In December 2019, the FCA issued its Consultation Paper (CP19/32) on Operational Resilience. The CP laid out the FCA’s intentions clearly, building on the existing requirements to manage operational risk and business continuity planning with the aim to further strengthen operational resilience. Although CV19 has delayed the closing date for feedback to the CP until the 1st October 2020 with the final rules not expected until 2021, the message from the regulator is clear. To reinforce the point, Operational Resilience was one of the six ‘cross-cutting’ priorities in the FCA’s 2020-21 Business Plan.
Taking Operational Resilience seriously is no small undertaking for firms. It requires firms to:
The focus of operational resilience
For solo regulated firms, the focus of any Operational Resilience work should be on business services. However, dual regulated firms are also required to identify risks to their finances. Finally, the regulator has made clear that outsourcing of services does not diminish their responsibilities:
“Firms who use outsourced and other third-party service providers should take responsibility for managing risk arising from those arrangements. Greater levels of risk management are needed when a firm increases its dependence on outsourced and third-party service providers”.
In summary, building and managing ongoing Operational Resilience is a significant additional undertaking for firms.
The earliest solutions have been in the marketplace for almost twenty years and, with the new focus from the FCA, new providers are entering the market and expanding the choice even further.
However, this comes at a time when the regulatory calendar is incredibly busy. To bring together regulatory change initiatives from a variety of regulators in one place, in May this year, the FCA published its ‘Regulatory Initiatives Grid’. Of course, not every initiative is relevant to every sector of finance services. However, the point remains that compliance professionals in firms have got their hands full, and overlay the operational uncertainties that CV19 presents, it is enough to make some reach for a large glass of something very strong!
To complete the picture, taking a broader perspective the latest, i.e. 2019, “Cost Of Compliance” report from Thompson Reuters identifies some significant, if predictable, findings:
43% of respondents expected their compliance teams to grow
66% of respondents expected their compliance budget to grow
24% of firms expect to outsource all or part of their compliance
63% of respondents expect to spend more time liaising with regulators
41% of respondents expect to spend more time reviewing FinTech and RegTech
Whilst some professionals will understandably feel burdened by this agenda, others we have spoken with are beginning to see it as a tipping point that is forcing a fundamental rethink about how they ‘get things done’.
In the FCA’s latest Business Plan, another of the ‘cross-cutting’ initiatives is ‘Innovation and Technology’. In it, the regulator states:
“We will invest in new technologies and skills so that we can make better use of data to regulate efficiently and effectively. We will deepen our engagement with industry and society on artificial intelligence, specifically machine learning, and focus on how to enable safe, appropriate and ethical use of new technologies”.
And:
“We want to use technology to reduce the burden of regulatory reporting on firms. We will replace our Gabriel system with a new platform for collecting firms’ data”.
These statements are significant in that it is clear the regulator recognises the increasing burden of compliance and sees technology as key to moving to a more manageable future. In that context, the final finding from the Thompson Reuters report (table above) is a positive and optimistic sign.
So how can RegTech help?
Taking things back to its most simple level, Deloitte define RegTech as, “technology that seeks to provide nimble, configurable, easy to integrate, reliable, secure and cost-effective regulatory solutions”. Whilst relatively new as a piece of terminology, regulatory solutions are not new. The earliest solutions have been in the marketplace for almost twenty years and, with the new focus from the FCA, new providers are entering the market and expanding the choice even further.
So given the challenges of ensuring that the business processes, identified as part of firms’ Operational Resilience projects, stay ‘within tolerance’, the regulatory agenda and increasing costs of meeting regulatory expectations, what practical steps can firms take to capture the opportunities that RegTech solutions offer?
When looking for a RegTech solution, firms can follow a simple seven-point checklist to help them identify the solutions and providers can support them;
If firms recruit a select group of trusted external providers that meet these criteria, they can be confident that part of their regulatory responsibilities can be supported by external trusted hands. And regarding costs, experience has shown both me and my colleagues that using non-dedicated, internally built solutions using software like MS Office start cheap but quickly become problematic and costly as regulatory and industry standard technology changes need to be incorporated.
Of course, there is a risk you could make the wrong decisions, however, as Theodore Roosevelt so aptly put it, “In any moment of decision, the best thing you can do is the right thing. The worst thing you can do is nothing.” So Operational Resilience may be just another task on the current ‘to do’ list or for those that choose to engage with the RegTech agenda, it could be the tipping point to a different, more resilient and compliant future.
