Has there ever been a more challenging climate for the second and third lines of defence?
COVID-19 has quite clearly changed the entire 2020 landscape for financial services. A flurry of economic challenges and hurdles has put tremendous pressure on the business models of both traditional organisations and upstart, digitally native firms. Risk functions, in addition to dealing with financial challenges, are grappling with assessments of their risk universes, searching for previously overlooked single points of failure in operations, IT, and supply chains. Compliance functions are racing to ensure that they meet unwavering regulator expectations with respect to financial crime, market and consumer conduct. Internal audit departments, as their counterparts in the second line, are adapting to the work from home (WFH) environment, adjusting audit priorities and leveraging digital capabilities wherever possible to compensate for their inability to perform onsite audits.
For the second line, sudden economic shifts often result in the perfect storm – a disrupted market that provides new opportunities for those inclined to engage in dishonest practices, such as fraud, bribery, investment schemes and market manipulation. and increases the vulnerability of some market participants. The websites of governmental agencies and regulators globally offer myriad warnings and advisories about these risks.
Financial institutions need to take reasonable steps to ensure that their compliance monitoring programmes are designed to identify fraudulent activity and market abuses, intentional or inadvertent. In the current environment, compliance assurance programmes should include enhanced scrutiny of the following areas:
- Transaction monitoring. Pre-COVID-19 transaction monitoring models may no longer be fit for purpose given significant changes in consumer behaviour. In response, monitoring rules should be recalibrated to avoid 1) overwhelming numbers of false positive alerts, which distract analysts from reviewing truly malicious activity, and 2) missing new patterns of behaviour indicative of criminal activity.
- Fraud management. New fraud schemes have been devised to take advantage of government support measures and public demand for certain goods. Shortages of many goods also heighten the potential for both public and private sector bribery. Financial crime prevention teams should be evaluating how wrongdoers can take advantage of the current situation and incorporate new rules and keyword typologies into fraud management processes to identify and flag potential criminal activities.
- Market abuse surveillance. Insider trading, market manipulation and investment schemes have been on the rise in parallel to the unprecedented market shifts that have occurred over the past few months. Traders working from home have introduced new challenges related to information leakage and potential insider trading. Vulnerable parties, such as unsophisticated investors, may be more susceptible to manipulation activities such as “pumping and dumping.” Firms should be evaluating their control environments to ensure that their prevention and detection capabilities are fit for purpose.
- Conduct risk and treatment of vulnerable customers. Regulators expect firms to have in place sufficient forward-looking conduct risk metrics and indicators and to be performing analysis of their activities and transactions so that they are assured that conduct risk is being properly managed. Given the dramatic changes in many customers’ circumstances, increased numbers of customers are considered to be vulnerable and the impact of the firm’s decisions on those consumers during the pandemic is likely to be subject to significant regulatory scrutiny. Enhanced compliance assurance and testing in this area is a top priority.
As with other second line functions and with the third line, WFH compliance departments have had to adapt and modify their methodologies for monitoring and testing. While for most compliance departments the focus has been on managing the immediate, short-term shock of the crisis caused by COVID-19, much remains to be seen about the mid-to-long term effects. History has taught financial institutions that crises often lead to a wave of regulatory mandates in the future – along with the remediation efforts and costs required to manage these – and that practices developed to deal with crisis situations can actually lead to operating model improvements.
In our experience with our clients over the past couple months, we have seen three common themes emerge as firms have responded to the compliance monitoring challenge. While the first appears to be an interim, tactical change, the last two point to an acceleration of many executives’ strategic plans for a more a dynamic assurance model.
- Repositioning staff. Following government actions to protect consumers and markets, many firms have had to respond quickly to huge demand from their consumer and business customer bases seeking to take advantage of the benefits put into place. This has also led to a large volume increase in customer contact and service requests. In response, some first line personnel have been temporarily seconded to customer service roles and even second- and third-line personnel have been redirected to assist. This short-term solution has both risks and a potential benefit. Risk arises from asking people with limited training and experience to step into roles with which they are unfamiliar, heightening the chances of error, and from withdrawing second and third line personnel from their assurance activities, at a time when they are already challenged to deliver these activities effectively.
- Enhancing active assurance techniques to provide an immediate feedback loop. To support their organisations with rapidly evolving demands, assurance functions have changed their ways of working to operate in more responsive ways. This has included greater involvement in emerging topics and issues, including the areas of increased risk noted above, flexibility to ensure that reviews do no inhibit first-line performance, and increased use of data and analytics. Some clients are delaying “deep dive” reviews until later in the year to prioritise emerging risks. We’ve seen active assurance applied most towards data-focused reviews of key risk indicators in the financial crime space, operational resilience, and in response to government actions such as new government loans and guarantee schemes, furloughs and payment holidays.
- Increasing use of technologies to support active assurance. Across the majority of our client base, becoming a more digital organisation across the first, second and third lines was a top priority for most executives prior to the COVID crisis. The consequences of the pandemic have accelerated this trend.
In all likelihood, many of the changes to ways of working that have been introduced to respond to the current environment are here to stay, and the assurance functions that respond most innovatively to ways of working during the pandemic are likely best poised for future success.