Ten key regulatory challenges of 2021 - The future of regulatory: Altering our view - assets.kpmg
Contents
Introduction 2
IBOR Transition 4
Third-Party Risk Management 8
Fundamental Review of the Trading Book 12
Vulnerable Customers 14
Financial Crime 18
Data Privacy 20
Capital & Liquidity 24
Central Bank Digital Currencies 28
Cyber 32
Data: Cloud Computing & Data Sovereignty 36
Contact us 38

Ten key regulatory challenges of 2021 1
Introduction
The future of regulatory: Altering our view

The disruptions that faced all industries in 2020 will forever reshape the financial services industry. Notable among these are the accelerated use of online and digital technologies, the long-term adoption of remote working practices and the demand for adjusted business and risk strategies as the world became a very different place. Together they have impacted all aspects of a financial services company’s physical and strategic operations, technology systems and data security, products and services, customer interactions, and third-party relationships. With such change come regulatory challenges and concerns which in 2021 will begin to set forth the future of regulatory: altering our view. Therefore we present our ten key regulatory challenges for 2021 and help answer the question: what are the steps I can take now to prepare?

Michelle Dubois
Senior Manager, Regulatory Centre of Excellence
With acknowledgement to Amy S. Matsuo, National Leader, Regulatory Insights, KPMG US
KPMG highlights the key drivers and actions for firms in the following Key Ten Regulatory Challenges for 2021:

1. IBOR Transition: Replacing the world’s most powerful number
2. Third-Party Risk Management: Addressing the serious challenge of third-party risk
3. Fundamental Review of the Trading Book (“FRTB”): Setting the bar higher
4. Vulnerable customers: Ensuring that no man is indeed left behind
5. Financial crime: Chasing shadows of illicit events
6. Data privacy: Protecting your data as the asset that it is
7. Capital & Liquidity: Balancing inherent tensions to weather the storm
8. Central Bank Digital Currencies: The evolution rather than revolution of fiat currencies
9. Cyber: Protecting the lifeblood of the organisation
10. Data: Cloud computing and data sovereignty: The infinite value of data in the sky
IBOR Transition
Replacing the world’s most powerful number

Drivers
— Concerns about the core nature of IBORs have been swirling for years
— IBORs are dependent on rate submission by a select group of banks, which are quote-based and can be subject to manipulation. The aim is to move toward transaction-based quotes, which provide more transparency
— Banks no longer fund themselves on the interbank market as before, hence the rate is not as representative as before of the true state of interbank borrowing
— The risk that many IBORs could be found to no longer represent the underlying market they are meant to measure, due particularly to a lack of underlying primary and secondary market activity
— IBOR rates are not risk-free, as they include a credit risk premium that reflects the perceived credit risk of the panel of banks that contribute to IBOR, and thus render the benchmark not perfectly suitable for discounting derivatives transactions

The discontinuation and replacement of the Interbank Offer Rates (IBOR) by Alternative Reference Rates (ARR) represents one of the most ambitious transformations in financial markets in recent times. Its impact will be far reaching, affecting sell-side and buy-side professionals, corporates, and in general any market participants with interest rate benchmark exposure.

Although the official cessation date for IBOR publication is set for December 2021, many jurisdictions such as South Africa are leveraging this regulatory reform to significantly change their internal interest rate benchmark, and are thus planning a separate cessation date for their own benchmark rate.

In South Africa, Jibar is the key benchmark used as the reference interest rate for financial instruments and derivatives, with the three-month Jibar rate being the most widely used and accepted reference for South African Rand-denominated financial contracts. It is estimated that the total value of outstanding derivative and non-derivative contracts that reset against the three-month Jibar rate exceeds R40 trillion as of 2018.

Auguste Claude-Nguetsop
Partner & Head of Market Risk – IBOR National Lead

Transitioning from IBOR to ARR

IBORs currently underpin a huge range of financial products and valuations, from loans and mortgages through securitisations to derivatives across multiple jurisdictions. They are used in determining all sorts of tax, pension, insurance and leasing agreements and are embedded in a wide range of finance processes such as remuneration plans and budgeting tools.

Despite their popularity, concerns about the core nature of IBORs have been swirling for years, driven primarily by the following key factors:

• IBORs are dependent on rate submission by a select group of banks, which are quote-based and can be subject to manipulation (as seen in the 2012 Libor scandal in the UK). The aim is to move toward transaction-based quotes, which provide more transparency.
• Banks no longer fund themselves on the interbank market as before, hence the rate is not as representative as before of the true state of interbank borrowing.
• The risk that many IBORs could be found to no longer represent the underlying market they are meant to measure, due particularly to a lack of underlying primary and secondary market activity.
• IBOR rates are not risk-free, as they include a credit risk premium that reflects the perceived credit risk of the panel of banks that contribute to IBOR, and thus render the benchmark not perfectly suitable for discounting derivatives transactions.

Although the discontinuation date of IBORs is scheduled for the end of 2021, the timeline of the Jibar replacement is still to be fully finalised and communicated. The SARB has however already recommended in Q4 2020 that South Africa transition to a near risk-free rate as a key overnight reference rate. This means that Jibar will, in future, not be used as a key reference rate for financial contracts in South Africa.

To avoid a multi-step transition, the SARB has recommended, as an initial step, that the current Jibar framework, including its governance, be strengthened in order to secure the transition period, while the MPG and its work streams continue their work on operationalising an alternative reference rate. Transition to the alternative reference rate will only take place when the rate is fully functional, which could take up to four or five years. Any measures taken to strengthen the Jibar framework during the interim phase would need to ensure that the rate is credible and resilient until full transition takes place.

