Ethics and Governance

Michael Diviney and Níall Fitzgerald explore the ethical challenges arising from artificial intelligence (AI), particularly ‘narrow’ AI, and highlight the importance of ethics and professional competence in its deployment Earlier this year, artificial intelligence (AI) industry leaders, leading researchers and influencers signed a succinct statement and warning: “Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.” Was this a publicity stunt? Well, probably not, as the generative AI ChatGPT was already the fastest-adopted application in history.  Was this an over-the-top, alarmist statement by a group possibly trying to steal a march on self-regulation of a rapidly emerging technology and growing industry?  Again, this is unlikely if one considers the warnings of pioneer thinkers like Nick Bostrom, Max Tegmark, Stephen Hawking and Astronomer Royal Martin Rees. They concur that there is an existential threat to humankind if human-level or ‘general’ AI is developed and the ‘singularity’ is reached when AI surpasses human intelligence.  Autonomous weapons and targeting are a clear risk, but more broadly, unless we can ensure that the goals of a future superintelligence are aligned and remain aligned with our goals, we may be considered superfluous and dispensable by that superintelligence.  As well as the extinction threat, general AI presents other potential ethical challenges.  For example, if AI attains subjective consciousness and is capable of suffering, does it then acquire rights? Do we have the right to interfere with these, including the right to attempt to switch it off and end its digital life?  Will AI become a legal entity and have property rights? After all, much of our economy is owned by companies, another form of artificial ‘person’. Ethical challenges from ‘narrow’ AI Until general AI is here, however – and there is informed scepticism about its possibility – the AI tools currently in use are weak or ‘narrow’ AI. They are designed to perform a specific task or a group of related tasks and rely on algorithms to process data on which they have been trained.  Narrow AI presents various ethical challenges:  Unfairness arising from bias and opacity (e.g. AI used in the initial screening of job candidates include a gender bias based on historical data – in the past more men were hired); The right to privacy (AI trained with data without the consent of the data subjects); Threats to physical safety (e.g. self-driving vehicles); Intellectual property and moral rights, plagiarism and passing-off issues in the use of generative AI like ChatGPT and Bard; and Threats to human dignity from the hollowing out of work and loss of purpose. Regulation vs. ethics Such issues arising from the use of AI, particularly related to personal data, mean that regulation is inevitable.  We can see this, for example, with the EU’s landmark AI Act, due to apply by the end of 2025, which aims to regulate AI’s potential to cause harm and to hold companies accountable for how their systems are used. However, as Professor Pat Barker explained at a recent Consultative Committee of Accountancy Bodies (CCAB) webinar, until such laws are in place, and in the absence of clear rules, ethics are required for deciding on the right way to use AI.  Even when the regulation is in place, there are likely to be cases and dilemmas that it has not anticipated or about which it is unclear. Legal compliance should not be assumed to have all the ethical issues covered, and as AI is evolving so quickly, new ethical issues and choices will inevitably emerge.  Ethics involves the application of a decision-making framework to a dilemma or choice about the right thing to do. While such a framework or philosophy can reflect one’s values, it must also be objective, considered, universalisable and not just based on an instinctual response or what may be expedient. Established ethics frameworks include: the consequentialist or utilitarian approach – in the case of AI, does it maximise benefits for the greatest number of people?; and the deontological approach, which is based on first principles, such as the inalienable rights of the individual (an underlying philosophy of the EU’s AI Act). (The Institute’s Ethics Quick Reference Guide, found on the charteredaccountants.ie website, outlines five steps to prepare for ethical dilemmas and decision-making.)  A practical approach While such philosophical approaches are effective for questions like “Should we do this?” and “Is it good for society”, as Reid Blackman argues in Harvard Business Review, businesses and professionals may need a more practical approach, asking: “Given that we are going to [use AI], how can we do it without making ourselves vulnerable to ethical risks?”  Clear protocols, policies, due diligence and an emphasis on ethical risk management and mitigation are required, for example responsible AI clauses in agreements with suppliers. In this respect, accountants have an arguably competitive advantage in being members of a profession; they can access and apply an existing ethical framework, which is evolving and adapting as the technology, its opportunities and challenges change.  The Code of Ethics The International Ethics Standards Board for Accountants (IESBA) recently revised the Code of Ethics for Professional Accountants (Code) to reflect the impact of technology, including AI, on the profession. The Chartered Accountants Ireland Code of Ethics will ultimately reflect these revisions.  IESBA has identified the two types of AI likely to have the most impact on the ethical behaviour of accountants:  Assisted intelligence or robotic process automation (RPA) in which machines carry out tasks previously done by humans, who continue to make decisions; and  Augmented intelligence, which involves collaboration between human and machine in decision-making. The revisions also include guidance on how accountants might address the risks presented by AI to ethical behaviour and decision-making in performing their role and responsibilities.  Professional competence and due care The Code requires an accountant to ensure they have an appropriate level of understanding relevant to their role and responsibilities and the work they undertake. The revisions acknowledge that the accountant’s role is evolving and that many of the activities they undertake can be impacted by AI.  The degree of competency required in relation to AI will be commensurate with the extent of an accountant’s use of and/or reliance on it. While programming AI may be beyond the competency of many accountants, they have the skill set to:  identify and articulate the problem the AI is being used to solve;  understand the type, source and integrity of the data required; and assess the utility and reasonableness of the output.  This makes accountants well placed to advise on aspects of the use of AI. The Code provides some examples of risks and considerations to be managed by professional accountants using AI, including: The data available might not be sufficient for the effective use of the AI tool. The accountant needs to consider the appropriateness of the source data (e.g. relevance, completeness and integrity) and other inputs, such as the decisions and assumptions being used as inputs by the AI. This includes identifying any underlying bias so that it can be addressed in final decision-making. The AI might not be appropriate for the purpose for which the organisation intends to use it. Is it the right tool for the job and designed for that particular purpose? Are users of the AI tool authorised and trained in its correct use within the organisation’s control framework? (One chief technology officer has suggested not only considering the capabilities of the AI tool but also its limitations to be better aware of the risks of something going wrong or where its use may not be appropriate.) The accountant may not have the ability, or have access to an expert with that ability, to understand and explain the AI and its appropriate use.  