The Risk and Reg Edit: Autumn 2023 edition

With this in mind, we’ve curated a shortlist of five hot topics for financial firms this autumn. These topics span a range of risks and regulations, but they’re connected by the vital importance of maintaining and building trust in financial institutions. Our authors look forward to hearing from you.

Consumer Duty: Reality bites

The Consumer Duty has been in force since the end of July. Regulated firms have much to do if they are to back up their customer-centric intentions with proof of positive customer outcomes. Regulators face a learning curve too, as they get to grips with how to verify compliance.

It’s simple: doing right by customers is the best way to ensure compliance with the new Duty. The real challenge lies in understanding how institutions can know, and show, that they are meeting its requirements. Specifically, firms need to be able to demonstrate:

• That customers are getting good outcomes
• How any shortcomings will be rectified
• That future business models will meet this standard.

The clock is ticking; by July 2024, boards will need to attest that they are satisfied their organisations are delivering good outcomes. Leaders should ask themselves: Can we answer those questions? If not, what steps do we need to take?

Access to banking: What’s the real issue?

The ‘debanking’ of high-profile individuals has generated a lot of media heat, although the FCA’s initial review found no evidence of political views leading to account closures. Even so, further work is planned to ensure that banks and payment companies are not unfairly denying access to their services.

This poses a broader, related question about access to products and services for the wider public and, in particular, for vulnerable customers. The FCA is aiming to safeguard access to basic banking services, especially for disadvantaged groups such as refugees, the homeless and those in financial distress. There are also growing questions over fair access to SME banking, particularly for businesses with founders from minority groups.

Banks should note those concerns, taking the opportunity to learn from the FCA’s findings – and its ongoing work to examine these issues – to ensure they are meeting both the letter and the spirit of regulations. Sometimes one issue can help to shed light on a bigger problem.

Sanctions: Staying ahead of the curve

Sanctions can be an attractive policy tool for governments. They not only have the ability to target specific companies or individuals; they also allow enforcement to be delegated to banks and other financial institutions.

In response to a surge of sanctions since Russia’s invasion of Ukraine, the FCA has reviewed more than 90 financial institutions’ enforcement controls. This has included a sprint test based on a synthetic data set, allowing regulators to check firms’ responses against an ‘answer sheet’. The FCA identified five thematic weaknesses covering governance, skills, screening tools, KYC checks, and the reporting of breaches.

To address the FCA’s concerns and avoid a sanctions backlog, firms should act now to identify shortcomings, enhance controls, assure they are working effectively in practice, and make the investment needed to bring their first, second and third lines of defence up to the required standard.

Tackling APP fraud

The UK’s Payments System Regulator is putting the finishing touches to the Authorised Push Payment (APP) fraud rules entering force in 2024. Mandatory customer reimbursement requirements will step up the pressure on retail banks and payment providers to tackle this growing area of financial crime.

APP fraud is a particular challenge for firms because, by manipulating victims into initiating payments, it allows criminals to circumvent existing controls. The fraudulent activity occurs outside banks’ infrastructure, so there are few anomalies to detect. Furthermore, when contacted, customers verify the activity since they mistakenly believe in its legitimacy.

There isn’t a simple response to this threat. The solution lies in a combination of measures, which include recruiting customers into lines of defence. Multiple tactics need to be deployed in a coordinated approach. Three key elements include:

• Profiling sending accounts’ specific risks and vulnerabilities, coupled with dynamic messaging to trigger the desired customer response.
• Profiling receiving accounts, leveraging data-sharing initiatives to target mules.
• Strengthening and accelerating trend analysis of specific scam types, together with effective tagging and customer warnings.

Operational resilience: No longer a ‘Nice to have’

Operational resilience continues to be a major priority for the FCA, PRA, and Bank of England. By 31 March 2025 at the latest, regulated firms and financial market infrastructures need to meet a series of regulatory requirements aimed at ensuring the continuity of their operations in the face of external shocks.

That date is not as distant as it seems. The need for scenario exercises to identify vulnerabilities, and the likelihood that 2024 will be needed for remedial work, means that firms that haven’t started resilience testing are already running late.

Furthermore, the PRA’s SS2/21 sets out stringent requirements for firms’ ability to rapidly switch between third-party service providers. Firms must be ready to demonstrate they can manage stressed exits and their associated back up processes, data retrieval, and readiness testing.

Operational resilience continues to be a matter for boards and the C-suite, with regulators increasing their focus on senior managers’ ability to learn from the experiences of others. Clear leadership and strong governance on this issue should be a critical priority – if it isn’t already.

People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of the below issues in depth with our experts, get in touch now.