The Model Office Blog

RegTech: if not now when?

[fa icon="calendar'] Mar 26, 2021 10:46:59 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk, levies

[fa icon="comment"] 0 Comments

“Business is no difference to sport, data and technology is a very powerful tool, but only if every individual in your team knows how and why they are using it” Sir Clive Woodward England Rugby world cup winning manager

At Model Office we love sports analogies and we would recommend any business who either believes in data analytics or not read or watch Moneyball, an account of Oakland Athletics baseball team’s 2002 season and their general manager’s attempts to assemble a competitive team. The story focuses on the adoption of a ‘sabermetric’ system that employs quantitative diagnostic technology to collect and summarise relevant data from game activity.

This data can measure and predict performance trends and showcase players who are most suited to influencing how a team wants or needs to play to win.

Why is this relevant to financial services I hear you ask?

Well the rule book demands a certain standard of performance as do clients and yes business stakeholders. We are witnessing a digital revolution, some call it the 4th industrial revolution and this provides retail investment advice firms, networks and support services to employ data analytics and diagnostics so they embed an evidence based practice and can assess behavioural trends such as individuals and firm competence, conduct and how this influences their culture and clients. Great for compliance with the Senior Managers and Certification Regime (SM&CR).

The results for a business who does employ such technology can be impressive. RegTech alone can offer high level and granular analysis of how firms governance, risk and compliance management processes are effecting performance. The FCA’s 5 Conduct Questions Programme showcases that firms who monitor and manage compliance risk management create a constructive culture which has a positive effect for sustainable professional performance.

How can RegTech help?

Utilising diagnostic technology can help market participants due to:

  • Increased evidence to showcase good practice that can help reduce regulatory levies such as professional indemnity insurance (PII) and streamline audit practice saving time and costs
  • Technology integration where application programming interfaces (APIs) can enable tech to ‘talk’ and data share and deliver streamlined regulatory reports across key areas such as:
    • Client data quality
    • AML/KYC/PEP sanctions
    • PROD and Client Segmentation ensuring;
      • Services and products are suitable for end client needs
      • ESG analysis to assess client needs and objectives
      • Vulnerable clients are identified and provided the correct services
    • Assessing missing information from client valuations
    • AI text analysis to auto-audit compliance policy documents and automat client file reviews
    • Advice suitability checks identifying underinsured or underinvested clients
    • Assessing adviser supervision and adviser training and competence requirements
    • Ensuring Investment, Mortgage, Insurance advice is compliant with COBS, MCOBS and ICOBS
  • Self-Audit and aligning business models with the regulations ensuring firms know they comply and assess and rectify blind spots and weaknesses
  • Increase Management Information (MI) and cut time and costs associated with compliance
  • Move away from ‘swivel chair’ compliance where disparate solutions (mainly spreadsheets) are used, to a single source SaaS or Cloud based dashboard providing heatmapping, AI algorithms to highlight trends and produce streamlined reports

One message that the FCA presents in their business plans is that both financial services providers, networks and support services plus the bodies that regulate them must act to adapt to, and enjoy the benefits of, technology and innovative approaches. This takes courage and a medium-long term view so the real benefits that RegTech can deliver more cost and time efficient practice than current strategies.

Back to sport, you only have to look at examples such as Sir Clive Woodward’s excellent speech at the PFS 2017 Festival of Financial Planning at how important it is for business to adopt and embed analytic and diagnostic technology into their everyday practice. This way they will have all the evidence as to how to ensure sustained professional practice and win!

So, with such benefits in a changing market, the question has to be asked: ‘RegTech, if not now when?’.

Read More [fa icon="long-arrow-right"]

PRODing to ensure suitability and client best interests

[fa icon="calendar'] Feb 19, 2021 9:39:01 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk, levies

[fa icon="comment"] 0 Comments

Having attended another excellent Octo-Members virtual pub event Wednesday (I also enjoyed a ‘virtual’ alcohol free beer 🍺) the topic circled the old chestnut for suitability and appropriateness of centralised investment propositions (CIP) for the business and their clients.

