Top 5 Dangerous Trends For UK Compliance Officers 2022
Across a plethora of consultancies and other leading advisers, a number of surveys, projections and recommendation are available, all listing several issues that they consider vital for Compliance & Risk Officer to be aware of this year, post what seems to be the peak of the Covid Pandemic.
Changing of the Work Environment
Leveraging Integrated Risk Management (IRM)
Cyber Security/Cyber Attacks and Data
Data Protection and Vulnerable Customer Management
Digital Transformations Via Cloud Computing
Mohamed Yassin2021-10-28 Outstanding job on every level. We are very pleased with their work. Done on time, done on budget and they know what they are doing.
They handled everything with extreme professionalism and delivered our project in a timely manner. We couldn't be happier with the end outcomes, Lee and his team were extremely thorough, understanding and responsive throughout each stage of our contract. We look forward to working with them in the future on our project. Thank you, Lee and Compliance Consultant team. st33n2021-10-10 Very professional company to deal with. Did everything I asked and much more. The quality of the work was exceptional. Lorena de Carta Financiera2021-07-01 Really Excellent service, speed in the resolution of problems
Most organisational leaders simply consider regulatory compliance one of the many costs of doing business today. It’s the norm for businesses to be required to comply with at least one, if not multiple sets of regulations. There are plenty of intangible and non-mandated reasons to perform compliance-related duties. Apart from the fines and the bad press, the primary reasons that business owners willingly jump through the necessary hoops most often involve protecting their customers and their own brand.
“Nothing ventured, nothing gained” is an adage entrepreneurs and companies the world over readily embrace, because they know risk is a key element for any business operation. However, keeping those risks to a minimum is critical to your firm’s survival.
A common area of concern for most modern businesses is compliance risk, or the potential financial losses and legal penalties that can arise by failing to comply with regulatory, legislative and industry guidelines. And each year, the number of rules and regulations only increase. However, if you do not keep up to date with these trends and issues, whether core or peripheral, they will come back to bite you!
Changing the Work Environment
For many the hybrid work environment is now the new normal work environment except for those with essential manual intervention types of onsite work; the way we work has forever changed.
Whether this change is permanent, semi-permananent or just an extended passing fad, Compliance and risk concerns that arise from the new ‘normal’ work environment are increasing. They are also complex and challenging whereby compliance leaders must work cross-functionally to stay abreast of changes impacting business operations. Three concerns stand out as perhaps the most important of these challenges.
Cybersecurity is a Bigger Priority for Everyone.
We have lived with the increasing Cyber threats for decades as one business process after another underwent “digital transformation,” each iteration and implementation exposed more of the enterprise to those dangers. Covid 19 has accelerated digital transformations, and arguably these may not have been fully beta tested. A distributed workforce means increased complexity to maintain cybersecurity across an unprecedented variety of work locations. Are your policies and procedures adequate for the new cross disciplined workplace your company finds itself in?
The ability to map and maintain order over IT assets.
Compliance officers need to know where IT assets exist physically to understand privacy obligations, such as the new UK GDPR, as well as Chinese privacy law and where data is transferred to for processing or storage, as well as other regulatory compliance concerns. Mapping IT assets is critical to regulatory compliance and business continuity. A hybrid work environment makes the task more complicated, so companies must assure they have strong capabilities on this front.
Cultivating a “Speak Up” Culture for staff Will Be More Challenging.
Some staff will feel forgotten or marginalised because of their choice, or the company’s choice, of them working from home, or minimal trips to the office. This is a very important aspect of the human element and the employee psyche. It could also have an affect on compliance and ethics. In the hybrid environment, however, it becomes a lot easier for people to ignore the fundamentals of ethics and compliance. We are not suggesting that employees don’t care about ethics and compliance, because most still do. But working remotely can leave more employees feeling less connected to the day to day business — so when they do see misconduct, they may just report the matter to regulators directly, or worse still, not report at all. Compliance leaders must demonstrate the importance of ethical conduct and give employees practical ways to report misconduct – whether they’re working on premises, remotely, or in a hybrid capacity.
