Our quarterly internal audit hot topics give you a thematic view of new and emerging risks on the regulatory horizon that are applicable across financial services.

For more insight and guidance, get in touch with our team

Regulatory priorities

Internal audit risk radar

Our risk focus radar combines our view of key priorities with an extract from the UK Regulatory Initiatives Grid (where a key milestone or formal engagement is planned), representing the risks and key priorities raised by the FCA (Financial Conduct Authority), PRA (Prudential Regulation Authority) and leading UK regulatory bodies.

We identify the risk priorities at a single glance for the four key sectors segmented by time and risk dimensions to help develop audit-planning and forecast upcoming requirements.

Cross sector priorities

Financial resilience

Key developments

The PRA provided an update on its 2024 supervisory priorities and its expectations of firms in the Dear CEO letter sent to UK deposit-takers on 11 January 2024. Financial resilience was highlighted as a key focus area for deposit-takers and international banks. Ongoing assessment of individual firms' capital and liquidity positions and planning is one of the ways the PRA will aim to achieve this objective.

More recently on 4 April 2024 the FCA published results of the final Financial Resilience Survey issued in October 2023. From 1 January 2024, this survey was replaced with the new financial resilience regulatory return FIN073. Through FIN073, the FCA will be able to continue to collect financial resilience information on liquidity, income, and net-asset position, while reducing the burden on firms. For the final survey, firms were asked nine questions, some with multiple parts. In total, there are 19 individual data points collected from the survey, including optional questions. Areas of focus include amount of liquidity resource, estimated cash needs, and expected cash inflows, negotiated extensions with creditors/delayed payment, net profit or loss in the given period, expectation on decrease in profits/increase in losses, impact of the current macroeconomic environment, revenue size, and support under a government-backed loan scheme.

What should happen now?

  • The PRA expects organisations to continuously analyse a broad range of forward-looking liquidity and capital indicators, using stress-testing to assess their financial resilience, and to have realistic and effective contingency plans in place. The PRA also expects firms to consider changes in depositor behaviour in the current funding environment, and to proactively take into consideration forthcoming changes in bank funding and liquidity conditions
  • The letter and the survey provide organisations with areas for consideration in their assessment of their financial resilience. They're encouraged to reflect on events that have taken place in the global banking sector during 2023 and any implications they can draw from this for their own risk profiles.

Consumer Duty

Key developments

The FCA highlights that under the Consumer Duty, firms should act to deliver good outcomes for all customers, including those with characteristics of vulnerability.

On 20 February 2024 the FCA published its findings on its webpage, following a review of firms' implementation of the Consumer Duty. It has also published the results of the second survey of firms carried out in November 2023, together with a summary of the key information it found. The FCA welcomes the improvements made by various organisations to deliver better outcomes for their retail customers since the Duty came into force in July 2023. However, there are areas for improvement.

The FCA will conduct consumer research as well as gather information from firms and consumer representatives to make its assessment. It intends to share its findings by the end of 2024.

In addition, on 20 February 2024, the FCA published a speech by Sheldon Mills, FCA Executive Director, Consumers and Competition, on the Consumer Duty. In the speech, Mr Mills summarises the FCA's view of the progress organisations have made in the implementation of the Duty, and the challenges firms face when assessing their products and services against the price and value outcome under the Duty. With only a few months till 31 July 2024, Mr Mills identified areas of particular focus for organisations, which include gaps in monitoring data, fair value in closed products, keeping customer connection, and vested rights.

More recently the FCA published a press release on 15 March 2024, announcing that it's to conduct a review into firms' treatment of customers in vulnerable circumstances. The review will look at areas including firms' understanding of consumer needs, the skills and capability of staff, product and service design, communications, and customer service. It will also consider whether these support the fair treatment of customers in vulnerable circumstances, the outcomes consumers in vulnerable circumstances receive, and whether they're as good as the outcomes of other consumers.

What should happen now?

