe on a number of fronts. A German court recently found its default privacy settings and use of personal data to be in breach of German consumer law; and a Belgian court ruled that the company failed to comply with Belgian privacy legislation when tracking and recording the browsing behaviour of internet users in the country. The European Court of Justice ruled that privacy campaigner Max Schrems can sue Facebook in his home state of Austria as a “consumer”, despite his various semi-commercial activities which include publishing books, lecturing and fundraising. He does not have to sue in Ireland, where Facebook is based. However, the court ruled against Schrems being able to bring claims in Austria on behalf of thousands of consumers from Austria and other countries.
On 15 February 2018, the European Commission announced that Facebook, Google and Twitter had made changes to their terms of services “to make them customer-friendly and compliant with EU rules”. A factsheet sets out an overview of the changes.
We reported in the previous edition of the Regulatory round-up that Max Schrems launched a non-governmental organisation (called “noyb” or “None of Your Business”) with the aim of ensuring “that the tech industry is following fully the existing privacy and data protection laws in the European Union, through strategic litigation in the public interest”. He has already surpassed the minimum funding goal.

Health and Safety – January/February 2018
Launch of New Office for Product Safety and Standards, Supreme Court authority, sentencing news and more.
Government announces new Office for Product Safety and Standards
The government has now responded to the July 2017 report of the Working Group on Product Recalls and Safety, which was tasked with developing options to improve the system of product recalls and safety. The government supports the eight recommendations put forward by the Working Group and has decided to create a new Office for Product Safety and Standards (OPSS).
Among other things, the OPSS will: provide advice and support to ensure manufacturers, importers and retailers meet their responsibilities to place only safe products on the market; provide consumer-facing product safety information and advice; and co-ordinate rapid and effective action when national safety issues arise. It will cover non-food consumer product safety such as white goods, electrical goods, toys, clothes and cosmetics. Market surveillance of construction products is being looked at separately as part of Dame Judith Hackitt’s review of building regulations and fire safety.
The OPSS was launched on 21 January 2018 and sits within the Department for Business, Energy and Industrial Strategy (BEIS). Longer term, the government will consider options for making the OPSS an independent, arm’s length body. Initial OPSS priorities will be to set up an incident management capability to respond to national product safety issues and make further improvements to the information on the government’s product recall webpages to make them more accessible. Among other things, it will move on to building an extensive data hub of all corrective action and recall programmes affecting consumer products. Full public access is anticipated in 2019.
Separately, and prior to the launch of the new OPSS, the House of Commons published a report from the BEIS Committee on the safety of electrical goods in the UK. The Committee was particularly concerned by Whirlpool’s response to a defect in its tumble dryers. The Committee’s conclusions and recommendations are set out on page 26 onwards.
Concerns raised over independent review of building regulations and fire safety
The Chair of the Communities and Local Government Committee has written to Dame Judith Hackitt, expressing concerns over the scope of her review of building regulations and fire safety, undertaken following the Grenfell Tower disaster. The interim report was published in December 2017 and a final report is expected in spring 2018. See the exchange of correspondence here.
Whirlpool fine reduced on appeal
Whirlpool UK Appliances Limited has had a £700,000 fine reduced to £300,000 on appeal [1]. The electrical appliance company received the fine in March 2017 after a self-employed contractor fell from a height of nearly five metres and later died from his injuries. It submitted that the sentencing judge had made a mistake in his application of the sentencing guideline so that the sentence imposed was “manifestly excessive”.
This was a low culpability, “harm category 3” offence. For “large” organisations, with a turnover or equivalent of £50 million or over, the starting point under the guideline for such an offence is £35,000 with a category range of between £10,000 and £140,000. In respect of “very large” organisations, the guideline provides that “where an offending organisation’s turnover or equivalent very greatly exceeds the threshold for large organisations, it may be necessary to move outside the suggested range to achieve a proportionate sentence”.
The sentencing judge had identified that the company had a turnover of £500 million (it was actually slightly higher than this at around £700 million) and considered that the appropriate starting point was £1.2 million. This was reduced by £150,000 for good character and remorse and a one third reduction applied to reflect the guilty plea.
The Court of Appeal began by considering the approach to sentence for a “large” organisation, noting that the culpability and harm category can both have a marked impact on starting points. It said that a consistent feature of sentencing policy in recent years has been to treat the fact of death as something that substantially increases a sentence, as required by the second stage of the assessment of harm at step one of the sentencing guideline. The fact of death, without taking account of turnover, in this case justified a move not only into the next category of harm, but to the top of the next category range, which might suggest a starting point of £250,000. The court went on to say that that figure must be increased to reflect the company’s large turnover and its status as a “very large” organisation. The next range up in the guideline extends from £180,000 to £700,000.
The court’s view was that the company’s turnover should result in the starting point moving to £500,000, before taking aggravating and mitigating factors into account. This figure was reduced to £450,000 to reflect the strong mitigating factors in the case, with a one third reduction to reflect the guilty plea. At step three of the sentencing guideline, which requires the court to “check whether the proposed fine based on turnover is proportionate to the overall means of the offender” (a step which the sentencing judge had not taken) the court did not consider that its figure of £450,000 required adjustment. The company had underlying profitability – a recent loss was due to two exceptional items and the fluctuations in profitability did not affect the directors’ remuneration.
The court made the following comment in relation to step three of the sentencing guideline: “There is a significant difference between an organisation trading on wafer-thin margins and another, perhaps a professional services company where the profits shared between partners or shareholders is a substantial percentage of turnover. An organisation with a consistent recent history of losses is likely to be treated differently from one with consistent profitability. So too, an organisation where the directors and senior management are very handsomely paid when compared to turnover is likely to attract a higher penalty than one where the converse is the case”.