Leveraging Integrated Risk Management (IRM)
Integrated Risk Management (IRM) is a term that many will bandy about but few actually understand or comprehend the actual concept.
IRM is a holistic, organisation-wide approach to addressing all types of risk which welcomes input from various functions, including risk management, cybersecurity, compliance, and various business units. It’s designed to provide a holistic view of risk across the enterprise and streamline the risk assessment and remediation process. Risks covered are typically Cyber risk, Privacy risk, Legal/regulatory/compliance risk, Supply chain risk, Financial risk, Market risk, Environmental risk, and Social/reputational risk. IRM leverages agile principles, automation, a security-aware culture, and cross-departmental collaboration to outpace the more traditional, compliance-driven model.
Why is IRM important?
IRM is really about marriage between regulatory requirements through compliance activities, security risk objectives and key day-to-day operations. Chances are, there are already synergies and overlap among all the work happening within your risk management, security, and compliance teams. Many firms may have multiple operational procedures and technology standards that align closely with various compliance program requirements. In turn, meeting those requirements often aligns with customers’ expectations of their vendors and service providers. Here are a few examples of alignment:
Protecting the privacy of customer data
Ensuring that your products and services are highly available and resilient to unavailability due to technological or operational issues
Reducing risk vectors through implementing technology safeguards or through administrative procedures maintained within corporate functions such as HR, Legal, Vendor Management, etc.
Taking an integrated approach to risk management allows your organization to scale activities and resources to meet the demands of an increasing compliance scope; by making compliance an output of existing business and security objectives.
How does IRM differ from a traditional approach to compliance?
Traditionally, firms attempt to manage risk in siloed departments and teams, each with its own set of tools. This sometimes leads to conflicts and reporting is sometimes blurred and prioritised in a different way, providing different interpretation to the unwary. Information and insights become siloed in individual departments while disparate processes and disconnected tools work independently, often costing more time and money.
Traditionally, an firm’s compliance team is primarily concerned with ensuring that rules and regulations are followed. This model defines security policy and internal controls based on cybersecurity regulations and standards. If they provide adequate comfort to senior management that all the requirements of a cybersecurity framework, they must naturally be managing risk, right? Unfortunately, that’s not the case.
After all, regulations and standards are inherently backward-looking–established after a critical mass of people or firms has already experienced some unfortunate event. Meanwhile, risks are unique to each firm’s operating model, and they can change quickly and suddenly. This means that many risks are not yet identified or captured by existing laws and standards.
At Compliance Consultant we understand that most traditional companies approach risk management upside down. They create policies, write procedures and train staff in the new way of doing business. Our 4 stage methodology provides actionable results whether you are using regtech to help you or not.
IRM breaks down departmental silos and fosters a unified, security-aware culture from the top-down, always viewing risk management in the context of the firm’s business goals. IRM stresses a risk-first approach beginning with a thorough understanding of your firm’s unique risk profile. Risk management policy and security controls are based on risk assessments with robust testing to ensure proper control function. The goal is to engage all departments to create a holistic yet consolidated view of risk across the enterprise and then design policies and controls to address these risks.
Cyber Security/Cyber Attacks and Data
Design and develop your current customer and enterprise identity and access management programs to ensure appropriate preventions against latest account takeover threats. Do not do this as a siloed department, set up a steering group to address every impacted departments concerns.
In an attempt to take part in the “Big Data” revolution, huge increases in data transfer sophistication have widened the array of entry points to a financial services company’s assets and consumer data, this then widens the number of attack vectors for malicious actors. Weak or poorly monitored access management and authentication controls provide the cracks in the system for cyber attackers to leverage compromised credentials to access the critical and often sensitive resources and data that legitimate users can.
Although huge strides have been made to date, there is an onslaught of additional legal and regulatory compliance requirements that are complicating compliance risks and serving as a key driver for enhancements to cyber security capabilities. Security orchestration, automation, and response (SOAR) tools combine to allow companies to collect data about security threats from multiple sources, initiate a response with limited human interaction, and coordinate post-incident reporting and information sharing. Benefits include faster detection and reaction, broader threat context, integrated data management safeguards, and lower costs.
