Operational resilience has never been more important, and regulators are keen to prevent past mistakes from being repeated. fscom’s Jamie Cooke, Alison Donnelly, Tony Brown and Simon Whittaker offer timely advice.
COVID-19 is wreaking havoc on the world’s financial services, but the industry is also beset by another pandemic of problems for which there is no panacea.
As with the desperate search for a coronavirus vaccine, huge global efforts are being made to find solutions to the issues thrown up by ever-advancing information and communication technology (ICT) which, ironically, was once regarded as a cure for the industry’s ills.
Industrial-scale financial malpractice, data breaches and identity fraud are among the ‘diseases’ that have taken hold, and they now lie firmly in the sights of regulators, including the Financial Action Task Force (FATF), which brings together 39 members (37 jurisdictions and two regional organisations) to defend the world’s financial services from criminality. To counter cyber-enabled fraud, the FATF is currently drawing up a new framework to provide a common starting point for countries as they develop their own upgraded digital identity regulations.
Meanwhile, in the European Union (EU), the Fifth Anti-Money Laundering Directive (5AMLD), transposed into UK law as the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and in force since January 2020, has for the first time brought crypto businesses into a comprehensive regulatory regime requiring them to perform customer due diligence (CDD) and submit suspicious activity reports (SARs). In addition, the EU is developing new ways to strengthen digital operational resilience for the financial sector, including crypto assets, as it works towards a harmonised and convergent Digital Finance Strategy amid major concerns about security risks. It has also adopted an upgraded prudential regime, the Investment Firm Directive (IFD), that will apply to all investment firms authorised in the EU. Member states must transpose the IFD by June 2021, when the accompanying and directly applicable Investment Firm Regulation (IFR) also begins to apply; the package includes new rules for fixed and variable remuneration, disclosure and reporting obligations, and a requirement for some firms to establish a remuneration committee.
The UK’s Financial Conduct Authority (FCA) has also firmly signalled its intent to scrutinise operational resilience more thoroughly, along with the controls and testing methodology used for new technology, citing its concerns about businesses wanting to innovate faster than their infrastructures allow, often using third-party providers to do so. Against this backdrop, experts at the regulatory compliance consultancy fscom are in no doubt about what the biggest challenges will be once the current crisis passes.
“Regulation, regulation and regulation,” says Tony Brown, fscom’s senior financial crime manager.
“The biggest theme out of 5MLD, for example, is bringing crypto firms, crypto exchanges and crypto custodian wallet providers under supervision. These are traditionally technology companies that are suddenly going to be held to financial services standards. Companies need to have an appropriate roadmap in mind, knowing where the risks are, and having time dedicated to getting policies and procedures up to speed.”
A year of concerns
It’s not surprising regulators are nervous, given the scale of some of the governance issues seen over the past 12 months.
Danske Bank became embroiled in possibly the biggest money laundering scandal in financial history after its woeful oversight allowed an estimated €200 billion of suspicious transactions to flow through its branch in Estonia. And in March 2020, Swedbank was hit with a record fine of SEK4 billion (about $386 million) by Sweden’s financial watchdog after serious deficiencies were exposed in the bank’s anti-money laundering safeguards, and for withholding information from the authorities.
Worldwide, data breaches also reached record levels in 2019. More than 60 per cent of all leaked records were exposed by financial services organisations, a figure inflated by the Capital One breach, which exposed the details of around 100 million customers. Hacking and malware were the cause of 75 per cent of the industry’s incidents.
Brown insists the industry needs to learn from the past to prepare for the future.
“A key takeaway from 2019, if we use Danske Bank as a case study, is gaps and discrepancies in governance, specifically among the C-suite executives,” he explains.
“It’s about having appropriate governance, having the right people with the right expertise, the right independence, in executive roles to challenge the norm and, ultimately, breed a good culture.
“For 2020, I’m predicting increased scrutiny and focus on demonstrating effective governance. There’s a very fine but very specific difference between doing things right and doing the right thing.”
Technology itself is not the solution, says Brown; rather, it is a tool to help firms do the right thing.
“Financial services firms are spending more and more money on technology as a means of demonstrating compliance, and there’s been a lot of reliance placed on these technology solutions as being a sort of silver bullet for identification and verification. But, unfortunately, there’s no such thing as a silver bullet, and my challenge to firms is this: show me what you do, on an ongoing basis, to make sure that the systems you’re using are effective and appropriate, and that they’re free from the ability to be abused with fraud.”
In the UK, FCA statistics show that firms reported 459 technology and cyber incidents in the sector in 2019, with the most common root causes being change management issues, third-party failures, and failures in hardware or software.
Simon Whittaker, fscom’s cybersecurity consultant, believes that the rising trend of third-party failures that lead to data breaches will mean financial institutions have to start auditing the performance of their suppliers and the levels of security that are applied to them. But that alone will not satisfy regulators, he says.
“The European Commission has put out a consultation about operational resilience where they are trying to understand what we, as organisations, think should happen next. Legislation is expected to be put forward later this year that I think will contain items including supplier relations, supplier policies, training of staff internally, and making sure that risk is not something that is outsourced in any way.”
Whittaker also forecasts a regulatory cybersecurity clampdown, with the onus of responsibility shifting to data processors.
“I think we’re going to start seeing the UK’s FCA asking for and receiving much more technical information, and they’re going to start asking questions. It’s going to change from ‘tell me about this thing that you’ve done’ to ‘show me the evidence’.
“I also think that they’re going to be enacting things in a similar way to the Information Commissioner’s Office, with the introduction of the Data Protection Act 2018, which requires your data processors to be held liable for issues, as opposed to just lying with the primary target.”
Spotlight on e-payments
Another area of concern for the FCA is the number of complaints around electronic money issues received by the Financial Ombudsman Service.
Alison Donnelly, a fscom director who previously worked as an e-money specialist at the FCA, says that concern can be broken down into three specific areas: safeguarding, capital adequacy and business principles. And she warns that payment and e-money institutions can expect more supervisory attention as the FCA ramps up.
“Firms need to be aware that the FCA’s power and capacity to do that is significantly enhanced; its supervision department has been beefed up,” she says.
As to the impact of Brexit on the UK’s fintechs, Jamie Cooke, fscom’s co-founder and managing director, is not optimistic if no trade deal can be struck with the EU.
“I’m a proponent of change bringing positive impacts, but unfortunately, I think many of the impacts of Brexit for fintechs could be negative,” he warns. “If we don’t get a trade deal negotiated, we will leave on World Trade Organisation rules, there will be no single market access for UK financial institutions and that leaves them in the situation where they have a revenue or cost choice: to give up any revenue they make from European consumers, or get authorised in another European jurisdiction to provide services to those consumers and that would clearly have a cost implication.”
These interviews were conducted before the full impact of the COVID-19 pandemic became clear. In response to the crisis, fscom has opened its portal to all clients for the remainder of 2020 and offered its Regbite training sessions as a series of free webinars. Topics include operational resilience, customer due diligence, and managing compliance programmes. For more information, visit fscom.co.uk.