The latest sweep, alongside the publication of the new Regulatory Framework, is likely to make all registered providers shift in their seats and look at their governance arrangements with a more critical eye.
So, what should you do if the Regulator comes knocking?
Identify your weaknesses
The key trends in Regulatory Judgements unsurprisingly read like a ‘what’s what’ of the new Regulatory Framework, but can assist us to identify the issues that are most likely to lead to a downgrade:
1. Value for money
In the latest raft of regulatory downgrades, eight RPs were downgraded (or maintained a ‘downgraded’ status) for breaching the value for money standard. This standard requires RPs to “deliver a comprehensive and strategic approach to achieving value for money in meeting their organisation’s objectives.” To achieve this, it is vital for organisations to assess their procurement processes and to constantly push their contractors to ensure they obtain best value and performance.
Most of the downgrades relate to a failure to provide adequate information on a value for money strategy. For more serious (but perhaps less ‘tangible’) breaches, this can often mean that the Regulator believes there are weaknesses in Board scrutiny.
2. Board skills
The Regulatory Framework emphasises the importance of RPs recruiting Board members with the skills to properly understand, assess and challenge its current and planned activities. For example, in one Regulatory Judgement the Regulator stated that the RP had not demonstrated that the skills of its Board were aligned with its activities (it had increased its development programme and had diversified into market sale; its Board consisted of 16 long-standing members, whose skills had been reviewed ‘infrequently’). Succession planning is also linked to this, and has been raised as a specific concern in other Regulatory Judgements.
A weak Board structure could manifest itself in a lack of proper attention to risk. One RP did not demonstrate that an appropriate ‘strategic planning and control framework’ was in place that identified and managed risks. In fact, this is a consistent thread in Regulatory Judgements leading to downgrades, i.e. that an RP has failed to consider risks, manage them, and have in place an appropriate risk control strategy.
The new Regulatory Framework requires RPs to “ensure that they have an appropriate, robust and prudent business planning, risk and control framework”. It expects RPs to have a considered framework in place to indicate the organisation’s overall appetite to risk, which should then be backed up by risk maps and stress testing.
3. Openness and Transparency
With its renewed commitment to ‘co-regulation’, transparency is near the top of the Regulator’s list when assessing the severity of potential breaches. For example, when downgrading one RP late last year, the Regulator stated that there was a real concern that it had failed to co-operate with its enquiries and review. In another, the Regulator stated that failure to disclose the breach of its financial covenants was an aggravating factor in its judgement, and was taken into account in the decision to downgrade it to a G4/V4 rating.
The Regulator has also been critical of RPs failing to communicate potential breaches of the Regulatory Framework. One Regulatory Judgement stated that: “Transparency and accountability is a key principle of the Regulatory Framework and is central to co-regulation. It is essential that providers run their businesses with a presumption of openness and co-operation with stakeholders, including the regulator.”
4. Reputation of the sector
One of the required outcomes of the new Regulatory Framework is for RPs to safeguard the reputation of the sector through their governance arrangements. This reputational concern is demonstrated in the Regulatory Judgements of two RPs, which were downgraded because their Boards had failed to demonstrate that they had assessed and exercised control over the risks associated with the early retirement/redundancy of their chief executives. In particular, the Boards had failed to challenge the proposed level of compensation, and (in one case) failed to consult its policies (which were out of date). The Regulator considered that the reputational risk of such high value ‘pay-offs’, and the Board’s failure to consider value for money or to act in the organisation’s best interests, showed a lack of effective management of risk.
Regulatory Judgements also commonly refer to a lack of assurance or information from RPs enabling the Regulator to make a full assessment. At the most extreme end of the scale, downgrades can result from an obvious lack in monitoring or access to information by the RP (as was the case with Cosmopolitan). Asset and liability registers are one solution to this put forward by the Regulator, and should be used as part of an organisation’s overall ‘risk and control strategy and framework’.
