In the UK, 2017-2018 Priorities for Financial Services Firms Published

By Bernadine Reese, Managing Director
Risk and Compliance, UK




The UK Financial Conduct Authority (FCA) has issued its annual business plan for fiscal year 2017-2018. The FCA is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms. Its annual business plan and mission statement give firms and consumers greater clarity about how the regulator intends to prioritize its interventions in financial markets over the next 12 months.

The plan sets out the FCA’s cross-sector and individual sector priorities for the next 12 months. It identifies the following cross-sector priorities: culture and governance, financial crime and anti-money laundering (AML), promoting competition and innovation, technological change and resilience, treatment of existing customers, and consumer vulnerability and access.

The main individual sector priorities focus on the need to continue with the implementation of the Markets in Financial Instruments Directive (MiFID II); improving competition in all areas of financial services; supporting the implementation of ring-fencing in retail banking; and assessing the developing market for automated advice models (robo-advice) in the retail investment market.

A fundamental part of the plan is the risk outlook, which identifies key trends and emerging risks that help form the regulator’s priorities for the coming year. Technological change, cybercrime and resilience are noted as major risks. However, many of the largest risks detailed in the FCA’s risk outlook are external: international events, demographic changes, the course of the UK economy, and the impact of the UK’s decision to leave the European Union (EU), commonly known as Brexit.

We published a recent Flash Report, which lays out the specifics and reasoning around each of these priorities. Financial firms in the UK are advised to familiarize themselves with the report so they can determine where to focus their compliance efforts and better understand the regulator’s expectations.

2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016, with the biggest implications, were Brexit and the election of Donald Trump as president. Brexit was brought about by sovereignty and immigration issues, as those who voted to leave the European Union believed the UK – and no one else – should make UK-related decisions and control its own borders. The U.S. presidential election turned on many issues, such as immigration, trade, healthcare reform and jobs, among others.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things.

In technology, Google’s AI program AlphaGo defeated Go champion Lee Sedol, and Uber launched its fleet of driverless cars despite some opposition. Both of these events speak to the future of artificial intelligence, an emerging risk we continue to track in our PreView newsletter. Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising that our two most-read blog posts had to do with cybersecurity and cyber awareness. Our third most popular post had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud, as the much-awaited Fraud Risk Management Guide was released by COSO and the FCPA launched its Pilot Program. (Also, the SEC gave six of its 10 highest whistleblower awards this year.)

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

Brexit Raises Questions About Personal Data Protection

By Mark Peters, Managing Director
IT Audit Practice Leader, UK




Not all border crossings are visible. The decision by the United Kingdom earlier this year to leave the European Union (EU) brings a basket of challenges and opportunities for the management and protection of personal data through cyber checkpoints, once the UK goes its own way. Personal data is a crown jewel of commerce, and the secure transfer and storage of data across national and regional borders is a hotly contested topic.

We examine this issue in our recent point-of-view paper, Responding to the Challenges and Opportunities Presented by Brexit — Data Protection and Management Implications, available for free download from our website.

Under current regulations, personal data can be transferred freely between countries within the EU, but it can only be transferred to outside countries that guarantee an adequate level of protection. The new EU General Data Protection Regulation (GDPR) — effective May 2016, with enforcement to begin May 2018 — which aims to harmonize existing data laws and strengthen data protection rules, was a long time coming, and carries fines of up to four percent of global revenue for noncompliance.

Some UK companies have incorrectly assumed that, following Brexit, GDPR will no longer apply, and have drawn the conclusion that Brexit will simplify data governance. In fact, the timetable for GDPR compliance is likely to run ahead of the UK’s formal exit, which means UK companies will have to comply with the GDPR, even as UK regulators craft their own personal data rules and negotiate transfer terms with the EU. It is likely, as well, that the EU will require companies in the UK to continue to meet GDPR standards as a condition of access to the EU market.

The split also raises questions for UK companies with data centers and cloud providers in the EU, and vice versa. Even if not required by the GDPR, many EU companies restrict suppliers from exporting personal data outside the EU, as part of their internal data risk management policies. That means some EU companies are likely to require suppliers to move data out of the UK and into EU data centers. Now would be a good time to take inventory of data locations and develop contingency plans.

