Online Safety Act implementation | Deloitte UK
Online Safety regime
The Act introduces a landmark set of new rules designed to tackle illegal content online and prevent harm to individuals in the UK, imposing new requirements for providers of online services.
Ofcom expects implementation of the Act to deliver four outcomes:
A key aspect of Ofcom’s new rules is that they will focus on services developing stronger systems and processes in relation to user safety (e.g., taking effective steps to ensure that such systems and processes mitigate the risks identified by risk assessments, such as illegal content ranging from online fraud to terrorism). Ultimately, the intention is to build a stronger culture and practice of risk management in online services.
As set out above, Ofcom has stated that two of its four key focus areas will be on stronger safety governance, and services that are designed and operated with safety in mind. Where Ofcom decides to exercise its supervision powers in relation to these two areas (specifically by issuing an information notice as a first step, but which may also extend to audit notices), services must name a Senior Manager with responsibility for ensuring compliance with Ofcom’s requests.1
Therefore, in one sense, these Senior Manager obligations only apply once Ofcom has exercised the above-mentioned supervision powers. However, given the nature of this new supervisory regime, we expect these powers to be used widely (in particular for the largest internet companies within scope). Indeed, Ofcom stated in its 9 November consultation on protecting people from illegal harms online that “We expect to use our power to issue statutory information notices regularly from the outset of the regime”.
Financial services regime
The FCA’s new Consumer Duty is also seen as a landmark new approach in the financial services sector, introducing rules relevant to firm conduct, with principles-based requirements (amongst other things) for firms to avoid foreseeable harm to retail customers.
The Consumer Duty requires firms to monitor, measure and act on the outcomes their retail customers are receiving which should lead to good outcomes for customers in four specific areas (namely products and services, price and value, consumer understanding and consumer support). A central element of this requirement is that all staff need to understand their role in delivering good consumer outcomes in order to achieve the necessary cultural change.
These rules are set in the context of the existing Senior Managers and Certification Regime, jointly enforced by the FCA and the Prudential Regulation Authority (PRA), which aims to reduce harm to consumers and strengthen market integrity by making Senior Managers more accountable for their conduct and competence on an ongoing basis.
Against this background we have identified some key learnings from UK financial services regulation that can be read-across to Ofcom’s implementation of the Act.
Broadly speaking, initial parallels can be drawn between, on the one hand, the processes, systems and controls that need to be introduced, and on the other, the policies and practices that should be adhered to.
In relation to processes, systems and controls, drawing on our experience of working with financial services firms to implement the Consumer Duty, we think that companies subject to the Act should consider having:
More broadly, the largest firms within scope of the Act should prepare for ongoing and detailed “supervision” regarding the status of compliance with these new measures throughout the company (indeed, Ofcom has itself highlighted the relevance of experience from the financial services industry in this respect). Companies within scope should prepare for the nature of the regulatory dialogue to change, with ongoing and enforceable information requests allowing Ofcom to establish a view on ongoing company compliance.
In relation to policies and practices, we consider that the following regulatory expectations in relation to Consumer Duty implementation are relevant:
This approach also appears consistent with Ofcom statements in this area, for example an emphasis on “good risk management practice as a fundamental part of service design and organisational culture”, which “links to strong governance”, where Ofcom will “advocate for risk assessments and risk management to be owned at the most senior levels”. Ultimately, members of staff should understand their role in delivering outcomes consistent with the Act, supported by underlying people management and processes designed to achieve this.
There are two categories of learning in this context: the first is a broader insight relating to how the Senior Managers regime has been established in the financial services sector; the second is a more specific insight into how the requirement for senior managers to take “reasonable steps”2 has been interpreted in the financial services regime.3
Likely leading practices that can be drawn from the financial services regime
Likely differences between both regimes
Demonstration of “reasonable steps” by Senior Managers
Under the Act, Senior Managers have liability for information offences or otherwise obstructing or delaying Ofcom’s supervision and enforcement functions (e.g., inadequate response to an Ofcom information notice). However, the nominated Senior Managers may have a defence if they can demonstrate that they have taken “all reasonable steps” to prevent that offence being committed. Therefore it will be important to have a clear understanding of what those “reasonable steps” will be in practice.
