Nick Andrews, executive chairman and founder of corporate compliance and regulatory advisory firm MPAC, outlines key regulatory changes in the banking sector
Writing in such a short space, it is impossible to provide a full picture of the regulatory tsunami intermixed with the rapid onslaught of change from technology that the banking sector is currently at the beginning of (and also applying to the financial sector as a whole). Only a few high-level issues can be considered in this piece, which readers may find useful if they are too consumed by major work on the revised Markets in Financial Instruments Directive (MiFID II) (strategy change); Brexit (business change), mounting risks vs capital constraints, liquidity and more. It is also good to note, with relief, albeit muted, that the Basel Committee, in its strategic priorities document for 2017/18, has said it will pause for a couple of years on new rules and regulations or even just tinkering with the existing standards, to let the banks carry on with implementing everything that is currently coming down the path. Two years ... is that all?
1. Is fintech a wonder or a curse for your bank?
Technology is changing the way the sector is behaving, with banks responding a bit like the old car companies that would buy innovations to stop them from being implemented and to cut margins. Challenger banks are not, in the main, challenging the traditional incumbents but simply transferring margins, usually due to their cheaper cost base (payments sector) or specialist activity (such as property lenders and localised banks). Inbuilt resistance in the traditional banks stops any effective implementation of the new technology, which is an advantage to the new breed of competitors – how long does it take to get a new and small software system implemented into a bank via the vendor process? By the time it is approved, the technology has changed. Blockchain is not (yet) the answer for the simple reason that the computing power needed to operate such a complex banking system (it is at the end of the day a secure ledger) is not cheaply available. However, technology risk is rising and banks must think carefully about how they will adapt – their competitors have huge cost advantages and future advantages as they can turn on a sixpence and buy in new modules and throw out old easily. The inherent resistance to change within a large bank is embedded from top to bottom, but unless they do change, they will simply become repositories of money with the big commercial, non-bank brands becoming the trusted name and app of choice for all an individual’s wants. Watch this space as one tech company tries to change the way that transactions are settled in the UK to real-time settlement that, if it comes off, will shake the whole sector up. Now that is disruptive.
Perhaps the analogy with car companies is not far off the mark. Potentially they are facing the total replacement of the petrol/diesel engine with electric cars within the next decade and must change their entire business model and products in rapid order. And Ford has recently launched its ‘name you can trust’ savings products. The banks should be learning that the traditional industry is potentially dying.
With the negative public and political view on the future services that banks provide, and some banks being unwilling or incapable of change, the regulators likewise are not really watching the massive change technology will bring to business strategies. The US is contemplating changes to the ‘too big to fail’ rules encapsulated in Dodd-Frank (Title II) to ensure that taxpayers are not at risk of a government bailout in time of crisis. This potential change has global ramifications, not least in the EU, with clashes over the European Commission’s proposed reforms of the standards for too big to fail.
2. How should banks address cyber crime?
Boards had until recently considered cyber crime from the viewpoint that ‘someone else is looking after us’. All that changed over the weekend of 14 May with the launch of round one of the WannaCry ransom virus. Too late for some firms – do they pay the ransom? (criminal issue there of course of making such payment). So, what are the banks doing to curb the risk and protect themselves? The New York State Department of Financial Services (NYDFS) applied a new regulation from 1 March, requiring groups supervised by it to establish and maintain a cyber security programme to protect the private data of consumers and to also “ensure the safety and soundness” of the state’s financial services industry. It will apply to any financial institution with a New York state charter which will capture several European banks’ sister companies, subsidiaries and suchlike. Two areas worthy of note in the regulation – a senior individual will be held responsible for attesting that the firm is suitably resilient to cyber attacks; and reports to be provided if any incident has a “reasonable likelihood of materially harming” the company. That will be difficult.
3. The data protection revolution
The NYDFS requirement has parallels to our own Senior Managers Regime (SMR – rolling out across the whole financial sector in 2018) and also to the EU’s General Data Protection Regulation (GDPR) that comes into force on 25 May 2018. This will have wide-ranging repercussions on a bank. With MiFID II now in implementation stage, firms should plan to add GDPR requirements into the project so that clients can be made aware at the very least of what is coming. GDPR will require changes to be made to various parts of a bank’s operations including recruitment, employment contracts, staff remuneration including pensions and all records, appraisals, know your clients and anti money laundering, client facing contracts/paperwork/websites, suspicious activity reports and financial crime data sharing, outsourcing/supplier/vendor processes, transaction reporting and various other areas. This is a major project and has its tentacles across entire operations. This regulation, together with the sting of full breach reporting with maximum fines of the higher of €20m or 4% of global turnover, requires immediate attention. Taking a cynical view, will this see the rise of ambulance chasers attracted to suing the biggest banks (all of which are represented in the UK) for minor breaches of an individual’s data with a view to ‘winning the jackpot’ of €20m?
4. Can new banks succeed?
Regular readers will have noted this writer’s distaste for the use of the term ‘challengers’ for the vast majority of the newly authorised banks – the same old products delivered in a different way does not make a challenger. But there are a number of them trying to pick up current accounts and cross-sell (despite what they say) using a telephone app. Some big numbers are needed in terms of account holders and fees payable to cover the cost of getting started, let alone make a profit – still, with investors not looking at the fundamentals but considering the exit valuation in a few years, anything is possible (same issue applies for some of the payment firms). With app-only banks, not only is cyber crime a major factor but as above, using data mining (big data) to provide all kinds of services to a client via an app will be a major headache to implement and control within the requirements of GDPR.