  • Organisations should leverage the latest FCA report on firms' good and bad practices, the speeches and press releases to consider some of the recommendations below. The FCA reminds firms of the four consumer outcomes required by the Duty, sets out examples of good practice and highlights areas for improvement
  • Consumer Duty board reports should be comprehensive and will come under greater scrutiny as the FCA looks to these to evidence the steps firms are taking to drive good outcomes under the Duty
  • Firms must be able to evidence that they're delivering good outcomes for consumers and address any gaps in customer data
  • Firms must assess, and be able to demonstrate, that their closed products provide fair value to customers; they should be confident that they don't exploit consumers' lack of knowledge or behavioural biases; Mr Mills emphasises that the FCA won't judge firms with the benefit of hindsight
  • Firms must take action relating to less engaged and 'gone away' customers, including the support offered and how they assess whether these customers understand the products they hold
  • Firms must ensure that the design of their products and services delivers good consumer outcomes over the long haul, even where the firm has vested rights

Organisations should take the needs of vulnerable customers into account at every stage of the customer journey, specifically:

  • Firms need to ensure that the focus on good customer outcomes is understood at all levels, and in their strategies, leadership, and people policies
  • Firms shouldn't wait to see if the FCA will intervene if they identify an issue, but instead go ahead and tackle it proactively themselves
  • Firms should be able to identify where particular groups of customers, especially those that are vulnerable, receive poorer outcomes than other customers and take action to address this
  • Firms in the same distribution chain should share relevant information with each other; this will help firms to quickly address issues to prevent consumer harm and deliver good outcomes
  • Firms must be able to show that their products offer fair value to customers; for example some firms have relied solely on an assessment of similar product offerings in a market – this alone doesn't prove that the customer is getting a good deal. The FCA is also seeing statements being made about value, without any qualitative reasoning outlining why a firm considers that its product offers fair value
  • Firms need to ensure that they're considering the Consumer Duty and its requirements when approving financial promotions
  • Firms should consider the FCA's findings and continue to make improvements in line with good practice; firms that identify gaps should address these; in particular, the findings may be useful for firms when considering what changes they need to make to meet the 31 July 2024 implementation deadline for closed products and services.

Diversity & Inclusion

Key developments

The House of Commons Treasury Committee published on 23 January 2024 a transcript of the oral evidence session held on 17 January 2024 as part of its 'Sexism in the City' inquiry. The FCA published a statement on 8 March 2024 that responds to the House of Commons Treasury Committee's report on its inquiry. The FCA continues to believe that greater diversity and inclusion (D&I) within firms can only be a catalyst to deliver improved internal governance, decision making and risk management. The FCA notes that the Committee shares its view that change is needed.

The FCA has now received responses from 257 responders to its consultation paper on D&I in the financial sector (CP23/20). Both regulators are working through responses and considering the feedback received, including whether to make any adjustments to their proposed policy. The FCA's early analysis of responses indicates that one area of detailed feedback is how the D&I strategy should work in relation to firms operating on a cross-border basis with a global strategy. There's also interesting feedback on how its proposals on non-financial misconduct interact with existing employment, equalities, and criminal laws.

What should happen now?

The FCA’s main feedback is that D&I strategy should work in relation to all line items operating on a cross-border basis with a global strategy. It believes that there's a link to risk management, and reduced diversity can lead to group-think, which has some potential consequences for risk management. With its secondary competitiveness objective and consumer protection mandate, it believes the work it's doing is relevant, and that stronger diversity in an organisation will support that objective. There's also interesting feedback on how its proposals on non-financial misconduct interact with existing employment, equalities and criminal laws.

ESG (climate and environmental risk)

Key developments

The European Central Bank (ECB) published a report on 23 January 2024 on the results of an assessment of the alignment of the EU banking sector with the EU climate objectives, together with a related blog post by Frank Elderson, ECB Executive Board Member and Supervisory Board Vice-Chair. Responding to the survey closed on 29 March 2024. In the report, the ECB quantifies the most pronounced transition risks in the sector's credit portfolio, analysing 95 banks covering 75% of euro area loans. Key findings were that banks' credit portfolios are substantially misaligned with the goals of the Paris Agreement, leading to elevated transition risks for roughly 90% of the banks assessed; 70% of the banks face elevated reputational and litigation risks as they're publicly committed to the Paris Agreement, but their credit portfolios are still measurably misaligned with it.

The Financial Stability Board (FSB) published its work programme for 2024 on 24 January 2024. Some of the priority areas of work and new initiatives include addressing financial risks from climate change. The FSB will continue to co-ordinate international work in this area. This will include analysis of the relevance of transition plans for financial stability and a stocktake of regulatory and supervisory initiatives related to the identification and assessment of nature-related financial risks.

