Financial Services Internal Audit Regulatory



Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

1.1. Financial Crime and Sanctions

Financial crime continues to be an area of regulatory focus. In previous years, insight papers have highlighted how regulated firms still struggle with key areas of the risk-based approach such as governance, customer risk assessment, customer due diligence, and monitoring. Recent European Regulators publications have placed a specific onus on regulated firms to address failures proactively and be able to demonstrate how they have successfully implemented change.

The conflict in Ukraine has placed a renewed emphasis on sanctions compliance. Firms now face a strong increase in the number of individuals to focus on, increasing the risk of penalties applied for breaches. The European Regulators also expect the rise of fraud incidences observed under the COVID-19 pandemic to abate slowly, as tools put in place to control its spread begin to take effect.

Key areas of the risk-based approach to AML / CTF, long identified as being weak, are still found to be requiring improvement, particularly among smaller firms.

The European Regulators continued monitoring of the application of EU AML / CTF regulations with a focus on limiting weaknesses in governance and oversight, risk assessments, initial and enhanced due diligence on customers as well as transaction monitoring.

Since March 2022, the US, UK, and the EU, have expanded sanctions on an unprecedented scale and scope as a result of the Russian invasion of Ukraine. These measures have had a significant impact on companies’ sanctions risk management frameworks and related sanctions breaches. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.

The European Regulators have highlighted that financial crime reduction will be achieved through an increase in authorisation rejections on the basis of non-compliance with Money Laundering Regulations (MLRs) or for financial crime reasons. This forms part of a wider focus on reducing the impact of fraud on society, which the European Regulators will achieve through improved supervision and proactive assessments of firms’ anti-fraud systems and controls.

The European Regulators have also flagged that efforts into supervising crypto assets firms’ compliance with the MLRs will be ongoing, and sanctions imposed swiftly, where firms are found to be posing harm to consumers or market integrity.

Area of Focus

Financial Crime



Internal Audit should continue to focus on reviewing the keystone features of financial crime frameworks in order to ensure they are designed to maximise firms’ management of financial crime risk while not interfering with important themes such as financial inclusion.

Sanctions Risk Management

Internal Audit should place particular focus on how risk assessments, enhanced due diligence on customers have been adapted to the current heightened risk of sanctions evasion, particularly where beneficial ownership is less transparent, and higher risk jurisdictions are involved in the ownership chain.

Customer screening should also be taken into careful consideration as fundamental tool supporting initial and ongoing-due diligence on customers.

Fraud Risk Management​

Internal Audit should place renewed emphasis on the ability to manage fraud risk effectively.

This should comprise of establishing whether firms assess their exposure to fraud risk and respond appropriately by designing and enhancing their fraud risk control environment.

Implementation of Financial Crime Programmes​​

Internal Audit should assess whether financial crime change programmes are tracked to completion while benefitting from ongoing senior stakeholder information and challenge. Specifically, firms should have clear project plans outlining milestones, accountabilities and delivery dates. senior management should also be tracking projects and ensuring that key deadlines are being met. The Risk Committee, the Audit Committee and Chief Executive Officer should be involved in order to ensure appropriate governance and challenge.

Challenger Banks and Crypto Asset Providers​​

Internal Audit should continue to challenge the maturing financial crime compliance framework against MLRs and industry guidance to ensure that these firms are proactive in improving adherence to regulations while their business grows and evolves.

Where the firm offers crypto assets, Internal Audit should understand how the business achieves compliance with the European Regulators’ guidance on crypto currency.

1.2. Fraud Risk Management

Regarding occupational fraud, remote working was the factor most commonly cited as a significant contributor to fraud. Another emerging cause of fraud risk in 2022 has been the conflict in Ukraine which has exacerbated already fragile supply chains and rising commodity costs including crude oil, metals and grain, contributing to historic levels of inflation and rapid interest rates. The strain on organisations leaves them not only susceptible to internal management fraud but to external threats including via cyber attacks. As fraud prevalence continues to remain on the public agenda, regulatory initiatives have been introduced, aiming to help auditors and organisations tackle the threat and restore confidence in the markets. For regulated financial firms, the European Regulators have set out a commitment to reduce and prevent serious harm as a result of fraud.

