Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

1.1. Financial Crime and Sanctions
Financial crime continues to be an area of regulatory focus. In previous years, insight papers have highlighted how regulated firms still struggle with key areas of the risk-based approach such as governance, customer risk assessment, customer due diligence, and monitoring. Recent European Regulators publications have placed a specific onus on regulated firms to address failures proactively and be able to demonstrate how they have successfully implemented change.

The conflict in Ukraine has placed a renewed emphasis on sanctions compliance. Firms now face a sharp increase in the number of designated individuals they must screen for, which increases the risk of penalties for breaches. The European Regulators also expect the rise in fraud incidence observed during the COVID-19 pandemic to abate slowly, as the tools put in place to control its spread begin to take effect.

Key areas of the risk-based approach to AML / CTF, long identified as weak, still require improvement, particularly among smaller firms.

The European Regulators have continued to monitor the application of EU AML / CTF regulations, focusing on limiting weaknesses in governance and oversight, risk assessments, initial and enhanced due diligence on customers, and transaction monitoring.

Since March 2022, the US, UK, and the EU, have expanded sanctions on an unprecedented scale and scope as a result of the Russian invasion of Ukraine. These measures have had a significant impact on companies’ sanctions risk management frameworks and related sanctions breaches. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.

The European Regulators have highlighted that financial crime reduction will be achieved through an increase in authorisation rejections on the basis of non-compliance with Money Laundering Regulations (MLRs) or for financial crime reasons. This forms part of a wider focus on reducing the impact of fraud on society, which the European Regulators will achieve through improved supervision and proactive assessments of firms’ anti-fraud systems and controls.

The European Regulators have also flagged that efforts into supervising crypto assets firms’ compliance with the MLRs will be ongoing, and sanctions imposed swiftly, where firms are found to be posing harm to consumers or market integrity.

Areas of Focus

Financial Crime Frameworks

Internal Audit should continue to focus on reviewing the keystone features of financial crime frameworks in order to ensure they are designed to maximise firms’ management of financial crime risk while not interfering with important themes such as financial inclusion.

Sanctions Risk Management

Internal Audit should place particular focus on how risk assessments, enhanced due diligence on customers have been adapted to the current heightened risk of sanctions evasion, particularly where beneficial ownership is less transparent, and higher risk jurisdictions are involved in the ownership chain.

Customer screening should also be considered carefully, as it is a fundamental tool supporting initial and ongoing due diligence on customers.

Fraud Risk Management

Internal Audit should place renewed emphasis on the ability to manage fraud risk effectively.

This should comprise establishing whether firms assess their exposure to fraud risk and respond appropriately by designing and enhancing their fraud risk control environment.

Implementation of Financial Crime Programmes

Internal Audit should assess whether financial crime change programmes are tracked to completion while benefiting from ongoing senior stakeholder information and challenge. Specifically, firms should have clear project plans outlining milestones, accountabilities and delivery dates. Senior management should also be tracking projects and ensuring that key deadlines are being met. The Risk Committee, the Audit Committee and the Chief Executive Officer should be involved in order to ensure appropriate governance and challenge.

Challenger Banks and Crypto Asset Providers

Internal Audit should continue to challenge the maturing financial crime compliance framework against MLRs and industry guidance to ensure that these firms are proactive in improving adherence to regulations while their business grows and evolves.

Where the firm offers crypto assets, Internal Audit should understand how the business achieves compliance with the European Regulators’ guidance on crypto currency.

1.2. Fraud Risk Management

Regarding occupational fraud, remote working was the factor most commonly cited as a significant contributor to fraud. Another emerging cause of fraud risk in 2022 has been the conflict in Ukraine, which has exacerbated already fragile supply chains and pushed up commodity costs, including crude oil, metals and grain, contributing to historic levels of inflation and rapid interest rate rises. The strain on organisations leaves them susceptible not only to internal management fraud but also to external threats, including cyber attacks. As fraud prevalence remains on the public agenda, regulatory initiatives have been introduced aiming to help auditors and organisations tackle the threat and restore confidence in the markets. For regulated financial firms, the European Regulators have set out a commitment to reduce and prevent serious harm resulting from fraud.

