
Grainne McKeever, Marketing and Communications Consultant at Imperva, shares an outline of the regulations with which financial services must comply in 2020.

The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.

The financial crisis in 2008 meant even tighter rules for financial services with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.

The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.

Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.

A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments comes with specific obligations that the role must manage to ensure the organisation stays compliant.


Data Protection 

Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organisations need to build privacy and protection into their products, services, and applications.

Data privacy is also one of the key requirements of the NYDFS regulation which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.

Data Discovery

To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritise and assign a risk profile to datasets.


Data Monitoring

A recurring requirement of data regulation is that organisations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”

Incident Reporting

Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts, risking a genuine threat slipping through the net.

Using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface will make it easier to recognise a real breach in time to stop it from accessing internal networks.

With a plethora of privacy and security regulations grounding themselves in organisations across the world, there is no choice but to adhere to them to ensure the security of others, as well as making sure that accountability is at the forefront of all businesses in the financial sector. By adhering to data protection, data discovery, data monitoring and incident reporting requirements, financial services will be able to continue to flourish whilst having security at heart.

According to Roberts Lasovskis at investment platform TWINO, the year ahead is an opportunity to get onboard with the changes happening all around us, embrace regulation, and create solutions that focus on the customers.

Lendy’s collapse in May and FundingSecure’s in October put a combined £240m of savers’ money at risk, while Funding Circle’s new withdrawal processes have raised investor concern among even the most well-established lenders. But there is light at the end of the tunnel, and the industry can be optimistic for 2020, providing last year’s lessons are learnt.

Firstly, there is one particular aspect of the two peer-to-peer collapses last year that has attracted much of the criticism from both media and investors. Both Lendy and FundingSecure came advertised as ‘approved by the FCA’, yet in collapse, both displayed structural faults and warning signs that should perhaps have been noticed earlier. Managing credit risk is an expensive learning process, but it should be taken very seriously, using as many data sources and as much testing as possible. Inevitably, these high-profile failures will cause a tightening of regulation across the industry. That is a good thing.

The sector should not just tolerate and survive regulation; it must embrace it. Higher levels of scrutiny from administrators lead to better industry structures and more robust business models that generate greater trust from consumers. This is an inevitable step for a maturing industry, and now is the time for peer-to-peer to ensure its regulations are fit for purpose, and that investor money is not put at unnecessary risk.


As well as building consumer trust and engagement in the sector, increased regulation encourages the development of better products. When regulation works well, companies are forced to innovate and adapt to meet the new challenges, eliminating the shortcuts or ‘easy options’ that are taken when developing a product for consumers. Ultimately, this creates safer and more sustainable returns for investors.

Beyond regulatory intervention, it is paramount that in 2020 the peer-to-peer industry prioritises transparency - with investors, borrowers and other industry partners. Transparency and clear communication are key to rebuilding trust in the sector, and even in specific products. Take Funding Circle as an example. It is undoubtedly one of the most successful businesses in the sector, and yet has been suffering a recent crisis in trust, which has been largely caused by customers not fully understanding what procedural changes are going to mean for their money.

The changes in question are not necessarily the full problem. The model is no less safe and the business is no less high-profile. Nor do investors automatically object to the idea of a delay before they can access their money (look at fixed-term savings accounts for example). As with all peer to peer lending platforms, it is simply a question of understanding risk - customers misinterpreted the changes as a sign that their money was under threat and understandably rushed to protect it.


As with all communication, and this goes for most industries, the customer must always come first. Fintech itself exploded as a sector in the wake of the 2008 financial crash, as a reaction to bad practices in the financial services industry. New businesses and solutions were developed to fix the shortcomings in finance and financial services, and to pivot them back to a consumer-focus. Many are predicting an economic downturn in the next year or couple of years, following a decade of growth. Fintech businesses emerged from the last downturn by creating solutions that focused on their customers, and should do so again.

Peer-to-peer is a prime example of how fintech puts customers first, directly connecting those investors who want to see their money grow faster with those seeking convenient loans. For all the perceived problems in the P2P sector, the fundamental market for the products has not changed. By remembering where it came from, and the problems it set out to solve, the sector can still thrive in 2020, even if the predicted economic downturn materialises. To avoid the pitfalls other providers have fallen into, peer-to-peer must embrace regulation, communicate with transparency and focus on leveraging its expertise to provide trustworthy customer-centric solutions.

Make no mistake: if Schwab can pull off a deal for TD Ameritrade then it has pulled off something of a coup. It is not just the deal of the year; in this sector it is the deal of many a year.

The market is slightly stunned but loves the potential Schwab TD Ameritrade tie-up, and well it might. Schwab’s share price is up by 7.5% since news of the possible deal broke. For its part, TD Ameritrade’s share price is up by 17%.

Schwab already ranks first by market share in the discount brokerage market. Snapping up the number two player TD Ameritrade means that Schwab would tower over the sector.

However, regulatory approval for the proposed mega deal is in no way guaranteed. But if Schwab can get over the regulatory hurdles – and that is a big if – expect Schwab to boost its earnings per share. For starters, that will come through better monetisation of Ameritrade’s sweep deposits. Then there are the synergy cost savings.

KBW suggests that an all-equity transaction could equate to 10%-15% EPS accretion for Schwab. And such a forecast may even be on the conservative side.

