Keith Pearson, Head of Financial Services EMEA at ServiceNow, explains how banks can ride this wave of changes and emerge more resilient and productive than ever before.
At the start of this crisis, much of the banking industry was in a different position from many businesses. The 2008 recession spurred a need for improvements and, combined with the emergence of tech-savvy fintechs, the industry has seen a major shift as customer expectations have adapted. The pandemic has forced organisations to accelerate innovation already part-underway in the banking industry.
As banking experienced its first wave of transformation, institutions focused on customer engagement, uniting physical and digital channels for an improved customer experience. Banks invested heavily in front office digital technology, creating visually appealing mobile apps, engaging online banking experiences and technologies for bankers to personalise customer engagement.
However, this digital engagement layer is not enough. Regulations like PSD2 reinforce the necessity to remain compliant, adding additional pressure to the digital transformation process which in turn has been accelerated by COVID-19. Banking is therefore in the midst of its second wave of transformation, where financial institutions are creating and seeking out critical infrastructure to better connect underlying middle and back office operations with the front office, and ultimately, with customers.
Many financial organisations are still struggling because they have yet to streamline, automate and connect the underlying processes that are enabling customer experiences. Which poses the question: why is connecting operations so difficult?
In most cases, multiple systems are still glued together by email and spreadsheets to track end-to-end status. Around 80% of a middle office employee’s time is spent gathering data from systems to make a decision, with only 20% spent actually analysing and making the decision.
In most cases, multiple systems are still glued together by email and spreadsheets to track end-to-end status.
The disconnect negatively impacts customers. For many, experiences like opening a bank account or getting a mortgage involve clunky, manual processes riddled with paperwork and delays. When front and back office employees lack the ability to seamlessly work together, customers can be asked for the same data multiple times, elevating frustration.
Customers have little patience and can be inclined to publicly broadcast problems when left unresolved. In a world of social media and online reviews, this could be detrimental to a company’s reputation.
With digitally native, non-traditional financial services players gaining market traction by offering a seamless customer experience, maintaining satisfaction is crucial for traditional banks to ensure that customers don’t switch. Banks must focus on making it easy for customers to do business with them by offering faster cycle times with more streamlined operations.
Fintechs and challenger banks like Starling have shown what connected operations can do, having been built with digitised processes from day one. Modern consumers expect round-the-clock service from their bank. As financial institutions look to the future, developing a model of operational resilience that is capable of withstanding unforeseen issues, like power outages or cyberattacks, is critical to minimising service disruption. Having connected internal communications between front and back office staff means customers can be notified about any problems, how they can be fixed and when they might be resolved, as well as receiving continuous progress updates instantaneously.
Automation can go a step beyond this. Today, customers expect companies to not only do more and do it faster but to prevent problems from arising in the first place. With connected operations and Customer Service Management (CSM), banks can proactively fix things before they happen and resolve issues fast, enabling frictionless customer service and replicating the ‘fintech effect’.
[ymal]
In the European Union and the UK, PSD2 and the Open Banking initiative are giving more control to the customer over personal account data. Digital banks such as Fidor and lenders like Klarna are seeking to reinvent banking by offering customer-centric services. But the process of streamlining underlying operations is not simply about providing customers with a fintech-esque experience. More than 50% of a financial institution’s business processes are also impacted by regulation.
Financial services leaders are focusing on streamlining and taking cost out of business operations while also placing importance on resilience. Regulators are pushing banks to have a firmwide view of the risk to delivering their critical business services.
Banks must invest in digitising processes to intuitively embed risk and compliance policies, which are generally managed separately and often manually from the business process, leading to excessive compliance costs and risk of non-compliance. With the right workflow tools for monitoring and business continuity management, banks can minimise disruption by gaining access to real-time, actionable information about non-compliance and high risk areas, encompassing cybersecurity, data privacy and audit management.
Increasing openness of financial institutions to RegTech solutions, or managing regulatory processes in the industry through technology, will prove key during this second wave of transformation. Banks will increasingly move away from people and spreadsheets and toward regulatory solutions that provide a real-time view of compliance and provide an end-to-end audit trail for Heads of Compliance, Chief Risk Officers and regulators.
With a unified data environment aided by technology, financial institutions can drive a culture of risk management and compliance to improve business decisions.
Increasing openness of financial institutions to RegTech solutions, or managing regulatory processes in the industry through technology, will prove key during this second wave of transformation.
The banking industry is still in the midst of its second transformation, and the pandemic hasn’t made it any easier. But riding this wave and successfully digitising processes to connect back and front office employees will present a profound difference to customer service.
The bank of the future will be frictionless, digital, cloud-enabled, and efficient; interwoven into the fabric of people’s lives. It will continue to be compliant and controlled but will deliver those outcomes differently, with risk management digitally embedded within its operations.
Demonstrating the operational resilience of its key services will not only drive customer confidence but will also provide a greater indicator of control to regulators and the market, adjusting overall risk ratings and freeing up capital reserves to drive more revenue and increase profitability.
