Webinar: RCSA – Now and the future with Yiorgos Polymeris
With credit and market risk now being better managed, regulators are shifting their focus to non-financial risks such as misconduct, data security, sanctions compliance, record keeping and consumer duty.
Penalties for non-compliance are growing—the UK’s FCA tripled the number of fines it handed out in 2022, while the US’s SEC imposed a record $6.4bn in financial penalties. Against that backdrop, it is more important than ever for banks to demonstrate compliance with an ever-growing catalogue of operational risks.
Here is a rundown of the key risks that banks need to watch in 2023:
Unauthorized electronic communications risk needs to remain top of mind in 2023 following a year of bumper fines for e-comms misuse at a slew of leading Wall Street banks.
So far, banks have been hit with around $2bn of fines, mostly due to employees sending messages on unmonitored personal devices and encrypted platforms such as WhatsApp, out of the gaze of compliance supervisors.
Such books and records violations mean banks need to rethink their e-comms strategies in a digital and remote working age to avoid further penalties.
Banks that are failing to make proper use of their data will find it challenging to keep track of their exposure to operational risk or turn that data into meaningful insights that can ensure risk controls are optimized.
Failure to invest in the right technology to safeguard against operational risk means banks may find themselves on the wrong end of regulatory penalties for control gaps that could have been avoided if they had access to better quality data and analysis.
Acin’s free Data Quality Assessment is an ideal first step to find data quality issues across a range of criteria, allowing firms to quickly pinpoint, assess and prioritise potential weakness in their controls.
The Bank of England’s Prudential Regulation Authority’s (PRA) said last year that it was folding climate risk into its wider supervisory remit. In October, the regulator said that while some firms have made ‘considerable progress’, the extent to which firms have embedded climate risk into their risk frameworks is uneven and further progress is needed across the board.
Aside from climate risk, banks must also be increasingly wary of potential regulatory fines for greenwashing if ESG-related claims are found to be misleading or omit important information.
Acin’s Climate Change Risk report sets out the state of play and what firms can do to better mitigate climate risk.
The FCA’s new consumer duty rule, due to be introduced later this year, will hold retail banks accountable for poor customer outcomes (similar to FINRA’s Regulation Best Interest rules for broker-dealers in the US).
Retail banks must ensure they always put their customers first and that decisions are made in good faith and avoid any harm to those customers.
Banks must monitor their adherence to this rule on an ongoing basis and put in place plans to fix any shortcomings. The FCA says it will be focused on detecting and responding to consumer duty breaches, with potential financial penalties for serious misconduct. Upgrading risk and controls frameworks will be key in demonstrating compliance.
Global banks saw a 52% increase in fines for anti-money laundering (AML) failures last year, paying out almost $5bn in penalties related to AML shortcomings, sanctions breaches and know your customer (KYC) slip ups.
US regulators are stepping up AML penalties, with FINRA last year introducing tougher rules that eliminate the cap on fines for larger financial institutions.
Cyber risk continues to be a major concern for banks. Ransomware attacks on financial services companies increased sharply in 2021, with more than half of organizations (55%) reporting an attack, according to a report published last year by cybersecurity firm Sophos. US banks paid out almost $1.2bn in 2021 as a result of ransomware attacks, according to FinCEN.
A cyberattack on fintech company ION Group this year impacted several European and US banks, who were forced to revert to manual processes during the outages.
As banks continue their digital transformation efforts, ensuring there is no disruption for customers will be paramount.
The PRA’s ‘Dear CEO’ letter in January noted a material increase in services being outsourced to third parties, particularly to cloud providers.
As the recent ION case demonstrated, cyberattacks on third-party vendors can still create havoc for banks who have come to rely on those services.
In the case of the ION hack, derivatives traders at affected banks in the US and Europe had to manually record trades on spreadsheets. The CFTC had to delay publishing its weekly trading stats because ION’s customers were unable to compile their daily positioning reports fast enough.
Such incidents will only intensify regulatory scrutiny around banks’ exposure to third-party risk and potential impacts on business continuity.
As the amount of operational risk grows, banks face an increasingly complex task to manage known risks while monitoring for emerging ones, all while regulators step up their scrutiny of how banks are managing operational risk.
Without an effective operational risk management framework in place, banks leave themselves vulnerable to steep regulatory fines and potential reputational damage.
By using Acin’s peer comparison network, banks can keep track of evolving operational risks, review how their controls stack up compared to others and demonstrate compliance efforts to regulators.
To learn more about how Acin can help protect your bank against operational risk, get in touch with us today.