by Barnabas Reynolds and Reena Agrawal Sahni, Shearman & Sterling LLP
Introduction: The new individual accountability rules in the U.K. differ from the U.S., but there are areas with similarities.
There has been much debate among regulators and in the general public about whether there should have been more enforcement action against executives and other individuals in banks for misconduct in the events leading up to the 2008 financial crisis and after. The U.K. government has taken several actions against banks and companies for their corporate misconduct and involvement in market manipulation scandals of recent years. However, regulators have found it difficult to hold individuals accountable for being involved in the same misconduct, particularly individuals in management roles. Complex organizational structures of large banks and investment firms that are important for running global businesses efficiently are viewed as contributing to the problem.
New U.K. Regulations
Regulators are starting to address this issue by changing the rules around individual accountability. The United Kingdom is reforming its approach to supervising and taking enforcement action against individuals in senior management positions and individuals who are employed in positions where they could pose a risk of significant harm to the firm or any of its clients (we’ll call them certified personnel). For regulatory purposes, senior managers include not only directors but also chief executives, heads of key business lines, and certain high-ranking compliance and risk management personnel. From March 7, 2016, banks, certain large investment firms, building societies, and credit unions established in the United Kingdom, including U.K. subsidiaries of overseas firms (referred to here collectively as SMR firms) and U.K. branches of third-country or European Economic Area (EEA) SMR firms (known as incoming branches), will be subject to a new Senior Manager and Certification Regime (SM&CR).
The Liability Standard
In the past, U.K. managers were allowed to define their own roles. Any personal liability would have been based on a legal standard of causation. The SM&CR rules aim to clarify areas of responsibility and therefore accountability. They require the allocation of certain prescribed responsibilities to senior managers and the production of Statements of Responsibility for those managers. SMR firms and incoming branches will need to create and manage processes that are effective absent deliberate wrongdoing on the part of a team member, and that minimize the risk and effects of any such wrongdoing. Most notably, the regime, as originally framed, introduced a “presumption of responsibility” for senior managers that effectively reversed the burden of proof by holding senior managers in a particular function responsible for a firm’s regulatory breaches. Senior managers would have been required to rebut the presumption that they were responsible for breaches by demonstrating that they took reasonable steps to prevent them from occurring or continuing.
Such a rule is not without precedent. A similar presumption of responsibility mechanism already exists in Germany, where enforcement actions have successfully been taken against executives in particular positions of importance. However, one of the key concerns about the U.K. presumption of responsibility was that it would deter certain individuals from performing senior management roles and those who were undeterred would demand to be adequately compensated or insured for taking on the increased risk of personal liability. The U.K. Government announced several changes to the SM&CR in October, amongst which is the replacement of the presumption of responsibility with a statutory duty of responsibility. The burden of proving that a senior manager did not take reasonable steps to stop a breach will be on the regulator. The changes, at the time of writing this article, were set out in a Bill laid before Parliament.
The U.S. Is Developing Rules
Although the United States does not have a directly comparable regulatory regime for senior managers, many of the requirements of the SM&CR already are reflected in other U.S. regulations, with some differences. U.S. regulators have broad enforcement powers as part of their supervisory mandate. Just as in the United Kingdom, U.S. regulators have principally directed their enforcement actions at institutions and not individuals at those institutions. However, along with a renewed focus on governance and management, U.S. regulators are now placing more emphasis on the need to hold individuals accountable. For example, the U.S. Department of Justice recently issued new guidelines to bolster its ability to pursue individuals in corporate cases.
Extraterritorial Impact of New Rules
Any fundamental governance-related regulatory change such as this has the potential to be extraterritorial in impact, especially for global financial institutions. The SM&CR has the potential to reach senior managers located outside of the U.K., just as do actions taken by the U.S. regulators or the European Central Bank regarding individuals outside the U.S. and E.U., respectively. Differing standards and enforcement regimes can in theory give rise to conflicts between overlapping oversight requirements. However, the approaches of the various regulators are generally likely to work together, though it’s possible (if unlikely) that oversight in one jurisdiction might prioritize safety and soundness within that jurisdiction at the expense of another.
