When we compiled last year's challenges in the first weeks of 2020, the first reports from China were emerging about a novel coronavirus. Then everything changed.
Little did we know how it would come to take over our personal lives and workplaces. We could be forgiven for not featuring it in our Top 10 Compliance Challenges list, when practically no one in the world outside China took it seriously enough.
As COVID-19 infections have mushroomed, the first two months of 2021 are likely to be taken over by the immediate response to be pandemic. But beyond that, vaccination offers the hope of a more stable future - an environment where firms can, and will be expected to, focus on compliance again.
The 10 biggest challenges faced by compliance in 2021
- Post-COVID workplace
- Company culture
- Employee mental health & wellbeing
- Focus on fraud
- Big data & people analytics
- Vulnerable customer management
- Compliance resilience
- Money laundering - 6AMLD
- Climate change
1. Post-COVID workplace
As the restrictions associated with the pandemic start to ease, which they no doubt will as we go into the second quarter of 2021, it’s likely that many businesses will have seen their operating models disrupted to the extent that they will never be the same again.
For smaller businesses, a return to a full office working model may be more feasible but employee expectations have changed for ever. Some will want to return whilst others won’t feel safe doing so – even with the mass availability of vaccinations. Also, many employees will have enjoyed the extra time spent at home with families and not having to deal with expensive and stressful commutes.
How will you convince employees who have settled into a WFH routine, and perhaps enjoying a better work-life balance than ever before, that it's time - safe, even - to return to the office? What if they don’t want to pay for season tickets, spend their time commuting on cramped trains, or no longer see what the office adds to their work?
Whilst many technology companies will move to a full remote working model after the pandemic, for financial services, the outcome is likely to be more nuanced. But the most likely outcome is that a significantly larger portion of the workforce will be working remotely – some all of the time, others for part of the time.
What will this mean in terms of staff compliance? The biggest change is that firms will need to look at their compliance risks again, but this time on a longer-term basis. The management of conduct risk is the biggest challenge in these circumstances.
The issues are many and varied, including the management of front office staff in investment management firms, ensuring that documentation is properly maintained and disposed of, trades are carried out in a timely manner and client access via telephone is maintained when necessary.
Remote oversight is likely to form a more prevalent component of risk management, including the management of compliance risks, which also include the prevention of market abuse, inappropriate advice and lack of adherence to sales procedures.
Firms will need to consider:
- What it means to be productive - how that is measured when people work remotely and what adjustments are required in respect of performance reviews
- How you'll provide a safe and COVID-19 secure environment when people go back to the office
- What flexible working means in reality and the ways it can be offered to different groups (e.g. part-remote options) - what extra measures are needed to support remote workers into the spring
- Creating a roadmap for new recruits taken on during lockdown who may have missed out on traditional inductions and now have serious catching up to do
- Reconfiguring the work arena to promote greater wellbeing, help people reconnect and rebuild rapport after the lengthy absence, including reintegration of those continuing to work remotely and a delayed welcome for newcomers
- Making adjustments for those affected by COVID-19 - e.g. extra break-out areas, rest facilities for anyone with long-COVID, shorter working days etc
- Introducing or updating of bereavement policies or practices for those still coping with loss
It's ironic that after four years of uncertainty, bickering and tense negotiations, when the Brexit deal was agreed and signed between the UK and the EU at the 11th hour and 59 minutes, hardly anyone took notice. Of course, we've been too busy watching the COVID-19 numbers to pay attention to the 1,246-page deal that keeps trade flowing between the UK and the EU, albeit with some friction.
The big issue here is that firms have got the continuity that needed - to carry on all aspects of operation and business development as before. The spectre of thousands for lorries stuck at the ports has passed - although we were reminded of it when France shut down all traffic from the UK for a few days to keep out a new strain of COVID-19.
Crucially the Brexit deal does not include clarity on equivalence in financial services. The EU has resisted giving "equivalent" status to the UK, even though its regulations are fully harmonised at this point in time. Instead, the current arrangement allows for the EU to withdraw equivalence rights for UK financial firms with only 30 days’ notice, and the U.K. has no right to contest that. The UK is also left having to negotiate a patchwork of individual EU nations’ regulations.
Obviously, this leaves the future uncertain for financial services firms and many have been forced to move assets and staff to the EU financial capitals to avoid disruption. It also magnifies the compliance challenge of knowing and applying the rules - and avoiding simple mistakes like an executive flying over from London to meet a client in the EU.
