This article is published in British Academy Review No. 34 (Autumn 2018).
John Armour is Professor of Law and Finance at the University of Oxford. He was elected a Fellow of the British Academy in 2017.
The rapid pace of technological change currently under way in data-driven sectors poses an acute challenge for both firms and society at large: regulatory lag. The regulatory framework necessary to ensure the safe deployment of data-driven technology will necessarily lag behind the deployment of the technology, because the potential social harms associated with use of any new technology do not come to be fully understood until after the technology has been adopted. As a consequence, a firm making use of data-driven technology cannot assure itself or its customers and investors that it will avoid causing unnecessary social harm simply by complying with existing regulation.
The implication of regulatory lag is that should a firm’s use of data-driven technology cause harm to some section of society, then it seems unlikely that the firm’s statement that ‘we broke no laws’ will succeed in deflecting reputational damage. It is therefore desirable for a firm’s internal policies regarding data custody and risk assessment for data-driven technologies to be set according to guidelines prescribed by the firm that are more demanding than the current state of regulation.
As such guidelines prescribe conduct to a standard higher than extant regulation, they entail more than ‘compliance’ in the ordinary sense, and are a form of what are often referred to as ‘ethics’ policies. A challenge for such ethics policies is where they should legitimately be grounded. We argue that a useful starting point is a ‘forward compliance’ perspective: the firm seeks to comply not with the regulations as they are today, but with the regulations as the firm anticipates they will and ought to be, based on the firm’s understanding of the issues arising from its use of the technology. This harnesses the fact that the firm has privileged access to real-time information about any issues emerging from the deployment of its technology. The firm’s Ethics and Compliance team should monitor such issues and respond in accordance with its understanding of the interests of society, as grounded in the structure of the relevant regulatory frameworks. In short, the firm should not wait for the regulator to create a rule in respect of an emergent problem: it should act pre-emptively as if it were the regulator, for the purposes of writing its own guidelines of ethical conduct.
Forward compliance recognises that any new technology will necessarily bring some unforeseen risks, but at the same time encourages firms to act proactively to mitigate and respond to these risks as and when they emerge. Encouraging firms to adopt a forward compliance perspective will help ensure that regulatory goals continue to be met in the face of fast-changing technological environments. Moreover, a firm that engages seriously in forward compliance will stand a far better chance of weathering any subsequent reputational storm, as the internal communications that emerge will show the firm grappling proactively with the problem rather than seeking to bury it.
Forward compliance can be implemented through a firm’s Ethics and Compliance function. It requires a high-level team to monitor emerging issues and decide on whether and how the firm’s internal Principles of Conduct should be updated – this requires a significant resource but is entirely appropriate for a very large organisation. It also requires that the firm actually execute compliance with its Principles of Conduct through an effective compliance programme, in particular ensuring that performance targets for remuneration and career progression are designed so as to reinforce, and not chafe against, such Principles.
While there are good business reasons for firms to adopt a forward compliance perspective, it may be that managers exhibit myopia regarding these benefits – for example, because they are paid for performance measured over only a short period. Steps are being taken to address this problem – for example, the 2018 version of the UK Corporate Governance Code imposes a minimum five-year vesting period for stock-based pay awards – but it may be that further encouragement is needed. To this end, modifying directors’ duty of care in relation to oversight so that it encompasses forward compliance might be a possible prompt for further action.