Five key risks for firms in 2017

By Susannah Hammond, Thomson Reuters Regulatory Intelligence

Financial services firms and their regulators had a busy but largely straightforward year in 2016. This year already looks to be anything but straightforward with Brexit and the start of the Trump presidency. Well resourced, business-specific risk and control infrastructures have always been a required core competency for firms but 2017 is set to test the resilience of all firms, with the added challenge of greater personal accountability for senior individuals. Although the detailed risks run by firms are firm-specific and unique, there are a series of high-level risks applicable to all financial services firms irrespective of geography or sector.

Skills and knowledge

The expectations on boards and senior managers in financial services firms continue to grow alongside the potential for personal liability. In 2017 there is likely to be a focus on the skills, both collectively and individually, of the leadership team. Firms would be well-advised to review regularly the skill sets of all board members, and also to assess the board’s collective knowledge.

The gap analysis should be documented in detail, accompanied by well-resourced remedial action plans to ensure that specific skill or knowledge gaps are filled by training and/or targeted recruitment. All boards need to demonstrate that they are individually and collectively competent for the roles they perform.

Senior individuals will be expected to have sufficient knowledge and awareness to discuss all relevant regulatory risks with supervisors, and to help them understand the likely impact on the firm and its customers. Board members also need to understand thoroughly the business being conducted.

Senior staff at firms need to have an in-depth understanding of all products, activities and processes, but all too often enforcement actions show that, as people and businesses change, knowledge levels become severely depleted, with the inevitable regulatory consequences.

Particular care is needed with any new areas of business or products, whether the change is by acquisition or internal development. As part of a strategic approach to skills maintenance, the assessment of training and awareness needs should be an inherent part of any business change process.

The issue was summed up by Jeremy Rudin, of the Office of the Superintendent of Financial Institutions, in Canada: “We see that many boards are seeking out and obtaining broader skill sets and expertise, and are ensuring that they have enough members with relevant financial industry and risk management expertise. This type of expertise is a key component of an effective board at a financial institution.”

Rudin went on to say:

“One of the board’s most important responsibilities is in the effective oversight and challenging of senior management … A board that does not have the requisite expertise, or is unwilling, to task senior management to provide it with suitably focused material, is undermining its own effectiveness.”

IT infrastructure

Firms are operating in an age of unprecedented levels of technological innovation but at least some of those advances are being built on potentially shaky IT infrastructures. Firms would be well-advised to review and, where needed, invest in their IT infrastructures, particularly ahead of the next wave of likely regulatory change. Wholesale review of and investment in IT may be long overdue at some firms but could yield immense benefits in terms of governance, compliance and improved line of sight to the risks being run. As highlighted in a 2015 Thomson Reuters survey on personal liability, the issue of line of sight is critical; half the respondents (49 percent) reported that senior managers “do not really know what is going on in their business.”

Few firms have seamless IT systems and more often than not legacy systems have been built on top of one another, creating evermore complex platforms. Compliance functions must ensure they can test that critical processes are operating as required and that they have line of sight to any assumptions, manual workarounds, incompatibilities and gaps. While it is discouraging to find that problems exist, it can be infinitely worse not to know. The point was reinforced by Andrew Tyrie MP, chairman of the Treasury Committee, in relation to a number of IT system failures at UK banks. Tyrie said: “The current situation cannot be allowed to continue. IT risks need to be accorded the same status as credit, financial and conduct risk. They are every bit as serious a threat to customers and overall financial stability. More, and higher quality, investment is probably required.”

With that background the Treasury Committee has made three “suggestions,” which will, in effect, steer the future regulatory and supervisory approach to IT in financial services. In outline the three suggestions are:

– Banks need greater IT expertise at main board and subsidiary board level.

– Far more resources should be put toward modernizing, managing and securing banks’ IT infrastructures.

– Legal, regulatory, structural and cultural changes are needed to the way that banks manage their cyber security risks.

