2024 External Issues
Whether in the context of back-office operations, customer-facing services, risk management or compliance, no issue garners more attention today than AI. While animated debate continues among governments, advocates for the responsible use of technology, and the financial services industry — including participants at the Bletchley Park AI Safety Summit in November 2023 — as to how AI should be regulated, financial institutions are grappling with the opportunities and risks of AI. Along with board members and senior executives, compliance officers need to quickly understand the technology in order to manage the compliance risks it poses. Compliance officers will play a key role in determining the controls needed in business and operations applications of AI to meet local regulatory requirements as well as data governance and model requirements. They would also be well-advised, as discussed further below, to consider how AI can be used to improve the efficiency and effectiveness of the Compliance function.
Consumer protection measures are the mainstay of retail compliance. Therefore, compliance officers will be tracking the rollout of consumer protection measures in the U.S., Australia, Europe, Hong Kong, Singapore and other jurisdictions. After trying for more than 20 years, with limited success, to ensure that financial institutions “treat customers fairly” and then identify and manage “conduct risk” relating to customer interactions, the UK’s Financial Conduct Authority has received new powers (through the Consumer Duty) to regulate customer outcomes — ensuring that regulated firms, effective July 2023, must act to deliver good customer outcomes for retail customers (including vulnerable customers). This regulation raises the bar for UK financial institutions. Another recent example of outcomes-based regulation comes from the Australian Securities and Investments Commission (ASIC), which has fined multiple financial services firms for poor customer outcomes, including misleading statements and financial promotions, unfair contract terms, overcharging customers, and other poor pricing practices.
Operational resilience, with cybersecurity as one of its linchpins, continues to be high on regulators’ agendas globally, although regulatory approaches and expectations may differ by country. Given the interconnectedness of the financial services industry, there is increasing focus on dependencies on critical third parties, outsource arrangements and vendors that play critical roles in delivering important business services and on which financial institutions rely to achieve resilience. Being able to monitor and oversee such third parties, which may number in the hundreds for individual firms, is a key area of focus. In July 2023, U.S. prudential regulators issued their long-awaited Interagency Guidance on Third Party Relationships: Risk Management, and in December 2023 the Financial Stability Board released a tool kit for enhancing third-party risk management and oversight; these are just two examples of recent regulatory guidance. While operational resilience programs are generally not managed by the Compliance function, Compliance nonetheless will continue to play a key role in ensuring that all regulatory requirements and standards are met.
Conduct and culture — and the increasing impacts they have on regulatory risk — will be a focus for compliance officers in 2024. Whether it is the regulation of non-financial misconduct or the proposed mandatory disclosures to encourage diversity and inclusion in the UK, or publication of a consultative Culture and Behaviour Risk Guideline by Canada’s Office of the Superintendent of Financial Institutions (OSFI)[3] outlining outcomes for which firms are accountable and emphasizing how a sound culture and proactive management of behavioral risks contribute to good outcomes, an organization’s culture has never been more important. Compliance officers know that sustainable and embedded implementation of regulatory requirements is effective only when reinforced by senior management action and a supportive company culture. The many impacts of culture on financial misconduct and poor customer outcomes are increasing regulatory focus on board effectiveness, governance, senior management accountability, and remuneration and incentivization. In Hong Kong, regulators have introduced new requirements for remuneration design and clawbacks, and in Australia, financial services firms also need to evidence a board-level view on risk culture.[4] In examples of “practice what you preach,” two U.S. regulators, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), are currently under scrutiny for culture and conduct lapses related to, respectively, ignoring a hostile work environment and deficient vetting of a senior-level hire.
With a slowing, but not stopping, issuance of Western sanctions against Russia, industry and regulatory attention has shifted from implementing the sanctions to evasion and enforcement. Regulators across the globe have published studies and guidance on evasion techniques, such as the May 2023 joint release by the U.S. Financial Crimes Enforcement Network (FinCEN) and the U.S. Bureau of Industry and Security (BIS), as well as the UK National Crime Agency’s (NCA) November 2023 warning on the use of gold to evade Russian sanctions. Contrary to what we have witnessed in the past, where it has taken regulators and other enforcement bodies years to build and report cases of sanction evasion, we are already seeing a steady stream of reporting of Russian evasion — a clear sign of the importance Western governments are placing on trying to cut off evasion channels.
