The ability to evidence effectiveness is and will be an overarching regulatory theme for the next few years and defines a new era for financial services businesses in International Financial Centres (IFCs) worldwide. It applies equally to both the regulator and the entities it supervises - we are all in this together.
This rapidly evolving environment is being driven by international standard setters that are now assessing regulators on much more than pure legislative architecture.
In the eyes of these overarching assessors, the legislature is no longer enough, and there is increasing pressure to evidence that laws, codes and underlying guidance are also producing the right results. This new environment is, effectively, bringing regulators and the businesses they regulate much closer together in their pursuit of positive international recognition as robust, safe and transparent centres.
How to evidence effectiveness?
So, what exactly do we mean by evidencing effectiveness? In short, it's about moving from technical compliance to being able to evidence and demonstrate that the work a financial services business, or regulator, is doing in any particular area is having a positive impact on outcomes i.e. what you are doing is effective.
And what does this mean in practice? How do regulators, and the regulated, back up the jurisdictional regulatory frameworks, or the businesses risk framework with data and facts to show that the regime in place is effective?
For regulators, previously it would be enough to set out how the jurisdiction's regulatory framework was equivalent to international standards, now they have to go much further, it includes items such as how many examinations had been undertaken, a description of the risk system and how a business is selected for a visit using this system, providing facts as evidence of the outcomes from an examination, setting out how many prosecutions the jurisdiction has made both of businesses and individuals from a criminal or regulatory angle. These areas are not too hard to provide in facts and figures.
But when it comes to more subjective, or arms' length qualification that provides the evidence of positive results from a regime it becomes much trickier.
Standard setters are asking: how have businesses changed their behaviours as a result? And how do regulators evidence that? Put simply, there will be, and we are already seeing, much more control testing of entity remediation (enforcement activity and/or supervisory examination) to provide the evidence and demonstrate that effectiveness.
An expectation shift
In this environment, the expectations of the regulator have clearly shifted. Gone are the days of where financial services businesses simply had to have a compliance officer, a procedures manual and a business risk assessment (BRA). Now, this is a given, it's essentially seen as technical compliance. What's expected in addition is not as simplistic. Take for example, the BRA. In the new era of evidencing effectiveness businesses need to demonstrate how it produced or produces its BRA, when and why was it last reviewed, are there board minutes and documented debate in relation to it, what evidence is there of any independent assurance or testing of it, what if any questions arose as to whether or not the business has mitigated risk differently as a result of producing it, have service lines altered, have client take-on procedures changed, have resources been increased in x and reduced in y as a result.
The expectations and testing are being taken to another level and it is clear that this regime is here to stay. Businesses that are robust in applying regulatory requirements and follow or exceed best practice should have nothing to fear from this approach. In our experience much of the activity, rigorous testing, questioning and risk assessment will already be happening for sound business reasons. Ensuring a systematic approach to evidencing this may, however, be needed to meet the changed expectations of the regulator.
Drivers for change
This change and the focus of international assessors will see more new activity from both the government and regulator. For example, Jersey and Guernsey are being assessed by MONEYVAL in the next couple of years and this will focus attention, activity and behaviour from the respective commissions and governments. Our expectation is that there will be an increase in supervisory and enforcement activity in the financial crime space and we've seen the first evidence of that recently.
It's likely that there will be a jump in the number of fines or civil penalties for firms and individuals as jurisdictions will be looking to evidence that to the assessment team that comes along. Put simply, now is not the time to be under-investing in risk and compliance. Even minor indiscretions could be pursued more vigorously in this environment.
It will also drive policy changes from a regulatory and government perspective and much of this can be forecast by looking at the recently published National Risk Assessment (NRA) recommended actions in Jersey and Guernsey.
Looking further afield it's interesting to see how the FATF's action in grey-listing jurisdictions demonstrate how the FATF is expecting greater levels of regulator enforcement activity and sanctions.
This will not have gone unnoticed in the other IFCs including the Channel Islands. Recently published enforcement cases show that the regulators and prosecutors in Jersey and Guernsey are continuing to raise the bar. We are seeing pre-emptive action including an increase in fines and public statements for systems and controls weaknesses or procedural failings that could have led to regulatory breaches rather than actual regulatory breaches. We are also seeing scrutiny and criticism where there is a lack of evidence to demonstrate compliance with requirements.
In summary, financial services business cannot rest on their laurels and need to prioritise investment in risk and compliance. Now is the time to get your house in order:
- • Review your risk and compliance frameworks;
- • be ready for increased regulatory scrutiny;
- • consider a board effectiveness review – this is a regulatory requirement, and remember that's where the buck stops;
- • ensure compliance and risk are represented at the top table;
- • make sure your business risk assessment is up to date, and has been updated following the publication of the NRA; and
- • make sure you can point to an AML/CFT strategy.
Staying on top of the regulatory agenda is critical, and remember, evidence everything along with your rationale!