Challenges of IBOR transition

The complexity of the IBOR transition is driven by the difference in nature between IBORs and ARRs, as well as by the significant impact of the transition on market participants’ infrastructure and on legal, operational and systemic risks. IBORs are forward-looking rates, meaning that a borrower knows the interest rate on a loan at the beginning of the interest period. In contrast, ARRs are overnight indices, implying that they are backward-looking and, therefore, require significant effort to define a term rate structure and a yield curve. ARRs are also designed to be risk-free (i.e. free of any credit risk premium).

In consequence, ARRs are, in general, expected to be lower than the current IBORs. Further, the ARR will not only be based on the interbank market but will also involve payments made by banks to non-banks. This will increase the number of underlying transactions used to determine the interest rate.

Market participants and professionals should anticipate a period of higher market volatility and liquidity issues following the introduction of newly established ARRs. That could lead to larger than anticipated valuation differences, tax estimation discrepancies and hedge effectiveness breaks.

Transition Steps

Based on the conclusion of the MPG established by the SARB to assist with recommendations for the replacement of Jibar and the definition of ARRs, the critical first transition step will be the establishment of the standard overnight reference rate for the ZAR overnight index swap (“OIS”) market, using the rate for swap discounting and remunerating collateral. Unlike in the United Kingdom, where this was a straightforward process as the successor rate, SONIA, was already the established reference rate for sterling OIS, significant work will need to be done in the South African market, given that there is currently no liquid market for OIS.

Following the establishment of a liquid market for OIS, the following pillars will be developed as part of the transition journey:

• Derivatives market adoption;
• Adoption in the cash/other markets; and
• The transition of legacy contracts and positions.

In Summary

Although the Covid-19 pandemic has diverted some attention from the drive to meet IBOR transition deadlines, there have not been any plans in any of the leading IBOR markets to delay the transition planned for December 2021. The recommendation made by the SARB to transition to a near risk-free rate through a staged and incremental approach, with a reformed Jibar as the interim step, has been co-defined with market participants, thus guaranteeing solid buy-in.

“Although the discontinuation date of IBORs is scheduled for the end of 2021, the timeline of the Jibar replacement is still to be fully finalised and communicated. The SARB has however already recommended in Q4 2020 that South Africa transition to a near risk-free rate as a key overnight reference rate. This means that Jibar will, in future, not be used as a key reference rate for financial contracts in South Africa.”
Auguste Claude-Nguetsop, Partner & Head of Market Risk – IBOR National Lead

Key actions
— Sell Side: Banks will have to manage conduct, basis, legal, operational and systemic risk. Tax and accounting impacts will also have to be managed. Finally, the key transition challenges on contract remediation, internal and external communication and liquidity for term structure rates will also have to be addressed.
— Buy Side: Corporates, insurers and asset managers will face similar risks and challenges to those highlighted for the sell side. They will also have to deal particularly with cash-flow management and valuation reconciliation issues, as well as financial reporting. Insurers will have to handle risk-free yield curves for solvency reporting purposes as well as term structure rates for long-dated derivatives transactions.
Third-Party Risk Management
Addressing the serious challenge of third-party risk

Drivers
— Ever increasing regulatory expectations for establishing controls over third parties
— In certain instances, the pandemic impacted ongoing monitoring and performance management processes

In today’s complex and volatile global markets, third-party relationships are a critical source of competition and growth for financial services organisations. Financial organisations are increasingly reliant on third-party suppliers to deliver business-critical products and innovative services in the fast-paced and ever-evolving digital age.

Third-party risk management (“TPRM”) needs to be approached in a more consistent manner that ideally relies on a centralised and refined service model across the entire organisation. Failures by third parties can rapidly tarnish business reputations, unleash significant downstream operational and cost implications, and generate significant penalties for regulatory non-compliance or misconduct.

Thomas Gouws
Partner, Risk Consulting

Consider today’s volatile environment a catalyst for improvement

Financial services organisations should view today’s risk-laden environment as a tipping point toward heightened TPRM awareness, strategy and execution that ensures sustained and consistent third-party assessment, onboarding, oversight and monitoring. A properly functioning TPRM program provides critical insights that include:

— Selection and evaluation of third-party service providers;
— How the third party will access, store and/or transmit the organisation’s data;
— Whether third parties maintain a control environment that meets the organisation’s needs; and
— Which specific requirements need to be negotiated into third-party contracts.

No ‘one-size-fits-all’ TPRM program exists. Each requires an informed and precisely defined strategy that is supported by a clearly articulated risk appetite.

Holistic risk identification and assessment during onboarding, and throughout the lifecycle of the contract, is crucial to maintaining a line of sight into the risk profile of the entire third-party portfolio. Financial services organisations need to take a risk-based approach to assessing and monitoring the third-party products and services that present the highest risk to the organisation.

This is particularly true amid today’s disruptive COVID-19 environment, and on that front KPMG has defined four phases for organisations to consider in response to the pandemic: Reaction, Resilience, Recovery, and the New Reality:

— Reaction and Resilience: Implementing emergency moves to remote working models and rapid reconfiguration of third-party service delivery models; and
— Recovery and the New Reality: Preparing for subsequent virus breakouts, new government regulations and supplier uncertainty.