Similarly, any ongoing business change projects approved before the Brexit vote and involving a significant IT investment should be reassessed and modified to address any implications for data storage and transmission. Given the broad definition of personal data under the GDPR, virtually all projects will be affected. As a priority, all organizations should evaluate their data center strategy for these projects and decide whether it might be prudent to move or split data centers across different territories.

Organizations that utilize cloud service providers should determine what arrangements those providers have made for segregating data for EU and UK customers.

Client contracts should also be reviewed, and modified as needed, to clarify expectations on data residency and exchange.

As with any significant change, human factors can make or break the transition. Organizations should identify key decision makers who are likely to require early awareness training in order to keep abreast of potential changes in data protection legislation. Areas most likely to be affected include customer management, marketing, legal, compliance, human resources, IT, facilities, contracts, and project management.

We will continue to monitor this situation and revisit, as needed, as details become available. The above is just a summary; download the full paper here.

From New York to Hong Kong: The Need for a Global AML Program

By Carol Beaumier, Executive Vice-President and Managing Director
Regulatory Compliance Practice



Money launderers don’t recognize geographical boundaries and, while they often seek to launder money in those jurisdictions with the weakest regulatory environment, they are also attracted to major markets, which can accommodate large-scale movement of funds. They are masters at exploiting any weaknesses caused by differences among national anti-money laundering (AML) systems, which is why the regulation of money laundering needs to be a global effort.

Three major global financial centers – New York, London and Hong Kong – share a high degree of commonality with the global AML principles of the Financial Action Task Force (FATF). Despite this common approach to AML, requirements are implemented and enforced differently, with a number of nuances within each jurisdiction – and potentially more in the future as the UK shapes its financial crime regime in a post-Brexit environment. This can be a minefield for global financial institutions seeking to establish and maintain an effective global AML compliance program.

On the regulatory side, financial regulators have taken a proactive approach to close cross-regional collaboration and joint enforcement activities. This impacts financial institutions, as they may find themselves subject to the same inquiries in multiple jurisdictions at the same time. This regulatory approach highlights the need for compliance teams to be aligned and connected regionally as well as globally.

We discuss these issues, and much more, in a recently published white paper, The Challenges of Managing a Global AML Program. The paper examines the differences among the three global financial centers in four specific areas: regulatory examination and enforcement, correspondent banking, information sharing, and AML technology. It also considers the implications of these differences for financial institutions seeking to implement global AML programs and provides advice on how firms can efficiently implement a compliant AML program that is cost-effective and provides more value to the business.

The white paper offers a comprehensive discussion that is worth your time. Financial services is, without question, a global business, and while money laundering will not go away any time soon, understanding how to align your global AML program with the nuances of key AML jurisdictions will go a long way toward ensuring compliance.

Top Risks in Financial Services: Ever the Same, Always Changing

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the financial services industry.

By Cory Gunderson, Managing Director
Global Leader, Financial Services Industry




When we conducted our survey in the fourth quarter of last year, the top risks on the minds of financial services directors and executives, in order of priority, were: regulatory changes and increased scrutiny, cybersecurity, information security, economic volatility, and succession. However, risk is never static. If we were to conduct the survey today, after the significant changes of the past six months, including growing nationalist sentiment across the globe – Brexit being the most recent example – economic concerns would probably rise as high as second place, even with cybersecurity and information security remaining strong and “evergreen” concerns.

Executives perceive risk in much the same way the body perceives pain. New risks arise sharp and top-of-mind, but recede in perceived importance as the corporate body adapts to the stimulus. My colleague Richard Childs alluded to this “anesthetizing effect” in his recent post on top risks in the consumer products and services industry. In financial services, the reigning top risk – regulatory changes and scrutiny – continued a steady decline in perceived severity, and at least two other top risks from 2015 – social media and disruptive technology – dropped out of the top five.

