Ten regulatory insights for Asia in 2018

At the Thomson Reuters ASEAN Regulatory Summit in 2017, participants were asked what the single largest regulatory challenge was likely to be in the next 12 months. Forty-three percent cited the volume and scale of regulatory reform; 17 percent the need to manage and embed culture and conduct risk; and 12 percent AML, know your client (KYC) and financial crime.

The challenge for compliance teams will be to ensure their boards and senior management understand what is happening in the business, and demand and receive quality and timely information about decisions that may affect customers and the business as a whole.

This year will see more senior managers removed from their posts and more action taken by regulators against firms if they fail to disclose material information to regulators in a timely manner.

2018 will also see the continuation of a number of international investigations into financial institutions for alleged AML/CTF and bribery and corruption breaches. A Royal Commission looking into the Australian financial sector is also scheduled to commence this year.

Financial institutions will also need to embed compliance and risk management within their organization, so that compliance has sufficient influence to alert senior management to issues before they escalate. Many firms would consider this has already happened, but recent regulatory investigations have suggested otherwise. It will be more important than ever before for the “tone from the top” to ensure conduct risk and cultural change is on track.

Various reforms outside the Asia-Pacific region will also have an impact, including the Markets in Financial Instruments Directive II (MiFID II) and the European Union General Data Protection Regulation (GDPR). One possible early consequence of MiFID II may be the evaporation of the market for research material following the introduction of the new rules on research costs.

Perhaps the most important challenge, however, is the pressing the need to improve communication and information-sharing between the region’s financial sector and its government agencies, to enable it to fight money laundering, terrorist financing, cyber and data attacks, complex commercial fraud internationally, bribery and corruption and human trafficking. There are a number of positive initiatives already underway.

The Financial Stability Board (FSB), in its third annual report on the implementation and effects of the G20 reforms, placed cooperation and information sharing of financial authorities as a number one priority. At the Thomson Reuters Pan-Asian Regulatory Summit held in Hong Kong in October 2017, 42 percent of participants were dissatisfied with the information they received from public agencies and only 13 percent were satisfied, suggesting there is considerable room for improvement.

Regulators will continue to concentrate on “front-loaded” enforcement and may aim to achieve quick compliance wins with timely civil or criminal prosecutions. More importantly, the scope of regulators’ focus continues to expand, notably into risk culture, management accountability, cyber resilience, fintech and regtech “sandbox” initiatives, data privacy, cryptocurrencies, third-party risk management, AML/CTF, beneficial ownership and bribery and corruption.

Attention will also be given to prudential supervision, complaints handling and remediation of consumer issues as an indicator of culture and executive accountability for business operations. In Asia, the increase in class actions against financial institutions may prompt firms to ensure better product reviews and advice to customers and improve product design.

2018 is also likely to see a continuation of the trend for enforcement agencies to coordinate with their counterparts across jurisdictions. International and cross-agency cooperation on bribery and corruption has already resulted in multimillion-dollar fines. There are already a number of large corporate investigations under way in Asia.

Regulators, worldwide, and particularly those in Asia, are encouraging technology services and bringing them under a supervisory umbrella by introducing “sandboxes”. Australia, Hong Kong, Singapore and Malaysia are all competing to be fintech hubs.

Another urgent issue for regulators will be the need to assess the financial stability issues and money laundering risks presented by cryptocurrencies and the transformation adaption of blockchain.

They will need to establish where responsibility for these products ultimately lies given the lack of market boundaries. It remains far from clear how regulators will view these new forms of technology and how investors can be protected.

Regulators will be more strategic in their enforcement action against illegal capital raisings and gatekeepers, especially when it comes to protecting ageing or other vulnerable citizens from registered and unregistered capital raisings it comes to protecting ageing or other vulnerable citizens from registered and unregistered capital raisings.

Thomson Reuters has identified the following top 10 regulatory insights for financial institutions in the Asia-Pacific region:

Enhanced sharing of information to fight financial crime in Asia.