Like financial services, the EU has not yet given the UK's data protection regime the “adequate” status (ie equivalent to the EU), although the UK regulations are entirely based on the EU GDPR. Such an adequacy decision is a separate process to a trade deal and has been ongoing, and the EU provided that the transmission of personal data from the EEA to the UK shall not be considered as transfer to a third country for a period of six month. However, should the UK change its data protection laws during this period (which is highly unlikely) the EU could revoke that status.
Areas where the UK is likely to diverge from the EU soon:
- Sanctions - For both trade and financial sanctions, the UK has already made provision in its Sanctions and Money Laundering Act 2018 to set its own list of sanctioned, individuals, businesses and entities. HM Treasury will introduce these lists by 31 December 2020, and firms who must abide by UK sanctions will need to screen their customers and suppliers against these lists from this date.
- Solvency II - The UK has identified aspects of the Solvency II regime that could be adapted to be more suitable and proportionate to the characteristics of the UK insurance industry. Right now this is in the early stages, but HM Treasury has already issued a Call for Evidence in readiness for a more formal consultation in 2021.
3. Company culture
There are two other factors that are related to culture, that firms will need to be aware of in 2021 - diversity and inclusion.
Whilst there are societal pressures for firms to be more transparent about how they tackle these subjects, there will be greater regulatory pressure in these areas too. The FCA has already stated that it wants firms to adopt a culture that embraces diversity and inclusion and will include this in its supervisory work in the future.
Examples of what this could look like range from ensuring access to employment for BAME individuals is balanced against those from other ethnic backgrounds. Also, that a suitable proportion of women are present on boards and in senior roles.
But beneath this is the general awareness of the need to understand and be open to people with different ethnic backgrounds, gender identification, sexual orientation etc.
4. Employee mental health & wellbeing
It's been a bumpy year for many employees, some of whom may have faced challenging situations at home, struggled to work remotely in shared accommodation or had to balance work with home-schooling or caring responsibilities. Inevitably, this has had an adverse impact on mental health and wellbeing which may continue well into the new year.
Companies will need to consider how to move away from the traditional model of physical wellbeing that emphasises injury and accident prevention to a more holistic approach which incorporates mental wellbeing and focuses on preventing stress, burnout and conflict
Another trending issue is psychological safety - this pertains to a culture where people are not afraid to speak up when mistakes are made, and at the same time, are not treated unfairly or disproportionately blamed when things go wrong. A healthy psychological culture where people are not afraid to speak up is likely to reduce mistakes made in future and encourage employee engagement and retention.
5. Focus on Fraud
Whilst COVID-19 has been a threat for ordinary people, for professional criminals, it’s a major opportunity – especially when it comes to fraud.
In fact, as far back as June, this was being acknowledged. A survey carried out by LIMRA showed that 42% of its respondents had already experienced increases in attempted fraud. For attacks related to account takeover fraud specifically, that figure was even higher, at 47%.
Two fraud risks to be mindful of:
- Criminals will continue to exploit vulnerabilities as the pandemic continues associated with this situation and use them as levers to carry out social engineering. Examples of such activity include false promises of delivery of vaccines and PPE designed to extract money from firms. Also requests for money to be transferred to individuals apparently trapped in an overseas country and unable to return home due to the pandemic. Firms must ensure that their controls remain suitably robust and that staff remain vigilant to identify and report such activity as it arises.
- And further attempts to exploit remote working models where individuals are not able to interact with fellow workers directly, and real time monitoring for fraud activity is much more difficult. Individuals working alone are more vulnerable to exploitation by fraudsters and may be not realise that they have allowed fraud to take place before it is too late.
There is no doubt that the FCA is going to keep a close eye on the ways in which firms operate their anti-fraud controls in future. In the 2020/2021 business plan, the FCA has reinforced its commitment to fighting financial crime and intends to keep up the pressure of enforcement action where necessary.
But the key to preventing fraud still remains the same – ensuring people are adequately trained and educated on the subject of fraud awareness and apply this knowledge and understanding in their day-to-day work.
6. Big data & people analytics
The year 2021 is going to see a continued focus on a major change in the ways in which data is collected from firms and subsequently analysed.
Financial sector regulators, the FCA and the PRA, have published data strategies which aim for better use of intelligence to identify areas of harm and rectify them quicker. Also, to improve the power of data analytics. This is taking place against a backdrop of an increasing number of firms to regulate, especially in the FCA’s case.
Data compliance issues to watch out for:
- The ways in which the regulators will use data are likely to change and be reflected in supervisory activity. For instance, there is likely to be a greater degree of early intervention and involvement across sectors as problems arise. Also, a deeper understanding of consumer behaviours may lead to a closer focus on how firms work to achieve satisfactory consumer outcomes.