Russia and Ukraine Conflict: For those organisations with direct exposure to Russia, exiting a formerly important market to comply with sanctions may lead to substantial losses. Geopolitical uncertainty has also been a driver in the stock market sell-off that has resulted in significant recent falls in some indices. In trying to smooth over the adverse impact of sanctions or appease shareholder expectations, firms might be incentivised to “improve” results therefore creating the risk of financial statements fraud.

Cost of Living: High energy and commodity costs have added to the ongoing supply chain crisis, a convergence that has contributed to increasing levels of inflation. Reduced consumer spending will result in many businesses experiencing cash shortfalls. Inflation also diminishes corporate profits as the value of money decreases. Such factors heighten the risk of fraud through the fabrication of revenues, questionable forecasting, as well as insider fraud by employees whose salaries will not match the high inflation and increasing living costs.

ISA 240 Revision: The updated standard seeks to clarify the external auditor’s role and objectives in identifying fraud, with a focus on enhanced professional scepticism. Enhancements include more detail regarding the identification and assessment of risk, while also addressing the inherent challenges audits face, particularly where management is colluding in fraud. One example is the need for whistleblowing policies that enable employees to disclose concerns about actual or suspected fraud.

Online Safety Bill: Included in the wide-ranging bill are proposals to tackle scams on user-generated platforms such as social media and search engine companies. Example content includes romance scams, fake stock market tips and other fraudulent advertising.

Areas of Focus

Consider the risk assessment

The fast-changing economic outlook demonstrates the importance of a dynamic fraud risk assessment. What might have constituted a reasonable risk assessment six months ago may no longer be suitable as new risks arise. Internal Audit should consider challenging management on changes to the firm’s risk appetite vis-à-vis the present outlook. By extension, they should seek to understand and quantify what the key gaps and vulnerabilities are given the emerging new risks, such as those resulting from the conflict in Ukraine and rising inflation.

Assess the design of the framework

Internal Audit should also consider the robustness of the existing fraud risk framework. An optimal framework should not only take into account the risk assessment, but it should incorporate governance upon which the organisational tone and culture are set. Its design should reconcile identified risks with effective controls to help with the detection and prevention of fraud. That latter undertaking may not always be fully understood in-house, for example, with highly sophisticated cyber attacks emanating from state-sponsored actors able to overwhelm internal capabilities. As such, input from a team specialising in fraud risk should be considered. The framework should also include timely resolution of fraud instances and lastly, have a ‘refresh’ aspect to make it sustainable especially given the speed at which recent crises have unfolded.

Changing Nature of the Regulatory Landscape

The evolving regulatory landscape will have implications for organisations and auditors alike. For Internal Audit, collaboration and interaction with key stakeholders, including Regulators, as well as coordination with other risk, control and compliance functions, will allow for a proactive understanding of the fraud risk threat environment in line with regulatory expectations.

1.3. Payments Sector Regulatory Developments

Significant technology, regulatory and infrastructure developments are driving major change, growth and innovation in payments. There is significant regulatory focus across a variety of areas for both incumbents and new providers, where there is significant potential to expand into new markets (for example, payments are increasingly intermediated by BigTech and other non-traditional parties). Fees are also being reduced through regulation and competition, and banks’ historic data advantages are being diminished by Open Banking and the Payment Services Directive 2 (PSD2), a trend set to increase with the future introduction of Open Finance. At the same time, the payments industry is growing at a significant rate, and interoperability is increasing through the use of common standards, which also deliver richer data. Fundamental infrastructure changes are also occurring, requiring structural changes to the payment ecosystem and changes to the payment plumbing and data flows for ecosystem participants.

ISO 20022: The ISO 20022 messaging standard is replacing the existing SWIFT messaging standard, and from November 2022 SWIFT messages will start to be replaced for cross-border payment and reporting messages.

There will be further impacts for other payment types through the future introduction of the New Payments Architecture (NPA) e.g. TARGET2 (the RTGS system owned and operated by the Eurosystem) and Euro high value payments. Indirect participants will also be impacted and will need to discuss with their provider as to what steps they must take.

Strong Customer Authentication / Transaction Risk Analysis: Mandatory annual audit requirements persist around Strong Customer Authentication (SCA), bringing e-commerce transactions into scope. All banks and payment service providers (PSPs) should be using SCA for payment transactions. In addition, an increasing number of banks are now adopting Transaction Risk Analysis (TRA), which requires a bank’s fraud rates to remain below a defined level before it may exempt transactions from SCA. SCA requirements apply across any channel offering access to ‘payment accounts’ (including cards) and across every customer segment (i.e. Retail, Business, Corporate, Private Banking, etc.).

