2020 was a banner year for disruption to all industries. From the lasting economic impacts caused by the Covid-19 pandemic, to continued regulatory change, 2021 will see Crown Dependencies (“CDs”) financial services businesses having to navigate and mitigate a number of new and emerging risks.
This risk mitigation will require continued focus, as financial services businesses simultaneously adapt to changing client demands; adopt long-term remote working practices for staff; accelerate digital technologies; and expand the management of ESG and climate-related financial and non-financial challenges.
Below are the top regulatory challenges (in no particular order) that we see facing CD financial services businesses in 2021, along with our suggestions to help answer the question: “What steps can I take now to prepare for these challenges?”
Key regulatory challenges for financial services in 2021:
Volatility will expand through 2021, forcing financial services businesses to demonstrate continued agility through change management. We saw businesses quickly and effectively move to remote working during 2020.
Ensure your governance and management routines demonstrate your capacity to identify, manage and mitigate risk. This includes documenting your change management practices in order to satisfy regulators amidst continued and more permanent remote working, embracing more flexible operating models, continuing consolidation, and the use of expanded digital platforms.
Key steps to effectively integrate organisational change include:
1. Identify change drivers: Conduct horizon scanning to monitor change drivers (e.g. new acquisitions, products, delivery channels and regulatory obligations). Identify and link these changes to your existing lines of business, products and risk data.
2. Assess impacts: Assess the impacts of new or changed regulatory obligations; determine gaps in coverage or consistency and opportunities for convergence; analyse the downstream effects to your people, processes, and technology.
3. Design strategy: Identify short-term and long-term goals; develop processes to effectively embed change, including training and communication plans for impacted stakeholders; design dashboard reporting and management protocols.
4. Implement changes: Update and enhance policies and procedures, map templates, process flows, risk control self-assessment and testing programs; enhance existing technology infrastructure; and communicate key changes to your staff and stakeholders.
5. Continuous monitoring and improvement: Review monitoring and testing procedures; review KPI/KRI data and assess complaint data; determine enhancement opportunities; review your remediation approach for identified issues; and continue to streamline and simplify your business operations.
As regulators refine their risk-based approach to supervision, the quantity and quality of information that they require regulated businesses to provide will continue to increase.
Any transformative technology has risks as well as benefits; using technology to mitigate the costs of operating in the CDs and to reduce operational risk is no different. Financial services businesses will need to ensure that they have sufficient understanding of their system capabilities and controls.
Consolidation of businesses continues in all three of the CDs; consolidators should be ready for the challenges that post-acquisition integration poses.
Key technology actions to consider:
1. As regulators’ requirements for data evolve, focus on your system’s ability to meet these requirements accurately and efficiently, and consider such requirements in any new system developments.
2. Define the areas of your business impacted by your respective IT systems and determine the risks that this may pose.
3. Develop a roadmap and strategy to measure and assess your control environment for technology systems.
4. Assess exposure to integration risks and define your strategic goals to mitigate them, for example the use of parallel systems until full integration is complete.
5. Integrate technology risk management within your broader risk strategy.
In 2021, risk management foundation and culture will be tested. An effective three lines of defence model will be fundamental to regulatory supervision and enforcement. Be prepared for critical assessment of the adequacy of your enterprise-wide risk management frameworks.
Key risk management actions to consider:
1. Evaluate existing core risk management activities, framework, and coverage for effectiveness.
2. Carry out post-project reviews to ensure regulatory obligations are met or exceeded.
3. Evaluate existing risk frameworks for scalability to support firm strategy and growth objectives.
4. Review recent changes to business operating models to ensure new or elevated risks are adequately accounted for in risk assessments.
5. Evaluate your existing internal control environment scope, coverage and responsibilities; strengthen any identified gaps or potential exposures and escalate any significant issues.
6. Review and cleanse existing data; assess the quality of that data to support data-driven assessments.
7. Support your enterprise and operational risk priorities through the use of technology, data and skilled technology risk professionals.
Financial services businesses using digital platforms need to continuously demonstrate resilience and control effectiveness against expanded cyber and vulnerability threats. Be prepared for more focus on the protection of proprietary data, customer data, core processes, and exposure from third parties.
Key risk management actions to consider in order to maintain stability and respond to regulatory pressures:
1. Embed operational resilience as a key criterion across all management decisions and business activities.
2. For critical business services, in addition to scenario execution and impact tolerances, consider assessing business-as-usual service resilience and service level assessments of all threat vectors.
3. Adopt the NIST (National Institute of Standards and Technology) cybersecurity framework to enable you to assess and improve your ability to prevent, detect, and respond to cyber-attacks.
4. Consider assessing cyber and enterprise risks quantitatively based on frequency and loss magnitude using the FAIR (Factor Analysis of Information Risk) methodology.
