Regulatory

Financial crime continues to be an area of regulatory focus. In previous years, insight papers have highlighted how regulated firms still struggle with key areas of the risk-based approach such as governance, customer risk assessment, customer due diligence, and monitoring. Recent Financial Conduct Authority (FCA) publications have placed a specific onus on regulated firms to address failures proactively and be able to demonstrate how they have successfully implemented change. This year’s FCA Business Plan suggests that the FCA intends to be a more assertive regulator, promising to use its enforcement and intervention powers more proactively, continuing on the path started in 2021 with the criminal prosecution of a large bank for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) failings.

The conflict in Ukraine has placed a renewed emphasis on Sanctions compliance. Firms now face a strong increase in the number of Special Designated Nationals and Blocked Persons, compounded by new penalties applied for breaches. The FCA has also confirmed that it expects the rise of fraud incidences observed under the COVID-19 pandemic to abate slowly, as tools put in place to control its spread begin to take effect.

• Key areas of the risk-based approach to AML / CTF, long identified as being weak, are still found to be requiring improvement, particularly among smaller firms.
• The FCA’s continued monitoring of the application of UK AML / CTF regulations has resulted in two ‘Dear CEO’ letters, addressed to operators within the retail banking and trade finance businesses: The first highlighted ongoing weaknesses in governance and oversight, enterprise-wide risk assessments (EWRA), customer risk assessments (CRA), customer and enhanced due diligence (CDD / EDD), and transaction monitoring (TM). The second letter highlighted issues with EWRAs, as well as counterparty analysis, and transaction approval and payments.
• More recently (April 2022), the FCA has published an AML / CTF review of UK Challenger Banks, who are typically more reliant on smarter technology and IT systems for client onboarding and risk management. This report highlighted findings around CRA, CDD / EDD, Suspicious Activity Report (SAR) submissions and TM alert management. The report also identified issues with the appropriate implementation of financial crime change programmes and Challenger Banks failing to notify the FCA about any control failures as required under a Principle 11 notification.
• Since March 2022, the US, UK, and the EU, have expanded Sanctions on an unprecedented scale and scope as a result of the Russian invasion of Ukraine. These measures have had a significant impact on companies’ Sanctions risk management frameworks, compounded by the introduction of a ‘strict liability civil offence’ for Sanctions breaches under the Economic Crime Act 2022. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.
• The FCA’s 2022/23 Business Plan has highlighted that financial crime reduction will be achieved through an increase in authorisation rejections on the basis of non-compliance with Money Laundering Regulations (MLRs) or for financial crime reasons. This forms part of a wider focus on reducing the impact of fraud on society, which the FCA will achieve through improved supervision and proactive assessments of firms’ anti-fraud systems and controls.
• The FCA has also flagged that its efforts into supervising crypto assets firms’ compliance with the MLRs will be ongoing, and sanctions imposed swiftly, where firms are found to be posing harm to consumers or market integrity.

According to the Association of Certified Fraud Examiners (ACFE’s) 2022 report on occupational fraud, remote working was the factor most commonly cited as a significant contributor to fraud. Another emerging cause of fraud risk in 2022 has been the conflict in Ukraine which has exacerbated already fragile supply chains and rising commodity costs including crude oil, metals and grain, contributing to historic levels of inflation and rapid interest rates. The strain on organisations leaves them not only susceptible to internal management fraud but to external threats including via cyber attacks. As fraud prevalence continues to remain on the public agenda, regulatory initiatives have been introduced, aiming to help auditors and organisations tackle the threat and restore confidence in the markets. For regulated financial firms, this includes the Financial Conduct Authority (FCA’s) three-year Business Plan which has set out a commitment to “reduce and prevent serious harm” as a result of fraud.