Yet many organisations within the financial sector and beyond still lack the critical technology and skills that underpin effective TPRM programs.

There is no time to lose on the journey to TPRM maturity. Successful TPRM transformation demands strategies that overcome the roadblocks that have plagued systems throughout their initial build and subsequent iterations. These include:

— Inadequate executive support and tone at the top;
— Resistance to organisational realignment;
— Large resource needs to operate the program;
— Insufficient accountability from third-party organisations;
— Lack of investment in technology enablement; and
— Resistance from third parties to co-operate with the TPRM process.

Many financial services organisations still have a long way to go before they reach maturity. True transformation is driven by a constant cycle of program uplifts, process optimisation and innovation. Firms grappling with uncertainty and disruption can no longer ignore these key steps to TPRM maturity:

— Agree on the vision: A key consideration for an enterprise-wide TPRM program is designating program ownership and determining where TPRM sits within the organisation.
— Build the model: TPRM programs are complex, meaning development is not a one-time exercise but a work in progress requiring organisations to ‘strike the right balance.’ Key to efficiency is a centralised and sustainable service-delivery model that facilitates risk assessment on behalf of, and with input from, the business. Financial services organisations may opt to use distributed or centralised models.
— Optimise the process: Financial organisations can optimise the risk-stratification process in two ways: risk segmentation (establishing a disciplined risk-scoring methodology across third-party services) and enhancement of the service-delivery model to reduce costs and increase accountability. Organisations should segment third parties into three categories: those presenting nominal risk to the organisation and that do not need to be risk assessed; those that are appropriate for the standard TPRM process; and those that present a homogenous risk profile and are more efficiently managed centrally, via a specialty program.
— Evolve and innovate: Financial services TPRM programs typically revolve around the gathering and assessment of third-party data. Organisations are focusing their limited budgets on new tools. We see leading TPRM teams using automation, data analytics and natural language processing, as well as incorporating scoring services for affordable and scalable monitoring across select risk areas, performance management, and contract compliance. TPRM programs are exploring how they can use machine learning to evaluate internal data around risk events and identify risk events that may be caused by a third party. They are automating the monitoring of third-party compliance with SLA terms, identifying opportunities to recoup fees for missed commitments, and taking a more proactive approach to reputational risks.

Whilst we see more organisations wisely taking a proactive approach to TPRM, it remains a work in progress for many. Financial organisations have no time to lose in addressing the serious challenge of third-party risk and the pressing need for a more consistent approach that ensures operational resilience.

Key actions
— A single TPRM program leader with a reporting structure to senior management and the Board;
— An enterprise-wide outsourcing and third-party strategy and a defined risk appetite;
— Clear responsibilities and accountabilities across the TPRM program and lifecycle;
— An inventory of third-party services to which the program applies, with clearly defined services;
— Consistency of execution across the organisation’s business units to drive quality data for analysis and integration with the second and third lines of defense;
— A risk-based approach to assessing third-party services, tied to the program’s risk appetite;
— Risk assessment and due diligence prior to contract execution and decision-making;
— TPRM technology architecture that supports efficient workflow, task automation and reporting across the entire business;
— A documented and well-understood audit trail;
— A service delivery model that’s aligned to the organisation’s operating style;
— Integration of TPRM activities and technology organisation-wide into processes, such as procurement, legal and finance, and into existing risk-oversight functions and activities;
— Collection of real-time data around the TPRM program’s ability to manage third-party assessment, onboarding and monitoring;
— A comprehensive data model for collection of third-party information, including service details, risk scoring, contract information and performance monitoring;
— Internal data feeds that monitor and record specific events and incidents attributable to third parties, and external data feeds that monitor for real-time information on the third parties, such as adverse media, changes in business ownership, corporate actions, cyber vulnerability scores and financial viability ratings;
— A process to update third-party risk profiles when there are changes to the risk score, real-time tracking of performance against service level agreements (SLAs) and real-time tracking of risks against key risk indicators (KRIs); and
— Data-driven decision making, where risk assessments and performance monitoring influence contracts and decisions.
Fundamental Review of the Trading Book (“FRTB”)
Setting the bar higher

Drivers
— The Basel Committee on Banking Supervision has made it clear that a “more coherent and consistent set of rules” is required to “reduce variability in market risk capital levels across banks”

Despite the Basel Committee’s one-year reprieve on the deadline for FRTB implementation, delaying the initial hard deadline of December 2022 by one year, South African banks still have much to contend with before January 2023 and the mandatory twelve months of back-testing. In addition to complex decisions over modelling approaches, infrastructure, data management and reporting, the banks also must integrate FRTB alongside other regulatory requirements such as SA-CCR and the IBOR transition, which means a very challenging and narrow path to a successful implementation. Furthermore, the Covid-19 pandemic has added a layer of operational complexity to a host of other challenges to be considered for the FRTB journey.

Under the Basel Committee on Banking Supervision’s FRTB, banks have a choice of methods for calculating market risk capital: a sensitivities-based approach (SBA) set by the regulator; a simplified standardised approach (SA); or – if trading desks pass certain tests – an internal model approach (IMA).

The largest SA banks are treading a fine line between seeking a sensitivities-based approach to calculating market risk capital for their trading books – and assessing the use of internal models if the business case provides evidence of potential cost savings. Smaller banks are considering the use of the simplified standardised approach, as it comes with less complexity in its implementation and can provide an optimal cost-benefit ratio in some specific cases. It remains however to be seen if the SARB will allow it, given the risk of regulatory capital arbitrage that is posed by the SA approach when selected by a D-SIB.

