Governance, Accountability and Conduct
We continue to see the regulators focused on governance, accountability, conduct and culture, with these topics specifically highlighted as priorities in both the FCA and PRA business plans and also underpinning other regulatory focus areas.
Regulators are increasingly interpreting operational failures and risk management issues (whether related to operational resilience, financial crime, customer treatment or financial resilience) as potentially the result of ineffective Board and senior management governance.
- Board effectiveness
- Risk management, including climate risk
- Diversity and inclusion
- Financial Crime
The FCA has released a number of key publications this year relating to the treatment of customers. The suitability of advice and the need for products and services to meet the needs of customers has been a cross-sector area of focus of the FCA for the last two years. There is particular concern from the regulator around the treatment of vulnerable customers, long-standing / loyal customers and retirement outcomes coupled with an overarching question as to what level of care firms should provide to their customers, particularly when providing high-cost credit.
- Vulnerable customers
- Overdraft prices
- GI pricing
- Easy-access cash savings
- High-cost credit
- General insurer fairness
- Treatment of long-standing customers: Life insurers’
- Assessing value for money in investment funds
- Duty of care
- Suitability of advice: Pensions and retirement income
An increasing number of firms are exploring the use of disruptive technologies such as Artificial Intelligence, Robotic Process Automation, and Blockchain. There are many factors that make these technologies ripe for adoption, including the scale of investment, the potential for these technologies to go mainstream, global reach and technical viability.
Emerging technology brings opportunities but also new risks, requiring firms to rethink their business and IT strategy, governance and architecture. Yet we have found that many firms do not, as yet, have a strategy that encompasses technological innovations and, as a result, are not monitoring their evolution or impact. The adoption of emerging technologies may not be considered in the context of the firm’s risk appetite, or the firm’s maturity and readiness to deploy emerging technologies. Unlocking a firm’s technological potential in a responsible and risk-controlled manner with the right governance mechanisms in place will be crucial.
- Artificial Intelligence (AI)
- Robotics (RPA)
- Cryptographic assets
- Open banking
- Algorithmic trading
Operational Resilience, Cyber Security, Outsourcing and Change Management
The latest FCA and PRA business plans both list operational and cyber resilience as key areas of focus, indicating that regulatory action will continue to increase in this space and signalling increased supervisory focus on the insurance and asset and wealth management sectors. Regulators expect firms to be operationally resilient, fundamentally shifting the paradigm to a ‘WAR’ (Withstand, Absorb and Recover) footing. This is a material step change from the days of basic business continuity planning with supporting IT disaster recovery.
The frequency and sophistication of cyber-attacks are increasing, with the number of cyber incidents reported to the FCA in 2018 up by over 10 times the number reported in 2017. The Financial Services (FS) industry is a top target as attackers move up the value chain and seek bigger gains, while making more substantial investments. There are numerous examples of attackers with motives to steal money from FS organisations, for example the compromise of payment systems at the Bank of Bangladesh in 2016 to steal almost $1 billion. As a result, cyber resilience continues to be an area of focus in the most recent regulatory business plans.
Financial services firms are increasingly seeking to outsource critical functions to a concentrated set of vendors to reduce cost and gain access to capabilities not readily available within the industry. Growing outsourcing, particularly in emerging technologies, makes it harder for firms to quantify and manage third-party risk. Firms relying on outsourcing arrangements (often with unregulated providers) for the delivery of critical services should note that this is a significant area of focus for the FCA, given some of the recent issues faced by third-party providers.
Across the financial services sector, firms are undertaking an increasing volume and complexity of change, delivered as part of projects and programmes that make up large change portfolios. Projects are inherently high risk: they can be complex and cross-organisational, and often the right internal capability to deliver them is lacking. All too frequently, despite multi-million-pound costs, projects fail to deliver the intended outcomes or benefits, with significant reputational, financial and regulatory consequences.
- Data security and GDPR
- Operational Resilience
- Third party outsourcing
- Outsourcing to the ‘Cloud’ and other third party IT services
- Cyber security
- Managing legacy systems
- IT governance
- Cloud risk management
The PRA has raised concerns around oversight of underwriting and associated controls, as well as related issues with reserving, business planning and capital, and is looking to “join the dots” across these disciplines. Similarly, Lloyd’s of London looks set to maintain its hard line with loss-making syndicates and to continue the remedial work of last year’s Business Planning season.
- Underwriting and pricing governance
- Exposure management
- IFRS 17 insurance contracts