The institutions that will thrive in this increasingly digital and connected world are the ones that are actively transforming themselves and the way they do business now, by taking lessons from fintechs, following regulations and paving the way in defining the future of financial services.
The COVID-19 pandemic has rendered daily life unrecognisable, and across the globe people are trying to determine how to navigate the strange new world we are living in. At the same time, businesses are having to alter their practices to keep functioning despite the changes that the rapid spread of COVID-19 has caused. The pressure is being felt across all sectors and financial services are no exception.
However, despite the uncertainty of the current environment, regulators still require businesses to comply with certain standards - as made clear in the recent information published by the FCA, which lays out the expectations of the regulator over the coming weeks and months.
With this in mind, there are steps financial services businesses can take to stay on the right side of the FCA during these unprecedented times. Imogen Makin, Director at DWF, outlines the most important ones to consider.
There will undoubtedly be some teething problems for businesses as their workforces get used to the mass remote working required to comply with the current isolation rules. The FCA, and other regulators, know that this situation has never occurred before, and are therefore understanding of any problems or issues encountered in transitioning to this new way of working. However, the key here is just that, that these problems should be identified and reasonable steps taken to rectify them sooner rather than later.
Financial businesses must make it a priority to deal with any problems efficiently and effectively to minimise the risk of criticism from the FCA. Enforcement outcomes over the last few years suggest that firms' response times, both in terms of the identification and rectification of any problems, are important.
Another key issue linked to business being done from home is potential market abuse. Firms’ systems and controls for the prevention and detection of market abuse has been an area of focus for the FCA for some time, and the risks around mass remote working have brought this back to the forefront of the FCA's agenda. The FCA has stated that firms could consider whether they need to introduce enhanced monitoring, for example, in order to mitigate market abuse risks.
It is clear from the FCA Primary Market Bulletin published on 17 March 2020 that the regulator expects firms to continue to comply with their obligations under the Market Abuse Regulation and relevant FCA rules, notwithstanding the operational difficulties they may be facing. Firms therefore need to ensure that their analysis of market abuse risks in this new working environment is clearly documented, alongside any actions taken to mitigate them.
The FCA has stated that firms could consider whether they need to introduce enhanced monitoring [...] in order to mitigate market abuse risks.
Further to the new rules brought in by the government to only travel when it is essential, the FCA published a statement outlining the responsibilities of Senior Managers to determine which employees must continue to travel to work.
Senior Managers responsible for identifying which of their employees need to travel to the office or business continuity site should document clearly the rationale for requiring any work-related travel and ensure that this is kept to a minimum in order to both appease the FCA, and keep their workforce as safe as possible.
The disruption caused by the COVID-19 pandemic is unchartered territory; it has affected education, work, and almost all aspects of everyday life.
With this in mind, it is important for financial services businesses to consider that their customers are likely experiencing many stresses and uncertainties themselves and so regulators, including the FCA, have made it clear that they expect customers to be given flexibility and leniency, for example, in relation to mortgage payments.
Firms will need to ensure that they strike the right balance between protecting consumers' interests, whilst also maintaining their own liquidity and financial resilience, all of which are important in the eyes of the FCA.
[ymal]
As in all successful relationships, communication is key - and the relationship between firms and regulators is no different. The FCA accepts that businesses are doing all they can to keep functioning during these extraordinary times, but they are nevertheless still required to comply with their Principle 11 obligations.
Firms should make sure they maintain an open dialogue with the FCA and inform them of problems sooner rather than later; for example if a firm is unable to meet FCA requirements in relation to recorded lines, the FCA has stated that it expects to be notified. The FCA's publications in relation to COVID-19 suggest that the regulator is prepared to be forgiving as long as firms have kept them informed and have taken reasonable steps to deal with any challenges that arise.
Firms regulated by the FCA do not need to fear - everyone is getting to grips with the new working environment simultaneously and some initial challenges are inevitable. The FCA has demonstrated that it is willing to be reasonable, but it will not allow COVID-19 to be used as an excuse for bad behaviour. The points outlined above provide a few tips to FS businesses to maintain good relations with the FCA for when the world returns to normal (whenever that may be).
Grainne McKeever, Marketing and Communications Consultant at Imperva, shares an outline of the regulations with which financial services must comply in 2020.
The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.
The financial crisis in 2008 meant even tighter rules for financial services with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.
The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.
Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.
A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments come with specific obligations these roles must manage to ensure their organisations stay compliant.
[ymal]
Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organisations need to build privacy and protection into their products, services, and applications.
Data privacy is also one of the key requirements of the NYDFS regulation which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.
To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritise and assign a risk profile to datasets.
To protect your assets, first you need to know where your databases are located and what information they contain.
A recurring requirement of data regulation is that organisations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”
Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts risking a genuine threat slipping through the net.
Using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface will make it easier to recognise a real breach in time to stop it from accessing internal networks.
