Five Key Risks 2018

By Susannah Hammond, Thomson Reuters Regulatory Intelligence

For financial services firms and their regulators much of 2017 was devoted to implementation programmes with the impending deadline for the Markets in Financial Instruments Directive II and associated Regulation (MiFID II/R). For the most part this came into effect on January 3, 2018.

MiFID II/R will be a game-changer for trading in 2018 even with the last-minute delay to the legal entity identifier requirements.

MiFID II/R is not the only major regulatory change due in 2018 with the General Data Protection Regulation (due to come into effect in May 2018) perhaps the most substantive of the other extraterritorial EU changes. Regulatory change and uncertainty is not only being driven by Europe.

In the United States, the Treasury department has put forward a series of policy proposals covering changes to markets and regulatory bodies but there have yet to be any substantive moves to change policy into practical proposals for consultation.

In Asia, there has been a continued focus on misconduct and market integrity with Hong Kong reviewing the management of conflicts of interest and Australia launching a Royal Commission to “health check” its financial services sector all with an overlay of continuing concerns regarding financial crime.

At the supranational level, the Financial Stability Board (FSB) still has a shopping list of policy considerations including those to address structural vulnerabilities associated with asset management, the need to build effective cross-border resolution regimes, and the need to realise fully the benefits of trade reporting in improving transparency in over-the-counter (OTC) derivatives markets.

Other areas under review include the decline in correspondent banking, financial stability issues raised by fintech, the underlying causes of misconduct, the need to bolster individual responsibility and accountability, and the need to align incentives and reward more effectively.

Strong, well-resourced, business-specific risk and control infrastructures have always been a required core competency for firms but 2018 is set to test the resilience and strategic approach of all firms with the added challenge of greater personal accountability for senior individuals. While the detailed risks run by firms are, by their nature, firm-specific and unique, there are a series of high-level risks applicable to all financial services firms irrespective of geography or sector.

Chapter One

Cyber resilience

All things cyber, whether risk, attack, crime or resilience, are never far from the headlines with companies around the world vulnerable to attack in the online world. In terms of cyber resilience, cyber risk, cyber crime as well as headline-grabbing cyber attacks (Equifax being just one recent example) it is clear that the universally expected good customer outcomes will be under threat should cyber resilience fail. The headlines are borne out by the statistics on cyber attacks which show the threat to be increasing rapidly.

In June 2017, the UK Financial Conduct Authority (FCA) updated its policy approach to cyber resilience and its expectations such that firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events. As part of that update, the FCA quoted a number of statistics to illustrate the increasing threat from cyber attacks, perhaps the most startling of which was the 1,700 percent increase in cyber attacks reported to the regulator since 2014.

What had previously often been seen as simply an IT issue has become an important issue for senior managers around the world with the FCA stating its goal, in common with many other financial services regulators, to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”.

Senior managers need to ensure cyber risks are effectively identified, managed, mitigated, monitored and reported on within their firm’s corporate governance framework.

For some, cyber risk may be well outside their comfort zone but it does need to be considered, and there is evidence simple steps can go a long way toward protecting a firm and its customers.

In October 2017, the FSB reported on a cyber security workshop held between public and private sector participants. “Effective cyber security requires a strategic, forward-looking, fluid and proactive approach. They noted that it is not sufficient to simply look to past incidents and known risks, but that one must evaluate potential future threats. At the same time, participants stated that up to 90 percent of threats can be mitigated by basic cyber security hygiene,” it said.

There are some basic measures which senior managers and their firms need to consider. Firms can expect increasing levels of regulatory interest in some fundamental questions including:

  • What information needs protecting?

  • What are the risks to the information and how much risk is your firm willing to accept?

  • What measures are needed to protect the information?

  • Do the security measures work?

Chapter Two

Incentives and remuneration

The risk and reward incentives associated with remuneration and compensation are once again in the spotlight. In June 2017, the FSB published a consultation updating its principles and standards for sound compensation practices, which had been one of its first policy priorities in 2009 in the immediate wake of the financial crisis.

The original principles and standards on compensation did not specifically address the issue of misconduct or provide guidance on the operation of compensation tools in the event of misconduct, but the role of compensation as an important influence on incentives was made clear.

Compensation tools, along with other measures, are seen as having the potential to play an important role in addressing misconduct risk by providing both ex ante incentives for good conduct and ex post adjustment mechanisms that ensure appropriate accountability when misconduct occurs.

The FSB, in collaboration with standard-setting bodies, has proposed guidance to supplement the principles and standards in the form of recommendations on better practice that specifically address the link between compensation and conduct. The recommendations address:

• The full range of responsibility, from senior management to the front line, for conduct issues arising from firm culture and commitment to ethical conduct.

• The integration of non-financial considerations relating to conduct in a balanced approach to performance assessment and compensation.

• The alignment of compensation incentives to the longer time frame misconduct risk may take to materialise.

• The use of transparent, consistent and fair compensation policies and procedures that establish clear expectations and accountability for conduct.

• The recommendations also frame supervisory expectations that supervisors should, within the scope of their authority, monitor and assess the effectiveness of firms’ compensation policies and procedures in managing misconduct risk.