If the AI has been appropriately tested and evaluated for the purpose intended. The controls relating to the source data and the AI’s design, implementation and use, including user access. So, how does the accountant apply their skills and expertise in this context?  It is expected that accountants will use many of the established skills for which the profession is known to assess the input and interpret the output of an AI tool, including interpersonal, communication and organisational skills, but also technical knowledge relevant to the activity they are performing, whether it is an accounting, tax, auditing, compliance, strategic or operational business decision that is being made.  Data and confidentiality According to the Code, when an accountant receives or acquires confidential information, their duty of confidentiality begins. AI requires data, usually lots of it, with which it is trained. It also requires decisions by individuals in relation to how the AI should work (programming), when it should be used, how its use should be controlled, etc.  The use of confidential information with AI presents several confidentiality challenges for accountants. The Code includes several considerations for accountants in this regard, including: Obtaining authorisation from the source (e.g. clients or customers) for the use of confidential information, whether anonymised or otherwise, for purposes other than those for which it was provided. This includes whether the information can be used for training AI tools.  Considering controls to safeguard confidentiality, including anonymising data, encryption and access controls, and security policies to protect against data leaks.  Ensuring controls are in place for the coding and updating of the AI used in the organisation. Outdated code, bugs and irregular updates to the software can pose a security risk. Reviewing the security certification of the AI tool and ensuring it is up to date can offer some comfort.  Many data breaches result from human error, e.g. inputting confidential information into an open-access web-based application is a confidentiality breach if that information is saved, stored and later used by that application. Staff need to be trained in the correct use and purpose of AI applications and the safeguarding of confidential information. Dealing with complexity The Code acknowledges that technology, including AI, can help manage complexity.  AI tools can be particularly useful for performing complex analysis or financial modelling to inform decision-making or alerting the accountant to any developments or changes that require a re-assessment of a situation. In doing so, vast amounts of data are collected and used by AI, and the ability to check and verify the integrity of the data introduces another level of complexity.  The Code makes frequent reference to “relevancy” in relation to the analysis of information, scenarios, variables, relationships, etc., and highlights the importance of ensuring that data is relevant to the problem or issue being addressed. IESBA was mindful, when revising the Code, that there are various conceivable ways AI tools can be designed and developed to use and interpret data.  For example, objectivity can be challenged when faced with the complexity of divergent views supported by data, making it difficult to come to a decision. AI can present additional complexity for accountants, but the considerations set out in the Code are useful reminders of the essential skills necessary to manage complexity. Changing how we work As well as its hugely beneficial applications in, for example, healthcare and science, AI is proving to be transformative as a source of business value.  With a range of significant new tools launched daily, from personal effectiveness to analysis and process optimisation, AI is changing how we work. These are powerful tools, but with power comes responsibility. For the professional accountant, certain skills will be brought to the fore, including adaptability, change and risk management, and leadership amidst rapidly evolving work practices and business models. Accountants are well placed to provide these skills and support the responsible and ethical use of AI.  Rather than fearing being replaced by AI, accountants can prepare to meet expectations to provide added value and be at the helm of using AI tools for finance, management, strategic decision-making and other opportunities. Michael Diviney is Executive Head of Thought Leadership at Chartered Accountants Ireland Níall Fitzgerald is Head of Ethics and Governance at Chartered Accountants Ireland

With the Central Bank of Ireland’s consultation on the Individual Accountability Framework drawing to a close later this month, Níall Fitzgerald reviews the scope and effectiveness of similar regimes already in place in other parts of the world Following the 2008 financial crisis, global governance and regulatory reforms in the financial services sector have had a significant impact on how financial institutions, such as banks, insurance companies and investment firms, are run.  The EU has been at the forefront of regulatory change in financial services in Ireland since the creation of the Banking Union, which includes the European Supervisory Mechanism, and significant regulatory developments from rule-setters such as the European Banking Authority.  The Central Bank of Ireland has also put in place governance requirements for all financial institutions and implemented fitness and probity standards. These have included regulations requiring minimum competencies for individuals working in certain roles and, in some cases, regulatory pre-approval before individuals can be appointed to certain management positions, such as – to name just a few – board director, head of compliance, head of internal audit and chief risk officer. The proposed Central Bank of Ireland Individual Accountability Framework (IAF) is an extension of the current suite of regulations and efforts to address cultural failings and ensure better governance, performance and accountability among financial services firms.  The IAF is not the first of its kind, however, and while it has some unique features, it also shares similarities with regimes of this nature operating in other parts of the world.  UK: Senior Managers and Certification Regime The UK introduced the Senior Managers and Certification Regime (SM&CR) in 2016. Following a three-phase roll-out over three years, the SM&CR now applies to banks, insurance companies and a large portion of the remaining regulated financial services firms in the UK. This regime introduced: Prescribed responsibilities for certain roles; Requirements for firms to follow when allocating those roles to individuals, including: applying a certification process (up to obtaining pre-approval from the Regulator for an appointment to a role); and  the introduction of individual conduct rules. Hong Kong: Manager-in-Charge Regime In Hong Kong, The Securities and Futures Commission introduced the Manager-in-Charge (MIC) Regime for licensed corporations in 2017.  