The Risk and Reg Edit: Spring 2024 edition


By Anna Seligman, Susanne Gildberg, Lennart Schou Jensen, Adam Stringer, Sundeep Gupta, Caroline Wayman, Mary-Anne Ledger, James Berry, Ridhima Bhasin, Rachita Oberoi

The beginning of 2024 has brought some respite from inflation and volatility, but political uncertainty persists, and the economic outlook remains unpredictable. Meanwhile, digitisation, AI, fraud and cyber threats continue to accelerate, and regulators are tightening standards in conduct, technology, operational resilience, and sustainability.

Risk, compliance and financial crime teams across financial services continue to play a key role in keeping firms safe, secure and resilient. This update provides risk and regulatory leaders with a briefing on fast-moving risk themes to stay ahead of in the coming months.

The new corporate governance code: Changes and implications

Culture and behaviour are integral to good risk and regulatory management. Although the UK Corporate Governance Code (the Code) already expects firms to assess and monitor organisational culture, changes to the Code published in January 2024 now require companies to demonstrate how culture has been effectively embedded. The Code is principles-based, allowing for flexibility but requiring firms to explain any departures from it – the FCA understands that a prescribed ‘one size fits all’ approach to diversity and inclusion is unlikely to be effective.

The amendments to the Code combine changes to the annual reporting process, through which Boards indirectly demand improvements in risk management, with changes to internal control frameworks for culture and behaviour. The key changes to note are as follows:

1. Board leadership and company purpose

Boards must demonstrate how their desired culture has been embedded. For Chief People Officers (CPOs), defining and obtaining credible data to meet this goal poses a challenge.

2. Composition, succession, and evaluation

Boards need to be proactive in promoting diversity, inclusion, and equal opportunity. A key challenge for CPOs will be to build a diverse pipeline of talent for promotion to board and other senior roles. In addition to this, the Financial Reporting Council (FRC) is looking to go beyond policy and support diversity and inclusion practices. Chief Risk Officers (CROs) and CPOs will need to work together to encourage these practices across the organisation.

3. Remuneration

Contracts with senior employees now need to include provisions for malus and clawback. CPOs need to establish suitable decision-making processes and communication plans, as well as update employee contracts and rewards as appropriate.

4. Audit and internal controls

Rewarding positive behaviours and embedding the desired culture are enablers of an effective risk management and internal control framework, encouraging CROs and CPOs to work hand in hand.

There is a need to focus on the individual, not just the culture defined by the Board. CPOs and CROs need to work together to establish clear links between purpose, values and strategy. This includes risk strategy and the behaviours that underpin risk management and internal controls.

A need for strengthened support for vulnerable customers

Almost 50 percent of adults in the UK will be considered to have a vulnerability at some point in their lives. Yet identifying and responding to vulnerability is still a developing capability for many financial services firms. This is a growing focus for the Financial Conduct Authority (FCA), which is carrying out a post-implementation review of its 2021 guidance on the treatment of vulnerable customers. The review is taking place in light of the expectations created by the Consumer Duty, and more recent final rules on the treatment of borrowers in financial difficulty.

Findings released by the FCA in 2023 suggest that some institutions’ processes need updating to reflect growing customer vulnerability and heightened regulatory expectations. Key areas of weakness include narrow or one-off assessments of vulnerability; poor data sharing between business units and distribution partners; and insufficiently tailored customer support.

In response, firms should identify their vision for the treatment of vulnerable customers and use inclusive design to make this a reality. That might include reviewing existing capabilities, designing a target operating model, reviewing customer journeys, aligning policies with regulatory expectations, and reviewing frameworks for governance, communications, and testing.

Fulfilling the Consumer Duty when supporting the vulnerable will not only help those customers experiencing vulnerability, but will also improve customer outcomes across the board, helping firms to step up their levels of customer centricity.

Striking the balance between AI innovation and risk

There are few precedents for the speed with which a technology as groundbreaking as Generative AI has become available to so many users. Financial services firms are under pressure to strike the right balance between innovation and managing the risks of AI. Experimentation must not be swamped by risk aversion, but firms also need to avoid pursuing too many, or too risky, projects.

AI implementation in first-line teams is not always backed up by an enterprise-wide understanding of how AI is being developed – or of the potential risks it poses. Institutions often lack effective oversight of AI risks, ranging from narrow, technical issues of AI itself (e.g. model drift, third-party management or ethical risks) to broader conduct, data management, security and cyber risks.