This is a subject that has stood the test of time in generating debate over issues such as value chains, fund managers ego’s, regulatory stance of shoe-horning or retro fitting and off course the old ‘can I use one platform or investment proposition across my client base’ question…

The truth of the matter when debating and attempting to find solutions is that there is no definite solution, it all depends on variables such as the client’s on-going needs and objectives, the firm’s business model, regulatory directives such as PROD and advice suitability, technology solutions and research tools and good old trusted professional behaviour across all relevant stakeholders such as product manufacturers, fund managers and wealth managers, advisers and planners.

What is crucial is that the trusted behaviour meets the high standards the FCA set across conduct (behaviour) and competence (skills) plus ensuring the right culture is in place for individuals to ‘do the right thing’ by their clients. Integrity is key.

It was clear (to me) from the Octo-members virtual pub debate that there are many moving parts but also each component is no silver bullet. For example technology built well is an enabler to efficiency’s across communications, operations, systems and controls but on its own is not going to solely fix the CIP or advice suitability conundrum.

What’s needed is a joined up approach with suitability being the end product of the sum of many parts coming together seamlessly.

The PROD rules can help here. They are aimed at ensuring the product manufacturers build their products with the end user’s needs in mind I.e. the client. Plus, they also need to ensure such products are distributed correctly to the end user, so the Retail Investment Advice (RIA) firms research and due diligence comes in as does, wait for it…client segmentation.

Figure 1 Product Governance Product manufacturer requirements

Read More [fa icon="long-arrow-right"]

Dealing with increasing regulatory levies

[fa icon="calendar'] Feb 12, 2021 10:43:14 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk, levies

[fa icon="comment"] 0 Comments

It's not going away any time soon is it? With IFAs reporting a 76% hike in Professional Indemnity Insurance (PII) premiums the hardened regulatory levies are really biting and squeezing firm margins at a time of economic uncertainty given the on-going pandemic. 

At Model Office-MO® we continue to press that regulatory levy stakeholders such as the Financial Services Compensation Scheme (FSCS) Financial Ombudsman (FOS) and PII need to take firm’s soft data i.e. their competence, conduct and culture into account when assessing firm’s risk and potential consumer harm.

Unfortunately and presently, there is a trend to look at the market risk rather than individual firm risk, this can be seen in the recent FSCS plan and budget 2021/22 statement which sees a forecast levy of £1.04BN which represents an increase of £339M from the previous year and there is a £78m supplementary levy (£44.5m invoiced this month). 

This increase is down to the fact the FSCS anticipates an ongoing increase in complex pension advice claims and additional failures of self-invested personal pension (SIPP) operators. It also expects increased firm failures due to the economic impacts of the coronavirus pandemic, as do the FCA who estimated up to 4000 firms are at risk of failure given the data received from their  financial resilience questionnaires.

As we wrote in March 2020, we also have had the FOS increased limit rise from £150,000 to £350,000 and reports of 300%+ increases in PII premiums post FCA DB pension transfer directives means the industry is now facing a real dilemma. Indeed due to this rise, the FCA says nearly 300 financial advice firms reported their PII cover  for claims was non-compliant. So, we have a perfect storm, increasing regulatory levies, a pandemic and increasing potential for customer harm!

What can we do I hear you ask?

The FSCS talk about the fact they are attempting to reduce levies through data analysis and sharing with the regulators , the FCA’s consumer investment data review 2020 wants to ensure customers are educated on financial scams and their 2021/22 business plan wants to ensure all firms offer suitable advice, are resilient and are cyber-secure and the FOS, well….

In relation to these points, firms who use RegTech to audit and analyse their business governance, risk and compliance (GRC) competence and conduct can increase their profile in evidencing data and culture that showcases they are a good risk for PII insurer underwriters which can then have positive influence on renewal rates.

We do remain concerned that the apparent ‘homogenous’ approach to calculating levies and monitoring risk is severely penalising the majority of firms who are doing a good job in operating compliant businesses. At the end of the day, the regulator and FSCS have created a cause and effect conundrum; the higher the levies, the higher the costs to the end user, i.e. the client which completely defeats the FCA premise of consumer protection!

What is very apparent from our work in the RegTech sector is that technology can provide evidence based practice to identify good and bad GRC practice and ensure firms evidence they are ‘walking their talk’ on regulatory GRC competence and conduct requirements.

RegTech that monitors a firms GRC can then provide hard evidence that a firm is meeting all relevant regulatory requirements at business operations, systems and controls and people management level. This can in turn, provide valuable data to PII underwriters across their risk evaluation metrics that a firm risk (rather than a market risk) is the main factor for assessing the premium levels and any necessary premium risk loading.

