Article

Regulatory

Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

1.1. Ethical and Responsible Artificial Intelligence



Why is it important?

Artificial Intelligence (AI)-driven systems have an unprecedented scale of impact on our lives with often unforeseen or unintended societal implications. Ensuring that this impact is aligned to our ethical values and principles is challenging, and discrete from traditional model validation. 

The AI regulatory environment is evolving at pace including new legislative proposals and regulatory guidance from both EU and UK regulators.

What’s new?

In February 2020 the European Commission (EC) published a White Paper which set out policy options for a future EU ethical and legal AI framework, whilst guidelines issued in 2019 by the EC’s High-Level Expert Group on AI (AI HLEG) laid out expectations that all business AI systems should be trustworthy before they are developed and deployed and at-scale. 

As a consequence, efforts to implement ethical values must be of high priority. Ethical considerations should be taken into account within the context of relevant regulations, guidance, court cases and legislations, such as General Data Protection Regulation (GDPR) and the Equality Act 2010. 

Certain AI applications will be subject to higher scrutiny based on the sensitivity of the input data and the impact of the output on customers.

What should Internal Audit be doing?

Area of Focus

Impact
Description

Regardless of intent, AI should be used to benefit the customer and should not be used to inadvertently cause harm to society. Internal Audit should:  ​
  • Assess whether AI is being used to improve stakeholder outcomes (e.g. better use of data insight to improve customer products and services)​. 
  • Assess whether AI is being used in a way that does not cause harm (e.g. ensuring pay day loans adverts are not targeted at vulnerable customers)​.
Justice​ AI should treat people fairly regardless of protected features (e.g. race, gender) and endeavour to reduce not amplify existing inequalities. Internal Audit should:
  • Assess the approach to using protected features or proxies as model inputs to avoid discrimination (e.g. using a customer’s address (a proxy for race) as a key model input for determining insurance premiums)​.
  • Assess whether the approach helps reduce inequality, for example, adjust for historical biases in input data to avoid ‘codifying’ human bias (e.g. hiring algorithm build on existing workforce data worsening the gender pay gap)​.
Autonomy​ AI should be well understood and non-manipulative, empowering people to challenge and overrule AI decisions. Internal Audit should assess the approach in place to support the following key objectives:  ​
  • Maintaining Control: keeping ‘humans in the loop’ e.g. meaningful human review of automated credit lending decision before approvals​.
  • Understanding Decisions: ensure transparency and explainability (e.g. transparency of algorithm to explain credit decision rationale)​.


Key contacts: Damian Hales and Malhar Vadodaria

1.2. Algorithmic Trading



Why is it important?

Algorithms are increasing in their capability, prevalence and complexity. However, they have the potential for unexpected and unintended results. The risk of algorithms malfunctioning has wide-ranging consequences for all stakeholders involved, which could include the possibility of financial loss, damage to firms’ reputations and severe disruption to financial markets. Regulators are placing greater scrutiny on firms to ensure that the use of algorithms supports appropriate compliance with regulations.

What’s new?

  • Global regulators are continuing to respond to the growing use of algorithms and have started to expand on their expectations in relation to electronic and algorithmic trading controls. There has been a noted increase in focus in Asia-Pacific countries with the Hong Kong Monetary Authority (HKMA) setting out its supervisory expectations for Algorithmic Trading activities in March 2020. The Bank of Japan has also recently conducted a review of Foreign Exchange (FX) trading which examines the role of algorithmic trading in the FX market and analyses its impact on market liquidity. The review calls for continued work in the area to better understand the implications of algorithmic trading for market functioning.
  • The FICC Markets Standards Board (FMSB) published a Spotlight Review entitled Emerging Themes and Challenges in Algorithmic Trading and Machine Learning in April 2020. The review looks at hot topics in Algorithmic Trading in FICC markets with the aim of fostering discussion in relation to future standards work.
  • The FMSB also published a Transparency Draft on Algorithmic Trading in FICC Markets in June 2020 and invited comment on the proposed Statement of Good Practice (SoGP) for FICC market participants who engage in Algorithmic Trading or who operate trading venues that allow Algorithmic Trading.
  • The Markets In Financial Instruments Directive (MiFID) II – Regulatory Technical Standard (RTS) 6 continues to be a key regulation with respect to Algorithmic Trading and it is likely that regulators will place further scrutiny on the quality of firms’ Annual Self-Assessments going forward. The COVID-19 outbreak has resulted in an increase in volatility in financial markets which has tested the effectiveness of some firms’ Algorithmic Trading controls. Real-time monitoring is an example of this where large intra-day price movements resulted in a significant increase in the number of alerts for review.

