Financial Services Internal Audit Planning Priorities 2021
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.
1.1. Ethical and Responsible Artificial Intelligence
Artificial Intelligence (AI)-driven systems have an unprecedented scale of impact on our lives, with often unforeseen or unintended societal implications. Ensuring that this impact is aligned to our ethical values and principles is challenging, and distinct from traditional model validation.
The AI regulatory environment is evolving at pace including new legislative proposals and regulatory guidance from EU regulators.
In February 2020 the European Commission (EC) published a White Paper which set out policy options for a future EU ethical and legal AI framework, whilst guidelines issued in 2019 by the EC’s High-Level Expert Group on AI (AI HLEG) laid out the expectation that all business AI systems should be trustworthy before they are developed and deployed, and at scale.
As a consequence, efforts to implement ethical values must be a high priority. Ethical considerations should be taken into account within the context of relevant regulations, guidance, court cases and legislation, such as the General Data Protection Regulation (GDPR).
Certain AI applications will be subject to higher scrutiny based on the sensitivity of the input data and the impact of the output on customers.
Area of Focus
Regardless of intent, AI should be used to benefit the customer and should not be used to inadvertently cause harm to society. Internal Audit should:
AI should treat people fairly regardless of protected features (e.g. race, gender) and endeavour to reduce not amplify existing inequalities. Internal Audit should:
AI should be well understood and non-manipulative, empowering people to challenge and overrule AI decisions. Internal Audit should assess the approach in place to support the following key objectives:
1.2. Algorithmic Trading
Algorithms are increasing in their capability, prevalence and complexity. However, they have the potential for unexpected and unintended results. The risk of algorithms malfunctioning has wide-ranging consequences for all stakeholders involved, which could include the possibility of financial loss, damage to firms’ reputations and severe disruption to financial markets. Regulators are placing greater scrutiny on firms to ensure that the use of algorithms supports appropriate compliance with regulations.
- Global regulators are continuing to respond to the growing use of algorithms and have started to expand on their expectations in relation to electronic and algorithmic trading controls. There has been a noted increase in focus in Asia-Pacific countries with the Hong Kong Monetary Authority (HKMA) setting out its supervisory expectations for Algorithmic Trading activities in March 2020. The Bank of Japan has also recently conducted a review of Foreign Exchange (FX) trading which examines the role of algorithmic trading in the FX market and analyses its impact on market liquidity. The review calls for continued work in the area to better understand the implications of algorithmic trading for market functioning.
- The Markets In Financial Instruments Directive (MiFID) II – Regulatory Technical Standard (RTS) 6 continues to be a key regulation with respect to Algorithmic Trading and it is likely that regulators will place further scrutiny on the quality of firms’ Annual Self-Assessments going forward. The COVID-19 outbreak has resulted in an increase in volatility in financial markets which has tested the effectiveness of some firms’ Algorithmic Trading controls. Real-time monitoring is an example of this where large intra-day price movements resulted in a significant increase in the number of alerts for review.
Governance and control framework:
1.3. Tax Strategies and Responsible Tax
Financial Services firms continue to be at the forefront of a complex and rapidly evolving tax environment. Furthermore, there is increasing pressure from a range of internal and external stakeholders for firms to be more transparent in their tax affairs. This is causing an evolution in the breadth and depth of tax strategy documents that are required to be published online.
As tax governance frameworks evolve, firms are increasingly enhancing their monitoring and testing capability around how their tax control frameworks operate. Internal Audit will have a key role in reviewing the robustness of this testing and also challenging whether firms are in compliance with regulatory requirements (as well as good practice requirements) and that reputational and financial risk is being managed through a robust tax governance framework.
There are a number of recent and upcoming regulatory changes which mean that tax should remain a focus area for Internal Audit, for example:
- Directive on Administrative Cooperation (DAC6) – Implementation of the latest EU DAC6 which goes live on 1 January 2021 (delayed from 1 July 2020) has required firms to think about the design of additional processes and governance procedures in order to support this new reporting obligation.