Schwab has about $3.9trn in client assets and over 12 million active brokerage accounts. TD has about $1.3trn in assets and services 11 million client accounts. In addition, it provides custodian services for more than 6,000 independent advisers. Only privately held Fidelity, with about 30 million brokerage accounts, is in the same league.

However, spare a thought, meanwhile, for shareholders of smaller rival E*Trade. Any Schwab/TD tie-up is the stuff of nightmares for E*Trade, and its share price promptly dropped by 10%.

(Source: Retail Banker International)

According to Chris Mangioni, Associate Director at Protiviti, banks, financial and credit institutions (including FinTechs and MSBs) as well as other “obliged entities” must be prepared to take urgent action if they haven't already.

4AMLD originally came into effect through local laws in the UK and other EEA (European Economic Area) jurisdictions in June 2017. This Directive and related legislation brought about some of the most comprehensive and high impact changes to the AML approach that the “obliged entities” have yet to experience.

In May 2019, the European Commission (EC) mandated that obliged European home-based regulated entities must conduct a full assessment of every non-EEA country in which they have branches or subsidiaries, by 3rd September. This includes the following:

If the obliged entity cannot effectively manage the ML/TF risks in a higher risk third country through the additional measures applied, then the organisation shall close down some or all of its operations in that country. Upon request, the obliged entity must be able to demonstrate to its AML supervisors/regulators the extent of the additional measures applied to help mitigate the ML/TF risks. EEA Member State AML supervisors can also require obliged entities to terminate business relationships or even cease operations in the higher risk third country jurisdictions identified.


These provisions are in addition to the stricter Enhanced Due Diligence (EDD) measures for relationships with clients from or established in the EC high-risk third country list. This list is considered to be a good starting point for firms assessing the ML/TF risks of non-EEA countries. Further, the FATF list of jurisdictions with strategic deficiencies should also have been considered when identifying potentially higher risk third countries.

Existing State: 4AMLD

Many organisations are assessing how to differentiate their TM and ongoing monitoring process for EC high-risk third countries. 4AMLD brought in a stricter EDD requirement for any business relationship or transaction with a person established in an EC high-risk third country (this is not required for branches or majority-owned subsidiaries of EEA entities, where they can show they comply with Group-wide EEA policies and procedures). This stricter requirement includes making enhancements to ongoing monitoring, with an obligation to increase the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appears to be suspicious. The increase in the monitoring of the business relationship should include greater scrutiny of transactions.

The EC high-risk third country list originally consisted of 12 countries and now stands at 16 countries after changes made in 2019. The additional countries proposed in February 2019 included Saudi Arabia; however, this was retracted by the EC.

Firms that have not yet differentiated their TM and ongoing monitoring processes for clients based in EC high-risk third countries are potentially non-compliant with 4AMLD.


Future State: 5AMLD – Implementation date: 10 January 2020 at the latest

Unlike 4AMLD, there is expected to be no grace period for firms after 10 January 2020. Therefore, it is critical that organisations are taking the necessary steps to plan and implement the necessary changes in advance of the 5th Anti-Money Laundering Directive (5AMLD) being transposed into local EEA law.

Although the date of the 5AMLD related UK Money Laundering Regulations is still to be confirmed, the law will be transposed before obliged entities need to comply with it by January 2020. Other EEA regulators are also progressing with publishing their transposition of 5AMLD into local law.

5AMLD will bring new services and entities into scope for obliged entities. These include crypto-asset related entities (virtual currencies), e-money entities, art intermediaries, tax advisors, letting agents, corporate service providers, high-value dealers and entities involved in the issuance and distribution of anonymous pre-paid payment cards.

Amongst other things, 5AMLD will:

5AMLD is also expected to clarify the technical specifics for EEA company registries concerning ultimate beneficial ownership information. Further, it is likely to create additional reporting requirements upon obliged entities to report discrepancies identified on EEA company registers.

As 5AMLD is now less than 6 months from the final implementation date in early January 2020, what necessary steps and measures has your firm taken to help ensure it can comply from day 1 or face potential regulatory backlash and increased scrutiny, including possible associated reputational risks? 

 

Below Marcin Nadolny, Head of Regional Fraud & Security Practice at SAS, explains more on the date push back and what this will mean for banks moving forward.

UK companies must be able to demonstrate that they are moving towards compliance from September 2019, but no enforcement action will be taken for 18 months. For the rest of the EU in general, the timeline is unchanged. However, national competent authorities have the flexibility to provide limited additional time to become PSD2 compliant (see the recent EBA opinion).

The big picture

But whichever country you’re in, it’s essential that companies recognise the urgency at play. In the new digital world, payment security is absolutely essential. The question now is not whether PSD2 compliance should remain at the top of the priority list. It’s how quickly companies can realistically achieve it. In a nutshell, PSD2 simultaneously massively increases the amount of financial data moving into banks’ systems while also making it mandatory that they run fraud controls on that data in real time.

As PSD2 ushers in the age of open APIs in finance, the traffic volume that payment processors will have to handle will be enormous. Consumers’ personally identifiable data will be at heightened risk, and we will observe increased malware attacks and data breaches via the newly created attack vectors. If businesses aren’t prepared for the change, it’ll be a fraudster’s paradise.