These cases highlight the need for financial institutions’ Sanction Compliance departments to be highly engaged and coordinated with their counterparts in transaction monitoring, trade operations and cyber risk management, among others, in order to identify and report evasion. (More about this is found below in our discussion of the convergence of financial crime.) Financial institutions simultaneously need to consider other lessons learned during the early days of the Russian sanctions and modify and enhance their sanctions compliance programs accordingly. Finally, it must be noted that geopolitical tensions across the globe, including U.S.-China relations and the Middle East conflict (including Iran’s potential role), remind us that while much of the sanction attention in the last two years has been on Russia, compliance risk overall is far more pronounced than it has been in recent history and carries with it significant enforcement and reputation risk.
When we consider managing supply chain risk, we generally think about manufacturers and retailers and not about financial institutions. Apart from the credit issues that may stem from supply chain disruption, a financial institution’s supply chain also presents compliance risks including corruption, fraud, export controls and sanctions, ESG requirements, and labor law and anti-human trafficking compliance, among others. Financial institutions therefore need to consider these issues as part of a comprehensive third-party risk management program and, in light of stepped-up constituent and regulatory interest, that program should include the supply chain certification requirements that apply in some jurisdictions.
Who would have thought that — following the conviction of FTX’s Sam Bankman-Fried, the multibillion-dollar settlement with Binance and the conviction of its CEO, Changpeng Zhao, amid other crypto industry scandals — there would be optimism about the crypto world? But this is exactly what has happened. The two cases are quite different, of course: The FTX case involves the mishandling of customer funds, while the Binance case is based on alleged money laundering and sanctions violations. With these cases nearly resolved, there is optimism that this chapter of crypto fallout is behind us and that investors can now feel more confident that bad actors will be punished. Crypto prices, in fact, recovered in 2023 following the devastating losses incurred in 2022. The future, however, is not as clear and rosy as some would like to believe. While jurisdictions across the globe (including Japan, Singapore, Hong Kong, Dubai and the UK) continue to welcome cryptocurrency companies and have developed and implemented regulatory regimes to supervise them, the United States remains a bystander, with no defined regulatory regime and where the future of crypto currently depends on the outcome of SEC litigation and on the political will (thus far lacking) for the Congress to act. For now, the disparate national frameworks governing crypto activities will continue to challenge financial institutions and their compliance personnel.
Financial crime has been a perennial issue on our listings of compliance priorities. New anti-money laundering (AML) requirements are never lacking, and recent events, as discussed above, have elevated the focus on sanctions compliance. Beyond these core pillars of financial crime, we are seeing a push toward the convergence of financial crime — a view that includes not just AML and sanctions, but also anti-bribery and corruption, fraud, cybercrime, and market abuse, among other areas. We have seen this push before, but progress has been slow and mixed at best. Two factors may now serve as catalysts to develop more integrated financial crime functions: an overarching, global concern with the proliferation of fraud and cybercrime, and the availability of innovative technologies. Compliance officers will be expected to be the architects of these integrated financial crime-focused Compliance functions and should increasingly expect regulators to ask about their plans and progress.
In our June 2023 edition of Compliance Insights, we argued for the need for the Chief Compliance Officer (CCO) to step up and play a key role in the adoption of ESG strategies. At COP28’s Finance Day in December 2023, we saw how the financial sector remains a vital mechanism for initiating and sustaining change. We expect continued focus on the development and implementation of ESG strategies and policies in many countries, although in some the political realities and costs of adopting green and net zero policies are causing less progress than might have been expected from a climate emergency. We expect that regulators will continue to develop and refine disclosure regimes, and the introduction of the first of the Statements from the International Sustainability Standards Board will bring hope that greater global alignment around disclosure standards and requirements can be achieved. Financial regulators, including those in Europe, the UK, Canada, Japan, Hong Kong and Singapore, will continue to focus on developing and refining climate change stress tests, anti-greenwashing measures and definition of the “S” (social) components, as well as on developing the sustainable finance markets. The planned or expected adoption of reporting and disclosure standards in various jurisdictions, including Europe and the United States, will set further compliance expectations.