The regime did not bring in any new sanctions and was implemented by way of circular, rather than legislation, but it provided the regulator with additional powers of enforcement and the ability to hold individuals to account. A key objective of the MIC regime is to enable Hong Kong’s Securities and Futures Commission to assess culture within the licensed organisation.  The regulator attributes non-compliance with elements of the regime – e.g. failure to assess whether individuals have discharged their responsibilities appropriately, as evidence of cultural failings. Australia: Banking Executive Accountability Regime  Australia’s Banking Executive Accountability Regime (BEAR) came into effect in 2018, applying to the directors of, and the most senior and influential executives within, banks and authorised deposit-taking institutions (ADIs). The regime introduced prescribed responsibilities for certain roles, an accountability framework, and a list of accountability obligations, which look a lot like conduct rules.  The regime also introduced a requirement for relevant firms to defer a portion of the variable remuneration of any person found to be non-compliant with the regime until an investigation concludes, whether or not any or all of the remuneration is subject to clawback.  Singapore: Individual Accountability and Conduct Guidelines  The Individual Accountability and Conduct (IAC) Guidelines were introduced in Singapore in 2021. Like the MIC regime in Hong Kong, Singapore’s IAC Guidelines are not supported by underlying legislation and are described as “best practice standards”.  The level of adherence to IAC Guidelines among the financial institutions will impact the Monetary Authority of Singapore’s overall risk assessment of the relevant organisation or individual.  These guidelines focus on embedding a strong culture of responsibility and ethical behaviour by ensuring individual accountability and a supportive governance framework within regulated organisations.  Prevention is better than cure While there are similarities between the accountability regimes outlined above, none is the same.  The instances of enforcement action taken under these regimes are very low and, if prevention is better than cure, this may be a good measure of success.  Just one enforcement action was taken against an individual for non-compliance during the first four years of the UK’s SM&CR, for example. Following a review of Australia’s Banking Executive Accountability Regime, and amid public criticism citing the lack of enforcement action, the Australian government is currently proposing the wider reaching Financial Accountability Regime (FAR).  The FAR contains additional requirements and extends the regime beyond banks to other financial service providers regulated by the Australian Prudential Regulation Authority.  Elsewhere, the United Arab Emirates does not have a specific accountability regime. However, its laws and regulations, which pre-date 2016, give financial services regulators enforcement powers to hold individuals to account and apply sanctions.  Looking at just one member of the United Arab Emirates, Dubai, the Dubai Financial Services Authority has taken enforcement action against 32 individuals since 2016. The majority of these cases have related to individuals providing investment services.  Perhaps it is still too early to reliably judge the effectiveness of these various models of individual accountability regimes.  Sometimes, there is a benefit in not being first past the post in introducing a regime of this nature and being able to stand back and learn from global experiences.  With our Individual Accountability Framework, Ireland is building on a solid foundation of banking regulations and governance requirements. The IAF is only one of many regulatory changes impacting financial services providers. Other requirements on the way include the EU’s Digital Operational Resilience Act (DORA) and the inevitable evolution of governance codes, and other regulations, addressing sustainability and other emerging risks.  World-class standards are laudable, but their true outcome is only evident when we have a high level of public trust and a financial services sector that is efficient and competitive, driving a better future for society and a prosperous economy. Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland Impact of individual accountability on organisational culture Chartered Accountants Ireland welcomes the timely publication by the Central Bank of Ireland (CBI) of the Individual Accountability Framework (IAF) draft regulations and guidance, and the certainty of action required for Irish financial services firms, writes Níall Fitzgerald.  The framework contains measures, including conduct standards and prescribed responsibilities, designed to enhance customer-focused cultures and embed responsibility and ethical behaviour across financial services in Ireland.  While it promotes the necessity for cultural change, the CBI agrees that more is required to achieve this. Insights from the introduction of similar measures in other jurisdictions show that an individual accountability regime better impacts on organisational culture when supported by: Promoting individual accountability but emphasising collective decision-making Being accountable as individuals for actions and behaviour is not new. Professionals are accountable to codes of ethics. There are also many laws and regulations that hold individuals accountable for their roles in an organisation, such as fiduciary duties of directors. However, many organisations thrive on collaboration, teamwork and diversity, which improve collective decision-making. Individual accountability is not designed to override this, and emphasising other positive behaviours, such as these, supports the objectives of the IAF. Promoting a ‘just culture’ and avoiding a ‘blame culture’ A blame culture focuses on identifying culprit/s, penalising them, and moving forward on the assumption that the same issue/s won’t happen again, because an example has been set.  A just culture acknowledges that mistakes and underperformance can occur, but that both are better addressed by reflecting on what went wrong and focusing on what can be learned to improve future outcomes.  Individual accountability exists in both scenarios, but the latter will have a more positive impact amongst the workforce, helping to achieve the objectives of the IAF. Promoting trust and integrity Certain informal reactions to a regime such as the Individual Accountability Framework can undermine its objectives. In some jurisdictions individuals with prescribed responsibilities prepare personal compliance files, for example, privately maintained outside of the firm’s documentation system.  A ‘cover your actions’ (CYA) approach has developed in these jurisdictions, whereby there is a tendency to give advice formally (e.g. in writing), which would differ if given informally (e.g. verbally).  Notwithstanding the risk of breaching privacy and confidentiality rules, these informal practices are indicative of low levels of trust and integrity within a firm.  Embedding a culture of psychological safety can deter this risk and foster greater trust within the organisation.