Is your organisation ready to cope with this new heavy traffic and identify fraudulent activities? It might be like finding a needle in a haystack. Fortunately, AI is coming to the rescue. Emerging technologies, such as predictive models, network analytics and anomaly detection, all have the power to increase your efficiency in finding and fighting fraud.


Real-time fraud detection

PSD2 is more than just a regulation. It’s the start of a major transformation for the payments industry. With the move to digital-first, open models, there’s an increased need to operate processes in real time – providing instant payments, for example – and that means that fraud prevention will need to move at the same speed.

Adequate anti-fraud protection is required by the regulation. Banks are expected to fill out certain tests as a fraud assessment, including reviewing behavioural profiles, checking known compromised devices and IDs, applying known fraud scenarios to transactions, and detecting malware signs. Analytics can help speed up detection, find suspicious behaviours and collate data points by ingesting new data sources. This builds a picture of "normal" behaviour against which banks can measure transactions.

At present, not all banks are applying all these anti-fraud measures. Some base their protection on simple rules and aren’t able to detect fraud in real time or stop transactions in progress. These abilities aren’t technically required by the regulator until PSD2 comes into effect. Real-time fraud prevention used to be a luxury – but now it’s a must-have. Banks must take the initiative to ensure they can detect fraud in process in incredibly short time frames.

Third parties enter the market

The other major change included in PSD2 is the arrival of third-party providers in the market. These nonfinancial companies, including GAFA (Google, Amazon, Facebook and Apple), e-tailers and fintechs, will be able to work as payment processors going between customers and banks. This means the banks have a much bigger traffic volume to handle and review for fraud. Legacy systems and processes simply can’t handle it.

In order to cope, banks need to have systems in place that are able to assess for fraud at huge volumes and in real time. Not only that, but transactions from third parties might come with limited contextual information. So, banks will have to enrich them with additional data on variables including digital identity, reputation and past behaviour.

AI applications will be essential to handle that ongoing enrichment at speed. Humans alone simply can’t process that level of information. So, it’s essential that banks invest in AI to augment the skills they have and lighten the load of compliance.

Managing the risk

The risk to banks posed by these growing data streams is not just in terms of payment fraud. There is also a heightened cybersecurity risk. New data flows and new payment systems present possible system back doors and new attack vectors that hackers will be quick to discover. By attacking third party infrastructure, malicious actors will be able to gain access to consumers’ personal data.

Addressing this problem is not the sole responsibility of the banks. But it highlights the level of risk associated with the increase in data volume and connectedness. Reputational damage and heavy fines are a very real possibility for institutions that don’t get their act together in time.

Compliance will require many changes to anti-fraud and customer identification processes. The technology required to handle this additional burden is out there. Banks must invest wisely and ensure they are fully equipped, whether next month or by 2021.

PSD2 is undoubtedly going to have a major impact on the future of payments in the European Economic Area (EEA), says Stefan Nandzik, VP of Corporate Communications at Signifyd.

Yet, big conversations need to be had about the impact PSD2 will have on other industries. E-commerce heavily relies on the payment transactions which PSD2 aims to improve, so why is the sector skirting around it?

In fact, so little of the PSD2 discussion has revolved around retail that some merchants are still unaware that the regulation will apply to them, while others wonder just what the new rules will mean for their online operations.

So, let’s be clear: ignoring PSD2 will not make it go away. Neither will relying on the talk of delays for all or parts of the regulation beyond the regulation’s 14 September deadline -- though there will be delays and frameworks for compliance in the UK, as recently announced by the Financial Conduct Authority (FCA), and we expect that more jurisdictions will follow.

There is a sense of deja vu in European retailers’ reaction to PSD2. Remember businesses’ response to GDPR as its consumer-privacy requirements were barrelling toward them? It’s not that unfair to characterise some retailers’ GDPR strategy at the time as: “Let’s ignore it and hope it goes away”.

However, it didn’t and PSD2 won’t either. But just as forward-thinking enterprises embraced GDPR and turned implementation of the consumer protections into a competitive advantage, smart retailers have the opportunity to do the same with PSD2.


In order to turn PSD2 requirements into a competitive advantage, retailers need to find a way to provide seamless customer experiences while still measuring Strong Customer Authentication’s (SCA) three elements of possession, inherence and knowledge, ideally without ever prompting their customers to take additional checkout steps or turning over the checkout flow to the card brands.

The infrastructure that will tell the issuing banks that SCA has been completed — think 3D Secure — will be upgraded and improved, but the substance of the regulation and its requirements will be with us going forward.

Counting on the regulation’s burden to be eased by the EBA’s recent opinion is not a winning strategy. Neither is looking for loopholes through exemptions, whitelists or convoluted payment paths that will move issuers or acquirers out of the EEA (the so-called ‘one leg out exemption’).

In fact, those aren’t strategies at all, if for no other reason than that none of the exceptions provided will help even the likes of Stripe, Amazon or Worldpay prevent conversion drop-off.

A winning PSD2 strategy requires rethinking what PSD2 is all about. PSD2 is a long-term consumer protection initiative that requires innovation to make it seamless. It is not a problem looking for a quick fix. Workarounds that seek to be clever — relying on loopholes and half-measures — won’t make life easier for merchants or their customers. In fact, they will lead to more misery for both.


Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the problems that don’t protect their customers’ payment information. Let’s break down an optimal system into its pieces.