What should Internal Audit be doing?

Governance and control framework:
  • Review the governance structure to ensure key roles and responsibilities are clearly defined at each level, including Audit and Risk Committees, Algorithm Steering Committee and business level Management.
  • Review how the organisation has interpreted regulations relating to algorithms and evaluate whether there are appropriate policies and procedures in place to meet current and emerging regulatory requirements.
  • Challenge Management on their ability to understand and assess algorithm risks and to map algorithm risks and controls to regulatory requirements.
  • Review the risk control framework and assess the adequacy of policies and procedures relative to testing and deployment, controls, monitoring and training across the business.
  • Assess the performance of the algorithm risk control framework during the recent COVID-19 related market volatility.
Lessons learned
  • Re-evaluate algorithm risk assessments in the light of recent market volatility.
  • Review the design of algorithm controls and re-evaluate their effectiveness in stressed market conditions.
  • Reconsider the appropriateness of controls settings in different market conditions and the parameters that the control can be set to without requiring authorisation.
  • Re-evaluate who should have authority to change the setting of the control.
  • Review the escalation process for changing controls settings.
  • Understand what your organisation is doing to maintain its awareness of regulatory developments that may impact your use of algorithms. Actions taken, e.g. changing alerts parameters, use of ‘kill switch’. Communications with internal stakeholders, clients, and external stakeholders.
Current focus
  • Re-evaluate the appropriateness of assumptions and parameters used in previous testing.
  • Re-design tests of design/operating effectiveness where controls gaps have been identified.
  • Focus reviews on scenarios that are likely to occur in volatile markets.
  • Consider the potential impact of your organisation’s algorithms functioning improperly and revise definitions of ‘worst case’ scenarios.
  • Ensure that all control gaps identified have remedial actions in place, that the actions are appropriate to remediate the issue, and that the timelines for remediation are reasonable.


Key contacts: Mark Cankett and Stephen Farrell

1.3. Tax Strategies and Responsible Tax



Why is it important?

Financial Services firms continue to be at the forefront of a complex and rapidly evolving tax environment. HMRC’s revised Business Risk Review+ (BRR+) approach, which came into force in October 2019, has put a lot more emphasis on tax governance and the use of technology to appropriately manage tax risk. Furthermore, there is increasing pressure from a range of internal and external stakeholders for firms to be more transparent in their tax affairs. This is causing an evolution in the breadth and depth of tax strategy documents that are required to be published online.

As tax governance frameworks evolve, firms are increasingly enhancing their monitoring and testing capability around how their tax control frameworks operate. Internal Audit will have a key role in reviewing the robustness of this testing and also challenging whether firms are in compliance with regulatory requirements (as well as good practice requirements) and that reputational and financial risk is being managed through a robust tax governance framework.

What’s new?

There are a number of recent and upcoming regulatory changes which means that tax should remain a focus area for Internal Audit, for example:

  • HMRC’s new BRR+ approach brings in new expectations for large businesses around tax governance and HMRC have begun to ask more questions about the systems which businesses are using.
  • Corporate Criminal Offence of Facilitating Tax Evasion (CCO) – Whilst the CCO regulations were first published in 2017, the new BRR+ approach questions what reasonable prevention procedures groups have put in place.
  • Directive on Administrative Cooperation (DAC6) – Implementation of the latest EU DAC6 which goes live on 1 January 2021 (delayed from 1 July 2020) has required firms to think about the design of additional processes and governance procedures in order to support this new reporting obligation.
  • IR35 – although the proposed reform to the taxation of personal service companies (PSCs) in the private sector has been deferred from 6 April 2020, our observations regarding the preparations which did take place prior to the deferral identified that in some cases directly engaged individuals (where obligation currently rests with end user clients) were not being reviewed prior to the point of engagement, resulting in unintentional potential exposures accumulating. This should be an area which is tackled now, in addition to the ongoing preparations for IR35 rules changes in April 2021.
  • It’s important to ensure that there is good tax governance in place around new and complex tax areas, some of which have been exacerbated by the impacts of COVID-19. Examples include partial exemption for VAT, displaced and/or remote workers in an Employment Tax context, and Permanent Establishment/Transfer Pricing risks on the direct tax side.

