Forward-thinking firms will pay attention to these critical risk areas in the coming year.
Strong, well-resourced, business-specific risk and control infrastructures have always been a required core competency for financial services firms, but 2018 is set to test the resilience and strategic approach of all firms with the added challenge of greater personal accountability for senior individuals. While the detailed risks run by firms are, by their nature, firm-specific and unique, there are a series of high-level risks applicable to all financial services firms irrespective of geography or sector.
All things cyber – whether risk, attack, crime or resilience – are never far from the headlines with companies around the world vulnerable to attack in the online world. In terms of cyber resilience, cyber risk, cyber crime as well as headline-grabbing cyber attacks, it is clear that the universally expected good customer outcomes will be under threat should cyber resilience fail. What had previously often been seen as simply an IT issue has become an important issue for senior managers around the world, with the UK Financial Conduct Authority stating its goal, in common with many other financial services regulators, to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”.
Senior managers need to ensure cyber risks are effectively identified, managed, mitigated, monitored and reported on within their firm’s corporate governance framework. For some, cyber risk may be well outside their comfort zone but it does need to be considered, and there is wide-spread evidence that simple steps, done consistently well, can go a long way toward protecting a firm and its customers.
Incentives and remuneration
The risk and reward incentives associated with remuneration and compensation are once again in the spotlight. In June 2017, the Financial Stability Board published a consultation updating its principles and standards for sound compensation practices, which had been one of its first policy priorities in 2009 in the immediate wake of the financial crisis. Compensation tools, along with other measures, are seen as having the potential to play an important role in addressing persistent misconduct risk by providing both ex ante incentives for good conduct and ex post adjustment mechanisms that ensure appropriate accountability when misconduct occurs.
Firms would be well-advised to review their approach to remuneration and any possible links to misconduct.
If nothing else, there is a crystal-clear reminder that the accountability for misconduct “lies first with the board of directors”. Firms must not and cannot simply push the management of misconduct and the associated governance and compensation expectations down and away from the board table.
There has been an increasing focus worldwide on the needs of vulnerable customers, and financial services firms’ approach to them. Vulnerability can come in many forms. Retail customers in general may be seen to be vulnerable when being sold or dealing with particularly complex or sophisticated products. Binary options, which are seen as high-risk products, are a particular case in point, and retail sales have been banned or severely curtailed in numerous jurisdictions.
Senior managers should prepare for greater regulatory interest in their firm’s strategic approach to potentially vulnerable customers, both from a product suitability and an older customer perspective.
Implementation and embedding of regulatory change
With much change set for 2018, there has been a huge focus on the updates needed to processes, systems and controls; however, that is not the end of the story. As the post-Markets in Financial Instruments Directive I (MiFID I) experience shows, there needs to be just as much focus on checking that the updates and changes made have been implemented, embedded and, tested.
A particular example is transaction reporting. After MiFID I, the concept of transaction reporting was well-established, but the UK Financial Conduct Authority continued to see some firms submitting transaction reports containing poor-quality data. In one snapshot the most common fault was the late submission of the required reporting.
All firms should be aware they are on notice not to repeat the widespread and apparently persistent transaction reporting failings seen in the past. As illustrated by recent enforcement actions, not only are any fines and remedial actions likely to be more severe but there is also the specter of greater personal liability.
The pace of technological change in financial services has been described as an inflection point. There are extensive potential benefits from the successful deployment and use of technology with improved efficiency and productivity, together with greater commercial opportunities at the top of the pile.
The balancing of commercial and compliance needs is perhaps at the heart of the technology risk issue. Without sufficient appropriate investment in technology and associated skills, firms will lack the infrastructure to enable them to thrive into the medium term, but the potential millstone of legacy systems needs to be tackled to ensure firms are able to reap the benefits of all aspects of technological innovation.
A version of this post originally appeared on Thomson Reuters Regulatory Intelligence.