3 Lines of Defence Consulting Briefing Paper
Q2 2020 Edition
Key Challenges Facing the Financial Services Sector
QUOTE: “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way…” Charles Dickens - A Tale of Two Cities
Contents:
Introduction
Market Abuse Prevention
Anti-Money Laundering
Senior Management & Culture
COVID-19 and the New Normal
BREXIT
Introduction
BREXIT is on the near horizon and COVID-19 is here, continuing to put the financial services sector under great pressure. To operate and survive, firms face new working practices, a need to be flexible and increased cyber activity, resulting in increasing operational risks, along with scrutiny from investors and regulators. The Q2 2020 Briefing Paper is intended to highlight some of the key areas to think about over the next 6 to 12 months, based on the current environment and regulatory focus.
At the start of COVID-19, in March 2020, 3 Lines of Defence Consulting (“3LDC”) issued a White Paper, “Financial Markets Operations Response to COVID-19: Best Practices for Working from Home”, in conjunction with A-Team Insight. This Briefing Paper reconsiders COVID-19 with the developing requirements, along with the sound practical steps to be taken and other key areas of business focus. Business life and the regulatory requirements of financial services firms have not been put on hold because of COVID-19. In fact, quite the opposite, as the UK regulator is keen that services to consumers should be maintained and that consumers should not be penalised in any way in terms of cost of service. Furthermore, the UK regulator is keen to understand the financial impact of COVID-19 on regulated firms. This Briefing Paper considers how firms should respond to the current regulatory hot topics of market abuse prevention, AML and the Senior Management requirements, and concludes with COVID-19 and BREXIT.
3LDC provides focussed specialist advisory and support services for the financial sector and draws on extensive hands-on experience within the team to support clients through COVID-19 and beyond. 3LDC is complemented by its sister company, 4 Lines of Defence (“4LOD”), which provides software and tools to enable clients to empower performance and maintain information security. Our team is formed from a partnership of former C-Suite heads of function, senior managers and subject matter experts from across the financial services industry and legal sector. Our senior team members all have over 25 years’ experience within their field to draw on. In their previous roles they have encountered and responded to the myriad of changes, meeting the challenges that the industry has gone through over recent times. Since it is so topical, we have provided thought leadership and guidance on the current challenges that COVID-19 and the lockdown have brought to all workplaces, from defining best practice for “working from home” processes through to how to maintain regulatory and reporting requirements. Read on to find out how we can support financial services firms with their compliance, regulatory and information security requirements.
Market Abuse Prevention
Market abuse, conduct and culture continue to be a key focus for the FCA. This is highlighted in Market Watch 63, published in May 2020, which sets out some of the FCA’s expectations of firms adopting new working from home arrangements during the COVID-19 pandemic. Firms are expected to continue to meet all their regulatory obligations including, as specifically emphasised, those relating to preventing market abuse. The FCA highlights that firms should review and update their market abuse risk assessments in response to any identified heightened or additional risks arising from these new working arrangements. Performing a Market Abuse Risk Assessment is a vital part of every financial services firm’s Market Abuse Prevention Toolbox. At 3LDC, we bring together senior compliance, risk, front office and operational experts to work with clients to build the optimal Market Abuse Prevention Toolbox, which includes:
1. Establishing, enhancing and quantifying the company’s appetite for risk
A zero appetite towards risk is unrealistic and not appropriate, as risk is taken on as soon as firms start to operate a business. We help to quantify an acceptable level of potential risk of market abuse for the firm to enable it to understand, mitigate and manage that risk.
2. Conducting a risk assessment
Risk assessment forms part of a firm’s Enterprise Risk Management System and is a key element of the Market Abuse Prevention Toolbox.
The firm’s risk assessment is key to assessing where the market abuse and other misconduct risks may occur in the organisation. Companies will have different inherent risks and different tolerance levels for risk according to their business activities. A risk assessment should be owned by the whole business and requires engagement with the board and the leadership team, front, middle and back offices. We facilitate that essential engagement and ownership across the business.
Once a firm’s appetite for risk has been ascertained and the risk assessment has been completed, we can calculate the residual risk and provide an understanding of what that means. The board and leadership team can ensure the risk appetite and the residual risk align.
3. Policies and procedures
Robust governance requires firms to have clear structures in place with defined roles and responsibilities. The right policies and procedures inform staff of their regulatory requirements and obligations and can be supported with generic and/or bespoke training.