• Russia and Ukraine Conflict: For those organisations with direct exposure to Russia, exiting a formerly important market to comply with Sanctions may lead to substantial losses. Geopolitical uncertainty has also been a driver in the stock market sell-off that has resulted in significant recent falls in some indices. In trying to smooth over the adverse impact of Sanctions or appease shareholder expectations, firms might be incentivised to “improve” results therefore creating the risk of financial statements fraud.
• Cost of Living: High energy and commodity costs have added to the ongoing supply chain crisis, a convergence that has contributed to increasing levels of inflation. Reduced consumer spending will result in many businesses experiencing cash shortfalls. Inflation also diminishes corporate profits as the value of money decreases. Such factors heighten the risk of fraud through the fabrication of revenues, questionable forecasting, as well as insider fraud by employees whose salaries will not match the high inflation and increasing living costs.
• ISA 240 Revision: Effective December 2021, the Financial Reporting Council (FRC) issued its revised ISA 240. The updated standard seeks to clarify the external auditor’s role and objectives in identifying fraud with a focus on enhanced professional skepticism. Enhancements include more detail regarding the identification and assessment of risk, while also addressing the inherent challenges audits face particularly where management are colluding in fraud. An example includes the need for whistleblowing policies to enable employees to disclose concerns about actual or suspected fraud.
• FCA Business Plan 2022/2023: The FCA published in April 2022 its three-year strategy for 2022-2025 setting out the outcomes for consumers and markets in the UK. Positioning its strategy on three themes or focus areas, one of its commitments is on “reducing and preventing serious harm”. Amongst the outcomes it wants to achieve is in slowing the growth in investment fraud and Authorised Push Payment (APP) fraud cases. It will also deal with problem firms unable to meet its minimum standards, for instance, those with weak controls that are particularly vulnerable to fraudsters.
• Online Safety Bill: Included in the wide-ranging bill are proposals to tackle scams on user-generated platforms such as social media and search engine companies. Example content includes romance scams, fake stock market tips and other fraudulent advertising. Regulatory oversight from Ofcom will include ensuring businesses have systems in place to prevent scams and that financial promotions are only made by FCA authorised firms.

Significant technology, regulatory and infrastructure developments are driving major change, growth and innovation in payments. There is significant regulatory focus across a variety of areas for both incumbents and new providers, where there is significant potential to expand into new markets (for example, payments are being increasingly intermediated by BigTech and other non-traditional parties). Fees are also being reduced through regulation and competition and banks’ historic data advantages are being diminished by Open Banking and the Payment Services Directive 2 (PSD2), with this set to increase with the future introduction of Open Finance. At the same time, growth in the payments industry is increasing at a significant rate and interoperability is increasing through use of common standards which are also delivering richer data. There are also fundamental infrastructure changes occurring, requiring structural changes to the payment ecosystem, and requiring changes to the payment plumbing and data flows for ecosystem participants.

• ISO20022: The ISO20022 messaging standard is replacing the existing SWIFT messaging standard and from November 2022 SWIFT messages will start to be replaced for cross-border payment and reporting messages.
  
  In the UK, this is also impacting CHAPS payments, where the Bank of England is moving to a new Real Time Gross Settlement (RTGS) system utilising ISO20022. Direct participants in CHAPS have been required to start sending messages in the new format from June 2022 and use the full enhanced message set from February 2023. The Bank of England is continually assessing CHAPS participants’ readiness for these key dates.
  
  There will be further impacts for other payment types through the future introduction of the New Payments Architecture (NPA). Other non-UK high value payment schemes will also be migrating and will have their own deadlines for this, e.g. November 2022 for TARGET2 (the RTGS system owned and operated by the Eurosystem) and Euro high value payments. Indirect participants will also be impacted and will need to discuss with their provider as to what steps they must take.
• Strong Customer Authentication / Transaction Risk Analysis: Mandatory annual audit requirements persist around Strong Customer Authentication (SCA), with this now having gone live in the UK from March 2022, bringing e-commerce transactions into scope. All Banks and payment service providers (PSPs) should be utilising SCA for payment transactions. In addition, an increasing number of banks are now adopting Transaction Risk Analysis (TRA) which requires fraud rates to be below a certain level for a bank to exempt the usage of SCA. SCA requirements apply across any channel offering access to ‘payment accounts’ (including cards) across any customer segment (i.e. Retail, Business, Corporate, Private Banking etc.)
  
  The scope of the audit requirement extends across all electronic customer channels, such as internet banking, mobile apps, firm provided software, enterprise software integrations, other software integrations embedded through Application Programming Interfaces (APIs) or other interfaces, and ‘Open Banking’ channels.

