Author: Admin Page 1 of 14

What Can We Expect From the New Head of the FCA?


Chancellor Rishi Sunak overlooks Chris Woolard and chooses Nikhil Rathi to take the FCA forward into the post COVID-19 world.

There’s a new face at the FCA, but it’s not the man most expected. After a relatively positive stint as interim Chief Executive, Chris Woolard had been favourite to take the role on permanently. However, the decision to shun him in favour of Nikhil Rathi, boss of the London Stock Exchange, could have a number of implications for the future direction of the regulatory watchdog.

Woolard shunned

Woolard had been busy during his time as interim boss. He took on insurers who attempted to shirk responsibility for business interruption cover, brought in his own QCs, hired law firm Herbert Smith Freehills to help the regulator deal with legal complexities, and launched an inquiry into sub-prime lender Amigo.

However, there is a sense that the FCA needs to be shaken up after the Woodford savings crisis, its failure to pre-empt the London Capital & Finance mini bonds scandal and the slowness of its response to malpractice in the investment sector.

Rathi, by contrast, is an outsider to the FCA and may bring a much needed freshness to the role. His track record of working in the Treasury may also have played a part in Sunak’s decision. Certainly his time at the Treasury may well help him to handle some of the upcoming challenges such as Brexit, although others may fear it makes him a little too close to Government.

The coming years will bring a number of challenges which could create friction between the FCA and Government. Rathi will do well to ensure he is seen to keep his employers at arm’s length and avoid any implication of political influence.

What to expect

As he takes his role, Rathi arrives at a pivotal time. The COVID-19 crisis has placed an enormous pressure on the FCA in maintaining its operations. It has already had to reset its priorities to ensure it can maintain the right focus despite the restrictions of the pandemic.

The financial world faces winds of change in the shape of new technology, climate change and a desire for greater accountability and better conduct. Each of these issues was front and centre of his attention as he set out his goals for the future.

The regulator is also fighting for its reputation. It has faced considerable criticism over the past few years and, like other regulatory watchdogs around the world, is under pressure to improve oversight and accelerate the conduct of cases. Rathi will need to hit the ground running and show that he can steer the regulator through the choppy waters which are on the way.

What Can We Learn From the Commerzbank Fine? - Waymark Tech Blog


The Watchdog’s second biggest fine for failing to have proper financial controls in place should serve as a warning to the rest of the sector.

The FCA has made anti-money laundering one of its key focuses for 2020 and this month it showed it means business with a £37,805,400 fine to Commerzbank London for failing to implement proper controls over a five year period. It’s the second biggest fine of its kind and offers some key lessons for the wider sector.

Listen to the regulator

The scale of the fine is partly down to the fact that the Bank was aware of the problem and had been warned by the regulator, but failed to take action. The FCA said it had warned Commerzbank on three separate occasions about the risk of financial crime going undetected, but that the bank had “failed to take reasonable and effective steps to fix them.”

Maintaining due diligence

The regulator found that the bank failed to undertake effective due diligence checks on clients. As of March 1st 2017, checks were overdue on 1,772 customers. In the meantime, many of these customers were able to continue doing business with the bank’s London branch through its Exceptional Control Scheme, which the FCA argues got out of hand.

The rules apply to you

AML requirements have toughened up in recent years, and regulators have very publicly stated this is a priority. However, many financial institutions, for one reason or another, haven’t fully understood the implications of the changes or that these rules apply to them. With the EU’s sixth anti-money laundering directive coming into force in December, firms will have to continually update and review their measures to maintain compliance.

Getting the technology right

Companies are increasingly leaning on automated compliance monitoring systems. However, these are only effective if they are functioning properly. The FCA noted a failure to address known weaknesses in the automated tool for monitoring money laundering risks. In 2015, the bank noticed that 40 high risk countries were missing from its tool and that 1,110 high risk clients had not been added.

Enhanced due diligence

Companies will be coming under increasing pressure to ensure their due diligence processes are as good as they possibly can be. This means enhanced ongoing monitoring of any situation which by its nature presents a high risk of money laundering or terrorist financing and maintaining up to date data and documentation.

