When we compiled last year's challenges in the first weeks of 2020, the first reports from China were emerging about a novel coronavirus. Then everything changed.
Little did we know how it would come to take over our personal lives and workplaces. As COVID-19 variants have emerged, much of 2021 has been taken over by coping with the effects of the pandemic. But now, the success of the vaccination rollout may offer a return to more normality - it with it the need for compliance once again.
Biggest challenges faced by compliance in 2021
- Post-COVID workplace
- Company culture
- Employee mental health & wellbeing
- Focus on fraud
- Big data & people analytics
- Vulnerable customer management
- Compliance resilience
- Money laundering - 6AMLD
- Climate change
1. Post-COVID workplace
As the restrictions associated with the pandemic start to ease, which they no doubt will as we go into the third quarter of 2021, it’s likely that many businesses will have seen their operating models disrupted to the extent that they will never be the same again.
A return to a full office working model may be more likely for smaller businesses, but employee expectations have changed forever. Some will want to return whilst others won’t feel safe doing so – even with high vaccination levels. Also, many employees will have enjoyed the extra time spent at home with families and not having to deal with expensive and stressful commutes.
How will you convince employees who have settled into a WFH routine and perhaps enjoying a better work-life balance than ever before that it's time - safe, even - to return to the office? What if they don’t want to pay for season tickets, spend their time commuting on cramped trains, or no longer see what the office adds to their work?
While many technology companies will move to a fully remote working model after the pandemic, the outcome will likely be more nuanced for financial services.
But the most likely outcome is that a large proportion of the workforce will be adopting a hybrid working model – working only some of the time in the office.
What will this mean in terms of staff compliance? The biggest change is that firms will need to look at their compliance risks again, but this time on a longer-term basis. The management of conduct risk is the biggest challenge in these circumstances.
The issues are many and varied, including the management of front office staff in investment management firms, ensuring that documentation is properly maintained and disposed of, trades are carried out in a timely manner, and client access via telephone is maintained when necessary.
Remote oversight is likely to form a more prevalent component of risk management. That includes managing compliance risks, preventing market abuse and a lack of adherence to sales procedures to inappropriate advice.
- Measuring productivity - how can it be measured effectively when people work remotely, and what adjustments are required regarding performance reviews.
- How you'll provide a safe and COVID-19 secure environment when people go back to the office.
- What hybrid working means in reality and the extra measures needed to support those working remotely post-lockdown.
- Creating a roadmap for recruits taken on during lockdown who may have missed out on traditional inductions and now have serious catching up to do.
- Reconfiguring the work arena to promote greater wellbeing, help people reconnect and rebuild rapport after the lengthy absence, including reintegration of those continuing to work remotely and a delayed welcome for newcomers.
- Making adjustments for those affected by COVID-19 - e.g. extra break-out areas, rest facilities for anyone with long-COVID, shorter working days, etc.
- Introducing or updating bereavement policies or practices for those still coping with loss.
It's ironic that after four years of uncertainty, bickering, and tense negotiations, when the Brexit deal was agreed and signed between the UK and the EU at the 11th hour and 59 minutes, hardly anyone took notice. Of course, we've been too busy watching the COVID-19 numbers to pay attention to the 1,246-page deal that keeps trade flowing between the UK and the EU, albeit with some friction.
The big issue here is that firms have got the continuity that is needed - to carry on all aspects of operation and business development as before. The spectre of thousands of lorries stuck at the ports has passed - although we were reminded of it when France shut down all traffic from the UK for a few days to keep out a new strain of COVID-19.
Crucially the Brexit deal does not include clarity on equivalence in financial services. The EU has resisted giving "equivalent" status to the UK, even though its regulations are fully harmonised at this point. Instead, the current arrangement allows the EU to withdraw equivalence rights for UK financial firms with only 30 days’ notice, and the U.K. has no right to contest that. The UK is also left having to negotiate a patchwork of individual EU nations’ regulations.
Obviously, this leaves the future uncertain for financial services firms, and many have been forced to move assets and staff to the EU financial capitals to avoid disruption. It also magnifies the compliance challenge of knowing and applying the rules - and avoiding simple mistakes like an executive flying over from London to meet a client in the EU.
Like financial services, the EU has not yet given the UK's data protection regime the "adequate" status (i.e. equivalent to the EU), although the UK regulations are entirely based on the EU GDPR. Such an 'adequacy' decision is a separate process from a trade deal and has been ongoing. The EU provided that the transmission of personal data from the EEA to the UK shall not be considered a transfer to a third country for six months. However, in the highly unlikely event that the UK changes its data protection laws during this period, this could change.
