Having prioritised financial and operational resilience, financial services firms have fared better than expected in 2021 against an economic backdrop that has been better than anticipated. Our Financial Markets Interim Regulatory Outlook evaluates the nine regulatory themes that we expect will shape the financial services industry for the remainder of 2021.
This blog explores “Deploying digitisation and innovation” as a regulatory theme of particular interest to our capital markets firms.
Workforce habits formed during the COVID-19 pandemic significantly increased the demand for digital services and consequently have given rise to a myriad of new control requirements (e.g. trading activities being conducted outside a controlled environment such as trading floors). In addition, alongside financial services firms implementing ambitious digital strategies in the UK and EU, the regulators and supervisors have been progressing with enhancements of their own data and technological capabilities which will shape the future of supervisory engagement.
Cloud and third-party risk management
With cloud underpinning the digital transformation journey, supervisory focus on cloud migration plans will continue in the UK and EU to ensure necessary controls are in place. The regulatory spotlight will now extend to third parties that are playing critical roles in providing business services, including AI and data services, due to a multitude of factors such as concentration risk, single points of failure and vendor lock-in.
In the UK, the PRA finalised its outsourcing and third-party risk management policy, as such firms can expect significant scrutiny to ensure they are on track to comply with the new requirements by 31 March 2022. To ensure compliance, firms will need to conduct a review of the implemented architecture and controls, identify and extract and shortcomings and validate adherence to internal governance arrangements.
This will be of particular importance to capital markets firms who use a variety of external data providers to source market, client and reference data. Contractual arrangements with vendors, especially where critical functions are concerned (e.g. daily prices, issue ratings, etc), would have to be reviewed to ascertain that the firms are able to terminate the contract and/or source the data from an equally reliable alternative source. (In addition, of course, to firms having to meet all general expectations around management of cloud vendors).
Action for firms: (i) Engage with supervisors early and collaboratively. Demonstrate strong governance and risk management capability to support Cloud migration. (ii) In addition to CSPs, consider which other third parties are or are likely to become critical to providing essential business services as part of the firm’s innovation plans.
Regulatory focus on firms’ use of AI continues to grow with increased use of AI to meet consumer demands and boost operational efficiencies. To ensure the deployment of AI is solidly aligned to regulatory compliance principles, regulators in the UK and EU are taking key steps for appropriate risk management.
The EU have published the AI Act, a proposal for a comprehensive legislative framework for trustworthy AI, and the UK will be publishing its national AI strategy later this year, focusing on ethical and responsible use of AI. In tandem, the UK financial services and cross-sector regulators plan to cooperate on supervision of algorithmic harms. As AI is increasingly being integrated into algorithmic trading activities, responding to these drivers will be key. (The general theme of AI in Algo trading is one to which we shall return!)
Actions for firms: (i) As regulatory focus and collaboration on AI increase, take a holistic approach to data protection, conduct regulation and ethics risks in AI. (ii) Assess which current and planned AI systems are likely be captured by the EU AI Act and carry out high-level gap analysis against key requirements
RegTech and SupTech
With the introduction and acceleration of RegTech and SupTech capabilities during the COVID-19 pandemic, UK and EU regulators and supervisors will continue enhancing their SupTech capabilities.
SupTech will help regulators be more effective in their analysis and actions, and in the UK, regulators are stepping up the design and implementation of their own data and innovation strategy. Firms need to stay on top of new developments to avoid being in a position where regulators are better able to detect risks in the reported data than they are themselves. Regulators and supervisors will look to draw further insight from firms’ data to inform their supervisory strategy. Data collection from firms – creating common data standards and modernised reporting instructions for certain use cases – and digital reporting use cases will gain speed. Regulators need to be continually striving to deploy new tools to make more sophisticated use of the data being gathered from financial services firms for e.g. data provided for transaction reporting that is available in the trade repository could have been leveraged for IBOR transition reporting.
As part of their digitisation strategy, firms should consider the implications of SupTech deployment on their own risk compliance management approaches, and the infrastructure necessary to connect with new technology-enabled supervisory processes.
Actions for firms: (i) As part of firms’ digitisation plans, consider the implications of SupTech on their own risk and compliance approaches. (ii) Build in infrastructure flexibility (data and technology) necessary to connect with new technology-enabled supervisory processes or reporting formats and channels.
A copy of the Financial Markets Interim Regulatory Outlook 2021 report can be found here: https://www2.deloitte.com/uk/en/pages/financial-services/articles/financial-markets-interim-regulatory-outlook.html