2020 saw landmark enforcement actions from regulators across Asia-Pacific as financial institutions across the region paid $5.1 billion in fines for anti-money laundering failures.
By March 2020, the COVID-19 pandemic had begun to grip economies, demonstrating the interconnectivity of the worldwide financial sector. The pandemic has wreaked extensive disruption to all businesses and this is likely to continue well into 2021, with credit risks, insolvencies and unemployment all likely to increase.
Remote working and “on-off” lockdowns may continue for some time, forcing firms to interface with customers differently and to be flexible regarding the repayment of loans or other credit facilities. These developments may lead firms to identify new opportunities and seek alternatives ways of doing business. There is some evidence firms have been addressing compliance problems head-on and dealing with issues at an early stage, while balancing commercial initiatives with regulatory requirements.
Regulators in Asia have taken supervisory measures to alleviate the immediate impact the pandemic is having on the financial sector and have granted firms a reprieve as they are forced to adjust their operations.
In the short term, regulators are likely to concentrate on prudential issues such as credit risk, volatility of assets and how affected customers are being treated.
Regulators have also been flexible, with many delaying the introduction of new laws and continuing to amend prescriptive requirements. Governments and central banks have implemented macro fiscal measures and relief from insolvency laws in view of the continuing uncertainty.
These 10 regulatory insights for Asia may help firms to think through the many challenges facing them, and to respond to the compliance and regulatory issues at hand.
1. Operational resilience — ensure continuity
COVID-19 has put senior managers under pressure to rethink strategies across their organisations, while ensuring the business and assets are protected and customer service remains the central focus. Senior managers have had to show initiative and lead from within, and many have reduced operational imperatives in the short term. Many large financial institutions continue to defer customer repayments on loans and mortgages, and are monitoring customer needs.
There is evidence that firms made genuine attempts to reset their culture in 2020, and viewed improvements in culture as essential to business continuity as they readjusted their profit expectations.
The Asia-Pacific financial sector is a growing, competitive environment. Firms are balancing technological innovation with due diligence, risk and compliance measures. At the same time, senior management and their compliance teams need to acknowledge that the current crisis will continue for some time, and must plan for further uncertainty and offset foreseeable risks.
Until the vaccine has been rolled out to all, financial services firms must continue to demonstrate agility in their change management processes. They will need to demonstrate operational resilience in a challenging environment that has witnessed an escalation in sophisticated financial crime, credit reviews and continued business instability. Many firms will decide to redeploy resources to meet operational needs, such as the need to assist customers and businesses who may have to defer or rewrite loans or delay repayments during the crisis.
Business continuity remains the focus during 2021. The following tips may help firms to plan their post-pandemic recovery:
- ensure there is clear accountability for operational resilience at senior management and board level;
- plan for the unexpected;
- communicate effectively to staff and customers;
- understand regulatory expectations;
- concentrate on business continuity and governance processes;
- prioritise compliance activities to deal with immediate issues and redeploy resources to areas that need attention;
- assess new and emerging risks, customer defaults, credit risks, asset valuations, third-party risk, information system risks and data protection;
- assess the aggregate risk and losses across all business lines and develop appropriate metrics to monitor changes;
- ensure the organisation has effective, documented business continuity planning to account for the continuing challenges;
- be proactive and pay attention to clients’ concerns or needs during the crisis with a view to a long-term outlook for resolution.
2. Cyber security, data protection and anti-financial crime management
Financial institutions continue to face challenges in financial crime and protection capabilities, while at the same time needing to meet current obligations. Regulators still continue to expect firms to have effective monitoring systems in place, such as cyber security, online fraud defences, know-your-client (KYC programs), effective anti-money laundering systems, risk assessments, data protection mechanisms and well-resourced compliance oversight.