SCA and its three elements of measuring possession, inherence and knowledge are at the core of the regulation applicable to retailers. It is also the focus of much of the anxiety around PSD2, because, for most retailers, SCA was considered to be part and parcel with 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction.

The truth is, leveraging the three elements of SCA is an effective safeguard against fraud. SCA is powerful. It works. Requiring authentication based on something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password from before the transaction, for instance) and something the consumer possesses (a digital device as evidenced by a token, for instance), is a robust and secure method. Even if a fraudster breaches one of the three identifiers, that breach doesn’t compromise the other two identifiers.

The key development for retailers to keep in mind here is the EBA’s June opinion that rightly stated that implementing 3D Secure 2.0 is not the same as implementing SCA. (The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA.)


The EBA stated plainly in its 21 June memo that: “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics”.

The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof”.

We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can take an eternity on the web — think 15 seconds or more.

And, of course, we know what an eternity on the web does to conversions — slow and cumbersome checkout processes are a conversion killer. Nearly 48% of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28% of consumers abandoned their carts because checkout took too long or was too complex.

The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.

Such a system, relying on a vast amount of transaction data, provides the right degree of scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.

The holistic approach allows for nearly instantaneous SCA review and more accurate decisions based on the significantly more data processed by the system’s learning machines, as opposed to passing down that data all the way to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant, onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.

While the details of this innovative approach to PSD2 are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.

E-tailers who are planning to bank on exemptions to PSD2 will fail miserably as said exemptions are only sometimes applicable to small value baskets, and are ultimately dependent on the acquiring and issuing banks’ low fraud rates. And retailers can’t control either of these factors.

Embracing PSD2 gives back control to retailers, giving them a real opportunity to build a competitive advantage. When e-tailers take a proactive approach to the directive, it’s possible for them to implement a robust system which meets the aims of PSD2 whilst also maintaining the online customer experience. The future belongs to e-retailers who have the ingenuity and foresight to treat PSD2 as an opportunity, not as the elephant in the room.

Without this integrity – and constant striving for health - a market risks becoming a venue for market manipulation, insider trading and other undetected criminal behaviour. Catherine Moss, corporate Partner at Shakespeare Martineau, explains for Finance Monthly.

Preventing behaviours amounting to market abuse, and tackling a lack of awareness of risk, has been central to the regulators’ quest for fairness for a number of years. So, following on from the July 2016 introduction of the Market Abuse Regulation (MAR), how is the UK faring and with a further review by the European Securities and Markets Authority (ESMA), what does the future hold?

Markets are driven, and develop depth, through pricing; and prices are – and have always been – vulnerable to manipulation. MAR, and its previous manifestations, were designed to identify behaviours which manipulated markets, or which allowed people to buy securities or commodities on a privileged basis with information which was not generally available to other trading parties.

The UK has had a legal framework around insider dealing and market abuse for a number of years. However, the introduction of MAR in 2016 formed a further part of a Europe-wide attempt at greater harmonisation, in response to scandals which came to light in the financial crisis and the greater complexity of the financial markets and emergence of alternative trading platforms. In the move towards a more congruent, European-wide, regime encompassing not only securities trading but trading in fixed income and commodity markets and related benchmarks, did the EU fulfil its markets’ needs? Leaving aside the question as to whether the latter could ever be achievable given the myriad trading venues now available, have market participants found the legislation fit for purpose?

The upcoming review of MAR will be undertaken by ESMA, looking into how well the regulations and directives are being implemented, whether the regime should be broadened, whether cross-market order book surveillance should be made subject to an EU framework; and, suggesting purposeful legislative amendments. Consideration is to be given to extending the regime to the foreign exchange markets. In addition, aspects of MAR which are still - unhelpfully - subject to specialist debate as to their scope, for example buybacks, insider lists and managers’ transactions, are to be further considered by ESMA.

At its simplest, there is a need to balance the desire of a company to access public money and trade its securities on a public platform against the requirement to adhere to the rules which apply to that market and its participants. It is crucial to the health of a market to ensure that information which may unfairly disadvantage other parties is not only managed securely but released in accordance with that market’s rules. Julia Hoggett, Director of Market Oversight at the FCA, put it starkly: “The life blood of all well-functioning markets is the timely dissemination of information, without which effective price formation cannot take place. The malignant form of that same life blood is the misuse or inappropriate dissemination of that information.”

However, as companies and their advisers know, market abuse legislation - whether EU or local - has been traditionally quite complicated and tricky to comply with. As the recent survey results from the Quoted Companies Alliance (QCA) demonstrate, issuers and their advisers have exhibited a broad range of responses to legislation which is meant to direct efforts to maximum harmonisation. However, these require additional processes and procedures to be put in place, understood and adhered to.

Lack of certainty as to the MAR requirements, for example, on the duration of closed periods, is striking. The FCA has quite rightly observed that “awareness is not present in all market participants.” Given the FCA’s stated objective of making effective compliance with MAR a state of mind - at least amongst the community it regulates - it must be asked how this is to be achieved within the current, or future, legislative framework where achieving certainty as to the meaning of the legislation appears difficult.