With a plethora of privacy and security regulations grounding themselves in organisations across the world, there is no choice but to adhere to them to ensure the security of others, as well as making sure that accountability is at the forefront of all businesses in the financial sector. By financial services adhering to data protection, data discovery, data monitoring and incident reporting they will be able to continue to flourish whilst having security at heart.
Compliance is a must-do activity, not a nice-to-have. According to Colin Bristow, Customer Advisory Manager at SAS, it is essential that companies extract maximum value from compliance processes, reducing the possibility of it being considered a cost centre.
Technological innovation can help to lift some of the compliance burden. The level of technology you can realistically implement depends on how advanced the organisation is to start with. One company’s moonshot could be another’s business as usual. Assessing the starting point is just as important as considering the benefits and end goal.
This is the question that the burgeoning RegTech (regulatory technology) industry is seeking to answer. AI is typically at the forefront. RegTech partly focuses on improving the efficiency and effectiveness of existing processes. As part of that improvement, organizations are using AI, machine learning and robotic process automation (RPA) to smooth the integration and processes between new RegTech solutions, existing legacy compliance solutions and legacy platforms.
Why look to AI for help? Recent regulations, such as GDPR or PSD2, are handed down in the form of large and extremely dense documentation (the UK government’s guidance document for GDPR alone is 201 pages). Identifying the appropriate actions mandated by these lengthy documents requires a great deal of cross-referencing, prior knowledge of historical organisational actions, and knowledge of the relevant organisational systems and processes. What’s more, several regulations attract fines or corrective actions if not applied properly (like the infamous "4% of company turnover" penalty attached to GDPR).
In short, the practical application of regulations currently relies on human interpretation and subsequent deployment of a solution, with heavy penalties for noncompliance. This is where AI can help, reducing the workload involved and improving accuracy. Here are three key examples of how AI can help companies turn compliance into a value-added activity.
Following the deployment of compliance processes, there is often residual risk. This can be as a result of unforseen gaps in compliance processes, or unexpected occurrences that become apparent when operating at scale.
That’s partly because there are usually a lot of steps and processes to be carried out during the data collation stage of compliance programmes. RPA can help reduce administrative load associated with these processes that include a high degree of repetition – for example, copying data from one system to another. AI can then help process cross-organisational documentation, combining internal and external sources and appropriately matching where necessary.
AI can also help to reduce companies’ risk of noncompliance with, for example, privacy regulations. Furthermore, using AI techniques, organisations can automate transforming and enhancing data. Intelligent automation allows companies to carry out processes with a higher degree of accuracy.
Inefficient processes can also hinder compliance. For example, automated systems that detect suspicious transactions for anti-money laundering (AML) processes are sometimes not always as accurate as they could be. A recent report highlighted that 95% of flagged transactions are closed in the first stage of review. Effectively, investigators spend most of their day looking at poor quality cases.
Use of an AI hybrid approach to detection ensures there are fewer, higher quality alerts produced. Furthermore, it is possible to risk-rank cases which are flagged for investigation, speeding up the interaction and relegating lower-risk transactions. Although AI forms an underlying principle across most modern detection systems, maintenance is key to managing effective performance.
AI can also be used to bolster AML and fraud measures more widely. For example, applying AI to techniques such as text mining, anomaly detection and advanced analytics can improve trade finance monitoring. This, in turn, can improve the regularity for document review and consignment checking, improving the validation rates of materials as they cross borders.
[ymal]
Compliance never stands still. Businesses have to contend with a constantly evolving landscape, potentially across several regions. AI can help to optimise the processing of these regulations and the actions they require, helping companies keep up to date. Companies that need to effectively comply with several differing regulations require a wide range of understanding across all parts of the business. The size, complexity and legacy systems of the business can be significant obstacles.
To mitigate this risk, companies can use natural language processing (NLP) to automate aspects of regulatory review, identifying appropriate changes contained in the regulation and then relaying potential impacts to the appropriate departments. For example, AI could help geographically diverse companies determine whether changes in the UK have an impact on their Singapore office.
It’s important to note at this point that AI and RegTech are not expected to widely replace humans. We are seeing early AI entries in the RegTech space, but they’re primarily helping with lower-hanging fruit and repetitive tasks. AI is primarily enhancing the work humans do, making them more effective in their roles.
AI does not come without some considerations, however. There is a great deal of focus and scrutiny on associated possible bias in AI deployments. Other discussions are exploring the transparency and governance of applications and questions around who owns generated IP. As a result, it’s essential that AI works closely with humans, enhancing activities and balancing an appropriate level of manual oversight.
AI is augmenting compliance practices by providing faster document review, deeper fraud prevention measures and greater contextual insight. It is also reducing noise in high-transaction environments and lightening the documentary burden on staff. From the start of the regulatory review to the end of the compliance process, AI holds part of the overall solution to a more efficient and valuable compliance function.
Without this integrity – and constant striving for health - a market risks becoming a venue for market manipulation, insider trading and other undetected criminal behaviour. Catherine Moss, corporate Partner at Shakespeare Martineau, explains for Finance Monthly.
