New initiatives to promote engagement and collaboration with regulators can help businesses address compliance challenges more effectively.
More often than not, when companies clash with a regulator, the regulator comes out on top. Even without any action taken, the knowledge that a company and its activities are on a regulator’s radar is enough to make most think twice about what they are doing and how they are doing it.
Regulatory fines can be massive and the subsequent costs to remediate damage and compensate customers can be even more punitive. For example, BP’s $20.8 billion settlement with the U.S. Department of Justice over the Deepwater Horizon oil spill in the Gulf of Mexico remains the biggest corporate fine to date. However, the company has paid more than three times that amount in compensation and remediation.
Failure to heed a watchdog’s warnings or to fully disclose key details to a supervisory authority can also prove a costly mistake. In June 2020, cryptocurrency firm Telegram Group agreed to return $1.2 billion to investors and pay an $18.5 million civil penalty after the U.S. Securities and Exchange Commission (SEC) charged it with pursuing a digital token coin offering to raise cash from investors despite being barred from doing so. The regulator took the position that initial coin offerings (ICOs) are, in effect, securities offerings and therefore subject to SEC offering rules, requiring companies to file registration and disclosure documents. As Telegram did not do this, its ICO was disallowed. According to the SEC, had Telegram worked with the agency instead of launching the token offering without any oversight, the outcome might have been different.
“Whether you are the regulator or the regulated, a good relationship is fundamental to good governance and can save a whole world of pain,” said Phillippa Ellis, head of the business crime and investigations practice at Capital Law. “And key to a successful relationship is to remember that regulators do not like surprises. They would far rather a company engage in a conversation before running afoul of their rules or guidance, and for companies to self-report when they do.”
Regulators Reach Out
Over the past few years, regulators in several countries have made a concerted effort to forge working relationships with companies. This is particularly common in fast-moving industries where regulation is often slower than innovation. Agencies have surmised that cooperation may lead all parties to a greater understanding of what companies are trying to develop, what a regulator’s concerns may be, and how a workable solution can be achieved without imposing rules first or taking enforcement action later.
Indeed, regulators in a wide range of industries have taken steps to encourage companies to approach them first before going to market with a product or service that may cause harm. In some sectors, regulators have set up “sandboxes” where companies can road-test products in a safe environment prior to launch. While there is no guaranteed assurance, this arrangement allows companies to gain input and direction from the regulator as to whether the product or service complies with regulations, standards and best practices.
For instance, the U.S. Food and Drug Administration has been advancing new approaches to pre-market review for several years, particularly for new technologies in the areas of artificial intelligence, machine learning and software as a medical device (SaMD). In 2017, the U.S. Federal Aviation Administration set up an initiative that aimed to connect government agencies and aircraft manufacturers to look at the design and safe use of drones for commercial and public purposes.
In the fintech industry, financial services regulators have been looking to engage with market participants to understand emerging development trends, root out potentially harmful innovations early, and foster closer cooperation to demonstrate that regulators and business can work together to mutual advantage. For example, Mick Mulvaney, the former acting director of the U.S. Consumer Financial Protection Bureau (CFPB), launched a regulatory sandbox in 2018 to encourage cryptocurrencies and blockchain technology, while the SEC unveiled its Strategic Hub for Innovation and Financial Technology (FinHub) to better facilitate collaboration between the agency and innovators, developers and entrepreneurs in the fintech arena.
A number of jurisdictions around the world are also taking this kind of collaborative approach in an attempt to attract and facilitate business. Last year, the New York Department of Financial Services signed an agreement with its French counterpart, the Autorité de Contrôle Prudentiel et de Résolution, pledging to work together to encourage innovation in their individual financial services markets, enhance consumer protection, and support fintech innovators in their efforts to enter and meet regulations in each other’s jurisdictions.
Regulators are also pushing for closer cooperation to keep pace with technical developments regarding data use. For example, Europe’s strict—and highly punitive—data privacy rules have prompted some national data protection authorities to set up regulatory sandboxes to help companies achieve compliance in their data-driven products and services.
The U.K.’s data regulator, the Information Commissioner’s Office (ICO), formally launched its regulatory sandbox in 2018 to help companies develop data-driven products safely and in compliance with the EU’s General Data Protection Regulation (GDPR) and other privacy legislation. Norway’s data regulator launched its sandbox initiative last year to promote the development of ethical and responsible AI solutions, principally by start-ups and new firms. In February, France’s data authority solicited the first round of applications for a sandbox to promote data-led projects in the health care sector. The Norwegian and French programs aim to encourage “privacy-by-design” from the outset in the projects they greenlight.