Firms should aim to develop a holistic, integrated framework for AI development. This needs to provide a cross-cutting view, bridging traditional siloes and establishing a consistent, integrated vision across front-line business units and key support functions like risk, data, or legal.

Clear oversight of the whole lifecycle of each AI model or use case will ensure that all functions are clear on their roles and on when – and with what resources – they should get involved to optimise AI development as part of their journey to the intelligent enterprise.

Sanctions under the spotlight

Sanctions are under an ever-increasing level of scrutiny by regulators. Ensuring that financial institutions are effective in preventing sanctions breaches is a key priority in the FCA’s business plan for 2024/2025.

However, the FCA's 2023 review of more than 90 firms’ controls identified screening tools as one of the industry’s key weaknesses. Effective screening is at the heart of high-quality risk management, but firms often struggle to optimise their screening parameters in a way that maximises true positives while minimising false positives.

Systematic, accurate calibration is crucial to high-quality sanctions screening. Taking a risk-based approach is key, especially for larger firms, since effective targeting is critical to minimising sanctions evasion at an affordable cost. Firms should also note the FCA’s concerns about over-reliance on vendor-provided screening; they must ensure appropriate control and oversight are in place.

PA’s SanctionsIQ is a solution that banks can use to boost efficiency and efficacy. It uses the power of machine learning algorithms to optimise screening configurations, validate calibration, and provide actionable insights on how to adapt screening models to a changing sanctions risk landscape.

Motor finance in focus

In January 2024, the FCA announced a review of historical motor finance commission arrangements. This intervention came as the Financial Ombudsman published two Ombudsman decisions relating to Discretionary Commission Arrangements (DCAs). There has also been ongoing activity in the County Courts, with the legal principles that apply to DCAs being tested in a range of cases.

The FCA is currently undertaking work to understand where the use of DCAs by lenders may have led to consumer harm, based on the standards that existed prior to the explicit ban. To do so will require an examination of the prevailing standards at the time and interpretation of what they meant, as well as contemplating what an alternative market might have looked like if the DCA arrangements had not been in place. This last question is the toughest to answer and, in many ways, holds the key to what happens next.

In the meantime, it will be important for lenders and other institutions involved in motor finance to review their governance arrangements and satisfy themselves that they have sufficient understanding and oversight of their ongoing arrangements. The FCA’s expectations include requiring firms to:

  • Establish an effective governance framework
  • Provide evidence that governance arrangements result in good outcomes for customers
  • Maintain internal and external oversight frameworks that ensure compliance with regulatory expectations.

This will also be important as part of the ongoing embedding of the Consumer Duty and preparation for the first annual board review. The FCA has paused the usual time limits for complaint responses and referrals to the Financial Ombudsman Service until September 2024 to prevent disorderly, inconsistent, and inefficient outcomes for customers. Over the summer, the FCA will decide what action to take next – and the extent of any intervention in the market.

A year to go: Operational resilience

UK regulators have been very clear that Operational Resilience is as important as financial resilience. There’s just one year to go for firms to demonstrate they have embedded operational resilience ahead of the March 2025 FCA and Prudential Regulation Authority (PRA) deadlines.

These rules protect the most important services offered to customers and markets, aiming to ensure that customers and markets won’t suffer during periods of disruption. As organisations start to plan for the year ahead, we’ve set out five tips for success:

1. Collaborate

Work with Important Business Service (IBS) owners to make sure they’re equipped with the information and governance they need to protect the services. IBS owners are best placed to help keep the service within tolerance when they’re equipped with the right management information and subject matter expert support.

2. Draw on previous mapping

Use process maps, architecture artefacts, and Business Impact Assessments to refine mapping. Embed mapping as part of change management, helping IBS owners to identify things that could cause disruption.

3. Think beyond operational resilience

Consider the broader regulatory landscape. For example, there should be careful consideration under Consumer Duty when thinking about the impact of service disruption on vulnerable customer groups.

4. Ramp up simulation and testing

Identify vulnerabilities that could impact services. Firms that rehearse their response to severe but plausible scenarios perform better during real incidents.

5. Make sure supply chains aren’t the weakest link

Test the resilience of supply chain controls. Many IBSs rely on services delivered by third parties.

Above all, institutions should ensure their efforts are consistently making a measurable difference to the resilience of the service. Too often, firms do good work in defining their IBSs, mapping them, and setting tolerances, but fail to embed and apply improvements in a way that drives greater resilience.

People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of the above issues in depth with our experts, get in touch now.