Cyber security remains of paramount importance during the pandemic as new methods of online fraud emerge. Cyber-attacks are predicted to be the world’s fastest growing area of crime by the end of 2021 with an estimated worldwide cost of $6 trillion. The pandemic has driven local and international businesses online, underlining the need to improve identity verification technologies. Identity fraud is growing exponentially, attracting criminals across jurisdictions and posing the largest single threat to international organisations.
Only recently, German authorities closed down an operation that had amassed information from millions of stolen credit cards. This data was traded with other organised criminal groups via the dark web. Cifas, the UK fraud prevention service, found there had been a 32% rise in online fraud between 2015 and 2020, with targets including government payment systems, retail outlets, online payment systems, financial institutions and businesses.
In February 2020, the European Systemic Risk Board published a report which estimated the total cost of cyber incidents for the world economy in 2018 could have been as high as $654 billion. This figure will rise significantly as a result of the pandemic. The shift to employees working from home, where systems are not as secure, is one of the main risks. The Financial Stability Board (FSB), in its report on the financial stability implications of fintechs, emphasised the need for firms to incorporate cyber security in the early design phases of new products and systems. It also recommended greater use of artificial intelligence to help lower the probability of cyber events.
Firms will need to assess relevant threats that expose their own vulnerabilities and ensure they remain operationally resilient. They would be well-advised to carry out internal audits in relation to other financial crime such as bribery and corruption, modern slavery and human trafficking by third-party vendors.
Firms wishing to build resilience may wish to consider the following steps:
- identify the threat landscape;
- assess the efficacy of their online customer verification process;
- assess issues of stolen data and online fraud and address system weaknesses;
- map the cyber and financial network;
- create effective policies and checklists;
- conduct reviews of system effectiveness;
- assess the need for upskilling and training in verification processes and data protection;
- establish formal information-sharing and reporting mechanisms;
- devise adequate response and recovery measures;
- conduct internal audits; and
- ensure appropriate reports to regulators as required.
Data protection is intrinsically linked to cyber security. Widespread home working has meant many firms have found themselves outside their risk appetite; many have had to relax their security perimeters to facilitate working from home and introduce new technology that may not have been effectively tested.
Compliance teams may need to carry out continuous risk assessments, policy and process analysis, to understand where weaknesses lie. In addition to privacy requirements, firms transferring personal data to a third country need to consider whether the destination country has data protection measures in place which are equivalent to those in their own jurisdiction. Assessments should be undertaken on a case-by-case basis before any significant transfer takes place.
3. Anti-money laundering — highest-ever penalties in Asia
Actions by Asia-Pacific regulators resulted in $5.1 billion in regulatory fines and penalties for money laundering across the region last year. The enforcement figures in the 2020 calendar year eclipsed the 2019 enforcement figure, which stood at just $7 million.
Two of the penalties imposed in the region last year were particularly significant and comprised the bulk of the $5.1 billion enforcement bounty. The first major fine was imposed by the Securities Commission Malaysia and Malaysian prosecutors against Goldman Sachs in relation to 1MDB (the Malaysian state-owned and controlled investment fund), amounting to a $3.9 billion penalty. The Malaysian Anti-Corruption Commission also ordered 80 people and groups to pay $100 million in fines for receiving funds from 1MDB.
The second major case was the Australian Transaction Reports and Analysis Centre’s (AUSTRAC) action against Westpac for $980 million (A$1.3 billion), after the bank admitted to breaching AML/CTF laws more than 23 million times. It is the largest single penalty ever extracted by a regulator in Australia.
A particular theme running through these high-profile scandals is that, despite deploying extensive resources on improving their compliance frameworks, firms often continue to wait for regulators and enforcement agencies to call them out on legal breaches. Many of the organisations fined last year had ignored red flags and allowed AML/CFT failings to fester.
Some firms were found to have weak procedures for escalating matters to senior management, while at others problems could be attributed to misconduct involving senior management and undetected errors of judgement on the part of senior executives or boards. Another common failing related to inadequate, incomplete or outdated AML/CTF compliance programs.