A mainstay of Ireland’s financial services landscape for over 60 years, our credit unions are entering an exciting phase with recent developments presenting new opportunities to adapt and change Credit unions are an important part of the financial services landscape. With offices a common feature of cities, towns and villages throughout Ireland, they play a key role in the day-to-day finances of many Irish people and communities. There are more than 3.6 million credit union members on the island of Ireland.  A history of credit unions Credit unions were first established in Ireland in the late 1950s and quickly became a repository for savings and a source of loans for many people. The total value of loans extended by credit unions in the Republic of Ireland is currently around €5 billion, with total savings coming to about €16 billion.  Average sector total reserves, as a percentage of total assets, is approximately 16 percent, which serves to underpin the confidence of their members, particularly in times of uncertainty and disruptive change. These institutions are not-for-profit financial co-operatives. They are owned and controlled by their members and therefore have a different business model to retail banks. Each credit union is independent, with its own board of directors, charged with overall responsibility for running the credit union.  Because they are part of the financial services sector, credit unions are governed by legislation in Ireland, principally the Credit Union Act 1997, as amended, and regulated by the Central Bank.  Significant amendments to the 1997 Act were introduced by the Credit Union and Co-operation with Overseas Regulators Act 2012, and this is the legislative regime under which credit unions currently operate. The credit union sector has been relatively stable in terms of any legislative or government policy changes. However, two recent developments, the Credit Union (Amendment) Bill 2022 and the Retail Banking Review (November 2022), present new opportunities for credit unions to adapt and change their business models and enhance their product and service offerings to members. The Credit Union (Amendment) Bill 2022 The first major legislative change for credit unions since the 2012 Act, the Credit Union (Amendment) Bill 2022 (the Bill) was published on 30 November 2022 following over two years of stakeholder engagement, with over 100 proposals considered. Highly technical and not an easy read, the Bill is currently before the Dáil, where proposals for amendments will be considered.  There is no fixed timeline for enactment and, post-enactment, commencement of sections may occur in phases, with the Central Bank of Ireland having to amend regulations to accommodate the new provisions.  The main provisions of the Bill involve: the establishment of ‘corporate credit unions’; amending the requirements and qualifications for membership of credit unions; altering the scope of permitted investments by credit unions; changes to the governance of credit unions; maximum interest rates on loans by credit unions; provision of services by credit unions to members of other credit unions; and participation by credit unions in loans to members of other credit unions. Collaboration between credit unions The introduction of ‘corporate credit unions’ should support greater collaboration between credit unions, facilitating a pooling of resources and greater access to funding.  A new form of regulated entity, their membership would be restricted to other credit unions, with lending allowed only to those members. Further collaboration is envisaged with a provision in the Bill allowing all credit unions to refer members to other credit unions to avail of a service that the original credit union does not provide.  While such referral is not mandatory, it is a new option for making additional services available to members—for example, a current account facility where the original credit union may be reluctant to provide this service to all members based on cost or other reasons.  Another provision enabling collaboration allows a credit union to participate in a loan to a member of another credit union. This will facilitate risk sharing associated with the loan and will make it easier for an individual credit union to offer larger loans to its members.  Regarding lending to businesses, and other organisations or associations, there is a further key provision in the Bill for “bodies” (incorporated or unincorporated) to be allowed join a credit union with the same rights and obligations as a “natural person” (member).  This is, however, subject to conditions that a majority of the members of the body would be eligible to join the credit union and the body meets the common bond requirement. Ultimately, this will make it easier for credit unions to lend to such bodies and is principally focused on SMEs. While none of these changes are mandatory, they do provide new options and opportunities for credit unions. Governance changes Regarding changes in governance, two provisions stand out: the option to appoint the manager (chief executive officer) of the credit union to the board; and  reduction of the minimum number of board meetings per year to six, down from the current 10.   The extent to which these changes will be adopted remains to be seen, as many credit union boards may be content with the existing practice.   Where a credit union decides to include its manager as a board member, the Bill proposes that this will be done by their direct appointment to the board and not by election at a general meeting of members.  The term can be for any length but cannot extend beyond the individual’s term as manager.  One restriction on the manager as a board member is that they cannot sit on the nomination committee of the credit union, the membership of which is restricted to board members who have been co-opted or elected at general meetings.  Similarly, regarding the frequency of board meetings, the board may be reluctant to change the current practice of having at least one meeting per month, concluding that it cannot adequately carry out its responsibilities with only six board meetings.  Because of the voluntary ethos of credit unions, the historically close involvement of board members with the credit union, and the relatively onerous responsibilities of boards, it may take some time before six board meetings is considered the norm. Other governance changes proposed by the 2022 Bill include reducing the number of board oversight committee meetings, removing the requirement for the board oversight committee to sign the audited annual accounts, and extending from annually to every three years the review of specific policies by the board. The Credit Union (Amendment) Bill 2022 includes substantive policy change in the areas of collaboration, members’ services, and governance. It seeks to give more power to credit unions to determine strategy and, when enacted, will require consequential changes to Central Bank regulations.  