4. Surveillance and monitoring systems
Does the firm have an automated surveillance system, employ manual monitoring methods or, as with the majority of firms, use a combination of both? Are a company’s monitoring and surveillance systems looking for the right types of behaviours and are they effective in doing so? Is the correct data feeding the monitoring and surveillance systems? Are the thresholds and parameters on the automated surveillance system set correctly? How are alerts categorised and how does the firm measure the success of surveillance and monitoring systems? Does the firm adjust for new threats arising from COVID-19? These are important questions that require answers. We can help address these questions.
5. Reporting of suspicious activity, near misses and responses
Is the framework established for assessing monitoring and surveillance “hits” appropriate and effective? Moving from a sea of alerts, through false positives and near misses, to identifying reportable suspicions is not easy. Firms need the right monitoring and surveillance tools, parameters, guidance, awareness and people involved. We can help clients ensure that the framework is integrated, involving compliance and the wider business. We can help clients learn from near misses, refining their framework and business model.
6. Management Information
Strong and insightful management information is essential to managing a firm’s business in a controlled manner, enabling senior management to meet their responsibilities. We can ensure the firm’s management information is more than just data.
3LDC provides firms with a framework to identify, mitigate and manage the risks presented by market abuse, bringing experienced practitioners together to provide the expertise needed by investment banks, brokers and asset managers to protect their business.
Anti-Money Laundering
There is a long-standing regulatory requirement to have effective procedures in place to detect, prevent and report suspicions of money laundering. The regulatory requirements have expanded over time to encompass sanctions and anti-terrorism financing within their broad scope. The UK and EU’s Money Laundering Regulations are updated regularly to take account of new financial crime threats. As the AML requirements evolve, it is essential that firms implement and maintain sound practice policies, procedures and controls to mitigate/manage the risk of involvement in money laundering activity. Remember, you can never have a ZERO RISK scenario if you are running a business. The FCA is currently undertaking a thematic review assessing firms and their anti-money laundering activities. We understand that they have found that many firms are still not meeting the standards required or following the guidance appropriately. We recommend that you review your current arrangements to ensure that they continue to meet regulatory expectations.
All firms should ensure they have factored in and considered the latest threats. These include (i) using cryptoassets and exchanges, (ii) countering money laundering through the use of dual use goods and (iii) the risk impacts of COVID-19 on handling clients/processing transactions whilst working from home. A common issue identified is that firms do not have automated monitoring systems which are effective in terms of their business model and/or new threats. Firms must ensure that they are aware of and using the industry guidance available, to help operate a robust framework that matches their activity profile.
Firms that are found to have inadequate controls in place will be instructed by the FCA to remediate. This may also include being required to appoint a Skilled Person to report on their activities, under Section 166 of the Financial Services & Markets Act. This is an expensive exercise in terms of the Skilled Person’s fees, the management time, reputation and personal liability for the board, or the appointed Senior Manager responsible for AML. Plus, this is all in addition to the actual remedial costs of implementing the required enhancements. It is much more effective to ensure you have a robust framework already. When formulating a remediation plan, firms will need to consider reviewing client folders and profiles, policies and procedures, controls and automated monitoring systems, to ensure they can evidence appropriate due diligence and on-going assessment. This is where, as an independent expert, we can provide invaluable support.
3LDC brings together a team of senior level AML and financial crime prevention experts, providing clients with a range of services including:
• Status - Running a health check to determine your current status
• Gaps - Identifying gaps and areas for improvement
• Remediation - Designing a remediation plan (as appropriate)
• Clients - Reviewing client files & profiles
• Process & Controls - Enhancing current AML processes and controls
• Personal / Confidential Data – Ensuring KYC data is obtained, used and kept securely. Think GDPR.
• AML Monitoring – Helping tailor automated monitoring systems so they are effective
• Awareness – Tailored training and updating firms on latest guidance and regulations
• Policy - Supporting clients to rewrite and update policies as required
• Pre FCA Review – Supporting management in preparing for FCA reviews
• FCA imposed Section 166 Reviews - Supporting firms through the S166 process and preparing them adequately for skilled persons interviews
• Skilled Persons – Helping management and providing support services from within the firm to appointed Skilled Persons
Through the delivery of the above services, 3LDC provides advice and support to enable firms to assess and enhance their financial crime prevention frameworks.
Useful Resources
The Joint Money Laundering Steering Group – Prevention of money laundering/combating terrorist financing 2020 Revised Version.
https://secureservercdn.net/160.153.138.163/a3a.8f7.myftpupload.com/wp-content/uploads/2020/06/JMLSGGuidance_Part-I-_June-2020.pdf
FCA – Financial crime: a guide for firms – Part 1
https://www.handbook.fca.org.uk/handbook/document/fc/FC1_FCA_20160703.pdf?date=2018-12-12
FCA – Financial crime: a guide for firms – Part 2
https://www.handbook.fca.org.uk/handbook/document/FC2_FCA_20160307.pdf?date=2018-12-12
The Financial crime guides referred to above have been retired from the FCA Handbook. Despite this, we believe that they contain useful information, particularly on best practice versus bad practice.