Regulators are likely to pay particular attention to the adequacy of compliance programs in their 2021 reviews. Solving serious problems is reliant on the will of senior management to act. As the Panama Papers and other similar leaks have borne out, there is a much greater chance in a digital age that whistle-blowing or leaks will expose problems.
Senior manager accountability regimes place a clear onus on senior management and boards to have effective AML/CFT and KYC operations in place at all levels. Recent penalties suggest that regulators will not hesitate to impose penalties where they come across such action. Accountability regimes now require early disclosure to regulators; there are no excuses. Senior managers and boards must ensure they are aware of any current gaps in their AML/CFT and KYC procedures and ensure that they are made aware of any internal failures, and then take immediate action to address them.
Firms may wish to review a number of areas which have led to significant failures in the past, set out in order of priority:
- AML oversight by senior management and the board;
- consumer due diligence monitoring;
- suspicious activity monitoring;
- compliance monitoring and oversight;
- systems and controls;
- regulatory and internal reporting;
- failure to escalate issues to senior management;
- failure by senior management to make decisions;
- customer enhanced due diligence monitoring;
- staff training and competency; and
- internal audit.
4. Consumer/investor protection
Mis-selling of products remains a particular concern for regulators. The Australian Securities and Investments Commission (ASIC), for example, has a new product intervention power which enables it to stop questionable products from going to market and to suspend the sale of unsuitable products.
Consumers understand that investing in financial products involves some risk, but the pandemic has required firms to be even more conscious of the financial risks and volatility of the market. Some firms may need to revisit the target markets for their products, as they have a real-time responsibility to ensure that their advertising and disclosure is “true to label”. Advertising must represent the actual features of the investment products.
Regulators across Asia will continue to monitor advertising, especially on the part of those firms which promote their products as “high-yield” or “low-risk” when that may not be the case. Regulators have emphasised that warnings, disclaimers and qualifications should be consistent with other content in an advertisement for a financial product. Great care is needed in terms of the words used, as regulators have shown themselves increasingly willing to take enforcement action to address false or misleading statements. Being the subject of such regulatory action will have consequences for the firm’s reputation and may well result in the need to pay compensation to consumers and regulatory penalties.
Firms may wish to consider whether:
- adequate compliance procedures are in place to review products at the planning stage;
- the policies and procedures in place are adequate to test products before they go to market;
- compliance is sufficiently embedded in the process;
- the product is appropriate for the targeted market;
- exclusions are properly considered, and the product is in the interests of the targeted market; and
- there is senior management accountability in decision-making processes.
5. Digital transformation — balancing technological innovation with compliance imperatives
Firms are witnessing at first hand the opportunities digital transformation can create. They can use technology to improve the service they provide to customers and enhance market competitiveness, but must also understand the attendant risks and vulnerabilities.
Digital transformation requires firms to make changes to their leadership and culture, improve risk and compliance imperatives and acquire specialist, skilled staff to keep abreast of diverse regulatory changes. Enhanced technology is only half the equation, however; the other is creating a unified compliance culture to manage and address the various business challenges and risks. Thomson Reuters Regulatory Intelligence recently published a report on digital transformation which explored lessons from China. The report concluded that while there are synergies from the effective implementation of new technology, a number of challenges must be overcome before potential benefits can be realised. Firms need to invest in skills, system upgrades and cyber resilience if they are to deliver technological innovation without endangering good customer outcomes.
Regulators have long been aware of a lack of oversight in this area; if fintechs fail, systemic risks may follow, affecting hundreds of millions of people. Chinese regulators have been the first to draft regulations which require micro-lenders to have stronger prudential arrangements in place and to place safeguards around the sharing of customer data. Other regulators are likely to follow suit.