To fully exploit the options and opportunities enabled by its provisions will require significant work by the sector. The Retail Banking Review 2022 In November 2022, following its approval by Government, Minister for Finance, Paschal Donohoe, and Minister of State for Financial Services, Credit Unions and Insurance, Sean Fleming, published the report of the Retail Banking Review (the Review).  Driven by the departure of two major banks, Ulster Bank and KBC, this is a broad-ranging review of the retail banking sector in Ireland, including the credit union sector.  In relation to credit unions, the Review states: “Credit unions have a strong and trusted brand, they are present in communities throughout the country, and have been developing their product offering. The credit unions are already a significant player in consumer credit, and they are making inroads in the current account, mortgages and SME segments of the market. These developments, coupled with their collectively strong levels of capital and deposit bases, leads the Review Team to believe that credit unions could play a greater role in the provision of retail banking products and services in the coming years.” Referencing the Credit Union (Amendment) Bill 2022, the Review recommends that the credit union sector develop a strategic plan to deliver business model changes that would enable it to sustainably provide a universal product offering to all credit union members. Provided directly or on a referral basis, this would continue to be community-based. The Review suggests that such a strategic plan should show how credit unions can: viably scale their business model in key product areas such as mortgages and SME lending; invest in expertise, systems, controls, and processes to deliver standard products and services across all credit unions, while managing any risks arising and continuing to protect members’ savings; provide the option of in-branch services for members of all credit unions. Both the Bill and the Review point to new opportunities for credit unions and demonstrate confidence in their future as part of the Irish financial services sector. For these opportunities to be successfully managed, however, credit unions must continue to maintain high levels of governance so that legislators, the Central Bank, their members, and the wider community can have confidence in the sector.  Credit unions have done much for many people in Ireland for more than 60 years. These developments in legislation and government policy point to their continued and increasing relevance in the years ahead. Gene Boyd, FCA, is a risk management consultant and author of The Governance of Credit Unions in Ireland

The roadmap for the EU Commission’s milestone Corporate Sustainability Reporting Directive is taking shape and now is the time to start preparing for a brave new era in non-financial reporting, writes Conor Holland With the Corporate Sustainability Reporting Directive (CSRD) now approved by the European Council, entities in the EU must begin to invest significant time and resources in preparing for the advent of a new era in non-financial reporting, which places the public disclosure of environmental, social affairs and governance matters (ESG) matters on a par with financial information. Under the CSRD, entities will have to disclose much more sustainability-related information about their business models, strategy and supply chains than they have to date. They will also need to report ESG information in a standardised format that can be assured by an independent third party. For those charged with governance, the CSRD will bring further augmented requirements. Audit committees will need to oversee new reporting processes and monitor the effectiveness of systems and controls setup. They will also have enhanced responsibilities. Along with monitoring an entity’s ESG reporting process, and evaluating the integrity of the sustainability information reported by that entity, audit committees will need to: Monitor the effectiveness of the entity’s internal quality control and risk management systems and internal audit functions; Monitor the assurance of annual and consolidated sustainability reporting; Inform the entity’s administrative or supervisory body of the outcome of the assurance of sustainability reporting; and Review and monitor the independence of the assurance provider. The CSRD stipulates the requirement for limited assurance over the reported information. However, it also includes the option for assurance requirements to evolve to reasonable assurance at a later stage. The EU estimates that 49,000 companies across the EU will fall under the requirements of the new CSRD Directive, compared to the 11,600 companies that currently have reporting obligations. The EU has confirmed that the implementation of the CSRD will take place in three stages: 1 January 2024 for companies already subject to the non-financial reporting directive (reporting in 2025 for the financial year 2024); 1 January 2025 for large companies that are not presently subject to the non-financial reporting directive (reporting in 2026 for the financial year 2025); 1 January 2026 for listed SMEs, small and non-complex credit institutions, and captive insurance undertakings (reporting in 2027 for the financial year 2026). A large undertaking is defined as an entity that exceeds at least two of the following criteria: A net turnover of €40 million A balance sheet total of €20 million 250 employees on average over the financial year The final text of the CSRD has also set timelines for when the Commission should adopt further delegated acts on reporting standards, with 30 June 2023 set as the date by which the Commission should adopt delegated acts specifying the information that undertakings will be required to report. European Financial Reporting Advisory Group In tandem, the European Financial Reporting Advisory Group (EFRAG) is working on a first set of draft sustainability reporting standards (ESRS). These draft standards will be ready for consideration by the Commission once the Parliament and Council have agreed a legislative text. The current draft standards provide an outline as to the depth and breadth of what entities will be required to report. Significantly, the ESRS should be considered as analogous to accountancy standards—with detailed disclosure requirements (qualitative and quantitative), a conceptual framework and associated application guidance. Readers should take note—the ESRS are much more than a handful of metrics supplementary to the financial statements. They represent a step change in what corporate reporting entails, moving non-financial information toward an equilibrium with financial information. Moreover, the reporting boundaries would be based on financial statements but expanded significantly for the upstream and downstream value chain, meaning an entity would need to capture material sustainability matters that are connected to the entity by its direct or