Senior Management and Culture
The Senior Managers and Certification Regime (SMCR), originally put in place for banks, has now come into effect for other financial services firms from December 2019. Its well publicised aim is to embed good practice, ensuring ethics and good governance are more than a tick box exercise. For investment banks, brokers and fund managers who fit into the smaller and medium sized firm categories, operating under this regulatory regime is still new. They may still have yet to redesign their underlying processes to ensure that the fundamentals of SMCR are adhered to throughout the business. Of course, COVID-19 has not made this easy and SMCR may well have been put to one side for the moment. We anticipate that when the COVID-19 pandemic is over, the FCA will increase their scrutiny of firms’ culture and governance throughout the period. The FCA will, especially if issues have arisen, give consideration as to how Senior Management performed over this crisis and whether it can demonstrate that this was in a responsible manner.
3LDC supports firms and the individuals appointed as Senior Managers (including those authorised under the FCA’s Senior Manager Regime), in not only meeting their responsibilities around SMCR but in ensuring it is embedded throughout the organisation. We have listed below some of the key areas and tools which have proved themselves to be very effective in ensuring sound practices are operated, when working with clients to assess and enhance their governance frameworks. Our services include:
1. Healthcheck
A healthcheck assessment of the current policies and processes to ascertain if they are working and how the culture and governance formally flows through the organisation.
2. Risk Assessment
The risk assessment will evaluate the key areas of risk and the controls that the firm has established, understanding if these are effective and working. We will help the firm to identify gaps and develop a plan for remediation.
3. Management Information
We assess the management information that is produced, to ascertain whether it is clear, effective and helps the senior management. Too often it is just data rather than management information providing valuable insight. You need the right metrics and parameters.
4. Training
Our team works with firms across different areas of the business, using our cross organisational skill sets, gained in senior and C level positions. These encompass control functions, operations, front office, HR, and finance. We run practitioner-led training and mentoring for senior individuals to help them understand and adapt to the requirements of the SMCR.
5. Non-Executive Directors
3 Lines of Defence Consulting can support NEDs with training and mentoring to help them build awareness of conduct risk, governance and how the businesses operate. We can also identify suitable NEDs for firms if required.
6. Independent Reviews
Our team acts as an independent sounding board for many clients, supporting them with whistleblowing, investigations and challenging compliance and other teams. We have, for example, independently audited the compliance, audit and risk functions, reviewing the first, second and third lines of defence, thus providing reassurance and protecting the board and senior managers. Our IT security experts can assess firms’ cybersecurity defences, helping to identify risks in operations and processes, and outlining suitable mitigations.
Through the delivery of the above services, 3LDC provides advice and support to enable firms to assess and enhance their governance frameworks.
COVID-19 and the New Normal
We now wake up to the fact that the distributed / remote working model (working from home) has become the new normal and will be with us for some time to come – maybe even into next year. Although the individual circumstances may vary, for example if you are a major bank and need physical access to paper records or a fund manager who can work on systems remotely, it has an impact. A very recent AIMA survey in the hedge fund space indicated that 50% of firms were not looking to return to the office until November 2020 and 20% were looking at January 2021. Then there is the big question in everyone’s mind as to whether this means everyone will be back in the office or a move to a partially distributed / remote working model. This change of the status quo brings with it a new set of challenges and changes to the way we operate. There are also opportunities for business model and work practice changes going forward. Remember, as regulated entities, the FCA and PRA’s expectation of firms and their governing bodies has not diminished. They are currently tolerant but are definitely not turning a blind eye to the obligations under SMCR.
Beyond BCP
It started as BCP and maybe that emergency team leading the response has now “stood down”. You had to think on your feet, as the plan did not really exist to deal with the global pandemic. Everything appears to be working to the best of your abilities, especially given the scale of response required. However, now is a good point for the senior management to take a step back and look at the bigger picture. What are our next steps, where do we go from here and how do we get there safely? Now the focus needs to be more strategic, shifting to establish processes, control and communications.
Communication is Key
Good communication remains essential. Obvious as it sounds, this can start to be overlooked when responding to a long-term change like this. The communications message needs to be driven both externally, with clients/investors, and internally, with your teams, not forgetting auditors and all those other important connected parties. We have seen this addressed internally with the establishment of regular virtual business updates and team building virtual drinks, as part of the standard new norm for the business operating model. Next steps beyond the emails and virtual meetings may include webinars, podcasts and using other social mediums.