6. Regulatory reach and burden — understanding the regulatory focus
Regulators’ remits have broadened considerably in recent years. Firms are having to deal with an expanding array of policies that have a far broader application. This significantly expanded regulatory ambit requires firms to: improve their culture, conduct risk, cyber security and data protection measures; vet carefully those areas which are outsourced; revise their financial metrics and upskill their core functions.
Regulators are also carrying out more intensive surveillance of products, and of firms’ consumer protection and remediation practices. Some relaxations have been granted to help the financial services sector cope with more practical concerns during the pandemic, but these are short-term. This enhanced level of oversight adds significantly to the cost of doing business. The recent Cost of Compliance Report found firms were having to spend a significant amount of time each week tracking and analysing regulatory developments.
Regulators have increased penalties considerably, extracting billions of dollars from institutions for misconduct.
Firms must develop strategies to deal with these expanding regulatory requirements. They must ensure they understand the regulatory focus and then develop effective recordkeeping, map compliance issues, and be able to provide appropriate disclosure where required. The cost of compliance has increased considerably as a result; Regulatory Intelligence’s survey indicated that whereas in 2016 firms typically spent 4% of their total revenue on compliance, this could increase to 10% by 2022.
Firms need to create a holistic model for the future that identifies the regulatory issues which will affect them and devise an approach that demonstrates their governance and risk management in a clear and concise manner. Firms should ensure that they:
- develop a practical understanding of regulators’ expectations;
- devise action plans that focus on the important areas;
- map responses to government regulators;
- ensure effective recordkeeping;
- maintain a central log of all their assets, including digital assets;
- consider whether they should make wider use of artificial intelligence to capture the data;
- ensure accountability within the organisation;
- ensure early disclosure of problems;
- engage with regulators to ensure expectations are being met.
7. Accountability — resetting culture
Regulators across the region have been emphasising the importance of senior management accountability and the need for financial institutions to have an appropriate culture. Australia, Hong Kong and Singapore have imposed accountability requirements on senior management to provide a “line of sight” into who can be held responsible when things go wrong. In China, the Financial Stability and Development Committee has asked the country’s five financial regulators to strengthen administrative sanctions on illegal conduct in the financial industry.
Personal accountability risk for senior managers remains high. In-depth consideration of culture and conduct risk has become essential for all financial institutions. Regulators have articulated their expectations in speeches and policy documents, and have taken a keen interest in the design of, and approaches taken by, firms’ in-house senior management accountability processes. Of the firms surveyed for last year’s Cost of Compliance report, 34% said they had discarded a potential profitable business proposition due to culture or conduct risk concerns: a powerful demonstration of culture and risk policies in action. In this regard things are slowly improving.
Getting culture “right” remains a constant challenge for compliance teams. Boards and senior managers must ensure policies, procedures and monitoring processes are in place, backed up by training and development. Culture should be articulated by the board and senior management and be reinforced by suitable reward, recognition and disciplinary procedures. Management mindsets may need to change, to ensure there is a shift to “operating” corporate values as stated — this is a process which will evolve and needs to be monitored.
There are plenty of recent examples where firms’ culture has put “deals” before integrity, and organisational interests before those of customers. This places those firms at risk of enforcement action, even for regulatory failings in other jurisdictions. Firms need to foster a culture of accountability by, for example:
- developing balanced senior management incentive plans;
- putting in place strong governance and controls;
- ensuring appropriate monitoring, reporting and escalation;
- implementing consequence management initiatives;
- devising procedures for disciplinary action.
8. Upskilling and training to meet technology requirements
Upskilling allows organisations to maintain and increase their competitive advantage. Compliance teams will need to develop broader skill sets to ensure they understand the application of artificial intelligence systems and data analysis, alongside a the emerging range of regtech and fintech platforms. The 11th annual Cost of Compliance Report found the main skill compliance officers thought they required for the future, besides communication and management skills, was “digital/technology understanding”.