Furthermore, on 29 January 2024, the EBA published a survey to allow it to receive information from credit institutions on their methodologies to classify exposures to ESG risks, as well as on the accessibility and availability of ESG data for this purpose. The aim of the survey is to collect qualitative information on credit institutions' current practices to inform its work on the feasibility of introducing a standardised methodology to identify and qualify exposures to ESG risks.

What should happen now?

  • The ECB advises that banks should put in place realistic, transparent, and credible Paris-aligned transition plans that they can and do implement in a timely manner. They should include concrete intermediate milestones from now until 2050 and develop key performance indicators (KPIs) that allow their management bodies to monitor and act on any risks arising from possible misalignment with their transition path
  • Banks can apply the approach used in this report to further develop their alignment assessment capabilities to help determine the transition risks they face as well as meet the impending disclosure requirements under the European Banking Authority’s Implementing Technical Standards (EBA ITS) on Pillar 3.

Cyber resilience

Key developments

The ECB will carry out a stress test during 2024 of the resilience of 109 directly supervised banks to a cyber-attack. In the press release on 3 January 2024, it states that it will test how banks respond to and recover from a cyber-attack rather than their ability to prevent it. "Under the proposed approach to the stress test, a bank's daily business operations will be disrupted by an attack and the bank will test how it responds and recovers, including its measures to activate emergency procedures and contingency plans and to restore normal operations". Supervisors will then discuss findings with each bank, including how it coped, during the regular supervisory review process. The exercise’s main findings will be communicated in the summer of 2024.

On 28 March 2024, the FCA announced the launch of a new cyber resilience assessment tool in its regulation round-up. With the Bank of England (BoE) and the PRA, the FCA has launched a new threat-led penetration test assessment tool, STAR-FS (Simulated Targeted Attack and Response assessments for Financial Services). The tool, which will sit alongside CBEST, would mimic a cyber-attack on an organisation’s important business services and the technology and people supporting those services. This would enable regulators and firms to better understand vulnerabilities and take remedial action, improving the resilience of individual firms and the wider financial system.

More recently, the European Systemic Risk Board (ESRB) published a report on 16 April 2024 on advancing macroprudential tools for cyber resilience. In the report, the ESRB reviews the existing operational tools used to respond effectively to a systemic cyber incident, at both the national and the supra-national levels.

What should happen now?

  • The ECB stress test exercise is predominantly "a qualitative exercise and will not have an impact on capital through the Pillar 2 guidance, which is a bank-specific capital recommendation on top of the binding requirements"; it is intended that the insights gained will be used for the wider supervisory assessment in 2024
  • To master the stress test, organisations should be adequately prepared, with clarity provided on the relevant first and second line representatives as early as possible. The central contact persons and technical experts in areas such as BCM, risk management, financial controlling and other first, second, and third lines of defence should: establish early contact and coordination with internal and external IT services; assess evidence with regard to end-to-end coverage of possible cyber scenarios; identify and agree plausible and serious test scenarios for critical core banking systems; and execute playbooks and dry runs, eg, tests of the cyber reporting procedure
  • ESRB will continue its work on developing a comprehensive macroprudential cyber strategy, which will be in line with the implementation of the regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (DORA). Some areas identified for action:
    • Improve their information management and information-sharing efforts
    • National and EU-level crisis management and co-ordination practices in line with EU and international standards
    • Consider the pros and cons of system-wide contingency options and back-up arrangements

Operational risk and resilience

Key developments

The aforementioned PRA Dear CEO letter sent to UK deposit-takers, insurance firms and international banks highlighted operational resilience as one of the PRA's key areas of focus. Supervisory statement SS1/21 (Operational resilience: Impact tolerances for important business services) mandates that by March 2025, financial institutions must demonstrate their ability to remain within impact tolerances for all their important business services (IBS). In this letter, the PRA reminds firms that they have just over a year left to meet the operational resilience expectations as set out in SS1/21. By no later than March 2025, firms should be able to demonstrate that they can remain within impact tolerances for all their important business services.

The PRA continues to observe firms engaging with third party providers, undertaking significant transformations and utilising cloud computing capabilities. It expects these to be well managed, including mitigating the risks associated with these relationships and notifying the PRA of material arrangements. Furthermore, it expects the scenarios tested to include cyber-related disruptions.

What should happen now?