For the leading banks, the obvious fallback if internal modelling does not reliably yield capital benefits that justify the heavy systems costs is to adopt the standardised SBA. Most appear already to have discarded the basic simplified SA approach, as they are willing to make significant investment in new systems to collect risk sensitivities data and upgrade their risk engine capabilities. The simplified SA doesn’t require this complex technical infrastructure to run, and will likely be the choice in the African subsidiaries and for smaller local banks.

Auguste Claude-Nguetsop
Partner & Head of Market Risk – IBOR National Lead

Transition to a less volatile risk capital framework

The market turmoil brought about by the Coronavirus outbreak has exposed a double-counting defect in the current market risk framework (Basel 2.5).

To calculate minimum market risk capital requirements, banks add together two versions of VaR. The first is regular VaR, which estimates the losses a bank’s portfolio would suffer if it was subject to the worst trading day in the past year. The second is an estimate of losses for the same portfolio if it was subject to the worst trading days in the bank’s history, known as stressed VaR.

But as current conditions are a crisis scenario, the requirements are partly duplicated; hence South African banks have experienced multiple instances in 2020 where their VaR was higher than their stressed VaR, clear evidence of the double-counting defect under Basel 2.5. FRTB promises to address the problem by replacing the overlapping requirements (VaR and stressed VaR) with a single measure of risk. However, the new rules could still lead to higher capital than expected from back-testing exceptions.

Overall, as the final implementation date for FRTB has now been delayed to 2023 along with the rest of Basel III as a consequence of Covid-19, gauging the impact remains a way off – and, even then, its true final cost will not become clear until it is thoroughly tested in the next market crisis. It would have been a perfect test of the reliability and suitability of the new rules if they had been implemented prior to the pandemic. The next crisis will be the ultimate real-life back-testing of the model and the FRTB framework.

Key actions
— Banks need to re-look at their data collection, their data transformation and warehousing, their data quality management processes and, in general, upgrade their data management to ensure they can support FRTB’s demanding requirements on items such as look-through obligations for index and fund constituents
— Banks need to ensure investments are secured and maintained to overhaul their existing risk infrastructures, which requires specialised expertise to support the enhanced risk methodologies that FRTB introduces
— FRTB requires that options and embedded derivatives which are issued and held in the Banking book must be transferred and held in the Trading book. That is a sizeable task which needs to be given a high priority, as banks need to identify every asset held on the Banking book which contains an embedded derivative. The effort will be comparable to identifying LIBOR-related assets in a bank’s portfolio
Vulnerable Customers
Ensuring that no man is left behind

Drivers
— The number of customers identifying as vulnerable is increasing due to tough economic times and the impact of the COVID-19 pandemic
— There is increased regulator scrutiny combined with public pressure on financial services firms to do the right thing, even when no one is watching
— Looking after vulnerable customers is not just a compliance exercise, it’s a business imperative

The concept of the vulnerable customer is receiving increasing focus in South Africa in recent times, particularly as we struggle through difficult economic times and fight the COVID-19 pandemic. The Ombudsman for Banking Services in South Africa has stated that “financial service providers are expected to provide consumers with appropriate products and services and a level of care that has due regard to the capabilities of the consumers in question. The level of care that would be deemed appropriate for vulnerable consumers may be different from that which would suffice for other consumers. It is crucial that financial firms acknowledge this and implement processes and procedures to cater for the needs of vulnerable consumers, as these customers may face a significant risk of harm”.

The term vulnerable customer was first defined by the UK Financial Conduct Authority (“FCA”) in 2015, as “someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.” This definition has two elements to it that we should examine further to ensure a complete understanding of the concept of the vulnerable customer: the first being the customer’s personal circumstances that may result in them being prone to a greater degree of harm than the average customer; and the second element being the onus that is placed on the financial institution to treat the vulnerable customer fairly and with due consideration of their circumstances.

Michelle Dubois
Senior Manager, Regulatory Centre of Excellence

Identifying the vulnerable customer

This brings me to question how we identify vulnerable customers and their needs. Defining vulnerable customers is a fluid concept, particularly at a time where this category of customer has expanded dramatically as a result of not only the COVID pandemic, but also as a result of globally constrained economic circumstances. An example which is particularly relevant, at this time when many financial institutions are offering pandemic relief, is premium holidays. By their very definition, the customers making use of these offers are vulnerable. Do these customers fully understand the long-term financial implications of taking a premium holiday and the implication on the total cost of credit? Is this a short-term solution that might come back to bite them later on? More importantly, is this a solution which treats the vulnerable customer fairly and gives them a sustainable financial solution?

In the same way, we must consider the impact of rising unemployment; short-term income reduction in numerous sectors as various stages of lockdown are implemented; and the impact of illness and economic uncertainty. It might be a short-term concern or it may be ongoing, so our existing parameters as financial institutions need to take cognisance of this.

The onus on financial services firms

Taking the guidance from the FCA one step further, the FCA explains further in their definition that, “vulnerable consumers may be more likely to experience harm. In many cases, this risk of harm may not develop into actual harm. But if it does, the impact on vulnerable consumers is likely to be greater than for other consumers.”

That’s a big “if” and raises the question: to what lengths should a financial services firm go to ensure that vulnerable customers are identified, protected and ultimately treated fairly? What increased responsibility or onus lies with the financial institution to consider or ensure appropriate outcomes for the vulnerable customer? The FCA, which is closely followed by other jurisdictions, and in particular our own, is increasingly indicating that they are looking for financial institutions to show that their products and services remain relevant for their customers, even in changing circumstances.