That’s not to say these risks have receded. If anything, regulations continue to evolve and they change with greater frequency, reflecting the critical importance of a sound financial system to the world’s economy. And the level of investment in fintech – the technology driving the bleeding-edge of financial services – is growing in leaps and bounds. Rather, financial institutions are now dealing with these risk areas on a daily basis, so they are not perceived as sharply as when they first arose.

Similarly, other risks fundamental to a financial institution’s survival – such as market risk and credit risk – are so much a part of everyday life that they don’t even register on a survey like this. Things could change soon, however. We have lived in a low-interest-rate environment for well over 20 years, creating an entire generation of risk managers who have never had to manage volatile interest rate risk – at least not on the scale of the 1970s and 1980s. With the Federal Reserve strongly hinting at higher interest rates to come, regulators are keeping an increasingly close eye on this fundamental. Interest rate risk could very well become one to watch. And as in any cycle, the spectre of credit risk looms on the horizon, with many regulators looking for evidence of the risk-compounding scenario of loosened underwriting standards coupled with overheated pricing bubbles.

The bottom line is that the financial services industry, because it is central to the world’s liquidity, movement of capital, financing of business expansion and the safekeeping of wealth, is always going to be risk-heavy – and while the ranking of risks matters, it is not to be seen as an indication of one risk or another going away completely. Financial services firms are in the business of managing risk by their very nature, meaning the rankings are really more a reflection of what’s top of mind at a given point in time.

We are entering a period of increasing volatility. There are going to be stresses on financial institutions’ systems. It is important, going forward, that executives and directors work hard to remain agile and adaptive in their risk management roles, challenging all layers of defense – especially the first line – to remain engaged, and avail themselves of the latest in risk management capabilities. History has shown that when organizations become complacent, or assume that the situation of today won’t change tomorrow, risks have a way of becoming realities, and neither the regulators and policy makers nor the public at large appear to be in a forgiving mood.

Global Instability, Cybersecurity on the Minds of Manufacturing and Distribution Industry Executives

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the manufacturing and distribution industry.

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader




Not surprisingly, economic conditions and financial market volatility top the list of manufacturing and distribution concerns for 2016, and the degree of concern is higher than in prior years. Manufacturers, to a greater extent than many other industries, depend on global sourcing, so it is no wonder that manufacturing executives would be more concerned than usual, given the widespread and growing uncertainty about the financial stability of the key U.S. trading partners around the world on whom U.S. manufacturers depend for everything from polymers and resins to product assembly.

In addition to supply chain concerns, manufacturers worry about sales. Global instability makes it harder to predict where production and inventory will go. Top of mind at the moment: the concerns over Great Britain’s withdrawal from the European Union, as well as economic turmoil in China and Brazil.

Cyberthreats surged into the top five risks for manufacturers for the first time this year. We interpret that as a growing concern for critical systems and infrastructure that we haven’t seen previously in this sector. The concern is indicative of a growing awareness by directors and executives of the vulnerability of networked devices in an increasingly connected global economy with increasingly sophisticated data harvesting and analytic tools.

Unlike, say, retailers, who might be primarily concerned with protecting customer data, manufacturers are primarily concerned with protecting trade secrets and the integrity of networked production equipment. Within manufacturing IT, we’re seeing more focus on security architecture, specifically related to robotics and embedded technology communicating machine-to-machine via the Internet of Things.

Given these changes, it is perhaps not surprising that manufacturers cited recruiting and retaining top talent as one of their top five concerns. There is an increased demand for accurate and timely analytics with which to counter market uncertainty – and for personnel capable of extracting actionable intelligence from the overwhelming and growing amount of available data. Automated manufacturers are also aware that they need a higher level of cybersecurity expertise to thwart potential disruption and maintain a competitive edge.

Finally, regulatory risk appears in the top five again, as it has for three years in a row. Manufacturers have a significant and fairly consistent compliance burden when it comes to occupational, environmental, health and safety requirements. More recent concerns have included ethically sourced materials and labor. Regulatory challenges change over time, of course, but history suggests that compliance with regulations will remain a fundamental performance concern for executives and directors.

You can read the key findings and additional commentary in our manufacturing-specific report, which you can access here. The entire survey is available here.