Increasing Cybersecurity and Data Privacy Needs
While advancements in cybersecurity were a primary focus in 2021, attacks on government organisations and corporations continue to grow in frequency and complexity. More action is necessary, which will include the following cybersecurity developments:
1. Classification of Actions. Artificial Intelligence and Machine learning technologies can classify particular user actions as either normal or abnormal, and commence a workflow item which will assist IT teams in identifying potential threats.
2. Proactive Cybersecurity. IT teams will need to be even more aggressive in their cybersecurity activities. Tactics like threat hunting, endpoint monitoring, and staff training can help organizations identify and remediate vulnerabilities before a cyberattack happens.
3. Privacy Policies for Internal Data. Concerns over data privacy legislation continue to grow due to cloud computing shifts and potential large-scale data breaches. Organizations should look to produce specific, enforceable corporate data privacy policies to maintain their IT GRC standards.
In the current phase of moving to more effective storage and processing solutions, it is vital that firms identify, manage and protect their information assets not only on initial onboarding but throughout the data management lifecycle, by embedding “privacy by design” and automating data protection.
Firms are collecting increasing amounts of customer data to feed predictive analytics for investment and cash flow, personalise marketing campaigns, and introduce or improve products and services. More and more customers of today, from Gen X to Millennials, as they mature carry with them increasing concerns about how their information is being collected, processed, stored and protected throughout, which in turn focuses regulatory attention on customer data privacy and protection declarations and practice. “Privacy by design” principles set a baseline for robust data protection by embedding privacy into the design, operation, and management of new applications, including IT systems, AI platforms, and digital business practices, with the goal of preventing privacy vulnerabilities.
Data Protection and Vulnerable Customer Management
Throughout 2022 we will see a continued focus on a significant change in the way that data is collected from companies and subsequently analysed.
Both the FCA and the PRA have published data strategies that aim to use intelligence better to identify areas of harm and rectify them more quickly. They’ve taken the lead themselves in showing the potential of data management and analytical tools. Their strategy now includes plans to use data to throughout every division, change its culture and environment, train all employees to use data effectively, and ultimately transform “how it regulates and reduces the burden on firms”.
As the regulator ups its game, by using data to inform and improve its operations, how long before it expects every regulated firm to do the same to improve their culture of compliance? Let’s look at the challenges that companies face as a result:
• Firstly, the ways that the regulators will use data are likely to change and be reflected in supervisory activity. For instance, there is likely to be a greater degree of early intervention and involvement across sectors as problems arise. Also, a deeper understanding of consumer behaviours may lead to a closer focus on how companies work to achieve satisfactory consumer outcomes.
• A greater focus on technological change, not just in terms of upgraded systems but with a drive towards direct and real-time data transmission using AI capabilities.
• Companies also need to build protection for the rights of individuals whose data they are processing and conduct a Data Protection Impact Assessment (DPIA) where there is a risk to the rights and freedoms of those individuals.
Vulnerable customer management
Inflation and soaring energy and fuel prices are impacting the cost of living for many families and individuals in the UK. So we can expect that the treatment of vulnerable customers will take centre stage in the near future.
Even before the Covid 19 pandemic, the FCA had targeted this area and urging firms to ensure that vulnerable customers are treated fairly and consistently and insisting firms demonstrate how they embed fair treatment in their culture, policies and processes. As the pandemic and rising prices continue to wreak havoc, this guidance is more vital than ever. Firms need to do more to recognise the scale of the problem.
Some personal data that are processed about vulnerable consumers may be Special Category Data as defined by the GDPR. The FCAs Final Guidance FG21/1 clearly states this.
It may not always be immediately obvious that information about a consumer is Special Category Data. For example, information about changes made for a consumer because of their health may not specifically identify the health issue, but would be likely to constitute Special Category Data as their health issue could be inferred.