What should Internal Audit be doing?

Governance and control framework:
  • Review the governance structure to ensure key roles and responsibilities are clearly defined at each level, including Audit and Risk Committees, Algorithm Steering Committee and business level Management.
  • Review how the organisation has interpreted regulations relating to algorithms and evaluate whether there are appropriate policies and procedures in place to meet current and emerging regulatory requirements.
  • Challenge Management on their ability to understand and assess algorithm risks and to map algorithm risks and controls to regulatory requirements.
  • Review the risk control framework and assess the adequacy of policies and procedures relative to testing and deployment, controls, monitoring and training across the business.
  • Assess the performance of the algorithm risk control framework during the recent COVID-19 related market volatility.
Lessons learned
  • Re-evaluate algorithm risk assessments in the light of recent market volatility.
  • Review the design of algorithm controls and re-evaluate their effectiveness in stressed market conditions.
  • Reconsider the appropriateness of controls settings in different market conditions and the parameters that the control can be set to without requiring authorisation.
  • Re-evaluate who should have authority to change the setting of the control.
  • Review the escalation process for changing controls settings.
  • Understand what your organisation is doing to maintain its awareness of regulatory developments that may impact your use of algorithms. Actions taken, e.g. changing alerts parameters, use of ‘kill switch’. Communications with internal stakeholders, clients, and external stakeholders.
Current focus
  • Re-evaluate the appropriateness of assumptions and parameters used in previous testing.
  • Re-design tests of design/operating effectiveness where controls gaps have been identified.
  • Focus reviews on scenarios that are likely to occur in volatile markets.
  • Consider the potential impact of your organisation’s algorithms functioning improperly and revise definitions of ‘worst case’ scenarios.
  • Ensure that all control gaps identified have remedial actions in place, that the actions are appropriate to remediate the issue, and that the timelines for remediation are reasonable.


Key contacts: Mark Kennedy and James Paul

1.4. Tax Compliance – FATCA, CRS and DAC6



Why is it important?

The Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS) regimes are fully implemented in the UK (and in many other jurisdictions) with reporting moving into its fifth year. Previously, tax authorities have focused on implementation activities and have to some extent accepted ‘best endeavours’ compliance. In 2019 authorities have visibly begun to shift their attention to the adequacy of compliance and monitoring activities – with a special focus on documentation of processes. Despite the impact of COVID-19, we expect enquiries to increase in late 2020 and 2021, driven by the publication of the Economic Co-operation and Development's (OECD) Compliance Handbook and the inclusion of CRS compliance as one of the ‘hallmarks’ under the updated EU Directive on Administrative Cooperation (DAC6). If firms are not able to clearly evidence their procedures and effective governance regarding these regimes they run the risk of suffering penalties and reputational damage.

What’s new?

  • The OECD is expected to publish its FATCA and CRS Compliance Handbook, putting pressure on authorities to either begin or reinforce their review and enforcement actions.
  • Following scrutiny of annual returns, FATCA and CRS audits and enquiries are being launched. For instance:
    - UK, Jersey, France and Luxembourg, amongst others, increasing activities in raising enquiries. 
    - Australia and New Zealand issue questionnaires based on the Compliance Handbook.
    - Cayman Islands introduces a new CRS reporting obligation.
  • DAC6 reporting on CRS hallmarks went live in mid-2020, with retrospective reporting looking back to 2018 and a monthly deadline for new reporting.
  • This DAC6 reporting is subject to a six-month delay in many jurisdictions as a result of COVID-19.

What should Internal Audit be doing?

