As we propel ourselves fully into 2020, we move forward from a formidable decade of regulatory reform in the financial services sector. The emergence of digital banks, crypto assets, payments and e-money institutions has resulted in more regulatory scrutiny than ever before, and the need to balance innovation with regulation continues to prove challenging for firms across the sector.
In this blog post, fscom’s leading experts in the areas of payments, investments, financial crime and cyber security share their insights on the top regulatory themes that will shape the financial services industry in the year ahead.
1. E-money and payment services
“The top three issues for e-money and payment institutions for 2020 all became clear in the second half of 2019.
- Safeguarding will continue to be an area of focus for the FCA following the Dear CEO attestation exercise in July last year. Supervisors will be checking up with both those who promised to make changes and those who declared full compliance to make sure the declaration was well founded.
- Capital adequacy is the second pillar of protecting consumers. Clearly, it is when a firm is financially distressed that the customers’ funds are most at risk. The FCA will continue to question firms on how they calculate their capital requirements, how they monitor capital adequacy and whether they have linked their capital requirement to their assessment of the risks to which they are exposed.
- Financial promotions and the way firms communicate with consumers will continue to be a focus following the application of the Principles for Businesses from August last year. Payment and e-money institutions must be careful not to mislead consumers into believing they are dealing with a bank and where there is a crypto element to the business, it must be clear that the crypto isn’t regulated.”
“Culture and governance remain a cross-sector priority for the FCA. Since the financial crisis and other scandals such as LIBOR, the FCA’s response has been very focused on culture and governance. SMCR is a central tactic in this approach.
It is worth noting that while SMCR has been extended to investment firms, it is only the senior management aspect. Firms still need to certify material risk takers as competent by the end of this year. Like all new financial services regulation, there will be a review of the impact of SMCR and the regulator will make further changes where it deems necessary.
It is clear from the FCA’s 2019/20 business plan that remuneration remains a focus for the regulator. In particular, they will continue to assess firms' remuneration plans to ensure that they promote the best outcome for clients.
Finally, on a positive note, the FCA are consulting on a change to the prudential regime for investment firms. Historically, investment firms' prudential requirements have been driven by the Capital Requirements Regulations. These regulations were principally designed for the banks stemming from the financial crisis and have long been criticised as not appropriate for the nature, scale and complexity of investment firms. It is therefore encouraging to see that in Europe, they are to be replaced by the Investment Firm Regulations and Directive. As the national competent authority, the FCA are therefore seeking feedback with a view to implementing the regulations in the UK.”
3. Financial crime
“With the transposition of 5MLD into law on 10 January we are expecting an outright commitment from regulators to enforce effective management of money laundering and terrorist financing risk. The FCA has already (January 2020) revamped and re-released its ‘Financial Crime Guide’ to firms which is a clear indication of its intent to protect the integrity of the markets it is responsible for. In 2019, we saw the biggest scandals and biggest fines in history so we must be vigilant this year, arguably more so than ever before.
That being said, firms should see this as an opportunity to conduct a deep dive review of current AML/CTF frameworks and look to show off good practices to the regulator or, indeed, enhance and optimise where necessary. 5MLD is the perfect excuse to take stock of where we are internally and create a vision for where we want to be. If that divide is too great, then it's time to invest some thought and effort into systems and controls.”
“For ‘crypto businesses’ finding themselves under the scope of the money laundering directive for the first time, it should not be a blind leap into the unknown. There are reams of examples out there of what to do (and what not to do) when it comes to demonstrating compliance. The big challenge is a shift in mindset from being a technology focused sector to a supervised market, bearing in mind the FCA itself is still learning about managing financial crime risk in virtual currencies. My recommendation is to ensure we have the right people with the right experience tasked with building AML/CTF controls, which may be a blend of ‘old-school’ compliance and ‘new age’ technology, if there is such a thing.”
“It is less about doing things right and more about doing the right thing.”
“Finally, we can be certain that regulators will be looking more closely at culture and governance and, more specifically, how senior management builds fincrime prevention into the core of the business.”
4. Cyber security
“With the recent data breaches in the media, operational resilience has never been more important. Financial services companies face many risks, including ransomware and banking trojans. The requirement to prove compliance, however basic … is not enough.
The FCA has said that 17% of the incidents which firms reported to them were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services. It is imperative that minimum supplier requirements are implemented in relation to outsourcing to IT and cloud providers.
Relying on developing an effective technical control environment alone may not deliver the best results. It needs to be accompanied by positive steps to increase staff awareness and understanding, such as providing training and engaging with high-risk personnel.
If I was the regulator, I would focus on employing technical cyber security people as I believe the focus will move from “tell me about how you’re solving X” to “show me how you’re solving X” in the year ahead.”
“The overwhelming risk of a major failure in a firm’s operational resilience is the reputational risk and loss of client trust. Although regulatory penalties are a deterrent, it is the brand damage and public censure that prove to be the real risks. As forward thinking and as positive as initiatives such as open banking are, they are reliant on trust.
My experience with highly public regulatory issues such as Travelex is that the regulatory response is to invest more resources in supervising and using tools such as public censure to reinforce the importance e.g. LCF.
Cyber security is clearly a significant area of focus for the FCA and it is central to their goals of competition, innovation and market integrity. We will see greater scrutiny ‘at the gate’ through tougher obligations at authorisation but also through public censure because this is an effective tool to promote compliance. They may also use other tools such as attestations to promote more external and internal audit – as seen with safeguarding last year.”
“Yes – Brexit! Still top of the regulatory agenda for financial services firms. The withdrawal on 31 January 2020 has moved the UK onto the next phase, the trade negotiations. The removal of the ‘not leaving’ option from the table now forces minds on contingency planning which many firms may have already addressed. The impact of Brexit will not be quantified until greater clarity is provided on the future trading relationship status. If the UK loses its single market access, such as the WTO arrangement, then authorisation to access the EEA market will be required and this will have cost implications for firms.
“The FCA and the PRA remain focused on mitigating the impact of the withdrawal but at international engagement. To quote Charles Randall, ‘We are redoubling international engagement to ensure UK influences global standards and remains a key financial centre.’”
“Brexit uncertainty continues. One thing marked for change is that payment and e-money institutions will be able to use OECD banks for safeguarding, rather than just EEA credit institutions, once the transition period is over. Deviating too far from EU legislation will be difficult for firms that also have an EEA authorised entity but there is scope for making changes, the benefit of which may outbalance the inconvenience.”
“The two changes that are high up our list are to:
- change insolvency legislation so that one payment or e-money institution can safeguard for the underlying payment service user when there is a chain of payment service providers; and
- extend the FSCS cover to the customer funds held by payment and e-money institutions as a backstop to protect consumers.”
As we continue moving into the new decade, we see a shift from the reform of regulations to one of practical supervisory focus. Firms need to be prepared to respond to this change in focus and the practical implications that will affect them as a result.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.