Prompt action

One area where the bank performed well was in promptly agreeing to resolve the issue. The FCA says that the lender agreed to make changes at an early stage of the investigation, earning itself a considerable reduction of the fine. Without these changes, the FCA says the fine would have been £50 million.

Cooperation is seen in a positive light by the regulator. It is looking to use fines to encourage change rather than as a blunt tool of punishment. Those firms that can demonstrate an understanding of the problem and a willingness to change will receive kinder treatment.

Most importantly, this fine, coming quickly on the heels of Standard Chartered’s £1.1bn fine for violating sanctions and anti-money laundering rules, shows regulators are upping their game. The UK is continuing to align itself with the more aggressive approach taken towards anti-money laundering within the EU in recent years. Although we do not know how closely the UK will continue to be aligned with the EU after Brexit, its actions do nothing to suggest its approach will weaken.

Why third parties present a risk - Waymark Tech blog


With digital technology evolving by the day, more and more financial institutions are turning to third parties to handle an array of business functions. However, this can open up regulatory vulnerabilities which can be easy to miss – as Raphaels Bank discovered to their cost last year.

Third party risk

The FCA issued the bank with separate fines totalling £1,887,252 for failing to manage its outsourcing correctly. In 2015, one of Raphaels’ card processor providers suffered a technical incident which caused the complete failure of the authorisation and processing services it provided to Raphaels. This meant 5,356 transactions were not authorised at sales terminals.

The FCA investigation found that Raphaels failed to implement adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its provider. In particular, it had not assessed how that provider would support the continued operation of its programmes during a disruptive event.

Back in March, the FCA published new research on cyber resilience in the financial sector which included statements on third parties. The research stressed the need for businesses to consider the risks and weaknesses of third party systems and resources when assessing their cyber resilience measures.

In January, the FCA also released a paper explaining the implications of operational resilience for firms using third party service providers. We have more details of the FCA’s stance on the Global Regulatory Platform, but the essential message from the FCA is that every firm has the responsibility for managing its third parties. While you might be surrendering control of operations and data, the responsibility rests with you.

That means that if your third party experiences a problem which results in harm to your customers, you may be held accountable for the damage which results.

This has major implications for any company working with third parties, particularly in relation to its exposure to cybercrime. Data obtained last year by accountancy firm RSM under the Freedom of Information Act found that a fifth of all cyber breaches occurred due to third parties.

Lessons to be learned

The lessons are clear. As a firm, you should monitor all third parties you’re working with. Each one may potentially represent a vulnerability if their processes and systems are not up to scratch.

Extensive due diligence should be conducted before entering into an agreement. You should have a full understanding of what redundancy measures are in place in the event of any disruption or system failure. You should establish how resilient the company is to cyber attacks and what measures are in place if it suffers a breach.

Failure to undertake these precautions will leave you vulnerable to fines from the regulators, and in the age of GDPR these fines can be considerable.

How AI can help boost compliance - Waymark Tech Blog


According to the Thomson Reuters Cost of Compliance report, the problems most commonly cited by compliance professionals are increasing regulatory burden, compliance with anti-money laundering requirements, culture and risk, and the availability of skilled resources.

Those problems are likely to become even more serious after COVID-19 as financial services companies seek to maintain business resilience throughout this unprecedented crisis. Costs will be cut and the compliance department will be one of the first to face scrutiny.

This was already happening before the outbreak. According to Accenture, most compliance departments are having their budgets cut and are being presented with cost reduction targets.

This comes despite the compliance department moving to the fore in recent years. First, since 2008, regulators have been tightening their oversight and are constantly adjusting guidance – and bringing in new regulations. Each update brings new requirements for firms to comply with. Keeping up to date with the evolving landscape and ensuring your teams are doing everything they can to stay the right side of the rules is a constant struggle.

Second, the rise of cybercrime and the increasing tendency of businesses to handle data remotely has seen regulators ramp up the pressure on firms to ensure clients have control over their data, to keep that data safe and to identify breaches as quickly as possible.