1. Embedded compliance with influence.
2. Customer needs - responsible marketing and selling financial products.
3. Data privacy and data protection challenges.
4. Cyber resilience.
5. Impact of regulation and investigations from other jurisdictions.
6. Technological uncertainties - crypto currencies.
7. Class actions as a driver of focus.
8. Executive accountability.
9. China’s intention to improve compliance as a changing dynamic.

Levelling with the regulator
Everyone in the financial sector has a stake in fighting financial crime. In the second half of 2017 a number of banks were found wanting by authorities, in terms of both their AML/CTF compliance and also senior management failure to report serious breaches in a timely manner. Fallouts such as these can affect firms’ brand and the share price, and may subsequently lead to the cancellation or restriction of a banking license.

Often it is not only in the compliance programme itself that lets banks down, but also the communication strategies employed by senior management coupled with a failure to act effectively when faced with serious issues. Firms should be aware that failure to be candid with regulators or enforcement authorities is a serious matter.

Sharing information
Sharing information and collaboration between the public and private sectors has become critical to combating financial crime including AML/CTF, beneficial ownership, cyber, commercial fraud, identity data theft, bribery and corruption and human trafficking. Firms may need to consider structural changes to facilitate such collaboration, and working more closely with regulators and government agencies in future.

Important initiatives are under way across Asia with regulators and enforcement agencies collaborating on AML/CTF intelligence. These include the Hong Kong Police’s private sector initiative, the Future of Financial Intelligence Sharing (FFIS) programme, the Hong Kong Monetary Authority (HKMA)’s Cyber Intelligence Sharing Platform and the Interpol Global Complex for Innovation.

Extent of financial crime
These reforms and initiatives are a beginning but they are insufficient to reduce the growth of financial crime in the region. For example, spending on cyber security products and services is predicted to exceed $1 trillion internationally in the next five years. The average cost of a malware attack to a top-50 company in the United States is $2.4 million, and such attacks take on average more than 50 days to resolve. Ordinary companies will find it impossible to deal with such a high level of costs as cyber crime becomes more widespread.

Last year, customers internationally lost billions to fraud and identity theft, up 16 percent from 2015. In the UK alone, studies indicated that the annual cost of fraud could be as high as £193 billion, far higher than a government estimate of £50 billion.

There are a number of studies which all point to different amounts, but the concern is the extent of losses caused through financial crime, whether inside or outside the private and public sectors, are unknown.

Sharing information and collaboration between public authorities and private enterprises has become a necessity, not an option. The development of big data and artificial intelligence will help combat financial crime.

Financial institutions should consider transforming the role of their compliance departments from an advisory function into one which has a much more direct influence on risk management and monitoring business operations, so that serious issues are not allowed to fester.

A reply of “I did not know” will no longer cut it with regulators and senior executives and directors will be more accountable when things go wrong.

Strategic changes
Financial institutions should also review their compliance functions to determine whether structural changes are needed. They should assess their compliance operations to ensure they are used appropriately in the organization’s overall risk and control framework and are equipped to give early warning alerts.

A good compliance officer — even a junior one, these days — can be the guardian of the institution but to do so he or she will need to understand the business, ask the right questions, be outspoken and guide the institution. In decision-making on major product or business issue, the right question will always be: what would the regulator say or do if they were in the room?

Having effective compliance embedded in the business should ensure compliance is involved in operational risk concerns and actively integrated in business operations. Compliance teams must be able to pinpoint concerns immediately and work through the business issues in the interests of the organization. The following questions may be relevant:

• Will the existing compliance framework identify failures or gaps in business decision-making?
•  Is compliance involved in understanding the business or is the compliance officer only called in once business decisions have been made, and the last to know when failures occur?
• What does an analysis of customer complaints reveal?
• Does senior management regularly meet with the organization’s compliance professionals to ask their advice?
• Are serious issues elevated immediately to the board of directors?
• Are senior management and the board receptive to bad news and outspoken compliance advice or are compliance officers shut down?
• How candid is senior management with the board of directors when serious issues emerge?