A Difficult Balance
In implementing accountability regimes, regulators must strike a difficult balance. On the one hand, there is a clear need for the rules to operate efficiently to ensure executives are effective in their management roles and to prevent executives from ignoring regulatory breaches. On the other hand, regulators must ensure that the new accountability regimes are fair and do not impose de facto strict liability on executives who take reasonable steps to prevent and detect problems. There is a risk that, crudely applied, the reforms could give rise to a random minefield of rules and regulations on liability that directors and employees will find difficult to navigate and which could deter key individuals from taking up roles of responsibility within their organizations.
In this article, we focus on the new SM&CR and its extraterritorial effect, and particularly on the rules on the personal liability of senior managers. We then compare U.K. regulations with those in the United States. This article does not seek to cover the general regulation of individuals, remuneration rules, firm registration processes, the impacts of resolution and recovery regimes, or other aspects of individual regulation. The new regulatory approach of focusing on individuals is likely to evolve, so this snapshot reveals the direction of travel more than the final destination.
The SM&CR in Summary
The SM&CR represents a fundamental change in the approach to regulating senior managers, certified personnel, and conduct within SMR firms and U.K. branches. Firms, rather than the regulators, will be given primary responsibility for vetting senior managers and certified personnel, and only senior managers will be subject to the regulators’ approval.
The SM&CR is made up of the Senior Managers Regime, the Certification Regime, and a new Code of Conduct. Each of these three elements is summarized in a box to the right. The rules will be applied by both the U.K.’s Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), although each regulator’s approach will differ according to its statutory objectives and areas of competence. In particular, the PRA, as the U.K.’s prudential regulator, will not apply its SM&CR rules to incoming U.K. branches of EEA firms because, under E.U. law, the prudential regulation of such branches is mostly within the competence of the relevant home member state.
The Senior Manager Regime will replace the “controlled functions” that currently are part of the Approved Persons Regime (APR) with a new set of PRA and FCA senior management functions that will cover a narrower range of individuals. The regulators intend to grandfather all controlled functions to their Senior Managers Regime, so that an individual who is already authorized under APR and whose activities cover a senior management function, for example as a chief executive, will not need to go through the authorization process in order to continue as an approved person under the new regime. Individuals who are currently approved persons but who do not perform a senior management function will no longer be required to be authorized by the regulators and will no longer be approved persons from March 7, 2016; although they will likely fall into the certified personnel category.
A separate Senior Managers Regime for certain U.K. insurance firms, based on the E.U. Solvency II Directive, and which we don’t cover here in detail, is also being implemented in the U.K. The U.K. Fair and Effective Markets Review recommended that aspects of the new regime be extended to certain other types of financial institution. In the October announcement, the U.K. Government confirmed that it will adopt that recommendation. It is expected that the SM&CR will be extended, during 2018, to all U.K. authorized investment firms, asset managers, insurers and consumer credit firms. The detail of the expanded regime, as fleshed out by regulatory rules, remains to be seen.
Focus on Personal Accountability
This regulatory revamp of senior management responsibilities takes the law into two difficult and uncharted regions. First, it raises more acutely than ever the issue of personal liability in a world in which regulators want to hold senior management, not just firms or rogue employees, accountable for wrongdoing. Second, the revision of the existing regime highlights the tension between business-line management, which is crucial for successful and efficient management in global businesses, and top-down management of each legal entity (so-called entity-level management), which is a key element of post-financial crisis regulation.
Personal liability in financial services is an area where there is somewhat limited jurisprudence, and there are uncertainties as to where the line of liability is to be drawn. More importantly, it is difficult to identify what well-intentioned senior managers can do to protect themselves.
Generally, under the enforcement rules of the Financial Services and Markets Act 2000 (FSMA), the FCA and PRA can only take disciplinary action against a senior manager where the relevant regulator is satisfied that the person is guilty of misconduct and, if he or she is guilty, that it is appropriate in all circumstances to take such action. According to current FCA guidance (DEPP 6.2.4G), the FCA can only impose a penalty on an individual if it is proven that the person was personally culpable, i.e., where the behavior was deliberate or where the approved person’s standard of behavior was below that which would be reasonable in all the circumstances existing at the time of the conduct concerned.
