As regulators find basic failures in banks’ decisions, reporting and controls – while fresh risks and greater complexity loom on the horizon – banks will be forced to transform their control framework.
A spike last year in the number of data breaches reported by investment banks to the UK’s Financial Conduct Authority (FCA) – to 34 from just 3 in 2017 – underscores a worrying decline in controls across the sector. In a February 2019 speech, FCA Director of Market Oversight Julia Hoggett further flagged access controls as a specific challenge that indicates banks are struggling with the basics.
Fragmented systems for recording and storing data are forcing individuals to report and make decisions without sufficient insight, according to the regulator. This chimes with the experience of Accenture, which has encountered clients unable to report large holdings based on their global position, or having difficulty demonstrating that intra-group conflicts have been identified and mitigated, all because of problems accessing data across all their geographic markets.
What’s worse, control failures are going unnoticed for longer. The FCA has consistently highlighted that banks are accidentally falling foul of MiFID II requirements to record calls, with some not spotting glitches in their recording systems for months. Also passing under the radar – and proving difficult to fix once uncovered – are issues with inaccurate trade reporting. For example, clock-syncing complications mean some firms have been found time stamping trades in British Summer Time (BST), rather than the required Coordinated Universal Time (UTC).
Prepare for complexity
As technological advances accelerate and regulatory scrutiny intensifies, the challenges facing such banks will only grow, piling more pressure on fragmented, patchy frameworks.
Rapid expansion in computing power is already enabling the creation and use of comparatively untested applications – for example, high-frequency algorithmic trading – that could produce risk control gaps. And while new technologies like AI can be a useful tool for the 1st line of defence, associated governance risks for banks, such as AI models discriminating on ethnicity, are only starting to be understood.
High-profile data breaches and cyber attacks – often powered by AI and social engineering – have naturally attracted regulators’ attention. This will inevitably result in tougher and more complicated regulatory requirements for banks surrounding data and technology in general.
At the same time, the Bank of England’s proposal that environmental, social and governance responsibilities be placed under the Senior Managers and Certification Regime could transform previously ‘nice to have’ commitments into an additional layer of real regulatory obligations for banks.
The complexity of such emerging risks – and concerns about banks’ preparedness for them – is evidenced by the response to the Operational Resilience Discussion Paper that was published in July 2018 by the Bank of England, the Prudential Regulation Authority and the FCA. The paper was downloaded a record number of times for a document of this type, reflecting the size of the challenge and the number of people potentially affected.
“The current regulatory environment is relatively stable, compared to the post-crisis period, but the next few years will see a string of new risks and complexities surface for financial institutions – especially at the intersection of AI, data, cyber security, and third parties. This will force a major rethink of control frameworks and op model,” says Rafael Gomes, Managing Director, Regulation and Compliance at Accenture. “There is no black and white solution, but one priority will be using technology to regulate and control other technology; for example, using AI to control cyber risks; or automated data lineage to control 3rd party risks. For those whose basic controls are essentially manual, the task will be monumental.”
Action plan
There are several immediate steps banks can take to make their control operating model stronger, although keeping it fit for purpose will require constant feedback and design improvement:
Update the control framework
The first task for most firms will be to update, simplify and deduplicate the control framework, after years of regulatory requirements being layered on. Banks should create an integrated controls framework, combining and rationalising various control requirements into a single framework that can include data and new technologies like AI, advises Anne Godbold, Compliance and Regulatory Change Specialist at Accenture. Banks should ensure continuous updates are fully audit trailed, meaning updates to the framework are made constantly and are fully recorded and stored in a searchable repository.
Making more use of AI can help banks detect and triage potential risk events, for example those associated with algorithmic trading, says Gomes. Similarly, increased deployment of applications like Robotic Process Automation (RPA) will boost banks’ efficiency and reduce their reliance on manual controls. For example, RPA can allow them to source and stay on top of regulatory events while Natural Language Processing will transform regulatory text into action plans.
Developing threat detection, intelligence and analytics to improve their risk response, control and reporting will enable firms to keep better track of controls-related failures, issues and remediation actions, which should be monitored centrally, Godbold says. Streamlining the number of tools banks use to perform similar activities will also improve the effectiveness and efficiency of monitoring and surveillance.
Optimise control testing
Many automated controls can self-test and self-report. In addition, outsourcing activities such as testing will allow banks to take advantage of efficiencies of scale and drive down costs, Godbold adds. Pooling specialised resources – for example, by setting up an IT controls centre of excellence to manage IT controls – will help cut costs while increasing capacity. Combining human intelligence and specialists with applications like RPA through a tiered escalation framework will also enable deeper analytics.