Area of Focus

Reporting requirements
Description

During the implementation of FATCA and CRS reporting, businesses often followed a tactical approach to reporting. With tax authorities now continuing to demand accuracy in compliance despite the current environment, Internal Audit should consider the assurance in place over the data collation processes in place to support reporting, additional requirements regarding non-reportable accounts and DAC6 reporting requirements. 
Policies and procedures compliance Tax authorities will expect to be able to readily obtain sight of documented policy and procedures. Internal Audit should assess the clarity and robustness of the documentation in place to support compliance with FATCA and CRS requirements. 
Governance Review whether senior roles are appropriately assigned and documented in a governance framework for reporting requirements. Assess if firms have planned the integration of FATCA and CRS compliance risks into their overarching governance frameworks.
Ongoing monitoring due diligence FATCA and CRS require ongoing monitoring of changes in circumstance. This is a particular area of interest to tax authorities. Internal Audit should consider the robustness of processes and controls in place to identify reportable changes. 


Key contacts: Owen Gibbs and Mark Schofield

1.5. Financial Crime



Why is it important?

In the 2020-21 Business Plan, the FCA re-states that it will pursue its main priorities of combating financial crime and improving anti-money laundering practices, in particular by enhancing the use of technology and data, as well as engaging with multiple agencies and Government bodies. On 10 January 2020, changes to the Government's Money Laundering Regulations came into force which transposed the European Union’s (EU) 5th Money Laundering Directive (5MLD) into the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR19). The new regulations impose changes to the way regulated Financial Services Industry (FSI) firms operate and, most importantly expand the range of sectors being regulated. The impact of COVID-19 has also been felt with rises in fraud incidents, which are being closely monitored by the FCA in its remit to protect consumers in the financial services sector. 

What’s new?

  • The FCA has recognised that COVID-19 has created a fast-evolving environment in which targeted supervision of ongoing and emerging risks needs to be carried out quickly. For this reason the FCA’s activities are going to be even more reliant on an intelligence-led approach to detection.​
  • The UK Sanctions and Anti-Money Laundering Act of 2018 has now (July 2020) resulted in a new UK Sanctions list targeting those involved in serious human rights abuses and violations. The list consists of 47 nationals and two organisations from Russia, Saudi Arabia, Myanmar, and North Korea, who will be prevented from entering the country, channelling money through UK banks, or profiting from the UK economy.​
  • Given the advanced use of technologies and data intelligence in recent years, digital money in the form of cryptocurrencies and virtual assets can frequently be used by money mules or criminals and is therefore seen as a threat. Regulators in Asia-Pacific (“APAC”) have already taken proactive steps in virtual asset regulation. In addition, in the UK the FCA has now taken over supervision of cryptocurrency platforms and wallet providers now regulated under the MLR19. ​
  • Further to the changes made in MLR19, firms must consider new additional high-risk factors when assessing their clients for enhanced due diligence. These may include, but are not limited to, transactions made in high risk countries, where a customer is a beneficiary of a life insurance policy, transactions related to the oil, arms, precious metals sector, art and antiquities.​
  • Firms are now required to enhance their records of corporate client beneficial owners. In the event that knowledge of relevant individuals cannot be obtained, firms are obliged to provide a full record of the difficulties encountered in identifying beneficial owners.​
  • MLR19 provides guidance on Customer Due Diligence (CDD) requirements for cryptocurrency clients; it also clarifies when it is acceptable to forego CDD for e-money clients, thus offering increased regulatory coverage to the broader financial sector. ​
  • The FCA has indicated that regulatory action will become more focused on smaller firms. As part of this strategy the FCA has signalled that it will move more swiftly to enforcement action towards those who fail to meet required standards.

What should Internal Audit be doing?

Area of Focus

Financial crime risk assessment
Description

Internal Audit can support “integrated” financial crime risk management by conducting audit reviews across financial crime domains including assessing whether:​
  • There is effective integration of all financial crime domains including fraud and tax evasion.​
  • There are integrated systems that allow data analysis of customer types and transactional activities across business lines. ​
  • The financial crime risk management framework has been suitably tailored to the firm.
Robust approach to enterprise-wide risk assessments ​ Internal Audit should review the design appropriateness and effectiveness of risk assessments, including determining whether they are comprehensive, whilst remaining proportionate to the nature, scale and complexity of business activities. They should support a robust understanding of the financial crime risks faced and subsequent tailoring of the control framework. ​
Impactful audit insights​ through analytics Internal Audit should adopt various data analytics models and work together with data science and analytics professionals to improve audit processes, reporting and service delivery.​ Internal Audit insights should be monitored and tracked to ensure these are remediated in a timely manner.​
Compliant control environment in the context of COVID-19​ Internal Audit should work to ensure that operational challenges presented by COVID-19 have not adversely affected the quality of financial crime systems and controls.​