- It’s important to ensure that there is good tax governance in place around new and complex tax areas, some of which have been exacerbated by the impacts of COVID-19. Examples include partial exemption for VAT, displaced and/or remote workers in an Employment Tax context, and Permanent Establishment/Transfer Pricing risks on the direct tax side.
Governance and control framework:
1.4. Tax Compliance – FATCA, CRS and DAC6
The Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS) regimes are fully implemented in the EU, with reporting moving into its fifth year. Previously, tax authorities focused on implementation activities and to some extent accepted ‘best endeavours’ compliance. In 2019 authorities visibly began to shift their attention to the adequacy of compliance and monitoring activities, with a special focus on documentation of processes. Despite the impact of COVID-19, we expect enquiries to increase in late 2020 and 2021, driven by the publication of the Organisation for Economic Co-operation and Development's (OECD) Compliance Handbook and the inclusion of CRS compliance as one of the ‘hallmarks’ under the updated EU Directive on Administrative Cooperation (DAC6). If firms are not able to clearly evidence their procedures and effective governance regarding these regimes, they run the risk of suffering penalties and reputational damage.
- The OECD is expected to publish its FATCA and CRS Compliance Handbook, putting pressure on authorities to either begin or reinforce their review and enforcement actions.
- Following scrutiny of annual returns, FATCA and CRS audits and enquiries are being launched. For instance:
  - The UK, Jersey, France and Luxembourg, amongst others, are increasing their activity in raising enquiries.
  - Australia and New Zealand are issuing questionnaires based on the Compliance Handbook.
  - The Cayman Islands has introduced a new CRS reporting obligation.
- DAC6 reporting on CRS hallmarks went live in mid-2020, with retrospective reporting looking back to 2018 and a monthly deadline for new reporting.
- This DAC6 reporting is subject to a six-month delay in many jurisdictions as a result of COVID-19.
During the implementation of FATCA and CRS reporting, businesses often followed a tactical approach to reporting. With tax authorities now continuing to demand accuracy in compliance despite the current environment, Internal Audit should consider the assurance in place over the data collation processes that support reporting, the additional requirements regarding non-reportable accounts, and the DAC6 reporting requirements.
Policies and procedures compliance
Tax authorities will expect to be able to readily obtain sight of documented policy and procedures. Internal Audit should assess the clarity and robustness of the documentation in place to support compliance with FATCA and CRS requirements.
Review whether senior roles are appropriately assigned and documented in a governance framework for reporting requirements. Assess if firms have planned the integration of FATCA and CRS compliance risks into their overarching governance frameworks.
Ongoing monitoring due diligence
FATCA and CRS require ongoing monitoring of changes in circumstance. This is a particular area of interest to tax authorities. Internal Audit should consider the robustness of processes and controls in place to identify reportable changes.
1.5. Financial Crime
This year, changes to the Money Laundering Regulations came into force which transposed the European Union’s (EU) 5th Money Laundering Directive (5MLD). The new regulations impose changes to the way regulated Financial Services Industry (FSI) firms operate and, most importantly, expand the range of sectors being regulated. The impact of COVID-19 has also been felt, with rises in fraud incidents which are being closely monitored by the European regulators in their remit to protect consumers in the financial services sector.
- The EU regulators have recognised that COVID-19 has created a fast-evolving environment in which targeted supervision of ongoing and emerging risks needs to be carried out quickly. For this reason the EU regulators’ activities are going to be even more reliant on an intelligence-led approach to detection.
- Given the advanced use of technologies and data intelligence in recent years, digital money in the form of cryptocurrencies and virtual assets can frequently be used by money mules or criminals and is therefore seen as a threat. Regulators in Asia-Pacific (“APAC”) have already taken proactive steps in virtual asset regulation. In addition, in the EU the EU regulators have now taken over supervision of cryptocurrency platforms and wallet providers.