RegTech can also integrate with InsureTech and thus provide a powerful GRC audit process for those PII underwriters who are adopting technology in their underwriting processes.

The FSCS can also use such RegTech data to better assess the soft and hard facts across business behaviours in the market and come to an informed (evidence-based) judgement on firm levies. Such GRC conduct and competence data should allow the FSCS to class firms more realistically and thus segment the market fairly into those firms performing well, those who need more support and the rogue firms causing the most damage.

There are other potential solutions some eloquently detailed by Personal Investment Management Association (PIMFA) in their excellent 2020 paper ‘A rising tide lifts all boats; a roadmap towards better consumer outcomes and lower levies’and in their 12 recommendations to bring government, regulators and wider industry to work together. 

The current ‘homogenous’ approach taken, tends to place all firms within the same class and thus we have the issue where compensation is paid by all, not just those that cause the loss (if they are still active and have not attempted ‘pheonixing’).

By using RegTech GRC data, regulatory stakeholders will be able to better segment the market and thus then identify those firms causing detriment who should pay and if found insolvent then any wind up should include terms for payment of a levy from available assets.

Read More [fa icon="long-arrow-right"]

RegTech and Regulatory Levies

[fa icon="calendar'] Dec 11, 2020 11:13:14 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk

[fa icon="comment"] 0 Comments

Twitter has been very active with the latest FCA call for input: Consumer Investments and the issues surrounding ensuring fair levies and identifying rogue firms who should bear the brunt of these costs.

Indeed the Model Office team have replied to Question 29 of this paper What more can we do to ensure that compensation paid for fairly by those that cause the loss? which you can read below 👇🏽It showcases how RegTech can ensure that FCA, FSCS and FOS plus PII underwriters can better assess individual firm risk rather than benchmarking the industry based on hard market risks. 

Q29: What more can we do to ensure that compensation paid for fairly by those that cause the loss?

The issue the industry faces with climbing regulatory levies is unsustainable with retail investment advice firms (RIAs) expected to shoulder increasing compensation levies against their turnover and squeezing margins thus placing pressure on ability to grow business services to meet client needs and passing on levy costs to their clients.

Also, the fact that the Financial Services Compensation Scheme (FSCS), Financial Ombudsman (FOS) and Professional Indemnity Insurers (PII) all tend to assess market risk rather than individual firm risk is a problem.

In many ways (in our opinion) the FCA are tackling the answer to this question from the wrong starting point. Rather than focus on attempting to identify those rogue firms that are consistently causing consumer detriment through misselling and unsuitable advice. There is a case for adopting Regulation Technology (RegTech) tools that can help identify those firms that are consistently meeting advice suitability regulations and running their businesses in a highly compliant fashion.

RegTech has been on the rise for the last few years and has developed to meet market participants needs for identifying, managing and monitoring regulatory governance, risk and compliance (GRC). As can be seen from the below RegTech Associates regulatory change market map, there are many solutions now available for firms to engage with dependent on their business model, compliance and customer needs.

Image 1 RegTech Associates compliance management market map

What is very apparent from our work in the RegTech sector is that technology can provide evidence based practice to identifying good and bad GRC practice and ensure firms evidence they are ‘walking their talk’ on regulatory GRC competence and conduct requirements.

RegTech that monitors a firms GRC can then provide hard evidence that a firm is meeting all relevant regulatory requirements at business operations, systems and controls and people management level. This can in turn, provide valuable data to PII underwriters across their risk evaluation metrics that a firm risk (rather than a market risk) is the main factor for assessing the premium levels and any necessary premium risk loading.

The FSCS can also use such RegTech data to better assess the soft and hard facts across business behaviours in the market and come to an informed (evidence based) judgement on firm levies. Such GRC conduct and competence evidence based data should allow the FSCS to class firms more realistically and thus segment the market fairly into those firms performing well, those who need more support and the rogue firms causing the most damage.

The current ‘homogenous’ approach taken tends to place all firms within the same class and thus we have the issue where compensation is paid by all, not just those that cause the loss (if they are still active and have not attempted ‘pheonixing’).

By using RegTech GRC data, regulatory stakeholders will be able to better segment the market and thus then identify those firms causing detriment who should pay and if found insolvent then any wind up should include terms for payment of a levy from available assets.