Clearly, with the introduction of any new regulation, some companies and issuers adapt faster than others, particularly if they are larger and better resourced. It is obvious from the QCA’s survey results, however, that many smaller and mid-size issuers are still navigating MAR’s complex requirements hesitantly. But more worryingly, it can be seen from the pattern - and lack - of regulatory announcements that some issuers, particularly in less obvious and well-policed trading venues, seem not to have recognised the breadth of its application. Education clearly is key and greater regulatory and market promotion of the constraints which issuers are to work within is to be encouraged.

So, what should be done to ensure that the requirements of MAR become part of an issuer’s “state of mind”? Effective regulatory response can seem sometimes to be limited to the publication of extensive decision notices which are picked over by advisers, keen to ensure that practical examples of poor behaviour, or the failure of systems, can be relayed as precautionary horror stories to their clients.

Many issuers seek regular training sessions with their advisers or company secretaries and become more confident as the reporting and transactional cycle demands their attention. Others find it difficult to engage in the processes required. Some, however, are not well-served by the advisers operating in the market and sector within which they trade. The FCA appears keen to seek to educate all issuers but, inevitably, issuers are still tripping up as they fail to understand, or to take advice on, the requirements of the regulatory framework within which they operate.

Whilst the ESMA review of MAR is unlikely to change the regime substantively, some regulatory time should be devoted to tailoring it more expressly to an issuer’s needs and securing a greater measure of awareness. Whilst the regulatory burden is unlikely to be lessened, clarity of approach together with greater support from markets and trading platforms as to the implications of MAR to their issuers would be welcome.

While the goals of these regulations are often described in detail, they frequently fail to outline just how the requirements must be met or the steps that need to be taken to achieve that compliance. Here Sarah Whipp, CMO and Head of Go to Market Strategy at Callsign, answers the question: Is regulatory ambiguity setting banks up for failure?

Take for example PSD2, which called for open APIs and the application of stronger authentication schemes but didn’t describe how best to meet these needs. With financial institutions in somewhat of a quandary, third party groups have noticed a gap in the market and stepped in to help, such as the Financial Data Exchange (FDX), The Berlin Group and the Open Bank project, who each put forth a different approach to meeting PSD2 compliance.

The three predominant authentication schemes that are currently being used are as follows:

For international banks in particular, this presents a tricky challenge, as they must be able to not only offer each of the aforementioned authentication schemes, but all three of these for each of the third-party groups who’ve stepped in to bridge the gap with PSD2. As a result, these banks are tackling an extremely complex policy situation in which the 9 potential authentication methods are even further compounded depending on location or circumstance. In addition, for each jurisdiction these companies operate in, regulations will be interpreted differently, making a coordinated approach very difficult.

The issue lies not in the sheer number of potential authentication methods with no clear direction from the regulators, but the fact that many of these major, global banks are currently relying on the human policy manager – knowledge siloed to a few IT group team members – to comprehend these regulatory needs. Quite often these teams would have insider knowledge, almost like living and breathing black boxes. Of course, if one of these people leaves the company, they are also taking with them a huge amount of valuable information.

Instead, banks must move away from their home-grown policy managers, and evolve to a more sophisticated and transparent policy manager in which sectors across the organisation can have a say. It is not just the IT team that has to review internal policies at these banks and say they’re fine. Everyone from Risk & Compliance right through to the Marketing function needs to ensure they are properly following protocol.

Challenger banks, those who have broken ground in the last decade or so and remain digital-first, are actually positioned much better to deal with these issues as much of their infrastructural practices are already grounded in flexible and agile practices. Thus, many banks facing these problems are established institutions, potentially embracing digital transformation in other areas of the organisation. To ensure they can remain competitive and compliant (regulations aren’t going away, they’re only getting stronger), they must also equip their policies for the future.

If these larger organisations don’t rise to the challenge they are in danger of dramatically harming the customer experience. They need to be able to balance keeping their customers’ digital identities safe and complying with regulations, while making sure users can get on without obstacles. By using the latest AI and machine learning, policy managers must adapt and learn in real time to achieve this goal. Implementing this technology, organisations can build multi-factor authentication journeys that are uniquely tailored to their own business, customers, products or services. Financial legislation is constantly being updated, so flexible technology will help them navigate any changes with relative ease.

Letting agents are great in that they manage the trickier and lengthier aspects of tenancies which landlords typically dislike. With that said, finding one which best suits you and your needs can be tricky. CIA Landlord Insurance has put together a handy guide which may assist in laying out the basics.

Who is likely to benefit from using a letting agent?

Typically, landlords who benefit from the use of a letting agent are those who have a large number of properties to manage. Also, landlords do not always live close to the property they are renting out, so a letting agent close to the property may prove wise in order to keep tabs on their tenancies.

Letting agents work well for inexperienced landlords, where they can be utilised for some added security and support. It is highly important landlords are up to date on relevant regulations and legislation; therefore, if you are not or you do not feel comfortable in this department, it is most definitely worthwhile using a letting agent.

What services do letting agents provide?

There are varying levels of service which letting agents provide, from a ‘let-only’ or ‘tenant-find’ service for example, through to the more comprehensive ‘fully managed’ service.

A ‘let-only’ and ‘full management’ service are typically the two main categories which a letting agent will provide.

With a ‘let-only’ service, the letting agent takes responsibility for things such as providing rental assessments to give you a better understanding of what you can realistically charge, conducting viewings on your behalf and acquiring references from tenants. What can also be expected from this level of service is for a tenancy agreement to be provided, credit checks to be performed and the tenant’s first payment to be taken by them.