The scope of the audit requirement extends across all electronic customer channels, such as internet banking, mobile apps, firm provided software, enterprise software integrations, other software integrations embedded through Application Programming Interfaces (APIs) or other interfaces, and ‘Open Banking’ channels.

Areas of Focus

ISO 20022

Internal Audit should perform a detailed review of ISO 20022 programme activities to assess whether regulatory deadlines will be met and how changes to adopt the new messaging standard are being implemented and tested. Additional investigation may also be performed to determine how enriched messaging data may provide key benefits and how these are realised.

ISO 20022 migration is inherently complex, posing significant challenges for impacted firms; in particular, Internal Audit should understand the controls in place around the following areas:

  • Appropriate training is in place for the new messaging standard.
  • Upgraded messaging appropriately interfaces with the new standard.
  • Robust and detailed testing of in-flow translations, including the receipt of multi-format messages, takes place.

The impact on banks will be significant across business operations and technology stacks, requiring careful and comprehensive consideration and placing significant pressure on technical resources.

SCA / TRA

Both SCA and TRA must be audited annually by operationally independent internal or external auditors. The audit should include an evaluation and report on the compliance of the firm’s security measures with the Regulatory Technical Standard (RTS) requirements, and the report must be made available upon request by the European Regulators.

For the first year in which TRA is adopted, and every three years thereafter, the audit must be performed by an independent external auditor (i.e. Internal Audit can only perform this work in the intervening years).

1.4. Cryptocurrency / Digital Assets
The market capitalisation of digital assets has seen substantial growth in recent years and even after the recent tumultuous period it is still highly valued at $993bn*. This market continues to show potential to increase further and reshape activity currently taking place in the traditional financial services sector to meet an array of business and consumer needs. Activity to adopt the widespread use of Cryptocurrency and Digital Assets continues at pace, for example: Security tokens present a $17bn* market capitalisation, Stablecoins are valued at $153bn*, Decentralised Finance (DeFi) is valued at $53bn*, and 17 Central Bank Digital Currencies (CBDC) have been launched as pilots. The digital assets ecosystem is also in a state of major evolution with further institutional interest from major banks and asset managers and several new businesses entering the EU market with Electronic Money Institution (EMI) and Authorised Payments Institution (API) applications to the European Regulators. The issuance of CBDCs and Stablecoins is on the agenda of all major Central Banks. As regulations evolve and further licensing requirements come into force, firms will need to assess their business models and strategy to align with their local regulatory perimeter requirements.

* Data obtained from CoinMarketCap. These values are subject to change on a daily basis.

Regulatory Framework Developments:

Markets in Crypto-Assets (MiCA) is a new framework that is under development by the EU that aims to regulate crypto assets and service providers to enhance financial stability around these products.

Due to the nature of the assets (anonymity), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance controls are critical, and EU businesses must comply with them. Most countries have a registry with which entities participating in crypto activities must apply or register. Part of the challenge within the EU is that each Member State has a different system, making passporting rights inaccessible for businesses. It is anticipated that MiCA will help solve this.

To further safeguard consumers, several changes are expected in the regulation for EU businesses and how these products can be marketed.

Areas of Focus

Existing Regulation

Internal Audit should:

  • Assess processes in place to meet AML and CFT regulations across relevant jurisdictions.
  • Assess processes in place to meet compliance expectations around Business Continuity Plans and Operational Resilience. These areas, whilst not specific to Digital Assets, are core components of demonstrating compliance with AML / CFT requirements.
  • Assess processes in place around regulatory reporting requirements that should capture Digital Assets activity / transactions. For example, Tokenised Bonds that are transacted under Distributed Ledger Technology (DLT) should be included in traditional reporting mechanisms under MiFID to the regulator.

New Products and Services

As firms consider new products and services relating to Digital Assets, Internal Audit will have a key role to play in providing assurance that the business maintains a robust Risk Management Framework (which includes assessment of financial risk, AML / CFT and new technology risks) which anticipates and appropriately evaluates new risks posed by Digital Assets products.

