Five key risks for financial services
Sunday, July 31, 2016
Susannah Hammond assesses what’s coming next on the risk and regulation front for financial services.
The political and regulatory focus on financial services firms continues unabated. While some of the big reforms, such as the wholesale recapitalisation of banks, are beginning to draw to a close, there are myriad other big, complex, cross-border regulatory changes still to be fully developed, implemented and embedded.
In parallel, regulators are increasing the stakes with an enhanced focus on the actions (and inactions) of individuals with key updates in regulatory approaches designed to facilitate holding senior managers accountable for corporate wrongdoing.
Whilst the detailed risks run by firms are unique, there is a series of high-level risks which all financial services firms, whatever their sector or geography, need to consider.
The detailed practical effect of each risk on a given firm, and the precise mitigation approach required, will vary, but the high-level risks remain relevant. In no particular order, there are five key risks which all firms need to consider:
1. Conduct Risk
Identifying, managing and mitigating conduct risk is one of the highest regulatory priorities around the world, with regulators' attention and resources firmly centred on the behaviour of firms and senior individuals and how they conduct their business. It is a clear regulatory expectation that firms create their own working definition of what conduct risk means for their business.
Anecdotally, there has been much debate in boardrooms as to what 'good' looks like in terms of conduct risk, with one person's reasonable approach being another's sharp practice.
Much continues to change in the development of the approach to conduct risk, but there are some consistent themes: the need for continued board engagement, now beginning to include consistent messaging from middle managers; high-quality reporting and management information, backed up by internal audit oversight; all overlaid with the practical reality of increasing personal liability.
2. Personal Liability
In many ways, 2016 is likely to be the year when personal liability becomes practical reality. In theory, individuals could already have been held accountable routinely, but it was often simpler, quicker and easier for regulators to pursue firms with the aim of achieving more compliant behaviour.
Regulators have themselves come under criticism for their approach to senior individuals, and in particular for not having been seen to hold key personnel to account for the failings which led to the great financial crisis.
Whilst previous iterations of rulebooks did enable regulators to enforce against senior managers it was often a costly exercise in terms of both time and money. Firms were (and indeed still are) seen as much easier to enforce against.
The UK has perhaps taken the most decisive steps towards changing the requirements and expectations for senior managers. Since March 2016, UK banks and the very largest asset managers (investment firms designated by the UK Prudential Regulation Authority) have been subject to the new Senior Managers and Certification Regime (SM&CR), which requires firms to allocate prescribed responsibilities clearly to named individuals and to document those accountabilities in formal 'responsibility maps'. The SM&CR rules are due to be extended to all financial services firms in 2018.
3. Compensation Practices
Compensation practices are interlinked with both conduct risk and personal liability. There is a growing sense that the reform of compensation practices instigated by the Financial Stability Board in the immediate aftermath of the financial crisis has not, as yet, been implemented effectively by firms. The point was made in stark terms in the Group of Thirty's report entitled 'Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform'.
The findings of the G30 work highlight the sheer depth and breadth of work that still needs to be done to address the near universal flaws in bank culture. The report does not define one good or one bad culture, or propose further regulation to govern culture.
Rather, it identifies approaches, processes and examples of good practice in key areas, including the overall mindset on culture, the need for senior accountability and governance processes, performance management and incentives (compensation), staff development and promotion, and an effective three lines of defence; and it identifies specific ways regulators, supervisors and authorities can contribute effective
4. Data Protection
After extensive and much delayed debate, the final touches are being put on the European General Data Protection Regulation (GDPR). The first thing for firms around the world to be aware of is that the regulation will apply to the processing of personal data of anyone who resides in the European Union*, no matter where in the world the firm is deemed to be doing business, and does not depend on whether any transaction has taken place: offering goods or services to people in the EU, whether or not a payment is required, or monitoring their behaviour, is enough to bring a firm within scope.
All financial services firms will therefore need to ensure that they can identify any and all of their clients who are deemed to be resident in the European Union, regardless of where, geographically, they happen to be dealing with them.
Firms would be well advised to review all aspects of their data protection policies, procedures and controls to ensure that they have a solid base from which to consider and implement any systems or other changes required ahead of the regulation applying from May 2018. Financial services firms cannot afford to take data protection issues lightly. Apart from anything else, the new Regulation allows fines of up to 4 percent of worldwide annual turnover (or EUR 20 million, whichever is higher).
The reputational damage, and indeed the higher sanctions from data protection supervisory authorities, are one thing, but poor data protection compliance could also lead the relevant financial services regulators to ask many more compliance questions of the firm and its senior managers.
5. Regulatory Fatigue
Last but not least is the continued sheer volume, pace and range of changes aimed at reforming financial services. The changes are not limited to the rulebooks but encompass the regulatory bodies themselves, required structural changes (to banks in particular), the identification of systemically important financial services firms and the creation of additional rules for them, and changes to the regulatory perimeter.
There is a natural focus on the 'front end' of the changes, with skilled resources being employed to consider and lobby on the practical impact of consultation papers and other policy documents. What happens next, the implementation, needs equally skilled risk management.
Anecdotally, many firms are finding that their entire IT change capacity is being consumed by the need to keep pace with changing regulatory requirements.
This has left some firms with extremely limited capacity to undertake business-driven change programmes, the merging of old legacy systems and the removal of manual work-arounds. Firms would always like more capacity to upgrade and renew IT systems, but skilled risk management is needed to make the most of the firm's current change programme capacity.
Firms may find it useful to take a stand-back view of all the essential, regulatory and indeed 'nice to have' IT changes and, where possible, integrate projects. Practical examples of this could include centralising the compliance, audit and risk databases used for monitoring, regulatory approvals, management information and report generation, and regulatory relationship management, so that each group office is not replicating effort.
* This article first appeared in the CPAA's Practising Accountant magazine earlier this year (prior to the UK's vote to leave the EU).