Our recent post highlighted the wide variety of risks that businesses must contend with this year, and the first quarter of 2022 will deliver a host of specific challenges for the UK’s financial services market. Spurred by the rapidly changing environment in which markets are operating, UK regulators’ strategic goals reflect these economic, technological and social changes.
This is clearly reflected in, for example, the Financial Conduct Authority’s (FCA) and Prudential Regulation Authority’s (PRA) 2021/22 business plans, the Information Commissioner’s Office’s (ICO) strategies, and the Payment Systems Regulator’s (PSR) strategy for the coming year. Regulatory readiness will be pivotal to firms’ success, elevating the importance of proactively identifying, monitoring and managing risks before they materialise, rather than remedying the resultant detriment to the customer or the market after the fact.
The rapidly evolving landscape is leading to critical exposures across multiple distinct areas, including supplier risk management, cybersecurity, and fraud and financial crime. These all lead back to the likelihood of increased scrutiny in four key areas.
Consumer protection and improving consumer confidence and outcomes
The FCA’s latest business plan sets out its ambition to be a more proactive, forward-looking regulator, one that is more assertive in its pursuit of greater protection for consumers, and indeed fair outcomes. Among its priorities are ensuring that vulnerable consumers do not take on unaffordable debt and that consumer credit markets are responding appropriately to the increased demand for credit products.
To that end, the Treasury’s recently concluded consultation on Buy Now Pay Later (BNPL) products is significant. Businesses that defer payments have been excluded from consumer credit regulation since it was first introduced nearly 50 years ago. Under new proposals, however, BNPL credit merchants could soon come under the scope of the FCA’s creditworthiness rules (meaning they would have to conduct creditworthiness assessments to ensure consumers don’t take on debts they can’t manage). In addition, the proposals could give consumers access to the Financial Ombudsman Service if they have concerns about the conduct of lenders.
The impact of this potential requirement should not be underestimated. When a similar change in the regulatory environment occurred in the rent-to-own and home-collected credit sub-sectors, it required firms to demonstrate robust procedures and to adapt and strengthen policies, and in some cases led to restrictions on new lending and to remediation costs. In the most extreme cases, it forced firms to cease trading.
In addition to these developments, the increased reliance on digital payments and, in parallel, the changing nature of how payment systems work in practice will also bring into sharper focus the protection of customer data. Organisations will need to be increasingly cognisant of the inherent risks here and how to mitigate them.
Anti-money laundering controls
Another significant incoming development is the extension of the FCA’s annual financial crime reporting obligation.
In an attempt to build a clearer picture of money laundering and other financial crimes across a more diverse range of sectors, the FCA has massively increased the scope of its reporting requirements, with the number of firms required to submit an annual return nearly trebling from around 2,500 to around 7,000. From the end of March, the reporting requirements will extend to all payment institutions (with a few exceptions), e-money institutions, and crypto asset exchange providers. The return comprises 35 questions designed to draw out information about potential financial crime, such as high-risk jurisdictions and customers, sanctions screening systems, and the most prevalent types of fraud.
Resilience and outsourcing
By the end of March, payment institutions and e-money institutions must also be ready to comply with the FCA’s operational resilience regime and the PRA guidelines on outsourcing. The rapid growth of fintech platforms and open banking is also hastening the need for effective governance and oversight of rules surrounding payment systems.
To satisfy the FCA’s requirements, businesses must be able to demonstrate they have identified any vulnerabilities in their operational resilience and mapped and tested impact tolerances for what the FCA describes as “the maximum tolerable disruption”.
The PRA outsourcing guidelines aim to ensure that firms are appropriately mitigating third-party risk which could impact their own operational resilience. The guidelines clarify the PRA’s expectations concerning the need for “proportionate, risk-based, suitable controls for any material and/or high-risk third-party arrangements”, while also making clear that firms should be reviewing all legacy outsourcing agreements (i.e., those agreed before 31 March 2021) by the end of March 2022, or as soon as possible thereafter.
The need to protect, manage and use customer personal data appropriately remains imperative. January’s announcement by the UK Government of the launch of the International Data Transfer Expert Council speaks volumes for the business benefits that can be unlocked by securing cross-jurisdictional data flows, but progress will also rely heavily on building and promoting higher levels of trust in the sharing of personal data, under GDPR enforcement, other privacy regulations and antitrust regulation alike.
Global regulatory landscape
Businesses with international interests will also need to keep one eye on the global regulatory picture.
In the US, the Anti-Money Laundering Act 2020 has introduced tougher penalties for money laundering and new rules that aim to prevent the misuse of shell companies.
In Europe, the EU has in recent weeks progressed two key pieces of legislation concerning digital platforms and services. The Digital Markets Act aims to create a more level playing field for digital companies and stop larger platforms imposing unfair conditions on smaller ones. The Digital Services Act, meanwhile, introduces new rules around targeted advertising and the safety of products sold online. The European Parliament has adopted its position on both acts and is now negotiating with member states.
How should businesses respond?
Good compliance is an entry point for a strong business. If not addressed proportionately, regulatory risk can materially damage consumer trust and shareholder value, and trigger deeper regulatory scrutiny.
Businesses should also recognise the opportunities that strong and forward-looking compliance can bring. In the UK, the FCA’s regulatory sandbox – a mechanism to test products and services in a relaxed regulatory environment – is now accepting applications all year round. Previously, applications were restricted to specific time windows.
More holistically, though, risk management requires a broader range of business perspectives and effective collaboration to be truly effective. For example, the active involvement of Product, Sales, Customer, Finance and Data teams will build a more rounded view of threats, of current or upcoming vulnerabilities, and of opportunities to shape how to safeguard the organisation, consumers and the market. While good risk management clearly requires rigour and discipline, it also requires imagination and creativity to avoid surprises. The ability to manage risks first requires an organisation to be able to identify them, especially new risks.
Diverse business perspectives can maximise foresight – for example, understanding consumer needs and concerns to enable the embedding of risk management into the customer journey – and also present potentially unorthodox yet invaluable ‘at the coalface’ thinking about what might go wrong. Firms dismiss this input at their peril – risk is as much about what you can’t see on the horizon as it is about what you can. Who would have thought a few years ago that central banks would be integral to enforcing climate-related regulation? Fringe pressure moves to the mainstream, and then into the body of regulatory requirements, much faster than you think.
Such cross-disciplinary approaches to risk management will foster a culture of risk awareness and management throughout how the business actually operates, rather than running compliance as a ‘bolt-on’. The best compliance teams want to be involved in enabling opportunities within an organisation’s risk appetite and in a compliant way, but that requires involvement end to end. Only this way will businesses be able to develop greater enterprise-wide agility that can anticipate risks and mobilise for future regulation, rather than simply reacting to it when it arrives.