Internal Audit should review and challenge the New Product Approval including asset class valuations processes and controls to help ensure the business complies with relevant regulatory requirements.

Internal Audit should also challenge, assess and report on how well management and those charged with governance understand and monitor the risks they face within their current crypto product set in this volatile and evolving environment.

1.5. MIFID II - Transaction Reporting

Transaction reporting underpins the ability of national competent authorities to investigate potential instances of market abuse, so it remains important that firms comply with the obligation to provide transaction reports that are complete, accurate and timely. Firms should regularly reconcile the reports provided to their competent authority with the data in their books and records, along with the data reported to and by their Approved Reporting Mechanism (ARM), to ensure that reporting is complete and accurate. The potential financial and reputational impact on a firm of failings in its transaction reporting could be damaging.

The Markets in Financial Instruments Regulation (MiFIR) has been in effect since 2018, but it introduced significant changes to transaction reporting, including expanding the volume of in-scope instruments as well as the number of data fields, to the extent that some firms are still finding it challenging over four years later.

The European Securities and Markets Authority (ESMA) issued a statement outlining some planned changes to its validation rules in Q2 2022. The European Regulators regularly provide updates on issues related to transaction reporting via their Market Watch publications, which provide additional information on their concerns in this space and highlight areas on which firms should focus.

Areas of Focus

Governance and control framework

Reperformance, the use of audit technology and a risk-based approach are essential for Internal Audit to be effective in challenging management's processes and controls. Specifically, Internal Audit should:

  • Assess the design, implementation and operation of front office transaction reporting controls including eligibility criteria, validations, exception management, reconciliations, issue management and risk assessment processes.
  • Establish how the Second Line functions have designed and implemented appropriate assessments of the First Line control suite.
  • Review the Compliance Monitoring Plan to validate whether it incorporates regular transaction reporting testing.
  • Evaluate the level of management information in place, how often it is generated, and to which senior Managers and Committees it is provided.
  • Review whether the end-to-end trade and transaction reporting process is delineated into key functions and business lines and is documented and actively maintained.

Data Governance

  • Evaluate whether the firm has identified and documented all relevant data sources feeding into the generation of transaction reports, including data formats.
  • Ensure all external data sources are documented and that controls exist to ensure timely resumption of reporting when data issues arise.
  • Assess whether individuals are clearly identified as responsible for the maintenance of data (e.g., counterparty information, instrument, trader's details, algorithms, etc.), including timely resolution of errors and remediation of identified issues.

Reconciliation

  • Ensure that a process exists for the regular reconciliation between the firm’s trading records and the reports made to the European Regulators.
  • Examine the most recent reconciliations to understand the operational effectiveness of the process, the remediation of any identified issues, and any communications with the Regulator regarding said issues.

1.6. Operational Resilience
Operational Resilience is a point of focus for European Regulators. Firms are expected to identify and map their Important Business Services, set Impact Tolerances, commence scenario stress testing programmes to identify vulnerabilities, produce ‘Self-Assessments’, and ensure appropriate governance arrangements are in place. The resilience journey is only just beginning. The focus must address the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding Operational Resilience into the whole operating model to withstand severe but plausible disruptions.

Operational Resilience should remain a key priority and an area of focus for Internal Audit. Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that Important Business Services can operate within their impact tolerance.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key focus and challenge for Boards and senior management over the next three years:

  • Scenario Stress Testing: Testing is likely to be the key area of Operational Resilience policy expectations which continue to evolve, as firms gain experience in the stress testing necessary, and the Regulators assess and feedback on the approaches being followed.
  • Third Party Risk Management: Third party dependencies pose a significant threat to a firm’s operational resilience. Visibility, oversight and assurance are imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for their Operational Resilience and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially when the service being provided is critical to delivering a firm’s Important Business Service.
  • Transition to Business As Usual (BAU): As firms look to build longevity in their Operational Resilience framework and transversal capabilities, embedding Operational Resilience across the organisation will transform meeting policy requirements and expectations into sustainable BAU activity.

Where smaller businesses are not currently required to comply with Operational Resilience-related regulatory requirements, some are nevertheless challenging themselves on how Operational Resilience is achieved through the controls already in place, with proportionate enhancements to identify important business services and map them to the resources in place, e.g. technology, data, people, processes, suppliers and facilities.