Systems and Infrastructure
Further enhancing your IT platforms and structure will be an almost inevitable requirement, if not done already. This is not only from the internal efficiency and control perspective; just as important is the fact that clients now expect you to provide a more efficient service. Information security and cyber-crime risk in this distributed world has increased. So, your model of primarily “protecting assets inside the building” has been superseded by a need to also cover all those new remote laptops and home PCs (some of which may be owned by the employee rather than the firm). We are now seeing many firms starting to look at smart systems to protect their network whilst everyone works remotely. You need to ensure everyone can access systems safely (wrapping protection, detection and response into a single control), to make life simpler.
Document Everything
Policies, controls and procedures now need to be amended to reflect the new working regime. This will help staff protect against errors and comply with regulatory requirements. Remember, the key changes need to be documented. The changes need to be implemented consistently and, importantly, they need to be communicated both internally and externally.
Contracts
It is also time to look at your legal contracts, relationships with key outsourcing suppliers/vendors and clients (including investors). The new normal may have changed how you want to be committed and/or the commitments the parties make to you. Blanket force majeure clauses might not be so appealing anymore. Also, do your new business model and/or working practices require changes to be made to the service? Were you happy with the service you received and are continuing to receive? You need to know where they stand, as it impacts on your delivery capacity.
Post-Lockdown
Looking forward into the post-lockdown world, perhaps there is the opportunity to make some changes to how we all operate. The distributed / remote working model has proved it is sustainable beyond a short BCP period. Employees have, in many cases so far, embraced it positively and processes have continued to run. Maybe adopt some of this into the new norm. Allowing staff to rotate from working at home to being in the physical office can enhance their work time experience. Looking at reducing office space can be cost effective now. Maybe tectonic changes are some way off, but small changes may make a difference going forward. Increased flexibility can make for a happier workforce, and remember, a happy workforce is a successful workforce. In conclusion, you need to be constantly monitoring the situation and reacting accordingly.
You need to get the best out of your BCP and continuous operational deployment. Do it now rather than struggle later. Investors, clients, service providers and others will be judging you on your performance, so make the best of a challenging situation. What can 3LDC and its sister company, 4LOD, do to help you to adapt to the new normal?
• Review and health check IT governance and structures
• Review information security, cyber risk and GDPR frameworks
• Review control framework, to ensure fit for purpose
• Provide IT software tools to empower staff and manage end point risk – such as PowerPDF, GalaxKey and C-HUB AiRE
• Advise and support strategic initiatives, including support to manage and deliver on the regulatory implications
• Assess key outsourced suppliers
3LDC and its sister company, 4 Lines of Defence, can help you adapt and thrive in the New Normal environment, assessing the risks and implementing enhancements.
BREXIT
BREXIT talks with the EU have recently resumed. However, like the Charles Dickens quote, we still have very little certainty as to what the final outcome will be. The Prime Minister has stated that there will not be an extension of time, which means that BREXIT will occur in 6 months’ time and the UK will become a “third country”, and UK trading venues will become third country trading venues. Speculation runs around the percentage likelihood of a deal, whether it will have anything meaningful for the financial services sector, or whether the UK crashes out with a no deal. Many firms put their BREXIT project on hold, especially with COVID-19, but now is the time to start urgently dusting it off again. At present, it still appears to be very unlikely that the UK will be granted long term equivalence and you should factor this into your plans.
Outward Looking: It is highly likely that if you have clients based in “mainland Europe”, you may, in various sectors such as asset management, be able to take advantage of reinvigorated temporary laws and regulations, designed originally to handle the dislocation of a hard BREXIT. Several EU Member States have legislated to allow UK firms to continue temporarily to provide certain services in their jurisdiction following a no-deal Brexit. There is therefore uncertainty around how some of these provisions will be applied. You need to start planning and/or implementing your longer term model.
Inward Looking: If you are coming into the UK to do business, the temporary permissions regime ends at the end of 2020, and you may have to become authorised in some form to continue to provide financial services into the UK, which will encompass appropriate and proportionate governance and control frameworks.
All of this is happening while the financial sector is coping with COVID-19, with human and financial resources stretched.
3LDC can help take some of the load off your shoulders by providing a combination of project management and subject matter expert support. This can be through advisory services or the provision of hands-on resource over this period. We can work remotely or work on site with you when lockdown is lifted.
Helping You Navigate Business Risk
Trusted Partner To Your Sector
Contact Us
+44 (0)20 7129 1270
67 Grosvenor Street, Mayfair, London, W1K 3JN, UK
info@3ldc.com
info@4ldc.co.uk