Areas where the UK is likely to diverge from the EU soon
- Sanctions - For both trade and financial sanctions, the UK has already made provision in its Sanctions and Money Laundering Act 2018 to set its own list of sanctioned individuals, businesses and entities. HM Treasury will introduce these lists by 31 December 2020, and firms who must abide by UK sanctions will need to screen their customers and suppliers against these lists from this date.
- Solvency II - The UK has identified aspects of the Solvency II regime that could be adapted to be more suitable and proportionate to the characteristics of the UK insurance industry. This is in the early stages, but HM Treasury has already issued a Call for Evidence in readiness for more formal consultation in 2021.
3. Company culture
Firms will need to be aware of two other key culture-related factors this year - diversity and inclusion.
Whilst there are societal pressures for firms to be more transparent about how they tackle these subjects, there will be greater regulatory pressure in these areas too. The FCA has already stated that it wants firms to adopt a culture that embraces diversity and inclusion and will include this in its supervisory work in the future.
Examples of this could range from ensuring access to employment for BAME individuals is balanced against those from other ethnic backgrounds. And a suitable proportion of women on boards and in senior roles.
But beneath this is the general awareness of the need to understand and be open to people with different ethnic backgrounds, gender identification, sexual orientation etc.
4. Employee mental health & wellbeing
It's been a bumpy time for many employees, some of whom may have faced challenging situations at home, struggled to work remotely in shared accommodation or had to balance work with home-schooling or caring responsibilities. Inevitably, this has harmed mental health and wellbeing, which may continue well into 2021.
Companies will need to consider how to move away from the traditional physical well-being model that emphasises injury and accident prevention to a more holistic approach that incorporates mental well-being and focuses on preventing stress, burnout, and conflict.
Another trending issue is psychological safety - this pertains to a culture where people are not afraid to speak up when mistakes are made, and at the same time, are not treated unfairly or disproportionately blamed when things go wrong.
Creating a healthy psychological culture where people are not afraid to speak up will likely reduce mistakes and encourage employee engagement and retention.
5. Focus on fraud
While COVID-19 has been a threat for ordinary people, it’s a major opportunity for professional criminals, especially when it comes to fraud.
In fact, as far back as June, this was being acknowledged. A survey carried out by LIMRA showed that 42% of its respondents had already experienced increases in attempted fraud. For attacks related to account takeover fraud specifically, that figure was even higher, at 47%.
Two key fraud risks
- Criminals will continue to exploit vulnerabilities as the pandemic continues associated with this situation and use them as levers to carry out social engineering. Examples of such activity include false promises of vaccine delivery and PPE designed to extract money from firms. Also, requests for money to be transferred to individuals apparently trapped in an overseas country and unable to return home due to the pandemic. Firms must ensure that their controls remain suitably robust and that staff remain vigilant to identify and report such activity as it arises.
- And further attempts to exploit remote working models where individuals cannot interact with fellow workers directly and real-time monitoring for fraud activity is much more difficult. Individuals working alone are more vulnerable to exploitation by fraudsters and may not realise that they have allowed fraud to occur before it is too late.
There is no doubt that the FCA will keep a close eye on how firms operate their anti-fraud controls in the future. In the 2020/2021 business plan, the FCA reinforced its commitment to fighting financial crime and intends to keep up the pressure of enforcement action where necessary.
But the key to preventing fraud remains the same – ensuring people are adequately trained and educated on the subject of fraud awareness and apply this knowledge and understanding in their day-to-day work.
6. Big data & people analytics
The year 2021 will see a continued focus on a major change in how data is collected from firms and subsequently analysed.
Financial sector regulators, the FCA and the PRA, have published data strategies that aim for better use of intelligence to identify areas of harm and rectify them more quickly. Also, to improve the power of data analytics. This is taking place against a backdrop of an increasing number of regulated firms, especially in the FCA's case.
Key data compliance considerations
- The ways in which the regulators will use data are likely to change and be reflected in supervisory activity. For instance, there is likely to be a greater degree of early intervention and involvement across sectors as problems arise. Also, a deeper understanding of consumer behaviours may lead to a closer focus on how firms work to achieve satisfactory consumer outcomes.
- A greater focus on technological change, not just in terms of upgraded systems (as can already be seen with the replacement of the FCA’s GABRIEL system) but with a drive towards direct and real-time data transmission using AI capabilities.