indirect business relationships, regardless of its level of control over them. While the standards and associated requirements are now largely finalised, in early November 2022, EFRAG published a revised iteration to the draft ESRS, introducing certain changes to the original draft standards. While the broad requirements and content remain largely the same, some notable changes include: Structure of the reporting areas has been aligned with TCFD (Task Force on Climate-Related Financial Disclosures) and ISSB (International Sustainability Standards Board) standards – specifically, the ESRS will be tailored around “governance”, “strategy”, “management of impacts, risks and opportunities”, and “metrics and targets”. Definition of financial materiality is now more closely aligned to ISSB standards. Impact materiality is more commensurate with the GRI (Global Reporting Initiative) definition of impact materiality. Time horizons are now just a recommendation; entities may deviate and would disclose their entity-specific time horizons used. Incorporation of one governance standard into the cross-cutting standard requirements on the reporting area of governance. Slight reduction in the number of data points required within the disclosure requirements. ESRS and international standards By adopting double materiality principles, the proposed ESRS consider a wider range of stakeholders than IFRS® Sustainability Disclosure Standards or the US Securities and Exchange Commission (SEC) published proposal. Instead, they aim to meet public policy objectives as well as meeting the needs of capital markets. It is the ISSB’s aim to create a global baseline for sustainability reporting standards that allows local standard setters to add additional requirements (building blocks), rather than face a coexistence of multiple separate frameworks. The CSRD requires EFRAG to take account of global standard-setting initiatives to the greatest extent possible. In this regard, EFRAG has published a comparison with the ISSB’s proposals and committed to joining an ISSB working group to drive global alignment. However, in the short term, entities and investors may potentially have to deal with three sets of sustainability reporting standards in setting up their reporting processes, controls, and governance. Key differences The proposed ESRS list detailed disclosure requirements for all ESG topics. The proposed IFRS Sustainability Disclosure Standards would also require disclosure in relation to all relevant ESG topics, but the ISSB has to date only prepared a detailed exposure draft on climate, asking preparers to consider general requirements and other sources of information to report on other sustainability topics. The SEC focused on climate in its recent proposal. The proposed ESRS are more prescriptive, and the number of disclosure requirements significantly exceeds those in the proposed IFRS Sustainability Disclosure Standards. Whereas the proposed IFRS Sustainability Disclosure Standards are intended to focus on the information needs of capital markets, ESRS also aim to address the policy objectives of the EU by addressing wider stakeholder needs. Given the significance of the directive—and the remaining time to get ready for it—entities should now start preparing for its implementation. It is important that entities develop plans to understand the full extent of the CSRD requirements, and the implications for their reporting infrastructure. As such, they should take some immediate steps to prepare, and consider: Performing a gap analysis—i.e. what the entity reports today, contrasted with what will be required under the CSRD. This is a useful exercise to inform entities on where resources should be directed, including how management identify sustainability-related information, and what KPIs they will be required to report on. Undertaking a ‘double materiality’ analysis to identify what topics would be considered material from an impact and financial perspective—as required under the CSRD. Get ‘assurance ready’—entities will need to be comfortable that processes and controls exist to support ESG information, and that the information can ultimately be assured. The Corporate Sustainability Reporting Directive represents a fundamental change in the nature of corporate reporting—the time to act is now and the first deadline is closing in.

Companies preparing for the commencement of the Protected Disclosures (Amendment) Act 2022 in the New Year will need to overhaul whistleblowing policies and processes, but the effort will bring clear benefits, writes Gráinne Madden Encouraging people in an organisation to speak up about their concerns should be a no-brainer. Why would an organisation not want to know about a potential risk? Why would an organisation want an employee to feel the need to go to an external body, such as a regulator or the media, to highlight internal problems? International research repeatedly reinforces that there are two main reasons why people fail to speak up about their suspicions of wrongdoing. First, there is the fear of retaliation. Current Irish and UK law is seeking to address this by offering protection. The second reason people fail to speak up about their suspicions of wrongdoing in an organisation is fear of futility. This is the fear that nothing will be done, even if they do speak up—and this is why having clear policies and processes in place is so important.  The absence of a whistleblowing policy and process in an organisation will certainly send the message that the organisation does not really want to hear about any problematic issues that may exist or arise.  As it stands, in Ireland and the UK, workers are entitled to legal protection against dismissal, or other reprisal from their employer or colleagues, when disclosing concerns about certain issues. Until now, however—except in certain sector-specific areas—most organisations have not been required to put a whistleblowing policy or procedures in place, or to follow up on such disclosures.  The EU Whistleblowing Directive will, however, bring major changes to which organisations operating in EU jurisdictions must now respond. In Ireland, the Protected Disclosures (Amendment) Act 2022 will commence on 1 January 2023, giving effect to the EU Directive. New requirements for organisations There are several key additional requirements that will apply to organisations under the new Act, which are considered below. Employee thresholds For workplaces with more than 50 employees, there will be a requirement to have formal channels and procedures for receiving and, crucially, following up on disclosures. Workplaces with between 50 and 249 employees have until December 2023 to comply, and 250-plus employee workplaces must comply at commencement.  