Areas affected by increases in the incidence of fraud should be enhanced with new controls, and new operational challenges resolved with alternative processes and means of obtaining information. ​


Key contacts: Katie Jackson and Zeynep Ersoz

1.6. IBOR Reform



Why is it important?

The Financial Conduct Authority (FCA) has remained consistent with its message that firms cannot rely on LIBOR – dubbed the ‘world’s most important number’ – being published after 2021. It is difficult to understate how widespread references to LIBOR are across products and functions for financial services firms and corporates, and transitioning away to alternative rates is a significant industry challenge. Whilst some would note that firms should be starting to move into the home stretch of transition – offering new products to clients, amending existing contracts to alternative Risk-Free-Rates (RFRs) and updating systems and processes to enable non-LIBOR business, there remains a significant amount of activity for the industry to deliver in a limited time. 

What’s new?

  • Timeframes: The UK’s RFRWG has moved several of their interim target dates for loan contracts. Market participants are expected to be able to offer non-LIBOR loan products by October 2020 and to cease issuing LIBOR loans that mature after 2021 and also accelerate transition of legacy contracts in Q1 2021. The FCA has suggested that announcements on the end dates for at least some of the LIBOR currency/tenor combinations (LIBOR is currently published daily for five currencies across seven tenors or time periods, such as overnight, one week or three months) may be announced before the end of this year – such an announcement would fix the credit spread adjustment for derivatives under ISDA Definitions. In the US, the Alternative Reference Rates Committee (ARRC) has released a ‘Best Practices’ document, laying out USD LIBOR transition timelines.
  • Operations and Technology: Clearing Houses in July 2020 switched euro-denominated swaps from EONIA (European Overnight Index Average) to the €STR for discounting and Price Alignment Interest purposes – USD contracts will move from Fed Funds to SOFR in October 2020. The ARRC has released a transition aid for internal systems and processes, laying out suggested activities for functions to consider as well as possible downstream impact and dependencies. 
  • Contract Transition: Tough Legacy – some contracts cannot practically be transitioned to alternative rates (for example bonds where 100% of noteholder consent is required to amend the language). In the EU, US and UK legislative solutions have been proposed to deal with tough legacy contracts – but none of these have yet been passed into law. Hong Kong’s HKMA has announced key milestones for transition – alternative rates should be offered from January 2021 and new LIBOR products maturing after 2021 should cease from the end of June 2021. In Singapore, the SC-STS (Steering Committee for SOR Transition to SORA) and other institutions have released a report on the future of SGD benchmarks, recommending SIBOR is discontinued to focus liquidity in SORA (the Singapore Overnight Rate Average), the recommended replacement for SOR (Singapore Swap Offer Rate), which uses USD LIBOR as an input. ISDA is expected to imminently publish updated 2006 Definitions – providing fallbacks for new derivative contracts – and is releasing a corresponding Protocol which will allow adhering parties to include fallback language in existing contracts.​

What should Internal Audit be doing?

  • Programme flexibility: The impact of the current environment has led to a shift in target milestones set by regulatory convened working groups. Furthermore, as LIBOR transition has developed, the transition of other IBORs has also gathered pace (e.g. transition of the SOR and HIBOR (Hong Kong Interbank Offered Rate) benchmarks. With moving milestones for LIBOR transition and a gathering of pace in the reform of other similar benchmarks, transition programmes will not only need to keep abreast of changes, but will also need to be flexible enough to respond and adapt to scope and remit changes accordingly. Internal Audit should be able to assess the extent to which a programme keeps track of changes to milestones and regulatory expectations, and how the impact of the reform of other benchmarks is being considered.
  • Conduct risk and mitigation efforts: Managing conduct risks over the transition is also a topic which has been previously raised as a significant area of focus and will continue to be as RFR market liquidity develops further, and contracts start to transition away from LIBOR. Institutions will need to be able to demonstrate that conduct concerns have been adequately assessed and mitigation measures taken – failure to do so could lead to reputational, legal and financial costs – especially as due warning has been provided. Internal Audit should be able to validate and assess risk management measures taken by their firm in respect of conduct risk management. ​
  • Legacy transition: The contractual transition of legacy contracts away from LIBOR and on to RFRs may prove to be a significant undertaking. Aside from conduct concerns noted above, contracts may need to be bilaterally agreed with counterparties. Internal Audit should plan their assurance work in a manner which adapts to Management’s transition style.