It is expected that Internal Audit will already have identified Operational Resilience as important, given the continued focus on this topic by businesses and Regulators. As a result, Internal Audit should have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. The majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. Given the current direction of travel, even Internal Audit functions at organisations currently out of scope for the regulations should be considering, and challenging management on, whether the operational advantages of proportionate compliance with the regulation warrant attention. There is now a need to move from programme readiness assessment reviews to broader engagement with the business, including progress against management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario stress testing. The key areas of focus for Internal Audit functions moving forward should be:

  • Providing robust challenge on the inputs and outcomes of scenario testing, challenging the approach undertaken to ensure that it is sufficiently detailed and enables identification of vulnerabilities for remediation.
  • Challenging the approach to third party risk management (TPRM) and consideration of current key areas of TPRM such as engagement with Cloud service providers and the linkage to Operational Resilience e.g. the sophistication of mapping to enable delivery of Important Business Services.
  • Assessing management’s ability to monitor and report on the performance of Important Business Services, along with the ability to remain within Impact Tolerance limits, with consideration of the firm’s understanding of remedial actions and the plans in place to deliver them.
  • Monitoring the embedding and ownership of the Operational Resilience requirements within the First Line of the business (i.e. has a resiliency culture been achieved), as well as the links from a process and technology perspective to existing related disciplines (change management, disaster recovery, business continuity planning, and risk management).

1.7. Artificial Intelligence – Control Frameworks

Artificial Intelligence (AI) is becoming increasingly common in business processes throughout the Financial Services (FS) sector. FS firms deploy AI across multiple service lines and are now harnessing its power in areas such as compliance, fraud detection, resume screening, credit scoring, product pricing and product recommendations, to name a few. Despite its growing use, we have seen that senior management is often unaware of exactly where and how AI is used in their organisation, and of the nature and extent of the risks it introduces. Moreover, Regulators are becoming increasingly active in their efforts to protect consumers from algorithmic harms such as bias that leads to discriminatory or unfair outcomes, outputs that mislead consumers or distort competition, and the collection of personal data that infringes on privacy rights. Thus, the growing use of AI systems in the FS sector requires an increased awareness of the risks inherent in those systems and an improved ability to manage those risks. This requires formalising an AI risk management framework and ensuring that teams in the Second and Third Lines of Defence have the required skills, knowledge and experience to independently assess and provide assurance over the effectiveness of the AI control framework.

The focus for European Regulators is to address concerns about a lack of consistency and the overlapping nature of regulatory mandates and to promote dialogue on the types and sources of algorithmic harms, provide policy recommendations for AI systems auditing and assurance, and coordinate the supervision of AI systems.

Areas of Focus

Awareness of Regulatory Obligations

The regulatory environment related to AI is rapidly evolving and Regulators and industry bodies are still in the process of developing audit and assurance guidelines for AI systems. Therefore, Internal Audit should:

  • Develop a detailed understanding of the current and proposed regulations that impact the use of AI and the relevant audit and assurance guidelines.
  • Ensure that Internal Audit staff have the necessary skills, knowledge and experience to understand the requirements of a robust AI risk management framework.
  • Ensure that the Internal Audit function is sufficiently resourced to oversee the growing number of AI systems in use and to ensure compliance with relevant regulatory requirements.

Governance and Control Frameworks

Firms should re-assess their AI control frameworks to ensure that they are appropriate for the governance of a highly complex and rapidly evolving technology. Internal Audit should:

  • Verify that assessments of the regulatory environment are conducted for each AI system in each jurisdiction in which the firm operates.
  • Verify that comprehensive risk assessments are performed for all AI systems.
  • Assess whether the governance structure and policies and procedures in place for development, testing, change management and approval of AI systems are appropriate.
  • Verify that periodic AI model re-validations are performed.
  • Assess whether there are adequate control measures in place to mitigate all AI-related risks, including related to data, inputs / outputs and system security controls.
  • Verify that there are appropriate performance monitoring measures in place.

Flexible Approach

The planned audit scope should be re-assessed each year to allow for evolving technology and changing regulatory requirements. A risk-based approach, which takes into account the purpose and the level of complexity of each system, can be considered for assessing the different AI systems in use across the firm.