- Firms must consider new additional high-risk factors when assessing their clients for enhanced due diligence. These may include, but are not limited to, transactions made in high-risk countries, cases where a customer is a beneficiary of a life insurance policy, and transactions related to the oil, arms, precious metals, art and antiquities sectors.
- Firms are now required to enhance their records of corporate client beneficial owners. In the event that knowledge of relevant individuals cannot be obtained, firms are obliged to provide a full record of the difficulties encountered in identifying beneficial owners.
- EU regulations provide guidance on Customer Due Diligence (CDD) requirements for cryptocurrency clients; they also clarify when it is acceptable to forgo CDD for e-money clients, thus offering increased regulatory coverage to the broader financial sector.
- The European regulators have indicated that regulatory action will become more focused on smaller firms. As part of this strategy, the EU regulators have signalled that they will move more swiftly to enforcement action against those who fail to meet required standards.
Area of Focus
Financial crime risk assessment
Internal Audit can support “integrated” financial crime risk management by conducting audit reviews across financial crime domains including assessing whether:
Robust approach to enterprise-wide risk assessments
Internal Audit should review the design appropriateness and effectiveness of risk assessments, including determining whether they are comprehensive, whilst remaining proportionate to the nature, scale and complexity of business activities. They should support a robust understanding of the financial crime risks faced and subsequent tailoring of the control framework.
Impactful audit insights through analytics
Internal Audit should adopt various data analytics models and work together with data science and analytics professionals to improve audit processes, reporting and service delivery. Internal Audit insights should be monitored and tracked to ensure these are remediated in a timely manner.
Compliant control environment in the context of COVID-19
Internal Audit should work to ensure that operational challenges presented by COVID-19 have not adversely affected the quality of financial crime systems and controls.
Areas affected by increases in the incidence of fraud should be enhanced with new controls, and new operational challenges resolved with alternative processes and means of obtaining information.
1.6. IBOR Reform
The European regulators have remained consistent in their message that firms cannot rely on LIBOR – dubbed the ‘world’s most important number’ – being published after 2021. It is difficult to overstate how widespread references to LIBOR are across products and functions for financial services firms and corporates, and transitioning away to alternative rates is a significant industry challenge. Whilst some would note that firms should be starting to move into the home stretch of transition – offering new products to clients, amending existing contracts to alternative Risk-Free Rates (RFRs) and updating systems and processes to enable non-LIBOR business – there remains a significant amount of activity for the industry to deliver in a limited time.
- Timeframes: Market participants are expected to be able to offer non-LIBOR loan products by October 2020, to cease issuing LIBOR loans that mature after 2021, and to accelerate transition of legacy contracts in Q1 2021. The EU regulators have suggested that announcements on the end dates for at least some of the LIBOR currency/tenor combinations (LIBOR is currently published daily for five currencies across seven tenors or time periods, such as overnight, one week or three months) may be made before the end of this year – such an announcement would fix the credit spread adjustment for derivatives under the ISDA Definitions. In the US, the Alternative Reference Rates Committee (ARRC) has released a ‘Best Practices’ document laying out USD LIBOR transition timelines.
- Operations and Technology: Clearing Houses in July 2020 switched euro-denominated swaps from EONIA (European Overnight Index Average) to the €STR for discounting and Price Alignment Interest purposes – USD contracts will move from Fed Funds to SOFR in October 2020. The ARRC has released a transition aid for internal systems and processes, laying out suggested activities for functions to consider as well as possible downstream impact and dependencies.