  • There remains great emphasis on Board and senior management responsibility; they're expected to actively oversee the delivery of their firms' operational resilience programme
  • The letter highlights cyber-related disruptions as essential scenarios for testing to ensure both the ability to withstand and recover from such incidents
  • As the shift to business as usual (BAU) comes into play, organisations should begin to assess the move of processes into BAU, and the mechanisms that support it, in demonstrating the continued enhancement and growing maturity of their operational resilience management systems, processes, and capabilities
  • Managing the compliance of third-party arrangements with supervisory statement SS2/21 (outsourcing and third-party risk management) is essential in mitigating the risks associated with third-party engagements. Organisations should notify the PRA of material arrangements and actively consider the impact of outsourcing and third-party relationships on IBS

Sector-specific priorities

Banking

Credit risk

Key developments

We continue to see persistent inflation, elevated interest rate levels, and more demanding and astute depositors, which continue to exert pressure on banks. A blog post by Kerstin af Jochnick, of the ECB: priorities to help banks withstand headwinds, highlights that "while asset quality has remained strong so far, with the aggregate NPL ratio of supervised banks standing at 1.85% in the third quarter of 2023 (2.27% excluding cash balances at central banks), we expect some deterioration in banks' asset quality owing mainly to a weaker growth environment, still-high inflation and higher borrowing costs, all of which are weighing on households and firms".

In the Dear CEO letter sent to UK deposit-takers providing an update on its 2024 supervisory priorities and its expectations of firms, credit risk is one of the key areas of focus. Specifically, the PRA looks to assess organisations' credit risk management with a particular focus on how credit risk management practices have evolved, as well as any changes to firms' business mix and credit exposures. In addition, counterparty credit risk will remain a key area of supervisory focus through 2024, including exposures to non-bank financial institutions across certain business lines. In particular, the PRA will look for further improvements in firms' ability to identify and assess correlations across financing activities with multiple clients, and for market depth to be taken into consideration as quantitative tightening reduces the level of reserves in the financial system.

To further improve the PRA's understanding of both credit risks, the Bank of England (BoE) will run an exploratory system-wide exercise in 2024.

Ms. af Jochnick's post highlights that, taken together, these developments explain why addressing structural deficiencies in banks’ credit risk management frameworks will remain a key supervisory focus in the future. Its targeted reviews, deep dives conducted by Joint Supervisory Teams and on-site inspections will largely continue from last year. It will make certain adjustments in order to focus on the portfolios that are more sensitive to macroeconomic factors, such as residential and commercial real estate, and small and medium-sized enterprises. It will continue investigating banks’ provisioning practices under the IFRS 9 framework. The ECB also plans to strengthen its engagement with banks on counterparty credit risk management by accelerating the remediation of findings from last year’s targeted horizontal review and on-site inspections, and monitoring how banks meet its supervisory expectations.

What should happen now?

  • Organisations should take comfort that supervisory expectations for banks and help national supervisors set their own priorities for the banks they directly supervise. As highlighted by the ECB, the European banking sector is generally in good shape. Alongside actions taken by banks themselves, the ECB can help strengthen the sector’s resilience even further by following through on its priorities with supervisory guidance and measures to ensure that banks remain a healthy cornerstone of the European economy
  • Being prepared often has its own reward. There are several actions organisations can take to help them better navigate uncertainty and benefit from emerging trends. This includes regularly assessing credit risk. As the pace of change accelerates, organisations should consider early warning systems and risk measurement infrastructures.

Model risk

Key developments

The House of Commons Treasury Committee published a letter on 10 January 2024, from the PRA (dated 8 January 2024) relating to, among other things, the resourcing of the PRA for the approval of firms' internal ratings based (IRB) approaches. The PRA acknowledged in the letter the recent difficulties in its approval of firms' IRB approaches for the calculation of risk-weighted exposure amounts for credit risk. The difficulties were due to considerable engagement from the PRA for firms seeking IRB permissions for the first time using the PRA's modular approach; the short data histories available to relatively young firms may extend the timeline (typically 18 months) for approval of their IRB approaches; firms with existing IRB permission seeking change or update typically require two or more submissions and consequently they're taking longer than the expected six months to process. The PRA states that there has been a bottleneck in the processing of IRB submissions, with demand exceeding its capacity on occasions. It intends to increase its capacity in 2024 and expects that pressure on its resources will abate once existing IRB firms have completed their transition to hybrid models.