In September 2017, the UK Financial Conduct Authority (FCA), published an occasional paper outlining the findings from a project that considered the impact of an ageing population on the financial services industry. The paper warned that older customers’ needs were not being fully met, resulting in exclusion, poor customer outcomes and potential harm.

Regulators in Asia are increasingly recognizing that product design and services are aimed at “average” customers who may or may not exist. In relation to product design, the financial sector will have to take into account the potential vulnerabilities of certain groups of customers to ensure they receive appropriate product advice.

As an example, the Australian Securities and Investments Commission (ASIC) has been successful in making financial institutions, insurers, car dealers and payday lenders compensate vulnerable people who were mis-sold financial and consumer products.

Regulators have found that often product design is oriented around corporate rather than customer needs. This is borne out by the many registered financial products, collective investment schemes and insurance bond products that have lost billions of dollars for elderly investors, since 2007. Many of those investors did not fully appreciate the risks attached to the products.

In 2018, customer vulnerability will be an area of increasing focus for regulators. Firms may wish to consider developing specific products to fill gaps in the market and must ensure that they take older customers’ needs into account when designing products, developing distribution channels and making representations in written material.

The wholesale processing of customer data and the transfer and use of customer data between jurisdictions has become more complex because different regions have adopted their own approaches. The most recent example is the Chinese data protection laws that came online in November 2017; additional guidance is expected to follow.

Added to this is the GDPR, which will be implemented in January 2018 and will serve as a catalyst for regulators to scrutinize the transfer of data and bulk automotive processing of customers’ personal data. The GDPR will affect not only companies with European subsidiaries but also Asian companies that target EU customers. It will apply to the way data is collected and kept, no matter where the servers are located. Technically, if a firm’s server is in Asia and it holds EU employee or consumer information, the GDPR will apply to the Asian firm.

The GDPR also introduces substantial fines of up to 20 million euros or 4 percent of global annual turnover for failing to adhere to the law. Firms in Asia must therefore have a clear understanding of the GDPR if they have European customers or operate through European subsidiaries and ensure that they have data assessment methods in place.

They must keep accurate records to ensure data transfers and processing meet the relevant regulatory tests and the data is used for legal purposes.

This all makes for a complex regulatory landscape and suggests the need for international harmonization of data controls at least across Asia, to bring simplicity and clarity into what can be a tricky area of diverse legislation.

At the Thomson Reuters ASEAN Regulatory Summit held in Singapore in May 2017, the audience participation survey revealed that 52 percent of firms’ cyber risk appetite was only partially defined and not been properly communicated. Eighteen percent of participants said they had not defined their cyber risk appetite and
that nothing had been communicated to staff. Only 30 percent of the audience confirmed that their firm’s cyber risk appetite was clearly defined and understood. There were similar results across the Asia-Pacific region.

Firms have much work still to do in this area and some Asian firms may perhaps have been rather too complacent about the need to have an effective cyber resilience assessment framework in place.

In October 2017, the FSB published the results of a stock-take it had carried out on cyber security regulations in which it stressed the need for firms to be much better prepared, as “cyber-attacks have the potential to disrupt financial services that are crucial to both national and international financial systems and endanger financial stability”.

Regulators in 72 percent of jurisdictions told the FSB they planned to issue new regulations, guidance or supervisory practices this year to address cyber security for the financial sector.

Regulators appear to be working toward a principles- and risk-based approach, with proportional regulation. Many regulators in Asia are addressing similar topics such as governance, risk analysis and assessment, information security, expertise and training, incident response and recovery, communications, information sharing and oversight.

Firms need to review their cyber security requirements, keeping in mind the following questions:

• What assets and information are the most vulnerable and in need of protection?
• Are there clear reporting lines for incident escalation?
• Is there one person in the organization who is accountable and can make decisions?
• Are there processes in place to communicate with customers if an incident occurs?
• Is there an expert third party who can be called in to assist urgently when an incident occurs?
• Are tests being conducted on the firm’s systems to assess resilience?
• Are there contingency plans in place to protect systems and data?
• Is there a clear process for reporting breaches to authorities, with phone numbers and names?
• Has the cyber resilience programme been effectively communicated to staff and have they undergone training for an incident?
• How involved is the board of directors?