According to Erlend Andreas Gjaere, CEO of Norwegian cloud services provider Secure Practice, being selected for Norway’s pilot program has several benefits. “Developing an employee profiling tool is a new area for us and it presents enormous legal risks if any part of the process we are developing is not GDPR compliant,” he said. “As a start-up company, using a law firm to advise us on how best to develop the product would be very expensive and would not likely give us the same level of assurance that we will get from the regulator that what we’re developing is legally safe.”
Engaging Effectively
While engagement and cooperation alone are not enough to avoid the risk of enforcement action, there are likely no downsides to closer engagement and meaningful dialogues with a regulator, according to Bill Dunkerley, director of the regulatory team at law firm Pannone Corporate. “Although regulators may be reluctant to provide confirmation to a business that it is operating in full compliance with the law, where a channel of communication exists between a business and its regulator, this will serve to help the regulator remain up-to-date with the organization’s activities, which in turn may help to identify—and therefore avoid—potential breaches before they occur,” he said.
For organizations that are subject to multiple regulatory regimes, Dunkerley noted that it is crucial to actively engage with officers in each of them. “Occasionally, specific regulators will undertake campaigns aimed at raising awareness of risks within specific sectors and it is useful for duty-holders to be aware of these campaigns and how they may impact their business, which in turn will help them to have constructive and meaningful conversations with their regulator,” he said.
In addition to sandboxes, there are several positive ways in which companies can interact with regulators. The first is to engage in any feedback processes. “Before making major decisions, regulators tend to write papers and invite market commentary,” said James Gray, managing director of business consultancy Graystone Strategy. “It is absolutely my experience that regulators take notice of expert commentary, and there are strong, structured arguments that an operator can put in place to inform the regulator.”
It also pays to look at how regulators in other jurisdictions have reacted to similar concerns—such as opening up a market to new entrants or checking whether operators are playing by the rules. This can help inform decisions about whether it makes commercial sense for the company to “play ball” before its rivals and adjust its practices in line with what the regulator wants, Gray said.
He added that it is important for companies to think practically. “Regulators tend to think in terms of outcomes, so a reasoned argument about the operational impact of those outcomes and the reality of mandating particular—and likely unrealistic—timelines to implement a new regulation should encourage them to make concessions,” he said.
Some experts believe that the relationship with regulators works better if companies are specific about what they may need. According to Nathaniel Lalone, partner in the financial markets team at law firm Katten Muchin Rosenman, there are three questions that companies should ask themselves before they consider approaching a regulator. “First, is what we’re planning to do novel and does it fall into a grey area where we might be pushing the envelope? Second, is the new product or service critical to us as a business—to the extent that, if a regulator kills it, our business is also killed? Third, is there significant legal uncertainty about what we are preparing to do? If the answer to any of these questions is ‘yes,’ then you should engage with the regulator before you go any further.”
Companies also need to be ready for tough questions. “The key point to remember is that you need to be open and transparent,” Lalone said. “The regulator already knows that you have concerns about the product or service you are thinking of going to market with, which means that it will also have legitimate concerns, so it’s best that you spell everything out in detail. Prepare for harsh and forensic questioning that requires specific details. Also be prepared to defend your position. Just because something is risky and new does not mean it is harmful to consumers or to other market participants. It could be that the regulator does not fully understand what you’re trying to do.”
Engaging with a regulator can depend on several factors, including the agency’s attitude, enforcement record and jurisdiction, said Gavin Reese, a partner and head of the liability team at law firm RPC. “In some countries, regulators can act very aggressively and hand out large punitive fines more readily than in other jurisdictions,” he added. “Such an approach would make it largely unthinkable for a company to consider discussing compliance queries with it in case it prompted regulatory scope creep.”
If the company has not conducted a risk assessment to inform the decision, seeking a regulator’s advice could prove problematic, agreed Jane Sarginson, barrister at law firm St Philips Chambers. “Talking through plans without any meaningful in-house risk assessment about the potential impact the product or service could have on consumers or clients is likely to raise the risk factor of the entire project in the eyes of the regulator,” she said. “It would show a lack of confidence over the company’s ability to identify and mitigate associated risks, as well as cast doubt over the organization’s ability to implement measures to comply with existing legislation. The possibility that a regulator would regard such a poor approach to risk management and compliance as an opportunity for an audit or further investigation could not be ruled out either.”
Notwithstanding potential risks, experts say that regulators do not need to be kept at arm’s-length and relationships should not be adversarial. Indeed, there is more to be gained if both sides are more open, consultative and collaborative. “The regulator is an extremely important stakeholder,” Gray said. “You should manage the relationship with it in the same way you manage your relationship with investors, key clients and the analyst community. Ongoing updates and discussions will put you in a better position to lobby than simply engaging when you want something or don’t want something. This need not be a full lobbying approach, but building positive professional relationships is crucial.”