The market capitalisation of digital assets has seen substantial growth in recent years and even after the recent tumultuous period it is still highly valued at $993bn*. This market continues to show potential to increase further and reshape activity currently taking place in the traditional financial services sector to meet an array of business and consumer needs. Activity to adopt the widespread use of Cryptocurrency and Digital Assets continues at pace, for example: Security tokens present a $17bn* market capitalisation, Stablecoins are valued at $153bn*, Decentralised Finance (DeFi) is valued at $53bn*, and 17 Central Bank Digital Currencies (CBDC) have been launched as pilots. The digital assets ecosystem is also in a state of major evolution with further institutional interest from major banks and asset managers and several new businesses entering the UK market with Electronic Money Institution (EMI) and Authorised Payments Institution (API) applications to the Financial Conduct Authority (FCA). The issuance of CBDCs and Stablecoins is on the agenda of all major Central Banks including the Bank of England (BoE). As regulations evolve and further licensing requirements come into force, firms will need to assess their business models and strategy to align with their local regulatory perimeter requirements.

* Data obtained from CoinMarketCap. These values are subject to change on a daily basis.

Regulatory Framework Developments:

• Markets in Crypto-Assets (MiCA) is a new framework that is under development by the EU that aims to regulate crypto assets and service providers to enhance financial stability around these products. It is expected that the UK will develop a similar framework going forward. To date the BoE and FCA have issued guidance around digital assets use and several warnings around its volatility.
• Due to the nature of the assets (anonymity), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance controls are critical and which UK businesses must comply with. Most countries have a registry where entities participating in crypto activities must apply to or register. Part of the challenge within the EU is that each Member State has a different system thereby making passporting rights inaccessible for businesses. It is anticipated that MiCA will help solve this.
• To further safeguard consumers, several changes are expected in the regulation of Financial Promotions for UK businesses and how these products can be marketed.

Cryptocurrency / Digital Assets Adoption:

• The UK has announced they want to be the Technological Hub for Digital Assets (April 2022) and have stated their intention to regulate Stablecoins. It is also acknowledged that the framework would have to account for the risk that some Stablecoins pose. As such, HMRC has suggested amending the ‘FMI SAR’ to deal with failed Stablecoins (FMI SAR gives the BoE powers to oversee and direct the actions of a payment firm to ensure that their services continue in the event of a failure.  
• Two US Senators have issued a bill to establish a crypto regulatory framework, setting out that the Commodity Futures Trading Commission (CFTC) would play a primary role in regulating products.

Prudential Regulation Authority (PRA) Dear CEO Letter (March 2022):

• The letter sets out the PRA’s expectations that Banks and designated Investment firms consider the full prudential frameworks when assessing Digital Assets, along with Pillar 1 and Pillar 2 guidance. 
• The PRA proposes that firms should apply a punitive treatment to Digital Assets under the Pillar 1 framework. These firms also need to include their assessment of how crypto risks affect prudential risk categories in their Internal Capital Adequacy Assessment Process (ICAAP). 
• The letter provides a degree of short to medium term regulatory clarity for firms building a Digital Assets Strategy in advance of the finalised BASEL Committee Crypto Prudential Framework. 

Transaction reporting underpins the ability of national competent authorities (e.g., the Financial Conduct Authority (FCA)) to investigate potential instances of market abuse and thus it continues to be important that firms can comply with the obligation to provide transaction reports that are complete, accurate and timely. Firms should regularly reconcile the reports provided to their competent authority with the data in their books and records, along with the data reported to and by their Approved Reporting Mechanism (ARM) to ensure that reporting is complete and accurate. The potential financial and reputational impact on a firm for failings in its transaction reporting could be damaging, with two recent fines in early 2022 amounting to more than £34m and £27m, respectively.

