With the New Year celebrations becoming a distant memory, our conversations with compliance officers are turning to what the top compliance issues for the year ahead are, so we've put together a list of six compliance challenges for 2019 based on what we hear in the City:
# 1 - has to be Brexit!
Now, with the exception of a few politicians, most people are fed up with hearing about Brexit, soft deals, hard deals and no deals. Indeed, a quick Google search shows that the word "Backstop" has never been so well used in the history of the English language. However, unlike others, it's not possible for Compliance Officers simply to tune out of this saga.
With the "meaningful vote" on the PM's Plan A in January being anything but meaningful, the picture is unlikely to get any clearer in the coming days, with new versions of Plan B sprouting by the day and the UK Parliament vying with Her Majesty's Government to wrest control of the process. Anything could happen - from another referendum to a general election, renegotiations or a headlong crash into a no deal!
These multiplying outcomes for Brexit and the little time left leave us in the scary position of not knowing which regulatory/legislative regime we will find ourselves in in just a couple of months, giving us very little time to react in compliance terms.
One has to wonder how much attention is being paid to such a regime when the focus of Parliament appears to be restricted to in-house battles, leadership challenges and votes of no confidence! Indeed, this week, an MP was reporting that there are hundreds of pieces of secondary legislation waiting to be passed through Parliament and a number of bills. However, until the Government is able to confirm what plans need to be in place for Brexit, the legislation has to wait, but with just 72 days until Brexit, one would have hoped that all the necessary legislation was already in place and ready to go.
Recently we have all seen the disruptive impact that drones (or no drones) have had on our airports, and yet, according to Major General Chip Chapman, ex-Head of Counter Terrorism in the UK, while the issues with unregulated drones had been known about for five years, the regulations to control their use have been winding their way through Parliament.
If Brexit has consumed the Government so much that risks like drone use have been parked, one has to ask how many other apparently low-risk regulatory matters have similarly been parked, the consequences of which will also remain unknown until the risk materialises. This leaves companies more vulnerable to regulatory slips than at any other time in recent memory.
# 2 - Vulnerable Customer Management
Moving on from an issue that we in Compliance can do little about - ie Brexit - let's move to a compliance issue that we can and should do more to address: vulnerable customers. Recognition of the need for better safeguards for such customers, and of the urgency of providing them, is growing at a rate of knots. From an Occasional Paper issued by the FCA in February 2015, we have now seen the likes of the Gambling Commission fining firms such as SkyBet, Paddy Power, 888, William Hill, 32Red and the Rank Group for failings in this area.
Coupled with action taken by the FCA in February 2018 - utilising a Serious Crime Prevention Order against an illegal money lender who was targeting the vulnerable, which culminated in a three-and-a-half-year prison sentence for him - we can see that this is a topic to be taken very seriously.
Interestingly and quite importantly, vulnerable customer management is intrinsically linked to a number of other serious compliance topics: fraud, bribery, data protection and AML, for example. One only has to look at the final notices issued alongside the fines mentioned above to see how many times failings in KYC are cited.
Whenever failings in KYC are noted by a regulator, a firm's concern over the levels of compliance for their whole client book automatically rises, even if the firm was not the one to receive the fine or regulatory comment.
KYC remediation is clearly an issue to consider for 2019. KYC skeletons in the closet are bound to come out, perhaps in the UK even more so than ever, with the creation of the National Economic Crime Centre (NECC) and Office for Professional Body AML Supervision (OPBAS) - now what is known by regulators has a very good chance of being known by all.
Inevitably, wherever there is AML regulatory enforcement, there is KYC remediation, and there has been no shortage of enforcement action on a global scale recently. Generally speaking, a regulatory fine against one firm should be taken by all other firms as an industry warning issued by the regulator, so, where action was taken against one firm that resulted in a call for KYC remediation, other firms should seriously consider whether this is something that they should prepare for too.
Outcome testing can be a very useful preventative measure in this regard. If used correctly and proactively, identifying failings for yourself in advance of the regulator, and, in some very proactive cases, even before the customer, can prove a very wise investment. After all, prevention is better than cure.
# 3 - Senior Managers and Certification Regime (SM&CR)
SM&CR! You say - hold on, didn't we have that last year? Well, yes, and the year before and the year before that… this one seems to be caught in a time loop like some regulatory groundhog day. However, in fairness to the Financial Conduct Authority (FCA), it had its work cut out in trying to implement an accountability regime in its sprawling domain, which ranges from individual financial advisers to global financial behemoths.
SM&CR was developed as a result of the 2008 financial crisis and the outcry from the public following their perception of the lack of accountability and punishment of those running and controlling banks and other financial sector firms, while, by way of a ripple effect, the public paid the economic price for the actions of these banking officials and the reckless manner in which they ran their businesses.
The Senior Managers and Certification Regime replaced the Approved Persons Regime for banks, building societies, credit unions and dual-regulated (FCA- and PRA-regulated) investment firms in March 2016.
The Senior Managers and Certification Regime replaced the Senior Insurance Managers Regime (SIMR) and the Revised Approved Persons Regime for insurance firms on 10 December 2018. This included:
- Insurers and reinsurers
- The Society of Lloyd's
- Managing Agents
- UK branches of third-country firms and European Economic Area (EEA) firms
The Senior Managers and Certification Regime will replace the Approved Persons Regime for almost every other FCA-regulated firm - from very small firms and those with limited permissions (including sole traders and limited-permission consumer credit firms) to many of the largest global firms - on 9 December 2019.
There will be three tiers under SM&CR for this sector:
Core: firms in this tier will have to comply with the baseline requirements.
Enhanced: this will apply to a small number of firms whose size, complexity and potential impact on consumers or markets warrant more attention.
Limited: this will apply to firms that already have exemptions under the Approved Persons Regime. These firms will be exempt from some baseline requirements and will typically have fewer senior management functions.
While SM&CR will apply to all firms that are currently subject to the Approved Persons Regime, it is important for firms to establish which tier they belong to. To aid in this discovery, the FCA has published a Guide to SM&CR for solo-regulated firms.
However, it is not just the UK. The growing and rapid changes within the finance sector have seen a notable trend in regulators from multiple jurisdictions focusing on the importance of a firm's culture and conduct, and the accountability of the individuals running these firms.
While the specifics of the regulations may have some jurisdictional nuances, since SM&CR was introduced in the UK, we have seen similar regimes popping up in other countries, such as Australia and Hong Kong, with the aim being the same: to improve accountability by imposing stronger consequences for conduct that is not in line with the standards expected by the regulators, so that they can create a sounder financial market, improve consumer confidence and eradicate consumer detriment at the hands of those in charge of financial institutions.
While the UK has SM&CR, Hong Kong has the Manager In Charge Regime (MICR) and Australia has the Banking Executive Accountability Regime (BEAR). As yet, Singapore has not implemented an official regime, but there is an emerging trend that puts greater emphasis on executive accountability, as well as conduct and culture.
The USA has also responded in a similar way. On 9 September 2015, Deputy Attorney General (DAG) Sally Quillian Yates issued a memorandum titled "Individual Accountability for Corporate Wrongdoing".
While the Yates memo was, in part, a response to criticism about the lack of individual prosecutions in the aftermath of the 2008 crisis, it applied to many industries, including those outside of financial services.
Although the US Department of Justice (DOJ) has long enforced a policy of holding individuals and corporations criminally and civilly liable for corporate misconduct, the "Yates Memo" announced the implementation of more aggressive enforcement policies for corporate and individual prosecution.
So the USA, UK and Asia all now appear to be singing from the same song sheet. How long before the rest of the world follows suit and introduces an SMR of sorts? Undoubtedly, it won't be long before those who are entrusted with running financial institutions and managing the public's money will be held personally accountable, no matter where they work in the world - at least, we should hope so!
# 4 - Whistle Blowing
This leads on nicely from SM&CR, because, in May 2018, the FCA and PRA brought a joint prosecution against the CEO of Barclays Bank, resulting from him failing to act with due skill, care and diligence with regard to the bank's whistle-blowing procedures, following receipt of an anonymous whistle-blowing letter to the bank in June 2016.
Perhaps there are some key messages to be taken away from this enforcement action:
- Individuals will be held accountable. With a personal fine of £642,430 (10% of the CEO's net relevant annual income), it is clear that the regulator will use its powers as and when it deems it necessary, and the fines being imposed for failing to discharge a senior management role effectively are significant.
- However, of note is the fact that the CEO - while found to have not acted with due skill, care and diligence - was not found to be in breach of the requirement to act with integrity. Had he been in breach, it would most likely have led to his dismissal.
- Despite the fine being levied against an individual, when that individual is the CEO, the reputational damage caused by not only the fine but also the fact that it was made against the CEO also brings the firm into disrepute. A firm and its senior management should not underestimate the domino effect of reputational damage, and the dynamic manner in which it will travel around the world. Proven or not proven, innocent or guilty, bad news always makes good press, and the public at large will not necessarily distinguish between the actions of the CEO and those of the firm.
- The bank has not necessarily gone unscathed. The UK regulator has imposed enhanced scrutiny and monitoring of the bank's whistle-blowing systems and controls, which includes annual reporting to the FCA and PRA, and the US regulator (the DFS) fined the bank $15million for the actions of its CEO.
- It would be wrong to tar the whole regulated sector with the same brush, but if an organisation as big and as well run as it should be can still have a CEO who can make such fundamental errors of judgement in relation to whistle blowing, it begs the question of how the rest of the regulated market fares?
- Is whistle blowing treated with such low levels of seriousness that regulated firms can make such obvious errors in applying the controls that should surround it?
- Perhaps a new raft of regulatory attention for all firms in relation to whistle blowing will come from this enforcement action - who knows? However, one thing is for sure: if every other person within SM&CR does not learn from the mistakes of this CEO, the personal fines are only likely to get bigger.
# 5 - Data Protection/Privacy/Cyber Security
No list of areas for attention would be complete without data protection. In the increasingly sophisticated world in which we live, it seems that customer data has become a more valuable commodity than ever before.
In November 2018, a MailOnline report recorded that:
The regulator highlighted the huge failure earlier this year at TSB, which saw 1.9 million customers locked out of their bank accounts, triggering a massive wave of fraud.
Cyber attacks on major banks have DOUBLED in a year due to mistakes by 'overconfident' bankers, warns City watchdog:
- Financial Conduct Authority said bankers making errors in computer updates
- Many banking firms unprepared for hacking attacks - putting customers at risk
- British lenders suffered wave of online failures and hacks over the past few years
Technology disasters at banks and finance firms have more than doubled amid an unprecedented wave of cybercrime, the City watchdog has warned.
Overconfident bankers are making errors in crucial computer updates, which cause chaos, the Financial Conduct Authority says, and many firms are woefully underprepared for hacking attacks - putting their customers at risk.
British lenders have suffered a wave of online failures and hacks over the past few years, from a blackout at TSB to a massive internet raid at Tesco Bank.
Megan Butler, of the FCA, said there had been a 138% rise in technology failures at finance firms during the year to October.
This includes both hacking cases and problems of the firms' own making. The number of cyber attacks rose 18%. She added: "The FCA is deeply concerned that the number of technology incidents reported to us has increased. If your bank stops working, your life and business can be severely constrained."
Other lenders to have suffered brief outages in the past few months include Barclays and NatWest owner, Royal Bank of Scotland. Visa's payments system also went down across Europe for several hours in June.
When you add the GDPR and its vastly increased fining abilities (up to four percent of a firm's global annual turnover) to this, failures in cyber security and data protection suddenly take on a much graver consequence for firms, especially at a time when they are being asked to process even more personal and special category data, such as that associated with vulnerable customer management. On top of that comes SM&CR, under which the individual responsible for data protection receives the personal fines imposed by the regulator where failures occur.
# 6 - Email Phishing
Despite how long this method has been around and all the awareness campaigns, people being tricked into revealing their personal information and parting with their money is still a very real threat! By some estimates, 90% of data breaches have a phishing component to them, and phishers have been remarkably resourceful and have kept up with security measures - for instance, APWG reports that half of all phishing attacks are now hosted on websites that have HTTPS and SSL certificates, so the padlock in the address bar shows only that the connection is encrypted, not that the site is genuine!
Phishing, of course, is mainly motivated by criminals trying to obtain our personal information, enticing us to part with our money or sending emails with malicious attachments that are designed to block, take over or destroy a website, email account or even a company's entire computer system. If some personal information is already known to the criminal, they will attempt to gain even more information from their victim by what is known as "spear phishing" - ie a more targeted, one-to-one and personal approach than a generic phishing email can be.
The key to success here is that the email will usually appear to come from a trustworthy or known source, such as a bank or government body. The instructions in the email will ask the reader to follow a link, which, once clicked on, will take the reader to a hoax site, where personal information, such as login details, passwords and bank details, will be collected, all under the guise of a legitimate reason.
This can be evidenced by a scam reported to Action Fraud in 2018, where it reported receiving complaints from over 2,000 people that they had received scam emails purporting to be from TV Licensing, with 200 of those complaints claiming to have lost a total of £233,455 to the scam in just one month!
Some of these scams are very clever and look very authentic, so being duped can sometimes be difficult to avoid. However, it's amazing how many people will click on a link in an email purportedly from a bank that they do not have an account with.
Similarly, an email asking for a transfer fee to be paid in order to release your lottery winnings is very welcome indeed, but not when you didn't even enter the lottery.
Here's a quick list of easy precautionary measures against email phishing that you should be communicating to your staff at every possible opportunity:
- Banks will never ask for your PIN or full password
- Be wary of emails that refer to you in vague terms, such as "Dear Valued Customer" - if you are that valued, they should know your name!
- Always look at the sender's email address - scam addresses often contain unusual characters, such as "spe11ings" to try to avoid your spam filters
- Don't assume that a phone call or email is genuine, especially if it is unsolicited
- Consider whether you would give your address and bank details to a stranger in the street - if you wouldn't, why would you give them to a stranger on the phone or in an email?
- Remember that if it looks too good to be true, then it most likely is!
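Two of the checks in this list, the sender's address and the vague greeting, can also be automated at the mail gateway to back up staff vigilance. The following Python sketch is an added example, not part of the original article; the trusted-domain list, the greeting phrases and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the firm genuinely corresponds with (constructed list).
TRUSTED_DOMAINS = {"examplebank.co.uk", "tvlicensing.co.uk"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear account holder")

# Fold characters that are easily mistaken for one another into one
# representative, so "tv1icensing" and "tvlicensing" compare equal.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which lookalike spellings collide."""
    folded = domain.lower().translate(FOLD)
    return folded.replace("rn", "m").replace("vv", "w")


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or one of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_message(raw: str) -> list[str]:
    """Return warning codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    warnings = []

    if not domain:
        warnings.append("no-sender-address")
    elif not is_trusted(domain):
        claimed = "".join(display.lower().split())
        for trusted in sorted(TRUSTED_DOMAINS):
            # Address is not trusted but spells like a trusted domain.
            if skeleton(domain) == skeleton(trusted):
                warnings.append(f"lookalike-domain:{trusted}")
            # Display name claims a trusted brand from an untrusted address.
            if trusted.split(".")[0] in claimed:
                warnings.append(f"display-name-mismatch:{trusted}")

    body = msg.get_payload()
    if isinstance(body, str) and body.lstrip().lower().startswith(GENERIC_GREETINGS):
        warnings.append("generic-greeting")
    return warnings


# Constructed sample messages.
SCAM = '''From: "TV Licensing" <refunds@tv1icensing.co.uk>
Subject: Your refund is waiting

Dear Valued Customer, please confirm your bank details to receive your refund.
'''
GENUINE = '''From: "Example Bank" <alerts@examplebank.co.uk>
Subject: Your statement is ready

Dear Ms Patel, your monthly statement is available in online banking.
'''

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(name, check_message(raw))
```

The From header is easy to forge, so a check like this sits alongside SPF, DKIM and DMARC validation rather than replacing it.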
Companies are not immune from this phenomenon either. There have been numerous phishing attacks on firms, ranging from emails allegedly sent from a CEO to the company accountants, instructing payments to be made to a criminal's bank account, to phishing emails obtaining access to computer network information, employee information and even employee payroll data!
One of our biggest defences against phishing is vigilance, and this can only be achieved by appropriate education, awareness, employee drivers of quality assurance over quantity and, of course, the use of common sense.
That's all, folks! It's still the first month of the year, so, no doubt, new challenges, more pressing ones, will sprout. Do post your comments below. We're always happy to hear from you and will incorporate suggestions.