Too much exposure to the sun can cause living organisms to wither and die. Too much exposure to the unforgiving glare of the regulatory spotlight can have similarly dire consequences for financial institutions. But today’s highly regulated financial service providers have little hope of shelter from scrutiny. Rather than seeking to avoid attention, the only way to withstand the heat of regulatory pressure is to demonstrate you have nothing to hide. In short, you must show your control of your operations through transparency, preferably in real time.
“Today’s highly regulated financial service providers have little hope of shelter from scrutiny.”
We all know the sheer volume of regulations imposed by finance sector supervisors has increased over the past decade. We also know the pace of change is not slowing. A recent study by regulatory consultancy JWG found that 374 legislative initiatives are due to impact the finance sector by 2021. But the reason why regulation is the second of the three major forces highlighted in this blog series as demanding operational overhaul by financial institutions is that the nature of regulatory oversight and supervision has changed too. To better protect end-users and shore up systemic risks, there has been a concerted and multi-faceted effort by regulators globally to raise standards of conduct. Reforms aimed at ‘electronification’ and automation of processes (thus reducing the operational risks and costs of human error) have been accompanied by new rules that place responsibility firmly in the hands of named individuals.
“To better protect end-users, there has been a concerted effort to raise standards of conduct”
The 2002 Sarbanes-Oxley Act was an early signpost, requiring senior executives at US-regulated entities to sign off on the accuracy and completeness of corporate financial reports. Soon after, the rise of algorithmic trading led Hong Kong’s Securities and Futures Commission to oblige individual users to attest to their competence to pilot execution algorithms. In 2016, the UK’s Financial Conduct Authority (FCA) introduced the Senior Managers and Certification Regime (SMCR), with the aim of restoring customer confidence in the wake of multiple post-crisis scandals, through improved standards of conduct, governance and accountability.
But, as many execs asked, how on earth do you ensure your operations are running in a smooth, efficient and above-all compliant fashion – while meeting punishing ROE targets – in a roller-coaster of post-crisis, post-globalisation business environment? It’s no picnic for a nimble, lean, digital-native start-up; it’s well-nigh impossible for financial institution with physical assets, client relationships, product lines and supply chains built up, knocked down and remodelled over the decades.
“Outsourcing has been latched onto as a shortcut to meet the rigorously high standards expected of financial service providers.”
You can reeducate staff, automate processes and even outsource large chunks of infrastructure, but senior managers are still on the hook, vulnerable to the negative consequences of an outage, a glitch or a slip of the tongue. In particular, outsourcing has been latched onto as a shortcut to ensuring operational processes meet the rigorously high standards expected of financial service providers at a time when the sector is still mistrusted by consumers.
Division of labour along the supply chain and allocation of tasks to highly qualified specialists makes sense, of course, especially when suppliers are commercially motivated by service level agreements. From a regulatory perspective, however, you can delegate responsibility, but not accountability. When an error causes a service disruption or failure to the detriment of clients, it isn’t your supplier that gets a visit from the regulator.
“When an error causes a service disruption, it isn’t your supplier that gets a visit from the regulator.”
When 5,000 customer card transactions failed over an eight-hour period on Christmas Eve 2015, it was not the card processing firm that experienced the underlying technology failure that had to answer to the FCA and the Prudential Regulation Authority (PRA). Rather, it was the UK retail bank whose card customers had been inconvenienced that had to carry the can for their failure to manage their outsourcing arrangements effectively, eventually being fined almost £2 million in May this year.
Due to the timing of the incident, the bank was not fined under the SMCR, but under the FCA’s consumer protection objectives and the PRA’s safety and soundness objectives. However, one of the remedial actions required by the regulators was the allocation of first-line responsibility of the firm’s outsourcing arrangements to a senior manager, in accordance with the SMCR.
“There is every indication that the unsparing scrutiny on operational matters will only intensify.”
There is every indication that the unsparing scrutiny of regulatory attention on operational matters will only intensify. The SMCR will be extended in December 2019 across the whole of the financial services sector, including wealth and asset managers. New guidelines from the European Banking Authority on outsourcing arrangements are due to apply from September. As well as setting operational resilience as one of the cross-sector priorities in its 2019/20 business plan, the FCA is publishing a joint consultation paper on operational resilience with the Bank of England.
“The only response is to favour a new generation of adaptable workflow tools.”
Clearly, regulators are not going to look away now. The only response is to impose an efficient framework of oversight across your operations, regardless of where day-to-day responsibility may lie. This means abandoning ad hoc checks and unstructured communication channels in favour of a new generation of adaptable workflow tools that allow for systematic monitoring and reporting, real-time data aggregation and analysis, as well as task-sharing and resolution. Senior managers must accept that they’re permanently under the spotlight, but a strong supporting cast can share the burden.
 Ready for Digital Regulation? (April 2019)