Under the current enforcement regime, the enforcing regulator has to satisfy the applicable evidential standard of proof to show a regulatory breach had occurred. The FCA and the Upper Tribunal, the body responsible for handling appeals against FCA decisions, have generally applied the “balance of probabilities” standard of proof applicable in civil cases. This is in contrast to the higher “beyond reasonable doubt” standard of proof applied by criminal courts or in civil cases where quasi-criminal sanctions, such as deprivation of liberty, may be imposed. Previous FCA jurisprudence suggested that a “sliding scale” standard of proof could be applied, whereby the civil standard could be varied to a standard close to its criminal equivalent in cases of serious regulatory breaches. This approach has now been abandoned. The Upper Tribunal confirmed this year in the case of Carrimjee v the FCA [2015] UKUT 0079 (TCC) that, despite the FCA having power to impose serious sanctions, such as industry bans or substantial fines, FCA proceedings are not quasi-criminal in character and the civil standard should always apply.
The U.K.’s SM&CR has the potential to reach senior managers located outside of the U.K., just as do actions taken by the U.S. regulators or the European Central Bank regarding individuals outside the U.S. and E.U., respectively.
A new liability will apply if: (i) the senior manager’s firm committed a regulatory breach, (ii) the senior manager was a senior manager at the time of the regulatory breach, (iii) the senior manager was responsible for the management of any of the firm’s activities in relation to which the breach occurred, and (iv) the senior manager did not take such steps as a person in the senior manager’s position could reasonably be expected to take to avoid the contravention occurring (or continuing).
Whether the relevant senior manager was responsible for that part of the business to which the breach relates would be a question of fact. The Statements of Responsibility that institutions will be required to prepare (and may agree at a detailed level with the regulators), showing what each senior manager is responsible for, will be crucial in informing the regulator’s determination on this issue (See the PRA’s Supervisory Statement SS28/15, Id., para. 2.71).
Reasonable Steps
The new liability standard requires the regulators to prove, on a balance of probabilities, that conditions (i) to (iv) are satisfied. A senior manager must have failed to take steps that he could reasonably have been expected to take to avoid the breach from occurring or continuing.
The U.K. regulators have published guidance which sets out some types of steps that senior managers would be expected to take to prevent or stop breaches. This guidance published by the PRA in the context of the operation of the former presumption of responsibility test includes actions it would consider as reasonable steps and the evidence it would expect senior managers to provide to demonstrate that reasonable steps were taken. The guidance will serve as the basis of the regulators’ expectations of senior managers in satisfying the new statutory duty of responsibility which requires a senior manager to take reasonable steps to prevent contravention by way of a breach. It would be helpful if the regulators published additional guidance clarifying the types of steps that would not be required in every case, for example, commissioning external consulting reports. One of the concerns with the presumption of responsibility was that firms would focus their attention on creating evidence rather than on operating an efficient and compliant business. Without any further guidance from the regulators, there is still a risk that, though the extent of the duty may have been ameliorated by the removal of the presumption of responsibility, firms and senior managers will be motivated to create extensive paper trails to evidence the details of their decision-making process. The PRA has recognized that one of the challenges in implementing the SM&CR has been encouraging and ensuring that the right outcomes are achieved.
Application in Practice
How the FCA and PRA will enforce the new liability standard in practice is of particular concern to firms and their senior management. For instance, it is not clear if the FCA/PRA are required to prove that there was a causative link between the senior manager’s role and the breach in question. In the absence of such link, there would arguably be no case for the senior manager to answer and it would only be if this test was passed that the senior manager would be tasked with considering — probably again on the balance of probabilities — the reasonable steps element. Although on a strict reading of the legislation, a causative link does not appear to be one of the conditions, it is at least arguable that it is one of the circumstances that the enforcing regulator needs to consider under FSMA before deciding to take enforcement action.
Possible Solutions
The easier question is how senior managers can avoid personal liability under the SM&CR, even without the presumption of responsibility. The answer is: They should take such steps as a person in their position could reasonably be expected to take to prevent regulatory breaches from happening or continuing in the area for which they are responsible. Senior managers will need to be in a position to identify and address actual or suspected regulatory breaches in a timely manner. In respect of the presumption of responsibility, the FCA confirmed in its draft guidance that it would consider any preventative action as a relevant factor in determining whether a senior manager acted reasonably. (The PRA also confirmed that it would only take action against senior managers where this is appropriate in all the circumstances and that such circumstances may include the nature and seriousness of the breach. See para. 2.67 of the PRA’s Supervisory Statement SS28/15.) Presumably the regulators are unlikely to seek to alter this position under the revised SM&CR in light of the removal of the presumption of responsibility, but of course the ultimate position will depend on how the final amending legislative provisions are couched.