In June 2022, .Yonder Consulting published their report ‘Borrowers in Financial Difficulty’ for the FCA, and confirmed that borrowers in financial difficulty owed on average £8,970 across all regulated credit products (excluding any mortgage debt), with amounts owed generally increasing in line with increasing household income. They went on to confirm;
“Over half of these borrowers have suffered a negative life event through no fault of their own and were facing financial difficulties as a result. Additionally, a significant proportion also had physical or mental health issues, which needed to be taken into consideration when seeking support on their financial difficulties. The majority of borrowers in financial distress, (59%), had missed one or more payments on credit products (including mortgages) in the last six months. While we found there are a range of reasons why borrowers miss payments, there tended to be some prioritisation of what to pay. There is some evidence of borrowers in financial difficulty prioritising payments for housing, car finance, mobile phones, and any debts with family members. ”
Some further statistics
21.4 m in the UK have living standards below a socially acceptable level, many are due to inflation, rising energy prices, tax increases, according to leading economists.
4.2 million people have borrowed money, using credit cards, overdrafts and high-interest loans, according to the debt charity Step Change.
Low-income groups are the worst hit, taking on approximately £10bn in debt, but they are not alone with average debts rising with income.
With the economic outlook still looking downbeat for many going into 2023, firms must remain vigilant to signs of vulnerability and ensure their response, policies, and practices do not further detriment or harm vulnerable customers.
In addition, from July 2022, the FCA introduces a new Consumer Duty requiring firms to “deliver good outcomes for retail clients”.
Not only will firms need to show that their communications are clear, evidence consumer outcomes, focus on creating better value, exercise appropriate forbearance and take remedial action to rectify deficiencies, but should any firm have their data compromised, including sensitive data belonging to vulnerable customers and others, the regulator is likely to make an example of them after all the efforts gone into warning them.
Digital Transformations Via Cloud Computing
The world continues to move into the digital realm. If there’s data to be collected, someone will be out there collecting it, processing it, and utilising it in some manner. At this point I have kitchen appliances connected to the cloud, so it doesn’t matter what type of industry you work in, you can expect the amount of data your company collects and maintains to continue to increase. Governments are increasingly regulating the use and storage of that data, as well as pushing for new innovative products from industry to satisfy an almost insatiable tech appetite. If your company does not yet have a comprehensive data privacy program in place, you must get ahead of this issue and begin to create an effective and practical one. Not only is consumer data protection critical but business sensitive information should also have the same or similar levels of protection to continue to ensure your company maintains the necessary measures to be competitive, profitable and a worth custodian of that data.
Dispersed data that is stored in several various storages is one of the major pain points today. This becomes a silo that prevents responsible persons from quick and convenient work, making them get stuck between numerous spreadsheets and documents. What a modern CISO or DPO needs, is quick access to compliance related information, report generation, and, of course, its security.
A centralised data management platform is now a must for modern companies to ensure that data is correctly and safely stored, can be quickly accessed and supports organisations’ regulatory responsibility management.
Many solutions these days are involving cloud storage or processing of data. Cloud computing has been a prominent development in the IT GRC industry for two decades and is a significant contributor to the digitization of company activities. Team members from different departments and work locations can now access files, data sets, and a wide array of system tools via a single, unified platform.
However, a firm-wide migration of data exposes any organisation to increased non-compliance risks (intended or otherwise). IT GRC teams must learn to fully leverage these technologies while adhering to critical regulatory criteria as it migrates to the cloud.
Regulation is a given whenever consumer data at any level is concerned however, there needs to be a clear balance between protection and innovation. We have seen a vast increase in legislation around the world in the last two years specifically. Compliance Directors and IT Directors not only need to keep up to speed with development, but work together to protect the business. At Compliance Consultant, we have the skills and experiences to engage with projects of this type and advise many types of firm on their GRC application, building a framework and procedures, as well as creating the Governance to control the outcomes.
Digital transformation will continue to be a fundamental enabler for financial services firms. The opportunities and benefits arising from the implementation of technological solutions cannot be underestimated; however, taking best advantage of those opportunities is not without its challenges.
The challenge of cryptocurrencies too will have a profound impact on financial services firms.