Firms in the UK, for example, have turned their minds to dealing with the growing problem of identity fraud and have upskilled in-house teams to deliver improved identity verification processes, in some cases working with third-party vendors. These initiatives have provided significant cost savings and led to the in-house development of high-level skills which will, in the long term, protect the firm’s reputation and help retain customers.
In the short term, firms may have to redeploy skillsets in-house to balance competing priorities to focus resources where the real risks are seen to lie. More effective online verification processes may be required to meet the growing threat of online fraud and cyber-attacks.
Firms may need to move staff or upskill them, and must provide continuous training to keep any new skills acquired up-to-date. Firms may wish to:
- evaluate risks and skills gaps in the light of the real and present threats facing the business;
- evaluate existing talent to gain assurance the firm has sufficient capabilities to address immediate risks;
- assess whether upskilling or training existing staff to build capabilities will meet these risks;
- if there is found to be a lack of internal resources, consider whether these skills can be hired from the market;
- develop a road map for training and improving compliance capabilities to improve the upskilling staff;
- implement upskilling programs in the risk areas as assessed.
9. Risk management agility and the growth of climate and ESG-related issues
The challenges brought about by the pandemic are expected to continue well into 2021, forcing financial services firms to demonstrate agility. Many of the moratoria afforded to firms by regulators in response to COVID-19,will be short-term. Operational changes such as working from homes and limited in-person customer access have shown both firms and customers that business can be done differently, and that may well change the future of financial services delivery forever.
Supervisory oversight of firms will remain elevated given the emerging consumer protection issues and the need for greater emphasis on governance, data protection, and cyber-security resilience to combat online threats. Senior management will need to be agile in responding to immediate risks.
Firms will need to pay particular attention to addressing emerging climate-related risks, and environmental, social and governance (ESG) concerns more generally. Large institutions have incorporated their exposure to climate risks in their investment, lending, and underwriting decisions, and have integrated these risks into their broader risk management and compliance processes. The FSB has encouraged firms governments to take these issues seriously as set out in its recent paper The Implications of Climate Change for Financial Stability.
Regulators will continue to request information from financial institutions, given the volatility of the markets and the credit risks which may result from the pandemic. The temporary relief provided to firms by regulators is short-term, but the remote working and the pandemic hardships will continue to bring challenges for firms well into 2021. Regulators will expect firms to fully adapt their policies and procedures to deal with such risks. Firms should ensure they:
- understand the immediate risks to the organisation and the operational challenges they bring;
- determine what must be monitored or actioned;
- commence an audit trail and record-keeping system to document the impacts to the business, and the processes, policies and procedures that need to be reviewed;
- communicate relevant issues to staff;
- warn customers of emerging risks and provide advice on how to protect their online identities and data in the current environment;
- ensure appropriate governance and accountability linked to senior management;.
- adapt relevant policies and procedures to reflect operational shifts and ensure sound compliance procedures are in place.
10. Complaints and remediation
Regulators keep a close eye on firms’ consumer protection procedures and expect firms to operate customer remediations efficiently and fairly, in line with their legal and regulatory licence obligations.
Regulators have frequently taken action against firms which were found to have been well-aware they had made mistakes, but had failed to act. Many firms strategically delay or avoid customer repayments for years. A flawed remediation process will have an adverse effect on a firm’s reputation in the long term. Keeping the following pointers in mind may help firms to ensure their approach to remediation meets regulators’ expectations:
- treat customers fairly;
- act promptly to remediate mistakes but without sacrificing quality or resorting to adverse consumer outcomes;
- understand the problem, and establish which consumers have been affected;
- place customers at the heart of all decisions;
- return consumers as closely as possible to the position they would otherwise have been in;
- make the process easy for affected consumers by minimising complexity and consumer action;
- give consumers the benefit of the doubt and err in favour of the consumer (i.e., make beneficial assumptions);
- monitor and record outcomes against goals set in the process;
- identify areas for improvement and address them; and
- ensure proper documentation throughout the remediation process.