Preventing behaviours amounting to market abuse, and tackling a lack of awareness of risk, has been central to the regulators’ quest for fairness for a number of years. So, following on from the July 2016 introduction of the Market Abuse Regulation (MAR), how is the UK faring and with a further review by the European Securities and Markets Authority (ESMA), what does the future hold?
Markets are driven, and develop depth, through pricing; and prices are – and have always been – vulnerable to manipulation. MAR, and its previous manifestations, were designed to identify behaviours which manipulated markets, or which allowed people to buy securities or commodities on a privileged basis with information which was not generally available to other trading parties.
The UK has had a legal framework around insider dealing and market abuse for a number of years. However, the introduction of MAR in 2016 formed a further part of a Europe-wide attempt at greater harmonisation, in response to scandals which came to light in the financial crisis and the greater complexity of the financial markets and emergence of alternative trading platforms. In the move towards a more congruent, European-wide, regime encompassing not only securities trading but trading in fixed income and commodity markets and related benchmarks, did the EU fulfil its markets’ needs? Leaving aside the question as to whether the latter could ever be achievable given the myriad trading venues now available, have market participants found the legislation fit for purpose?
The upcoming review of MAR will be undertaken by ESMA, looking into how well the regulations and directives are being implemented, whether the regime should be broadened, whether cross-market order book surveillance should be made subject to an EU framework; and, suggesting purposeful legislative amendments. Consideration is to be given to extending the regime to the foreign exchange markets. In addition, aspects of MAR which are still - unhelpfully - subject to specialist debate as to their scope, for example buybacks, insider lists and managers’ transactions, are to be further considered by ESMA.
At its simplest, there is a need to balance the desire of a company to access public money and trade its securities on a public platform against the requirement to adhere to the rules which apply to that market and its participants. It is crucial to the health of a market to ensure that information which may unfairly disadvantage other parties is not only managed securely but released in accordance with that market’s rules. Julia Hoggett, Director of Market Oversight at the FCA, put it starkly: “The life blood of all well-functioning markets is the timely dissemination of information, without which effective price formation cannot take place. The malignant form of that same life blood is the misuse or inappropriate dissemination of that information.”
However, as companies and their advisers know, market abuse legislation - whether EU or local - has been traditionally quite complicated and tricky to comply with. As the recent survey results from the Quoted Companies Alliance (QCA) demonstrates, issuers and their advisers have exhibited a broad range of responses to legislation which is meant to direct efforts to maximum harmonisation. However, these requires additional processes and procedures to be put in place, understood and adhered to.
Lack of certainty as to the MAR requirements, for example, on the duration of closed periods, is striking. The FCA has quite rightly observed that “awareness is not present in all market participants.” Given the FCA’s stated objective of making effective compliance with MAR a state of mind - at least amongst the community it regulates - it must be asked how this is to be achieved within the current, or future, legislative framework where achieving certainty as to the meaning of the legislation appears difficult.
Clearly, with the introduction of any new regulation, some companies and issuers adapt faster than others, particularly if they are larger and better resourced. It is obvious from the QCA’s survey results, however, that many smaller and mid-size issuers are still navigating MAR’s complex requirements hesitantly. But more worryingly, it can be seen from the pattern -and lack - of regulatory announcements that some issuers, particularly in less obvious and well-policed trading venues, seem not to have recognised the breadth of its application. Education clearly is key and greater regulatory and market promotion of the constraints which issuers are to work within is to be encouraged.
With the introduction of any new regulation, some companies and issuers adapt faster than others, particularly if they are larger and better resourced.
So, what should be done to ensure that the requirements of MAR become part of an issuers “state of mind”? Effective regulatory response can seem sometimes to be limited to the publication of extensive decision notices which are picked over by advisers, keen to ensure that practical examples of poor behaviour, or the failure of systems, can be relayed as precautionary horror stories to their clients.
Many issuers seek regular training sessions with their advisers or company secretaries and become more confident as the reporting and transactional cycle demands their attention. Others find it difficult to engage in the processes required. Some, however, are not well-served by the advisers operating in the market and sector within which they trade. The FCA appears keen to seek to educate all issuers but, inevitably, issuers are still tripping up as they fail to understand, or to take advice on, the requirements of the regulatory framework within which they operate.
Whilst the ESMA review of MAR is unlikely to change the regime substantively, some regulatory time should be devoted to tailoring it more expressly to an issuer’s needs and securing a greater measure of awareness. Whilst the regulatory burden is unlikely to be lessened, clarity of approach together with greater support from markets and trading platforms as to the implications of MAR to their issuers would be welcome.
Less well known, however, is another more imminent deadline. The PSD2 regulation requires banks to implement facilities for these third parties to test their functionality against a simulated bank environment six months prior to the September deadline, which means that these environments must be in place by 14th March. Below Nick Caley, VP of Financial Services and Regulatory at ForgeRock, explains that despite the importance of this fast-approaching deadline, many of the thousands of eligible banks are significantly challenged in meeting either deadline. And, while there are no formal penalties for not complying with it, there will certainly be consequences that could have long lasting commercial, technical and reputational effects.