- A greater focus on technological change, not just in terms of upgraded systems (as can already be seen with the replacement of the FCA’s GABRIEL system) but with a drive towards direct and real time data transmission using AI capabilities.
- Companies also need to build protection for the rights of individuals whose data they are processing and conduct a Data Protection Impact Assessment (DPIA) where there is a risk to the rights and freedoms of those individuals.
7. Vulnerable customer management
Treatment of vulnerable customers is another compliance issue that has taken centre-stage lately in many sectors.
Even before the pandemic, the FCA had this topic firmly in its sights - urging firms across the financial services sector to ensure that vulnerable customers are treated fairly and consistently and calling on them to embed fair treatment in their culture, policies and processes. As coronavirus pandemic has wreaked havoc on human interactions this guidance is more vital than ever. The response has been mixed though and firms need to be more to recognise the scale of the problem.
- 4.2 million people have borrowed money using credit cards, overdrafts and high-interest loans, according to debt charity Step Change
- Low-income groups are worst hit having taken on approximately £10bn in debt
With the economic outlook still looking downbeat for many going into 2021, it is vital that firms remain vigilant to signs of vulnerability into 2021 and ensure their response, policies and practices do not lead to further detriment or harm for vulnerable customers.
8. Compliance resilience
This is going to be a big one in 2021. Although the pandemic has tested firms’ resilience to a great extent, the FCA and the PRA have their eyes on the longer-term resilience of businesses and have already laid down some firm markers in terms of how they expect firms to demonstrate their resilience.
Essentially, the regulators have asked firms to identify the most important business services they operate, and then put in place measures to demonstrate how these would be able to continue, or be recovered, in stressed conditions. Firms are being asked to identify impact tolerances, showing when the point arises of greatest tolerable stress.
The expectation is that the final proposals from the regulators will be introduced later in 2021, which means there is a lot of work for firms to do to; firstly, they will need to identify their important business services (if they have not already done so) and assess the associated impact tolerances. Although the detail has not yet been firmed up, there is enough material in the consultation papers to start this process.
In addition, firms will be expected to produce and implement communication plans to accompany disrupted services (both internal and external) and demonstrate how these plans will be able to operate in practice, rather than just theoretically.
In short, a lot of work is needed here for many firms in the first half of 2021.
9. Money laundering - 6AMLD
EU Money Laundering Directives have now become a regular annual feature like iPhone updates! We had 4MLD in 2017, 5MLD in 2020 and now the Sixth Money Laundering Directive (6AMLD) is upon us, having been transposed into national laws in December 2020 and set to come into effect in June 2021.
Key compliance changes due to this directive:
- Harmonised definition of money laundering offences - The introduction of a list of 22 predicate offences will reflect the changing nature of money laundering and include new offences such as cybercrime, insider trading and environmental crime. 6AMLD also includes “aiding and abetting” and “attempting and inciting” money laundering as crimes, meaning criminal liability will now be extended beyond those who actually commit the crime and make it easier for financial authorities to go after those who act as accomplices in money laundering schemes.
- Extension of criminal liability to legal persons - Before only individuals could be convicted for committing financial crimes, this has now been extended to include companies or partnerships. Also if it's deemed there was a lack of supervision within a firm, resulting in money laundering, business leaders are now liable for any penalties.
- Tougher punishments - 6AMLD has amended the maximum imprisonment for money laundering offences from one to four years. Additionally, any sentence may be supplemented with sanctions and fines (up to €5 million), including the complete shut-down of a business. Once 6AMLD is set into law, expect to see harsher punishments across the board, although the UK was already tougher than what's being proposed now.
- Cooperation over prosecutions - EU member states are now required to cooperate with one another in the prosecution of money laundering crimes. For example, if a financial crime takes place across two different member states, they now need to work together to prosecute the offender and agree to prosecute in a single member state.
10. Climate change
Climate change is an emerging issue in 2021 from a regulatory and governance perspective as it creates financial, operational, legal and reputational risks. The physical risks due to climate change are manifest in more frequent storms, floods, droughts and wildfires. In addition, there are regulatory risks of policy changes that render investments worth less - for instance, the purchase of diesel cars.
Financial sector regulators now expect firms to manage the physical and financial risks that climate change pose, whether these relate to returns on investments, or the physical risks to insured assets. There are increasing expectations being placed on firms that they can demonstrate the management of these risks is high enough on their agenda (including at board level) as well as additional requirements on disclosures in annual reports for certain insurers.
In addition, banks and insurers were required to nominate a senior manager to hold a Prescribed Responsibility for identifying and managing these risks. So, 2021 is the year when those individuals will need to demonstrate they are able to manage those risks effectively in practice.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news subscribe to Skillcast Compliance Bulletin.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!