Finance Monthly

Fiat Chrysler Automobiles (FCA) and Peugeot owner PSA have signed a binding agreement for a 50/50 merger. PSA shareholders will receive 1.742 shares in the merged company for each PSA share they hold, while FCA shareholders will receive one share in the new company for each FCA share they hold.

The deal is expected to close in around 15 months, creating a combined company with estimated annual sales of €170 billion and 8.7 million vehicles a year. On the news, PSA shares rose 1.5% in Paris while FCA shares rose 0.3% in Milan.

A joint statement clarified that this deal will allow both firms to “address the challenge of shaping the new era of sustainable mobility,” whilst saving the companies around €3.7bn a year.

“Our merger is a huge opportunity to take a stronger position in the auto industry as we seek to master the transition to a world of clean, safe and sustainable mobility and to provide our customers with world-class products, technology, and services,” Carlos Tavares, chairman of Peugeot-maker PSA, said in the joint statement.

Tavares will become CEO of the merged company for an initial five-year term and will also sit on its board.

The FCA's ban on the mass marketing of speculative mini-bonds to retail investors follows the collapse of London Capital & Finance. Set to take effect on 1 January, it arrives just as consultancies and financial advisers encourage clients to put money into ISAs before the end of the tax year.

Currently, various mini-bonds have ISA status and would therefore be covered by such advice. However, the FCA believes many consumers lack the expertise to understand, and therefore properly evaluate, the risks involved in certain mini-bonds.

According to reports, the ban will not cover mini-bonds that raise capital for an individual company or property.

The intervention follows the recent administration of London Capital & Finance, in which over 11,000 customers were left out of pocket when the firm collapsed after promoting mini-bonds offering 6.5% to 8% annual returns.

The FCA came under immediate scrutiny and was heavily criticised for not acting when it was warned about the firm’s operations three years earlier.


Both the FCA and LC&F are now under investigation, by the retired senior judge Dame Elizabeth Gloster and by the Serious Fraud Office (SFO) respectively.

Andrew Bailey, Chief Executive of the FCA said: “We remain concerned at the scope for promotion of mini-bonds to retail investors who do not have the experience to assess and manage the risks involved. This risk is heightened by the arrival of the ISA season at the end of the tax year, since it is quite common for mini-bonds to have ISA status, or to claim such even though they do not have the status.

“In view of this risk, we have decided to complement our substantial existing actions with a further measure which will involve a ban on the promotion and mass marketing of speculative mini-bonds to retail consumers. We believe this will enable us to further consumer protection consistent with our regulatory principles and the FCA Mission.”

A press release from the FCA has also stated: “The FCA ban will mean that unlisted speculative mini-bonds can only be promoted to investors that firms know are sophisticated or high net worth. Marketing material produced or approved by an authorised firm will also have to include a specific risk warning and disclose any costs or payments to third parties that are deducted from the money raised from investors.”

According to Simon Hill, Head of Legal & Compliance at Certes Networks, the sector’s preoccupation with data security is largely because financial institutions are not only heavily regulated by data privacy requirements but are also under mounting pressure to be open with consumers and businesses about how they are protecting their data from potential breaches.

Additionally, no bank or financial services organisation wants to face the consequences of a data breach. The fallout from numerous breaches in the industry over the years shows why: Capital One in 2019, Equifax in 2017 and Tesco Bank in 2016. In the Capital One breach, an attacker gained access to around 100 million credit card applications and accounts, including 140,000 US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, along with an undisclosed number of names, addresses, credit scores, credit limits, balances and other information dating back to 2005, according to the bank and the US Department of Justice.

What’s more, the damage from these breaches is not only reputational but also financial. As a result of its breach, Equifax agreed to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2018 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its “largely avoidable” 2016 cyber-attack, in which criminals stole over £2 million from 34 accounts. These consequences can arise however ‘large’ or ‘small’ a breach may seem; companies that fail to protect their data adequately, including by encrypting it, will be penalised.

On top of this, the increasing expectations of consumers mean that banks and financial institutions are attempting a balancing act: how can they protect data privacy while remaining transparent about how that data is protected? It does not have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can make full use of technology while still protecting data and avoiding the repercussions of a breach.

The balancing act 

To achieve this balance, banks and financial services organisations need to take greater control of their security posture and assume that any part of the network could be compromised. Robust encryption and tightly controlled security policies should be central to the cyber security strategy. When stringent policies are defined and deployed, they give greater insight into which applications are communicating within and across the network. Tools are now available to enforce these policies at the workload level, governing not only the application’s traffic and behaviour but whether access to a system is granted at all.

Conclusion 

Banks and financial services organisations should not have to worry about keeping data secure when it is entirely possible to do so. Rethinking how policies are defined, through micro-segmentation and by separating workloads according to the regulations that apply to them, is one way to keep data more secure. Policies that grant access only to users with a genuine need to see the data limit the exposure of the network. And lastly, an automated key management system that rotates keys frequently helps safeguard system access and strengthens the organisation’s security posture.
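As an added illustration of the controls described above (this is example code, not Certes Networks’ product or any code from the original article), the Python below models a default-deny micro-segmentation policy: each workload carries a regulatory zone and role labels, a flow is allowed only when an explicit rule matches it, and the cardholder-data (PCI) zone is kept separate from the general corporate zone unless a crossing is listed. The workloads, labels, ports and flows are all constructed for the example. The `who_can_reach` check answers the least-privilege question of which workloads can actually reach the card database.

```python
"""Default-deny micro-segmentation policy, evaluated against sample flows.

Added example: not Certes Networks code. The workloads, zones, labels and
flows below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str               # regulatory scope the workload sits in, e.g. "pci" or "corp"
    labels: FrozenSet[str]  # role labels that rules match on, e.g. "app:payments-api"


@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    port: int
    proto: str = "tcp"


class SegmentationPolicy:
    """Allow-list of labelled flows. Anything not explicitly allowed is denied."""

    def __init__(self, rules: List[Rule],
                 cross_zone: FrozenSet[Tuple[str, str]] = frozenset()):
        self.rules = list(rules)
        # (src_zone, dst_zone) pairs that may talk at all; empty = zones fully separated
        self.cross_zone = set(cross_zone)

    def evaluate(self, src: Workload, dst: Workload, port: int,
                 proto: str = "tcp") -> Tuple[str, str]:
        # 1. Zone separation: regulated scopes are isolated unless a crossing is listed.
        if src.zone != dst.zone and (src.zone, dst.zone) not in self.cross_zone:
            return "deny", f"cross-zone {src.zone}->{dst.zone} is not permitted"
        # 2. Explicit allow-list, matched on labels, port and protocol.
        for r in self.rules:
            if (r.src_label in src.labels and r.dst_label in dst.labels
                    and r.port == port and r.proto == proto):
                return "allow", f"rule {r.src_label}->{r.dst_label}:{port}/{proto}"
        # 3. Default deny: nothing matched.
        return "deny", "no matching rule (default deny)"

    def who_can_reach(self, workloads: List[Workload], target: Workload,
                      port: int, proto: str = "tcp") -> List[str]:
        """Least-privilege check: which workloads are permitted to reach target:port."""
        return sorted(w.name for w in workloads
                      if w is not target
                      and self.evaluate(w, target, port, proto)[0] == "allow")


# Constructed sample estate: a cardholder-data (PCI) zone and a general corporate zone.
WORKLOADS = [
    Workload("web-frontend", "pci", frozenset({"app:web", "tier:web"})),
    Workload("payments-api", "pci", frozenset({"app:payments-api", "tier:app"})),
    Workload("card-db", "pci", frozenset({"app:card-db", "tier:data"})),
    Workload("hr-portal", "corp", frozenset({"app:hr", "tier:app"})),
    Workload("analytics", "corp", frozenset({"app:analytics", "tier:app"})),
]
BY_NAME = {w.name: w for w in WORKLOADS}

# Only the two flows the payments path actually needs, and no zone crossings at all.
POLICY = SegmentationPolicy(
    rules=[
        Rule("app:web", "app:payments-api", 8443),
        Rule("app:payments-api", "app:card-db", 5432),
    ],
)


def audit(flows):
    """Evaluate (src, dst, port) tuples; return (src, dst, port, decision, reason) rows."""
    rows = []
    for src, dst, port in flows:
        decision, reason = POLICY.evaluate(BY_NAME[src], BY_NAME[dst], port)
        rows.append((src, dst, port, decision, reason))
    return rows


if __name__ == "__main__":
    sample_flows = [  # constructed observed flows
        ("web-frontend", "payments-api", 8443),  # legitimate path
        ("payments-api", "card-db", 5432),       # legitimate path
        ("web-frontend", "card-db", 5432),       # tier-skipping: no rule
        ("hr-portal", "card-db", 5432),          # corp zone reaching into PCI scope
        ("analytics", "payments-api", 8443),     # corp zone reaching into PCI scope
    ]
    for row in audit(sample_flows):
        print("%-13s -> %-13s :%-5d %-5s %s" % row)
    print("can reach card-db:5432:", POLICY.who_can_reach(WORKLOADS, BY_NAME["card-db"], 5432))
```

The zone check runs before the rule match so that a mis-written rule can never open a path from the corporate zone into the regulated one; only an explicit entry in `cross_zone` can do that, which keeps the list of permitted scope crossings short enough to review.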

Retail banks accounted for the highest number of reports (486), almost 60% of the total, followed by wholesale financial markets with 115 reports and retail investment firms with 53.

The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).

The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.

According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.

Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."

Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):

Impacted sector                     2018   % of incidents
Retail banking                       486   59%
Wholesale financial markets          115   14%
Retail investments                    53    6%
Retail lending                        52    6%
General insurance and protection      49    6%
Pensions and retirement income        35    4%
Investment management                 29    4%
Total                                819  100%

 

Fig2: The root causes of cyber incidents reported to the FCA (source FCA):

Root cause                 2018 (Jan-Dec)   % of incidents
3rd party failure                     174   21%
Hardware/software                     157   19%
Change management                     146   18%
Cyber attack                           93   11%
TBC                                    93   11%
Human error                            47    6%
Process/control failure                45    5%
Capacity management                    25    3%
External factors                       17    2%
Theft                                  11    1%
Root cause not found                   11    1%
Total                                 819  100%

 

Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):

Cyber attack root cause breakdown        2018 (Jan-Dec)   % of incidents
Cyber - Phishing/Credential compromise               48   52%
Cyber - Ransomware                                   19   20%
Cyber - Malicious code                               16   17%
Cyber - DDoS                                         10   11%
Total                                                93  100%

The FCA deems P2P lending a “high risk” product and has recommended limiting it to ‘sophisticated investors’ only. Below, Finance Monthly hears from Frazer Fearnhead, CEO at The House Crowd, on why we shouldn’t be restricting P2P lending.

This is likely off the back of the recent collapse of mini bonds provider London Capital & Finance, which persuaded customers to invest in bonds (with a ‘fixed’ 8% interest rate) that weren’t ISA eligible. Sadly, some 14,000 people have lost most of the £214 million they had collectively invested. This has, understandably, increased regulatory scrutiny of similar products marketed to retail investors.

Nonetheless, the FCA is lumping all P2P lending companies in with London Capital & Finance, which is patently unfair. The company marketed a product as an ISA, but wasn’t one at all – it was a mini bonds investment – so we’re not even talking about comparable products here. Plus, it obviously wasn’t acting in a regulated fashion and, as a result, it’s a knee-jerk reaction to lump the whole P2P industry together with it.

Democratising investment options

Peer to peer lending, including products such as IFISAs, allows everyday people to access the sorts of returns that only high-net-worth and experienced investors historically had access to. Restricting this offering (or warning people away from it unnecessarily) would deal a big blow to the P2P lending industry and defeat its key objectives – for borrowers, to democratise access to finance and, for investors, to support lending in return for a better rate of interest.

Why should investments with higher interest rates be reserved only for experienced investors or those who already have significant capital? It’s precisely the savers who are working to build up a nest egg for their futures who should have such opportunities, especially since lending is much easier to understand than more complex investments. If they’re only left with options like cash ISAs (which won’t necessarily beat rising inflation), they won’t be able to do it.


The FCA said that “anyone considering investing in an IFISA should carefully consider where their money is being invested before purchasing an IFISA.” Of course, this is still true – all investments should be carefully considered before they’re undertaken. But that doesn’t mean that we should completely rule out one of the most accessible investments available on the market today.

P2P is a diverse landscape

Another issue is that, at the moment, it seems the FCA can’t (or won’t) distinguish between different types of P2P loans with different levels of security. It’s true that many providers offer unsecured loans, but there are others that do offer more security. Lending can be secured against an asset which helps to mitigate the risk of the borrower defaulting, as a legal charge over the asset can force its sale and regain investor capital. Other lenders also operate a ‘provision fund’ as an additional security measure.

The FCA has previously warned of introducing ‘appropriateness tests’ in order to restrict who P2P lenders can market their products to, but the problem with this lies in conflating products that are in fact very different from each other. Not all P2P lending products are the same – levels of security do vary by provider, but if the right due diligence is conducted and processes are put in place to mitigate risk, they can offer consistency and reliability. Similarly, we should not look to compare, for example, a stocks and shares ISA with an IFISA. They are fundamentally different – and, arguably, the IFISA can be a safer option.

Ultimately, there are risks involved in all investments, but the answer isn’t in scaremongering. Appropriate education and transparency are what we need to get people investing their money wisely in a variety of options, and we would like to see the FCA do more to support this.

Here Syedur Rahman of business crime solicitors Rahman Ravelli questions the effectiveness of big fines and the likelihood of criminal prosecutions in the future.

Standard Chartered has hit the headlines for the size of the fines imposed on it on both sides of the Atlantic.

But behind all the big numbers and the column inches it is hard not to wonder if such a costly slap on the wrists is now being viewed by the big banks as nothing more than the cost of doing big business.

Standard Chartered has been ordered to pay a total of $1.1 billion by US and UK authorities to settle allegations of poor money laundering controls and sanctions breaches. It is paying $947M to American agencies over allegations that it violated sanctions against six countries and has been fined £102M by the UK’s Financial Conduct Authority (FCA) for anti-money-laundering breaches, including shortcomings in its counter-terrorism finance controls in the Middle East.

These fines had been expected. Standard Chartered said two months before the fines were imposed that it had put $900M aside to cover them. But this isn’t the first time that Standard Chartered has had to pay out for its wrongdoing.

Seven years ago, it paid a $667M fine in the US. Like its latest US penalty, it related to alleged sanctions breaches. At the time, it also entered into a deferred prosecution agreement (DPA) with the US Department of Justice and the New York county district attorney’s office over Iranian sanctions breaches beyond 2007. That DPA would have expired by now but has been extended until April 2021 in the wake of the latest allegations.

Will this be the end of Standard Chartered’s problems and the start of a new allegation-free era? It is hard to believe so. But it is fair to point out that it is not the only bank to be hit by huge fines for wrongdoing and then be found to be repeating its illegal behaviour. Which is why it is hard to believe that fines are having any real impact on the way that some of the biggest banks function. If they are prepared to keep paying the fines and / or giving assurances about keeping to the terms of a DPA while reaping the benefits of breaking the law it is hard to see the cycle of behaviour changing.

Let’s be clear, any failure by Standard Chartered to abide by the terms of its DPA could see it facing criminal prosecution. And any bank’s weak approach to money laundering is now increasingly likely to be pounced on by the authorities. The Standard Chartered investigation was a co-ordinated multi-jurisdictional effort by the FCA, the US agencies and the United Arab Emirates. And while Standard Chartered’s full cooperation with the FCA saw it receive a 30% discount on its fine, relying on cooperation to gain a lesser punishment cannot be viewed as a safe approach.

The authorities around the world that investigate the activities of banks and other financial institutions are now more coordinated than ever. They have more legal powers than ever before and are unlikely to be reluctant to use them against those in the financial marketplace that come to be seen as repeat offenders.

There is no clear indication or evidence that the era of big fines may be about to pass or that the authorities are set to view convictions as a more effective deterrent to financial crime than hefty financial penalties. There may also be difficulties when it comes to corporate liability which, in the UK, requires proof that those involved in the wrongdoing are sufficiently senior to be considered the ‘controlling mind and will’ of the company.

But if fines continue to be ineffective in curbing the behaviour of certain banks it can surely only be a matter of time before the authorities rethink their approach to enforcement.

Little did we know that when SM&CR was just a glimmer of an idea at HM Treasury, it would have such an impact on the industry and, in doing so, it would change Worksmart so substantially. Borne out of the ‘Changing Banking for Good’ review led by MP Andrew Tyrie back in 2013, the idea of greater Individual Accountability and Conduct Standards for all landed in the form of the SM&CR in March 2016 for banks, building societies, credit unions and the largest designated investment firms.

Led by the PRA and the FCA, the regulation has had, and continues to have, a major impact on these firms in a way foreseen by few a number of years ago. I recall my conversations with banks during this time, when many firms saw the incoming regulation as a relatively minor additional piece of reporting required by the regulators; how wrong they were.

Unlike most people, the Worksmart team had a rather different take on the incoming regulation. With the additional corporate governance requirements that SM&CR brings, alongside the requirement to manage, maintain and update a Management Responsibilities Map (MRM) and associated Statements of Responsibilities (SORs), the technologists amongst us knew what was coming. The in-house view was that the new regime needed to be supported and underpinned by technology that not only helped firms meet their regulatory responsibilities but also offered genuine business process improvement. As a result, we invested heavily in every area of our business, from re-platforming our SM&CR solution and moving to a SaaS model to growing our regulatory consulting capability. We also worked hard to deepen our relationships with the trade bodies that support the affected sectors of the marketplace.


In what seems like the blink of an eye, we became the SM&CR supplier of choice for the then British Banking Association (now UK Finance). In turn, this led us to become the ‘leading supplier of SM&CR solutions’ in the UK. And from there it was a very short, but very proud, step to winning a clutch of ACQ5 Global awards in 2018 for our work in the industry.

All very nice you might say, but how does that help me? Using our experience gained over the last four years, this article highlights the top five challenges you can expect to face as you implement and then manage the regime in BAU. With more SM&CR implementations within the affected markets under our belt than we can now even remember, we’re confident that we’ve encountered most of the challenges the new regime presents.

Challenge 1: Sorting out the Senior Manager Regime (SMR) won’t be as easy as you initially think.

The regulation requires firms to identify which Senior Manager Functions (SMFs) and Prescribed Responsibilities apply to their firm. To help, the regulators provide a list of the SMFs for each type of firm under the new regulation, i.e. Enhanced, Core or Limited, and Prescribed Responsibilities for Enhanced and Core firms.

Sounds straightforward and, indeed, for the most part, it is. However, beyond the standard Control Functions such as SMF1 (CEO) and SMF3 (Executive Director) and the Required Functions – SMF16 (Compliance Oversight) and SMF17 (MLRO), Enhanced firms need to decide whether other SMFs apply to them, e.g. SMF18 (Overall Responsibility) and if so, how many individuals are affected. Easy? Maybe, but maybe not. Add into the mix firms that have been regulated for many years, with individuals involved in areas of the business for which they may not be approved (but in a function that requires approval), and things start to get a bit more complicated.

However, the task that was consistently underestimated through the banking implementations involved senior executives scrutinising the detail of their proposed SMFs and responsibilities and reviewing, even renegotiating, their personal Terms & Conditions in return for this (perceived) greater accountability. As a Programme Manager in a major building society said to us: “We’ve only just got sign off on what we proposed to the exec team a year ago”; so be warned!

When agreed internally, firms need to inform the regulator which executives are transitioning to the SMF equivalent of their existing Control Functions (CFs) and seek approval for executives that wish to take up roles that aren’t directly mapped. Additionally, Enhanced firms need to submit a Responsibilities Map that shows how the firm’s governance arrangements fit into place. Where the regulated firm is part of a group and services are shared across the group, then they must explain how this arrangement operates in practice. Add into this a Statement of Responsibility for every individual holding an SMF Function, regardless of whether they grandfather across or have to submit a new application, and it becomes clear that setting up and agreeing on the component parts of the Senior Managers Regime in your firm is not a small task.

The FCA has learnt lessons from the first tranche of firms subject to the new regime and has helped by providing feedback on both Responsibilities Maps and Statements of Responsibility, but even with this type of assistance nothing is ever straightforward, so plan for the unexpected.

The learning from the banking sector is clear - planning and gaining approval for your proposed Senior Manager Regime arrangements takes time. The challenges across the wider financial service sector may vary a little, but the lesson learned by the banks remains true; namely start early and expect things to take longer than planned.

“As part of the senior managers regime, it was essential that we had a robust system to evidence how we have met the regulatory requirements. Worksmart has been core to ensuring that we have met the requirements of the rules.”
Lisa Nowell, Chief Risk Officer, Masthaven Bank

Challenge 2 – Sorting Out the Certification and Conduct Rules Regimes will also take longer than you plan for.

If the message is about getting started early with your Senior Manager community, the same is equally true for the newly introduced Certification Regime. Many firms in the banking sector simply underestimated the time it would take to define, and gain agreement on, which roles were caught by Certification. When we asked customers how many members of staff were in their Certification Regime, we often got answers like “anything between 10 and 150” or “we’re still deciding”. Depending on the interpretation of the rules, both responses can be equally valid when an organisation comes to the regime for the first time; however, the discussion on how to interpret the definition of certified roles will eat into your project timeline. Expect a second delay when allocating which Certification Functions apply to each role. Whilst the guidance is clearer for the wider financial services market, deciding which roles are caught by Certification and which fall only under the Conduct Rules should not be underestimated.

Once decided, planning the design and delivery of training for Certification staff will again take time. Training must cover both the new regime and the newly introduced Conduct Rules and, to help each role holder understand the Conduct Rules in the context of their own role, it must be as role-specific as possible. Experience over multiple implementations has taught us that training is often an afterthought on the project plan; if so, it will probably be delivered late, leaving you exposed to the risk that staff are not fully aware of their responsibilities under the new rules.

Finally, because the regulator expects competent, not just compliant behaviour from those subject to the Certification Regime, there will also be a debate about what evidence you will need to gather in order to demonstrate competence. If your firm has a fully functioning performance appraisal process, then this may well be a huge step in the right direction. However, if your firm does not have a robust performance appraisal process in place, I suggest the new regulation will be the tipping point to implementing one.

Like SMR, the learning is clear that implementing and embedding Certification and Conduct Rules into a firm will take time, focus and resource to do properly. So be prepared.

Challenge 3 – SM&CR will require a ‘root and branch’ review of some supporting processes.

In the early days of your SM&CR project, the main focus will be on defining communities, assigning functions, etc. However, when the implementation team takes the planning to the next level, questions will almost certainly be asked about the efficacy of the firm’s underlying processes, particularly in the area of HR. These questions come from two areas; the need to have robust processes for recruiting staff into Senior Manager and Certification roles and the need to demonstrate that individuals in those regimes are competent to undertake their role on an ongoing basis. From experience with the banking sector, the processes that are most likely to be challenged are:

A small but often overlooked point: the sensitive data underpinning Fitness and Propriety (F&P) checks must be held securely, with a balance struck between tight control over access and visibility for those who need oversight.

Ensuring robust SM&CR records will ask searching questions of your supporting processes. Anticipate the need to review, and probably, strengthen your processes. If not, the quality of your records, and so decisions, may well be at risk.

Challenge 4 – SM&CR will start to fundamentally change how you operate.

Being compliant with the new rules is not just about providing accurate and up-to-date records; ultimately SM&CR is about cultural change within financial services. The FCA, our conduct regulator, has been clear on its views and expectations here. Firms that think they will implement SM&CR as per the rule book and then walk away are very much mistaken. It is no understatement to say that SM&CR is the greatest change in regulation that I am likely to see in the remainder of my working life.

When talking with senior executives in the banking sector, it’s clear that there is a far greater focus on corporate governance and personal conduct. Whilst many firms are not formally required to adhere to the Corporate Governance Code, SM&CR challenges firms to ask themselves questions such as: Are we effectively governed?; Do our committees and processes deliver the business results we want?; Are our committees effective or are they just ‘talking shops’? This focus on corporate governance is significant and certainly has increased since 2016. Alongside this, there is far more interest in the personal conduct of individuals at all levels in firms by senior executives. One could be cynical and say this new level of interest is the direct result of certain senior managers being personally accountable for the conduct of individuals in the Senior Manager Regime and Certification Regimes. Whilst there may be some truth in that cynical view, the reality remains that personal conduct is, and will remain, under scrutiny like never before.

It is true that culture in a firm is multi-dimensional and often elusive to define and so monitor. However, it is clear the changes brought about by SM&CR in the banking sector go beyond minor upgrades to internal processes and record keeping.

Whilst, in the early days of implementing SM&CR, the focus will inevitably be on defining communities, modifying processes and tightening up record keeping, in the medium to long term SM&CR will force attention to switch to individual conduct and culture change.


Challenge 5 – Keeping SM&CR records will not be as straightforward as you expect.

The final challenge you can expect is that of record keeping. I expect the immediate reaction of your firm, like many banks, is to use existing systems to store your SM&CR records. However, doing this poses significant challenges, even if they don’t surface immediately.

Banks initially held SM&CR records in a variety of places: F&P records in the HR system, committee structures and meeting minutes in a governance system, appraisal records in another system, the Management Responsibilities Map (MRM) in Excel, and so on. Keeping records this way created major challenges for the central teams responsible for oversight. The regulator expects ‘point in time’ reporting, i.e. a firm must be able to explain in detail which executive was accountable for what on any given date since the regime commenced. Fast forward a year or even a few months, and managing SM&CR via a spreadsheet unravels as board members leave, new ones join and others switch role (and so change SMFs and responsibilities). As one Operations Director put it: “If you ask me what our MRM was in late September or early November I can tell you, but we completely lost track of what happened in October”.

SM&CR requires firms to model, map and record their governance arrangements, and ‘date stamp’ every change. Add to this the requirement to ensure continued compliance with SM&CR by maintaining records and completing tasks to time and to standard, and there is no simple way or shortcut to comply. That is why the team at Worksmart decided to re-platform and upgrade the SM&CR offering, taking into account the lessons learnt in banking.

Financial services firms need to think hard about their existing systems and whether they are up to the demands of SM&CR before they go live. And if an existing supplier tells you that their HR/E-Learning/Appraisal system can manage the complex and newly introduced SM&CR requirements, that’s great – but exceedingly unlikely. Your response should be “show me – in real time” or even “let me play with the system for half a day to see how intuitive and capable it really is.” If the solution provider is unable or unwilling to do it, then you should take this as a sign that maybe it’s not all it’s cracked up to be.

In the desire to get SM&CR implemented, record keeping is seldom ‘front of mind’ for the project team. However, the message is clear: if the quality of record keeping isn’t anticipated and confronted, major problems will bubble up after ‘go live’, and the longer sub-standard systems are relied on post live, the bigger the problem will become.

Since 2015, the Worksmart team have been involved in multiple SM&CR implementations in the banking and insurance sectors. Whilst not claiming to be the definitive list, these five challenges were by far the most common we experienced. Our hope is that by being aware of these challenges, your implementation project team will ‘land’ SM&CR without hitting the potholes encountered by many in the banking sector.

My job, with the help of all the Worksmart team, is to continue to support firms implement both the letter and the spirit of the regulation as speedily and painlessly as possible. It’s going to be a very busy year!


Website: https://www.worksmart.co.uk/


Many thought it was too good to be true, but was it? Below Karen Wheeler, Vice President and Country Manager UK at Affinion, gives Finance Monthly the rundown.

YouGov research highlights that 72% of UK adults haven’t heard of Open Banking and according to PwC, only 18% of consumers are currently aware of what it means for them. However, that doesn’t mean the changes aren’t filtering through.

The story so far

The Open Banking Implementation Entity (OBIE) reports there are now 100 regulated providers, of which 17 Third Party Providers (TPPs) are now using Open Banking in the UK. Open Banking technology was used 17.5 million times in November 2018, up from 13.9 million in October and 6.5 million in September, with Application Programming Interface (API) calls now having a success rate of 97.7%.

One of the earliest examples was Yolt, by ING Bank. It showcases a customer’s accounts in one place so they can see their spending clearly and budget more effectively. Similarly, Chip aims to help people save more intentionally. Customers give read-only access to their current account and then sophisticated algorithms calculate how much a customer can afford to save, and puts it away automatically into an account with Barclays every few days.

High Street banks have certainly taken inspiration from fintechs. For example, HSBC released an app last year enabling customers to see their current account as well as online savings, mortgages, loans and cards held with any other bank. The app also groups customers’ total spending across 30 categories including grocery shopping and utilities, making it a really helpful budgeting tool.

Perhaps, most advanced of all, Starling Bank allows customers access to its “Marketplace” where they can choose from a range of products and services that can be integrated with their account. The offering currently includes digital mortgage broker Habito, digital pension provider PensionBee, travel insurer Kasko, as well as external integrations such as Moneybox, Yoyo Wallet, Yolt, EMMA and MoneyHub.

Open Banking and GDPR

One key question is whether Open Banking puts the needs of financial services companies over those of the consumer. There is a general cynicism regarding the real reasons for encouraging Open Banking and this is exacerbated when most customers aren’t seeing the benefits.

Also, there is confusion caused by the apparent conflict of interest between Open Banking and GDPR.

In this day and age, do consumers really want more organisations to have access to their data? Can they trust the banks? According to PwC, 48% of retail banking customers cite security as their biggest concern with Open Banking and this is a significant barrier to overcome.

The way forward

It’s hard to overcome cynicism and doubt. Perhaps, once customers begin to enjoy the positives, they will be less sceptical about Open Banking, leading to more opportunities to build longer term customer engagement. For example, if products help them avoid going into debt or nudge them when new mortgage rates are on offer, they will see that banks are using the technology to support wise financial management rather than just serve their own marketing purposes.

It’s also hard to change entrenched consumer habits. To encourage consumers to get in the habit of comparing and switching, financial organisations must create truly compelling propositions. They need to focus on delivering intuitive, useful digital products which make a real difference to customers’ daily lives.

They also need to demonstrate how seriously they take their role in the fight against cybercrime while educating the consumer about how Open Banking works and how to protect their data. For example, many may not realise that one of the key tenets of Open Banking is security. Open Banking uses rigorously tested software and security systems and is stringently regulated by the FCA.

Placing the customer at the centre of their finances and giving them complete control directly increases competition and brings a myriad of everyday benefits to the customer. There is huge opportunity for traditional banks, fintechs and disruptors to use Open Banking to pioneer new products that build longer term customer engagement. However, the current priority is communicating the huge advantages and opportunities that Open Banking brings while reiterating that their data will remain secure.

Martin Kisby, Head of Compliance at Equiniti Credit Services, explores the motivations behind the evolution of compliance functions in consumer credit firms.

Risk and compliance departments, once held in low esteem by other business units, have evolved into a crucial function for protecting profitability. This is still a controversial statement in the consumer credit industry, but it’s easily justifiable. To do so, let’s take a look back.

It’s 2008. The consumer credit market is regulated by the Office of Fair Trading (OFT). Firms have a set of guidelines they are required to adhere to, but in reality can interpret or even circumvent them entirely. Business objectives are often, if not always, placed ahead of consumer needs.

So what was the role of the compliance function back then? Well, it provided some assurance to the OFT that firms were not ignoring its guidelines in their pursuit of profits.

This often led to compliance functions being derided as the ‘Business Prevention Unit’ or ‘Profit Police’ and being allocated minimal resource.

Fast forward to 2014: the financial crash has altered the consumer credit landscape dramatically. Trends in mis-selling, together with poor consumer outcomes, have highlighted the need for fundamental change. The creation of the Financial Conduct Authority (FCA), by merging the OFT and Financial Services Association (FSA), is intended to add more stability and oversight to the sector, ensuring better service delivery for consumers.

Big changes ensued.

The FCA developed a more robust and detailed handbook, which not only provided guidance on how firms across the sector should be operating, but also changed what was previously ‘advice’ into hard and fast rules.

Firms were given only interim permissions and needed to complete an approval process to gain full FCA authorisation. This required firms to demonstrate strict adherence to the new and updated rules and guidelines.

From this point onwards, the role of compliance was transformed. Firms began to allocate significant resource to this function to ensure they could provide continued assurance to the FCA that its rules and guidelines were being followed. It became imperative to demonstrate that mis-selling, unreasonable collections practices, affordability issues and poor customer service were being eliminated.

The compliance department evolved from the ‘Profit Police’ into a pivotal function in every FCA regulated firm.

Risk management also became more prevalent under the new regulatory body, as the System and Controls section of the FCA’s handbook requires firms to assess and manage their risks, and have a Chief Risk Officer as one of their Approved Persons – individuals the FCA has approved to undertake one or more controlled functions.

These complementary objectives meant that compliance and risk departments were consolidated. Compliance plans were established to monitor specific elements of the FCA handbook and verify adherence to them. Any identified control inadequacies could be migrated onto a firm’s risk register for monitoring and remediation.

Back to the present. Four years on from the introduction of the FCA, firms have, overall, implemented the necessary oversight to demonstrate that they are meeting their regulatory requirements and treating customers fairly.

But let’s be honest – there are selfish motivations too. A strong compliance department, empowered to change processes as best practice dictates, reduces the risk of both regulatory fines and exposure to defaults. This increases revenue and protects profit margins.

In a sector competing on cost at a scale never seen before, and where consumer brand loyalty is decreasing by the day, protecting a firm’s margins is crucial.

As compliance has increased in importance, technology has kept pace and evolved to reduce the time and cost burden regulation could otherwise have imposed. Now, best-of-breed credit management solutions seamlessly integrate compliance monitoring and reporting into their sourcing, approval and collections processes.

Happily, this combination of motivations and technological developments has created a win-win for lenders and borrowers alike: an established and proactive risk and compliance function that not only protects consumers but also contributes to the strategic objectives of the lender’s business.

Consumer trust in banks has plummeted in recent years. The 2008 financial crisis, as well as recent examples of bad practice such as TSB’s IT meltdown which compromised millions of accounts, has led to many consumers questioning whether their bank really has their best interests at heart. Indeed, RBS chief Ross McEwan recently predicted that it could take up to a decade to rebuild lost customer trust following decades of poor treatment.

In fact, as many as one in five customers (20%) no longer trust banks to provide them with a loan – ostensibly one of a bank’s primary functions.

Despite this mistrust, consumer appetite for credit remains high. We’re therefore seeing a rise in alternative lenders offering customers the flexibility and transparency customers desire – and which many traditional banks have conspicuously neglected – which could spell the end of the traditional banks’ role as leaders in the lending sector.

But how has the lending process evolved and what does this mean for traditional banks?

The rise of new consumer lending models

While consumers are willing to borrow outside of traditional banks in the wake of these institutions having cut back on unsecured lending, they will no longer trust a provider which does not operate transparently or ethically – as evidenced by the collapse of Wonga. This, combined with recent regulatory action from the FCA, has heralded a wave of change within the financial lending sector.

Following the lead of disruptive, digitally-focused providers such as Uber and AirBnB in other sectors, a number of fintech disruptors – such as Atom and Monzo – have materialised. These brands have analysed the day-to-day banking issues customers face – such as a lack of transparency and poor user experience (UX) – and designed their services from the ground up to mitigate these issues.

From taxi apps that invite you to register a payment mechanism, to autonomous vehicles that pay for their own parking or motorway tolls, “banking” without the need for a bank will gradually become a more everyday experience. In this vein, so too will consumer lending change through organisations that offer finance at the point of sale itself – both online and in-store – moving from traditional pre-purchase credit to a far more seamless service.

Flexible point-of-sale lending is changing the nature of financial transactions across a range of sectors, including how to fund a holiday, buy a house, and even pay for medical treatments at a rate which suits the customer. The potential of this lending method is huge, with more than three quarters (78%) of consumers saying they would consider using point-of-sale credit in the future.

What does this mean for traditional banks?

People seldom wake up in the morning thinking “I must do banking”. Banks don’t tend to inspire the levels of consumer loyalty seen in other sectors, and they must therefore work far harder to retain customers. Given this, the ongoing reticence of banks, to both lend and offer customers what they want, has created a gap in the finance market, which could be the death knell for traditional banks if left unchecked.

As frictionless point-of-sale lending businesses and customer-centric fintech brands continue to thrive, several key banking functions – such as money management and consumer lending – may be replaced entirely by newer, more agile providers. For example, could the fact that providers are now offering finance in the property sector put an end to the traditional mortgage?

If this growth of smaller, more agile disruptors continues, banks are highly likely to see reduced customer numbers. It was recently predicted that banks could lose almost half (45%) of their customers to alternative finance providers, and if banks do not adapt their offering there is a real danger they may be driven out of the market altogether.

Simply put, if banks do not place a greater focus on what customers want – flexibility and transparency – their status as the stalwarts of the lending market may soon be a thing of the past.

Almost a year in, is MiFID 2 fit for purpose, and what needs to be done to make sure that financial services companies start to comply? Below Matt Smith, CEO of SteelEye, explains.

Failure to comply implied threats of reputational damage and harsh fines from the FCA and so, come implementation day on January 3, those firms which hadn’t digested MiFID II’s 1.4 million paragraphs of rules in time were left living in fear of a crackdown from regulators.

Eleven months in, that crackdown has yet to materialise. And while a number of firms have undertaken the effort and expense to implement MiFID II’s myriad rules in full and have hopefully reaped the benefits of doing so, an equally substantial number haven’t – and regulators appear to be turning a blind eye.

This ‘softly, softly’ approach by the FCA has been picked up by commentators. Gina Miller, head of wealth manager SCM Direct, recently called for the Treasury to investigate the FCA for its failure to enforce MiFID II. This was in response to an April investigation which uncovered fifty firms in breach of MiFID II’s transparency rules. Despite receiving this dossier, the FCA wrote only to eight of the firms.

Given the breadth and complexity of MiFID II, most in the industry weren’t surprised that the FCA didn’t react strictly to non-compliance immediately after January 3. Equally as important as complying with MiFID II was that the markets affected by it continued to function effectively – which necessitated giving some time for the new rules to settle down.

But the lacklustre approach of the FCA is less understandable now we are approaching the anniversary of MiFID II’s implementation day. At the very least, it is unfair to those firms which took the time, trouble and expense to comply with MiFID II right from its implementation date – particularly smaller companies lacking substantial in house resources in technology and compliance.

The FCA’s unwillingness to enforce MiFID II is, unsurprisingly, having an effect on the number of firms making an ongoing effort to comply. As evidence, ESMA recently published its data completeness indicators, which showed a significant shortfall in companies’ compliance with ESMA’s data filing requirements – often submitting unsatisfactory data that is incomplete or late.

Ongoing ambiguity with MiFID II’s rules may be in part to blame. In the build up to MiFID II, many firms didn’t seem to fully understand what was actually required of them. This knowledge deficit was worsened by a lack of clear guidance from the FCA, which has continued.

Across the industry, the FCA has been criticised for this ambiguity, arguing that it makes it near-impossible to comply with the regulation. Even within firms, individuals have come to different interpretations of the rules and, throughout the industry, there is little coherence when it comes to compliance and what needs to be done by when.

The FCA has claimed that its soft approach to enforcing compliance is soon to end, meaning firms could soon have to embrace MiFID II or risk being left behind. But with ambiguity remaining and a number of hurdles ahead, many in the industry are beginning to wonder if the FCA even knows what exactly it is going to be enforcing.

The shadow of Brexit looms large and the future of London as a financial hub is still unclear, as is definitive information on what regulatory regime will apply: a paper backed by ex-Brexit Secretary David Davis suggests numerous reforms to MiFID II. Moreover, the form and scope of MiFID II could soon be set to change considerably, with MEP Kay Swinburne already hinting at the possibility of a MiFID III.

This leaves both the FCA and financial services firms flying blind when it comes to both compliance and enforcement. This climate of uncertainty puts on hold the achievement of MiFID II’s goals of increasing transparency, investor protection and market competition.

If these goals are to be realised, a more responsible stewardship of its own rules – and uniform implementation of them – must be enforced by the FCA. If the FCA delivers on what it promised with MiFID II, out of enforcement a more transparent, competitive and efficient industry should emerge.

Following recent incidents such as TSB's systems failure and Visa's service outage, operational resilience is increasingly vital. The Bank of England and FCA recently published a report stressing the importance of business continuity during a disaster. Below Finance Monthly hears from Peter Groucutt, Managing Director at Databarracks, who discusses what businesses need to do, and can do, to strengthen their operational resilience during a disaster and absorb any shock a business may experience.

In July 2018, the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint discussion paper aimed at engaging with the financial services industry to improve the operational resilience of firms and financial market infrastructures (FMIs).

At the time it was issued, banks and FMIs were capturing media attention, following several high-profile incidents.

TSB’s failed IT migration has been well publicised, costing the firm £176.4m in various fees and leading to the departure of its chief executive, Paul Pester. In June 2018, shortly before the release of this paper, millions of people and businesses were unable to pay for shopping due to a sudden failure of Visa’s card payment system.

Financial services lead in business continuity

The financial services industry is a leader in business continuity and operational resilience. It requires a high level of systems uptime and is well regulated. The best practices it introduces are often taken and more widely adopted by other industries. Our own research supports this. Our annual Data Health Check survey provides a snapshot of the IT industry from the perspective of over 400 IT decision-makers. The findings from this year’s survey provided some revealing insights.

64% of financial institutions had a business continuity plan in place, compared to an industry average of 53%. Of the financial sector firms with a specific IT disaster recovery process within their business continuity plan, 64% had tested this in the past 12 months – compared to 47% across other industries. Finally, 81% of financial firms had tested their IT disaster recovery plans against cyber threats, versus 68% of firms in other sectors.

While these findings reinforce the strength of the industry’s operational resilience, incidents like TSB and Visa prove it is not immune to failures.

The regulators want to “commence a dialogue that achieves a step-change in the operational resilience of firms and FMIs”. The report takes a mature view to the kind of incidents firms may face and accepts that some disruptions are inevitable. It provides useful advice that can be taken and applied not only to the financial services community, but other industries too.

Leveraging advice to improve operational resilience

So, what can be learned from this report? Firstly, setting board-approved impact tolerances is an excellent suggestion. This describes the amount of disruption a firm can tolerate and helps senior management prioritise their investment decisions in preparation for incidents. This is fundamental to all good continuity planning; particularly as new technologies emerge, and customer demand for instant access to information intensifies. These tolerances are essential for defining how a business builds its operational practices.

Additionally, focusing on business services rather than systems is another important recommendation. Designing your systems and processes on the assumption that there will be disruptions, while ensuring you can continue to deliver business services, is key.

It’s also pleasing to see the report highlight the increased concentration of risk due to a limited number of technology providers. This is particularly prevalent in the financial sector for payment systems, but again there are parallels with other industries and technologies. Cloud computing, for example, is reaching a state of oligopoly, with the market dominated by a small number of key players. For customers of those cloud services, it can lead to a heavy reliance on a single company. This poses a significant supplier risk.

Next steps

Looking ahead, the BoE, PRA and FCA have set a deadline of Friday 5th October for interested parties and stakeholders to share their observations. The supervisory authorities will use these responses to inform current supervisory activity, helping to dictate future policy-making. The supervisory authorities will then share relevant information with the Financial Policy Committee (FPC), supporting its efforts to build resilience in the financial system.

Firms looking to improve their operational resilience should take advantage of this excellent resource – whether in financial services or not.

© 2024 Finance Monthly - All Rights Reserved.