Other parts of this series:
As I discussed in my first blog on the topic, technology is changing the conduct risk landscape. Whilst regulators look to support financial firms in their efforts to manage the risk originating from these new capabilities, the need to remain competitive means that firms are having to address the most complex areas of this emanated risk without the guidance or regulatory frameworks to support them.
Financial firms have worked hard to implement regulatory requirements and build their frameworks. These frameworks have increasingly been built on the spirit of the rules rather than the letter of the law, with firms seeking to deliver better outcomes for customers, stakeholders and the market.
Examples of the complex areas that financial firms are having to work through:
- Implementing Regulatory Technology (RegTech): Balancing risk and reward and deciding when to implement (scarcity of resource time vs. speed of technology development vs. need to have something now).
- Customer service (Digitalisation): How to meet customers’ emerging needs and wants such as quick access to information and taking into account an ageing population and the different risks posed by technology developments.
- Data Privacy and Data Use: How to manage the need for easy access, sharing and single customer views whilst maintaining ethical use, privacy, security and constant availability. Clarifying policies around data access and data use including: who has access to the data internally; for what purpose can customer data be used; and when can data be used to recommend a new product to a customer.
- Vulnerable People: How to manage the commercial realities and desires of the business without discriminating or acting unfairly towards potentially vulnerable customers. For example, how to balance the aim of reducing the use of cash, branches and paper documents (which all erode margin) against providing access, clear communication and fair treatment for all.
- Understanding and Expectation of Advice: Do customers understand that web-based forms/tools offer generic information and not personal advice? Do they understand the difference and what this means? How do firms manage the risk of a customer mis-buying or being mis-sold a product?
Next Steps for Firms
Conduct regulation in response to new technology has started, but will undoubtedly pick up pace in the coming years. However, firms’ risk and compliance functions should take it upon themselves to work now to mitigate risks by continuing to:
- Build their understanding of new solutions: Work closely with the business to understand what changes they are considering and what this means from a technical/business/customer risk perspective.
- Build technology and data capability in risk and compliance staff: Bring in staff with this skill set and have team members undertake relevant training. Staff needs to understand the changes in the technology and data space to be able to effectively manage the risk they introduce.
- Embrace collaboration with the regulator: Whether this means considering placing solutions in the RegTech sandbox, replying to issued consultations or attending forums. This conversation will help the regulator understand what firms’ problems are, what they are trying to do with their solutions and what the overall risk and mitigation response is. This could help shape the future control environment.
- Support firms to implement data and systems solutions that reduce customer understanding challenges: For example, supporting the business in implementing Cloud and data infrastructure updates that lead to a more consolidated view of the customer, and allow the customer’s need to be better understood and met.
There is an additional benefit to financial firms meeting these challenges and outpacing regulation. By proactively addressing these difficult challenges and effectively implementing controls before regulators dictate a set of actions, individual firms and the industry’s response may well shape regulators’ perspective and therefore avoid a less efficient process and reactionary remediation efforts.