Ten Key Regulatory Challenges Facing the Financial Services Industry in 2016 
The complexities of the current regulatory environment undoubtedly pose significant challenges for financial institutions, as regulators continue to expect management to demonstrate robust oversight, compliance, and risk management standards. Regulatory mandates, and other stakeholder demands, such as those stemming from customers, investors, and counterparties, are not likely to subside in the foreseeable future, but rather, will likely only be augmented by unforeseen ones. Although these challenges are particularly pressing for the largest, most globally active firms, including insurance companies, smaller institutions are also struggling to optimize their business models and infrastructures in order to address this growing scrutiny and pressure. The following are some of the key regulatory issues that are impacting our clients.
Strengthening Governance and Culture
Despite heightened attention from regulators and organizations to strengthen governance structures and risk control frameworks across the financial services industry, instances of misconduct (i.e. professional misbehavior, ethical lapses, and compliance failures) continue to be reported with troubling frequency.
Regulators have come to see shortcomings in the prevailing industry culture as the root cause for this continued misconduct and are looking to boards of directors and senior management to push organizations toward cultural and ethical change.
Boards and senior management are now expected to champion the desired culture within their organizations, to establish values, goals, expectations, and incentives for employee behavior consistent with that culture, and to set a “tone from the top” by exhibiting their commitment to these actions. Line and middle managers, who are frequently responsible for implementing organizational changes and strategic initiatives, and who interact daily with staff, are expected to be similarly committed to adopting and manifesting the desired organizational culture by ensuring the “mood in the middle” reflects the “tone from the top.” The regulatory focus also extends to how organizations implement their business strategies. Regulators expect firms to place the interests of all customers (retail and wholesale) and the integrity of the markets ahead of profit maximisation.
Further, they will consider the business practices organisations utilize and the associated customer costs relative to both the perceived and demonstrable benefit of a product or service to the customer. Regulators are looking for organizations to conduct business in the “right” way, doing what they “should” rather than what they “can.” With the recent development of a robust framework by the Central Bank of Nigeria (CBN), in conjunction with KPMG, to bolster the consumer protection practices of financial organizations, businesses are sure to focus more on matters pertaining to consumer rights and conduct.
Improving Data Quality for Risk Data Aggregation and Risk Reporting
Although a long-standing industry problem, many financial institutions continue to struggle with improving their risk data aggregation, systems, and reporting capabilities. Banking organisations working to comply with the Basel Committee on Banking Supervision’s Principles (BCBS 239) are particularly pressured, as regulators continue to lack confidence in the industry’s ability to produce accurate information on demand. However, enhanced process controls, data tracing, and risk reporting requirements are also top of mind for broker-dealers and investment banks. Similarly, anticipated requirements, such as the pending Single-Counterparty Credit Limit (SCCL) rule, which would likely require organisations to track and evaluate aggregate exposure to a single counterparty across the consolidated firm on a daily basis, further fuel the industry’s data concerns. Quality remains an ongoing challenge, with data integrity continually compromised by outmoded technologies, inadequate or poorly documented manual solutions, inconsistent taxonomies, inaccuracies, and incompleteness. For insurers in particular, legacy actuarial and financial reporting systems will struggle to handle upcoming changes in regulatory reporting, new accounting pronouncements, enhanced market opportunities, and increasing sources of competition. Going forward, management will need to consider strategic-level initiatives that facilitate better reporting, such as a regulatory change management strategic framework, as well as more tactical solutions, such as conducting model validation work, tightening data governance, and increasing employee training.
By implementing a comprehensive framework that improves governance and emphasizes higher data quality standards, financial institutions should realize more robust aggregation and reporting capabilities, which, in turn, can enhance managerial decision making and ultimately improve regulatory confidence in the industry’s ability to respond in the event of a crisis.
Merging Cybersecurity and Consumer Data Privacy
Cybersecurity has become a very real regulatory risk distinguished by increasing volume and sophistication. Financial institutions around the world, as well as their third-party service providers, are on alert to identify, assess, and mitigate cyber risk. Failures in cybersecurity have the potential to impact operations, core processes, and reputations, but in the extreme can undermine public confidence in the financial services industry as a whole. Financial institutions are increasingly dependent on information technology and telecommunications to deliver services to their consumer and business customers, which, as evidenced by recently publicised cyber hacking incidents, can place customer-specific information at risk of exposure. Some firms are responding to this linkage between cybersecurity and privacy by harmonizing their approach to incident response for each of the two areas.
Protecting the security and confidentiality of customer information and records is of paramount concern to institutions and regulators alike, as reflected in their business and supervisory priorities for the coming year. For example, a recent U.S. court case has affirmed that the Federal Trade Commission (FTC) has authority to regulate a company’s cybersecurity practices under its Unfair and Deceptive Acts or Practices (UDAP) provisions and to undertake enforcement actions related to the security and privacy of consumer data. Through its participation in the Federal Financial Institutions Examination Council’s (FFIEC) 2015 Cybersecurity Assessment Tool and its supervisory authority over consumer privacy laws and regulations, the Consumer Financial Protection Bureau (CFPB) may, in time, show similar interest. Areas of regulatory concern related to privacy may include: data access rights and controls; data loss prevention; vendor management; training; and incident response.