Third, the need to comply with regulations and maintain the integrity and resilience of systems has seen a dramatic increase in firms’ data management and administration requirements. More than ever, they need oversight of their key systems and the ability to process information and control their data.

For example, if a client asks for their data to be deleted or altered, as they are able to do under GDPR, firms must be able to retrieve that information as quickly as possible and feel certain that they haven’t left some of that client’s personal data lying around somewhere.

Equally, MiFID II requires that they maintain a complete record of all communications with clients over business dealings. They will have to ensure this data is stored safely and can be retrieved at short notice to satisfy regulators.

Compliance teams will also need to maintain a transparent trail of evidence demonstrating what steps they have taken to comply with the regulations. The burden is heavy. However, all this work drives zero revenue into the company, which is why compliance is traditionally one of the first candidates to be trimmed.

The challenge is familiar: to do more with less. At a time when workloads are increasing, compliance teams are being asked to cut costs.

Unsurprisingly, therefore, firms are investing in AI and automation technologies which can variously reduce costs, streamline operations, improve oversight and reduce the risks of human error.

Some of the most common areas in which AI and automation are being used include:

Monitoring regulatory sources:

Applications can constantly monitor regulators for changes and updates to the regulations. They can notify the compliance team who can then determine what action they should take. Systems use natural language processing (NLP) algorithms to analyse news releases and extract salient information.

Checking compliance with regulations:

Both firms and regulators are making use of applications which monitor a firm’s compliance. Rather than spending time on audits, these applications can alert compliance officers and authorities to breaches, record evidence and prompt the user to take action.

Processing large quantities of text and other data:

New regulations normally get to the market in the form of lengthy documents, often comprising hundreds of pages. Compliance officers and business leaders may not have the time to go through all documents. However, applications can use natural language processing to read through the documents and extract the key actionable highlights.

Such systems are not foolproof. They rely on the AI working as intended in order to deliver value. By automating systems, businesses assume they are eliminating the risk of error. However, they are placing a huge amount of faith in the algorithms underpinning the application. Due diligence will be essential to ensure systems can deliver on their promises.

Even so, automation can significantly improve outcomes for businesses. On the one hand, firms will be able to reduce the time and attention spent on compliance, while on the other, the increased oversight these systems offer will provide value in many different ways. It will shine a light on areas of the business which hitherto remained in the shadows. As such, automation can even help a business improve performance, cut risks and identify revenues. It helps take compliance from being an administrative function and turns it into a proactive tool for driving the business forward.

If you would like to understand more about how AI can help your compliance efforts, please get in touch and we will be happy to guide you. We can offer a trial to demonstrate just how effective our systems are.

Please contact Mark for enquiries.

Was EasyJet Responsible for the Recent Data Breach?


Has EasyJet mishandled customer data? Were they responsible for the recent data breach? Could they have done more to prevent a cyber-attack?

These are all questions being asked, among many others.

With an annual global turnover in the region of £6.4 billion in 2019, the airline company is facing a potentially very heavy fine from the Information Commissioner’s Office (ICO) relating to the breach, under General Data Protection Regulation (GDPR). This will not include compensation payouts to affected customers if negligence on the part of EasyJet is proven, which could reach up to £3 billion.

EasyJet has said the breach was due to a “highly sophisticated cyber-attack.”

Around nine million customers have been affected, with email addresses and travel itineraries stolen. Furthermore, 2,208 customers who stored their debit and credit card details within their profiles on the EasyJet website have had those details stolen.

Why are we only finding out about this now when EasyJet was first alerted to the attack in January 2020?

Good question.

EasyJet has claimed that it was not able to inform the customers whose card details were stolen until early April 2020.

When questioned by the BBC as to why it took so long to notify customers, EasyJet stated:

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”

It added:

“We could only inform customers once the investigation had progressed enough that we were able to identify whether any individuals had been affected. Then, who had been impacted and what information had been accessed.”

It turns out that even the CVV digits (the three verification numbers on the back of cards) of those 2,208 customers had been accessed.