However, all organisations operating in certain sectors will be required to comply at commencement, even those employing fewer than 50 people. This includes:  public bodies; companies subject to EU laws in the areas of financial services, prevention of money-laundering and terrorist financing; transport safety; and protection of the environment (offshore oil and gas installations and operations only). The 2022 Act states that the Minister for Public Expenditure and Reform may, by order, reduce the threshold of 50 employees for specified classes of employers, subject to a risk assessment and public consultation.  Change of definitions and burden of proof Under the new Act, the scope of protected persons will be extended to include non-executive members, shareholders, volunteers, and ‘pre-contractual’ employees, such as candidates applying for a job during the recruitment process before the work-based relationship even begins. Further, retaliation will be more broadly defined. In respect of alleged detriment (be it an act or omission) caused to a person because of the making of a protected disclosure, the employer will have to prove that the detriment complained of was not in retaliation for, or because of, the person having made a protected disclosure.  Administration and staff Confidentiality regarding whistleblowing must be respected by all reporting systems and access to data by non-authorised staff prevented. For staff who are authorised, appropriate training must be given in respect of the handling of reports. Finally, records must be kept of all reports, as well as ensuring follow-up and feedback regarding these reports within certain timeframes.  Blending culture with policy The required process management will mean that many organisations will need to implement issue management systems. Simply having a policy and process in place isn’t, however, going to be an encouragement for nervous employees. Creating a culture in which people feel safe in speaking up—and feel that their concerns are welcomed—is far more important.  So, in addition to having a sound policy and process in place, what other steps should employers consider? Here are seven recommendations: Train managers and team leads to recognise when an issue could be a protected disclosure and, most importantly, to receive reports of potential issues in a calm and welcoming way. Word can spread very quickly about managers not being open to bad news. Think about how whistleblowing is discussed in the organisation and consider whether it is healthy or whether the narrative needs to be changed. Any pejorative language in connection with whistleblowing or speaking up needs to be identified and stamped out. The focus must be on recognising that people who bring risks to our attention are doing the organisation a great favour. It is worth highlighting that research demonstrates that the people who blow the whistle tend to be the most loyal employees who care greatly about the organisation. Ensure that the confidentiality regime is well- communicated and respected so that employees can be confident their identity will not become known if they disclose an issue. Do not become complacent if the whistleblowing policy is not used—rather than indicating a spotless organisation, it could be signalling a poor work culture where people either fear speaking up or just don’t care enough to bother. Remove any ‘good faith’ requirement from policies. The focus should be on the issue reported, not the motivation of the person reporting. Furthermore, there is no ‘good faith’ obligation under Irish or UK law or the directive. Make sure that penalisation is not tolerated. State this clearly in the whistleblowing and speaking-up policy, making sure there are clearly defined processes for reporting claims of penalisation and for following up on claims of penalisation. Provide feedback to a discloser on any action taken in response to their disclosure. The ability to do this will depend on the nature of the issue and the rights to confidentiality of other parties. At the very least, a discloser should be reassured that their concerns have been dealt with appropriately. It is likely that most organisations will need to overhaul their whistleblowing policies and processes in response to the Protected Disclosures (Amendment) Act 2022. The requirements may seem daunting, but help and advice on good practice is available. The benefits are clear, not just in terms of risk management and protection of brand and reputation, but also for the common good.

Chartered Accountant Eamonn Hughes is playing a leading role in Bank of Ireland’s Responsible and Sustainable Business Strategy. Hughes tells Accountancy Ireland about the four-year plan and his goals as Chief Sustainability and Investor Relations Officer  Before joining Bank of Ireland Group in February as Chief Sustainability and Investor Relations Officer, Chartered Accountant Eamonn Hughes had a longstanding career as a sell-side market analyst with more than 25 years’ experience in capital markets and domestic banking.  Having worked most recently with Goodbody, the stockbroking firm, as Irish Banks and Insurance Sector Analyst and, before that, Head of Research, Hughes also had a clear view of the swift rise in environmental, social and governance (ESG) to the top of the financial agenda worldwide. “I could see that ESG was becoming hugely important in capital markets and the financial sector. The climate crisis, in particular, is a critical threat, but also a significant opportunity,” said Hughes. “For our planet, there is no Plan B, but the discussion about sustainability is not just about climate change. It is also about creating a more sustainable business model. Our vision at Bank of Ireland is to be the national champion in Ireland, to use our balance sheet and resources to drive positive change for a better, fairer society and improve the environment. “This gives me a very strong framework to think about my role, because, if we can deliver on our ESG strategy, we can ultimately deliver a more sustainable business model for all stakeholders and positive returns for investors. “The ESG agenda also involves regulators, so disclosure and risk management are very important—and there are reporting frameworks in place, but they are evolving very quickly. This is one of the challenges we face and is also why transparency and the availability of clear data is so important.  “With my background in capital markets, I can clearly see the mobilisation in capital, and I think the banking sector has a very obvious supporting role to play in society’s sustainability transition.” Investing in tomorrow Bank of Ireland published its Responsible and Sustainable Business Strategy in March 2021, a year before Hughes joined the group.  