However, there are new compliance priorities, not least the cost-of-living crisis.
The arrival of new regulations often prompts new priorities. 2023 is no exception. But firms also need to build on good habits, ensure they are agile, game-ready, and can adapt to unexpected challenges in the year ahead.
Biggest challenges faced by compliance in 2023
- Climate change & ESG
- Cost of living & vulnerable customer management
- Employment & corporate culture
- Third-party risk
- Employee mental health & wellbeing
- Cybersecurity
- Sanctions check
- Employee-first culture
- Money laundering & proliferation financing
- Putting the 'G' in ESG
1. Climate change & ESG
Following the COP27 summit in Sharm El-Sheikh and renewed commitments by countries, financial institutions, and communities, climate change remains high on the agenda for 2023.
With agreement on a historic loss and damage fund for climate-vulnerable developing countries and progress on how this will be financed, firms now need to keep focusing on the root cause to ensure there is no backsliding on the 1.5°C Paris Agreement.
Greenwashing was also a key theme of COP27. Regulators are increasingly showing an appetite to hold firms to account for their bold claims on ESG and climate. Through 2022, there were fines for both Goldman Sachs ($4m) and BNY Mellon ($1.5m). There was also a raid on DWS, after a crackdown on ESG and greenwashing by the SEC and BaFin.
A similar hardline approach is expected in 2023 by the FCA as it consults on and then rolls out new 'greenwashing' rules to fulfil its strategy to protect consumers.
"Greenwashing misleads consumers and erodes trust in all ESG products. Consumers must be confident when products claim to be more sustainable than they actually are. Our proposed rules will help consumers and firms build trust in this sector."
Firms need to provide clear, comprehensive and accessible information to consumers and stakeholders.
What are key climate change compliance considerations?
- Include investment product sustainability labels (backed up with objective criteria) to give consumers greater confidence to choose the right products.
- Check your use of sustainability-related terms (such as 'ESG', 'green' or 'sustainable') in product names and marketing to avoid misleading consumers.
- Provide adequate disclosures for consumers to help them understand product sustainability features.
- Set out extra information for institutional investors and retail investors.
- Ensure (as distributors) that information is clear and accessible for consumers.
2. Cost of living & vulnerable customer management
Soaring energy prices and high inflation are fuelling a cost-of-living crisis. Things are expected to worsen into 2023 as government support is phased out. The FCA is reminding firms of the expected standards to support customers, especially those who are in difficulty.
This isn't new, but the treatment of vulnerable customers will be paramount in the coming months. Firms should ensure they treat vulnerable customers fairly and consistently.
Firms also need to embed fair treatment in their culture, policies and processes. As the cost-of-living crisis continues to bite, this guidance is more important than ever.
The FCA's latest research highlights the scale of the problem:
- 7.8m people are finding it a heavy burden to keep up with bills (an increase of 2.5m since 2020)
- 31.9m people (60% of UK adults) are finding it a heavy burden to keep up with bills (an increase of 6m since 2020)
- 12.9m (1 in 4 UK adults) have low financial resilience, meaning they could soon face difficulty if they experience a financial shock
- Those who are young, female, unemployed, in an ethnic minority group, rent, or work in the gig economy were more likely to have low financial resilience or be in financial difficulty
- There are almost a million more consumers with characteristics of vulnerability compared to 2020
What are key vulnerable customer compliance requirements?
- Look out for signs of vulnerability and ensure all your policies and practices support customers struggling with the cost-of-living crisis, especially vulnerable customers.
- Review Buy Now Pay Later promotions, financial promotions, consumer credit, mortgages, overdrafts etc. to ensure the principles are embedded and customers can make good decisions.
- Assess how to fulfil your obligations under the Vulnerable Customer Guidance (VCG).
- Consider how to better support Borrowers in Financial Difficulty (BiFD) and quickly signpost them to available help.
- Appoint a Consumer Duty Board champion, if you haven't already done so, to promote the Duty at board level.
- Plan how to fulfil your obligations under the Consumer Duty for products and services before the July 2023 deadline.
- Focus on how to deliver good outcomes and meet the diverse needs of all customers, including vulnerable customers, at every stage and in each interaction.
3. Employment & corporate culture
Firms need to focus on several culture and governance-related factors, notably equality and preventing discrimination.
Several employment updates are on the horizon for 2023, which will strengthen existing equality laws, and tackle discrimination:
- The Bereavement Leave and Pay (Stillborn and Miscarried Babies) Bill.
This bill extends entitlement to parental leave and pay for employees experiencing miscarriage or stillbirth in early pregnancy.
- The Carer's Bill.