EasyJet has warned all affected customers that their email addresses were stolen during the cyber-attack and has advised them to be aware of potential phishing attempts. No details on the exact nature of the attack have been provided by the airline; however, it confirmed the investigation is ongoing and believes the attackers were targeting the airline’s intellectual property. It did not believe they were stealing data to use in identity fraud. EasyJet maintains its stance that it does not think that any of the nine million customers’ personal data has been misappropriated and has further advised that it has been acting under the recommendations of the ICO.

While the ICO completes its investigation, EasyJet faces a more pressing issue. The law firm PGMBM has issued a class-action claim against the airline which could mean a possible liability of more than £18 billion. PGMBM has filed the claim in the High Court in London on customers’ behalf. One of the reasons for this lawsuit is the fact that it took EasyJet four months to inform customers of the breach, even though it had informed the ICO earlier than this.

The British Airways cyber-attack and subsequent data breach in 2018 should have been a warning to all airline companies. Unfortunately, passenger trust is extremely low during the current crisis and this breach has most certainly not helped that.

The ICO is still investigating the data breach. It said that the general public has a right to expect companies to maintain their personal data in a secure and responsible manner and that where that does not occur, it will “take robust action”. Due to the coronavirus pandemic, though, it may need to be more lenient in regard to the EasyJet data breach, considering how badly the airline industry has been affected. It must nevertheless act adequately, because it has been criticised for not doing enough on GDPR enforcement.

What can we learn from the EasyJet fine?

Keeping on top of data protection under the GDPR rules has never been more important. These turbulent times have brought significantly increased cyber-attack attempts and a growing number of cyber criminals, the majority trying to access stored personal information and intellectual property. If your own business does not have data control protocols in place, it is high time to plan and implement them – without delay.

Final thoughts

EasyJet has advised affected customers that they should be wary of any messages claiming to come from either EasyJet Holidays or EasyJet itself. Regrettably, the COVID-19 pandemic has brought with it an increase in the occurrence of phishing attempts, and Google is purportedly blocking over 100 million attempts each and every day. This does not include those phishing emails that manage to slip through the net, so the public needs to be more alert than ever to these potential threats.

No doubt, the trust of most airline customers has been significantly affected and organisations will need to work hard in gaining it back. EasyJet, especially, will need to clarify why it took so long to publicly announce the cyber-attack. Yes, it has been working with the ICO to handle the issue, however its customers’ data was still out there, without them knowing, for months. Perhaps the fact that EasyJet has been liaising with the ICO and NCSC will reduce the impending GDPR fines, but still, a cyber-attack occurred and the customers whose personal data was stolen should have been notified sooner in order to take appropriate safeguarding action.

Opportunity Knocks: How to Protect Against Money Laundering During COVID-19


The current crisis has created a golden opportunity for fraudsters. A heady cocktail of disruption to business processes, financial pressures and multiple online transactions means the stage is set perfectly for cyber criminals and money launderers. Regulators, therefore, have been issuing guidance to companies about how they can reduce their exposure.

The Institute for Chartered Surveyors acknowledges where some of the biggest risks will come from. Its guidance document on anti-money laundering states:

“In particular, firms should consider whether the current economic climate may make them or their customers more susceptible to financial difficulties or other pressures, thus creating risk and potential weaknesses for criminals to exploit.”

In France, guidance from the Commission de Surveillance du Secteur Financier (CSSF) has identified a number of activities terrorists and criminals can exploit, including:

  • Online payment services
  • Clients in financial distress
  • Mortgages and other forms of collateralised lending
  • Credit backed by government guarantees
  • Distressed investment products; and
  • Delivery of aid through non-profit organisations.

The FCA’s revised business plan for 2020/21 places a firm focus on mitigating problems caused by COVID-19, including the heightened vulnerability to cybercrime and money laundering. It expressly confirms that it will continue to take enforcement action in this area. It is also consulting on extending its Financial Crime Data Return to strengthen risk-based supervision in this area.

Stay alert

All the guidance from various authorities hammers home similar messages. The risks are higher and firms must have effective systems and controls to detect and mitigate the risk of money laundering. To avoid enforcement action, firms will have to be able to point to documentary evidence which shows they have taken necessary steps.