Russia and Ukraine Conflict: For those organisations with direct exposure to Russia, exiting a formerly important market to comply with sanctions may lead to substantial losses. Geopolitical uncertainty has also been a driver in the stock market sell-off that has resulted in significant recent falls in some indices. In trying to smooth over the adverse impact of sanctions or appease shareholder expectations, firms might be incentivised to “improve” results therefore creating the risk of financial statements fraud.

Cost of Living: High energy and commodity costs have added to the ongoing supply chain crisis, a convergence that has contributed to increasing levels of inflation. Reduced consumer spending will result in many businesses experiencing cash shortfalls. Inflation also diminishes corporate profits as the value of money decreases. Such factors heighten the risk of fraud through the fabrication of revenues, questionable forecasting, as well as insider fraud by employees whose salaries will not match the high inflation and increasing living costs.

ISA 240 Revision: The updated standard seeks to clarify the external auditor’s role and objectives in identifying fraud with a focus on enhanced professional skepticism. Enhancements include more detail regarding the identification and assessment of risk, while also addressing the inherent challenges audits face particularly where management are colluding in fraud. An example includes the need for whistleblowing policies to enable employees to disclose concerns about actual or suspected fraud.

Online Safety Bill: Included in the wide-ranging bill are proposals to tackle scams on user-generated platforms such as social media and search engine companies. Example content includes romance scams, fake stock market tips and other fraudulent advertising.

Area of Focus

Consider the risk assessment


The fast-changing economic outlook demonstrates the importance of a dynamic fraud risk assessment. What might have constituted a reasonable risk assessment six months ago may no longer be suitable as new risks arise. Internal Audit should consider challenging management on changes to the firm’s risk appetite vis-à-vis the present outlook. By extension, they should seek to understand and quantify what the key gaps and vulnerabilities are given the emerging new risks, such as those resulting from the conflict in Ukraine and rising inflation.

Assess the design of the framework​

Internal Audit should also consider the robustness of the existing fraud risk framework. An optimal framework should not only take into account the risk assessment, but it should incorporate governance upon which the organisational tone and culture are set. Its design should reconcile identified risks with effective controls to help with the detection and prevention of fraud. That latter undertaking may not always be fully understood in-house, for example, with highly sophisticated cyber attacks emanating from state-sponsored actors able to overwhelm internal capabilities. As such, input from a team specialising in fraud risk should be considered. The framework should also include timely resolution of fraud instances and lastly, have a ‘refresh’ aspect to make it sustainable especially given the speed at which recent crises have unfolded.

Changing Nature of the Regulatory Landscape

Evolving regulatory landscape will have implications for both organisations as well as auditors. For Internal Audit, collaboration and interaction with key stakeholders, including with Regulators, as well as coordination with other risk, control and compliance functions will allow for a proactive understanding of the fraud risk threat environment in line with regulatory expectations.

1.3. Payments Sector Regulatory Developments

Significant technology, regulatory and infrastructure developments are driving major change, growth and innovation in payments. There is significant regulatory focus across a variety of areas for both incumbents and new providers, where there is significant potential to expand into new markets (for example, payments are being increasingly intermediated by BigTech and other non-traditional parties). Fees are also being reduced through regulation and competition and banks’ historic data advantages are being diminished by Open Banking and the Payment Services Directive 2 (PSD2), with this set to increase with the future introduction of Open Finance. At the same time, growth in the payments industry is increasing at a significant rate and interoperability is increasing through use of common standards which are also delivering richer data. There are also fundamental infrastructure changes occurring, requiring structural changes to the payment ecosystem, and requiring changes to the payment plumbing and data flows for ecosystem participants.

ISO20022: The ISO20022 messaging standard is replacing the existing SWIFT messaging standard and from November 2022 SWIFT messages will start to be replaced for cross-border payment and reporting messages.

There will be further impacts for other payment types through the future introduction of the New Payments Architecture (NPA) e.g. TARGET2 (the RTGS system owned and operated by the Eurosystem) and Euro high value payments. Indirect participants will also be impacted and will need to discuss with their provider as to what steps they must take.