Banks which fail to meet the March deadline will need to implement fallback ‘screen-scraping’ - where customers essentially share their security credentials so third parties can access their banking information via the customer interface and collect the data for their own services - as a contingency mechanism at the same time as implementing their PSD2 API by the September deadline, something that would not be in the interests of banks, or their customers, and could lead to graver problems further down the line.
There are multiple problems associated with screen-scraping. Firstly, there are the significant security risks it poses. Screen-scraping involves customers sharing their banking security credentials with third parties, which is an outright, bad security practice. No-one should ever feel comfortable sharing a password to a system, let alone one that provides access to a bank account. Such credentials, whilst clearly able to provide access to banking data, also unlock numerous other account functionalities that should only be available to the account owner. Any increase in the risk that banking credentials could be compromised will not build the confidence of consumers.
Alongside security considerations, there are also cost implications since maintaining more than one interface increases the resources required. Each interface will require strict and ongoing monitoring and reporting to the National Competent Authority. While larger tier one banks might be able to absorb this extra cost, for smaller banks this will further compound the already serious burden of compliance with the regulatory technical standard (RTS).
Beyond these very practical concerns, failing to comply with the March deadline will mean banks are left playing catch up on the developments set to be made as PSD2 comes into effect. Avoiding such pitfalls would mean banks can significantly boost their long-term prospects, giving themselves a strong foundation to stay on top of PSD2, meeting regulatory deadlines whilst crucially increasing their ability to compete in the new era of customer-centric financial services.
Despite the clear importance of the March deadline, many banks are still largely focused on developing their production APIs ahead of the September deadline, rather than their testing facilities. For those banks who haven’t yet found a solution, having development teams put a testing facility live in such a short space of time might seem like an impossible task. The good news is that there are ready-made developer sandboxes that banks can deploy in a short space of time to stay on top of the requirement for a testing facility. These sandboxes are essentially turnkey solutions that are fully compliant with the defined API standards, making the March 14th deadline much easier to digest. Banks should look to these ready-made sandboxes if they haven’t already found a solution.
As the trusted holders of customer banking information, PSD2 gives banks an unrivalled opportunity to add value for their customers. Through development of new interfaces, modernization of authentication methods and the redesign of customer journeys, banks can achieve the new holy grail for any business; delivering intuitive, secure digital services and experiences that are personalised to the customer offering far greater insights and advice.
With the focus on complying with deadlines, it’s also important for banks to keep an eye on the competition. The promise of PSD2 is to provide a level playing field to encourage competition and innovation. There are certainly plenty of new competitors: Account Info Service Providers (AISPs), and Payment Initiation Service Providers (PISPs), retailers and internet giants, all have the opportunity to introduce their own payment and financial management products and services that integrate directly with the established banks.
At the same time, the challenger banks built from the very beginning to be ‘digital natives’ have been leading the way with innovative customer-first experiences and third-party marketplaces that go beyond what is currently on offer from traditional players. This means banks will need to provide better digital services to stay competitive, giving people more freedom and choice in the way they interact with financial services.
The March deadline is the first litmus test for which banks are keeping up with PSD2, and which are falling behind. However, as we have seen, the far-reaching changes that PSD2 heralds means this upcoming deadline won’t just be a test of a bank’s ability to meet technical regulations - it will be a strong indication as to how well each bank will be prepared to stay competitive in our increasingly digital future.
Martin Kisby, Head of Compliance at Equiniti Credit Services, explores the motivations behind the evolution of compliance functions in consumer credit firms.
Risk and compliance departments, once held in low esteem by other business units, have evolved into a crucial function for protecting profitability. This is still a controversial statement in the consumer credit industry, but it’s easily justifiable. To do so, let’s take a look back.
It’s 2008. The consumer credit market is regulated by the Office of Fair Trading (OFT). Firms have a set of guidelines they are required to adhere to, but in reality can interpret or even circumvent them entirely. Business objectives are often, if not always, placed ahead of consumer needs.
So what was the role of the compliance function back then? Well, it provided some assurance to the OFT that firms were not ignoring its guidelines in their pursuit of profits.
This often led to compliance functions being derided as the ‘Business Prevention Unit’ or ‘Profit Police’ and being allocated minimal resource.
Fast forward to 2014: the financial crash has altered the consumer credit landscape dramatically. Trends in mis-selling, together with poor consumer outcomes, have highlighted the need for fundamental change. The creation of the Financial Conduct Authority (FCA), by merging the OFT and Financial Services Association (FSA), is intended to add more stability and oversight to the sector, ensuring better service delivery for consumers.
Big changes ensued.
The FCA developed a more robust and detailed handbook, which not only provided guidance on how firms across the sector should be operating, but also changed what was previously ‘advice’ into hard and fast rules.