For example Model Office-MO® is able to segment GRC activities broadly into 6 keys areas: Focus (all key compliance directives include suitability) Engagement (Client and Stakeholders) Promise (Service proposition, product research and due diligence (incorporating PII risk assessment) advice strategies, tools and technology) Systems (Practice Management operations, systems and controls plus data security and management) People (Human Resource Development, Competence and Conduct) Financial Resilience (Cashflow) The system will then offer a more granular approach across these areas where firms will audit and gain risk based scores across business functions in each key. This offers a risk based approach and ‘hard and soft’ data on the GRC performance on an on-going basis.

Image 2 Model Office 6 regulatory keys

This can then produce a holistic view on a firm’s GRC strategies and gain an appropriate risk based market segmented framework and facilitate a levy directly correlated to the evident firm risk.

We note a risk based approach was investigated by the FCA in CP 18/11 and we would encourage the regulator to adopt RegTech as an enabler to identifying good and bad risk management practice in firms conduct, competence and culture, acting as a benchmark to identify and segment firms by the very nature of the risk they present.

The fact that The FCA Financial Advice Market Review baseline report estimated that a firms direct and indirect compliance costs are (on average) 11% of turnover means there is a real risk that those businesses who are performing well and represent a good risk are suffering and their margins are being severely squeezed, so it is imperative that the regulator walks its talk on RegTech and applies such to ensure firm risk (not market risk) is identified and scrutinised to ensure a fair application of levies and those rogue firms are identified quickly and dealt with appropriately.

If you're interested in finding out more you can book a demo of our software please click below to see MO® in action. 

Read More [fa icon="long-arrow-right"]

Culture, Competence and Conduct

[fa icon="calendar'] Nov 13, 2020 10:21:26 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk

[fa icon="comment"] 0 Comments

Some interesting themes from regulators are starting to emerge when it comes to Governance, Risk and Compliance (GRC). The FCA in particular have run a number of initiatives looking at how companies of all sizes can ensure they have a constructive GRC culture running through their business.

There are two key areas the FCA are focused on:

  1. Competence (Skills) Here it’s all about recruitment, training and competence, ensuring the right people in the right job with the right skills and responsibilities.
  2. Conduct (Behaviour) The FCA’s excellent 5 conduct questions programme (although focused on wholesale banks) provides firms with a clear GRC management strategy across:
    1. Identification of risks
    2. Who is accountable
    3. What mechanisms are there to improve conduct risk management
    4. Who is in control of strategic oversight
    5. What activities could undermine conduct risk management

Conduct in particular, is very much at the centre of the industry with the introduction of the Senior Managers and Certification Regime (SM&CR) as retail investment advice firm’s now have until March ’21 to ensure all conduct rules training, fit and proper and certification processes are in place and actioned.

The European Commission’s latest public consultation on sustainable corporate governance builds on this and looks at the G in ESG looks at whether companies should:

  • Take into account broader stakeholder interests such as human rights violations, environmental pollution and climate change
  • Ensure directors identify the company’s stakeholders and their interests and manage the related risks
  • Introduce a ‘due diligence duty’ across employee rights, health, environmental impact of business activities across the supply chain

The FCA seems dedicated to ensure culture is front and centre in its approach to supervision. There is much resource dedicated to transforming culture in financial services, with the business strategy, tone at the top, leadership, remuneration and reward and good governance the most salient issues.

So, what can you do?

  1. Review how RegTech can help provide diagnostic assessment of your current GRC practice and provide management information and data on how you are improving competence and conduct. This can have significant benefits, for example Professional Indemnity Insurers have stipulated they will provide favourable renewal terms for those firms evidencing they have good GRC strategy within their business
  2. Ensure Human Resources Development practice and communication lines are clear across the business, not just at the top or board levels.
  3. Systems and controls, operations and practice management are all aligned to the front office via a ‘middle office’ so the business is client and staff centred and allows secure data to flow through to all stakeholders e.g., Directors, staff, clients and the regulator

With the SM&CR extension on conduct and certification implementation deadlines, we should not take our eye off the GRC ball, if we have this right the governance will be spot on and firms will showcase resilience and sustainability benefiting immensely when this pandemic becomes a distant memory.

If you're interested in finding out more you can book a demo of our software please click below to see MO® in action. 