Entity-Level Focus
Regulations on living wills, governance, and employee compensation are now all applied on a legal entity-level basis. Similarly, senior management responsibilities are to be applied against an entity-level backdrop. Tensions and problems arise when key business personnel within the entities concerned don’t report directly to senior management. The risk is that the flow of information necessary for senior managers to perform their functions is more limited than what is required to enable them to prevent and detect regulatory breaches.
In a matrix-managed organization, it may be difficult for a senior manager to show sufficient control. One practical solution is for designated senior managers to take steps to ensure that reporting lines are established from relevant business heads and other relevant personnel to the legal entity-level senior managers, whether in the U.K. or overseas, which are clear to staff and operate effectively and as close to real time as possible. Information could flow directly through people not directly accountable to the senior manager. Global business management will still be possible, but relevant legal entity senior managers’ involvement and approval will now be mandatory. The objective is for senior managers to gain an accurate and thorough understanding of the parts of the firm’s business for which they are responsible, including the strengths and weaknesses in the governance and risk management framework. On this basis, senior managers should have sufficient information to be able to determine (among other things) whether improvements to the firm’s systems, controls, and culture are needed to prevent or remedy breaches, whether persons responsible for any failings need to be removed or disciplined, and whether the regulators need to be notified if breaches are identified.
New Criminal Offense
The SM&CR also introduces a new criminal offense for a reckless decision by a senior manager that causes a bank (i.e. deposit-taking institution) to fail. This offense does not apply to non-banks. It will only apply to senior managers working in U.K. SMR firms and not in U.K. branches of overseas firms. The FCA and PRA don’t have the power to impose criminal sanctions for this offense but can instigate criminal court proceedings against responsible senior managers. As is the case for all criminal proceedings, the prosecution will bear the burden of proving a senior manager’s guilt on the basis of the usual “beyond a reasonable doubt” criminal standard of proof. The FCA, PRA, and the U.K. government have not published any guidance on precisely what conduct would be likely to constitute the reckless decision offense; however, courts probably would rely on existing case law and general criminal law principles to make this determination.
The new U.K. rules on personal responsibility place firms and senior managers into a new world of regulatory requirements and obligations ... There is an increased focus in the U.S. as well, and it remains to be seen how the U.S. ... environment will change for individuals at banks.
On this basis, it is likely that a senior manager will be deemed to have made a reckless decision if he or she was aware that there was a risk that such decision could cause his or her firm to fail and it was unreasonable for him or her to take that risk in the circumstances as known to him or her (R. v. G [2004] 1 AC 1034, paragraph 41). The more obvious the risk, the more likely it is that a court would find that the senior manager must have been aware of the risk (Seray – Wurie v DPP [2012] EWHC 208 (Admin), para. 21). The penalties for the offense can be severe and include up to 12 years in prison on indictment and/or an unlimited fine. The Parliamentary Commission on Banking Standards, which proposed the introduction of this offense, acknowledged that securing a conviction for the offense may be difficult in practice (See para. 1182).
Extraterritorial Application of the SM&CR
The SM&CR will apply to personnel of U.K. SMR firms (including U.K. subsidiaries of non-U.K. firms) and of incoming branches of overseas SMR firms (both non-EEA and EEA incorporated), although the application of the new regime will be tailored for branches to reflect the nature of the branch’s activities.
For certified personnel, the Conduct Rules and the Certification Regime will generally only apply to personnel who are either based in the U.K. or perform services for clients in the U.K.(There is some doubt over how this territorial restriction applies to the PRA Certification Regime and Conduct Rules. Based on the available PRA guidance, it would appear that, for incoming non-EEA branches, the PRA Certification Regime would only capture U.K.-based personnel. For non-EEA branches, the PRA has stated that the scope of its Certification Regime would only capture “the U.K. population of Material Risk Takers.” However, for U.K. firms, on a strict reading of the PRA’s guidance, it would seem that the PRA Certification Regime could apply to such firms’ personnel based overseas; see footnote 44 in the Consultation Paper FCA CP14/13/PRA CP14/14). U.K. regulators have provided additional guidance on who is not a U.K. client in this context (See pages 26 to 27 of the FCA CP15/10 (August 2015). For instance, U.K. persons to whom research is provided by a non-U.K.-based employee would not be clients. Similarly, if a non-U.K.-based employee has contact with a U.K. person for relationship purposes, the U.K. person would not be a client in this context. This applies regardless of whether the relevant SMR firm is a U.K. subsidiary or an incoming branch. Examples of certified personnel include staff responsible for benchmark submission and administration, proprietary traders and material risk takers (in line with the Remuneration Code).