Firms were given only interim permissions and needed to complete an approval process to gain full FCA authorisation. This required firms to demonstrate strict adherence to the new and updated rules and guidelines.
From this point onwards, the role of compliance was transformed. Firms began to allocate significant resource to this function to ensure they could provide continued assurance to the FCA that its rules and guidelines were being followed. It became imperative to demonstrate that mis-selling, unreasonable collections practices, affordability issues and poor customer service were being eliminated.
The compliance department evolved from the ‘Profit Police’ into a pivotal function in every FCA regulated firm.
Risk management also became more prevalent under the new regulatory body, as the System and Controls section of the FCA’s handbook requires firms to assess and manage their risks, and have a Chief Risk Officer as one of their Approved Persons – individuals the FCA has approved to undertake one or more controlled functions.
These complimentary objectives meant that compliance and risk departments were consolidated. Compliance plans were established to monitor specific elements of the FCA handbook and verify adherence to them. Any identified control inadequacies could be migrated onto a firm’s risk register for monitoring and remediation.
Back to the present. Four years on from the introduction of the FCA, firms have, overall, implemented the necessary oversight to demonstrate that they are meeting their regulatory requirements and treating customers fairly.
But let’s be honest – there are selfish motivations too. A strong compliance department, empowered to change processes as best practice dictates, reduces the risk of both regulatory fines and exposure to defaults. This increases revenue and protects profit margins.
In a sector competing on cost at a scale never seen before, and where consumer brand loyalty is decreasing by the day, protecting a firm’s margins is crucial.
As compliance has increased in importance, technology has kept pace and evolved to reduce the time and cost burden regulation could otherwise have imposed. Now, best-of-breed credit management solutions seamlessly integrate compliance monitoring and reporting into their sourcing, approval and collections processes.
Happily, this combination of motivations and technological developments has created a win-win for lenders and borrowers alike: an established and proactive risk and compliance function that not only protects consumers but also contributes to the strategic objectives of the lender’s business.
It has equally attracted the attention of retail investors and potential bad actors. Combine the elements of hype tactics, fanciful notions of a new paradigm, and greed, we have the perfect market factors which could induce a frenzy unlike we’ve seen since the beenie babies craze. Oh wait, this sounds awfully similar to 2017, does it not? Below Jamar Johnson, crypto expert and owner of Otravel.ai, explains the potential regulation trends we may be looking at when it comes to cryptocurrencies.
Sure, many are now jumping on the blockchain bandwagon, and it is up to responsible regulators to guide the market and its participants responsibly for the next wave of blockchain mania, if and when it arrives. However, we must take on a more nuanced approach to said proposed regulation: how does a regulator support true innovation while not stifling its stated goals through high-cost barriers to entry as some might argue has taken place in New York with the BitLicense? How does countries like the United States incorporate policy frameworks that are similar to Singapore and Malta which are emerging as a hotbed for attracting blockchain talent? The issue becomes even trickier, when one factors in the opportunities for wealth creation (estimated to be in the trillions) despite the US currently lacks a comprehensive framework towards the blockchain across all 50 states.
Self-regulation organisations are commonplace in other sectors - for example, the Regulatory Authority in the Financial sector (FINRA) plays a major role in the Regulatory organisation of the broker and exchange.
The current EU laws do not provide protection to any investor who can be exposed to the risks of digital asset markets, taking into account the significant prices and the lack of supervision of offers and exchanges.
While many nations have discussed their policy towards the blockchain and cryptocurrencies, some of the smallest countries and regions have quickly moved into the creation of novel laws and programs designed to attract top talent within the blockchain space--like Malta, Singapore, and Puerto Rico being the closest US example, to date.
New and evolving financial technology companies need to comply with a network of laws and regulations that are designed to help customers and finance their finances and reduce the costs of repairing terrorists.
Across the pond, the Financial Authority of the United Kingdom provides fintech companies with a single domestic finance Regulatory Authority, clear qualification and test parameters, the possibility of waivers (on permission and review) and direct cooperation with Regulatory Authority.
The initial coin offer (ICOs) have become a popular way for businesses to earn money by launching a new digital coin in exchange for crypto currencies such as bitcoins or air. In countries like the US, it will be prudent for ICO founders to have clear guidance from a professional lawyer or legal team to help navigate the complex body of legals and regulations surrounding the offering of securities and meeting the Howey Test.
Last year, the Financial Authority (FCA), the UK's Financial watchdog, issued a statement detailing the risk of investment in ICOs.
In February, the U. s. Treasury Committee, which consists of several politicians, launched a request for digital currencies and a dispersed technology or a blockchain.
Part of the act requires digital exchange and portfolio to apply customer-specific care checks such as banks.