Firms would be well-advised to review their approach to remuneration and any possible links to misconduct.

If nothing else there is a crystal clear reminder that the accountability for misconduct “lies first with the board of directors”. Firms must not and cannot simply push the management of misconduct and the associated governance and compensation expectations down and away from the board table. 

Chapter Three

Vulnerable customers

There has been an increasing focus worldwide on the needs of vulnerable customers, and financial services firms’ approach to them. Vulnerability can come in many forms. Retail customers in general may be seen to be vulnerable when being sold or dealing with particularly complex or sophisticated products. Binary options, which are seen as high-risk products, are a particular case in point, and retail sales have been banned or severely curtailed in numerous jurisdictions.

Other forms of vulnerability come from ageing populations. In the United States, there is a continued focus on the need to protect seniors and other vulnerable adults from financial exploitation.

In November 2017 the U.S. Securities and Exchange Commission’s (SEC) enforcement division published its annual report, which highlighted that $1.07 billion had been distributed to harmed investors, up from $240 million in 2016. As the report made clear, retail investors are the most vulnerable and are least able to weather financial loss. The SEC said it “will continue to address the kinds of misconduct that traditionally have affected retail investors: accounting fraud, sales of unsuitable products and the pursuit of unsuitable trading strategies, pump-and-dump frauds, and Ponzi schemes, to name just a few”.

In September 2017, the FCA published an occasional paper outlining the findings from a project that explored how the ageing population would affect the financial services industry. When reviewing the treatment of older people, the FCA found risks that their financial services needs were not being fully met, resulting in exclusion, poor customer outcomes and potential harm.

The issues appear to be driven by a range of interrelated causes. These include policies and controls that are not designed to meet consumer needs, and unintended consequences of retail product and service design.

While older consumers are not necessarily vulnerable, they are more likely than other groups to experience vulnerability at some point. The FCA set out what it labelled as “ideas” for firms to consider in ways that fit their business models, such as looking at product and service design, customer support, and reviewing and adapting strategies.

Senior managers should prepare for greater regulatory interest in their firm’s strategic approach to potentially vulnerable customers, both from a product suitability and an older customer perspective. 

Chapter Four

Implementation and embedding of regulatory change

With much change set for 2018 there has been a huge focus on the updates needed to processes, systems and controls; however, that is not the end of the story.

As the post-MiFID I experience shows, there needs to be just as much focus on checking that the updates and changes made have been implemented, embedded and tested.

A particular example is transaction reporting. After the original MiFID the concept of transaction reporting was well-established but the UK FCA continued to see some firms submitting transaction reports containing poor-quality data. In one snapshot the most common fault was the late submission of the required reporting.

The breaches found resulted in numerous enforcement actions, the latest being the October 2017 £34.5 million fine imposed on Merrill Lynch International for failing to report derivative transactions.

The FCA has reiterated that the ability of firms to submit accurate and complete transaction reports is essential if they are to be in a strong position to meet the more complex requirements of MiFID II/R.

As stated in Market Watch 50: “In the interim period until the new regulations apply, we expect firms to provide accurate and complete transaction reports under the current regime.”

All firms should be aware they are on notice not to repeat the widespread and apparently persistent transaction reporting failings seen in the past. While there has been some softening of the expectation of immediate full compliance with all aspects of MiFID II/R, regulators are unlikely to tolerate any similar errors arising from what is deemed to be poor implementation.

As illustrated by the Merrill Lynch action, not only are any fines and remedial actions likely to be more severe but there is also the spectre of greater personal liability. 

Chapter Five

Technology risk

The pace of technological change in financial services has been described as an inflection point. There are extensive potential benefits from the successful deployment and use of technology with improved efficiency and productivity, together with greater commercial opportunities at the top of the pile.

Other perceived benefits include advancing technology and better systems, better compliance practices and better customer interactions and outcomes. All these could be a competitive advantage.

Such an advantage comes at a cost and with a number of challenges. As highlighted by the Thomson Reuters report on fintech, regtech and the role of compliance in 2017, the greatest challenge is seen as the need to upgrade legacy systems. Only 30 percent of respondents reported that they were “very confident” that their firm had a seamless, integrated, well-understood IT platform in place which would be able to support fintech, regtech and insurtech.

Another of the challenges faced is the adequacy and availability of skilled resources. This is true at all levels of the firm and may require a skills audit or review to assess and remediate any gaps.

In October 2017, Helen Rowell, deputy chairman of the Australian Prudential Regulation Authority, said: “Some boards are also recognising the importance of carefully considered succession planning as part of their broader strategic planning. This ensures that boards don’t just look to fill a vacancy as it arises but think about the skills and experience that will need to be replaced as each director’s term is likely to end, as part of ongoing renewal planning. Most notably, recent appointments to some boards have added cyber and digital skills to the mix, to enhance board capability to provide appropriate review and challenge in this ever-changing space.”

The balancing of commercial and compliance needs is perhaps at the heart of the technology risk issue. Without sufficient appropriate investment in technology and associated skills, firms will lack the infrastructure to enable them to thrive into the medium term, but the potential millstone of legacy systems needs to be tackled to ensure firms are able to reap the benefits of all aspects of technological innovation.
