Month: May 2020

FCA Warns Banks on Customer Communications - Waymark Tech Blog

The COVID-19 crisis has created numerous challenges for the financial sector, but one which often goes unseen is the logistical challenge of maintaining communication with customers. With lockdown in place, it is difficult for banks to maintain the speed and efficiency of paper-based communications. However, the FCA has reminded the sector of its obligation to do everything it can to comply with communication obligations.

Back in March, the regulator warned financial advice companies not to work in the office, and to avoid face-to-face contact with clients. Alternative arrangements were to be made online, but this left a gaping hole for those customers who, for one reason or another, were unable to access online services. Maintaining a business-as-usual service for these clients is proving to be a major problem.

In its recent guidance, the FCA is keen to ensure that despite these problems, offline clients are protected as much as possible.

Notifying the FCA of issues

While the regulator still expects firms to try to comply with paper-based requirements, it acknowledges this may not be possible in every case. There will be flexibility with timescales and it will be more understanding. However, it does expect firms to demonstrate what steps they have taken to minimise the impact as far as possible, and to notify it of any problems they expect to encounter by emailing firm.queries@fca.org.uk.

For example, a firm would need to collect and send out paper documents as often as possible, ensuring that while the service might be slower than normal, offline customers do not miss out. Funds should be returned to clients as quickly as possible if a delay means they cannot proceed with the transaction.

Clear communication

At times of uncertainty, transparency becomes even more important than usual. Firms will be required to provide regular updates about how they intend to treat incoming and outgoing post. Customers should be updated on evolving market conditions and shown how they can check their statements if they arrive late.

Face to face alternatives

Face to face meetings for issues such as suitability assessments may not always be possible. However, the FCA has urged companies to investigate alternative options such as phone conversations or online due diligence checks. Firms should send out the results of any assessment either online or through other means.

The FCA has experienced plenty of problems of its own. Back in April, it admitted it could be many months before it is able to address its key regulatory priorities. It is making its own adjustments and has said it may have to redraw its business plan to take into account the evolving situation.

Maintaining business continuity is an issue for all businesses. While online technology makes it possible to deliver more services remotely, it is the small minority who can’t access the internet who are at risk of being disadvantaged. Inevitably, these people are more likely to be older or more vulnerable and will be even more adversely affected by delays to their services. The FCA, then, is striking a balance between being understanding for customers and keeping up the pressure to protect those clients who may suffer.

Protecting Against Cybercrime During COVID-19

Cyber criminals are “making hay while the sun shines” during the pandemic, but regulators promise to be more understanding. What does that mean in practice?

An uncertain economic situation, financial volatility and a workforce working from home all make for a cyber criminal’s dream come true. The number of threats is growing and vulnerabilities are widening. Keeping data secure is more difficult than ever, and this may raise a number of compliance and regulatory issues for firms.

Home and mobile working

Most companies have dramatically upped their work from home provisions and they have done so with relatively little warning. Most professional people are almost as well connected at home as they are in the workplace. Broadband speeds are fast and people’s personal computers are generally high spec.

However, home networks will usually not be as secure as a company’s. Home working increases the number of endpoints connecting to your central system, which is like making lots of holes in the walls of a building. Even the most secure operation can become compromised.

The UK’s National Fraud and Cyber Crime Reporting Centre reported that coronavirus-related frauds rose by 400% in March. This was said to be linked to the increase in home working. The centre has issued fresh guidance about the steps firms should take before moving to a work-from-home model.

Compliance issues

Despite these challenges, the Information Commissioner’s Office has confirmed that firms will continue to face the same reporting obligations as always under GDPR. Privacy rights remain ‘paramount’ according to the watchdog, which means breach notification rules still apply.

However, the regulator has said they will allow for flexibility given the unprecedented situation we now find ourselves in.

In a statement, the UK’s Information Commissioner, Elizabeth Denham said:

“We see organisations facing staff and capacity shortages. We see the public bodies facing severe frontline pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”

What this means in practice is that the regulator will be more understanding when considering action. It says it understands the operational challenges confronting companies, including staff shortages, reduced operational capacity and financial constraints. It will use this, it says, to foster an ‘empathetic and pragmatic approach’ throughout the pandemic, including in how enforcement powers are executed and what technical advice it takes.

So what does this mean in practice?

Although the ICO is being more flexible, data protection is still vital, which means the rules around breach notification still apply. Any organisation which suffers a breach will still have to report it to the ICO within 72 hours of discovering it. Even so, the ICO has ceased all audits and, if the problem is caused as a result of the pandemic, it will take this into account. The commissioner appears wary of being seen to chase healthcare organisations while they are trying to save lives.

Any organisation which processes data will still have to pay its annual fee to the ICO, but the ICO will not prosecute any organisation failing to do so if it can provide evidence that it cannot pay due to the fallout from the pandemic.

Last but not least, any fines issued are likely to be lower, for all breaches. The ICO says it takes affordability into account before issuing any fine. Given the impact on companies’ finances, therefore, that is likely to mean any fine issued will be much lower than before the coronavirus outbreak.

Most importantly, this is no get-out-of-jail-free card. The ICO is being more flexible and it will be more understanding, but a company must still meet its obligations to safeguard data and report breaches. Failure to do so will still result in a fine.

More importantly, failure to take adequate measures will have much wider reaching consequences than just the wrath of the regulators. The ICO may be more understanding, but there’s no guarantee customers will be.

The move to a home working situation also makes your systems and the personal data of your customers more vulnerable. The reputational and financial impact of a hack will be just as high as always.