The bill gives carers a week's unpaid leave to look after a dependant with care needs.
- The Employment Relations (Flexible Working) Bill.
This bill will give employees the right to request flexible working twice a year and reduce decision times from three to two months.
- The Fertility Treatment (Employment Rights) Bill.
The bill allows employees to take time for fertility treatment and protects them from discrimination.
- The Protection from Redundancy (Pregnancy and Family Leave) Bill.
This bill protects employees from redundancy during or after pregnancy or after periods of maternity, adoption or shared parental leave. Employees on maternity leave must get priority for suitable alternative employment.
What are key employment & corporate culture compliance considerations?
- Review and update existing provisions in all equality policies, codes, contracts, handbooks and procedures – to ensure they reflect the forthcoming changes, which are all currently going through parliament and expected in 2023
- Make sure that rules and procedures that support certain individuals or groups do not inadvertently discriminate against others
- Provide information and training, so employees understand their rights and entitlements
4. Third-party risk
Another 'hot' topic is third-party risk. Working with third parties already poses considerable compliance risks – from bribery and forced labour to security, data privacy, competition and conduct. Firms already need to ensure that they:
- Vet third parties thoroughly and conduct due diligence
- Include (anti-bribery and other) clauses in all contracts
- Communicate expectations and values clearly
- Share information only on a "need to know" basis
- Have proper oversight of activities.
However, in 2023, there is another significant change on the way via the Worker Protection (Amendment of Equality Act 2010) Bill. This will reinstate employers' liability if employees experience harassment by a third party, such as a client, supplier or member of the public.
Employers will need to be proactive and prevent sexual harassment of employees by third parties at work. Employees would, however, need to make a successful claim at a tribunal before their employer can be found liable for failing to prevent harassment.
What are key third-party risk compliance considerations?
- Review monitoring and oversight of third parties – to identify key operational risks, especially IT infrastructure
- Put appropriate clauses in contracts to combat bribery, cyber, security, and other risks
- Adopt a zero-trust security model, which demands authentication, authorisation and validation for every data exchange with suppliers
- Train your team to recognise harassment – e.g. using the 4Ds model
- Consider what extra measures and protections to implement to protect employees from harassment by third parties – checking that any changes do not unfairly single out or discriminate against groups sharing certain protected characteristics (e.g. gender)
- Ensure that any social events and venues are appropriate, reflect your values, and don't put employees at increased risk of third-party harassment
5. Employee mental health & wellbeing
17 million working days were lost to stress, anxiety and depression in the UK in 2022, according to HSE statistics. The number of people suffering from work-related stress, anxiety or depression is 914,000.
An estimated $1 trillion is lost globally each year due to productivity losses, caused by depression and anxiety. These statistics highlight the scale of the problem, but not the anguish or stigma experienced by employees.
Employee mental health and wellbeing will continue to concern firms into the new year. The cost-of-living crisis and the Great Resignation have only made matters worse, with burnout levels now soaring.
New guidelines from the World Health Organisation (WHO) may be a game-changer and help provide renewed focus into 2023. The WHO is calling on companies to:
- Look out for workplace issues that are known to impact mental health – e.g. bullying, discrimination, and inequality
- Adjust the physical environment by exploring nudge strategies that promote walking
- Provide better training for managers to support their team's mental health – e.g. focusing on improving their knowledge, attitudes, and behaviours, to help reduce the stigma and prevent discrimination
- Arrange digital worker training that is available 24/7 to ensure support is available when it is needed – e.g. to improve knowledge and attitudes, and help people recognise signs of emotional distress
- Review any effort-reward imbalances (where there is high effort but low rewards in terms of pay, promotion, job security, respect and appreciation), which pose increased risks of depressive disorder
Companies can play a vital role in promoting wellbeing, ensuring leaders role-model a healthy work/life balance, and insisting workers take breaks and annual leave.
What are key mental health compliance considerations?
- Address negative behaviours, heavy workloads and toxic environments which create stressful environments
- Help workers gain practical skills to manage stress – e.g. mindfulness
- Offer duvet days, which can be taken at short notice for workers facing a mental health crisis
- Provide opportunities for leisure activities – such as yoga, walking, aerobic and strength training – which are known to promote positive mental health
Creating a more supportive environment makes people feel respected and valued. Firms can also reduce the stigma and inspire all employees to fulfil their potential.
6. Cybersecurity
Despite firms' best efforts and those of IT Security, cybersecurity risks continue to glow red on the dashboard into 2023.
In 2022, we saw a 42% increase in cyberattacks - from the Distributed Denial of Service (DDoS) attack on the European Parliament website to ransomware attacks on AirAsia, Nvidia, Costa Rica's banking operations, Uber, and many others.