A full management service, on the other hand, will incorporate all of the aforementioned elements but you can expect the letting agent to take responsibility for the day-to-day management, too. If, for instance, a tenant locks themselves out of the property or there is a boiler fault, the letting agent will arrange for one of its approved contractors to resolve the issue.

What is the cost of a letting agent?

The cost of a letting agent greatly differs depending on factors such as the location and size of your property. As it is a highly competitive market, there is always the prospect of negotiation to get yourself a better deal, so long as you are prepared to haggle. Request a price from a number of sources in your locality, and begin negotiations from there.

If a small independent letting agent is hired, then for a ‘let-only’ service you may be fortunate enough to pay as little as a couple of hundred pounds for the service. However, the likelihood is you will pay the equivalent of a month’s rent plus an annual tenancy renewal fee.

It is important to note, from June 1st 2019 landlords or letting agents are no longer able to charge these fees to tenants. This means that (some) letting agents have been offsetting this loss onto the landlords (therefore paying double what would originally be paid for the renewal fees).

A full management service will typically be a 12-month deal with fees starting at around 12% and can rise to as much as 20% depending on location. If you come across prices lower than this, it may be wise to avoid them for reasons of service quality.

Should I use a letting agent?

With a wealth of information at our fingertips, it may seem lucrative to consider a ‘DIY’ approach for conducting a letting agent’s traditional duties. With plenty of research, it is possible you can do it yourself. Only go down this road if you feel confident in yourself to abide by the relevant regulations and legislation.

One thing to consider if you do decide to use a letting agent: check to see if they are registered with an industry body or trade association. These include the Association of Residential Letting Agents (ARLA), National Approved Lettings Scheme (NALS) and UK Association of Accredited Letting Agents (UKALA) as the main bodies whereby the letting agents have to adhere to certain standards in order to become a member.

The idea of being a landlord is great, but the reality, for the most part, is it is not an easy task. Taking control of all of your own property management may prove extremely difficult depending on the size and number of properties you own, and the nature of your tenants. You may have the best intentions of delivering everything all of your tenants require but sometimes this may not end up as being the case. If dealing with unhappy tenants is your idea of a nightmare, letting agents will do this for you.

In accordance with your own circumstances and requirements, only you as a landlord can make the decision but by keeping yourself well informed on all aspects discussed in this guide, to begin with, you can improve your chances of making the best possible choice for you.

Here Syedur Rahman of business crime solicitors Rahman Ravelli questions the effectiveness of big fines and the likelihood of criminal prosecutions in the future.

Standard Chartered has hit the headlines for the size of the fines imposed on it on both sides of the Atlantic.

But behind all the big numbers and the column inches it is hard not to wonder if such a costly slap on the wrists is now being viewed by the big banks as nothing more than the cost of doing big business.

Standard Chartered has been ordered to pay a total of $1.1 billion by US and UK authorities to settle allegations of poor money laundering controls and sanctions breaching. It is paying $947M to American agencies over allegations that it violated sanctions against six countries and has been fined £102M by the UK’s Financial Conduct Authority (FCA) for anti-money-laundering breaches, including shortcomings in its counter-terrorism finance controls in the Middle East.

These fines had been expected. Standard Chartered said two months before the fines were imposed that it had put $900M aside to cover them. But this isn’t the first time that Standard Chartered has had to pay out for its wrongdoing.

Seven years ago, it paid a $667M fine in the US. Like its latest US penalty, it related to alleged sanctions breaches. At the time, it also entered into a deferred prosecution agreement (DPA) with the US Department of Justice and the New York county district attorney’s office over Iranian sanctions breaches beyond 2007. That DPA would have expired by now but has been extended until April 2021 in the wake of the latest allegations.

Will this be the end of Standard Chartered’s problems and the start of a new allegation-free era? It is hard to believe so. But it is fair to point out that it is not the only bank to be hit by huge fines for wrongdoing and then be found to be repeating its illegal behaviour. Which is why it is hard to believe that fines are having any real impact on the way that some of the biggest banks function. If they are prepared to keep paying the fines and / or giving assurances about keeping to the terms of a DPA while reaping the benefits of breaking the law it is hard to see the cycle of behaviour changing.

Let’s be clear, any failure by Standard Chartered to abide by the terms of its DPA could see it facing criminal prosecution. And any bank’s weak approach to money laundering is now increasingly likely to be pounced on by the authorities. The Standard Chartered investigation was a co-ordinated multi-jurisdictional effort by the FCA, the US agencies and the United Arab Emirates. And while Standard Chartered’s full cooperation with the FCA saw it receive a 30% discount on its fine, relying on cooperation to gain a lesser punishment cannot be viewed as a safe approach.

The authorities around the world that investigate the activities of banks and other financial institutions are now more coordinated than ever. They have more legal powers than ever before and are unlikely to be reluctant to use them against those in the financial marketplace that come to be seen as repeat offenders.

There is no clear indication or evidence that the era of big fines may be about to pass or that the authorities are set to view convictions as a more effective deterrent to financial crime than hefty financial penalties. There may also be difficulties when it comes to corporate liability which, in the UK, requires proof that those involved in the wrongdoing are sufficiently senior to be considered the ‘controlling mind and will’ of the company.

