Written evidence on regulation submitted by Sam Hilton, Research Affiliate at the Centre for the Study of Existential Risk
Good regulation of large firms can be summarised as follows:
The following features are all crucial to making this work well:
This evidence is submitted by Sam Hilton. Sam is a Research Affiliate at the Centre for the Study of Existential Risk and Deputy Director of Research for Charity Entrepreneurship.
Sam worked for 3 years in regulatory policy in the UK government. He led the team responsible for civil nuclear safety policy in the Department for Business, Energy and Industrial Strategy and worked on financial stability regulations in HM Treasury. Following this, Sam became a Research Affiliate at the Centre for the Study of Existential Risk at the University of Cambridge. In this capacity he continued to investigate the principles of good regulation, primarily focusing on the regulation of firms developing new and emerging technologies, such as artificial intelligence.
The evidence here is a combination of lessons from the author’s time in the field and lessons drawn from various documents on good regulatory policy. The key lessons from each source are set out in the Annexes.
The principles that guide the regulation of large firms and the regulation of SMEs are different. We begin with the key principles for regulating large firms (this author’s area of relative expertise) and then look at how this might differ for smaller firms.
The 9 key components of good regulation of large firms are:
1. Regulation that comprises outcomes-focused rules, combined with detailed guidance set out by a regulatory body.
● Outcome-focused rules, set out in legislation, provide industry with the flexibility to achieve outcomes through whatever route they choose, as long as they can demonstrate to a regulator that the outcomes are met.
● The rules should be accompanied by clear guidance, produced by the regulator, to make it easy to know how to approach the regulations – for example, it could set out clear steps which, if followed, would be a way of minimally complying with the rules. This guidance and any codes of practice should be regularly reviewed.
● For example, rather than legislation saying “do steps x, y, z to protect personal data”, the legislation should just say “protect personal data”, with additional guidance saying “for example by doing x, y, z”.
● The rules must include a focus on ensuring lines of accountability so senior staff can be held accountable for what happens within their organisation.
● This approach provides flexibility to firms and ensures firms understand the regulations and are not just ticking boxes. This approach also helps ensure regulatory frameworks are flexible and can be easily adapted to new and emerging technologies.
2. High public trust. Regulations should be built on the back of public consultation and expert engagement.
● A good example of this is the creation of the HFEA (Human Fertilisation and Embryology Authority). It carried out a broad public consultation exercise that worked hard to engage all people who could be concerned by the science of human embryology, including members of the public and religious groups. It also engaged sufficiently deeply with academic and industry experts to ensure the regulation was based on a rigorous scientific understanding of the risks.
● There should also be a high level of transparency about the regulator’s ways of working and the reasoning behind regulations, so that other actors can provide scrutiny and feedback.
3. Highly technically talented regulators.
● A high level of technical expertise is needed by regulators to ensure that inspections and audits can be successfully managed, guidance can be updated, potential issues can be identified and good decisions can be made.
● This should include understanding new emerging technologies and the changing needs of industry.
● Technical expertise is essential at the policy level as well as in the regulator. Policy makers may impact decisions on safety and ethics through new regulatory policy, through oversight of the regulator, and through related policy work such as horizon scanning, research council funding, and risk preparedness.
4. Strong monitoring and enforcement powers, combined with a collaborative approach to regulation so that these powers are rarely used in practice.
● Regulatory bodies should have sufficient power to require firms to provide them with full and detailed information, to inspect firms, to force firms to pause harmful activity, and the ability to levy substantial fines (and potentially even to prosecute individuals in the criminal courts).
● Regulators should have strong enough industry relations to be able to drive change without using those powers. This could be achieved by:
A. Encouraging industry self-regulation and allowing industry to identify problems, tell the regulators about these problems and their plans to fix them.
B. Earned recognition where a lighter approach is applied to firms who demonstrate a willingness to self-regulate and collaborate with the regulator.
C. Regulators identifying problems before they occur (for example highlighting if staff do not seem adequately trained in managing specific risks) and issuing warning letters to firms for these minor infringements before they turn into major infringements.
In this way regulators can ensure compliance with minimal effort and only rarely have to issue fines or go through the courts.
5. The regulatory system needs to be proportional to the risks and needs to support economic growth as well as safety and ethics.
● Regulation needs to be proportional to the risks to society, based on citizens’ concerns and expert views on the risks. Riskier activities or riskier firms should face higher scrutiny and greater regulation.
● All regulators should have an explicit mandate to support economic growth. Regulators should be actively trying to make sure that innovation and new emerging firms and technologies are not held back by regulations, through updating guidance or providing regulatory sandboxes.
● There needs to be coordination between regulators throughout the UK. Firms may often end up having to work with multiple different regulatory bodies, either because they carry out a diverse set of business activities or because the business works across the devolved administrations. This has costs for firms and can make it harder for regulators to build good working relationships with firms.
● The remit of each regulator should be divided by industry area, rather than by topic area. Regulators need to understand the regulated firms well and build strong connections with them. For example, at nuclear sites the Office for Nuclear Regulation (ONR) also deals with general on-site health and safety issues (rather than the HSE). This helps the ONR build an understanding of, and a relationship with, the sites.
6. Independence from political interference.
● There should be a degree of independence from political interference, to prevent regulatory capture or undue process.
● Ideally regulators should have independent funding sources. As well as preventing political interference this allows the hiring of the technical experts needed for good regulation and avoids regulators facing cuts or having to work entirely within public sector pay scales.
● Current best practice is for regulators to be funded by charging industry for their services (perhaps excluding SMEs).