It is also interesting to note the court’s concluding remarks in this case:
“Nothing in this judgment is intended to alter the policy in this Court in recent times (consolidated by the Sentencing Guidelines Council) of ensuring that organisations are made to pay fines that are properly proportionate to their means. That of course does not relieve the Court of a duty to enquire carefully into the facts of each case so as fairly to reflect different levels of harm and culpability. The circumstances of this case are unusual in flowing from an offence of low culpability and low likelihood of harm. Had they involved any increased culpability or likelihood of harm the appropriate fine would have been very much larger. No two health and safety cases are the same. The Guideline provides for very substantial financial penalties in appropriate cases, particularly when the offender is a large or very large organisation. Yet it is subtle enough to recognise that culpability, likelihood of harm and harm itself should be properly reflected in any fine, as well as turnover. The same degree of actual harm following a breach of section 2 or 3 of the 1974 Act can deliver very different fines depending on the circumstances…
Large commercial entities in many areas of business are vulnerable to very substantial financial penalties for regulatory failings. The same is true for breaches of health and safety or environmental law in appropriate cases. A fine of the order imposed by the judge in this case would only have been appropriate if the factors weighing in the balance for the purposes of the Guideline had been different.”
Sentencing update
Tata Steel is the latest company to be issued with a £1 million-plus fine for breaching health and safety legislation. The steel producer was fined £1.4 million after a maintenance electrician died when an overhead crane trapped and crushed him while he was carrying out inspection duties. An investigation by the Health and Safety Executive (HSE) found that the company had failed to enforce its own safety procedures (despite two previous incidents) and failed to put in place essential control measures.
Discount retailer Poundstretcher was fined £1 million for 24 health and safety offences, in prosecutions brought by three different councils.
In other sentencing news:
- A contractor and sub-contractor were fined a total of £800,000 after a scaffolder died when he was hit by a reversing dumper truck at a construction site. An HSE investigation found that the contractor had made no provision to maintain separation of vehicles and pedestrians where the incident took place and traffic management across the entire site was poorly managed, which was an underlying cause of the accident. The subcontractor failed to provide a person trained to direct vehicle movement, there were no such employees on site, and the vehicle was not fit for use on the site.
- A retail company and a contractor were fined a total of £640,000 after two elderly members of the public were injured on consecutive days during the construction of a concrete disabled ramp outside a convenience store. Customers were required to walk through the construction site to enter and exit the store. The HSE inspector said: “These incidents could so easily have been avoided by simply carrying out correct control measures and safe working practices. Commercial clients and companies should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards”.
- A principal contractor was fined £500,000 after a worker on a housing development site suffered life-changing injuries from being struck and run over by a tipper truck. An HSE investigation found that there were insufficient protected walkways across the site, there was no control over access to it, there was an accepted practice of walking on haul roads, and no up to date traffic management plan.
- The Ministry of Defence received a Crown Censure (the maximum sanction a government body can receive) after a Royal Navy engineering technician died when he was crushed between a moving lift and a lift shaft while carrying out maintenance work.
Supreme Court clarifies approach to challenge of improvement/prohibition notices
The Supreme Court has provided definitive authority in relation to the challenge of improvement/prohibition notices, following conflicting interpretations of section 24 of the Health and Safety at Work etc Act 1974 (the Act) in the English and Scottish courts [2]. The key question for the Supreme Court to determine was whether, in reaching its decision whether to affirm, modify or cancel the notice, a tribunal is confined to the material which was, or could reasonably have been, known to the inspector at the time the notice was served, or whether it can take into account additional evidence which has since become available.
Chevron North Sea Limited had been served with a prohibition notice under section 22 of the Act after inspectors formed the view that corrosion had rendered unsafe the stairways and stagings providing access to a helideck on an offshore installation, so that there was a risk of serious personal injury from falling through them. Chevron appealed against the notice to an employment tribunal under section 24 of the Act. It later obtained an expert report setting out the results of testing of the metalwork, which showed that it passed the British Standard strength test, and there was no risk of personnel being injured by falling through it. Chevron sought to rely upon the report as part of its appeal.
The tribunal decided that it was entitled to look at the later material and cancelled the notice. The Scottish Court of Session Inner House held that the tribunal had been correct to have regard to the subsequent testing and analysis, and entitled to accept that evidence. The English Court of Appeal had taken a different view on the proper approach to an appeal under section 24 in an earlier case, and so the inspector appealed to the Supreme Court.
The Supreme Court held that the tribunal is not limited to considering the matter on the basis of the material which was or should have been available to the inspector. It is entitled to take into account all the available evidence relevant to the state of affairs at the time of the service of the prohibition notice, including information coming to light after it was served. The inspector’s appeal was dismissed.
This decision brings welcome clarification for duty-holders.
New occupational health and safety standard
The International Organisation for Standardisation (ISO) is developing a new standard – ISO 45001, ‘Occupational health and safety management systems – Requirements’ – to help organisations across the world reduce the significant burden of occupational injuries and diseases. The new standard is due for publication on 12 March 2018. See the ISO’s webpage here.
____________
[1] Whirlpool UK Appliances Limited v R (Upon the prosecution of Her Majesty’s Inspectors of Health and Safety), [2017] EWCA Crim 2186
[2] HM Inspector of Health and Safety v Chevron North Sea Limited, [2018] UKSC 7
Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence.