The Risk and Reg Edit: Summer 2024 edition
Our update on fast-evolving areas of change covers recent political developments as well as longer-running risk and regulatory themes to help leaders stay on top of emerging issues.
Read on for our experts’ views on:
UK election 2024
What does the new government mean for financial services?
2024 was long forecast to bring a general election, but few observers expected a change of UK government in July. The new government has begun outlining a regulatory framework aimed at protecting consumers, addressing new technologies such as AI, and supporting UK investment in innovation.
A packed King’s Speech provides some indication of what the government may introduce (albeit with scant detail on financial services), building in turn on a manifesto that gave only limited attention to our sector. Wholesale regulatory reform is unlikely, but possible changes include strengthening the protections provided by the Consumer Duty and by authorised push payment (APP) fraud reimbursement, a systemic response to digitally enabled fraud, and the establishment of a new Regulatory Innovation Office, which could support a targeted reduction in regulation where that fosters innovation.
As always, CROs will closely monitor the government as the future regulatory landscape emerges. The most proactive firms will be best placed to achieve compliance and optimise their competitiveness. This should include monitoring think tanks and trade bodies such as UK Finance, following planned regulatory and legislative developments, and responding actively to industry consultations, such as those on APP fraud and the Review of Financial Conduct Authority (FCA) requirements following the introduction of the Consumer Duty.
Consumer Duty: One year on
What’s changed, and what’s next?
The end of July marked the first anniversary of the Consumer Duty rules for open book products, as well as the rules entering into force for closed book products. It was also when the first annual Consumer Duty board reports were due – something that has been focusing minds among executives and board members. These events are just the beginning of the journey and further work is needed, as signalled by the FCA’s Call for Input on the Review of FCA requirements following the introduction of the Consumer Duty, published in late July 2024.
Many financial services leaders have spent recent months working to ensure a smooth transition and integration of Consumer Duty responsibilities into business-as-usual. However, regulators are clear that this is not a one-and-done effort but something that requires continued focus. To underline this, the FCA has regularly published feedback on Consumer Duty implementation, good practice, and areas for improvement. In its webinar on 31 July, the regulator highlighted improvements that firms have made since the introduction of the Duty, such as the work on cash savings, enhanced processes for capturing and recording customer vulnerabilities, and the development of data and metrics to better understand customers. It also set out its expectations now that the Duty is in force, including its supervision and enforcement approach.
Next steps for firms were also covered, with the FCA highlighting its intention to publish a grid outlining its forward programme of Consumer Duty work in the coming weeks. It also stated its future focus will be on thematic work through sector-specific guidance, like the insurance multi-firm review of outcomes monitoring published in June. In our view, CROs should focus on:
- Aligning with FCA guidance, including Dear CEO letters published since the introduction of the Duty, and the expected upcoming sector-specific guidance on the Duty
- Implementing and delivering on plans to uplift closed products and services
- Improvements to the approach and treatment of vulnerable customers, particularly given the FCA’s ongoing review of firms’ treatment of customers in vulnerable circumstances this year
- Enhancing approaches to monitoring, intervening, and evidencing delivery of good customer outcomes
- Looking ahead, particularly to the FCA’s expected focus on sector-specific guidance for firms to act on. This is something that should trigger further improvement work by CROs and their teams.
Using AI to detect fraud
How AI is revolutionising financial crime prevention
Financial institutions have been using AI for decades, but large language models like ChatGPT have revolutionised the accessibility of AI. This accessibility has the potential to heighten fraud risks, but also to strengthen fraud prevention. As a result, AI and AI governance are becoming the hottest of topics among CROs.
With AI encouraging many firms to launch generational upgrades of their technology, and the FCA conducting increasingly detailed reviews of fraud risks and controls, now is the perfect time for CROs to update their risk management frameworks. Here are three key areas to prioritise:
1. Understand the threat.
A major recent corporate fraud using fake voices and images highlighted how AI can bring far greater sophistication to the large-scale operations of financial criminals. CROs should begin by conducting a thorough review of current defences, evaluating and strengthening existing controls. They should also initiate a dynamic system of horizon-scanning to keep the threat environment under constant review.