But if fines continue to be ineffective in curbing the behaviour of certain banks it can surely only be a matter of time before the authorities rethink their approach to enforcement.

That is why, when the Competition and Markets Authority ordered the implementation of so-called Open Banking almost three years ago, everyone excitedly welcomed the prospect of upstart new banks and other fintech companies using technology to challenge the Big Five. Here Kevin McCallum, CCO at FreeAgent, talks to Finance Monthly about the different ways big banks are making the most of Open Banking.

More than a year after roll-out began, however, it looks more like the little guy is not yet making the inroads expected. In the new Open Banking race, it is the incumbents which are still leading the field.

When the CMA found insufficient competition in banking, it was no surprise - almost 90% of business accounts are concentrated with just four or five institutions, while 60% of personal customers had stayed with their bank for more than a decade.

The central solution was to be Open Banking, starting with requiring banks to allow rivals and third-party services access to customers’ account data - subject, of course, to the necessary permissions. This, the theory went, would spur competition through innovation - we would see banks reduced to interchangeable commodity services, mere infrastructure providers, with nimble, agile third-party services innovating on top, spurring the banks in to action.

In the same timeframe, we have certainly seen the emergence of digital-only challenger banks like Starling, Monzo, Tide and Revolut. While all of them offer 2019 features like savings round-ups, spending analysis, budgeting and merchant recognition, most of the innovation has happened within the walled garden of the traditional account.

Starling and Revolut are already registered for and engaged with Open Banking. Starling is now supported by MoneyDashboard and Raisin UK, while Revolut’s API is supporting connection to many third-party apps. But it’s fair to say the upstarts were expected to dive in to Open Banking faster and deeper than this; some consider them to be behind the curve.

What we have seen, instead, is the big banks leaning heavily in to Open Banking.

HSBC was amongst the first to offer account aggregation, the practice through which consumers can access account data from rival banks, inside a single provider’s own app, initially through a separate Connected Money app. Barclays, Lloyds and RBS/NatWest have since gone as far as offering the facility inside their core apps.

Of course, the big banks are incentivised to pull in rivals’ account data. Being the first port of call for all finance matters is attractive, whilst account data from other institutions can be used to aid product marketing and lending decisions.

In truth, we have begun to see the first signs of innovation amongst third-party services which plug in to those accounts. CastLight is helping lenders more quickly understand customers’ affordability, Moneybox is helping users round up spending in to savings, Fractal Labs uses knowledge of account activity to help businesses better manage their cash. We have even seen a large bank powering such new-style services in the shape of TSB’s loan comparison service, powered by Funding Options, which surfaces products from across providers.

But, even so, these use cases are not a step-change from the kind we already had before, albeit using less sophisticated methods of data collection. At FreeAgent, where we have offered bank account integration through more rudimentary means for several years now, we sense strong customer demand for efficient, API-driven bank account access. Most onlookers, and digital-savvy customers of the new-wave banks, expected more than this by now.

Why has the pace of Open Banking innovation to date been relatively underwhelming?

First, only the UK’s nine largest banks were mandated by the CMA to make account data available through APIs by the January 2018 deadline.

Ironically, the upstarts have been relatively more free to sit back. Indeed, unlike the legacy holders, they have no burning platform they need to quickly save; for them, the future is growth.

In fact, though, as smaller, less-well-resourced entities, they also have to plan out their investment more carefully than wealthier institutions, rather than dive headlong in to costly initiatives. Monzo is on-record as saying it will embrace the possibilities slowly, exploring whether to build features like account aggregation “in 2019”. When you’re a bank - even a cutting-edge, agile one - move fast and break things is a hard mantra to follow.

Furthermore, actual technical implementation of Open Banking is, shall we say, non-trivial. Adoption is complex, and far more complex for account providers than for third-party accessing services. In many cases, writing native code to enable integrations, whilst it may be considered messy, has been more straightforward than adopting Open Banking APIs.

Finally, the big banks, the “CMA 9”, have pushed compliance with Open Banking right down to the wire. Whilst they have been first to the punch, had they managed to launch sooner it may have encouraged the upstarts to compete more quickly.

It won’t stay like this forever. The Open Banking timeline has been an ironic inversion of the class of companies we typically expect to be canaries in the mineshaft of technical trailblazing. But banking innovation is about to become more evenly distributed as the balance between big guns and small players levels out.

From September, all banks, even the smaller ones, must be compliant with Open Banking standards. That is going to be an interesting moment for the new wave - can you really be considered the plucky upstart when you are subject to the same compliance framework as the lumbering giants?

Further regulatory compulsions on the big banks - and one in particular - could further spread Open Banking innovation downstream.

As part of conditions attached to its £45 billion government bail-out during the banking crisis, RBS has been compelled to funnel £700 million in previous state aid in to measures supporting business banking competition.

This so-called Alternative Remedies Package includes several pots of innovation funds, and the scheme’s independent administrator has just made the first innovation awards - £120 million to Metro Bank, £100 million to Starling, £60 million to ClearBank. Metro is promising “radically different” business banking, including “in-store debit card printing, lightning-fast lending decisions, fully digital on-boarding, integrated tax”; Starling says it will build “full suite of 52 digital banking products to meet the needs of all sole traders, micro businesses and small SME businesses”.