• The Markets in Financial Instruments Regulation (MiFIR) has now been in effect since 2018 but resulted in significant changes on transaction reporting, including expanding the volume of in-scope instruments as well as expanding the number of data fields, to the extent that some firms are still finding it challenging over four years later. 
• The European Securities and Markets Authority (ESMA) issued a statement outlining some planned changes to their validation rules in Q2 2022, and although the FCA is not planning to follow suit there is the possibility that this may change in the future. The FCA regularly provide updates on issues related to transaction reporting via their Market Watch publications, which provides additional information on their concerns in this space and highlights areas upon which  firms should focus.

The UK Government published its highly anticipated consultation on its Review of Solvency II during April 2022. The proposals form part of wider changes proposed by the Government to the UK’s financial services regulatory framework, and broadly aim to achieve two key objectives – 1. free up Insurers’ capital to enable investment in green infrastructure and projects and 2. maintain the UK’s competitiveness by going “further and faster to capitalise on the UK’s Brexit freedoms and level up the country”. The Prudential Regulation Authority (PRA) has also published its own discussion paper (DP2/22 – Potential Reforms to Risk Margin (RM) and Matching Adjustment (MA) within Solvency II) complementing the Government’s proposal. The PRA is seeking the industry’s views around the reform options for RM and in particular, the calibration of the fundamental spread (FS) within the MA. The Government’s proposed reforms aim to unlock significant investment by Insurers into UK infrastructure, venture capital and growth equity, and other long-term productive assets, as well as investment consistent with the Government’s climate change objectives. This is one of the ways the Government is capitalising on its post-Brexit freedom, ensuring that UK regulations are tailored to the needs of the UK economy, rather than the needs of 28 countries across the European Union (EU).

The consultation sets out detail on the proposed reforms, including:

• A substantial reduction in the RM of around 60-70 percent for long-term Life Insurers based on a cost of capital approach;
• A reassessment of the FS used in the calculation of the MA;
• An additional Credit Risk Premium (CRP) to the FS to capture the uncertainty around the expected loss within FS;
• More flexibility to MA eligibility rules for both the asset universe and the liabilities to which an MA can be applied;
• A reduction in the EU-derived regulations which make up the current reporting and administrative burden; and
• The combined impact of the RM and FS reforms has been estimated by the PRA to result in a release of up to 10-15 percent capital currently held by Life Insurers.

The PRA’s Discussion Paper (DP) outlines its assessment of the proposed reforms for RM and the MA and discusses the potential combinations of reforms to the FS and RM in line with statutory objectives. Both the PRA’s DP and the UK Government’s consultation closed for responses on 21 July 2022. While the consultation and DP continue to remain largely silent on the impact of these changes on the Solvency CR to materially change as a result of the FS changes. The PRA has launched a Data Collection Exercise to further explore this. The PRA also hints that a move to a new calculation mechanism may be phased in over a period of time giving firms and the PRA more time to reflect any required changes within the Internal Model.

With such large RM reductions on the horizon, Life Insurers should consider re-evaluating their approach to:

• Product strategy and pricing – certain products may now be more economically viable to write (particularly in conjunction with proposed changes to MA liability eligibility), enabling more favourable pricing for policyholders;
• Deploying the capital released from the RM reductions – the Government is keen that this is used to support further investment in long-term assets and growth in the insurance market, rather than increasing dividends;
• Hedging – driven by the change in the sensitivity of the RM and consequentially the balance sheet to movements in interest rates;
• Reinsurance strategies and risk appetite – demand for longevity risk transfer could reduce or there could be a shift in reinsurance strategies towards the greater use of fully funded reinsurance; and
• Risk mitigation to maintain policyholder protection – there is a need for firms to employ appropriate risk mitigation techniques. This is in line with current practice where firms are required to conform to the Prudent Person Principle (PPP).

The recently published Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) Business Plans for 2022/23 demonstrate that Operational Resilience remains a top UK supervisory priority. By 31 March 2022 firms were expected to identify and map their Important Business Services, set Impact Tolerances, commence scenario stress testing programmes to identify vulnerabilities, produce ‘Self-Assessments’, and ensure appropriate governance arrangements are in place. Whilst the past 12 months have been very demanding, the resilience journey is only just beginning. The three-year ‘transition period’ for the policy runs until 31 March 2025, and the actions that firms take in that time will be critical to their success. Their focus must now shift to addressing the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding Operational Resilience into the whole operating model to withstand severe but plausible disruptions.

