In its recently published strategy for the retail banking portfolio, the Financial Conduct Authority (FCA) recognises that the banking industry responded well to the immediate challenges created by COVID-19. Nonetheless, economic conditions are expected to remain difficult over the next two years, with the key risks of harm being dominated by the economic and social impact of the pandemic. The FCA identifies four priority areas for retail banks: (1) fair treatment of borrowers, especially those in financial difficulties; (2) good governance and oversight of customer outcomes during business change; (3) operational resilience; and (4) minimising fraud and other financial crime. This blog focuses on the key risks associated with operational resilience and reduction of financial crime, and on the steps banks can take to ensure regulatory compliance whilst enhancing returns.
Operational resilience has been a priority for regulators for a couple of years now and new risks created by the current economic environment have re-focused this attention. The FCA considers the level of “incidents and outages” is still too high. The root cause tends to be weaknesses in firms’ governance and oversight of operations and technology, especially in relation to change programmes. The regulator is concerned that governance and oversight will be further stretched by the accelerating rate of operational changes required as banks react to meet the changing needs of both customers and their own businesses post-pandemic. The FCA is particularly concerned about:
- increased reliance on third party suppliers;
- migration of data and systems to the cloud;
- increased traffic through digital / online systems;
- reliance on unprecedented technical innovations;
- capacity challenges in banks’ delivery of, and roll-off from, the various government schemes that have been put in place; and
- change programmes aimed at reducing costs and / or exploring new revenue streams.
To guard against these risks crystallising into harms, the FCA expects banks to take the following steps:
- identify, manage and mitigate risks arising from operational disruption, particularly in relation to change and transformation programmes. Good practice examples are highlighted in the FCA’s Implementing Technology Change review;
- engage with the FCA ahead of implementing operational and technological changes that could have a significant impact on the bank’s risk profile;
- identify and manage operational risks throughout the life cycle of third-party arrangements;
- highlight to the regulator where third-party suppliers are not correcting issues or mitigating risks;
- ensure appropriate engagement from the board and senior management;
- ensure board members and senior managers have the necessary knowledge, experience and skills for their responsibilities;
- establish clear lines of responsibility for managing operational resilience, and clearly delegate responsibilities where an important business service is supported by a wide range of people and systems, with particular attention on SMF24 individuals; and
- have regard to the FCA’s consultation on Building operational resilience: impact tolerances for important business services (no new requirements expected before the end of this year).
Minimising fraud and financial crime
Naturally banks are keen to expand their online presence to meet customer demand; but such expansion can increase the bank’s vulnerability to financial crime. Appropriate steps must be taken to mitigate and manage this risk. The current economic climate exposes banks to more pressing and evolving challenges, such as:
- criminals taking advantage of the ever-growing population of vulnerable customers;
- vulnerable customers being used as accomplices (e.g. money mules); and
- increasing speed and volume of transactions.
Banks must make sustained improvements to their systems and controls to adapt to new threats. In particular, the FCA expects firms to:
- ensure continuing adequate investment in well-resourced and capable governance and oversight of financial crime risks;
- make sufficient long-term investment - financial and non-financial - in counter-crime systems to ensure they are effectively spotting, disrupting, stopping and reporting potential financial crime;
- apply the guidance set out in the FCA’s guide to countering financial crime risk and cyber insights report, together with the latest JMLSG guidance;
- be prepared to explain the steps the firm has taken in response to the forthcoming Dear CEO letter on AML frameworks, where particular attention will be on SMF17s and prescribed responsibility D; and
- when conducting financial crime risk assessments, consider an overview of the risks to which the bank is exposed, including information about emerging risks and any changes to the current risk assessment.
Other than where the FCA conducts targeted engagement with newly identified high risk firms or is responding to firm notifications, monitoring and advancing these priorities will form part of the overarching supervision of retail banks this year.
In any event, in a post-pandemic world, investing in operational resilience and reducing financial crime is likely to result in positive reputational and financial returns.