The financial services sector continues to evolve in the UK alongside a regulatory landscape becoming increasingly complex. 2023 presented a myriad of challenges for financial services firms contending with the effects of compounded geopolitical risks triggered by the COVID Pandemic, such as international conflict, hybrid warfare, cyber-attacks and closer to home, the subsequent and well-documented cost of living crisis in the UK brought about by inflation and higher interest rates.
With this as context, we delve into the critical challenges faced by financial services firms in the UK throughout 2023 and provide insights into the regulatory outlook for 2024.
Looking back at 2023:
As a result of the aforementioned challenges, the introduction of Consumer Duty has reimagined the obligation of managing these risks to ensure good outcomes for consumers become an unwavering priority for regulated firms. With the FCA reporting that 25% of UK adults have low financial resilience, the cost-of-living challenges mean consumers are more exposed to risk and more reliant on the financial services industry putting good consumer outcomes at the forefront of their principles of business.
Alongside the aggressive implementation schedule and an unprecedented rate of communication in the run-up to the new principle going live, we are now seeing the FCA make good on its warning to act faster and more assertively upon firms that do not meet the new requirements. Consumer Duty is not “done” by any means, and the FCA expects firms to learn and develop their approach to this area of compliance continuously, ensuring their efforts can be evidenced and reported on effectively.
Resilience is not just a focus for the FCA with respect to consumers; following a joint proposal put forward by the Bank of England, PRA, the FCA, operational resilience continued to be a hot topic, with regulated firms having the responsibility to be self-accountable and capable of demonstrating oversight of critical third parties (CTP’s) and financial market infrastructure entities (FMI’s).
Risks stem from a growing dependency on third parties for services whose failure or disruption could have a systemic impact on the financial industry, contrary to the FCA’s objective to manage stability and market integrity as well as maintain consumer confidence in the UK’s financial system. The number of viable CTPs and FMIs on the market is limited, leading to concentration risk and a single point of failure more likely across multiple firms and the third parties to whom they depend, with limited alternatives on the market to support recovery and substitution of services if required.
Oversight, continuous monitoring and testing are therefore crucial in managing this risk, alongside firms, CTP’s and FMI’s are expected to implement operational resilience frameworks that first identify important business services that if disrupted, would cause the risks above to materialise and then set impact tolerances across those services in the event of specified adverse scenarios.
Firms are expected to be able to remain within the impact tolerances that they have set for their important business services, even if they rely on third parties for the delivery of these services.
Technology is fundamental to withstanding and recovering from disruptions such as service outages and cyber-attacks when considering resilience. With the increasing presence and criticality of digital platforms in financial services, cyber-attacks featured prominently in 2023, with customer data leaks and disruptions to core service representing over 90% of reported cases to the ICO. The total number of cyber security breaches increased threefold from 2022 numbers. Financial services firms grappled with the need to fortify their cybersecurity measures to protect sensitive customer data and maintain the integrity of their core books and record systems.
Further exacerbating the challenges across critical third parties, the continued adoption of technology solutions gained momentum in 2023 as financial services firms sought innovative ways to enhance compliance processes and risk management. Integrating new technologies has posed operational and regulatory challenges, requiring firms to adapt swiftly to stay ahead of the curve.
Regulatory Outlook for 2024:
Consumer Duty remains an FCA priority for firms across the financial service industry as a whole. The regulator will continue working across all sectors to test firms’ implementation to date and roadmap for continued improvement as well as distribution of good practice examples to support the industry. Therefore, firms must continue their work in embedding the Duty, ensuring they are learning and improving continuously and be able to evidence this in their annual board report.
Firms must not regard the Duty as a compliance exercise in its own right but rather as an opportunity to adjust culture, making it central to how business is conducted and its purpose, embedding a new approach throughout an organisation’s strategy, governance, and people.
Scrutiny across customer fees will continue, compelling firms to revisit, refine, and improve their charge structures, ensuring fair service value. Firms will continue to examine their customer lifecycles and enhance aspects that build trust with consumers, from simplified language across all communication channels to building more bespoke and customer-centric suitability assessments at the start and throughout the relationship.
Firms will continue to use data to truly put themselves in the customer’s position, thinking about the quality of the services and products they receive and looking to make improvements in both, evidencing their efforts along the way.
Operational Resilience will perhaps see some of the most significant focus in 2024 and likely be reinforced with related EU legislation in the form of the Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2022 (NIS2). While both cybersecurity legislation will impact the European financial sector (in respect of DORA) and the EU’s essential and important services (in respect of NIS2), both apply to UK firms operating in EU markets. Additionally, both will most likely be adopted into UK legislation.
Through 2024, firms that implement robust testing across important business services and those activities with a critical reliance on outsourcing and third-party providers will benefit most from its oversight arrangements. Such oversight will be viewed as dynamic, with internal auditing; monitoring of important business services, impact tolerances, and vulnerabilities all considered when performing scenario-based stress testing. Firms will likely turn to technology-based solutions to better manage this suite of risks, particularly when thresholds are exceeded, prompt identification and timely intervention will be critical to success.
As firms continue to rely on Technology Solutions, they must also consider the ever-increasing risk of cyberattacks. This area continues to be cited as a critical risk to firms and the stability of the wider financial markets.
Regulators and firms alike are expected to heighten their focus on cybersecurity in 2024, specifically emphasising proactive risk management. Financial services firms will likely face increased scrutiny and may be required to demonstrate the effectiveness of their cybersecurity protocols through regular assessments and audits.
An increase in stress-testing with regular monitoring will be expected to identify how firms keep pace with the ever-evolving risk. Contingency plans and recovery approaches must be revisited or implemented, including defined actions, lines of responsibility, and escalation channels.
While discussed separately, the interconnectedness of consumer duty, operational resilience, and technology risk underscores the interdependence prevalent in financial services. As a fundamental responsibility of regulated firms, consumer duty necessitates a commitment to ensuring good outcomes for consumers. The Duty is intrinsically tied to operational resilience, which involves the ability of a business to adapt and endure disruptions while maintaining essential functions for the very customers it provides goods and services to.
On the other hand, technology risk poses a potential threat to a firm’s ability to ensure those good outcomes and its own operational resilience. As firms increasingly rely on technology to interact with consumers and streamline operations, technological system vulnerabilities can compromise customer data security and disrupt essential processes. Therefore, a comprehensive understanding of technology risk is paramount for firms seeking to fulfil their Duty to consumers and fortify operational resilience.
Where technological advancements and risks evolve rapidly, organisations must adopt a proactive approach to manage and mitigate technology-related challenges. By implementing robust cybersecurity measures, staying abreast of emerging threats, and fostering a culture of continuous improvement, firms will not only meet their consumer duty by safeguarding customer interests but also enhance their operational resilience by minimising the impact of technological disruptions.
If you’d like further guidance on how Grath’s technology can help future-proof your regulatory compliance and risk management process, then we’d love to talk.
Get in touch with us at grath.com/contact