- Contract Transition: Tough Legacy – some contracts cannot practically be transitioned to alternative rates (for example bonds where 100% of noteholder consent is required to amend the language). In the EU, US and UK, legislative solutions have been proposed to deal with tough legacy contracts, but none of these have yet been passed into law. Hong Kong’s HKMA has announced key milestones for transition: alternative rates should be offered from January 2021, and new LIBOR products maturing after 2021 should cease from the end of June 2021. In Singapore, the SC-STS (Steering Committee for SOR Transition to SORA) and other institutions have released a report on the future of SGD benchmarks, recommending that SIBOR is discontinued to focus liquidity in SORA (the Singapore Overnight Rate Average), the recommended replacement for SOR (Singapore Swap Offer Rate), which uses USD LIBOR as an input. ISDA is expected to imminently publish updated 2006 Definitions – providing fallbacks for new derivative contracts – and is releasing a corresponding Protocol which will allow adhering parties to include fallback language in existing contracts.
- Programme flexibility: The impact of the current environment has led to a shift in target milestones set by regulator-convened working groups. Furthermore, as LIBOR transition has developed, the transition of other IBORs has also gathered pace (e.g. transition of the SOR and HIBOR (Hong Kong Interbank Offered Rate) benchmarks). With moving milestones for LIBOR transition and a gathering of pace in the reform of other similar benchmarks, transition programmes will not only need to keep abreast of changes, but will also need to be flexible enough to respond and adapt to scope and remit changes accordingly. Internal Audit should be able to assess the extent to which a programme keeps track of changes to milestones and regulatory expectations, and how the impact of the reform of other benchmarks is being considered.
- Conduct risk and mitigation efforts: Managing conduct risks over the transition is also a topic which has been previously raised as a significant area of focus and will continue to be as RFR market liquidity develops further, and contracts start to transition away from LIBOR. Institutions will need to be able to demonstrate that conduct concerns have been adequately assessed and mitigation measures taken – failure to do so could lead to reputational, legal and financial costs – especially as due warning has been provided. Internal Audit should be able to validate and assess risk management measures taken by their firm in respect of conduct risk management.
- Legacy transition: The contractual transition of legacy contracts away from LIBOR and on to RFRs may prove to be a significant undertaking. Aside from conduct concerns noted above, contracts may need to be bilaterally agreed with counterparties. Internal Audit should plan their assurance work in a manner which adapts to Management’s transition style.
1.7. Operational Resilience
The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat for businesses that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges. It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.
Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on the resilience practices followed by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned. At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders.
- Building the operational resilience of firms and Financial Market Infrastructures (FMIs) is now more than ever a key shared priority for the European regulators.
- Regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the Board) and the quality of their crisis communications.
- We believe that in the longer term the COVID-19 experience will validate this proposed EU regulatory approach that focuses on strengthening the resilience of important business services in the face of a wide range of severe but plausible scenarios.
- The EU regulators expect Internal Audit functions to undertake an operational resilience audit.
First phase: Respond
- Validating and challenging key management information (MI) used by Management to make decisions on mission-critical activity.
- Challenging Management’s forecasts of business impact (some of these may directly impact financial reporting, e.g. going concern).
- Challenging Management’s assessment, monitoring and contingency plans of key outsource service providers.
Second phase: Recover
- Challenge and benchmark Management’s scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient based on a clear action plan. It is important to focus on a planning-driven approach based on the scenarios that the business is likely to face over a prolonged period (including the ‘worst case’).
- Assess whether the resilience achieved to date was by design, and if not, what lessons should be drawn for the future. Try to assess Management’s ‘crunch points’ in the ability to deliver services against planning assumptions.
- Validate the modifications needed to operational capabilities to maintain safety, flexibility and improve resilience, and how those modifications can be implemented quickly with the right resources and outcomes. The adaptability and alternative delivery of important business services has been a critical part of this.
- Understand Management’s strategy to return to ‘business as usual’ after the crisis and move from ‘respond’ to ‘recover’ and then to ‘thrive’; assess how it can turn the crisis into an opportunity to emerge stronger.
- Review how the business has interpreted the regulation and taken actions in response to this whilst also leveraging industry response and lessons learned from COVID-19.