At the Thomson Reuters ASEAN Summit in 2017, the second biggest regulatory challenge identified by participants was the volume and scale of regulatory reform in the Asia-Pacific region and also the impact of developments in other jurisdictions. Legislative initiatives aside, there are also numerous international investigations and government inquiries that may affect operations.

In 2018, firms will be required to meet multiple regulatory deadlines and to assess any impact from a raft of European regulations that may affect their operations. The two most important are MiFID II and the GDPR (already referred to in point 4). MiFID II will have extraterritorial impact on those firms engaged in dealing with EU entities, have EU branches or provide services to EU clients.

Asian financial institutions will have to conduct an impact analysis on their investment banking business with EU clients which considers booking models, trade flows, identity documentation and characterization of stakeholders.

Most banks have already undertaken the MiFID II assessments implementation, while others indicated in Thomson Reuters surveys that there would be technical over-runs and implementation challenges to meet the January 2018 deadline.

Major investigations and inquiries
A number of investigations into alleged misconduct in financial services in Asia will continue this year. The most notable perhaps is the 1 Malaysia Development Berhad (1MDB) scandal where authorities from the United States and Switzerland are investigating fund flows through banks in Malaysia, Singapore, Hong Kong, Thailand, the United States, Switzerland and the United Arab Emirates relating to AML/CTF, corruption and embezzlement.

Regulators are also reviewing individuals and entities mentioned in the Panama Papers and the Paradise Papers which may point to illegal activity in the Asia-Pacific region. They are also investigating fund flows into offshore jurisdictions.

Added to this are numerous international corruption and bribery investigations, with prosecutors increasingly working together across jurisdictions. Last year a number of deferred prosecution agreements were agreed across jurisdictions involving multimillion dollar fines.

Financial institutions would do well to review their bribery and corruption procedures and conduct due diligence on any suspect accounts. They must therefore be more vigilant when dealing with offshore jurisdictions and may not be able to rely upon a corresponding bank’s due diligence concerning customers’ bona fides or beneficial ownership issues.

Additionally, recent co-agency investigations have revealed that companies in Asia breached U.S. sanctions relating to North Korea and used complex corporate structures to funnel funds through Asian banks in relation to commodities for North Korean entities. This is another area where financial institutions need to be vigilant.

Last but not least, in November 2017, the Australian government announced a Royal Commission, headed by Justice Hayden QC, a retired High Court judge. The inquiry will review the conduct of banks, insurers, financial services providers and large superannuation funds. It will also consider how well-equipped Australian regulators are to identify and address misconduct.

Regulators in Australia, Hong Kong and Singapore are interested in the conduct of gatekeepers and whether financial institutions and firms are undertaking proper due diligence to verify the source of funds and effectively investigate beneficial ownership. There have been numerous examples where banks have “dropped the ball” in this area, leading to civil and criminal proceedings and hefty fines.

To win back public trust it will be inadequate for financial institutions simply to say their organizations are ethical; they will need to demonstrate this in the way they conduct their business. This will mean dealing with customers and entities fairly and making timely disclosures to regulators and the market.

Terrorism is never far from the news headlines. The financial services industry is at the forefront of the fight against all forms of financial crime. Politicians, particularly in the wake of the recent events in Paris, have a spotlight on firms and regulators alike to be, and to be seen to be, doing everything they can to eliminate money laundering, sanctions breaches and terrorist financing.

Some firms have separate money laundering reporting officer and AML functions, while in others it falls to the compliance function to undertake the work on the prevention of financial crime. Wherever the responsibility falls, firms would be well advised to undertake a widespread review of all aspects of their approach to, and compliance with, financial crime prevention requirements.

