The COVID-19 pandemic is a global stress event that is testing all businesses' financial, operational and commercial resilience. Against this backdrop, the financial services sector is having to adapt rapidly and at scale to current constraints and market conditions.
To date, firms have understandably prioritised immediate financial and operational measures such as protecting liquidity and cash flows, and ensuring that they are able to keep core business activities going.
Recognising the strain on resources faced by firms, financial regulators have taken steps to alleviate the pressure, postponing high impact activities such as stress tests, reducing capital buffers, pushing out implementation dates and delaying non-critical supervisory reviews where possible.
As the situation evolves, we expect to see a shift in focus and a re-prioritisation of operational and conduct risks as firms come to terms with managing dispersed workforces.
Over the coming weeks, these will become more apparent and we will look to provide comment and insight as to how the sector is responding to emerging threats such as fraud, data security, Anti-Money Laundering (AML) and Customer Due Diligence (CDD).
The financial services industry is at risk from heightened levels of fraud, including cyber fraud, as criminals attempt to exploit the COVID-19 pandemic.
Following recent announcements of emergency measures, there are likely to be significant numbers of applications from both individuals and businesses to access support schemes. Claims may be made fraudulently, but processed rapidly, with less stringent controls than usual (see also AML and CDD below). If approved, funds may be transferred rapidly and, with the whole system under stress, recovering funds lost to fraud may be a relatively low priority.
The National Crime Agency (NCA) has issued an update on scams related to COVID-19. In particular it expects to see an increase in authorised push payment (APP) fraud, sometimes referred to as bank transfer fraud. In 2019, a total of £456 million was lost to APP fraud, split between personal (£317 million) and business (£139 million) accounts.
UK Finance has called for cross-sector co-operation to fight the rise in APP fraud, and banks and payment providers will need to be alert to the reputational risks of their brands being compromised by association with this type of activity.
The FCA has issued guidance for consumers on COVID-19 related scams, noting that scams may take many forms (they could relate to insurance policies, pension transfers, or high-return investment opportunities, including investments in crypto assets) and that scammers are sophisticated, opportunistic, persistent and very likely to target the vulnerable.
The risk of internal fraud will potentially increase due to remote working and associated reduced oversight and challenge.
Cyber-attacks have surged, ranging from phishing attempts that play on people's concerns and desire for information, to more sophisticated attacks on networks and information flows. Cyber security experts and voluntary groups such as the COVID-19 CTI League are mobilising globally to provide threat intelligence and combat these attacks. More than ever, firms will need to shore up their cyber defences and educate employees, at all levels, about the emerging risks.
Data and security
As remote working becomes the norm, extra consideration is required around how data is accessed and around data security profiles. Alongside the cyber security issues referenced above, employees are now potentially working with sensitive data in less secure home-based environments. The balance between locking data down securely behind a corporate firewall and making it more open and readily accessible to employees and business partners is having to shift to support new ways of working and keep existing business processes and operations moving.
We have already seen examples of firms which did not have significant remote working capabilities having to invest quickly in acquiring and implementing technology. Inevitably such rapid roll-outs are likely to be less robust than infrastructure changes planned and tested over a longer period. Regulations such as GDPR still apply, so Risk and Compliance heads will need to re-evaluate the associated risks accordingly and potentially deploy alternative mitigation measures.
AML and CDD
There may be new challenges for firms in running AML and CDD activities remotely or on site but with drastically downsized teams due to social distancing measures.
Usual checks and balances may not be operating as they should for a number of reasons:
- Controls may be weakened by disjointed processes and remote handovers.
- Where sign-offs are required, there may be delays due to technological constraints or availability of authorisers.
- With call centres overwhelmed and funding often required at speed, firms are having to work through rapidly changing guidance for support packages such as those for SMEs and large businesses. Under these conditions it may not be practicable to run the same checks as in business-as-usual (BAU) conditions.
The UK regulators have not made any concessions to AML or CDD requirements, so firms will need to ensure that they still maintain robust processes around these activities.
Market integrity and market abuse
Volatility means that surveillance teams are already overloaded with alerts but are being asked to enhance surveillance and consider new scenarios.
The FCA has issued guidance to firms and employees carrying out market trading and reporting either from alternative sites or from home, encouraging them to consider the broader control environment and take appropriate measures. Already a number of trading firms have had to move rapidly to newer web-based communication platforms to ensure the front office trading capability can continue to communicate in volatile markets. The ability to record and monitor employee electronic audio communications will need to play catch-up with the increased volume of electronic communication data.
The regulator is making some temporary concessions to business as usual requirements (for example, recording of calls and submission of regulatory data). However, it has stated clearly that “firms should continue to take all steps to prevent market abuse risks”. It also refers to the possibility of enhanced monitoring and retrospective reviews once the current situation is resolved.
People and behaviour
The current situation raises a number of issues around behaviour, for firms and their customers.
- For employees, the balance of trust and expectation may suddenly have shifted. Some will relish the prospect of being more independent, others may feel lost and struggle to engage remotely with the tasks in hand. Firms will need to consider the best way to support the mental well-being and connectedness of their workforce.
- Managers, too, will need to adapt - efficiencies may be lost, at least in the short term, and new chains of command will need to be established. Those firms with an established model for home working will likely adapt better to the transition, whereas firms or functions which previously followed a more autocratic, sign-off driven model may struggle more. However, one should not underestimate the impact of sudden and complete remote working on the day-to-day operations of even the most forward-thinking firms.
- Both individuals and firms may now be under significant new financial pressures, which may translate to uncharacteristic behaviours and, in the most extreme cases, enhanced risk-taking or internal fraud (see above).
- Customer behaviour will naturally impact firms' business and planning. COVID-19 may provoke stress responses that will add to the challenges that firms face in managing their operations and delivering good customer outcomes.
An unexpected outcome of the COVID-19 situation may be a temporary relaxation of the regulators' focus on promoting competition. This may also apply outside financial services as the government and regulators encourage firms and industry bodies to collaborate in order to facilitate effective crisis-management.
It is uncertain how long the current situation will last, but we may be in this for the long haul and the impacts may be enduring, so firms will require long-term adjustments to working practices and culture.
Whilst there will undoubtedly be further regulatory guidance in many areas, firms will need to be proactive in assessing and addressing the new emerging risks and the changing priorities.