Friday, March 29, 2024

EXCLUSIVE: “Prepare for scrutiny” – Alison Donnelly, Will Finn, Phil Creed and Azariah Nukajam, fscom in ‘The Fintech Magazine’

fscom’s recent Regulatory Outlook 2023 event covered a wide range of issues impacting financial services companies in the UK and the regulator’s evolving approach

Regulation and compliance are always high on the agenda of financial services companies, but perhaps never more so than in 2023 as the gaze of regulators increasingly turns upon them.

In this roundtable discussion, senior executives from governance, risk and compliance firm fscom – Alison Donnelly, Will Finn, Phil Creed and Azariah Nukajam – consider the impact of new rules coming over the horizon, the UK Financial Conduct Authority’s appetite for intervention, compliance challenges, and how financial services ensure they are fit for purpose.

CONSUMER DUTY LAW

One of the key changes to the way financial services operate from this year is the UK’s new Consumer Duty law, which comes into force on July 23. It sets out higher and clearer standards of consumer protection, compelling firms to act with an increasing customer focus.

Alison Donnelly: “It has a broad reach, an imminent deadline, and the cost and complexity of implementation is going to present difficulties.

“There are firms that I speak to that are business-to-business, and they think Consumer Duty doesn’t apply to them. We have to question that, because the definition includes microenterprises and small charities – they might well be brought in scope. And, of course, many payment services firms who are B2B provide payment services to other payment service providers, which means that they may well have a material influence on the outcome for the retail customer. So you can’t be complacent.

“Every payment services firm has customers at its heart, of course, but for new ones like payment and e-money institutions, that haven’t had to document and evidence like this before.

“Firms should be thinking about the end-to-end consumer journey: the way in which they communicate with consumers, the way they identify the needs of their target market. I think that is at the forefront of what the FCA is trying to achieve.”

Will Finn: “I think it’s fair to say that the customer has not always been the focus of business continuity arrangements. Typically, firms are looking at revenue loss or reputational damage. By placing the customer front and centre, it requires firms to look at their arrangements through a new lens, and to ask ‘if these services were to be unavailable, or degraded in some way, how might that harm our customers? And what steps could we take to minimise that harm?’. So it’s a new ask of them.”

“The FCA had such a light touch previously, that anything more will feel like a big uptick”

Alison Donnelly

Azariah Nukajam: “Under the regime, there is now an ongoing obligation for in-scope firms to undertake annual board assessments of their own compliance with the Consumer Duty rules, and to be able to document clearly how they have achieved good outcomes for their customers.

“The Financial Conduct Authority (FCA) can request their board assessments as part of its review of firm compliance, and say ‘you aren’t reaching good outcomes, you have not been able to demonstrate it, and we are going to investigate’.

“It will be easier under the regime for the FCA to look at governance around Consumer Duty, and I don’t see them backing down, in terms of their approach.”

OPERATIONAL RESILIENCE

In its December 2022 Financial Stability Report, the Bank of England’s Financial Policy Committee identified non-bank finance as an area of acute risk. It will be looking at the resilience of non-bank financial institutions to shocks and ways to improve their stress testing this year.

Meanwhile, payments firms in the UK are already bedding in new rules to improve their operational resilience. They came into force in March last year and companies have until March 2025 to implement them.

Will Finn: “Operational resilience is at the forefront of everyone’s mind this year. The expectation is that firms are well on their way to building their testing capabilities. What’s interesting is how prescriptive the regulator is being in order to drive change and maturity. It’s not allowing firms to define their own criteria; it’s saying ‘you must do scenario testing. It must be severe scenarios’.

“A lot of firms may not have done that previously. Business continuity arrangements will perhaps have involved some form of testing, but the regulator is requiring scenario testing, which is a step change in sophistication for many firms. Whether that’s proportionate to where a firm is right now, whether it’s undertaken as a tabletop exercise, whether it involves some form of simulation testing, etc, there are options out there.

“The customer has not always been the focus of business continuity arrangements. By placing the customer front and centre, it requires firms to look at their arrangements through a new lens”

Will Finn

“Firms should recognise that they may well have many of the elements of operational resilience in place. They will have technical testing regimes, business continuity plans and incident response mechanisms. So, bring them together and find the gaps between them, so that you can use those to respond to these new requirements. Don’t reinvent the wheel.