The second draft of the Conduct of Financial Institutions Bill (“the Bill”) released in 2020 makes it clear that when providing financial products and financial services a financial institution must ensure that the products and services are: (a) appropriate for targeted or impacted financial customers; (b) provided in a manner that is as objective as possible; and (c) provided in a manner that supports the delivery of appropriate financial products and financial instruments to those financial customers.

The Bill goes further to say that a financial institution must ensure that its financial customers are provided with financial products and financial services, as the case may be, that perform as that institution has led its financial customers to expect, through the information, representations and advertising provided by or on behalf of the institution to those financial customers. Although not expressly mentioning the vulnerable customer, it is clear that the regulator would like to see a more defined move away from a product-centric approach to one that puts the customer’s needs first.

The COVID pandemic has provided an example of just how critical it is to ensure that products remain relevant. Business interruption cover gave many clients a false sense of security (rightly or wrongly), believing that in the event of interruption to their business they would be covered. No one could have reasonably envisioned the extent of the current pandemic, and not all business interruption policies included circumstances such as these in their contracts, leading to disillusioned customers and a social media frenzy. Ultimately, in order to treat customers fairly under the circumstances, we have to ask the uncomfortable question: are we prejudicing vulnerable customers by strictly relying on the legal provisions in their contracts?

Another critical component of ensuring appropriate outcomes for customers is making sure that customers, especially those who are vulnerable, receive ongoing product communication. I have to wonder how many customers who were retrenched as a result of the pandemic relied on, or knew to rely on, their credit life insurance to meet their mortgage payments? Were they aware that this was an option that was available to them? When they signed for their home loan did they understand that this cover was included in the package?

The strategic advantage of doing the right thing

And therein lies the upside: it’s not only about the warm and fuzzy feeling of doing the right thing. I have no doubt that a customer who is approached by his bank after being retrenched with an offer of a claim for credit life cover will be a customer for life. That is the strategic imperative of treating your customers fairly, and that is where the importance of data comes in – knowing who your vulnerable customers are and what risks they face. Financial institutions have the numbers; they just need to crunch them wisely. Lapse rates, repudiation stats, claims ratios: they all tell the story and identify your Conduct risks. High repudiation stats may indicate that customers are not informed about circumstances under which they may claim, or that they have unrealistic expectations of the product performance due to misselling. On the other hand, a product with very low claim rates that happens to be sold as a bundled product may indicate that customers are not even aware that they have this benefit.

The 2019 Australian Royal Commission investigation into financial sector misconduct gave increased focus to the concept of vulnerable customers. This report highlights “that asymmetry of knowledge and power will always be present. Accordingly, there will always be a clear need for disadvantaged consumers to be able to access financial and legal assistance in order to be able to deal with disputes with financial services entities with some chance of equality.” The challenge therefore is for financial institutions to make sure that no man is left behind.

Key actions
— Information asymmetry is a major Conduct risk. This means that the financial institution has the advantage of having specialist knowledge about the product they are marketing, while the customer only has the knowledge they are given by the financial institution. To mitigate this risk, make sure that your customers have as much information as they need to make informed decisions
— Proactively manage the data you have and use this to identify Conduct risks where vulnerable customers may have been at risk
— Embrace a customer-centric approach to business. Put the customer at the heart of everything you do and the product will sell itself
Financial Crime
Chasing shadows of illicit events

Déan Friedman, Partner, Forensic

Drivers
— How does governance at the corporate level foster organisational behaviour and root cause measures allowing business to deal with organised and financial crime? If the strategy is to divorce criminals from their financial and productive means, what culture do we foster to have that done?
— How do we collaborate across organisations, industries and the government and private sector divide? Walking together does the trick. How comprehensive and capable is the safety net that we pull over the system?
— Fundamentally, to make out for ourselves whether we see compliance as a matter of business strategy, or whether we have a culture of eradicating financial crime

For many centuries the metal gold was considered a store of wealth and value and, because of its relative compactness to the value afforded it, an excellent way of moving such value or wealth. Gold is currently priced at approximately USD57 000 per kilogram. The price tag of pangolin scales varies between USD1 200 and USD3 000 per kilogram. A girl child goes for between USD2 and USD270 000, depending on the origin, destination and purpose of such person. Rhino horn goes for up to USD65 000 per kilogram. Diamonds, for many years, have been similarly considered such a store of wealth, or value. All the latter items are trafficked, which is illicit in nature. These activities are viewed and addressed based on smuggling, trafficking etc.

All these value storage materials are however physical in nature, but also excellent means of transferring wealth between persons, irrespective of where they are. They are further either held in legal ownership or, in the case of human beings, illegal ownership concepts are applied to them.

One step further down the line is the concept underlying for instance hawalas, where wealth and value transfer on foot of the actions and honour of hawaladars, that is, the immaterial concepts of trust and confidence, to which is now attached a value. This is no different to the concepts of trust and confidence persisting in a functioning banking system, the difference being that, in a transactional banking system, there exist regulatory frameworks and rules that render events in what we refer to as the formal transactional banking system more visible and transparent. In the digital world the blockchain concept also gives a value to the concepts of trust and confidence, but in a different dimension than the formal transactional banking and hawala dimension. It is these levels of invisibility that attract different purposes for these systems of value transfer, some of which are illicit, or simply visited with common law or statutory illegality.