Read More [fa icon="long-arrow-right"]

Remote working and Governance, Risk and Compliance

[fa icon="calendar'] Oct 23, 2020 10:40:48 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk

[fa icon="comment"] 0 Comments

Enforcing regulatory compliance can be enough of a challenge when your workforce is in the office. When they are dispersed, how can you be sure that your marketing and communications collateral adheres to FCA rules?

1. Have and communicate clear processes

The first step in managing compliance, whether locally or remotely, is to have clear processes that everyone understands. This means ensuring the compliance team are on the same understanding, systems and controls are managed tightly and SMF’s responsibilities are understood and aligned.  

2. Make sure everyone understands the relevant rules

Training and Competence is crucial here is everyone in your business aligned with the rules relevant to their roles? Are they up to date with their SPS and CPD requirements? With Senior Managers and Certification Regime ‘honeymoon period’ ending March ’21 and ESG, Vulnerable clients, Treating Customers Fairly, Know Your Customer, MiFID II, advice suitability to name a few are all highly relevant to showcasing professional practice, you need to evidence your team know the relevant rules and how they work in practice in their roles and responsibilities.

3. Improve collaboration even when youre not in the same place

Collaborating effectively on marketing projects improves efficiency, reduces unnecessary admin and duplication, and helps you stay aligned as a team and ensure consistency of compliance practice and client service.

4. Consider security

Remote workers are the weakest link when it comes to cyber-resilience. Cyber risk is one of the top business risks facing organisations. Despite this, the majority are not adequately prepared for a cyber incident. You will need to address key issues and employ Cyber strategy aligned to the FCA requirements.

Do you mandate the use of secure work emails? Are there rules about encryption of sensitive material? Are GDPR requirements met? All these issues are potentially exacerbated when teams are dispersed. Read our Cyber-crime blog here 

5. Review technology and automation help?

Our Remote working and FinTech handbook covers plenty of quality technology providers across a range of business strategies that can help during these challenging times. RegTech in particular will help ensure you have the evidence that you have addressed specific issues and have a holistic approach where all the relevant stakeholders are on the same understanding. Download Model Office’s RegTech infographics here.

Your compliance Joke:

'Why do people take an instant dislike to compliance officers? To save time later....'

If you're interested in finding out more you can book a demo of our software please click below to see MO® in action. 

Read More [fa icon="long-arrow-right"]

More Compliance Chat

[fa icon="calendar'] Sep 18, 2020 10:24:23 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk

[fa icon="comment"] 0 Comments

Dear CEO, there you go that made you tremble didn't it? Well the FCA have been as active as ever this week and produced directives that are indicative of the direction in which UK regulation is likely to move forward over the next few years. (Your compliance joke's at the bottom of this blog)

Firstly we have the latest instalment in The FCA's gripping '5 Conduct Risks'series. seriously this is really good stuff and although focused on the banks, applies to all retail investment firms too. This is very important considering the need to ensure your Senior Managers and Certification Regime (SM&CR) certification process and staff conduct training is on track. 

The key messages are:

  • Despite significant improvement, there remains a lack of awareness, in-depth understanding and the ability to identify day-to-day conduct risks
  • Some firms have taken insufficient steps in ensuring the contribution of personal conduct and behaviour to achieve conduct objectives
  • Although most firms have clear escalation and whistleblowing channels, in practice they are largely unused and followed in only the most serious cases
  • Participants were often unclear on their firm's corporate purpose statements and how their role and responsibilities contribute

The Second issue is symbolic of the work done by regulators around digitisation, in both FinTech and RegTech. This will become even more of a priority for them in the changed world created by COVID-19, remote audits spring to mind.

The FCA's digital sandbox for example, goes form strength to strength and the latest pilotwill enable innovative firms to test and develop proofs of concept in a digital testing environment around three use cases related to coronavirus, including:

  • detecting and preventing fraud and scams
  • supporting the financial resilience of vulnerable consumers
  • improving access to finance for small and medium-sized enterprises.

The FCA Dear CEO letter to professional Insurance Intermediaries shows the FCA believes the general insurance sector carries significant risks of potential customer harm, with the most significant risk within the intermediary portfolio being that of customers purchasing unsuitable or poor-value products. This is attributed to inappropriate sales tactics and insufficient or unclear information at the point of sale.

