OPINION: Five key risks for firms in 2021

2020 was a year of crisis management and 2021 looks set to be a year of learning the lessons and re-assessing the “how” as well as the “what” for firms and their business activities. The firms that will have navigated the pandemic best are those with highly skilled in-house risk and compliance functions. The good or better practice in the management of operational risks are not set out in black and white rulebooks but rather require often swift (re)interpretation, analysis, business-specific tailoring and effective implementation to ensure the ramifications can be evidenced.

The continuing uncertainty caused by COVID-19 puts even greater emphasis on the need for risk and compliance officers to prepare their firms for all eventualities. The deployment of skilled resources together with an effective suite of tested policies and procedures should offset many challenges even if geopolitics, for example, are unpredictable.

The need for expert, knowledgeable senior managers alongside highly skilled risk and compliance functions gains even sharper focus with the growing automation of business processes set against a backdrop of increasing personal accountability.

The risks financial services institutions run are firm-specific but there some high-level risks applicable to all firms, irrespective of geography or sector.

1. Post-pandemic review

Many firms, and regulators, may choose not to go back to their pre-pandemic ways of working; however firms handle the hoped-for end of the pandemic there will need to be a consideration and review of decisions taken in the white heat of the initial lockdowns.

Some firms have carried out a continuous review of governance and compliance; others are waiting to undertake a wholesale post-pandemic review. There are arguments for both approaches, or a hybrid, but whichever methodology firms choose, there does need to be a detailed, senior manager-sponsored assessment of how the business performed. Firms should also review whether compliant activities can be evidenced and ensure they can demonstrate that the required good customer outcomes have been maintained.

A post-lockdown world is likely be different, with quite possibly a significant proportion of employees continuing to work remotely either for some time to come or permanently. Governance, risk and control frameworks will all need to remain agile to support the new multi-site and remote working, as well as the compliance challenges involved in ensuring continued compliant activities.

Firms should be aware regulators intend to conduct post-pandemic reviews, and firms will be on the front foot if they have done the same. Firms should expect to share the results of any internal review work with relevant regulators. Any business-wide review is resource-heavy, particularly for the risk and compliance functions. Those functions are seen to have risen to prior challenges, but as post-pandemic budgets are going to be squeezed, they need to remain appropriately resourced to help their firms thrive into the medium term.

2. Financial cyber crime

There will always be those who seek to take advantage of a crisis to perpetrate crime, and in 2021 this will be increasingly associated with cyber risk. Firms need to remain vigilant and ensure they have deployed the best possible defences against all forms of technologically enabled attack.

A May 2020 paper published by the Financial Action Task Force (FATF) reported an increase in COVID-19-related crimes, including fraud, cyber crime, misdirection or exploitation of government funds or international financial assistance, which was seen as creating new sources of proceeds for illicit actors. The paper identified challenges, good practices and policy responses to new money laundering and terrorist financing threats and vulnerabilities arising from the COVID-19 crisis.

Emerging risks and vulnerabilities could result in criminals finding ways to:

• bypass customer due diligence measures;
• increase misuse of online financial services and virtual assets to move and conceal illicit funds;
• exploit economic stimulus measures and insolvency schemes as a means for natural and legal persons to conceal and launder illicit proceeds;
• increase use of the unregulated financial sector, creating additional opportunities for criminals to launder illicit funds;
• misuse and misappropriation of domestic and international financial aid and emergency funding;
• exploit COVID-19 and the associated economic downturn to move into new cash-intensive and high-liquidity lines of business in developing countries.

The need for firms to focus on cyber-enabled financial crime became even more pertinent at the end of 2020 when the United States issued an emergency warning after discovering that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems. The U.S. Department of Homeland Security’s cyber-security arm ordered all federal agencies to disconnect from SolarWinds’ Orion platform, used by IT departments to monitor and manage their networks and systems. FireEye, a cyber-security company that said it had fallen victim to the hacking campaign, said it had already found “numerous” other victims including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East”.

3. Digital transformation and recordkeeping

Technology may be the root cause of cyber risk and associated financial crime, but digital transformation also has the potential to reap multiple benefits for firms. Many have accelerated significantly the implementation of online product and service offerings during the pandemic, to ensure they can continue to provide existing services to customers and remain competitive.

One area for firms to consider in their future digital transformation plans is that of recordkeeping. Record creation and retention has often been a poor relation in terms of investment, but if it has not been documented then, in regulatory terms, it did not happen. A pandemic notwithstanding, regulators still require evidence of compliant activities and decision-making.

