concerns across payment sector firms

In the fast-moving world of financial regulatory and compliance it can be difficult to know when to raise the alarm if you’re feeling the heat of a possible breach. At Grath we’ve developed and built cutting-edge technology that’s designed to help you get ahead of the curve on breach notifications. So, let’s dive into where the current challenges lie.


Setting higher standards

The FCA and PRA continue to focus on consumer protection across the financial services industry and this is underpinned by the measures and governance expected of market participants. Trust and consumer confidence remain critical objectives for the regulator and to deliver this in partnership with firms; transparency and communication are paramount. Firms are expected to place customer interests firmly at the heart of the organisation and this requires both cultural and conduct standards to be aligned to the obligations.


So, what’s expected

The regulators expect the highest standard of care and vigilance across all retail markets and products, at every stage of the customer journey. This enables better, more informed customer decisions and helps to mitigate customer harm. In practice, firms and supervision operate dynamically, focusing on principles of good customer outcomes and transparency, underpinned by clear communication and cooperation with the regulator at all times.


All within reason

There is no prescribed formula, but the FCA and PRA require firms to be open and transparent about incidents that they’d reasonably expect to be made aware of. 

To underline its importance, the regulators have incorporated this obligation within their guiding principles:


A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.


A firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.


With over 56,000 regulated firms in the UK, it’s clear that the sheer number of incidents and breaches detected, logged, and managed by firms needs to be assessed against internal thresholds before the decision to notify is made. The FCA doesn’t require or expect firms to report every incident, issue, and breach. Instead, the FCA expects firms to self-regulate in this regard and to apply reasonable, yet practical, internal guidelines across their incident management process.

Notification thresholds

In the spirit of self-regulation, the FCA doesn’t always provide additional guidance on when a firm’s failure to comply with a rule is material, thereby triggering a notification event. The definition of what’s material varies with the circumstances leading to the incident, and firms must consider this on a case-by-case basis wherever possible. Firms often organise their reporting around materiality thresholds applied to crystallised rule breaches, with more serious or thematic issues notified to the regulator. The challenge is establishing consistency across the industry, when each firm applies its own materiality criteria and risk appetite.

Consistency is key

In the absence of prescriptive guidance from the regulator on materiality assessment in the context of when to notify, firms might need to make their own judgement on what constitutes a material event or incident. This means firms need to establish their own approach so that decisions are made against consistent criteria. Whilst notification may boil down to materiality, it’s still best practice to capture all incidents, together with the rationale for subsequent actions taken or for why further steps have ceased, whether the incident is notifiable or not. Firms and their auditors then apply further challenge through their ‘3 lines of defence’ models to capture anything that should’ve been disclosed, or that has the potential to present further risk.

Numbers and words

Firms apply a combination of qualitative and quantitative factors when deciding on their notification thresholds. These are based on the firm’s risk environment, appetite, and standards and, in terms of regulatory impact, on its breach log and records. Annual audits and governance reviews are adept at identifying and strengthening operating models and control environments. This enhances resilience and control, driving the momentum of good customer outcomes as well as confidence that regulatory obligations and expectations are aligned.

The big challenge

The UK’s largest firms hold around 96% of client money and assets with a further 67% of the market dominated by medium CASS firms*. Of this combined population, there are still a significant number of firms undertaking governance, controls, incident management and assessment activities using manual methods, including Excel and spreadsheet solutions.

Layering complexity on top of this, firms often run a variety of legacy, fragmented solutions from various third-party and technology providers, across any number of functional processes and controls, oversight and management information, with the further burden of ongoing multi-faceted governance. The result can quickly become fraught with challenges, including data consolidation, reporting, stability, integrity, and control failure, all of which increase operational risk.

Technology to the rescue

If this seems a little daunting – fear not – there are many ways technology can help to simplify and strengthen this process, including:

Automation of workflow and controls: regulatory handbooks fully mapped to controls and processes enable you to immediately assess capabilities and the impact of rule changes, and by removing the manual elements of the operational workflow, vastly improve organisational arrangements.

Attestation management: this gives you full visibility and oversight of events in real time, helping to tackle standalone incidents or those arising from control failures, with the ability to trigger focused training or deliver specific task activities to further strengthen your capabilities.

Robust governance: provision of purpose-built risk MI, tailored to your firm’s enterprise risk environment and regulatory obligations, with a fully evidence-based, timestamped audit trail and the option of auditor self-service to rationalise your ongoing oversight and audit processes.

Control / breach analytics and management: intuitive and accurate representation of rules, breaches, and incident management, including trend analysis and indicators to revolutionise your ability to enhance and mitigate regulatory impacts and demonstrate good customer outcomes.

Pre-defined materiality thresholds: this lets you set criteria and automatically manage and escalate significant events in a high-volume incident environment, helping to ensure prompt management awareness and intervention.

Automated risk event and incident reporting: the ability to produce risk event records, reporting and remediation in a controlled way, tailored to work with upstream systems or within a purpose built module.

Total capture and accurate reconciliations: integrity of your data, with accurate representation and data capture, to fully evidence the inclusion and correct treatment of reconciled transactions, balances and statements, underpinning the protection of your clients at all times and without delay.

That’s where Grath comes in.


Let Grath help you make the right call

Grath can help with it all; with individual components designed by our expert practitioners, specifically for FCA and PRA compliance obligations, operating individually or combined as a full end-to-end solution for global risk and compliance, reconciliations, and governance.

Our cutting-edge platform works seamlessly with your existing technology and solutions to enhance automation and reduce risk. This includes total capture of your data, strong governance of control performance, identification and management of breaches, and resilient reconciliation processing and oversight.

Grath enables governance through intuitive, real-time management information and dashboards, which can be used standalone, integrated, or extracted to support proactive operational model assessment, controls testing, and strengthening. It also supports wider employee training and development. 

We pride ourselves on market-leading and laser-focused delivery, with rapid deployment, all managed by a team of industry-leading experts. Our expertise becomes a seamless extension of your own.


Interested in learning how Grath can help you?

If you would like to know how Grath’s technology can help take your regulatory compliance and risk management to the next level, then we’d love to talk.