Model risk continues to be a key area of focus for regulators. On 21 March 2024, the ECB fined Crédit Mutuel EUR 3.54 million for internal model breaches: the bank didn't apply floors set by the ECB for calculating credit risk for certain exposures. This constitutes serious negligence as said floors were clearly stipulated in the relevant ECB decisions. 17 May 2024 is a key milestone for the SS1/23 MRM principles for banks. The PRA highlights in the Dear CEO letters that ‘before the model risk management (MRM) principles for banks come into force, it expects firms within scope to conduct an initial self-assessment of their MRM frameworks and, where relevant, prepare remediation plans to address any identified shortcomings’.

More recently on 19 February 2024, the European Central Bank (ECB) published a revised version of its guide to internal models under the Single Supervisory Mechanism (SSM). The revised guide provided:

  • Clarifying how banks should go about including material on climate-related and environmental risks in their models
  • Outlining how banks can revert to the standardised approach for calculating risk-weighted assets, which might help support banks' efforts to simplify their internal model landscapes
  • Helping banks to move towards a common definition of default and consistent treatment of 'massive disposals' (that is, bulk sales of non-performing loans)
  • Detailing how to measure default risk in trading book positions in the chapter on market risk
  • Clarifying issues regarding counterparty credit risk

What should happen now?

  • Organisations applying for IRB permissions should consider the major challenges of using short data histories, building models to manage and measure the risk in their business with relatively limited data, and using external data which may not be representative of their business. These challenges can add to the timeline for approval.
  • Existing IRB firms require several attempts to develop models the PRA can safely approve; they should consider the impact that two or more submissions can have on timelines and the regulator’s workload.
  • Strong model risk management processes and discipline are essential to meet the requirements of SS1/23. SS1/23 would support organisations in knowing the limits of their models, the interdependencies of models, understanding multiple data sources used for model build, and managing model risk on a holistic basis. Meeting this requirement isn't about doing the bare minimum; it requires a reliable self-assessment and a robust implementation plan to remediate gaps.

Financial crime

Key developments

The FCA published on 8 February 2024, a corporate document on reducing and preventing financial crime. As it passes the midpoint of its three-year strategy the document summarises the progress made in this area and work delivered over the last 18 months prioritising tackling fraud, money laundering, and sanctions evasion. Looking ahead the FCA identifies four areas of focus where further collaborative effort can help shift the dial decisively on reducing and preventing financial crime. These are data and technology, collaboration, consumer awareness, and metrics.

A key FCA focus in 2024 will be "supporting the government's proposals to reform the anti-money laundering (AML) supervisory regime. It considers that the option of a single professional service supervisor offers the best opportunity to deliver on the aims of the reform".

More recently, the FCA published a Dear CEO letter on 5 March 2024, sent to Annex I financial institutions concerning common control failings identified in anti-money laundering (AML) frameworks. In the letter, the FCA sets out details of common weaknesses it has observed in recent assessments of certain Annex I financial institutions' AML frameworks. These include business model, risk assessment, due diligence, governance, management information, policies, and procedures.

The Wolfsberg Group published on 26 March 2024 a framework for auditing a financial crime risk management (FCRM) programme for effectiveness under the Wolfsberg Factors, which it considers are the key elements of an effective anti-money laundering (AML) and counter-terrorist financing (CTF) programme. The Wolfsberg Group believes that internal audit (IA) can assist financial institutions (FIs) in the fight against financial crime by measuring FCRM outcomes using the Wolfsberg Factors. IA can leverage these principles to complement their existing audit methodology, while retaining their role as an independent review function.

What should happen now?

  • The FCA stresses in the document that the "financial services industry must continue to lead the charge on reducing financial crime, but others such as Big Tech, social media platforms and telecommunications firms also have a vital role". The FCA advises that bolder and more innovative solutions are needed. As firms are the first line of defence, they must make use of new systems, processes, available data, and approaches to keep up with emerging risks in the future.
  • The FCA document included suggested questions for firms' boards to consider, some of the questions include:
    • How does the organisation ensure that systems and controls keep up with the increasing sophistication of criminal groups? Does it keep up with new advances in technology, typologies, and techniques?
    • Is the organisation using third party technology to detect, and is the technology calibrated to the risks the firm faces and its customer base?
    • Does your organisation participate in data sharing initiatives and explore the latest advances in data sharing technology?
    • Is the organisation raising awareness among customers of the fraud risks relevant to the business?
    • Is the organisation using/being consistent with the language/approaches proposed by public bodies or our association?
    • What metrics is the board getting on the organisation's outcomes on tackling financial crime? How are these metrics tied to activities or work programme metrics, and budgets? How does the firm compare with its peers?
  • Organisations should consider the detailed weaknesses highlighted in the FCA letter, which touches on alignment of registered and actual activities; financial crime controls that keep pace with business growth; robust business-wide risk assessments (BWRAs) and customer risk assessments (CRAs); detailed customer due diligence (CDD) and monitoring policies that guide staff members on actions to take in order to comply with their obligations under the MLRs 2017; and sufficient financial crime resources and training
  • The FCA expects organisations to complete a gap analysis against each of these common weaknesses within six months and take prompt and reasonable steps to close any gaps identified. The senior manager responsible for the gap analysis should have sufficient seniority to be able to carry it out effectively. In future engagements, the FCA is likely to ask firms to provide it with the findings from the gap analysis, evidence of the actions taken to address the gaps identified and the progress of any remedial work and testing to show that the policies, controls, and procedures are effective and working as intended

