Four major themes dominating the regulatory landscape in 2020

Driven by a renewed focus on issues, such as cyber security, IT failures, business continuity and third-party risk management (TPRM), operational resilience has become a major area of concern for boards and risk officers.

Risk extends beyond regulatory perimeters

Regulator focus is not new and will continue in 2020. But, supervisors have increased their expectations of how banks should be dealing with operational resilience. According to the 10th annual EY/Institute of International Finance (IIF) global bank risk management survey, one of the most significant changes in tenor and tone of the regulatory and supervisory focus in recent years has been the shift in focus from financial to operational resilience. Regulators are now assessing banks’ capabilities to continuously intermediate markets and deliver services to their customers and clients on the assumption that a disruption of some kind is inevitable. The scope of resilience activities is also being challenged, with authorities seeking to understand banks’ abilities to prevent, respond to, recover and learn from disruption, whatever the threat or vulnerability that might cause it.

The key messages – and the likely foundation for forthcoming rules and guidelines – are that firms must:

• Take an enterprise-wide, business service view of resilience that prioritizes the most critical business services and quantifies the amount of service disruption that can be tolerated
• Map assets beyond the firm’s internal ecosystem to encompass reliance on critical third-parties
• Demonstrate greater integration between incident management and crisis management protocols
• Test recovery and resumption of business services under a range of severe yet plausible scenarios
• Require board and senior management to take an active role in setting up the firm’s resilience strategy and adopt a risk-management-based approach that clearly articulates roles and responsibilities

Firms are exposed to potential vulnerabilities and risks due to their interconnectedness with critical third parties, such as data providers, cloud service providers and technology vendors. The debate will continue over the degree to which supervision may have to be extended, but for now it seems that the heightened expectations of supervisors on banks’ end-to end risk management will serve as a type of indirect regulation of third parties.

The ESG criteria used to measure the sustainability and ethical impact of an investment in a business are now just one part of a wider agenda that encompasses climate risk, corporate behavior and social responsibility, inclusion, equality, diversity and an expanding range of other societal issues. Geopolitical and climate-change risks are two of the top 10 major risks to manage over the next decade.

This wider set of issues places increased expectations on corporate risk management, including new board responsibilities and reporting to shareholders, along with enhanced internal governance and comprehensive mapping of rule requirements to bank processes and controls. The aim is for banks to evolve into more aware, more responsible corporate entities which deliver improved conduct and ethical behavior and more desirable social outcomes.

Evolving to encompass emerging risks

These changes will have a significant impact on risk management frameworks. How much more will banks need to change if regulators are asked to promote broader social goals in the financial market space?

Over the next 12 months and beyond, the climate risk agenda will certainly evolve. Policymakers across Asia and Europe have made sustainability and climate risk a prominent feature of their work programs. More than half (52%) of banks view environmental and climate change matters as a key emerging risk over the next five years, up from just over a third a year ago.

And, although ESG disclosure proposals in the US have only gained limited traction so far, the issue is gaining prominence. In 2020, we will look more closely at sustainability and climate risk as these policy proposals continue to develop. 

It will be interesting to see the extent to which policy responses in the banking sector resonate with political leaders in terms of developing broader economic and social policy, and how those policy priorities could shift as economic conditions change.

Those who believe that data is now the business world’s most valuable commodity probably welcomed recent significant measures to regulate its ownership, use and processing. But while the case for an internationally coordinated approach is compelling, data localization rules and differing views on the use of cloud storage, for example, may cause further fragmentation.

Banks need to navigate a complicated and inconsistent set of guidelines, laws and rules, and try to find standards and working practices that anticipate where data protection regulation is likely to land. A good foundation will include:

• A data governance program that clearly defines appropriate sources, uses, access, maintenance and protection across lines of defense
• An assessment of the range of laws and regulations applicable to data
• A review of all vendor agreements and contracts to determine whether practices with respect to third parties conform to data governance policies
• Processes for responding to deletion or opt-out requests, verifying and determining access rights internally and addressing access requests

Artificial intelligence (AI) and machine learning (ML) have emerged as key topics. As evidenced by the recent EY/IIF survey, regulators and financial institutions are focusing on how existing risk management and governance practices need to be enhanced to capture the dynamic and inter-related risks associated with AI and ML. Ninety-three percent of banks expect to enhance their model risk management framework to address ML and AI-related risks.

As with operational resilience and climate risk, a detailed regulatory framework has not yet been developed for AI and ML governance. Firms can take the opportunity to define what “good looks like” to inform and influence regulatory expectations. In the meantime, they will be expected to enhance existing risk management and control frameworks to address AI- and ML-specific risks.

Regulators will be looking at the impact of technological change across the risk and control infrastructure in banks. However, the limitations of legacy systems still prevail in moving to new technology and so the impact of digital transformation on risk management has not yet been fully realized. FinTechs, RegTechs and others have disrupted, but not yet revolutionized, the industry.

Despite significant changes on many fronts, it is still not possible to move on completely from the last crisis due to reforms and policies that still need to be implemented. Of these, Basel III and the interbank offered rate (IBOR) transition are areas where banks must maintain momentum.

At the start of 2020, market participants running Basel implementation programs hope for more clarity on implementation timelines and signs of only limited regional divergence.

As for IBOR transition, the current view from supervisors is that, although a major project for most banks, the overall level of preparedness appears to be below what might be expected. In general, IBOR exposures have not been reduced as much as regulators would wish, and scrutiny of transition plans will intensify in 2020.

In addition to the specific challenges of programs such as Basel and IBOR, firms should ensure that their risk and governance structures keep evolving, particularly in two key areas:

1. Accountability regimes continue to be implemented or expanded in the major international financial centers and are now reaching the stage where the newer models are learning lessons from their forerunners.
2. Financial crime has become a major legacy risk, and local and international pressures to reduce the volume of money laundering and other criminal activity remain high.

In 2020 and beyond, legislators and policymakers must address difficult questions on the trade-off between transparency and privacy, and use of data, so that technology can make bigger inroads in the fight against financial crime.

Regulators will expect boards and risk functions to take responsibility for the expanded range of issues that are now an inescapable part of their environment, particularly the non-financial risks presented by data, conduct and sustainability.

Over the last few years, it was still a matter of debate as to how much the landscape would change, but now it is clear that a tipping point has been reached: the world of governance and risk management has been irrevocably transformed.

The transformation will be accelerated as banks reach the end of post-crisis implementation programs and increase their focus on cost reduction and reviews of resources that have built up to deal with high volume tasks.

There’s a greater need to update compliance and risk management models to incorporate a much more varied set of dynamic and inter-related operational and non-financial risks, and to meet the enhanced expectations of supervisors, investors, clients and other stakeholders.

Summary

In 2020, banks will need to adjust to new sets of requirements. Market fragmentation will not recede any time soon, but regulators will look to set standards in operational resilience, climate risk, data, AI and ML, that have largely been uncharted until now. In the coming year, we may see significant steps in those journeys.