Strong Customer Authentication / Transaction Risk Analysis: Mandatory annual audit requirements persist around Strong Customer Authentication (SCA) bringing e-commerce transactions into scope. All Banks and payment service providers (PSPs) should be utilising SCA for payment transactions. In addition, an increasing number of banks are now adopting Transaction Risk Analysis (TRA) which requires fraud rates to be below a certain level for a bank to exempt the usage of SCA. SCA requirements apply across any channel offering access to ‘payment accounts’ (including cards) across any customer segment (i.e. Retail, Business, Corporate, Private Banking etc.).

The scope of the audit requirement extends across all electronic customer channels, such as internet banking, mobile apps, firm provided software, enterprise software integrations, other software integrations embedded through Application Programming Interfaces (APIs) or other interfaces, and ‘Open Banking’ channels.

Area of Focus

ISO 20022


Internal Audit should perform a detailed review of ISO 20022 programme activities to ensure that regulatory deadlines will be met and how changes to adopt the new messaging standard are being implemented and tested. Additional investigation may also be performed to determine how enriched messaging data may provide key benefits and how these are realised.

ISO 20022 migration is inherently complex, posing significant challenges for impacted firms, in particular Internal Audit should understand the controls in place around the following areas:

  • Appropriate training is in place for the new messaging standard.
  • Upgraded messaging appropriately interfaces to the new standard.
  • Robust and detailed testing of In-flow translations, including the receipt of multi-format messages takes place.

The impact on banks will be significant across business operations and technology stacks which will require careful and comprehensive consideration with significant pressure being placed on technical resources.


Both SCA and TRA must be audited annually by operationally independent internal or external auditors. The audit should include an evaluation and report on the compliance of the firm’s security measures with the Regulatory Technical Standard (RTS) requirements, and the report must be made available upon request by the European Regulators.

For the first year when TRA is adopted, and every three years thereafter, the audit must be performed by an independent external auditor. (i.e. Internal Audit can only perform this work in intervening years).

1.4. Cryptocurrency / Digital Assets

The market capitalisation of digital assets has seen substantial growth in recent years and even after the recent tumultuous period it is still highly valued at $993bn*. This market continues to show potential to increase further and reshape activity currently taking place in the traditional financial services sector to meet an array of business and consumer needs. Activity to adopt the widespread use of Cryptocurrency and Digital Assets continues at pace, for example: Security tokens present a $17bn* market capitalisation, Stablecoins are valued at $153bn*, Decentralised Finance (DeFi) is valued at $53bn*, and 17 Central Bank Digital Currencies (CBDC) have been launched as pilots. The digital assets ecosystem is also in a state of major evolution with further institutional interest from major banks and asset managers and several new businesses entering the EU market with Electronic Money Institution (EMI) and Authorised Payments Institution (API) applications to the European Regulators. The issuance of CBDCs and Stablecoins is on the agenda of all major Central Banks. As regulations evolve and further licensing requirements come into force, firms will need to assess their business models and strategy to align with their local regulatory perimeter requirements.

* Data obtained from CoinMarketCap. These values are subject to change on a daily basis.

Regulatory Framework Developments:

Markets in Crypto-Assets (MiCA) is a new framework that is under development by the EU that aims to regulate crypto assets and service providers to enhance financial stability around these products.

Due to the nature of the assets (anonymity), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance controls are critical and which EU businesses must comply with. Most countries have a registry where entities participating in crypto activities must apply to or register. Part of the challenge within the EU is that each Member State has a different system thereby making passporting rights inaccessible for businesses. It is anticipated that MiCA will help solve this.

To further safeguard consumers, several changes are expected in the regulation for EU businesses and how these products can be marketed.

Area of Focus

Existing Regulation


Internal Audit should:

  • Assess processes in place to meet AML and CFT regulations across relevant jurisdictions.
  • Assess processes in place to meet compliance expectations around Business Continuity Plans and Operational Resilience. These areas, whilst not specific to Digital Assets, are core components of demonstrating compliance with AML / CFT requirements.
  • Assess processes in place around regulatory reporting requirements that should capture Digital Assets activity / transactions. For example, Tokenised Bonds that are transacted under Distributed Ledger Technology (DLT) should be included in traditional reporting mechanisms under MiFID to the regulator.

New Products and Services

As firms consider new products and services relating to Digital Assets, Internal Audit will have a key role to play in providing assurance that the business maintains a robust Risk Management Framework (which includes assessment of financial risk, AML / CFT and new technology risks) which anticipates and appropriately evaluates new risks posed by Digital Assets products.