5. Risk assess and then revisit thresholds and permissions (high risk to low) to ensure appropriate thresholds have been set.
Compliance risk remains an area of key focus in 2021. The challenges of increased local and extra-territorial regulation, coupled with limited resource, continue to place growing pressure on compliance functions within financial services businesses. Leaders of regulated businesses face a mandate that increasingly includes culture, conduct and data privacy, as well as the existing focus on financial crime.
Key compliance risk actions to consider:
1. Increase the frequency at which you refresh risk assessments in order to account for the new environment.
2. Increase the frequency at which you refresh and validate risk and compliance core data.
3. Strengthen the integration of compliance within the business, taking advantage of opportunities to embed compliance resources and new functionalities alongside large operational shifts.
4. Maintain consistent horizon scanning for changes in regulations which may impact your business, including both local and international regulation.
5. Consider evolving consumer and investor standards when managing regulatory risks and client expectations.
Regulators will focus on areas of expanded risk in the current economic cycle, including fraud, insider threat and conflicts of interest. Be prepared with expanded data analytics and improved communication, reporting and collaboration across functional groups to help in the prevention and detection of potential misconduct. Develop cohesive connections between fraud, cybersecurity and financial crime teams within all three lines of defence.
Key fraud actions to consider:
1. Strengthen fraud and employee misconduct controls, including digital surveillance, and fraud prevention programs that address ongoing remote working conditions and staff constraints.
2. Align preventive, detective, and reactive capabilities with the risk profile of your business and clients.
3. Revisit target operating models and responsibilities to remove internal friction and duplication of effort between first and second line operations.
4. Operationalise fraud processes and technology through integration of advanced technology tools, including enhanced analytics capabilities.
5. Respond to rapid changes in threats with automation and new capabilities; integrate ethics and compliance efforts for scalability and continued sustainability.
6. Improve communication, reporting and collaboration across functional groups responsible for preventing, detecting, investigating and reporting potential fraud.
7. Aggregate risks and losses across all business lines and develop appropriate metrics to monitor changes.
Financial crime remains a key focus area for regulators in the CDs in 2021. Criminals will take every opportunity to exploit a company’s weaknesses, and the pandemic has provided an ideal opportunity for criminals to use the disruption within businesses to their advantage, bringing expanded risk in AML, sanctions and terrorist financing.
Ensure that you utilise technology, data analytics and real-time surveillance to identify potentially suspicious activity.
Key financial crime actions to take:
1. Leverage data and technology to improve and streamline your risk assessment and transaction monitoring processes.
2. Continue to scan the horizon for developments in the evolution of financial crime and regulatory responses.
3. Align preventive, detective, and reactive capabilities with the risk profile of the company and its customers.
4. Develop cohesive connections between fraud, cybersecurity, and financial crime teams within all three lines of defence.
5. Enhance processes and procedures to be able to respond to rapid changes in threats.
6. Develop financial crime capabilities that are both scalable and effective, with suspicious activity reporting that provides adequate and meaningful information.
International efforts to increase tax transparency will continue. Campaign groups will continue to apply pressure to national governments to introduce public registers of beneficial ownership, and jurisdictions around the world will continue to develop their local registers. Covid-19 has caused a number of issues in respect of substance, for example boards that have not been able to meet in the appropriate jurisdiction. Be prepared to meet these challenges and act quickly on new advice and requirements in the jurisdictions you transact in and with. Those who make best use of their data will have an advantage.
Key transparency actions to take:
1. Continue to scan the horizon for new developments such as DAC6. Engage with your clients to understand how these developments will affect their future requirements.
2. Transparency adds another dimension to your relationship with your clients; ensure that you understand how the services you provide fit into the transparency of the overall structure.
3. Align your new business, risk management, compliance and internal audit processes to new requirements and threats to your clients’ privacy.
4. Develop cohesive strategies for using your data to satisfy the requirements of revenue services and your clients.
ESG will move from being seen as solely “doing good” to a key driver of value, risk and opportunity. Be prepared for stakeholders and regulators to expect financial services businesses to identify and refine ESG and climate-specific risks. Adopt standard data, analysis, and disclosure practices and develop a roadmap to measure progress and impacts.
Key climate and ESG actions to consider:
1. Define your approach/responsibilities to ESG and climate risk, including customer and third-party relationships, across strategies, policies, practices, and mandates.
2. Develop an ESG roadmap and strategy; establish targets and timelines to incorporate climate risk and ESG decision making and reporting.
3. As global standards evolve, identify the tools required to assist with the horizon scanning to forecast ESG risk; establish policies, controls and risk management processes to mitigate climate and ESG-related risks, including reputational risks, through proactive monitoring and identification.
4. Align internal definitions with evolving expectations to include climate risk and ESG-related impacts (e.g., what “ESG” encompasses, what is “green”, what is “sustainable”).