- Companies also need to build protection for the rights of individuals whose data they are processing and conduct a Data Protection Impact Assessment (DPIA) where there is a risk to the rights and freedoms of those individuals.
7. Vulnerable customer management
Treatment of vulnerable customers is another compliance issue that has taken centre stage lately in many sectors.
Even before the pandemic, the FCA had this topic firmly in its sights - urging firms across the financial services sector to ensure that vulnerable customers are treated fairly and consistently and calling on them to embed fair treatment in their culture, policies and processes. As the coronavirus pandemic has wreaked havoc on human interactions, this guidance is more vital than ever. The response has been mixed, though, and firms need to be more to recognise the scale of the problem.
- 4.2 million people have borrowed money using credit cards, overdrafts and high-interest loans, according to the debt charity Step Change.
- Low-income groups are the worst hit, having taken on approximately £10bn in debt.
With the economic outlook still looking downbeat for many going into 2021, firms must remain vigilant to signs of vulnerability into 2021 and ensure their response, policies, and practices do not further detriment or harm vulnerable customers.
8. Compliance resilience
This is going to be a big one in 2021. Although the pandemic has tested firms’ resilience to a great extent, the FCA and the PRA have their eyes on the longer-term resilience of businesses. They have already laid down some firm markers regarding how they expect firms to demonstrate their resilience.
Essentially, the regulators have asked firms to identify the most important business services they operate. Then put in place measures to demonstrate how these would continue or be recovered in stressed conditions. Firms are being asked to identify impact tolerances, showing when the point arises of greatest tolerable stress.
The expectation is that the final proposals from the regulators will be introduced later in 2021, which means there is much work for firms to do to. They will need to identify their important business services (if they have not already done so) and assess the associated impact tolerances. Although the detail has not yet been firmed up, there is enough material in the consultation papers to start this process.
In addition, firms will be expected to produce and implement communication plans to accompany disrupted services (both internal and external) and demonstrate how these plans will operate in practice, not just theoretically.
In short, much work is needed here for many firms during 2021.
9. Money laundering - 6AMLD
EU Money Laundering Directives have now become a regular annual feature like iPhone updates! We had 4MLD in 2017, 5MLD in 2020, and now the Sixth Money Laundering Directive (6AMLD) is upon us, having been transposed into national laws in December 2020 and implemented in June 2021.
Key compliance changes within 6AMLD
- Harmonised definition of money laundering offences - The introduction of a list of 22 predicate offences will reflect the changing nature of money laundering and include new offences such as cybercrime, insider trading and environmental crime. 6AMLD also includes “aiding and abetting” and “attempting and inciting” money laundering as crimes, meaning criminal liability will now be extended beyond those who actually commit the crime and make it easier for financial authorities to go after those who act as accomplices in money laundering.
- Extension of criminal liability to legal persons - Before only individuals could be convicted for committing financial crimes, this has now been extended to include companies or partnerships. Also, if it's deemed there was a lack of supervision within a firm, resulting in money laundering, business leaders are now liable for any penalties.
- Tougher punishments - 6AMLD has amended the maximum imprisonment for money laundering offences from one to four years. Additionally, any sentence may be supplemented with sanctions and fines (up to €5 million), including the complete shut-down of a business. Once 6AMLD is set into law, expect to see harsher punishments across the board, although the UK was already tougher than what's being proposed now.
- Cooperation over prosecutions - EU member states are now required to cooperate in the prosecution of money laundering crimes. For example, if a financial crime occurs across two different member states, they must work together to prosecute the offender and agree to prosecute in a single member state.
10. Climate change
Climate change is an emerging issue in 2021 from a regulatory and governance perspective as it creates financial, operational, legal and reputational risks. The physical risks due to climate change are manifest in more frequent storms, floods, droughts and wildfires. In addition, there are regulatory risks of policy changes that render investments worthless - for instance, the purchase of diesel cars.
Financial sector regulators now expect firms to manage the physical and financial risks that climate change pose, whether these relate to returns on investments or the physical risks to insured assets. There are increasing expectations being placed on firms to demonstrate that managing these risks is high enough on their agenda (including at the board level) and additional requirements on disclosures in annual reports for certain insurers.
In addition, banks and insurers were required to nominate a senior manager to hold a Prescribed Responsibility for identifying and managing these risks. So, 2021 is the year when those individuals will need to demonstrate they can manage those risks effectively in practice.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!