Internal Audit should review and challenge the New Product Approval including asset class valuations processes and controls to help ensure the business complies with relevant regulatory requirements.

Internal Audit should also challenge, assess and report on how well management and those charged with governance understand and monitor the risks they face within their current crypto product set in this volatile and evolving environment.

1.5. MIFID II - Transaction Reporting

Transaction reporting underpins the ability of national competent authorities investigate potential instances of market abuse and thus it continues to be important that firms can comply with the obligation to provide transaction reports that are complete, accurate and timely. Firms should regularly reconcile the reports provided to their competent authority with the data in their books and records, along with the data reported to and by their Approved Reporting Mechanism (ARM) to ensure that reporting is complete and accurate. The potential financial and reputational impact on a firm for failings in its transaction reporting could be damaging.

The Markets in Financial Instruments Regulation (MiFIR) has now been in effect since 2018 but resulted in significant changes on transaction reporting, including expanding the volume of in-scope instruments as well as expanding the number of data fields, to the extent that some firms are still finding it challenging over four years later.

The European Securities and Markets Authority (ESMA) issued a statement outlining some planned changes to their validation rules in Q2 2022. The European Regulators regularly provide updates on issues related to transaction reporting via their Market Watch publications, which provides additional information on their concerns in this space and highlights areas upon which firms should focus.

Area of Focus

Governance and control framework


Reperformance, the use of audit technology and a risk-based approach is essential for Internal Audit to be effective in challenging management's processes and controls. Specifically, Internal Audit should:

  • Assess the design, implementation and operation of front office transaction reporting controls including eligibility criteria, validations, exception management, reconciliations, issue management and risk assessment processes.
  • Establish how the Second Line functions have designed and implemented appropriate assessments of the First Line control suite.
  • Review the Compliance Monitoring Plan to validate whether it incorporates regular transaction reporting testing.
  • Evaluate the level of management information in place, how often it is generated, and to which senior Managers and Committees it is provided.
  • Review whether the end-to-end trade and transaction reporting process is delineated into key functions and business lines and is documented and actively maintained.

Data Governance

  • Evaluate whether the firm has identified and documented all relevant data sources feeding into the generation of transaction reports, including data formats.
  • Ensure all external data sources are documented and that controls exist to ensure timely resumption of reporting when data issues arise.
  • Assess whether individuals are clearly identified as responsible for the maintenance of data (e.g., counterparty information, instrument, trader's details, algorithms, etc.), including timely resolution of errors and remediation of identified issues.


  • Ensure that a process exists for the regular reconciliation between the firm’s trading records and the reports made to the European Regulators.
  • Examine the most recent reconciliations to understand the operational effectiveness of the process, the remediation of any identified issues, and any communications with the Regulator regarding said issues.

1.6. Operational Resilience

Operational Resilience is a point of focus for European Regulators. Firms are expected to identify and map their Important Business Services, set Impact Tolerances, commence scenario stress testing programmes to identify vulnerabilities, produce ‘Self-Assessments’, and ensure appropriate governance arrangements are in place. The resilience journey is only just beginning. The focus must address the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding Operational Resilience into the whole operating model to withstand severe but plausible disruptions.

Operational Resilience should remain a key priority and an area of focus for Internal Audit. Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that Important Business Services can operate within their impact tolerance.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key focus and challenge for Boards and senior management over the next three years:

  • Scenario Stress Testing: Testing is likely to be the key area of Operational Resilience policy expectations which continue to evolve, as firms gain experience in the stress testing necessary, and the Regulators assess and feedback on the approaches being followed.
  • Third Party Risk Management: Third party dependencies pose a significant threat to a firm’s operational resilience. Visibility, oversight, and assurance is imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for their Operational Resilience and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially when the service being provided is critical in providing a firm’s Important Business Service.
  • Transition to Business As Usual (BAU): As firms look to build longevity in their Operational Resilience framework and transversal capabilities, embedding Operational Resilience across the organisation will transform meeting policy requirements and expectations into sustainable BAU activity.

Where smaller businesses are not required to currently comply with Operational Resilience-related regulatory requirements, some businesses are challenging themselves on how Operational Resilience is achieved through existing controls in place, with proportionate enhancements taking place to identify important business services and map this to resources in place, e.g. technology, data, people, processes, suppliers and facilities.