Even more awards are due to be made through 2019, likely spurring new use cases for Open Banking, and more besides, that many had not yet dreamed of. This level of funding is going to be an enormous catalyst for the kinds of companies that are really well placed to deliver.

The pace of technology adoption doesn’t always happen as quickly as it sometimes can feel.

Sometimes a great idea can take a long time to bubble up and gain widespread adoption. Shortly after the invention of the horseless carriage, Michigan Savings Bank is said to have forecast: “The horse is here to stay but the automobile is only a novelty - a fad.”

Technology becomes successful when innovation becomes normalised, when enough adoption has been seen that what, once, was considered new fades away and becomes part of the furniture.

Although we have spent the last couple of years talking about the Open Banking initiative, and although its roll-out has been slower than expected, this should not distract us from the likelihood that, in a short while, the innovation and adoption cycle around it will have accelerated to the extent we see many, many new use cases all around us spurring more services and more competition.

The ultimate test of Open Banking, then, will not be who is first to market - it will be when we no longer talk about it at all.

To help them take the first steps in creating their own strategic approach, Mobey Forum’s Executive Director, Elina Mattila, explores some of the most important and influential developments that banks need to know about the industry today.

Outside of the main financial services realm, a multi-billion-dollar global virtual currencies market has rapidly evolved and continues to gather pace. But, whilst virtual currencies have been ‘on the list’ of banks for some years, to date most have taken a hands-off approach.

This is now changing. Some of the larger financial institutions are beginning to formalize their positions. And, thanks to a combination of factors, now is a good time for banks everywhere to follow suit and move the strategic evaluation of this market higher up the priority list.

So, what are the factors at play and what do banks need to know about virtual currencies to enable them to form a clear, long-term strategy?

The crypto-crossover with traditional banking

The world now has programmable money in the form of cryptocurrencies, which are being used globally to exchange value outside of the conventional banking system. Crypto makes up the vast majority of volume in the virtual currency market but only a small percentage of the global money supply. Nevertheless, the numbers are large enough for banks to take notice and investment continues at pace.

Digital currencies may know no borders, but banks have always had perimeter control – whether they have chosen to actively engage or not – as they essentially own the transfer of ‘virtual value’ back into the conventional ecosystem, and vice versa. Now, facilities exist that support crypto trading without a wallet, for example, Bitcoin ETFs (Exchange Traded Funds), bank accounts and futures. In other words, anyone can now trade cryptocurrencies easily through banks or new entrants.

Capitalizing on this, some larger traditional players are starting to establish exchange and custody infrastructure for their clients, a trend which could see major banks exerting far greater influence and control.

Regulation is coming

Of course, there is greater risk associated with trading virtual currencies compared to conventional currencies. New regulations like Anti-Money Laundering 5 (AML5), however, are increasing medium-term clarity. The fact that virtual currencies, including cryptocurrencies, have been brought within the scope of new regulation is creating a competitive advantage for banks. A closely regulated environment plays to their deep regulatory experience and will make it easier for them to forge partnerships with other cryptocurrency stakeholders.

At the same time, new regulations are making it easier for virtual currency companies and exchanges to get access to bank services. This has been considered by crypto stakeholders to be one of the sector’s biggest hurdles to overcome, so banks may now begin to benefit from increased demand from these firms.

Regulation is, therefore, effectively priming the virtual currencies ecosystem for banks to engage by increasing transparency, reducing some of the associated risk, and lowering the barriers to entry. All of this will make it easier for banks to establish a role and to design new payment products.

ICOs and investments

An ICO is an Initial Coin Offering, also called a ‘token sale’. It is a public offering of a new token or cryptocurrency where investors typically, but not always, pay with another cryptocurrency, such as Bitcoin or Ether. ICOs are channeling venture capital investment and associated revenues away from traditional banking systems to crypto exchanges. Their growth demonstrates that virtual currencies, together with the technologies that underpin them, can provide more than just an alternative means of exchange. If jurisdictional challenges can be overcome, these have the potential to disrupt other traditional financial services.

With regulation, however, banks may now begin to evaluate ICOs as a possible investment option for customers.

Gaps are being bridged

The development of decentralized exchanges has triggered a recent surge of activity around creation of stablecoins. Put simply, stablecoins are cryptocurrencies that are either pegged directly, backed by another asset or programmed to ascertain stability against another asset. What’s exciting is that they have the potential to bridge between traditional and crypto assets, and promote stability in an otherwise volatile cryptocurrency market.

Stablecoins represent a far more familiar and serviceable industry for traditional banks, offering them the ability to unlock revenue generation from the cryptocurrency ecosystem, as well as the potential to operate traditional services with new efficiencies.

This is an emerging trend that may have implications for banks in the coming years, and so they may see their roles start to evolve quickly.

What’s next?

There are some credible, greenfield opportunities for banks to explore as they define their role within the virtual currencies market. Whilst the exact future remains difficult to foresee, a combination of these factors, and others, means that banks and financial institutions can now start to make decisions about how to move forward.

To support banks in their strategy creation, Mobey Forum has released a report entitled: ‘What Banks Need to Know About Virtual Currencies Right Now’. This report, created by the Virtual Currencies Expert Group, provides detailed considerations for banks and financial institutions who are looking to get involved in the virtual currencies market.