There are many approaches towards mitigating or eliminating financial crime within the wider and somewhat bespoke definition thereof. Regulation and legal reporting obligations have mostly as an objective to make these crimes more transparent, but do not necessarily eradicate the scourge. Other approaches centre around education, thinking that awareness talks to the natural goodness of humans and so forth. Another holds that the more we know of it, the more it will somehow deter threat actors. Much money goes into these initiatives. Yet another approach, driven by the basic concept of financial crime, which is the conversion of ill-gotten gain to the estate of a threat actor, suggests the best way to eradicate the scourge is by permanently separating the threat actor from the gain and the productive means needed for the gain. This entails legal and law enforcement action, supported by investigation. This investigation effort is technically challenging given the material needed to work with, and we have found that more often than not it is not strongly supported financially.

Whilst the latter approach is fraught with risk, particularly in respect of the less regulated dimensions where most financial crime occurs, it is seemingly the least funded and attended to environment in the fight against financial crime. Perhaps this is because it is mostly transactional, difficult to investigate and prosecute, fraught with physical danger to body and limb, and perhaps not desirable regarding the deployment of discretionary money within an environment where recognition towards the funding of such investigation and prosecution efforts is scant, if not of a high risk nature. The investigation effort however requires discipline, dedication and specifically sound tradecraft.
The adage of following the money remains true when investigating financial crime. It is however much more convenient in a structured and regulated banking environment where the framework is compliant. Where the store of wealth or value used for the transfer thereof is a physical item, the framework for the value transfer looks different. A rhino horn would for instance be layered as trash plastic, or grain, in a container on a ship. When the store of wealth or value is founded in the concepts of trust and confidence, the event of transfer is by means of a phone call, or a WhatsApp message. In the digital world it is by way of an inscription in a ledger protected by complex logical access control.

In some cases, these two universes, the one licit and the other illicit, may converge when wealth or value transfer is desired from the one to the other. That convergence leaves a hole in one of the two universes or an unexplained gain in the other. These manifest for instance in the form of a company receiving income from sources not explained by its business. There are many more complicated ways of doing this. The financial crime investigator thus often needs to search for that of which evidence is not there, or an explanation that does not follow logically, much like an analyst of an overhead photograph will search for a shadow to determine the existence of a physical structure photographed.

Profiling as an investigation technique is both subject to criticism and fraught with completeness risk, particularly financial profiling, but it remains a manner of identifying the shadows of events destined to be hidden away from the licit eye. When you want to work out if cash handling persists, financial profiling helps to identify obligations not covered by licit flows, as an example, or a company that cannot be found in a complex transaction string.

A computer profile does not evidence transactions the user does not want to make visible, but it does reflect the existence of artefacts consistent with, for instance, layering or the use of a certain value transfer technique, or inconsistent with, for instance, the published use of the computer. Anti-forensic techniques used in cybercrime remove the evidence of the event, but often leave shadows in the form of forgotten or neglected artefacts.

Not only evidence, but also intelligence, helps to build the many views of facts and events we are led to believe exist.

We believe that the many views that can be built disclose the shadows of illicit events when overlaid with each other, enabling effective factual scenario building. The tradecraft often requires a novel and innovative approach. Equally, the constitution of such work, the participants thereto and the funding thereof also require novel and innovative approaches.

Key actions
— Have a view of the predicate crimes and issues driving the money laundering aspect of financial crime. Recently in SA it was the state capture concept. International Wildlife Trade is currently a major focus point predicate to financial crime. But do we have a view of drugs, human trafficking, soft and hard commodities? Coming soon are climate change related predicates. More ideal and logically derived concepts obtain value and become tradeable. Pandemics like COVID create predicates. They all converge at the organised crime level, casting their shadows in the licit transactional environment. Can we see those shadows?
— Do we have a deep understanding of the attributes of our organisation making us attractive to financial crime threat actors, and what is to be done about it?
— Where the illicit application of trust and confidence finds use in the licit structures of trust and confidence, like a bank or mobile services provider, the licit and illicit attributes become difficult to distinguish and identify individually for what they are. Are we able to do this consistently?
Data Privacy
Protecting your data as the asset that it is

Beulah Simpson, Senior Manager, KPMG Privacy Practice

Drivers
— The evolving data privacy regulatory landscape is transforming the way organisations and individuals think about the use and protection of personal information
— The continued sophistication of cyber-crime is putting a focus on security for privacy within organisations
— Increased public awareness and concern regarding the collection and use of personal information is driving privacy compliance

For some time we found ourselves commenting on the comparably embryonic state of our privacy legislation in comparison to jurisdictions like Europe, where the GDPR has been effective for some time. After the 7-year hiatus, the Protection of Personal Information Act ("POPIA") finally came into effect on 1 July 2020 and will be enforceable from 1 July 2021. This marks a key milestone in South Africa's privacy regulatory journey – one that will change the way that organisations think about and process personal information in their day to day business activities. Businesses now have less than 6 months (from the writing of this article) to become fully compliant with POPIA. However, with a sound plan and enough determination – it can be done.