7. Substantial international engagement with other regulators and policy makers across the world.
● This minimises risks. For example, a financial crisis abroad would likely have severe negative repercussions for the UK. As such, UK policy makers have engaged with and supported the Basel Accords. This may reduce the level of flexibility the UK has over its own financial regulations, but it encourages a strong approach to financial stability globally.
● It prevents nationalistic or protectionist approaches to regulation. Expecting UK regulatory standards to be applied beyond the UK, for example by companies importing to the UK, is positive for preventing risks, as set out above. But regulatory processes should not be used by policy makers as a tool to promote protectionism.
● It allows peer-to-peer learning. Regulators should share best practice and regulatory innovations with one another. For example, every decade the International Atomic Energy Agency (IAEA) organises a peer review of the UK regulatory process, with experts and regulators from around the world coming to the UK to assess the UK’s regulatory procedures (and similarly our experts do peer reviews in other countries). This provides an ongoing way to learn and improve our regulation.
Almost all of the above applies to small as well as large firms.
However, in the regulation of SMEs and individuals there is less scope for regulators to build close working relationships with individual firms or to implement approaches such as earned recognition and self-regulation, and inspections may be infrequent and ad hoc (in proportion to the risks).
For smaller firms a more market-driven approach can be effective. A key way of doing this is for the regulator to license individuals to enable them to undertake inspections or make key decisions. For example, qualified mechanics can become licensed as MOT testers and ensure that vehicles pass the required regulatory bar.
Regulation does not just apply to businesses. It also applies to individuals, to charities and to the government.
Occasionally there will be government carve-outs in regulation for parts of government. In particular, the defence and security services are often exempt from various international regulatory agreements, and as such they may be exempt from national-level regulation. This is not necessarily bad, as in some cases exemptions need to be made. However, the default should be that the government is as bound by regulations as industry.
One way to manage the unique needs of the security services is to have a second regulator; for example, civil nuclear activity is overseen by the Office for Nuclear Regulation whereas military nuclear activity is overseen by the Defence Nuclear Safety Authority.
Ideally the remits of regulators should be sufficiently broad that there are no gaps (although not so broad that mandates overlap in a way that creates confusion). However, as new technologies emerge there will inevitably be areas that are not covered by regulation, or where the regulations or the expertise of the regulator are no longer sufficient to protect the public.
Regular horizon scanning of new technologies and gap analysis should be used to identify these cases. Where the gaps may be significant a public consultation should be carried out to gauge the risks and the level of public concern.
If there are areas of serious concern two options present themselves:
Safety, ethics and good corporate behaviour require more than just regulation. They also require good policy that empowers and supports business to make ethical decisions, and a proactive approach by government to protecting UK citizens from risks. Further thoughts on this are captured in Annex C.
There are many parts that need to be in place to ensure good regulation, and it is not always easy to do this well. However, much of the above is based on ideas that are common and understood in the UK policy space, and there are many good precedents in the UK to draw from.
The UK Government's papers on regulation (specifically Regulation for the Fourth Industrial Revolution, the Regulatory Futures Review and the Regulators' Code) are good, and between them cover much of the detail on how to regulate emerging technology. There is often no need to reinvent the wheel; the work has largely been done already.
Below is a summary of key points from each paper.
The UK Government’s Regulation for the Fourth Industrial Revolution White Paper (2019) sets out a number of excellent best practices for regulators of new technologies. Regulation should be:
1. Outcome focused and flexible, with accompanying guidance.
○ The regulation also needs to be reviewed regularly.
2. Accessible: advice available, long complex processes minimised.
○ It should also be joined-up across regulators.
3. Supportive of innovation and experimentation (eg with regulatory sandboxes).
○ Regulators themselves also need to be innovating and sharing best practice.
4. Based on public consultation, which should discuss ethics and risks and aim to build trust.
5. Internationally supported so that it does not become a barrier to trade and global cooperation.
Prior to this, the Regulatory Futures Review (2017) also set out that regulation should be:
6. Supporting regulated self-assurance and earned recognition: where industry can provide assurance of compliance, it can earn a light touch approach to regulation.
7. Charged to businesses: Where appropriate (not every case) the default should be to charge companies for regulatory services.
Further, the Regulators' Code (2014) sets out how regulation should be:
8. Proportionate to risk and not an undue burden on industry.
9. Transparent and simple.
10. Supporting economic growth.
Civil nuclear safety regulation provides a good analogy for other areas of tech regulation and has a highly developed internationally approved regulatory best practice. Based on experience in this sector, we know that regulation should:
11. Be industry-focused rather than topic-focused.
12. Have no unnecessary carve-outs for national security. Alternatively, a separate regulator could be set up for military use of tech under the Defence Safety Authority.
13. Cover corporate culture: safety culture, clear lines of responsibility, whistleblowing, etc.
14. Ensure independence of the regulator from government, to prevent regulatory capture.
15. Be enforceable, i.e. there should be some powers (ideally rarely used) to issue fines or demand evidence, etc.
It is also worth noting that civil nuclear safety requires much more than just regulation. For example:
16. Technical expertise is needed at both a regulator and a policy level.
17. Horizon scanning is needed to predict and respond to future trends at both a regulator and a policy level.
18. Management of dual-use technologies is needed to minimise the harmful use of dangerous innovations. For example safeguarding nuclear materials.
19. Risk preparedness should be coordinated by central government. This must include risk assessments, resilience planning, emergency exercises, a contact hotline, etc.
20. Information sharing should be facilitated so that vulnerabilities can be identified (e.g. a leak in a nuclear reactor in the US might necessitate inspections of similar reactors in the UK).