It is expected that Internal Audit will already have identified Operational Resilience as important due to the continued focus on this topic by businesses and the Regulators focus on this area. As a result, Internal Audit should have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. The majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. With the current direction of travel, even internal audit functions at organisations who are currently out of scope for the regulations should be considering and challenging management on whether the operational advantages of proportionate compliance with the regulation warrants attention. There is a need to now move from programme readiness assessments reviews to broader engagement with the business including progress against Management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario stress testing. The key areas of focus for Internal Audit functions moving forward should be:

  • Providing robust challenge on the inputs and outcomes of scenario testing, challenging the approach undertaken to ensure that it is sufficiently detailed and enables identification of vulnerabilities for remediation.
  • Challenging the approach to third party risk management (TPRM) and consideration of current key areas of TPRM such as engagement with Cloud service providers and the linkage to Operational Resilience e.g. the sophistication of mapping to enable delivery of Important Business Services.
  • Assessing management’s ability to monitor and report on the performance of Important Business Services along with the ability to remain within Impact Tolerance limits, with consideration over the firms understanding of remedial actions and the plans in place to remedy these.
  • Monitoring the embedding and ownership of the Operational Resilience requirements within the First Line of the business (i.e. has a resiliency culture been achieved), as well as the links from a process and technology perspective to existing related disciplines (change management, disaster recovery, business continuity planning, and risk management).

1.7. Artificial Intelligence – Control Frameworks

Artificial Intelligence (AI) is becoming increasingly common in business processes throughout the Financial Services (FS) sector. FS firms deploy AI across multiple service lines and are now harnessing its power in areas such as compliance, fraud detection, resume screening, credit scoring, product pricing and product recommendations, to name a few. Despite its growing use, we have seen that senior management is often unaware of exactly where and how and also the nature and extent of the risks faced by their organisation in relation to the use of AI. Moreover, Regulators are becoming increasingly active in their efforts to protect consumers from algorithmic harms such as bias that leads to discriminatory or unfair outcomes, outputs that mislead consumers or distort competition, and the collection of personal data that infringes on privacy rights. Thus, the growing use of AI systems in the FS sector requires an increased awareness of the risks inherent in those systems and an improved ability to manage those risks. This requires formalising an AI risk management framework and ensuring that teams in the Second and Third Lines of Defence have the required skills, knowledge and experience to be able to independently assess and provide assurance over the effectiveness of the AI control framework.

The focus for European Regulators is to address concerns about a lack of consistency and the overlapping nature of regulatory mandates and to promote dialogue on the types and sources of algorithmic harms, provide policy recommendations for AI systems auditing and assurance, and coordinate the supervision of AI systems.

Area of Focus

Awareness of Regulatory



The regulatory environment related to AI is rapidly evolving and Regulators and industry bodies are still in the process of developing audit and assurance guidelines for AI systems. Therefore, Internal Audit should:

  • Develop a detailed understanding of the current and proposed regulations that impact the use of AI and the relevant audit and assurance guidelines.
  • Ensure that Internal Audit staff have the necessary skills, knowledge and experience to understand the requirements of a robust AI risk management framework.
  • Ensure that Internal Audit function is sufficiently resourced to oversee the growing number of AI systems in use and ensure compliance with relevant regulatory requirements.

SGovernance and Control Frameworks

Firms should re-assess their AI control frameworks to ensure that they are appropriate for the governance of a highly complex and rapidly evolving technology. Internal Audit should:

  • Verify that assessments of the regulatory environment are conducted for each AI systems in each jurisdiction in which the firm operates.
  • Verify that comprehensive risk assessments are performed for all AI systems.
  • Assess whether the governance structure and policies and procedures in place for development, testing, change management and approval of AI systems are appropriate.
  • Verify that periodic AI model re-validations are performed.
  • Assess whether there are adequate control measures in place to mitigate all AI-related risks, including related to data, inputs / outputs and system security controls.
  • Verify that there are appropriate performance monitoring measures in place.

Flexible Approach​

The planned audit scope should be re-assessed each year to allow for evolving technology and changing regulatory requirements. A risk-based approach, which takes into account the purpose and the level of complexity of each system, can be considered for assessing the different AI systems in use across the firm.

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Ce contenu vous a-t-il plu ?