2. Leverage the latest technology.
So far, generative AI has had a limited impact on fraud prevention, but in time it will help firms to develop their own fraud solutions. More broadly, there is significant scope for AI to enhance areas such as authentication – for example, by providing more dynamic biometric and behavioural challenges at login, or by detecting emotional stress in customers initiating payments.
3. Align fraud with other financial crime.
Fraud doesn’t carry as much regulatory urgency as money laundering, terrorist financing, or sanctions breaches. However, many controls in these areas are well suited to fraud prevention. Bringing all financial crime under a unified governance structure will help CROs to support customers and satisfy regulators, as well as enabling a more joined-up overview of risk management.
Finally, CROs should remember that AI and fraud are ecosystem-wide issues. With new threats and solutions appearing constantly, firms should take every opportunity to share information, collaborate with peers, and partner with law enforcement bodies.
Senior manager accountability across borders
Reflecting on accountability with international operations
The collapse of the international banking giant Credit Suisse in March 2023 triggered an urgent review of Switzerland’s banking regulation – including the crucial area of management accountability. As part of this review, the Swiss State Secretariat for International Finance commissioned us to conduct a comparative study of individual accountability regimes in other international financial markets. Our findings were incorporated into the Swiss Federal Council’s final report, which proposed 22 measures to strengthen Switzerland’s ‘too big to fail’ regime. Among these measures is the implementation of a senior managers’ accountability regime, aligned with other regimes such as the UK’s Senior Managers and Certification Regime (SMCR).
Despite its numerous strengths, the SMCR itself is not perfect, and continues to be updated. Eight years after it entered force, the SMCR’s effectiveness is currently under review by HM Treasury (HMT), the Prudential Regulation Authority (PRA), and the FCA. The findings are yet to be published, but the SMCR has previously attracted criticism – both for its administrative costs and for a perceived lack of successful enforcement.
CROs play a key role in this shifting landscape. Personal accountability for CROs should be expected to increase, particularly for those at firms with complex international footprints, with senior managers based in a variety of jurisdictions. Expectations in various countries, including the UK and Switzerland, are changing. To navigate this landscape, CROs who oversee international operations should at a minimum:
Consult supporting documents
Review non-binding supporting documents and supervisory guidance published by the regulators to fully understand applicable accountability regimes and expectations across their firm’s jurisdictions and identify whether a more cross-jurisdictional approach to accountability would drive efficiency.
Review resource investment
Understand whether sufficient resource is allocated to ensuring the firm remains compliant with all regime processes and frameworks as they evolve in multiple countries – such as annual vetting procedures and training requirements.
Clarify extra-territorial reach
Ensure there is clarity on the extra-territorial reach of accountability rules for those in impacted roles.
Monitor regulatory developments
Stay updated on new and emerging regulatory developments that could impact how accountability is assessed – including the findings of the SMCR reviews and relevant initiatives by the new UK government, and the final rules from the Swiss government.
CrowdStrike
Heightening operational resilience following a global IT outage
The faulty update of CrowdStrike’s Falcon software on 19 July impacted many firms, both directly as customers and indirectly via partners or service providers. On the upside, most large financial institutions recovered faster and more effectively than their counterparts in other sectors.
The industry’s rapid response reflects a range of factors, including limited use of Infrastructure as a Service (IaaS) providers for critical systems, and robust 24/7 operations teams. In addition, growing regulatory focus on the operational resilience of core systems – both via the PRA and FCA in the UK, and the Digital Operational Resilience Act (DORA) in the EU – means that many banks have been strengthening their resilience and recovery capabilities in recent months.
The challenge for CROs now is to ‘kick on’ from the CrowdStrike event and further enhance their firms’ operational resilience to future outages. Key priorities should include:
- Simulating outages (including cyber-attacks, change errors, or supply chain failures) and rehearsing responses to a range of scenarios
- Identifying key services and systems, formalising response priorities, and documenting relevant procedures, technology, data, and supplier dependencies
- Identifying areas of potential vulnerability and making targeted improvements to systems, controls, and backups
- Revisiting the management of updates and patches from external vendors, including for IaaS offerings and other cloud services
More broadly, CROs should also work with other leaders across their organisations to ensure that governance, leadership, communications, and other key functions are aligned in a way that delivers enhanced resilience, meeting the needs of customers and the fast-evolving expectations of regulators.
People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of these issues in depth with our experts, get in touch now.