In its consultation of 9 November (specifically, ‘Information gathering and enforcement powers and approach to supervision’), Ofcom provided a summary of Senior Manager liability in this respect, but did not specifically elaborate on what may be considered “reasonable steps”. Ofcom did however elaborate on the following potential defences relevant to this provision, referring to situations where:
In the financial services regime, Senior Managers must take “reasonable steps” in the execution of their duties. The following considerations which are relevant to an assessment of “reasonable steps” in the financial services sector seem to us to be equally relevant to online safety:
Enforcement activity under the Senior Managers regime (by the PRA) earlier this year provides one example of how reasonable steps have been interpreted in practice. In this case, the PRA found that a Senior Manager Chief Information Officer (CIO) had not taken reasonable steps in relation to the identification and management of risk associated with outsourced providers (broadly speaking, although the CIO had given assurances to his Board about his company’s preparedness, he had not himself obtained sufficient assurance from the outsourced provider in question). This resulted in a financial penalty of £81,620 for the individual concerned. The same reasoning would be relevant where a regulated online company depends on third-party input in order to engage appropriately with an Ofcom supervision and enforcement function: the Senior Manager will need to show that they obtained and tested that input, not merely relayed it.
Ultimately whether “all reasonable steps” were taken by a Senior Manager under the online safety regime will be a question of fact to be determined in each case, so an element of uncertainty is likely to remain for some time until the defence is tested. However, it can already be seen from the financial services regulatory regime that Senior Manager responsibility is an important supervisory tool to incentivise the right behaviours and ensure individual accountability. We would expect to see such provisions having a similar impact in relation to online safety.
Ofcom’s implementation of the Act is in its early stages, and further guidance is expected in advance of all of the rules coming into force.
Nevertheless, there would certainly appear to be a number of relevant learnings from financial services regulation that companies in scope of the new Act can draw on to prepare themselves for the new regime.
Affected firms can already begin to consider the new obligations that may be expected, both in terms of systems, processes and controls, policies and practices in general and Senior Manager responsibilities in particular.
_____________________________________________________________
1 For completeness, the Act also introduces new requirements for corporate officers in relation to child safety duties. This relates to a failure by an officer of the company, defined as a “director, manager, associate, secretary or other similar officer” to comply with their responsibilities in this regard. Therefore, it may be expected that certain Senior Managers will also be impacted by this obligation. Such duties, which will be continuing in nature, will come into force 40 days after the relevant Ofcom codes are formally laid in Parliament. As this is currently expected to take place in late Q3 or Q4 2024, we do not consider them further at this stage.
2 Further detail on the Senior Manager conduct rules in the financial services regime in this respect can be found at COCON 2.2 Senior manager conduct rules - FCA Handbook
3 For completeness, we note that the Act requires that “all reasonable steps” be taken by Senior Managers, whereas the financial services Senior Managers regime focuses on “reasonable steps”. We do not consider any broader implications of this here.
4 Deloitte has previously set out views on what constitutes “reasonable steps” for Senior Managers under the financial services regime, for example see deloitte-uk-senior-manager-regime.pdf
Robert is a Director in Deloitte's EMEA Centre for Regulatory Strategy, where he leads the Centre’s work on regulation in Digital Markets. Prior to joining Deloitte, Robert spent eleven years at Vodafone Group, setting Group policy positions across a wide variety of regulatory initiatives relevant to the promotion of competition and protection of consumers in digital markets. Robert has over a decade's experience working at regulatory bodies relevant to the sector, spending eight years at Ofcom (and its predecessor Oftel) and four years at the UK's competition and consumer protection authority. This included a secondment to the US Federal Trade Commission working on technology topics in the FTC's Bureau of Consumer Protection.
Brij is an Associate Director within the Internet Regulation team at Deloitte and is an expert in media regulation. Having previously worked on developing the UK’s online safety regulations at Ofcom, Brij is well versed in the new wave of regulations for online businesses. Prior to joining Ofcom, Brij worked on developing government policy for online harms, online advertising, broadcasting and the UK creative industries as a whole at DCMS, and before this held a number of senior roles in policy, strategy and regulation at the BBC. He has an MSc in Media and Communications Regulation & Policy from the London School of Economics and Political Science, and is a postgraduate lecturer on contemporary issues in media and communications technology with the University of Alberta in Canada. Brij is a member of BAFTA and the Royal Television Society.