The Bank of England is consulting on amending the pillar 2a requirements for challenger banks, particularly in respect of mortgage lending. The intention is to make it less capital intensive for a ‘newby’ to lend on higher loan-to-value ratio loans – the basis of this being to allow these banks, who do not have demonstrable back data, to operate on the standardised risk model. Across the pond, Dodd-Frank tightened the rules, especially on home loans, making certain such loans uneconomic for community banks – too much complex regulation, aimed at the large banks and applied across the sector, has caused many small banks to merge, close or be acquired, consequently reducing competition (challenger bank killing) and creating much larger entities (too big to fail?).
So in the UK, and equally in Germany (there are others of course, but these are the ones that are looking or have come to the UK), we have seen newby banks come into the sector driven by technology, relaxation of rules and general desire for greater competition. Some have already been acquired by major banks looking to either introduce technology that they simply cannot implement or using the newly acquired bank to deliver upon a certain sector of their business expansion (major banks in France and Portugal are two immediate examples).
5. Brexit – what do EU regulators expect from relocating banks?
The EC has made proposals to increase the oversight of foreign banks operating in the EU, meaning that such banks must consolidate their businesses within the EU into separately capitalised subsidiaries or into a holding company. The main effect upon US banks will, according to that group, be contrary to the US rules requiring the separation of broker dealers from the banking part. Putting such EU operations under an EU holding company will not work. UK banks are also required to ring fence their investment banking business from the retail, so may face similar problems.
At the same time, the EU is insisting that any bank relocating operations into the EU from the UK will need to bring sufficient staff to operate it as a ‘proper’ bank, no brass plates wanted. This does miss some of the point regarding the technological advances of reducing staff by having more tech. Post Brexit, banks should be suitably well advanced in their planning and there have been several announcements of majors locating their EU headquarters. That doesn’t mean lock stock and barrel (despite what the press may gleefully report), but a small office staffed by tens of people in whichever location. Undoubtedly each bank will have its own preferred location and opinions on the merits or otherwise of each jurisdiction is not for here. But 22 months is not long to obtain requisite authorisation for the activity in that country, let alone relocate or hire someone to run it full-time. Key though, the FCA is requesting firms to provide their Brexit plans, so expect interrogation on these in the ensuing months.
6. Regulators focus on banks’ culture and ethics
Under a Freedom of Information request, the FCA has said that the number of investigations it has opened under SMR since March 2016 is two into individual senior managers and 11 into individuals who are, or are likely to be, certified persons. It will of course be interesting to read the underlying thrust of these investigations in due course and see the interpretation the regulator is taking upon the rules, and, if it comes to it, the severity of the action it will take. At the same time, the Banking Standards Board publishes its second annual findings on what is really happening in its 35 member banks (albeit only 22 responded) in respect of behaviour and ethical standards. Some interesting quotes come directly from the BSB but the evidence provided does suggest that there is a long way still to go internally for behaviours to really change. Simply writing, publishing and training while not believing in it nor demanding change from the top, is not going to change public attitudes and regain trust in banks.
It is worth recalling the level of fines levied by the FCA versus the discount applied for agreeing rapidly and implementing the necessary measures to ensure such misdemeanour doesn’t happen again. In the past four years, total fines have been £4.2bn less the £1.2bn discount – derived from 82 fines, 66 of which were discounted. Despite the magnitude of this amount, there are calls from politicians that discounts should not be allowed unless disciplinary action has been taken against the staff involved and that the changes in behaviour are demonstrable. The Criminal Finance Bill came into being in April 2017 as an amendment to the Proceeds of Crime Act and allows the authorities, amongst many other things, to hold banks to account for the actions of their staff. Again, this requires banks to ensure that the conduct of their staff is suitably monitored in terms of the advice and services they provide. In addition, the Act interlinks with GDPR in respect of financial crime reporting.
In brief
• Certain reporting requirements are coming. We are already in the ‘base erosion and profit shifting’ (BEPS) world, with country-by-country reporting that has demanded a significant amount of detailed data to be published and interpreted in the accounts (we will start to see the distortions in the gender pay gap, partly driven by the underlying basis of calculation, in the not too distant future).
• With the intimation that banks are an endangered species, with the politicians, regulators (both in red tape and capital requirements), tax man, public and competition taking a slice out of the traditional business, and with more to come (MiFID II, GDPR, technology, tax, and politics to name a few), conceptually the questions remain – who would want to run a bank and is it still worth it? From a regulatory point of view, the following sums it up very well and was published in April 2017 by a US domestic bank. “Our own estimated cost of complying with regulation has increased from $90 million in 2010 to $440 million in 2016, representing nearly 15% of our total operating expenses. These monetary costs are exacerbated by the toll they take on our human capital. Hundreds of [bank] colleagues have logged tens of thousands of hours navigating an ever more entangled web of concurrent examinations from an expanding roster of regulators. During 2016 alone, [the bank] faced 27 different examinations from six regulatory agencies. Examinations were ongoing during 50 of the 52 weeks of the year, with as many as six examinations occurring simultaneously. In advance of these reviews, [the bank] received more than 1,200 distinct requests for information, and provided more than 225,000 pages of documentation in response.
The onsite visits themselves were accompanied by an additional, often duplicative, 2,500 requests that required more than 100,000 pages to fulfil – a level of industry that, beyond being exhausting, inhibits our ability to invest in our franchise and meet the needs of our customers”.
Views expressed in this article are those of the author alone and do not necessarily represent the views of the CISI.