In relation to senior managers of both U.K. firms and branches, the Senior Managers Regime and the Conduct Rules will always apply to persons in designated positions wherever they are located. As such, it has extraterritorial effect and will apply regardless of whether the individual is based in the U.K. or provides services to U.K. clients (Nonexecutive directors of incoming U.K. branches will generally be excluded from the scope of the SM&CR rules). Thus, individuals who perform senior management functions for a U.K. firm or incoming branch will have to become authorized as senior managers regardless of whether they are based in the U.K. or abroad. If a senior manager is employed by other group entities, the potential for conflicting and overlapping requirements arises — and at the very least it will be more difficult to determine the non-U.K. manager’s U.K. responsibilities.
As a result, firms will take steps to minimize the risk of conflicting requirements. Such measures may include reorganizing governance structures according to legal entity structures instead of business lines, and ensuring the delegation of responsibility for the conduct of an incoming branch’s or U.K. subsidiary’s regulated activities to a U.K.-based senior manager. The U.K. regulators have indicated that they will determine the application of the regime to a particular individual on a case-by-case basis taking into account the organizational structure of the firm, its reporting structure, and whether any U.K.-based senior managers have an appropriate degree of accountability, autonomy, and responsibility for the U.K. entity or branch. The regulator’s focus will be on individuals who are directly responsible for implementing the firm’s strategy in the U.K. entity or branch for its U.K. regulated activities.
International Comparisons
Onerous “presumption of responsibility” regimes exist in some jurisdictions, including Germany. Under the German Stock Corporation Act, board members are jointly and severally liable for breaches of their directors’ duties under German corporate law unless they can demonstrate they acted with due care and skill. Where the allegations relate to the directors’ business decisions, the board members may benefit from the operation of the “business judgment rule,” which provides a degree of protection for decisions made on the basis of adequate information and for the benefit of the company.
Directors also bear the burden of proof in relation to satisfying the requirements of the business judgment rule. The reverse burden of proof and the scope of the business judgment rule are currently subject to discussion, and it remains to be seen whether the German legislature or courts will take action to mitigate the liability risk for board members.
U.S. Regulatory Requirements and Oversight
The United States does not have a regulatory regime directly comparable to either the APR or the SM&CR. However, there are several parallels between the U.K. regime and existing U.S. regulatory requirements. Additionally, recent speeches by U.S. bank regulators suggest that, while the U.S. probably won’t implement a directly comparable regime, the policy objectives of the U.S. regulators are closely aligned with those of the U.K. regime.
Several U.S. regulators have recently discussed the appropriate role of supervision in maintaining the safety and soundness of banking organizations and the link between supervision and the culture of an organization. While the U.K. regime explicitly calls for an active role by the U.K. regulators in approving senior managers, the U.S. rules have traditionally provided for the same watchfulness as to the quality and appropriateness of key personnel through more informal supervisory review and consultation. U.S. regulators have been increasingly focused on oversight of personnel who can expose an institution to significant risk and ensuring that organizations have the proper internal controls to monitor and manage such risk. This has manifested itself in more prescriptive regulatory requirements and responsibilities for the board of directors and other executive management, particularly the heads of the risk, compliance, audit, and legal functions.
Enforcement and Penalties
The U.S. business judgment rule presumption generally affords directors and officers protection from personal liability for prudent, informed business decisions made in good faith. As in other jurisdictions, directors and officers generally obtain protection from personal liability through indemnification agreements and directors and officers liability insurance in the absence of bad faith or malfeasance, although such protections are limited in certain circumstances by law and regulation.
Certain statutory authorities allow U.S. regulators to bring cases against individuals for failure to meet their duties. For example, the Federal Deposit Insurance Corp. (FDIC) can bring civil lawsuits against former directors and officers of a failed bank for a demonstrated failure to satisfy the duties of loyalty and care. The degree of protection afforded to directors of failed banks by the FDIC under the business judgment rule has often been the subject of litigation.