Privacy Challenges of 2021

The biggest privacy challenge many organisations are facing is determining where to start with their POPIA compliance journey. Having performed numerous POPIA readiness assessments, we can say that each organisation's privacy compliance challenges and priorities differ. However, we have set out below what we consider to be the top 5 of the POPIA challenges that stand out to us:

Non-existent or poor privacy governance structure

Too often, when we perform a privacy maturity assessment, we find that there isn't a clear privacy governance structure and/or that roles and responsibilities for privacy have not been assigned to employees. A strong privacy governance structure is essential to comply with POPIA. After all, the first condition of POPIA is "accountability" (as set out in section 8 of POPIA) and requires that organisations ensure that all eight conditions of POPIA are complied with and that "all measures that give effect to such conditions are complied with at the time of the determination of the purpose and means of the processing and during the processing itself". This is an impossible task without the right privacy governance structure embedded within the organisation.

Interpreting and applying POPIA principles in the age of AI and machine learning

More and more organisations are exploring how they can deploy AI tools to generate greater value from the personal information they have gathered over the years. However, documentaries such as The Social Dilemma are putting AI and the organisations that use it in the spotlight. With increased consumer awareness and regulatory pressure, organisations have no choice but to navigate the use of AI in a privacy-compliant manner. POPIA, and the regulations and guidelines currently published thereunder, do not expressly address the questions that many organisations will have about the privacy-compliant use of AI. Instead, organisations will need to interpret the principles-based legislation to make sense of this challenge themselves, including the conditions governing "collection of personal information for a specific purpose" (section 13), "further processing to be compatible with purpose of collection" (section 15), "minimality" (section 10), "notification to data subject when collecting personal information" (section 18) as well as consent/lawful justification (section 11).

Failing to identify the risk when using a third party to process personal information

Often, for convenience or efficiency, organisations ("Responsible Parties") outsource services which incidentally or intentionally involve the processing of personal information (for example, engaging with financial services intermediaries or outsourcing actuarial functions, documentation archiving, cloud storage, performing criminal checks on prospective employees or delivery services). When organisations rely on third parties (referred to as "Operators" in POPIA), there may be an expectation that the same level of privacy controls will be applied by the Operator as those applied by the Responsible Party. However, this is an area that is not always sufficiently considered, vetted or audited - until there is a serious data breach, of course. This poses a key risk to organisations which is often not adequately catered for within the privacy control framework.

Organisations underestimate data subject access requests

Many organisations have completely underestimated the privacy risks and administrative burden associated with data subject participation. The numerous rights of data subjects are summarised in section 5 of POPIA and require organisations to take decisive action. In our experience, many organisations tend to manage their data subject access requests on an ad hoc basis, with no centralised or formalised process to ensure that the organisation is able to respond fully, timeously or appropriately to a data subject request. This may prove to be particularly troublesome for organisations with data sprawl (i.e. when personal information is widely dispersed across an organisation).

Policies, procedures and controls are not enough

While organisations should design and implement policies and procedures to ensure that their processing activities are POPIA-compliant and satisfactorily cater for privacy rights and obligations, policies and procedures alone will not be sufficient. Many organisations have been focusing all their efforts on policy drafting instead of nurturing a privacy culture where employees are aware of and understand their responsibilities when dealing with personal information and are empowered to action those responsibilities. Compliance can never be achieved if employees don't buy into the importance of POPIA within the organisation or don't understand how to apply privacy principles to their day to day business activities.
Key actions
— You don't know what you don't know – every big project requires a sound project plan. Every organisation should consider starting its POPIA compliance journey (if it has not done so already) with a POPIA Gap Assessment to establish the organisation's existing privacy controls and to identify its POPIA gaps. This will assist the organisation in prioritising the actions required to comply with POPIA and in allocating the necessary resources to be compliant by 1 July 2021
— Establish an appropriate governance structure – Ultimately, the privacy governance structure must be one that is appropriate, having regard to the organisation, and must be effective for identifying, assessing, monitoring and reporting on privacy related risks and breaches through the governance structures. It must include the appointment and registration of an Information Officer but may also include appointing a deputy information officer or establishing privacy committees, forums or teams. It is also important that roles and responsibilities filter down the chain of command and that each employee understands their privacy obligations
— Recognise when you need professional assistance – Each organisation is encouraged to use its internal resources to drive POPIA compliance; however, it is important that these internal role-players have a clear understanding of what this means practically. When it comes to interpreting and applying POPIA, many organisations may need to seek professional advice in order to drive POPIA compliance within their organisation (particularly when it comes to more complex processing activities such as those involving AI, robotics, machine-learning and automated decision making)
— Don't overlook the risk posed by third parties – Third parties pose one of the greatest privacy risks (depending on who that third party is, of course). It is important that organisations enhance their procurement processes to include privacy due diligence in respect of third party suppliers (Operators), include robust privacy clauses in their third party agreements and perform privacy audits, particularly in respect of high-risk Operators
— Consider technology enablement – It is important to keep abreast of privacy technology developments and to consider how technology can be deployed to support your organisation with POPIA compliance. For example: is there a technology solution that can assist you in automating data subject access requests and, if so, does it make commercial sense having regard to the number of data subject requests and the complexity of each request? This is an area that all organisations should keep in mind in 2021 and beyond
— Prioritise cultivating a privacy culture – For privacy to become embedded in an organisation, it is important for organisations to cultivate a privacy culture. One of the ways this can be achieved is by establishing a privacy training and awareness programme, which should be revised annually to remain relevant to employees
Capital & Liquidity
Balancing inherent tensions to weather the storm

Derek Vice, Partner, Financial Services Audit

Drivers
— Insurers' capital has weathered the Covid storm well
— Experience has shown that legal risk can create capital strain
— The actions of insurers are increasingly judged by the court of public opinion through social media

Insurance Capital in 2021

Capital. The word Capital has multiple and varied meanings. It can mean:
• the principal or most important (the capital city);
• involving the death penalty (a capital offence);
• very serious or fatal (a capital error);
• the chief town or city (South Africa's capital is…);
• a capital letter;
• the top of a pillar;
• wealth or property that is used or invested to produce more wealth (investment capital, capital goods, the capital sum); and
• importantly, the root of capitalism.