In the Enemy at the Gates report, Akamai Research confirms financial services is one of the most attacked sectors:
- 80% of hackers target the customers of financial services rather than firms themselves
- DDoS attacks on financial services are up 22% (second only to gaming), and there has been a 257% surge in web app and API attacks
- Some attacks were thought to have a geopolitical element with a surge against organisations and countries that expressed support for Ukraine
- Customer account takeovers account for 40% of all attack types.
What are key cybercrime compliance requirements?
- Develop a robust cybersecurity culture which focuses on risks holistically across the business – such as remote working, cloud computing, and staff awareness
- Invest in training to ensure better preparedness to identify risks – including phishing, ransomware, DDoS, etc. – and combat the threat
- Empower and embed ownership – encourage employees to understand that cybersecurity doesn't belong in the IT Security team but requires collaboration and ownership across the whole company
- Look for patterns and trends to help determine the risk level – such as geopolitical risks, anomalies, Highly Evasive Adaptive Threats (HEAT) attacks, etc.
- Consider moving to a zero-trust security model, which demands authentication, authorisation and validation for every digital interaction
- Be open and transparent with stakeholders and customers – don't conceal or play down incidents out of embarrassment or shame. Instead, acknowledge issues and explain how you will prevent problems in future
- Normalise information sharing – to help security teams react to trends and share best practice
- Start to prioritise cyber and digital resilience in readiness for the new mandatory security requirements of the EU Cyber Resilience Act and the Digital Operational Resilience Act (DORA), which are coming soon.
7. Sanctions check
The Russia-Ukraine war. Human rights violations by Iranian officials amid the protests following the tragic death of Mahsa Amini. The continued forced labour of the Uyghurs in China's Xinjiang region. All of these events and more have sparked a raft of new sanctions.
Sanctions on designated individuals, organisations and countries moved sharply into focus through 2022, and there is no sign of a slowdown in 2023.
Firms need to ensure they do not inadvertently provide products or services to designated individuals and that they meet their reporting obligations. Both individuals and entities may be targeted by multiple sanctions (including financial and immigration sanctions). They may be subject to travel bans or asset freezes, like those on oligarchs' superyachts.
In the UK, the sanctions regime is set out in the Sanctions and Anti-Money Laundering Act (SAMLA), although UN, US and EU sanctions may also apply. You need to be clear about your role.
What are key sanctions compliance requirements?
- Assess your exposure by identifying high-risk activities, people (including beneficial owners), places or transactions – remember, you may be exposed if you transport goods, trade in restricted equipment, renew visas, or provide financial platforms
- Conduct rigorous due diligence to identify whether individuals or entities are subject to sanctions
- Complete adverse media checks before entering new business relationships, as well as for existing relationships
- Assess the reputational and legal risks of continued business. For example, the Yale List tracks whether companies have left or chosen to stay in Russia
- Screen all customers and entities using automated screening tools – such as OFSI's free platform
- Carry out independent checks to verify the identity and ownership of entities
- Be clear about your responsibilities if you identify a designated individual or entity – including asset freezes, terminating payments, restricting sales, etc.
- Document due diligence and decisions to evidence compliance with the sanctions regime
8. Employee-first culture
With the pandemic, followed by the Great Resignation, widespread talent shortages, and now the cost-of-living crisis, firms have found 2022 somewhat challenging.
Perhaps this is responsible for the pivot towards a more employee-focused approach. This 'employee experience' trend looks likely to continue in 2023.
- 47% of employers have focused on upskilling to tackle skills shortages, according to the CIPD
- There has also been a strong focus on skills development in 2022 in the HR profession
- 47% of HR leaders believe employee experience will be a top priority
Employees want firms to meet their personal and professional needs, with the flexibility to accommodate their lifestyle. They continue to gravitate towards firms that align with their ethics, values and lifestyle. They look for authentic managers who show empathy – soft skills training will be a priority so managers can deliver that support.
And, with 49% of workers admitting burnout and low job satisfaction, managers will need to reaffirm the relationship, restore trust and accountability, and deliver support (whether virtually or in person).
What are the key employee-first compliance requirements?
- Arrange regular check-ins with your team to identify problems and show your appreciation
- Build trust with employees by being honest, meeting your commitments, and respecting their diverse needs – they will be more likely to disclose mental health or other difficulties
- Agree boundaries – role-model the right behaviours to prevent burnout (by not sending emails at weekends or late into the evening)
- Develop soft skills training to equip managers with the critical skills they need to support their teams
- Build partnerships with specialist groups and charities – appoint champions, e.g. mental health, LGBTQ+, neurodiversity, etc.