Here are the key lessons that firms can take away from this:

  • Identifying weak points: As institutions shift to work from home models, their risks multiply. They will be moving much more data across the cloud as their workforce becomes predominantly home based. They must maintain system security by establishing clear protocols and endpoint security.
  • Maintaining oversight: Disruption to business processes must not be permitted to compromise monitoring and oversight of transactions. This may become more difficult due to the expected increase in online payment transactions as well as interruption to regular working patterns.
  • Managing delays: The FCA acknowledges that disruption may force firms to prioritise or delay some operations such as customer due diligence. However, where this happens, they must show they have taken a risk-based approach. For example, delays to due diligence on high risk customers should be avoided.
  • Verifying client identity: Travel restrictions can make it more difficult to verify the identity of clients. However, firms should be able to ensure numerous verification procedures are carried out remotely, for example by accepting scanned documents by email or asking clients to submit digital photos to compare with other forms of ID.

COVID-19 is a gift for a fraudster. It hinders the ability of financial firms and regulators to maintain oversight and to safeguard against the possibilities of fraud. By understanding the challenges and what alternative options are available to them, firms can minimise the interruption to their processes and strengthen their defences against criminals as much as possible.

FCA Warns Banks on Customer Communications - Waymark Tech Blog


The COVID-19 crisis has created numerous challenges for the financial sector, but one which often goes unseen is the logistical challenge of maintaining communication with customers. With lockdown in place it is difficult for banks to maintain the speed and efficiency of paper based communications. However, the FCA has reminded the sector of its obligation to do everything it can to comply with communication obligations.

Back in March, the regulator warned financial advice companies not to work in the office, and to avoid face to face contact with clients. Alternative arrangements were to be made online, but this left a gaping hole for those customers who, for one reason or another, were unable to access online services. Maintaining a business as usual service for these clients is proving to be a major problem.

In its recent guidance, the FCA is keen to ensure that despite these problems, offline clients are protected as much as possible.

Notifying the FCA of issues

While the regulator still expects firms to try to comply with paper-based requirements, it acknowledges this may not be possible in every case. There will be flexibility with timescales and the regulator will be more understanding. However, it does expect firms to demonstrate what steps they have taken to minimise the impact as far as possible, and to notify it of any problems they expect to encounter by emailing firm.queries@fca.org.uk.

For example, a firm would need to collect and send out paper documents as often as possible ensuring that while the service might be slower than normal, offline customers do not miss out. Funds should be returned to clients as quickly as possible if a delay means they cannot proceed with the transaction.

Clear communication

At times of uncertainty, transparency becomes even more important than usual. Firms will be required to provide regular updates about how they intend to treat incoming and outgoing post. Customers should be updated on evolving market conditions and shown how they can check their statements if they arrive late.

Face to face alternatives

Face to face meetings for issues such as suitability assessments may not always be possible. However, the FCA has urged companies to investigate alternative options such as phone conversations or online due diligence checks. Firms should send out the results of any assessment either online or through other means.

The FCA has experienced plenty of problems of its own. Back in April, it admitted it could be many months before it is able to address its key regulatory priorities. It is making its own adjustments and has said it may have to redraw its business plan to take into account the evolving situation.

Maintaining business continuity is an issue for all businesses. While online technology makes it possible to deliver more services remotely, it is the small minority who can’t access the internet who are at risk of being disadvantaged. Inevitably, these people are more likely to be older or more vulnerable and will be even more adversely affected by delays to their services. The FCA, then, is striking a balance between being understanding towards firms and keeping up the pressure to protect those clients who may suffer.

Protecting Against Cybercrime During COVID-19 - Waymark Tech Blog


Cyber criminals are “making hay while the sun shines” during the pandemic, but regulators promise to be more understanding. What does that mean in practice?

An uncertain economic situation, financial volatility and a workforce working from home all make for a cyber criminal’s dream come true. The number of threats is growing and vulnerabilities are widening. Keeping data secure is more difficult than ever, and this may raise a number of compliance and regulatory issues for firms.

Home and mobile working

Most companies have dramatically upped their work from home provisions and they have done so with relatively little warning. Most professional people are almost as well connected at home as they are in the workplace. Broadband speeds are fast and people’s personal computers are generally high spec.