The regulatory environment within the US concerning digital currencies are not clear just yet. But we know they are coming and on its way to being formed (look into places just as Puerto Rico, Wyoming, or New York as an example). But regulations are coming. New announcements and stances are being made on a recurrent basis. The benefits for proper regulatory structure in the US is not there just yet, but the opportunity is too great to ignore: new tax base, the ushering in of the next waves of America’s greatest entrepreneurs, and the shape the narrative for the blockchain revolution currently underway.
The civil rights group wants to highlight the way in which these businesses handle data and asserts that they do not currently comply with the Data Protection Principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.
Privacy International’s criticisms are based on 50 subject access requests but admits that this investigation has “only been able to scratch the surface” of potential data exploitation practices. In fact, in October the Portuguese data watchdog issued a €400,000 fine to a Portuguese hospital for two GDPR violations, highlighting just how painful fines for non-compliance can be.
With the sheer volume of data financial services companies host, there is clearly scope for major issues if it isn’t managed efficiently. So why are many struggling with GDPR six months on?
The regulations pose so many challenges - industry goliaths can receive hundreds of subject access requests every day, presenting a huge administrative headache. At the other end of the spectrum, SMEs in the financial services sector may struggle to have even the most basic of systems in place to stay on top of data management.
There is also the complexity of understanding exactly what the law requires – what data can and can’t be stored and what the “right to be forgotten” means. Consider for a moment the back-up systems that most businesses have in place – by definition they are designed to not forget things. Does forgetting mean removing references even in long-lost archives? How do companies even begin to know where every piece of data they store on someone is hosted?
Despite the endless advice issued in the lead up to GDPR, many businesses still don’t have the necessary tools in place. Companies need robust processes and systems in place to tackle incoming queries and ensure timely follow-up and resolution. Response is not just a matter of customer satisfaction. It’s now the law.
Fortunately, technology can play a big part in easing the GDPR burden. Some of the time-consuming administration surrounding GDPR can easily be handled by having an automated system to capture data requests thus freeing up the human workforce to focus on more added-value tasks. An automated system can help companies retrieve information requested by customers, especially if they hold multiple forms of data on them.
Ironically, given that many worried GDPR would be the bottleneck to its widespread adoption, AI will prove central to automating subject access requests. Embracing technology that continues to grow increasingly knowledgeable in the intricacies of GDPR and algorithms will automatically see necessary data deleted when customers request to be forgotten.
This removes the burden of compliance from financial professionals, who may legitimately spend hours trawling systems for any reference to one client, when AI can manage this in a matter of seconds. Professionals can utilise this time saving by adding value to clients instead – strengthening relationships and increasing the chances of them being brand advocates, rather than requesting to be forgotten.
No financial services company wants to see its name in the headlines for falling foul of GDPR requirements – both the financial penalties and reputational damage will prove difficult to bounce back from. Clients will inevitably move to competitors if they are suspicious that data processes aren’t up to speed. It’s therefore imperative that all businesses automate their GDPR processes, rather than struggling in silence and risking severe damage to their company in the process.
Almost a year in, is MiFID 2 fit for purpose, and what needs to be done to make sure that financial services companies start to comply? Below Matt Smith, CEO of SteelEye, explains.
Failure to comply implied threats of reputational damage and harsh fines from the FCA and so, come implementation day on January 3, those firms which hadn’t digested MiFID II’s 1.4 million paragraphs of rules in time were left living in fear of a crackdown from regulators.
Eleven months in, that crackdown has yet to materialise. And while a number of firms have undertaken the effort and expense to implement MiFID II’s myriad rules in full and have hopefully reaped the benefits of doing so, an equally substantial number haven’t – and regulators appear to be turning a blind eye.
This ‘softly, softly’ approach by the FCA has been picked up by commentators. Gina Miller, head of wealth manager SCM Direct, recently called for the Treasury to investigate the FCA for its failure to enforce MiFID II. This was in response to an April investigation which uncovered fifty firms in breach of MiFID II’s transparency rules. Despite receiving this dossier, the FCA wrote only to eight of the firms.
Given the breadth and complexity of MiFID II, most in the industry weren’t surprised that the FCA didn’t react strictly to non-compliance immediately after January 3. Equally as important as complying with MiFID II was that the markets affected by it continued to function effectively – which necessitated giving some time for the new rules to settle down.
But the lacklustre approach of the FCA is less understandable now we are approaching the anniversary of MiFID II’s implementation day. At the very least, it is unfair to those firms which took the time, trouble and expense to comply with MiFID II right from its implementation date – particularly smaller companies lacking substantial in house resources in technology and compliance.
The FCA’s unwillingness to enforce MiFID II is, unsurprisingly, having an effect on the number of firms making an ongoing effort to comply. As evidence, ESMA recently published its data completeness indicators, which showed a significant shortfall in companies’ compliance with ESMA’s data filing requirements – often submitting unsatisfactory data that is incomplete or late.
Ongoing ambiguity with MiFID II’s rules may be in part to blame. In the build up to MiFID II, many firms didn’t seem to fully understand what was actually required of them. This knowledge deficit was worsened by a lack of clear guidance from the FCA, which has continued.