- Prioritise well-being initiatives, with additional support for employees at onboarding or when they experience key life stressors
- Review hybrid and WFH models to ensure employees are truly thriving in the new environment
- Use initiatives to restore work friendships – with hybrid and remote working, we have become distant and no longer care much about work relationships. This makes us less engaged, prone to burnout, and increases attrition. Work with your team to restore and rebuild those relationships.
9. Money laundering & proliferation financing
Ambitious proposals have been approved to combat money laundering and terrorist financing across the EU. They are designed to improve detection of suspicious activity, take account of technological advances, virtual currencies, and the global nature of terrorism.
A new EU supervisory authority – the Anti-Money Laundering Authority (AMLA) – is also set to become operational in 2023. Consequently, firms can expect renewed focus, coordination and cooperation between countries and Financial Intelligence Units (FIUs) in 2023.
Russia's invasion of Ukraine has also resulted in searching questions and intense scrutiny of London's role in laundering dirty money.
Analysis by Transparency International showed that property worth £1.5 billion was bought by Russians accused of corruption or links to the Kremlin. It's no surprise then that 60% of real estate firms plan to increase spending on AML technology and training to help employees detect red flags and improve the compliance culture in 2023. Other exposed sectors (e.g. luxury goods) will likely follow suit.
Digital assets are also attracting attention and facilitating the rise in illicit finance. The EU's new Markets in Crypto-Assets (MiCA) Regulation, being voted on in February 2023, will regulate cryptoasset activities for the first time, requiring transparency, disclosure, authorisation and supervision of transactions.
The UK is also rolling out changes to its AML/CTF regime. There's a new requirement for firms to assess and mitigate the risk of proliferation financing. Artists who sell their work for more than €10,000 and certain account information service providers (AISPs) will be removed from the regulation.
From April 2023, firms will need to report material discrepancies between information held about existing customers' beneficial owners and what is recorded on the Persons with Significant Control (PSC) register at Companies House.
And, from September, the travel rule for cryptoasset businesses will be introduced (in line with FATF Recommendation 16) extending information-sharing requirements to wire transfers. Changes are also anticipated to improve the quality of SARs with a sourcebook update due by Professional Body Supervisors soon.
What are key money laundering compliance requirements?
- Review and update existing policies and procedures to assess and mitigate the risk of proliferation financing
- Train your team, with regular refreshers, to help them spot red flags
- Conduct risk-based due diligence at the start of the business relationship and on an ongoing basis
- Remember, this also links to ESG – as we have a moral duty to rid society of drugs, gun crime, trafficking, organised crime, etc. which fuel money laundering and terrorist financing
- For crypto market participants, conduct appropriate due diligence to avoid facilitating money laundering or terrorist financing
- Train employees to recognise material discrepancies (e.g. differences in name or an incorrect entry for a person's date of birth/nationality/correspondence address) and ensure these are reported to your MLRO
- Look out for more changes later in 2023 via the Economic Crime Plan, notably to the enhanced due diligence and supervisory regime
10. Putting the 'G' into ESG
There is a renewed appetite by regulators to hold firms and senior managers to account for what happens on their watch. Evidence of this includes scathing comments by prosecutors following the collapse of FTX, the SMCR and 'Fit' regimes, the new rules on ESG disclosures, the SEC's rules on the clawback of executive compensation, and many ongoing investigations worldwide.
And, they are not afraid to back this up with rigorous enforcement when firms break the rules. The record $6.4 billion in fines in 2022 by one US regulator alone is testimony to that. The message is clear – whether on bribery, competition, insider trading, or anything else.
If we fail to act and put effective compliance programmes in place which uphold the rules and create the right culture, regulators will step in. With all the financial and reputational risk that comes with that.
What are key governance compliance requirements?
- Develop codes of conduct and policies to articulate expectations and values – but don't hide behind the paperwork; what happens 'in the wild' matters more
- Provide training with plenty of opportunities for employees to practise applying the rules in a safe space
- Get the tone from the top right – don't ignore or cover up misconduct by executives; instead, provide good role models who have oversight of all parts of the business
- Train new hires from day one – so they understand your expectations, know where to find the code and how to raise concerns
- Hardwire ethics and compliance (E&C) into all your processes, structures, culture, and decisions to deliver the right behaviours – focus not just on what is legal, but what is ethical
- Evaluate your compliance programme – ensure it's not a legal document full of empty promises but actually drives and reinforces the right behaviours
- Implement an independent whistleblowing hotline or channels so employees can speak up
Looking for more compliance insights?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.