However, home networks will usually not be as secure as a company’s. With staff at home, you will have increased the number of endpoints connecting into your central systems, which is like making lots of holes in the walls of a building. Even the most secure operation can become compromised.

The UK’s National Fraud and Cyber Crime Reporting Centre reported that Coronavirus related frauds rose by 400% in March. This was said to be linked to the increase in home working. It has issued fresh guidance about the steps firms should take before moving to a work from home model.

Compliance issues

Despite these challenges, the Information Commissioner’s Office has confirmed that firms will continue to face the same reporting obligations as always under GDPR. Privacy rights remain ‘paramount’ according to the watchdog which means breach notification rules still apply.

However, the regulator has said it will allow for flexibility given the unprecedented situation we now find ourselves in.

In a statement, the UK’s Information Commissioner, Elizabeth Denham, said:

“We see organisations facing staff and capacity shortages. We see the public bodies facing severe frontline pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”


What this means in practice is that the regulator will be more understanding when considering action. It says it understands the operational challenges confronting companies, including staff shortages, reduced operational capacity and financial constraints. It says it will use this understanding to foster an ‘empathetic and pragmatic approach’ throughout the pandemic, including in how enforcement powers are executed and what technical advice it gives.

So what does this mean in practice?

Although the ICO is being more flexible, data protection is still vital, which means the rules around breach notification still apply. Any organisation which suffers a breach will still have to report it to the ICO within 72 hours of discovering it. Even so, the ICO has ceased all audits, and if a problem is caused as a result of the pandemic it will take this into account. The commissioner appears wary of being seen to chase healthcare organisations while they are trying to save lives.

Any organisation which processes data will still have to pay its annual fee to the ICO, but the ICO will not prosecute any organisation failing to do so if it can provide evidence that it cannot pay due to the fallout from the pandemic.

Last but not least, any fines issued are likely to be lower, for all breaches. The ICO says it takes affordability into account before issuing any fine. Given the impact on companies’ finances, therefore, any fine issued is likely to be much lower than before the coronavirus outbreak.

Most importantly, this is no get-out-of-jail-free card. The ICO is being more flexible and it will be more understanding, but a company must still meet its obligations to safeguard data and report breaches. Failure to do so will still result in a fine.

More importantly, failure to take adequate measures will have much wider reaching consequences than just the wrath of the regulators. The ICO may be more understanding, but there’s no guarantee customers will be.

The move to a home working situation also makes your systems and the personal data of your customers more vulnerable. The reputational and financial impact of a hack will be just as high as always.

Coronavirus Gives SM&CR its First Real Test - Waymark Tech Blog


COVID-19 is proving to be the first real test of financial regulations introduced since 2008 with the Senior Managers and Certification Regime in the front line.

Speaking to the Financial Times, the FCA’s interim Chief Executive, Christopher Woolard has suggested that the Senior Managers Regime could give the regulator more weapons in ensuring corporations continue to behave ethically throughout the crisis.

Although he admitted that the FCA had little power to take action against those lenders who did not treat customers fairly, he suggested the regime did give the regulator an option to ensure lenders treat customers fairly.

These rules allow regulators to take action against senior managers based on their conduct, including fair treatment of customers. With all commercial lending being unregulated, this will be the only weapon the regulator has to put pressure on banks.

However, since its introduction, the FCA has been criticised for taking relatively little action. After three years, it was only in August 2019 that it secured its first conviction when Barclays Chief Executive Jes Staley was jointly fined £642,000 by the FCA and PRA for his response to an anonymous whistleblower letter.

Since then, the regime has been extended from the banking sector and across all authorised firms, but its impact is still one which exists in the fears and imaginations of senior managers rather than in actuality. However, this crisis could be an opportunity for SM&CR to play a significant role.

Since the outbreak of COVID-19, there have been a number of complaints about how banks have been treating their customers, especially in the way the Government-backed loan scheme has been rolled out. The Federation of Small Businesses has been among those raising concerns about how the loan scheme is being implemented.