Across the industry, the FCA has been criticised for this ambiguity, arguing that it makes it near-impossible to comply with the regulation. Even within firms, individuals have come to different interpretations of the rules and, throughout the industry, there is little coherence when it comes to compliance and what needs to be done by when.
The FCA has claimed that its soft approach to enforcing compliance is soon to end, meaning firms could soon have to embrace MiFID II or risk being left behind. But with ambiguity remaining and a number of hurdles ahead, many in the industry are beginning to wonder if the FCA even knows what exactly it is going to be enforcing.
The shadow of Brexit looms large and the future of London as a financial hub is still unclear, as is definitive information on what regulatory regime will apply: a paper backed by ex-Brexit Secretary David Davis suggests numerous reforms to MiFID II. Moreover, the form and scope of MiFID II could soon be set to change considerably, with MEP Kay Swinburne already hinting at the possibility of a MiFID III.
This leaves both the FCA and financial services firms flying blind when it comes to both compliance and enforcement. This climate of uncertainty puts on hold the achievement of MiFID II’s goals of increasing transparency, investor protection and market competition.
If these goals are to be realised, a more responsible stewardship of its own rules – and uniform implementation of them – must be enforced by the FCA. If the FCA delivers on what it promised with MiFID II, out of enforcement a more transparent, competitive and efficient industry should emerge.
A greater proportion of IT decision-makers in the financial/banking sector see key financial services regulations as a driver of innovation (34%) than regard them as a barrier to it (24%).
More than a third (34%) of IT decision-makers across the UK financial sector regard key financial services regulations such as PSD2 and FRTB as a driver of innovation within financial services organisations, while fewer than a quarter (24%) see them as a barrier to it. That is according to survey of IT decision-makers across a range of financial and banking sector organisations, including retail and investment banking, asset management, hedge funds and clearing houses.
The survey, commissioned by software vendor, InterSystems, also found that just 20% of these decision-makers believe their organisation is very well prepared for the roll-out of the new regulations.
Graeme Dillane, financial services manager, InterSystems said: “Historically, firms have responded in a piecemeal fashion by putting in place new siloed applications to meet the needs of each new ruling. The latest round of regulations raises the stakes by effectively demanding businesses break down their data silos, better integrate their data enterprise-wide, and analyse it in real time in the context of new event and transactional data. All of that makes it vital that organisations innovate now.”
To lay the foundations for innovation, firms need automated systems. Currently, however, automation levels are low. Just 21% of the sample said they had fully automated the processes they had put in place to meet regulatory and compliance demands. 33% said they had not automated them at all.
More positively, the survey indicates that IT decision-makers across this sector are aware of what needs to be done to change this. Nearly two thirds (66%) said that they expect innovative technology will have an important role to play in ensuring regulatory compliance for financial services businesses over the next five years.
“It’s clear that financial services businesses increasingly understand just how crucial it is to actively innovate in order to address the challenges presented by the latest industry regulations,” says Dillane, “and the good news is that we are starting to see evidence on the ground that they are seeking out new solutions to help ensure their compliance.”
(Source: InterSystems)
The European funds industry still has major concerns over Brexit and the fear and uncertainty that comes with it, according to new research with European fund managers.
More than half of respondents (55%) say that Brexit continues to be one of the biggest issues facing the funds industry in 2018. However, the study, conducted by online board portal provider eShare with delegates at the recent FundForum International event in Berlin, also revealed the funds industry was generally optimistic about prospects for the industry in 2018 and beyond - 82% believe that the funds market is generally buoyant despite political and economic affairs.
“The fund management industry has faced much pressure over the past few years, with new regulation intended to improve transparency adding many layers of complexity to governance and compliance programs,” said Camilla Braithwaite, Head of Communications, eShare. “But confidence amongst European fund managers remains high despite this, with Brexit the only main concern for many. However, with the major decisions over Brexit and its impact on financial services still to be made, fund managers are proceeding as normal until they know more and the industry is thriving because of it.”
The new regulations, such as GDPR and MiFID II, have undoubtedly affected the industry though, with fund managers increasingly aware of the risks that come with non-compliance. 84% of those surveyed felt that their organisation could improve the operations surrounding risk management and decision-making.
With fund managers facing tough decisions about compliance, investments and many other factors, the ability to be transparent about such matters was one of the most important things identified by survey respondents. 97% said that demonstrating transparency into decision-making is increasingly important for the industry.
As the pressure grows on fund managers to be compliant and well-governed, so the need for transparency increases too. 84% of respondents said that technology is the future for improving governance standards within the funds industry.
“Transparency is essential in modern fund management and demonstrating this is right at the top of the agenda for most fund managers, keen to reassure clients and regulators alike,” continued Camilla Braithwaite. “Technology can play a significant role in this, showing how decisions were reached and supporting governance and compliance requirements. The industry has woken up to the potential of technology to help in this way, and the research would suggest that the mood within fund management is positive.”
(Source: eShare)