Capital markets and asset management

Market Watch 78

Key developments

The FCA's Market Watch 78, published on 4 April 2024, sets out some of its recent supervisory observations on the completeness and accuracy of instrument reference data (IRD) under RTS 23. The FCA highlights issues including:

Data quality processes, invalid issuer legal entity identifiers (LEIs) – best practice, cancelled instrument reference data, use of dummy values, and breach notifications.

What should happen now?

Exchanges, trading venues and investment firms with systematic internalisers (SIs) should consider reviewing the FCA's observations against their implementation of RTS 23.

ESG (climate and environmental risk)

Key developments

The Investment Association (IA) published a report on 8 March 2024, providing insights and suggested actions for asset managers following the commencement of reporting obligations of climate-related disclosures under the ESG sourcebook. The report sets out the IA review of investment managers’ entity, product, and on-demand reporting, some of the key challenges faced in implementing the TCFD reporting requirements, as well as a list of 10 key areas for asset managers to consider in their reporting going forward.

"The report focuses on key themes that have emerged from the first round of asset manager reporting, which saw large asset managers report in line with the Financial Stability Board's (FSB) Taskforce on Climate-related Financial Disclosures (TCFD) recommendations and make disclosures at entity and product level". Several findings were made across entity-level, product-level and on-demand reporting.

What should happen now?

  • The report sets out areas of future focus for asset managers, which include being consistent with wider sustainability reporting, consumer testing and usability, and data timing
  • The IA strongly recommends that firms reporting in 2024 include a specific statement around compliance with the FCA rules, to avoid any risk that their report doesn't fully comply with the specificity of the FCA’s requirements
  • The IA will also be using this report to inform its ongoing engagement with the FCA around the rules and to evaluate where further guidance from the regulator might be helpful.

Supervisory strategy for the asset management and alternatives portfolios

The FCA published a portfolio letter on 1 March 2024 providing an interim update on its supervisory strategy for the asset management and alternatives portfolios. The letter explains that the update reflects changes in the external risk environment and work that has been completed since its February 2023 portfolio letter. The update also provides the FCA's forward areas of focus for this sector over the next year.

What should happen now?

The FCA expects firms' CEOs to discuss the letter with their Board and executive committee and consider whether the risks of harm are present and adopt strategies for mitigating them. The areas of focus highlighted in the letter are consistent with the multi-year plan the FCA has previously set out and are intended to provide clarity to organisations on the FCA's areas of regulatory focus for the year ahead. In the event of unexpected future events, the FCA notes that it may need to reconsider the plan but, if this happens, it will provide an update. Supervisory priorities include:

  • Setting and testing higher standards: focusing on assessments of value (AoV), under the Consumer Duty, assessing how asset managers have considered price and value of products and services provided to unit-linked funds, as well as complying with PS 21/3 building operational resilience
  • Reducing and preventing serious harm: focusing on market integrity and disruption
  • Supporting innovation: focusing on work on fund and asset tokenisation; understanding how technological innovation can be safely and effectively implemented in the sector so that potential benefits are realised while risks are managed
  • Promoting competition and positive change: this includes work to implement the Government's Smarter Regulatory Framework (SRF) with a focus on MiFID, AIFMD, and UCITS, in addition to modernising the funds authorisation process and enabling cross-border operation

Insurance

Diversity, equity, and inclusion

Key developments

The International Association of Insurance Supervisors (IAIS) published a draft application paper on 14 March 2024, on supervising diversity, equity, and inclusion (DEI) in the insurance sector. The draft application paper follows on from the IAIS's 2022 stocktake report on DEI in the insurance sector, which was a first step to inform further work to promote DEI in insurers' governance and conduct of business.

