Our quarterly internal audit hot topics give a thematic view of new and emerging regulatory risks across financial services. 

If you would like support with any of the issues, please get in touch with our team.

Regulatory priorities

Internal audit risk radar

Our risk focus radar is a combination of our view of key priorities and an extract from the UK Regulatory Initiatives Grid, representing the risks and key priorities raised by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and leading UK and European regulatory bodies.

It gives a single view of the four key sectors segmented by time and risk to help develop audit planning and forecast requirements.

Cross sector priorities

Key developments

Stress testing continues to provide supervisors, banks, and other market participants with a common analytical framework to compare and assess the resilience and capital positions of banks and the banking system against shocks. On July 5 2024, the European Banking Authority (EBA) launched an informal consultation on its draft methodology, templates, and guidance for the 2025 EU-wide stress test. The methodology defines how banks should calculate the stress impact of the common scenarios and sets constraints for their bottom-up calculations. The templates and guidance will be used to collect data from banks relating to the stress test. 

What should happen now?

The EBA expects to publish the final methodology at the end of 2024, launch the exercise in January 2025, and release the results by the end of July 2025. The outcome of the stress test will inform the 2025 supervisory review and evaluation process (SREP).

Key developments

July 31 2024 marks the first anniversary of the Consumer Duty's application to new and existing products and the deadline for firms to produce their first annual Consumer Duty board report. This is also the date of implementation for closed products and services. The Consumer Duty is now in force across all of retail financial services. A speech by the FCA's Sheldon Mills welcomed the improvements organisations have made in the first year of the Duty. These include new data and metrics to better understand customers, changes to employee bonus structures, improved data handling regarding customer vulnerabilities, and more proactive communication. The FCA is pleased that the Duty is already having a tangible impact on consumer outcomes and has also been driving improvements in firm culture, conduct and governance. However, there are still areas where organisations need to continue to improve.

The FCA has published a Consumer Duty programme grid that includes thematic work across sectors and specific sectors, products, or services. It prioritises price and value initiatives as it knows this is an area that organisations have found challenging. On September 18 2024, the FCA published its findings, following a review of firms' implementation of the price and value outcome under the Consumer Duty. It focused on three areas: cash savings accounts, guaranteed asset protection (GAP) insurance and cash balances held by platforms. 

More recently, on October 9 2024, the FCA published its findings, following a multi-firm review of 23 payments firms to determine how those firms have implemented the Consumer Duty. The organisations were drawn from across the payments portfolio and included e-money issuers, merchant acquirers, money remitters and open banking firms. Of the 23 firms, it rated just over half as satisfactory and didn’t view them as presenting a risk of significant poor consumer outcomes, although some minor actions may still have been needed. The remaining firms had only partially implemented the Duty and required significant work to comply with it. These firms present either a moderate or higher risk of delivering poor consumer outcomes.

What should happen now?

Organisations are encouraged to read the FCA's Call for Input and to engage with the regulator, which is keen to hear their views so that it can maximise the benefits of the Duty. Some of the key messages from the recent reviews include:

  • the outcomes of the Consumer Duty should be considered holistically
  • effectively identifying target markets helps assess the impact on different customers
  • an analysis of cross-subsidies, where relevant in a firm's business model, can help identify where different consumer groups may be at risk of not receiving fair value
  • evidence is vital in fair value assessments, but firms should be proportionate in their approach
  • prompt action should be identified and taken if fair value assessments show consumers are at risk of not receiving fair value

The FCA states that it will act when it sees firms not making improvements in response to feedback or if firms' products and services offer poor value when compared to similar products and services. It reminds firms that their boards must annually review and approve their assessment of whether the firm's actions are consistent with the Duty. They should expect the FCA to ask for the results of their monitoring and board reports:

  • Payment firms should evaluate their products, services and processes against the Duty rules and guidance on an ongoing basis. They should make sure they're putting consumers at the heart of their business and are acting to deliver good outcomes for retail customers.
  • Although firms may take a proportionate approach to implementing the Duty, it should cover all relevant areas of their business. The FCA has found that many firms need to take further action to fully embed the Duty, which they should do without delay.
  • Firms that have identified gaps in their compliance with the rules should act immediately, putting plans in place to address the shortcomings and drawing on the detailed findings and regulatory expectations set out in the review.