Similarly, in the event of a receivership of a large financial institution under Title II of the Dodd-Frank Act, or the Orderly Liquidation Authority, directors and officers can be personally liable in a civil case brought by the FDIC as receiver for gross negligence or conduct that demonstrates a greater disregard of a duty of care than gross negligence, including intentional tortious conduct. Furthermore, clawback provisions allow the FDIC to recover incentive payment and other compensation from directors and senior executives for the two years prior to the company’s failure if they are found to be substantially responsible for the failure. (The Securities and Exchange Commission recently proposed a rule to implement Section 954 of the Dodd-Frank Act that would, among other provisions, require listed issuers, including but not limited to banks, to develop, implement, and disclose policies requiring clawback of “erroneously awarded compensation” in the event of an accounting restatement. Specifically, issuers would be required to recover incentive-based compensation received by any executive officer in the three years prior to a material restatement of the issuer’s financial statements that is in excess of the compensation that would have been received if the compensation had been determined based on the restated financial statements. Such clawback would be required regardless of the reason for the restatement, i.e., not limited to restatements required because of misconduct, and including restatements that are required because of no-fault computational errors. For a detailed overview of the proposed rule see “SEC Proposes Highly Anticipated Clawback Rules” (July 9, 2015).
U.S. banking regulators can, like their E.U. counterparts, dismiss employees as part of enforcement actions against firms. U.S. bank regulators can take enforcement actions against directors and officers (and other so-called “institution-affiliated parties”) for violations of laws, breach of fiduciary duties, and unsafe and unsound practices. For example, the Federal Reserve Board can remove any officer, director, or employee of a foreign banking organization involved in its U.S. branch or other operations upon a finding of improper conduct or as a result of being convicted of certain criminal offenses (12 U.S.C.A. § 1818(e)).
An Area of Development
Just as in the U.K., U.S. regulators and prosecutors have been increasingly focused on individual accountability. William Dudley, President of the Federal Reserve Bank of New York, has suggested that it would be helpful if individuals who are convicted of an illegal activity were prohibited from employment in the financial services industry forever. (“Enhancing Financial Stability by Improving Culture in the Financial Services Industry,” William C. Dudley, President and Chief Executive, Remarks as the Workshop on Reforming Culture and Behavior in the Financial Services Industry, Federal Reserve Bank of New York, (October 20, 2014). Section 19 of the Federal Deposit Insurance Act prohibits anyone convicted of a crime of dishonesty, breach of trust, or money laundering from working at an insured depository institution or bank holding company. Dudley has suggested expanding Section 19 to cover the entire financial services industry.) He suggested that the U.S. should make it more difficult (as the U.K. is seeking to do) for employees who cross ethical boundaries to be able to move from one firm to another in order to escape the consequences, and put forth the idea of a database that would keep track of the hiring and the firing of financial professionals maintained by financial institution supervisors, akin to the regime that currently exists for broker-dealers in the U.S.
Moreover, the U.S. Department of Justice recently issued a memorandum with guidance for civil and criminal prosecutors to pursue the prosecution of individual employees involved in corporate misconduct. The memorandum acknowledges the “substantial challenges unique to pursuing individuals for corporate misdeeds” and suggests that individual accountability for those who perpetuated the misconduct is “one of the most effective ways to combat corporate misconduct.” Under the guidance, cooperation credit for corporations requires that the corporation provide information to the Department of Justice about the role of individual employees in the misconduct, and prosecutors are instructed not to release culpable individuals from civil or criminal liability as part of the resolution of a matter with the corporation.
Conclusion
The new U.K. rules on personal responsibility place firms and senior managers into a new world of regulatory requirements and obligations. It remains to be seen how industry standards will develop to protect well-intentioned senior managers from being held responsible for their firms’ regulatory breaches and how firms might structure reporting lines to allow senior managers sufficient oversight of relevant business parts while allowing firms to maintain organizational and operational efficiency.
Notwithstanding that the U.S. does not have such a formal framework in place, there is an increased focus on individual accountability in the U.S. as well, and it remains to be seen how the U.S. regulatory and prosecutorial environment will change for individuals at banking organizations.