You can capitalise, be a capitalist, capitulate and even decapitate. Clearly capital is important.

A common thread between these is that they are connected to the essence, or life, of something. The capital of a country was historically the centre of the government and often the economic hub. A capital offence is so serious it can cost one's life. The start-up capital is the life blood of an entity. And it is fair to say that the capital markets are the lifeblood of capitalist systems around the world.

However, in financial services, notably banking and insurance, the word capital has taken on a specific regulatory meaning. It is not simply the initial investment that launched the enterprise. In many instances, the regulatory capital amount is multiples of this initial investment. Although legally prescribed (through complex formulae and ratios), the amount of the capital requirement attempts to represent the amount of excess assets these entities must hold to remain solvent in stressed scenarios. These stressed scenarios are usually expressed in terms of an extreme event (a one in two-hundred-year event), or a confidence level (like a 99.5% confidence level [1]). Regulatory capital is often expressed as a ratio. A capital coverage ratio of 2.0 would suggest that the entity is holding double the required amount [2].

By prescribing a capital amount, regulators are trying to address one of the inherent tensions in the capitalist model. This is the tension between an investor's required returns and the protection of consumers and beneficiaries of financial products. Without the regulatory capital buffer, directors might be encouraged to declare dividends to a point at which a few unfortunate events could make the entity insolvent. In contrast, an excessive capital requirement stifles business and drives away investment by reducing investors' return on their capital.

It should be noted that failing to meet the regulatory capital requirement is, in certain circumstances, a figurative "capital offence." Consistent failure to meet regulatory capital requirements can see an entity closed to new business or even put into liquidation. Hence companies tend to be cautious in meeting these requirements.

[1] Which itself means that in 99.5% of scenarios we would expect the entity to remain solvent.
[2] Put simply, if the regulatory assets are 100 and the regulatory liabilities are 80, then the excess is 20. If the capital requirement was 10, the capital cover would be 2 times. If the capital requirement was 5, the capital cover would be 4 times.
2020 provided a real-world test case of the appropriateness of regulatory capital cover for financial institutions in South Africa (and internationally). The Covid pandemic represents the sort of unexpected event which the regulators are trying to protect consumers and beneficiaries against.

Insurers' capital cover from December 2019 to September 2020 showed the following trend [3].

This is supported by the results of the listed life companies, which showed solvency cover ratios between 1.82 and 1.87 [4] without significant variance from the prior year. This was in the context of R8.251 billion of Covid specific provisions raised by these companies [5]. And, on the non-life side, apart from business interruption claims, there was a generally positive impact from lockdown on claims experience.

Essentially, life insurers experienced a 5% reduction in cover through the middle of the year, with a rebound by September. Although several factors contribute to this, it clearly shows an overall level of resilience in the insurance industry. Whilst profitability has been negatively impacted, the short-term impact of this on solvency has been muted.

The relative stability of the capital numbers over the period is probably intentional. Insurers maintain a target cover ratio and declare the excess as dividends. One of the tools for maintaining solvency during Covid has been a moratorium on dividends. At least amongst the listed entities, we know that dividends were withheld, which would offset the abovementioned increase in provisions and reduced profits.

This raises the question: is the insurance industry over-capitalised? With capital significantly more than the regulatory requirement, could there be an argument to release some of this to shareholders? Although in early 2021 this would be rash and impulsive, once/if the year settles and the vaccines help bring Covid under control, this could be a debate worth engaging. This might even be a requirement as investors start seeking returns in a post-Covid world.

It is important to note that the regulatory capital cover could be at these levels because the insurers are intending to use this excess (i.e. it is not simply held to meet a regulatory requirement). It is seldom the case that this excess is under-utilised. Quite the contrary: many insurers are investing heavily in new ventures, system upgrades and digitisation, and managing their asset allocation to maximise returns on this capital. Often these funds are ear-marked as "start-up" capital to launch new ventures. The excess could also be at these levels because the insurers have their own view of capital, which is to say they allow for aspects not included in the standard/prescribed capital models.

An interesting impact of this regulatory capital position was that many insurers were able to make morally significant contributions to Covid relief. From premium holidays to direct contributions to Covid funds, the insurance industry showed its moral fibre and supported its customers in various direct and indirect ways. In considering the quantum of capital cover, directors might want to consider whether a portion of this cover remains committed specifically for such scenarios. Insurers could maintain a similar level with the knowledge that 0.1 of that cover is specifically designated to provide customer support in a catastrophe scenario (assuming such cover is not directly required).

[3] Based on the "Selected South African insurance data" prepared by the Prudential Authority on a quarterly basis. These amounts represent the median position of the primary life and non-life industries.
[4] Based on their June year end/half year results: Sanlam 1.87; Old Mutual 1.82; MMI 1.85; Discovery 1.83; and Liberty 1.82.
[5] Based on their June year end/half year results: Sanlam had a pre-existing pandemic provision; Old Mutual 2.793bn; MMI R983m; Discovery R2.3bn; and Liberty R2.175bn