The Risk and Reg Edit: Autumn 2024 edition
The political uncertainty of the summer may have passed, but daily changes to the geo-political, technological and regulatory environment mean that Chief Risk Officers (CROs) are having a very busy autumn.
Our latest update on fast-evolving areas of change in the risk and regulatory space aims to help leaders stay on top of emerging issues and anticipate potential future challenges.
Read on for our experts’ views on:
- DORA
- Consumer Duty
- Quantum computing
- Tackling economic crime
- Anti-Money Laundering Directive
- Monitoring transactions to crypto exchanges
- PA's response to the Autumn Budget
DORA: The building blocks for digital resilience
By Laura Hawkins
DORA applies from 17 January 2025, only six months after the second package of technical standards was finalised: a very tight deadline for such a major regulatory initiative, and it is likely that many financial institutions will not meet the full requirements set out in the texts by then.
Not yet meeting full requirements need not be a critical concern if firms can show they’re moving in the right direction. DORA is not intended as a short-term exercise – it’s a new holistic framework for digital resilience. Many firms implementing DORA will also need to comply with similar but subtly different initiatives, such as the UK’s Operational Resilience policy, and leverage existing programmes of work to align with DORA.
The immediate priority for executives should be to ensure they have a comprehensive roadmap for delivering operational resilience that encompasses all relevant markets, regulations, and aspects of resilience. This should consider areas of commonality between DORA and other regulations – such as mapping dependencies, incident reporting, and managing third-party concentration risks.
Next, firms will want to focus on the most challenging areas of implementation – such as DORA’s requirements for critical third-party service providers. One difficulty is the register of information firms must complete, which requires a vast amount of data. Internal suppliers are also proving to be a challenge for some firms, given DORA’s requirements for similar contractual arrangements as those with external providers.
At the same time, teams should actively engage with other stakeholders to build enterprise-wide resilience. This includes board members – DORA brings enhanced expectations for Board accountability – and critical technology providers which, for the first time, will feel the scrutiny of financial supervisors.
These steps will help firms to look beyond January’s compliance deadline and build greater resilience into their ongoing activities. Over time, this will help firms to seize the upsides of innovation safely - boosting efficiency and reliability, and creating value for customers.
Consumer Duty: Making fair value, business as usual
By Thom Hart and Tania Nemer
The FCA’s recent review of product governance in general insurance and pure protection, which viewed firms’ PROD 4 obligations through the lens of the Consumer Duty, makes for uncomfortable reading.
The review examined firms’ ability to demonstrate Fair Value and good customer outcomes for the products and services they manufacture and distribute. It found that many Fair Value Assessments (FVAs) were inadequate; evidence of effective challenge by senior managers was often absent; and many firms avoided assessing how payments throughout the distribution chain affect Fair Value.
These findings are not only relevant to the firms in the review. They carry an important message for all UK financial institutions about the importance of FVAs. Firms should use the FCA’s guidance on good practice to ensure that FVAs clearly articulate customer value propositions, evidencing what customers are paying for and what benefits they receive. More specifically, CROs could:
- Revisit value propositions to ensure that all costs, including those of distribution, can be justified by the benefits and value that consumers receive
- Consider how assessments of Fair Value may need to vary between different customer groups, including those with vulnerable characteristics
- Ensure that FVAs include an analysis of expected total costs for a variety of customer scenarios, depending on a range of factors informed by the proposition's target market
- Create a clear, timebound improvement plan that addresses any Fair Value issues identified since the Duty’s introduction.
The FCA will soon publish its future work programme, and it seems certain that Fair Value will remain a key area of focus. To achieve lasting improvements, firms should develop adaptable Fair Value frameworks that can be applied to all products and services. This will help firms to create organisational cultures that prioritise Fair Value every day – not just when the regulator calls.
Quantum computing: Preparing for a Quantum Leap
By Toby Sibley
Governments and public and private organisations are investing increasingly huge sums in quantum computing (QC), which exploits quantum mechanics to solve certain problems far faster than classical computers. Among those problems are the integer factorisation and discrete logarithm problems on which today's public-key cryptography (RSA, elliptic-curve and Diffie-Hellman schemes) rests. QC offers many possible benefits, but its potential to break today's encryption techniques also poses a major risk to financial institutions.
This threat recently prompted the World Economic Forum (WEF) and Financial Conduct Authority (FCA) to call for a common regulatory approach to quantum security in the financial sector. However, significant uncertainty over the evolution of QC makes it hard for firms to take concrete steps. Some experts believe QC could become scalable quickly, but others expect this to take decades. And while quantum-resistant (post-quantum) algorithms are now being standardised, they have little operational track record so far.
The only certainty for firms is that advance preparation will be crucial. Financial leaders have estimated that replacing a large organisation's current encryption technology could take 8 to 12 years. Firms cannot afford to be caught on the back foot, so early and regular engagement between financial organisations and the regulators is key to preparing for QC, and firms must position themselves to respond quickly to any future breakthrough. CROs should take steps to:
- Develop a full asset register, with clear mapping of all current uses of encryption
- Consider streamlining technology architectures, in order to simplify a future transition to quantum-resistant encryption
- Engage with technology and service providers to understand their plans for moving clients onto quantum-resistant encryption protocols
- Develop awareness among senior stakeholders and budget holders, building the business case for a potential large-scale transformation
- Collaborate with regulators and counterparts on shared solutions, especially for key infrastructure like exchanges or payment networks.
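The first two steps above, the asset register and the migration plan, are easier to act on when the register records not just where encryption is used but which algorithms are exposed and for how long the protected data must stay confidential. The script below is an added illustration (not PA's code and not any firm's tooling) of such a register review: it classifies each entry by quantum exposure, using the fact that Shor's algorithm breaks RSA, Diffie-Hellman and elliptic-curve schemes outright while Grover's algorithm only weakens symmetric ciphers, and applies a Mosca-style check (data lifetime plus migration time against the assumed years until a cryptographically relevant quantum computer) to find the systems whose traffic, if recorded today, could be decrypted later. The inventory format, the classification table and the planning figures (8 years to migrate, 15 years to a capable quantum computer) are assumptions for illustration, not forecasts.

```python
"""Added example: review a cryptographic asset register for quantum exposure.

Not code from the article. The inventory format, the algorithm tables and the
planning parameters are illustrative assumptions, not any firm's figures.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample inventory: system, where encryption is used, algorithm,
# key size, and how many years the protected data must remain confidential
# (for signatures: how long verifications must remain trustworthy).
SAMPLE_INVENTORY = """\
system,use,algorithm,key_bits,data_lifetime_years
customer-portal,tls,RSA,2048,1
payments-gateway,tls,ECDHE-P256,256,1
archive-backup,at-rest,AES,256,25
core-ledger,signing,ECDSA-P256,256,10
hr-records,at-rest,AES,128,15
legacy-vpn,key-exchange,DH,1024,5
"""

# Families Shor's algorithm breaks outright versus those Grover only weakens
# (Grover halves the effective key length, so AES-128 loses its safety margin
# while AES-256 keeps a comfortable one).
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDHE", "ECDH", "DH", "DSA"}
GROVER_WEAKENED = {"AES", "CHACHA20"}


@dataclass
class Finding:
    system: str
    use: str
    algorithm: str
    exposure: str  # "break", "weakened" or "ok"
    action: str    # "migrate-first", "migrate", "raise-key-size" or "none"


def family(algorithm: str) -> str:
    """'ECDHE-P256' -> 'ECDHE', 'RSA' -> 'RSA'."""
    return algorithm.split("-")[0].upper()


def classify(algorithm: str, key_bits: int) -> str:
    fam = family(algorithm)
    if fam in SHOR_VULNERABLE:
        return "break"
    if fam in GROVER_WEAKENED and key_bits < 256:
        return "weakened"
    return "ok"


def needs_early_migration(data_lifetime_years: int, migration_years: int,
                          years_to_cryptanalytic_qc: int) -> bool:
    """Mosca-style inequality: if the data must stay secret for longer than the
    time left before a capable quantum computer, once the migration itself is
    accounted for, traffic captured today is at risk ("harvest now, decrypt
    later"). The two timing parameters are assumptions supplied by the caller."""
    return data_lifetime_years + migration_years > years_to_cryptanalytic_qc


def assess(inventory_csv: str, migration_years: int = 8,
           years_to_qc: int = 15) -> List[Finding]:
    """Turn a register into prioritised findings. Defaults are illustrative."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposure = classify(row["algorithm"], int(row["key_bits"]))
        lifetime = int(row["data_lifetime_years"])
        if exposure == "break" and needs_early_migration(lifetime, migration_years, years_to_qc):
            action = "migrate-first"   # long-lived secrets behind a breakable scheme
        elif exposure == "break":
            action = "migrate"         # breakable, but the data expires before QC arrives
        elif exposure == "weakened":
            action = "raise-key-size"  # symmetric cipher with a thin post-Grover margin
        else:
            action = "none"
        findings.append(Finding(row["system"], row["use"], row["algorithm"], exposure, action))
    # Most urgent first so the list doubles as a migration roadmap.
    order = {"migrate-first": 0, "migrate": 1, "raise-key-size": 2, "none": 3}
    return sorted(findings, key=lambda f: order[f.action])


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.action:15} {f.system:18} {f.use:13} {f.algorithm:12} ({f.exposure})")
```

The ordering matters more than the labels: the entries flagged `migrate-first` are where a recorded copy of today's traffic or backups stays valuable for longer than the assumed window, so they belong at the front of the roadmap even if the systems themselves are low profile.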
Tackling economic crime: The new fraud reimbursement policy
By Daniel Sharpe and Finuala Alexander
October saw major changes to the UK Payment Systems Regulator's (PSR) rules, with the reimbursement of retail victims of Authorised Push Payment (APP) fraud becoming mandatory in almost all cases. Other changes include a reimbursement ceiling of £85k, 50:50 liability for reimbursement costs between sending and receiving payment providers, the right for providers to delay suspicious payments for up to four days, the continuation of loss reporting and Confirmation of Payee, and various exemptions for vulnerable customers throughout the policy.
These are significant changes in their own right, but the wider regulatory environment adds another dimension. Care must be taken by firms to ensure that customer interactions meet Consumer Duty requirements. Whilst marginal gains are being made in reducing the overall size of the problem, firms should also recognise that the PSR's changes alone are unlikely to turn the corner on APP fraud. It is important to remember that reimbursement doesn't prevent fraud from occurring, or from causing emotional harm to customers.
The UK's updated economic crime strategy for 2023-26 and Economic Crime Plan 2 give a sense of the more holistic, systemic approach needed to tackle fraud. A truly joined-up national response needs to include all players in the end-to-end fraud journey, from digital platforms and financial services providers to law enforcement and regulators, with enhanced data sharing not only between payment providers but across the public and private sectors. To do this, a unifying vision for industry-wide action is needed, alongside appropriate and proportionate policy and crime reduction targets, and a more holistic understanding of how fraud, money laundering and other crimes are linked.
In response to the amended PSR, payment providers are already stepping up their prevention and detection efforts by building customer profiles, flagging suspicious behaviour, and analysing patterns of payment activity. CROs can build on this and foster a more holistic approach to economic crime by:
- Becoming more proactive on detection, for example by identifying vulnerable customers
- Working with technology firms to build customer awareness and enhance fraud prevention
- Forging data-sharing partnerships with other payment providers and other industries
- Engaging with financial regulators, Pay.UK and industry bodies for systemic policy change.
Anti-Money Laundering Directive: A new paradigm
By Elena Kalaitzi and Peter Meedom
In July 2024, the European Union (EU) introduced new Anti-Money Laundering (AML) Regulation and the 6th Directive on Combating Money Laundering and Terrorist Financing (AMLD6). It also created a powerful new Anti-Money Laundering Authority (AMLA). AMLA will supervise at least 40 financial institutions across all Member States, along with firms assessed as being at a high risk of financial crime. It also has the mandate to harmonise supervision across Member States and will oversee and coordinate the activities of national financial intelligence units.
This package will place new requirements on regulated entities, such as stricter controls around Politically Exposed Persons and a broader definition of beneficial ownership, with the threshold lowered to 25 percent or more (instead of more than 25 percent) and set as low as 15 percent in higher-risk situations.
But firms will need to work smarter as well as harder. Article 75 of the new AML Regulation will provide the legal authority to share customer information through formal, regulated partnerships. This is a valuable opportunity to reduce financial crime, but it will require significant effort to establish compliant agreements, policies, processes, and documentation.
The new regulations take effect in July 2027 and direct supervision from AMLA should begin in 2028, but financial institutions cannot afford to coast.
- In the short term, the priority for CROs should be to conduct an impact assessment, to identify gaps and remedial actions, and to develop a roadmap for implementation.
- In the medium term, CROs of large financial institutions should contact the new body, establish a designated liaison, and engage with AMLA over the development of Regulatory Technical Standards.
Looking further ahead, firms will need to adapt their financial crime prevention efforts to fit a very different AML paradigm. This may drive up implementation costs in the next two to three years, but in the longer-term, AMLA should ensure a more uniform regulatory framework in the EU with more effective supervision – reducing financial crime and the cost of doing business.
Monitoring transactions to crypto exchanges: Navigating the crypto conundrum
By James Berry
Transaction monitoring is a perennial area of focus for banks, but the decentralised world of cryptocurrencies poses a unique and growing set of challenges for CROs.
Cryptoassets themselves are not regulated by the FCA (UK cryptoasset firms must register with the FCA for anti-money-laundering purposes), and the distributed technology that powers crypto makes conventional supervision of the assets impractical. Instead, UK banks are only permitted to exchange money transfers with registered Crypto Exchanges (CXs), and it is notable that CXs are not covered by the Financial Services Compensation Scheme.
Given the absence of clear guidance, different high street, challenger, and online banks have taken varied approaches to their transfer limits for CXs. One online bank has banned all crypto transactions; in contrast, one clearing bank allows transfers of up to £50k per day, in line with its standard transaction limits. The limits of most banks sit somewhere in between, with daily and monthly limits far below the standard transaction limits set for online banking.
It is interesting to observe that the banks that have been sanctioned by the regulator in the past for financial crime failings tend to enforce lower transaction limits to cryptocurrency exchanges than their peers that have not. Perhaps these cryptocurrency exchange transaction limits are a good indicator of financial crime risk appetite.
There are of course some key controls that all banks can take to optimise their management of crypto transaction risks including:
- Gathering as much customer data as possible at onboarding, and performing regular updates to understand if the transactions to crypto exchanges are in line with customer expectations
- Monitoring for unusual values or volumes of transactions, including those originating from or directed to unusual jurisdictions.
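The two controls above, and the customer profiling and pattern analysis mentioned in the APP fraud section, come down to the same monitoring loop: compare each outbound transfer with what the customer told you at onboarding, with the bank's own daily and monthly limits for exchanges, and with the jurisdiction of the receiving exchange. The code below is an added illustration of that loop (not PA's code and not any bank's monitoring system) run over a handful of constructed transfers. The record format, the expected-volume figures, the limits, the "three times expected volume" trigger and the placeholder high-risk country codes are all assumptions for the example; a real deployment would take the jurisdiction list and the limits from the firm's financial crime policy.

```python
"""Added example: rule-based monitoring of transfers to crypto exchanges.

Not code from the article. Record format, limits, onboarding figures and the
high-risk jurisdiction codes are constructed for illustration only.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Set, Tuple


class Transfer(NamedTuple):
    day: date
    customer: str
    exchange: str
    country: str      # jurisdiction of the receiving exchange (ISO-style code)
    amount_gbp: float


# Declared at onboarding and refreshed at periodic review: the monthly value of
# crypto purchases each customer said to expect (constructed figures).
EXPECTED_MONTHLY_GBP: Dict[str, float] = {"cust-01": 500.0, "cust-02": 20000.0}

# Illustrative policy limits for transfers to exchanges, set well below the
# standard online-banking limits the article describes. Not any bank's figures.
DAILY_LIMIT_GBP = 5000.0
MONTHLY_LIMIT_GBP = 20000.0
EXPECTED_VOLUME_MULTIPLIER = 3.0            # alert once spend exceeds 3x the declared amount
HIGH_RISK_COUNTRIES: Set[str] = {"XX", "YY"}  # placeholder codes, not a real list

# Constructed sample transfers: a small customer who suddenly sends a large sum
# to an exchange in a high-risk jurisdiction, and a larger customer who splits a
# day's spending into several sub-limit payments.
SAMPLE_TRANSFERS = [
    Transfer(date(2024, 11, 1), "cust-01", "ex-a", "GB", 200.0),
    Transfer(date(2024, 11, 1), "cust-01", "ex-a", "GB", 300.0),
    Transfer(date(2024, 11, 2), "cust-01", "ex-b", "XX", 2500.0),
    Transfer(date(2024, 11, 3), "cust-02", "ex-a", "GB", 4800.0),
    Transfer(date(2024, 11, 3), "cust-02", "ex-a", "GB", 4800.0),
    Transfer(date(2024, 11, 3), "cust-02", "ex-c", "GB", 4800.0),
]


def monitor(transfers: List[Transfer],
            expected: Dict[str, float] = EXPECTED_MONTHLY_GBP,
            daily_limit: float = DAILY_LIMIT_GBP,
            monthly_limit: float = MONTHLY_LIMIT_GBP,
            multiplier: float = EXPECTED_VOLUME_MULTIPLIER,
            high_risk: Set[str] = HIGH_RISK_COUNTRIES) -> List[Tuple[Transfer, List[str]]]:
    """Replay transfers in date order, keeping running daily and monthly totals
    per customer, and return each transfer that trips a rule with its reasons.
    Totals are cumulative, so a customer who splits one large payment into
    several small ones is caught by the running daily figure, not the
    individual amounts."""
    daily: Dict[Tuple[str, date], float] = defaultdict(float)
    monthly: Dict[Tuple[str, int, int], float] = defaultdict(float)
    alerts: List[Tuple[Transfer, List[str]]] = []
    for t in sorted(transfers, key=lambda x: x.day):   # stable sort keeps intra-day order
        day_key = (t.customer, t.day)
        month_key = (t.customer, t.day.year, t.day.month)
        daily[day_key] += t.amount_gbp
        monthly[month_key] += t.amount_gbp

        reasons = []
        if daily[day_key] > daily_limit:
            reasons.append("daily-limit")
        if monthly[month_key] > monthly_limit:
            reasons.append("monthly-limit")
        # Unknown customers have no declared expectation, so any spend is "above expected".
        if monthly[month_key] > multiplier * expected.get(t.customer, 0.0):
            reasons.append("above-expected-volume")
        if t.country in high_risk:
            reasons.append("high-risk-jurisdiction")
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    for transfer, reasons in monitor(SAMPLE_TRANSFERS):
        print(f"{transfer.day} {transfer.customer} -> {transfer.exchange} ({transfer.country}) "
              f"£{transfer.amount_gbp:,.2f}: {', '.join(reasons)}")
```

On the sample data the small customer's £2,500 transfer is flagged both for exceeding three times the volume declared at onboarding and for the destination jurisdiction, while the larger customer's second and third £4,800 payments trip the daily limit even though each one is individually under it, which is the case a per-transaction check alone would miss.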
In the long term, banks have an important role to play in the management of cryptocurrency risk. In the meantime, firms can still take steps to minimise crypto-related risks – and apply those lessons learned in this tricky area to other aspects of transaction monitoring.
PA’s response to the Autumn Budget
In case you missed it: our Global Head of Financial Services, Caroline Wayman, reflects on the UK's Autumn Budget (video).