“And plan your audit and testing regimes for the next few years now, so that when 2025 rolls around, you will have met that requirement and can say ‘we have tested, we have retested, we have developed these organisational capabilities, we can evidence that we have done what is required of us’.”

THE REGULATORY APPROACH

The Consumer Duty law and the drive for operational resilience among fintechs and paytechs are two examples of the increasingly interventionist stance taken by the FCA. What’s behind it?

Alison Donnelly: “There were some big failures, and there were things that the FCA had to get involved in, which required a lot of supervision – more than they had anticipated. So I think there’s an element of that. And, certainly, the FCA had such a light touch previously, that anything more will feel like a big uptick.

“The fintech sector’s been regulated for 10 years, a bit more for e-money and payment services, but there was tolerance, at the beginning. I think that has now gone.”

Will Finn says, from a cyber risk perspective, the FCA’s more interventionist stance follows a rise in major cyber security scares. He cites two examples of this: firstly, the shutting down of two major datacentres, one Oracle and one Microsoft, at the height of the heatwave last July, because their cooling systems weren’t able to regulate the temperatures of the servers; and secondly, the war in Ukraine impacting companies, which were forced to relocate their outsourced services in Ukraine elsewhere following Russia’s invasion.

Will Finn: “There’s been an absolute recognition over the past couple of years that things that would’ve been called black swan events aren’t black swans.

“Firms are probably quite pleased with the way they responded to the COVID pandemic. Most managed to work remotely quite quickly and they took that as good evidence of their business continuity preparedness. And it absolutely was, at the time. But I think regulators are recognising that what was unlikely, four years ago, may no longer be unlikely.”

THE CYBERSECURITY THREAT

Cyberattack made it on to the World Economic Forum’s top 10 global threats and was a hot topic of discussion at Davos this year. So, what should firms be doing about their own cybersecurity in 2023?

Will Finn: “The regulators have been clear in what they expect. It starts at the top of the organisation: you must have your governance in place and must support your risk assessment. Identify the risk, make it specific to your business, assess it, ensure that the controls you have in place mitigate it – physical controls in your offices all the way through to your malware controls on your network, infrastructure and systems. You need to repeat that process very frequently; you must audit and test your controls.

“Cryptocurrency companies have been wanting greater regulation for years”

Phil Creed

“The challenge for firms is to mature and evolve this in a constant improvement lifecycle. And that’s very much a culture change, similar to what’s now required in operational resilience. Firms are being encouraged to become learning organisations, so they’re not scared of risk, because we absolutely know we have the structures in place to find vulnerabilities, to fix them, and then to repeat that cycle.

“Many compliance people perhaps are nervous around IT, and I think the IT fraternity are guilty of giving the impression that ‘what we do is really complicated, and you can’t understand it’.

“As consultants, we can bridge that gap. We can help the compliance guys explain what they require to the IT guys, so the IT guys go, ‘oh, it’s not just another overhead – you want to know more about these controls. We already have these controls monitoring data’. Bringing two viewpoints together is where there’s real value.”

FINANCIAL CRIME

Another challenge for payment firms, amid a steep rise in financial crime, is increased ‘scrutiny at the gateway’, as Phil Creed puts it.

Phil Creed: “Regulators are making it more difficult to get authorised. The authorisation rate for Q4 2022 was 12 per cent, which is a far cry from what it used to be, five to 10 years ago. We’re also seeing a lot more proactive communication such as ‘Dear CEO’ letters and more Skilled Person Reviews. This is not just when a firm is in some sort of distress; we have seen Skilled Person Reviews being used as a proactive tool by the FCA, to understand better the high-risk companies in its portfolio.

“This could be considered unreasonable due to the burden these reviews put on a firm. However, it is the direction of travel of a more proactive regulation, and something that financial services need to be aware of.”

WHAT TO DO ABOUT CRYPTO?

Following a crypto winter and the high-profile collapse of FTX, the industry is heading for a regulatory clampdown. But is it focussed on the right area?