Coronavirus Gives SM&CR its First Real Test

COVID-19 is proving to be the first real test of financial regulations introduced since 2008, with the Senior Managers and Certification Regime in the front line.

Speaking to the Financial Times, the FCA’s interim Chief Executive, Christopher Woolard, has suggested that the Senior Managers Regime could give the regulator more weapons in ensuring corporations continue to behave ethically throughout the crisis.

Although he admitted that the FCA had little power to take action against those lenders who did not treat customers fairly, he suggested the regime did give the regulator an option to ensure fair treatment by lenders.

These rules allow regulators to take action against senior managers based on their conduct, including fair treatment of customers. With all commercial lending being unregulated, this will be the only weapon the regulator has to put pressure on banks.

However, since its introduction, the FCA has been criticised for taking relatively little action. After three years, it was only in August 2019 that it secured its first conviction when Barclays Chief Executive Jes Staley was jointly fined £642,000 by the FCA and PRA for his response to an anonymous whistleblower letter.

Since then, the regime has been extended from the banking sector and across all authorised firms, but its impact is still one which exists in the fears and imaginations of senior managers rather than in actuality. However, this crisis could be an opportunity for SM&CR to play a significant role.

Since the outbreak of COVID-19, there have been a number of complaints about how banks have been treating their customers, especially in the way the Government-backed loan scheme has been rolled out. The Federation of Small Businesses has been among those raising concerns about how the loan scheme is being implemented.

Although pace has picked up, approval rates are lower than with commercial lending despite the number of companies facing difficulties. The FSB has called for reassurances from the regulator that the banks are not putting profits before people.

The FCA has written to the banks reminding them of their responsibility to treat borrowers fairly at this stressful time, but beyond that it has relatively few direct powers. SM&CR could offer an alternative approach, and Woolard admitted this period would prove to be a test of the scheme.

Nonetheless, the difficulty they’ve experienced in securing convictions so far suggests they might face an uphill battle. The problem for the regulation is that it can be difficult to attribute the action of a company to a single individual. The burden of proof lies with the FCA and, in many cases, this is proving too high a hurdle to clear.

So far, then, SM&CR has been used as an abstract threat – a tool to place more pressure on individual managers to take greater responsibility for good conduct. Whether this will be enough remains to be seen.

COVID-19 is the first period of great stress for the financial sector. It is at these moments that corporate responsibility and regulation come under pressure. It’s also at moments like these that the cracks show and problems in the existing system are there for all to see. This in itself could serve as a warning to any corporates who do not heed the FCA’s letter and treat customers fairly.

Even though the regulator’s powers may be limited at present, if they are not satisfied by the actions of lenders during this time, they will be more likely to step up their oversight.

This could come in the form of enhanced regulation and stricter rules in the future.

EBA Updates Guidelines for COVID-19

The European Banking Authority has issued a new set of guidelines updating its approach to COVID-19, including issues of default, regulatory requirements and recovery planning.

The coronavirus pandemic has sent shock waves across the economic and business landscape, affecting how businesses can maintain operations as well as sparking increases in defaults. Regulators have been issuing guidelines about how they will mitigate such effects, the latest of which comes from the European Banking Authority, which has provided updates on risk, supervision, flexibility and moratoria on loan payments.

Moreover, the EBA has provided further clarity on its attitude to how flexibility will guide supervision in market risk, recovery planning, digital resilience and the Supervisory Review and Evaluation Process (SREP).

Here’s a quick look at what these guidelines are and what lessons firms should take…

To mitigate the impact of exceptional volatility triggered by COVID-19, the EBA proposes to adjust the capital impact and amend its standards on valuation. Among other things, it will introduce a 66% aggregation factor, which will be applied on 31 December 2020.

Flexibility

The challenge of COVID-19 is having a considerable impact on firms and the EBA is making allowances. There will be a more pragmatic approach to SREP assessments in 2020 which will focus on the most serious material risks created by the crisis. It will also delay reporting on the first FRTB-SA figures to September 2021 in recognition of the impact the pandemic is having on businesses and will offer greater flexibility on prudential requirements for competent authorities for banks using internal VAR models.

Recovery planning

The next issue is how businesses will recover. This is a highly fluid situation and no organisation is entirely certain about what recovery plans will look like because they still don’t know the full scale of the challenge. The EBA says the focus should be firmly on understanding which recovery options are necessary and can be applied under the current high stress conditions.

The EBA has also provided clarity on the prudential application of default and forbearance, whether in the form of postponement of payment or interest of a credit facility granted by a bank to a borrower in financial distress.

The EBA has clarified that a payment moratorium which abides by the guidelines will not lead to a reclassification under the definition of forbearance; banks should still categorise such exposures as “performing” or “non-performing” according to the applicable requirements. Banks should also assess each individual’s repayment capacity and set up tailored specifications where necessary.

Maintaining resilience

Key to this is digital resilience. As we’ve covered elsewhere, technology is coming to the fore in this crisis. It will create complications and opportunities for businesses looking to ensure digital operational resilience. The regulator says that businesses will have to ensure business continuity, adequate ICT capacity and security risk management so that they can maintain the integrity of systems and continue to offer value and protection for clients. Financial institutions will be able to use the new EBA ICT and security risk management guidelines to focus on priority areas.

The crisis is having, and will continue to have, an unimaginable impact on the financial sector. In setting out these guidelines the EBA seeks to ensure allowances are made and to guide businesses through the process of appropriate recovery plans.