The letter highlights the importance of robust governance and controls, and the need to embed healthy cultures and behaviours within firms. The FCA will focus on these themes and the letter sets out some of the key related issues, such as bonus and incentive arrangements.

Finally, but not least, the FCA are sending out yet another Financial resilience questionnaire to advice firms (they're clearly concerned) at Model Office-MO® we have made our Financial Resilience Diagnostic free of charge so firms gain heat mapped dashboards and assess the strengths of their firm’s financial ratios and cashflow. You can sign up and download it for free here.

Your compliance Joke:

“How many compliance officers does it take to change a light bulb?”

“Three. One to change it, one to check it and one to check it again and file a report.”

If you're interested in finding out more you can book a demo of our software please click below to see MO® in action. 

Read More [fa icon="long-arrow-right"]

Cyber-crime: an IT or Regulatory Challenge?

[fa icon="calendar'] Aug 13, 2020 3:27:34 PM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience, cyberrisk

[fa icon="comment"] 0 Comments

As we have seen with the COVID-19 pandemic, resilience is a key strategy and concern for the FCA. There are two key areas here: financial and operational resilience. What is often overlooked where operational resilience is concerned is Cyber-crime.

 

In their recent paper Cyber-security – industry insights, The FCA are clearly keen to ensure retail investment advice firms (RIAs) engage in good governance practice in this area.

The paper covers some important strategy that can easily be employed across:

 

  • Governance and risk management: Taking a top-down approach and using enterprise risk management approach to assess and monitor cyber-risks across the business operations, technologies, client service strategy
  • Keeping it simple: Move away from management speak and keep language and communications clear and concise
  • Cyber culture champions: appoint influential and experience staff members to take responsibility for addressing cyber-risk
  • Think strategically: Identify who can attack the business, where and how. Identify vulnerable data management practice and understand the extent of cyber-crime networks across the UK and internationally
  • Link risk and controls: Creating metrics and indicators for critical controls is imperative
  • Use existing standards. Standards provide valuable frameworks devised from good practice; consider the NIST Cybersecurity Framework, ISO27001/2, SANS CIS, NCSC’s 10 Steps to Cyber Security or NCSC’s NIS Directive Cyber Assessment Framework, Cyber Essentials

 

It is important to identify what you need to protect so here the FCA provide some simple yet effective techniques that can easily be applied:

 

  • Consider what you know: The GDPR provides great guidance on data security, so leverage this and re-assess your systems and controls plus identify what you don’t know and find solutions fast
  • Take a holistic approach: Too many businesses employ checklist and tick-box strategy which can create a silo approach, firms now need to think vertically and horizontally across all business activities this can then aid change management records, vulnerability scans, anti-virus management and other sources
  • Know who does what: Identifying roles and responsibilities is a key requirement of the Senior Managers and Certification Regime (SM&CR) so here we need to ensure that we know what staff are responsible for, map it out and also re-assess how personal data for staff and client’s alike is processed in line with the SM&CR and the ICO’s GDPR.
  • Watch out for outsourcing: Identifying and managing stakeholders can be difficult so again along with the SM&CR and GDPR, any outsourced suppliers need to be managed carefully particularly when it comes to processing personal data and related cyber-risks

 

So what can be done to ensure data is protected?

 

Effective cyber-risk strategy requires careful planning and use of the right tools and techniques:

  1. Invest in training: Ensure all staff are aware of cyber-risk on an ongoing basis. We conduct plenty of Anti-Money Laundering training, but as some of this activity has shifted online, there are no excuses as to ensuring cyber-crime is not a mandatory annual training standard within your business
  2. Be aware of vulnerabilities: knowing weaknesses and your digital footprint is essential to good research and due diligence in your cyber-risk strategy. Also understanding the digital reach of your business is essential
  3. Cyber-security integrated with change management strategies: Resilience is an essential compliance and business strategy, this can be undermined very quickly via a cyber-attack, so including cyber-security within change management strategy can build a resilient structure
  4. Employ detection tools: As with the GDPR, run a systems check and keep a register so you are able to detect any attempted attacks on systems and business services. This involves:
    1. Mapping roles and responsibilities (similar to SM&CR) and identifying those with privileged access to data e.g. data controllers plus monitor systems behaviour and apply the SM&CR Conduct rules to user behaviour
    2. Design logs to assess your firms data and generate relevant alert systems
    3. Apply string access controls to audit database logs to prevent cybercriminals removing any traces
  5. Respond and Recover: Be aware of emerging threats by participate in industry conferences, forums and learn from others. As with any resilience focus firms will need to:
    1. Test and retest scenarios and your defences
    2. Define business tolerance for recovery of systems
    3. Learn lessons from any failures
  6. Use Technology: identifying and applying technology can aid thwarting and a swift response to any cyber-attacks.
    1. Use encryption, this could involve e-mail encryption services such as Origo’s Unipass Mailock
    2. Back up regularly
    3. Update your services
    4. Create strong passwords
    5. Audit using RegTech systems so you are aware of where all the issues may lie prior to your manual audit process