The IAIS explains what's meant by DEI and why it's relevant in the context of an insurer's corporate governance, risk management and corporate culture. It highlights at a high level some of the risks that may arise in an insurer due to a lack of DEI. Such risks include safety and soundness risk, misconduct risk, reputational risk, talent risk, and legal and regulatory risk.

IAIS acknowledges that local circumstances, particularly the legal, cultural, and historical context, will influence how DEI is considered, and the actions taken by supervisors and insurers themselves, to enhance DEI within the sector. It advises that the application paper should therefore be read with this context in mind.

What should happen now?

The draft application paper explains relevant matters for supervisors which are equally important for insurers. It highlights areas that supervisors should look out for and provides a non-exhaustive list of possible warning signs that an insurer might need to enhance its DEI efforts. These can be "lack of challenge in board discussions, resistance to change, and longstanding compliance breaches." It also covers warning signs that highlight shortcomings or problems with the embedding of DEI, such as disparaging or dismissive attitudes to promoting DEI, limited or stagnant diversity metrics, poor internal communications on DEI, and DEI-washing.

Potential steps that a supervisor could take, on either an industry-wide or insurer-specific basis, range from using soft powers (such as speeches and Dear CEO letters) to more formal interventions (such as the introduction of supervisory expectations, standards, rules or similar). The paper provides a non-exhaustive list of positive actions that are being taken by some insurers to promote DEI internally, such as staff training and education on DEI at all levels and feedback from staff surveys (covering topics such as culture, behaviours, freedom to contribute and remedial action to address issues).

Holistic framework

Key developments

The International Association of Insurance Supervisors (IAIS) published a consultation on 27 March 2024, on revisions to supervisory material related to the holistic framework. The IAIS is proposing to make changes to certain Insurance Core Principles (ICPs) and related standards in the Common Framework for the Supervision of Internationally Active Insurance Groups (ComFrame) that form part of the holistic framework. It's proposing to amend its standards and guidance material relating to liquidity risk, counterparty risk-appetite, and contingency funding plans, and recovery and resolution plans.

What should happen now?

Feedback on the draft revisions is invited by 27 June 2024. The IAIS plans to finalise the revisions, considering consultation feedback, by the end of 2024, following which the IAIS will also prepare and consult on necessary updates to the associated supporting material.

Claims handling

Key developments

The FCA undertook a review assessing firms’ claims-handling processes for valuing vehicles which have been stolen or written-off (‘total-loss’ claims) after seeing evidence that some consumers are being offered settlement values lower than a fair estimate of their vehicle's market value. It surveyed 12 firms (that together make up around 70% of the market) to get information about their claims-handling processes, including valuation, for claims on vehicles that have been stolen or written-off. This included a data request to help it assess how settlement amounts compared with initial guide valuations. It also assessed firms' oversight and controls and how far they monitor the outcomes of these ‘total-loss’ claims.

On 27 March 2024, the FCA published a new webpage setting out the findings from this multi-firm review into insurers' claims-handling processes for valuing vehicles that have been stolen or written-off (total-loss claims). The results of this exercise are disclosed at an aggregate industry level.

What should happen now?

  • The Consumer Duty came into force in July 2023 and applies to all regulated firms, including motor insurance firms. Under the Duty, firms should put consumers at the heart of their business and act to deliver good outcomes for them. Firms should consider the FCA findings, examples of good practice and areas for improvement in the context of the FCA's rules, including the Consumer Duty, to address any shortcomings
  • The regulator expects the relevant senior management function holders to carefully consider the contents of this review and take necessary steps to ensure that their organisation's processes are in line with the FCA's expectations
  • The FCA may contact individual firms to discuss the actions they've taken.

A closer look at key priorities

AI adoption: practical steps to overcome data challenges

How can CDOs and data leaders rise to the challenges and opportunities of AI adoption?


Treasury Committee and FCA emphasise focus on DE&I in financial services

The Treasury Committee has released their report exploring diversity, equity and inclusion (DE&I) in financial services. We take a look at the report and the key implications for firms.


UK Corporate Governance updates: Managing third parties

The Code update asks companies to report on the effectiveness of their material controls and is now sharpening the focus on how material third party risks are managed. Complying with the regulations requires careful assessment and strategic planning to ensure resilience and compliance.