A feature of pandemic compliance activity has been to ensure all relevant evidence is in place to document compliant activities, decisions, approvals and governance — particularly those that have changed due to COVID-19. Firms would be well-advised to rethink how evidence is captured within their business and to leverage the potential of technology in record creation, maintenance and retention. Detailed recordkeeping can also help to offset senior individuals’ personal regulatory risk.

4. Skills

There has been extensive discussion about the risks and benefits of digitising the financial sector. Benefits include greater speed, efficiency and convenience together with economies of scale, as well as automated tools that help firms and authorities detect cases of poor conduct. Risk areas include data security, operational incidents, data privacy, pricing, sales practices and the financial exclusion of some individuals.

Before the perceived benefits can be enjoyed and the risk areas managed, there is an acknowledged lack of technological skills, which represents a challenge for firms and their customers as well as for regulators.

Firms would be well-advised to undertake a comprehensive technological skills gap analysis at all levels of the business with a particular focus on the board and senior managers. It may be that specific skills will need to be recruited, though it may be hard to build the necessary knowledge and expertise as the required technological experience is at a premium.

The Thomson Reuters Regulatory Intelligence report “Fintech, regtech and the role of compliance in 2021” found 31% of firms had yet to invest in specialist technological skill sets at board level but knew it was needed, compared with just 7% of global systemically important financial institutions (G-SIFIs).

A total of 22% of G-SIFIs reported having invested and/or appointed specialist skills to the board (12% in the wider population) and a further 56% (42% in the wider population) reported that they had invested in board-level skills to some extent.

4. Skills

There has been extensive discussion about the risks and benefits of digitising the financial sector. Benefits include greater speed, efficiency and convenience together with economies of scale, as well as automated tools that help firms and authorities detect cases of poor conduct. Risk areas include data security, operational incidents, data privacy, pricing, sales practices and the financial exclusion of some individuals.

Before the perceived benefits can be enjoyed and the risk areas managed, there is an acknowledged lack of technological skills, which represents a challenge for firms and their customers as well as for regulators.

Firms would be well-advised to undertake a comprehensive technological skills gap analysis at all levels of the business with a particular focus on the board and senior managers. It may be that specific skills will need to be recruited, though it may be hard to build the necessary knowledge and expertise as the required technological experience is at a premium.

The Thomson Reuters Regulatory Intelligence report “Fintech, regtech and the role of compliance in 2021” found 31% of firms had yet to invest in specialist technological skill sets at board level but knew it was needed, compared with just 7% of global systemically important financial institutions (G-SIFIs).

A total of 22% of G-SIFIs reported having invested and/or appointed specialist skills to the board (12% in the wider population) and a further 56% (42% in the wider population) reported that they had invested in board-level skills to some extent.

5. Outsourcing

Many financial services firms outsource at least some of their activities. Outsourcing can be an efficient and cost-effective way to supplement in-house resources, but it must be managed and delivered appropriately to be of benefit. It is that ability to manage and capacity to deliver that is under question during the pandemic and may need to be reviewed.

Even in more normal times firms should keep all outsourcing agreements under review. Equally, regulated firms should keep all entities (even those in the same group structure) to which processes or other activities are outsourced under review. Any regular review process will now also need to ensure that, with shifting COVID-19 measures and evolving geopolitical realities, any outsourcing remains strategically viable.

Regulators have extended substantial forbearance and regulatory relief to firms to offset the impact of COVID-19, but this forbearance does not mean they will turn a blind eye to future compliance breaches. Firms need to review all outsourcing arrangements, as some firms lacked effective arrangements in place going into the crisis, a point Derville Rowland, director general of the Central Bank of Ireland, made a year ago.

“To put it bluntly, we found significant risk management deficiencies on a widespread basis. More broadly, we concluded that, when it comes to outsourcing arrangements, governance and risk management standards are emphatically not where they need to be,” she said.

The golden rule for successful outsourcing is that while activities can be moved to a different group, company, or a third party, the skills to manage those activities must be retained in-house. This may be less obvious in an intra-group outsourcing scenario but for a separate legal entity with a separate licence, it is essential. Equally, if there is a branch or other structure involved, then the firm needs to consider the efficacy of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.

Any review undertaken of outsourced activities should be reported to the board and potentially also relevant regulators. As with other aspects of compliance, the basics done consistently well will go a long way toward providing firms with a reasonable level of assurance that outsourcing arrangements are, and are likely to remain, under control and working as intended. There are many factors which will determine the continuing strategic viability of an outsourcing arrangement and firms should document, in detail, any assessment made.

It will always be a judgement call, but firms need to consider whether or not they can continue to oversee all their outsourcing arrangements in the circumstances. For some firms it may be a risk-aware decision to bring activities back in-house, shortening and simplifying the control infrastructure needed to manage (often overseas) outsourcing arrangements.