Phil Creed: “Cryptocurrency companies have been wanting greater regulation for years. However, the regulatory narrative for crypto seems to be focussed around financial crime rather than wider areas of compliance, such as, for example, client asset management.

“When you look at the high-profile collapse of FTX or Celsius in 2022, financial crime had very little to do with it; rather, it was financial mismanagement.

“What the industry needs is the Markets in Crypto Assets regulation (MiCA, which is expected to be introduced in 2024). Even this week, I had a client ask me: ‘We want to do the right thing – how should we be managing our crypto assets?’ And there’s no guidance, worldwide. So all firms are operating differently, and that’s not helpful, because this lack of guidance and oversight allows for bad actors and fraudsters.

“One piece of advice I’d give firms is to take a more measured approach to their workforce over hiring and subsequent redundancies. Over the last two years, as cryptocurrency went up in price, firms went on a hiring spree and over-hired a lot; then the crypto winter happened, and they made 20 per cent, 40 per cent or more of their workforce redundant.

“To manage these peaks and troughs in your business, you need to build some sort of redundancy in your workforce – for example, by using the support of a firm such as fscom to provide suitably qualified personnel as and when you need short-term assistance.

“There will be an increased obligation on firms that make claims around the sustainability or impact of their products, to evidence that they do what they say they are going to do”

Azariah Nukajam

“Where we have seen issues occur is when we have been involved in Skilled Persons Reviews. On a number of occasions it was as a consequence of the business doing very well or the market doing very well, which increased customer numbers and trading volume. This also increased the volume of compliance activity in onboarding, TM, and SARs reviews. Most firms are not set up to deal with these spikes in activity.”

Azariah Nukajam: “What we can see across a variety of regulators around the globe is increasing concern around the safeguarding of client assets, and, by extension, a need for intervention around consumer protection.

“If we assume that we are trending towards an increasingly regulated crypto environment, some of the things that existing crypto firms should start to think about is how they safeguard the assets of their investors and how they ensure that their internal systems and controls prevent co-mingling of firm and client funds.”

SUSTAINABLE? PROVE IT!

Azariah Nukajam says the FCA will increase its focus around the E in ESG.

Azariah Nukajam: “For payments firms specifically, whilst environmental considerations and social considerations aren’t mandatory at this time, we will see the FCA increase its focus around governance.

“It issued an ESG priorities paper, a year ago, in which it said firms that consider ESG within their broader governance framework need to be able to embed certain practices and measures that demonstrate they understand what they mean when they say they’re an ESG-focussed firm.

“And the way in which the FCA will look at this element is through firms being able to demonstrate good corporate governance, and being able to identify senior management or executive management who can hold themselves directly accountable for the claims that the business makes about ESG, and how it embeds certain practices.

“So, my perspective is that we will see a lot more payments firms step back and reassess the appropriateness of their existing governance framework to be able to manage and implement ESG strategy.”

ESG requirements around greenwashing will likely become mandatory, she says.

“We are already seeing that in the investment sector. And the FCA has indicated that it’s being proactive in investigating firms that hold themselves out as having a sustainable impact on the environment. There will be an increased obligation on firms that make claims around the sustainability or the impact of their products, to be able to evidence that they do what they say they are going to do.

“Two things the FCA commented on last year around ESG were consumer protection and consumer trust. It said that when firms that maintain an ESG angle or offering do so without meaningful evidence or tangible benefits to the end users, they create an increasing lack of trust in the financial services sector as a whole.

“The problem is that firms have an idea of what ESG means, but in terms of having a standardised approach and clear metrics by which they define their own success at implementing ESG, there’s a gap. And I don’t think ESG will be seen as real and tangible, until we have better developed and enhanced rules around how we identify ESG and how we measure it.”

The fscom Team
Alison Donnelly: Payments regulation specialist and a Director at fscom
Will Finn: Senior Manager in the cyber (Tech Risk) practice
Phil Creed: Director of Financial Crime
Azariah Nukajam: Head of Investments and Associate Director at fscom

This article was published in The Fintech Magazine Issue 27, Page 44-46