With Cyber-crime on the up in this pandemic, if you apply strategy, tools and techniques we have discussed then you will ensure your business is cyber-resilient.  

Read More [fa icon="long-arrow-right"]

Remote working and managing compliance risk

[fa icon="calendar'] Aug 7, 2020 11:53:38 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience

[fa icon="comment"] 0 Comments

One of the biggest concerns the FCA are banging on about is business resilience through the pandemic we face. It is clear that the regulator expects firms to take full accountability for their own governance, risk and compliance (GRC) affairs and align this with building systems and controls that will identify monitor, manage operational and financial resilience.

 

The pandemic has now brought a new way of working and with it the application of existing and new technologies that can streamline business management practices. With remote working the new norm, we also have challenges in ensuring our staff are aligned, engaged and also are happy, mental health is also a concern when we have to isolate and remove ourselves from the social interaction a workplace brings.

 

Enforcing regulatory compliance can be challenging enough when your workforce is in the office, but when dispersed this is a huge challenge.

 

So what can we do to ensure we keep our finger on the GRC pulse, encourage a resilient and positive working practice and culture?

 

  1. Communicate, communicate, communicate: Employing clear processes, systems and controls that engages all stakeholders is essential. This means everyone knows the risks and challenges faced but most importantly, how they are managed and the part they and others play. The Senior Managers and Certification Regime (SM&CR) is a huge help here, firms should already have their roles, responsibilities and delegation strategy mapped so everyone knows who does what, when and how
  2. The art of collaboration: The has never been a more important time to ensure your C-suite, compliance, operations, teams are working together around GRC. By streamlining working practices around remote working challenges and opportunities, this can enable effective and efficient identification of risks that can impact business resilience. We can also reduce admin and duplication and get the messages we need across quicker to staff and clients alike.
  3. Be security minded: Cyber-risks are on the up during the pandemic, so we have to ensure that operational systems and controls are in place to protect our business practices across, client communications, asset and document management and data security. Remote workers could be the ‘weakest link’ here, as they are working with new systems and technologies, so mandating specific cyber-risk proofed platforms such as back office, e-mail encryption and document protection will be crucial.
  4. Get onboard the same train: All staff need to be of the same understanding when it comes to compliance, resilience and risk management. So ensure you’re up-to-date with your training and competence programme, again the SM&CR and conduct rules training will help here
  5. Automate and streamline: Technology isn’t magic, but built and implemented well it’s a great enabler platform for your business to work more effectively around GRC, keeping staff engaged and happy and your business resilient across constant operational and financial risks.
Read More [fa icon="long-arrow-right"]

The FCA and Your Financial Resilience

[fa icon="calendar'] Jul 31, 2020 10:30:17 AM / by Chris Davies posted in Financial regulation, Financial business development, fintech, regtech, Risk management, practice management, FCA, advice, HMT, suitability, FAWG, FAMR, MiFIDII, SMCR, Data, GDPR, Chatbot, Culture, Enforcement, supervision, audit, Conduct, AI, Risk,, Accountability, Platforms, PROD, Product governance, digital,, Regulatory, Reporting, resilience

[fa icon="comment"] 0 Comments

The FCA’s Final Guidance assessing adequate financial resources places a specific spotlight on retail investment adviser firm’s (RIA’s) financial resilience. The minimum standards the regulator uses to protect consumers, reduce market disruption and minimise harm and assess firm’s sustainability are called threshold conditions.   