Although pace has picked up, approval rates are lower than with commercial lending despite the number of companies facing difficulties. The FSB has called for reassurances from the regulator that the banks are not putting profits before people.

The FCA has written to the banks reminding them of their responsibility to treat borrowers fairly at this stressful time, but beyond that it has relatively few direct powers. SM&CR could offer an alternative approach, and Woolard admitted this period would prove to be a test of the scheme.

Nonetheless, the difficulty the FCA has experienced in securing convictions so far suggests it might face an uphill battle. The problem for the regulation is that it can be difficult to attribute the actions of a company to a single individual. The burden of proof lies with the FCA and, in many cases, this is proving too high a hurdle to clear.

So far, then, SM&CR has been used as an abstract threat – a tool to place more pressure on individual managers to take greater responsibility for good conduct. Whether this will be enough remains to be seen.

COVID-19 is the first period of great stress for the financial sector since the regime was introduced. It is at these moments that corporate responsibility and regulation come under pressure. It’s also at moments like these that the cracks show and problems in the existing system are there for all to see. This in itself could serve as a warning to any corporates who do not heed the FCA’s letter and treat customers fairly.

Even though the regulator’s powers may be limited at present, if it is not satisfied by the actions of lenders during this time, it will be more likely to step up its oversight.

This could come in the form of enhanced regulation and stricter rules in the future.


EBA Updates Guidelines for COVID-19

The European Banking Authority has issued a new set of guidelines updating its approach to COVID-19, including issues of default, regulatory requirements and recovery planning.

The coronavirus pandemic has sent shock waves across the economic and business landscape, affecting how businesses can maintain operations as well as sparking increases in defaults. Regulators have been issuing guidelines about how they will mitigate such effects, the latest of which comes from the European Banking Authority, which has provided updates on risk, supervision, flexibility and moratoria on loan payments.

Moreover, the EBA has provided further clarity on its attitude to how flexibility will guide supervision in market risk, recovery planning, digital resilience and the Supervisory Review and Evaluation Process (SREP).

Here’s a quick look at what these guidelines are and what lessons firms should take…

To mitigate the impact of exceptional volatility triggered by COVID-19, the EBA proposes to adjust the capital impact and amend its standards on valuation. Among other things, it will introduce a 66% aggregation factor, which will be applied on 31 December 2020.

Flexibility

The challenge of COVID-19 is having a considerable impact on firms and the EBA is making allowances. There will be a more pragmatic approach to SREP assessments in 2020, which will focus on the most serious material risks created by the crisis.

It will also delay reporting of the first FRTB-SA figures to September 2021 in recognition of the impact the pandemic is having on businesses, and will offer competent authorities greater flexibility on prudential requirements for banks using internal VaR models.

Recovery planning

The next issue is how businesses will recover. This is a highly fluid situation and no organisation is entirely certain about what recovery plans will look like because they still don’t know the full scale of the challenge. The EBA says the focus should be firmly on understanding which recovery options are necessary and can be applied under the current high stress conditions.

The EBA has also provided clarity on the prudential application of default and forbearance, whether in the form of postponement of payments or interest on a credit facility granted by a bank to a borrower in financial distress.

The EBA has clarified that a payment moratorium which abides by the guidelines will not lead to a reclassification under the definition of forbearance; however, banks should still categorise such exposures as “performing” or “non-performing” according to the applicable requirements. Banks should also assess each individual borrower’s repayment capacity and set up tailored arrangements where necessary.

Maintaining resilience

Key to this is digital resilience. As we’ve covered elsewhere, technology is coming to the fore in this crisis. It will create complications and opportunities for businesses looking to ensure digital operational resilience. The regulator says that businesses will have to ensure business continuity, adequate ICT capacity and security risk management so that they can maintain the integrity of their systems and continue to offer value and protection for clients. Financial institutions will be able to use the new EBA ICT and security risk management guidelines to focus on priority areas.

The crisis is having, and will continue to have, an unimaginable impact on the financial sector. In setting out these guidelines the EBA seeks to ensure allowances are made and to guide businesses through the process of drawing up appropriate recovery plans.

