It’s a busy, demanding and unpredictable year ahead in the world of financial services regulation.
Happy New Year!
Now, buckle up because 2018 is likely to be a regulatory minefield. New technologies, new rules and a fresh landscape all have the potential to create enormous problems. Some companies are better set up than others.
Fear and uncertainty
If I had produced this blog a year ago, one of the main themes I’d have been discussing would have been ‘uncertainty’. The landscape was moving quickly and it wasn’t clear what form regulatory changes would take. Brexit was up in the air with few key issues decided.
Unfortunately, I could also say the same thing today.
Brexit may have limped beyond the first phase of talks, but now comes the complicated stuff. Trade will not be discussed until March, which means key issues will remain unresolved, such as the free movement of people, what access firms will have to European markets, and whether there will be a transitional period. All these ideas have been suggested, but nothing firm has, as yet, been decided.
Financial services firms, which rely on their access to European markets and the free movement of talent across borders, will have to consider what action they take. Many will spend 2018 taking action to ensure they have a presence within the European Union. Doing this will raise logistical and regulatory challenges both for firms and European regulators. The ECB will want to ensure regulatory consistency for those firms which are moving and, as with many aspects of 2018, they may undergo a learning curve. Expectations of regulators may well evolve over time, which means firms will have to be taking remedial measures on an ongoing basis throughout 2018 and even beyond.
A busy regulatory calendar
The first half of 2018 will be a hectic time for new regulations, which can have a transformative impact on many different industries. Firms are struggling to cope with not one, but several major pieces of regulatory reform. First up is MiFID II, followed by Europe’s General Data Protection Regulation (GDPR). They are two of the most significant regulatory changes ever to hit the financial sector.
MiFID II (The Markets in Financial Services Directive) was brought in to ensure that the mistakes which led to the economic crash in 2008 could not be repeated. It covers everything from where derivatives are traded to how companies manage risk and offer transparency. Importantly, in this digital age, all communications with clients relating to a deal must be recorded and stored. This includes, where it is reasonable to do so, all telephone conversations.
It’s a big job. Firms will have to manage the storage and retrieval of relevant data as well as connected devices used to make such deals. For example, many cloud apps do not offer the level of storage and retrieval firms will require.
GDPR will also create enormous headaches for managers. It gives individuals greater control over the data that companies hold about them. We all have the right to be forgotten, which means a firm will have to be able to quickly access and – if requested – delete any information it holds.
It also raises the stakes for compliance. Failure to abide by the new regulations could see firms being fined up to €20 million or 4% of global turnover – whichever figure is higher. Penalties could represent a serious risk to the financial health of an organisation.
In a world in which businesses of all sizes, and in all walks of life, are handling vastly increased levels of personal data, demonstrating compliance will become tougher than ever.
Add to these two other measures such as PRIIPs, the Insurance Distribution Directive and more, and you have an incredibly busy schedule. Firms will find themselves liable to some or all of these measures, and ensuring compliance will become an enormous headache for compliance teams, as well as a financial burden.
Technology which can lighten that burden will continue to gain value. The so-called RegTech sector has enormous potential and is set to grow further in 2018. These systems can use new and existing data to automate processes and deliver new insights and greater transparency. They lighten the administrative burden of compliance and reduce the risk of falling foul of the regulator. For example, systems can provide aggregated global risk and compliance data, information on enforcement or developments in the regulatory landscape.
RegTech solutions like Enforcd help compliance officers stay on trend and maintain a keen eye on enforcement actions. With features such as real-time e-learning, audit trails of activity for internal and external use, and reading lists that can be shared across organisations, companies can easily provide evidence to their regulators that they are learning from past mistakes.
The sector has been developing for some time now, but new regulations will make RegTech a necessity. Businesses have often stored call data, but with customers now being given the right to view and, in some cases, delete this data, many will need technological innovation if they are to offer this capacity.
Equally, the slew of new regulations will create confusion, with some contradicting one another. For example, MiFID II requires companies to maintain a record of customer communications for five years. GDPR, meanwhile, gives people the right to be forgotten and to demand that their data is deleted. How is it possible to reconcile both measures? Technology will play a role in untangling contradictions such as these.
As financial services embrace new technologies, there is the risk of some consumers being left behind. A good example is the closure of bank branches. Having previously promised never to leave a community without a branch, the Royal Bank of Scotland closed more than 250 branches and axed 680 jobs. Other banks are doing the same as they pivot towards online banking. It’s great for most consumers who regularly use the internet and rarely visit their branch. However, it excludes some who may not own a computer or may live in remote areas.
The regulatory approach has often been to focus on the so-called average consumer, but regulators now recognise that technology leaves some vulnerable. They will focus resources on groups at risk of coming to harm and on what categorises an individual as vulnerable. That definition is much more dynamic. It doesn’t just mean income, but can include lifestyle, health, recent life events and much more.
As financial services become even greater users of data, they are becoming targets of an increasingly sophisticated army of cyber criminals. These are more than geeks with a criminal bent. They are well-funded, technologically advanced, and in some cases funded by the Government. Earlier this month hackers for the Israeli Government broke into the antivirus giant Kaspersky only to find Russian agents were already there.
Financial institutions are ripe for attack and, even though they should have some of the most sophisticated defences in the world, it is impossible to be totally secure, as Equifax found out when criminals hacked into its database. Regulators are adapting their approach to take account of cyber risk. EIOPA, for example, has increased its focus on cyber risk and the FCA has produced guidelines on best practice for cyber security.