Also read our blog about IBOR reform

1.7. Operational Resilience



Why is it important?

The COVID-19 pandemic has, almost overnight, emerged as the single greatest threat for businesses that may impact not just the continuity of services and operations but the survival of the business itself. Operational resilience plans had to be invoked and crisis management teams had to be quickly deployed. Response teams dealt with unprecedented business disruption, supply chain dependency issues, physical and people access restrictions, as well as infrastructure capacity challenges. It is recognised that most parts of the financial services sector have handled the first stage of the pandemic response remarkably well, moving relatively quickly to digital-only services and with limited disruption to their core services in most instances; however, this is not a time for complacency and organisations should remain alert to the evolving operational resilience risks.

Internal Audit, as the third line of defence, is uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and with a highly relevant skill-set. Functions will need to provide assurance on the resilience practices followed by organisations both on a real-time basis, as the crisis unfolds, as well as later on with the benefit of looking back and leveraging lessons learned. At the same time, Internal Audit needs to advise on the shifting risk profile of the organisation and the state of the control environment, whilst helping to anticipate regulatory requirements or emerging risks. It is important now more than ever that audit professionals are proactive and well-prepared as the situation continues to evolve, while remaining pragmatic and empathetic with stakeholders. 

What’s new?

  • Building the operational resilience of firms and Financial Market Infrastructures (FMIs) is now more than ever a key shared priority for Bank of England (BoE), the Prudential Regulation Authority (PRA) and the FCA.
  • Regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the Board and SMF24) and the quality of their crisis communications. 
  • The three supervisory authorities published a shared policy summary and coordinated consultation papers (CP29/19) on new requirements to strengthen operational resilience in the financial services sector. 
  • We believe that in the longer term the COVID-19 experience will validate this proposed UK regulatory approach that focuses on strengthening the resilience of important business services in the face of a wide range of severe but plausible scenarios.
  • The CP principles establish the draft rules that firms will be required to follow, placing particular focus on impact tolerances and the need for regular self-assessments.
  • They build on the concepts set out in the operational resilience Discussion Paper published in 2018, and addresses many of the proposed policy changes based on the responses received. 
  • The PRA has asked Internal Audit functions across a number of firms to undertake an operational resilience audit, against the principles in the consultation paper.

What should Internal Audit be doing?

First phase: Respond

  • Validating and challenging key management information (MI) used by Management to make decisions on mission-critical activity.
  • Challenging Management’s forecasts of business impact (some of these may directly impact financial reporting, e.g. going concern). 
  • Challenging Management’s assessment, monitoring and contingency plans of key outsource service providers.

Second phase: Recover

  • Challenging and benchmarking Management’s scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient based on a clear action plan. It is important to focus on a planning-driven approach based on the scenarios that the business is likely to face over a prolonged period (including the ‘worst case’).
  • Assess whether the resilience achieved to date was by design, and if not, what lessons should be drawn for the future. Try to assess Management’s ‘crunch points’ in the ability to deliver services against planning assumptions.
  • Validate the modifications needed to operational capabilities to maintain safety, flexibility and improve resilience, and how those modifications can be implemented quickly with the right resources and outcomes. The adaptability and alternative delivery of important business services has been a critical part of this.
  • Understand Management’s strategy to return to ‘business as usual’ after the crisis and move from ‘respond’ to ‘recover’ and then to ‘thrive’; asses how it can turn the crisis into an opportunity to emerge stronger.
  • Review how the business has interpreted the regulation and taken actions in response to this whilst also leveraging industry response and lessons learned from COVID-19.


Also read our blog about Operational Resilience

Did you find this useful?