Our recent post highlighted the diverse variety of risks that businesses must contend with this year, and the first quarter of 2022 will deliver a host of specific challenges for the UK's financial services market. Spurred by the rapidly changing environment in which markets are operating, UK regulators' strategic goals reflect these economic, technological and social changes.
This is clearly reflected in, for example, the 2021/22 business plans of the FCA (Financial Conduct Authority) and the PRA (Prudential Regulation Authority), the ICO's (Information Commissioner's Office) strategies, and the PSR's (Payment Systems Regulator) strategy for the coming year. Regulatory readiness will be pivotal to firms' success, elevating the importance of proactively identifying, monitoring, and managing risks before they materialise versus remedying the resultant detriment to the customer or the market after the fact.
The rapidly evolving landscape is leading to critical exposures across multiple distinct areas, including supplier risk management, cybersecurity, and fraud and financial crime. These all lead back to the likelihood of increased scrutiny in four key areas.
Consumer protection and improving consumer confidence and outcomes
The FCA's latest business plan sets out its ambition to be a more proactive, forward-looking regulator, one that is more assertive in its pursuit of greater protection for consumers, and indeed fair outcomes. Among its priorities are ensuring that vulnerable consumers do not take on unaffordable debt and that consumer credit markets are responding appropriately to the increased demand for credit products.
To that end, the Treasury's recently concluded consultation on Buy Now Pay Later (BNPL) products is significant. Businesses that defer payments have been excluded from consumer credit regulation since it was first introduced nearly 50 years ago. Under new proposals, however, BNPL credit merchants could soon come under the scope of the FCA's creditworthiness rules (meaning they would have to conduct creditworthiness assessments to ensure consumers don't take on debts they can't manage). In addition, the proposals could give consumers access to the Financial Ombudsman Service if they have concerns about the conduct of lenders.
The impact of this potential requirement should not be underestimated. When a similar change in the regulatory environment occurred in the rent-to-own and home-collected credit sub-sectors, it required firms to prove robust procedures, adapt and strengthen policies, and in some cases led to restricting new lending and remediation costs. In the most extreme cases, it forced firms to cease trading.
In addition to these developments, the increased reliance on digital payments and, in parallel, the changing nature of how payment systems work in practice will also bring into sharper focus the protection of customer data. Organisations will need to be increasingly cognisant of the inherent risks here and how to mitigate them.
Anti-money laundering controls
Another significant incoming development is the extension of the FCA's annual financial crime reporting obligation.
In an attempt to build a clearer picture of money laundering and other financial crimes across a more diverse range of sectors, the FCA has massively increased the scope of its reporting requirements, with the number of firms required to submit an annual return nearly trebling from around 2,500 to around 7,000. From the end of March, the reporting requirements will extend to all payment institutions (with a few exceptions), e-money institutions, and crypto asset exchange providers. The return comprises 35 questions designed to draw out information about potential financial crime, such as high-risk jurisdictions and customers, sanctions screening systems, and the most prevalent types of fraud.
Resilience and outsourcing
By the end of March, payment institutions and e-money institutions must also be ready to comply with the FCA's operational resilience regime and the PRA guidelines on outsourcing. The rapid growth of fintech platforms and open banking is also hastening the need for effective governance and oversight of rules surrounding payment systems.
To satisfy the FCA's requirements, businesses must be able to demonstrate they have identified any vulnerabilities in their operational resilience and mapped and tested impact tolerances for what the FCA describes as "the maximum tolerable disruption".
The PRA outsourcing guidelines aim to ensure that firms are appropriately mitigating third-party risk which could impact their own operational resilience. The guidelines clarify the PRA's expectations concerning the need for "proportionate, risk-based, suitable controls for any material and/or high-risk third-party arrangements", while also making clear that firms should be reviewing all legacy outsourcing agreements (i.e., those agreed before 31 March 2021) by the end of March 2022, or as soon as possible thereafter.
Data privacy
The need to protect, manage and use customers' personal data appropriately remains imperative. January's announcement by the UK Government of the launch of the International Data Transfer Expert Council speaks volumes for the business benefits that can be unlocked by securing cross-jurisdictional data flows, but progress will also rely heavily on building and promoting higher levels of trust in the sharing of personal data, in relation to GDPR enforcement, other privacy regulations and antitrust regulation.
Global regulatory landscape
Businesses with international interests will also need to keep one eye on the global regulatory picture.
In the US, the Anti-Money Laundering Act 2020 has introduced tougher penalties for money laundering and new rules that aim to prevent the misuse of shell companies.
In Europe, the EU has in recent weeks progressed two key pieces of legislation concerning digital platforms and services. The Digital Markets Act aims to create a more level playing field for digital companies and stop larger platforms imposing unfair conditions on smaller ones. The Digital Services Act, meanwhile, introduces new rules around targeted advertising and the safety of products sold online. The European Parliament has adopted its position on both acts and is now negotiating with member states.
How should businesses respond?
Good compliance is an entry point for a strong business. If not addressed proportionately, regulatory risk can materially impact consumer trust and shareholder value, and trigger deeper regulatory scrutiny.
Businesses should also recognise the opportunities that strong and forward-looking compliance can bring. In the UK, the FCA's regulatory sandbox – a mechanism to test products and services in a relaxed regulatory environment – is now accepting applications all year round. Previously, applications were restricted to specific time windows.
More holistically, though, risk management requires a broader range of business perspectives and effective collaboration to be truly effective. For example, the active involvement of Product, Sales, Customer, Finance, and Data teams will aggregate a more rounded view of threats, current or upcoming vulnerabilities, and opportunities to shape how to safeguard the organisation, consumers, and the market. While good risk management clearly requires rigour and discipline, it also requires imagination, creativity and collaboration to be fully effective, and avoid surprises. The ability to manage risks first requires an organisation to be able to identify them - especially new risks.
Diverse business perspectives can maximise foresight – for example, understanding consumer needs and concerns to enable the embedding of risk management into the customer journey – and also present potentially unorthodox yet invaluable 'at the coalface' thinking about what might go wrong. Firms dismiss this input at their peril – risk is as much about what you can't see on the horizon as it is what you can. Who would have thought a few years ago that central banks would be integral to enforcing climate-related regulation? Fringe pressure moves to the mainstream, and then into the body of regulatory requirements much faster than you think.
Such cross-disciplinary approaches to risk management will foster a culture of risk awareness and management throughout the reality of how an entire business operates, rather than running compliance as a 'bolt on'. The best compliance teams want to be involved in enabling opportunities within an organisation's risk appetite and in a compliant way, but that requires involvement end to end. Only this way will businesses be able to develop greater enterprise-wide agility that can predict risks and mobilise for future regulation, rather than simply reacting to it when it arrives.