Personal liability

Personal liability as a matter of deliberate regulatory policy is here to stay. Board members and other senior managers need to understand exactly how they should discharge, and evidence the discharge of, their obligations. The UK, U.S., Canadian and Australian regulators have already made policy moves to implement enhanced personal liability. In December 2016 the Hong Kong Securities and Futures Commission set out measures to augment the accountability of senior managers, which reiterated that senior individuals bear “primary responsibility” for ensuring the maintenance of appropriate standards of conduct and adherence to proper procedures by the firm.

The measures further specify that senior managers should:

– Properly manage the risks associated with the business of the firm and perform periodic evaluations of its risk management processes.

– Understand the nature of the business of the firm, its internal control procedures and its policies on the assumption of risk.

– Understand the extent of their own authority and responsibilities.

It is not just mainstream financial services regulators that are set to increase the levels of personal liability. In the UK, for instance, the Information Commissioner’s Office is to be given powers in the spring of 2017 to fine directors individually up to £500,000 for breaches of the Privacy and Electronic Communications Regulations, which cover issues such as nuisance calls.

Culture and conduct risk

The rise of culture and conduct risk as a regulatory concept has been relentless. Many firms and individuals remain uncomfortable that they can and will be held accountable for such a qualitative regulatory expectation. Culture has become just as much of a focus as conduct risk, as regulators have sought to move away from a black-and-white rulebook stance to a more holistic, outcomes-based approach. Firms must accept that the focus on culture and conduct risk is here to stay, although detailed development of the practical implications remains a work in progress.

While many firms still need to formulate their own specific approach to conduct risk, there are two persistent challenges: the need for continuing board engagement and the need for high-quality reporting and management information. Anecdotally, many boards have struggled to reach a consensus on what “good” looks like for their firm in terms of culture, conduct risk and the associated “tone from the top.” This challenge is compounded by the need to have line of sight to the conduct risks already arising in the business. The majority of firms have good quantitative management reporting infrastructures in place; far fewer have strong qualitative reporting mechanisms.

In common with other regulators, William Dudley, president and chief executive of the Federal Reserve Bank of New York, has used a number of his speeches to stress the importance of culture and conduct risk. In one, he shared an everyday checklist proposed by Ignazio Angeloni of the European Central Bank, who posed six questions that seek to make responsibility for culture both individual and routine:

– Are you doing what you promised to do?

– Are you using your best knowledge and intention in doing it?

– Are you doing what public authorities, superiors, colleagues and business partners expect you to do, and if not why?

– Are you conforming to the mission and the values of your company, as they are publicly stated?

– Will your actions enhance public confidence in your company and in the financial sector?

– Finally, and crucially, would you behave similarly if your actions were publicly observed?

Dudley went on to say that

“the discipline of asking ourselves these questions on a regular basis and answering them thoughtfully and honestly may be more challenging, thought-provoking and effective than one might initially think.”

The challenges with regard to culture and conduct risk are huge, but if firms are able to develop, implement and embed a strong approach which can be evidenced they will have taken a significant step toward mitigating any risks arising.

Complexity

Complexity in a firm only becomes an issue when the risk and control infrastructure is insufficiently well-designed or resourced, particularly in terms of high-quality IT and data aggregation, to manage the complexity itself, and the risks arising. Complexity is exacerbated by size (the concept of “too big to manage”) and by certain activities such as the manufacture and distribution of unduly opaque products.

Regulators are being more creative in how they supervise firms. Ever-larger fines have proved to be a diminishing deterrent to poor behavior and are being supplemented by a wider range of remedial actions including heightened personal liability. In the UK, the risks associated with unmanaged complexity have been recognized and hardwired into the statutory objectives of the Prudential Regulation Authority.

New threshold conditions have been introduced, including a requirement for a firm to be capable of being effectively supervised. This was a clear indicator that complex, opaque activity, products or structures, and indeed any perceived barriers to effective supervision, will be frowned upon. The PRA has made it plain that firms should keep the maintenance of safety and soundness in mind at all times, even when this requires firms to act more prudently than they might otherwise choose. In other words, firms must not allow themselves, or the product portfolios they create, to become unmanageably complex.

It is a challenge but firms must ensure they can demonstrate that their entire business is under the control of senior managers, that there is line of sight to all risks and there is a comprehensive suite of management information and data to provide evidence of all aspects of compliance.