5. Breach of the Home Standard
The Regulator has published a number of high profile notices about breaches of the Home Standard. Such a breach will inevitably lead to the Regulator assessing an RP against the governance standard. Whether this actually leads to a downgrade may depend on whether the breach was disclosed (two RP Groups have been heavily criticised for failing to disclose a potential breach to the Regulator). It may also depend on the severity of the breach: one large RP is currently on the ‘gradings under review’ list following a regulatory notice published earlier this month, which outlined serious concerns raised by the local authority and tenants.
Know your Regulator
If the Regulator approaches you about a potential downgrade, you should establish the severity of its concerns to determine the appropriate action to take. The non-compliant ratings (G3/G4 for governance or V3/V4 for viability) are obviously of most concern, although it’s important to note that the lowest ratings of G4/V4 are only used in the most extreme circumstances of non-compliance. The Regulator’s guidance on its Regulatory Judgements states that “…a G4/V4 judgement indicates a failure of governance or viability to the extent that the [Regulator] is using its statutory powers to ensure the effective protection of public investment and tenants’ homes.”
The Regulator’s statutory intervention powers are extensive and include the ability for it to:
- impose a 30-day “moratorium” over an RP in financial difficulties to prevent creditors and security holders enforcing their rights against the RP;
- take over management of the RP;
- influence the governance of an RP in order to direct changes to the Executive Team and/or Board; or
- direct the RP to join another group that can support it, or to transfer some or all of its social housing assets to another RP.
The Regulator is generally reluctant to use these powers except in the most extreme cases. This is primarily because their use is almost always an “Event of Default” under facility agreements, and can therefore be harmful to the Regulator’s overall aim to protect social housing assets from being lost to the sector. These powers are also being reviewed to improve their effectiveness: for example, the 30-day moratorium period proved ineffective in providing the Regulator with any meaningful breathing space when it was dealing with the rescue of Cosmopolitan.
There is usually therefore an opportunity for an RP to engage with the Regulator to put in place appropriate measures to start to address the Regulator’s concerns. The Regulatory Framework itself states that the Regulator “will give careful consideration to any remedial strategies proposed by the provider, including any relevant voluntary undertakings, and seek to agree the way forward with the provider when it is prepared to resolve the presenting issues and the regulator concludes that it has the capacity, the capability and all the resources necessary to do so.”
If the Regulator isn’t willing to accept the usual assurances from the Board, then offering a voluntary undertaking (‘VU’) may offer the Regulator some reassurance. However, giving a VU is not a step to be taken lightly: the Regulator’s approach is considerably stricter following Cosmopolitan, when a number of VUs given to the Regulator by the Boards of the Cosmopolitan group were not honoured (by the time the Regulator appreciated this, the Cosmopolitan group was considered to be ‘beyond saving’). It now monitors organisations closely to ensure compliance with the VU and delivery of the agreed outcomes. It is also important to remember that a VU doesn’t actually prevent the Regulator from using its statutory powers (or issuing a downgrade), but non-compliance with it may lead to their use. RPs must therefore be careful not to promise anything that they cannot deliver, and should work with the Regulator to ensure that any VU is sensible, realistic and achievable.
We recommend that any VU follows the traditional ‘SMART’ model, namely that it is:
- Specific in its nature, so you know exactly what is expected of you
- Measurable, so that it is easy to tell when it has been satisfied
- Realistic, and therefore not overly-ambitious
- Timely, so that an appropriate timeframe is given for delivery
Whilst a VU is not a solution in itself, it will assist in an on-going dialogue with the Regulator and give you specific and achievable aims, particularly if offered on a ‘staged’ basis.
We are entering a new era of regulation in the sector. With the Regulator’s renewed vigour, now is an excellent time to step back and look at your governance arrangements with fresh eyes. Prevention is obviously better than cure, but there are options available to your organisation if you are approached by the Regulator about a potential downgrade.