Bank of Ireland’s four-year Investing in Tomorrow strategy set out its own goals to support the green transition, alongside two additional pillars: enabling colleagues to thrive; and enhancing customers’ financial wellbeing. The Investing in Tomorrow green transition pillar included the setting of science-based targets aligning the bank’s lending portfolios with the Paris Agreement. The international treaty on climate change, adopted in 2015 at COP 21, set out a goal to limit global warming to 1.5 degrees Celsius, compared to pre-industrial levels. “Data is key across all three pillars, because reporting is essentially an output of what we are doing in support of climate change, colleagues, customers and the organisation as a whole,” said Hughes. “We need to focus on how we interact with our stakeholders internally and externally and, in my role, investors are obviously a key priority. As investors now have to produce more disclosures themselves, they will need to engage more with us in terms of what we are doing on our own ESG journey.” Clear reporting strategy How Bank of Ireland communicates with, and reports to, stakeholders on the progress of its ESG strategy is a priority for Hughes in his role as Chief Sustainability and Investor Relations Officer. “Ultimately, we need to explain how we are meeting the targets set out in our strategy, and it is incumbent upon us to develop the capacity and skill sets we need to support reporting and strategy delivery,” he said. “My role is to support in delivering across all three pillars, which involves a lot of data-gathering internally, particularly from a regulatory and reporting perspective.” Detailed progress reports on ESG will now be a core part of Bank of Ireland’s annual reporting cycle. “We need to be able to demonstrate clearly that we are creating a sustainable business strategy, enabling colleagues to thrive in the organisation and enhancing financial well-being among customers, in addition to supporting the sustainable transition,” said Hughes. “Transparency is hugely important. There are a lot of differentials in this space, so we need to standardise our reporting; to be able to explain clearly and cohesively what we are doing and why.” Commercialisation is becoming increasingly important as Bank of Ireland continues to implement Investing in Tomorrow, Hughes said. “Like many banks, we are in the commercialisation phase of our ESG strategy with the creation of sustainable finance solutions for, and increasing engagement with, customers. We are supporting and incentivising customers through competitive rates to buy or build an energy efficient home or to retrofit their home or business to make it more energy efficient.” Sustainable finance fund Bank of Ireland recently announced a €3 billion increase in its Sustainable Finance Fund, which will bring it to €5 billion by 2024. The fund covers green propositions, including mortgages, home improvement loans and business  loans.  Bank of Ireland’s inaugural standalone Responsible and Sustainable Business Report, published in June, tracked the progress of its ESG strategy in 2021. More than €1.8 billion in mortgages, home improvement loans and business loans had been drawn down from the Sustainable Finance Fund by the end of the year, the report stated. Thirty-five percent of all mortgages provided by the bank in 2021 were green, rising to 48 percent in the first half of 2022.  Bank of Ireland was also the largest provider of wholesale finance for electric vehicles in 2021, providing finance to 13 of the 15 car manufacturer franchises. The publication of the Responsible and Sustainable Business Report marked a significant “step-change in the tracking and transparency” of the bank’s ESG reporting, Hughes noted.  “Our stakeholders—including customers, shareholders, and regulators—are demanding far greater transparency as to how we are meeting our ESG commitments,” he said. “This report provides insight into our strategic approach, appraisal of our progress to achieve our purpose, and information on the key focus areas we plan to progress in the years ahead. Being clear on ESG, and showing how you are delivering what you sign up to, is now a commercial imperative for all lenders, including Bank of Ireland.” Science-based targets Bank of Ireland has also committed to setting science-based targets across portfolios and operations to align lending practice with the low carbon ambitions set out in the Paris Agreement. “We completed two successful green bond issuances in 2021, raising €1.25 billion with the capital used to finance green buildings, renewable energy projects and clean transportation,” said Hughes. “Thirty-five per cent of the mortgages we provided in 2021 were green and we have also launched a green mortgage product in the UK.” Bank of Ireland is providing finance for the development of at least 750 megawatts of renewable wind capacity across the island of Ireland. The bank is also in the process of decarbonising its own operations—reducing absolute emissions by 88 percent between 2011 and 2021. Social and governance Although supporting the green agenda is a major part of Investing in Tomorrow, the strategy also sets goals for investing in colleagues and enhancing customers’ financial wellbeing. “We recognise the supporting role we can play in Ireland’s response to the climate crisis, but the ‘S’ and ‘G’ are equally important when we consider ESG,” Hughes said. “We have a strategy to improve the financial wellbeing of our customers and to foster a financially inclusive society.” Bank of Ireland was, Hughes said, supporting customers to become more financially confident, while also working to simplify processes, so that the “financially marginalised have easier access to banking services.” Financial health and inclusion  Bank of Ireland is one of 28 banks around the world that have signed the Commitment to Financial Health and Inclusion published in December 2021 under the United Nations Principles for Responsible Banking (PRB). A first-of-its-kind initiative aimed at promoting universal financial inclusion and health in the banking sector, its launch closely followed the publication of the UN’s PRB Collective Progress Report. The report identified financial inclusion as the third most pressing sustainability challenge facing signatory banks, behind climate mitigation and adaptation. “This UN initiative is particularly important in an environment in which we have a cost-of-living crisis and customers are facing major challenges in the medium- to long-term. The question for us is, ‘how can we deliver this particular skill set and support our customers at a time when they really need it?’” said Hughes. Bank of Ireland is also helping customers to “live more sustainably” with the recent announcement of the roll out of bio-sourced debit and credit cards. Launched in October, the initiative will over time replace all plastic debit and credit cards issued by the bank, to help support the reduction of single-use plastic. “If we are to live in a more sustainable way, we need to do things differently, including through our everyday banking. The introduction of bio-sourced cards is a very practical way we can help our customers to reduce their environmental footprint,” Hughes said. “As a bank, we are working very closely with our customers on the sustainability transition. As they deliver, we deliver. It is a symbiotic relationship and an exciting place to be.”