Laurie is a Director in Deloitte’s Ethics & Regulatory Compliance team and is the Governance, Risk and Compliance Lead for Internet Regulation across Deloitte’s EMEA team, focusing on the impact of internet regulation on digital platform companies and in the wider TMT and Consumer industries. He has over twelve years of governance, risk and compliance experience, including internal audit, across the public and private sectors. Laurie also acts as a regulatory SME across a number of different regulations including EU GDPR, EU DSA, EU DMA, EU ND4C and UK OSB. Laurie has supported a number of large global TMT organisations to assess and implement governance, risk and compliance frameworks. Laurie is a Chartered Member of the Institute of Internal Audit (CMIIA), a Certified Internal Auditor (CIA), and a Certified Information Privacy Professional (CIPP/E).
Kareline is a director in Deloitte’s EMEA Centre for Regulatory Strategy, specialising in insurance regulation. Kareline has more than 15 years of experience in both prudential and conduct insurance regulation, providing high quality advice to firms in the UK market. At Deloitte, Kareline leads a team of experts to carry out horizon scanning and assess the strategic impact of regulation on the market. Kareline provides advice to insurance clients on the impact of regulation on their business, finance, and operating models. Kareline has led engagements supporting clients with a number of regulatory challenges including Brexit and restructuring projects, advice on the impact of Solvency II/Solvency UK on capital decisions and investments, supporting a top 3 retail general insurer on interpretation of and compliance with Pricing Practices rules, and design and implementation of insurance products and customer journeys for a large life insurer. Kareline is a member of the ICAEW Risk and Regulation Committee and the Solvency II working party. Kareline has authored several publications and columns on insurance regulation and Solvency II over the past ten years.
Suchitra is a Partner in the EMEA Centre for Regulatory Strategy and helps our clients to navigate the regulatory landscape around technological innovation. She sits on the UK Fintech Executive and leads our thought leadership on topics such as digitisation, cryptoassets, AI, regulatory sandboxes, Suptech, payment innovation and the future of regulation. She recently completed a secondment at the Bank of England, supervising digital challenger banks. Suchitra is a member of various industry working groups on innovation in financial services and has regularly featured in the Top 150 Women in Fintech Powerlist (Innovate Finance). She is a qualified Chartered Accountant and has previously worked in Deloitte’s Audit, Corporate Finance and Risk Advisory teams, where she led large-scale regulatory change projects.
Nick leads Deloitte’s global Internet Regulation offering, established to help clients respond to the strategic, practical and operational challenges presented by new rules for the Internet. These laws and regulations in EU, UK, US and globally will govern digital competition, online content and behaviour, consumer protection, AI, privacy, ownership of digital assets, access to digital services and much more. Nick created the Internet Regulation offering to be intentionally global and multi-disciplinary. The team includes risk and compliance specialists, legal and regulation experts, economists, strategists, technologists, auditors and transformation leads, working together with clients at Internet companies, government departments and regulators, financial services, and the ecosystem of affected organisations who have a stake in the future of the Internet. Nick has worked at Deloitte since 2010 and has extensive experience in regulatory transformation, enterprise data strategy and the Media and Telecoms sectors. Nick leads the Media & Entertainment sector for Deloitte’s Risk Advisory business in the UK. Nick has a degree in History of Science from the University of Cambridge.
Joey is a partner in Deloitte’s UK legal team. She has over 15 years’ experience advising clients in the tech sector. She is an expert in digital risks and internet law and regulation. She advises on cutting-edge issues (harmful and illegal content, rights to free speech, mis/dis-information, AI, deepfakes) and on digital content strategies and risks in light of new regulatory and legal developments. She assists clients to identify and mitigate digital risks, designing and advising on legally compliant content controls and processes. She advises on the legal position with respect to content issues, on platform community standards and related content terms, notice and take-down processes, moderation and on how to manage the related legal risks. She works with digital content companies, media, platforms and ISPs, blending legal expertise in IP (brand, digital copyright and digital rights management and enforcement) with reputation risk (defamation), privacy, media & advertising, social media law and platform liability and regulation, all in the digital context.
Hilary is lead Director in Deloitte’s multi-disciplinary global Internet Regulation (Legal) team. She specialises in advising digital platforms, social media, e-commerce and media and entertainment companies on emerging internet law and regulation and digital and content risks. Hilary is an experienced digital disputes lawyer with over 15 years’ experience advising on and litigating intellectual property, advertising, competition, consumer protection, intermediary liability, and reputation management issues. She acts both as a practising lawyer and a SME risk consultant leading regulatory, advisory and contentious projects in the TMT sector. Hilary regularly speaks and writes on the legal, regulatory and compliance issues arising from the new rules for the internet and emerging technologies. She has a degree in Law and a Postgraduate Diploma in Intellectual Property Law & Practice from the University of Oxford.