 

Threshold conditions and Financial resilience

The assessment of appropriate resources under threshold conditions considers:

  • the nature and scale of a firm’s business model
  • the risks to the continuity of the services provided
  • the impact of other members of the firm's group on the adequacy of its resources
  • To assess if a firm has adequate financial resources, we consider if a firm:
  • has the ability to meet its debts when they fall due
  • For firms, other than those with limited consumer credit permissions, we also consider if a firm has:
  • taken reasonable steps to identify and measure its risks
  • appropriate systems and controls and human resources to measure risks prudently at all times
  • access to adequate capital to support the business, and that client money and custody assets are
  • not placed at risk
  • resources which are commensurate with the likely risks it faces

With a pandemic to manage through, the FCA are obviously concerned at firm’s who sit outside formal prudential standards for adequate financial resources, for instance Internal Capital Adequacy Assessment Process (ICAAP) requires banks boards to regularly assess and mitigate risks and ensure adequate financial capital is retained to manage these risks.

 

So, we now have a framework that requires RIAs to implement and evidence Governance, Risk and Compliance (GRC) strategy to assess and manage across:

 

Systems, controls, governance and culture:  Here the FCA are interested in conduct i.e. behaviours that drive good outcomes across the firm’s purpose, competent leadership, staff competence and incentives. Plus, employ sound risk management across systems and controls such as whistle blowing or complaints handling. What drives all this is individuals accountability and responsibility, something RIAs should have addressed under the Senior Managers and Certification Regime (SM&CR)

 

RIAs are also now expected to employ a system to identify, monitor and manage risks and employ a quantified risk appetite strategy which is communicated, understood and followed across the firm. Policy and procedures are then required to ensure the risk function is resourced, has appropriate controls, manage conflict of interests and outsourcing risks.

 

Identify and assess the impact of harm: Here RIAs should place a specific focus on conduct and competence, ensuring the right people are in the right place with the right skills and responsibilities. Firm’s need to ensure they can compensate consumers for losses and thus the issue of the Financial Services Compensation Scheme (FSCS) and ability to fund applies here. It’s worth noting that the majority of payments made by the FSCS is against solo regulated firms are those firms not subject to detailed prudential standards discussed above.

 

Continuity of service is also a key area and thus RIAs need to evidence investment in people, processes, systems and controls. Advice suitability is front and centre here, particularly around pension transfers for example.

 

Monitor and manage the potential depletion of financial resources: As I have written extensively on the need for RIAs to balance their charging strategy and move away from the industry wide reliance on ad-valorem charging to client paid fees, the issues we have witnessed during adverse market conditions such as the financial crises and current Covid19 means that there is a risk of depletion of income that can adversely affect the firm’s financial stability. Firm’s need to keep clients close, box clever and shift a percentage of fees to direct charging. This can stabilise cashflow in the short and long term.

 

Business model strategy and sustainability: Whenever I speak at public events, I tend to ask the question how many firms have a bonafide 10-year busines plan. Very few put their hands up! Just as it is so important for clients to have a long-term financial plan, RIAs need to employ a strategic plan that can ensure strengths, weaknesses, opportunities and threats are covered, stress testing is in place and all staff are aligned to this company strategy. This will ensure the FCA have confidence is RIA ability to manage financial resilience across the business and their client needs.  

 

Wind down planning:  Preparing for worst case scenarios is crucial, after all, it is those adviser firms who ensure their clients have adequate life insurance who are providing a holistic service, so RIAs also need to ensure that their business strategy incorporates their own demise if this is an unavoidable outcome of the pandemic.

 

How can firms deal with all this?

 

We need to avoid overwhelm and ensure firms continue to conduct the good work they are doing, so here we would argue that risk diagnostic assessments can help to ensure GRC strategy incorporating operation and financial resilience activities.

 

So, employing technology is a good start, this can ensure RIA’s gain specific management information and data to ensure their business resilience strategies are aligned to their rules and also to their clients and stakeholder needs. At Model Office for example, we have made our Financial Resilience Diagnostic free of charge so firms gain heat mapped dashboards and assess the strengths of their firm’s financial ratios and cashflow. You can sign up and download it for free here.

 

We have also developed an Action Tracker, Compliance Diary system that allows firms to automate audit actions and provides alerts to ensure stuff gets done and identify, manage and monitor risks.

Read More [fa icon="long-arrow-right"]

Subscribe to Email Updates

Recent Posts