There is ample guidance to assist firms in their work on financial crime. In September 2015, the Wolfsberg Group published FAQs on financial crime risk assessments. The Wolfsberg principles on the prevention of financial crime are not mandatory, but they are internationally recognized as a benchmark for developing regulatory good practice approaches to risk management. Firms would be well advised to use the criteria set out in the FAQ when considering their approach to their next (usually annual) review of financial crime.

More guidance came from the UK FCA in April 2015, when it published updated guidance for firms on financial crime systems and controls. Although the FCA has made it clear that the guidance is not binding, it has nevertheless sought to provide firms with an enhanced understanding of regulatory expectations and to set out steps that can be taken to reduce the risk of financial crime. The guidance also aims to help firms assess the adequacy of their financial crime systems and controls and remedy deficiencies, as well as to adopt a more effective, risk-based and outcomes-focused approach to offsetting financial crime risk. As such, some of the suggestions and practices (both good and poor) may be a useful additional resource for any firm when reviewing its approach to anti-money laundering and combating the financing of terrorism (AML/CFT).

In July 2015, the International Monetary Fund published the overarching staff report from its annual bilateral discussion with the United States. The suite of supporting publications included the Financial Sector Assessment Program technical note reviewing the U.S. approach to AML/CTF, which highlighted outstanding policy gaps and made some high-priority recommendations, including, specifically, the changes needed to the required approach to beneficial ownership.

The issue has become all the more pertinent as the U.S. AML/CFT system is being assessed by the Financial Action Task Force (FATF), which began a monitoring visit on June 1, 2015. The results will be made public in 2016. The last FATF assessment in 2006 found that the United States had implemented an AML/CFT system that was broadly in line with the international standard, with one significant omission regarding customer due diligence.

Less significant deficiencies related to the availability of ownership information about corporations and trusts, and the requirements applicable to certain designated non-financial businesses and professions. The U.S. AML/CFT legal and institutional framework has yet to address the deficiencies identified following that assessment.

In the United States, AML/CFT is also set to get personal for compliance officers. In December 2015, the New York State Department of Financial Services proposed that a senior compliance officer for each regulated institution would be required to make an annual certification as to the firm’s compliance with the transaction-monitoring system requirements used to detect money laundering and terrorist financing. The intention was for there to be potential criminal penalties for the compliance officer if the certification was deemed to be “incorrect or false.”

In the summer of 2015, the European Fourth Money Laundering Directive was agreed and is scheduled to become law on June 26, 2017. The new directive also focuses on beneficial ownership as well as the shift toward a more risk-based approach, whereby firms would have to assess the risks faced and put in place appropriate resources and measures to offset them, which is where the Wolfsberg FAQ will be particularly useful.

In September 2015, the Canadian government published an assessment of inherent risks of money laundering and terrorist financing in Canada.

The report found that the large Canadian banks were “exceptionally vulnerable” to financial crime, with concerns also expressed regarding accountants and lawyers.

The report has been published ahead of the expected publication of the latest FATF visit to Canada in 2016. For Canadian financial services firms or others dealing into or with Canada, the financial crime risk assessment has taken on a heightened importance and will need to be particularly detailed to allay governmental concerns.

One other element for firms to consider as part of their financial crime risk assessment planning process is the publication by the European Council of the proposed General Data Protection Regulation, which has the twin aims of enhancing the level of personal data protection for individuals and increasing business opportunities in the European Digital Single Market.

Firms will need to understand, in detail, the implications and impact of the General Data Protection Regulation, which will apply to anyone who “resides” in the European Union, no matter where in the world they are deemed to be doing business. Nor is the regulation dependent on whether any transaction has taken place.

The links between the data protection and beneficial ownership aspects of AML/CTF are clear, and firms will need to ensure that they can identify all of their clients who are deemed to be resident in the European Union, regardless of where (geographically) they happen to be dealing with them.

A secondary part of the determination will need to be clarity as to exactly where any business is taking place, and to ensure that if it is outside the EU, either the required “adequacy” assessment or the onerous “appropriate safeguards” are in place. The potential for “fortress Europe” in terms of data protection has been turned into a reality that is likely to come into force in early 2018.