The first key regulatory deadline has now passed as of 31 March 2022 - Operational Resilience should remain a key priority and an area of focus for Internal Audit. Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that Important Business Services can operate within their impact tolerance by no later than 31 March 2025.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key focus and challenge for Boards and senior management over the next three years:

• Scenario Stress Testing: Testing is likely to be the key area of Operational Resilience policy expectations which continue to evolve throughout the period up to 31 March 2025, as firms gain experience in the stress testing necessary, and the Regulators assess and feedback on the approaches being followed.
• Third Party Risk Management: Third party dependencies pose a significant threat to a firm’s operational resilience. Visibility, oversight, and assurance is imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for their Operational Resilience and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially when the service being provided is critical in providing a firm’s Important Business Service.
• Transition to Business As Usual (BAU): As firms look to build longevity in their Operational Resilience framework and transversal capabilities, embedding Operational Resilience across the organisation will transform meeting the 2025 policy requirements and expectations into sustainable BAU activity.

Where smaller businesses are not required to currently comply with Operational Resilience-related regulatory requirements, some businesses are challenging themselves on how Operational Resilience is achieved through existing controls in place, with proportionate enhancements taking place to identify important business services and map this to resources in place, e.g. technology, data, people, processes, suppliers and facilities.

Artificial Intelligence (AI) is becoming increasingly common in business processes throughout the Financial Services (FS) sector. FS firms deploy AI across multiple service lines and are now harnessing its power in areas such as compliance, fraud detection, resume screening, credit scoring, product pricing and product recommendations, to name a few. Despite its growing use, we have seen that senior management is often unaware of exactly where and how and also the nature and extent of the risks faced by their organisation in relation to the use of AI. Moreover, Regulators are becoming increasingly active in their efforts to protect consumers from algorithmic harms such as bias that leads to discriminatory or unfair outcomes, outputs that mislead consumers or distort competition, and the collection of personal data that infringes on privacy rights. Thus, the growing use of AI systems in the FS sector requires an increased awareness of the risks inherent in those systems and an improved ability to manage those risks. This requires formalising an AI risk management framework and ensuring that teams in the Second and Third Lines of Defence have the required skills, knowledge and experience to be able to independently assess and provide assurance over the effectiveness of the AI control framework.

• The UK Government published its ten-year strategy on AI during September 2021. The strategy has three main pillars:
1. Investing in and planning for the long-term needs of the UK’s AI ecosystem.
2. Supporting diffusion of AI throughout the UK economy.
3. Ensuring that the UK adopts an appropriate approach to the regulatory and governance framework for AI.
• On 8 December 2022, the Centre for Data Ethics and Innovation (CDEI) published its roadmap to an effective AI assurance ecosystem outlining their vision for AI assurance. The CDEI will publish an AI assurance guide to accompany the roadmap which will focus in more detail on the delivery of AI assurance and support practitioners using or providing AI assurance services. The CDEI will also partner with professional bodies and Regulators to set out requirements for AI systems and establish an AI Standards Hub, focused on global digital technical standards.
• The development of AI assurance is further supported by the Information Commissioner’s Office (ICO). The ICO is developing an AI Auditing Framework (AIAF) which is intended to help AI assurance practitioners with tools and procedures for their assurance work. They are also planning to issue guidance on AI and data protection to assist organisations with their understanding of AI.
• The ICO, the Financial Conduct Authority (FCA), the Competition and Market Authority (CMA) and the Office of Communications (Ofcom) have joined forces in the Digital Regulation Cooperation Forum (DRCF) to address concerns about a lack of consistency and the overlapping nature of regulatory mandates and to promote dialogue on the types and sources of algorithmic harms, provide policy recommendations for AI systems auditing and assurance, and coordinate the supervision of AI systems.
• In October 2020, the Bank of England and the FCA launched the AI Public Private Forum (AIPPF) to facilitate dialogue between the public and private sectors to understand better the use and impact of AI in FS and on 17 February 2022, the AIPPF’s final report was published, focusing on the role of data, model risk and governance in the adoption and use of AI in FS.