Key developments

The EBA published a report on July 16 2024 on its review of the application of gender-neutral remuneration policies by institutions and investment firms under the CRD IV Directive (2013/36/EU) and the Investment Firms Directive ((EU) 2019/2034) (IFD). It explains that the industry encounters no major challenges in adopting and implementing gender-neutral remuneration policies. However, some organisations fell short of supervisory expectations and still haven't adopted remuneration policies that explicitly contain measures ensuring that remuneration is awarded in a gender-neutral way. They didn't conduct annual policy reviews, didn't monitor whether the remuneration policy is in fact applied in a gender-neutral way and didn't calculate the gender pay gap (or didn't disclose it publicly). Although the focus of the review was on equal pay, the EBA also looked at the gender pay gap and the monitoring of indicators on equal opportunities and equal pay.

On July 24 2024, the European Central Bank (ECB) published a draft guide on governance and risk culture for consultation. Despite the increased supervisory attention and the improvements already made by some institutions, the ECB has concluded that the progress made to date hasn't generally been sufficient. The main purpose of the guide is to set out the ECB's key supervisory expectations when assessing the governance and risk culture of supervised entities, based on the ECB's interpretation of the current regulatory framework. The guide doesn't prescribe legally binding requirements, nor does it replace the relevant legal requirements in either EU or national law or introduce new rules. The guide builds on the ECB's SSM supervisory statement on governance and risk appetite, published in 2016, and will supersede that statement once finalised and published. In addition, the guide reflects recent updates to standards set by, among others, the EBA, and provides examples of good practices observed by the ECB over several years.

Following the recent consultations and policy proposals that aim to support progress on improving diversity and inclusion across the financial sector and, through the FCA's consultation, tackle non-financial misconduct (NFM), the FCA highlighted in the regulatory grid interim update that it 'intends to publish a Policy Statement on 'Tackling Non-Financial Misconduct in the Financial Sector' around year-end 2024, to be followed by FCA and PRA Policy Statements on the remaining D&I proposals in 2025'.

What should happen now?

  • Although the industry has made some progress, the EBA calls for the identified weaknesses to be tackled. It found that a gender pay gap persists and suggested further work to ensure equal opportunities.
  • Monitoring and transparency should be further improved. Additional transparency could support efforts to reduce the gender pay gap by requiring the disclosure of more quantitative indicators on the gender neutrality of remuneration policies. The same is true for disclosures in diversity requirements for the management body. Organisations should consider using a wide range of indicators to monitor the application of their gender-neutral remuneration policies.
  • Competent authorities should review the appropriate application of gender-neutral remuneration policies in the context of other requirements, including those around equal opportunities, and consider diversity at least at the level of the management body.
  • The EBA considers the application of gender-neutral remuneration policies as part of the annual Supervisory Review and Evaluation Process (SREP) or other reviews performed.
  • Good governance and risk culture are important for all banks, irrespective of their size. The ECB's draft guide on governance and risk culture aims to be a practical tool and isn't a substitute for the analysis of individual situations and the exercise of supervisory judgement. The expectations set out in the guide are expected to adapt over time. The guide:
    • clarifies supervisors' expectations regarding how management bodies and committees should be composed and function
    • explains the roles and responsibilities of the internal control functions
    • emphasises the importance of risk culture
    • outlines expectations regarding the risk appetite frameworks of banks
  • The guide is intended for the internal use of the various supervisory teams, with the aim of ensuring a common and consistent approach. The ECB also recommends that national competent authorities (NCAs) align with the expectations and practices set out in the guide when assessing the governance of less significant institutions.
  • Banks are encouraged to continue enhancing their implementation of governance standards, while the ECB will continue to intensify its scrutiny to take timely action to bring about concrete improvements in this area and to escalate non-remediated supervisory findings whenever relevant.

Key developments

On September 27 2024, the PRA published a letter sent to chief financial officers (CFOs) of selected deposit-takers, providing thematic feedback from its review of the written auditor reports received in 2024. The PRA receives written reports each year from the auditors of the major UK-headquartered banks and building societies, as set out in Chapter 8 of the Auditors Part of the PRA Rulebook. The auditors respond to questions on issues of supervisory interest; this year's questions related to IFRS 9 expected credit loss (ECL) accounting and accounting for climate risks.

What should happen now?

Specific to climate risk, the PRA notes that "it's reassured to see firms taking action to consider a wider range of climate-related risk drivers to help identify the exposures most at risk and challenge how to adapt their economic scenarios to incorporate climate risks." However, the availability and quality of data remain a persistent challenge, and the PRA sees scope for firms to:

  • further expand the coverage of portfolios for which climate-related risk drivers are formally assessed
  • further enhance data and processes to challenge the completeness of overlays and to embed climate risks in loan-level credit risk assessments
  • consider a broader range of climate scenarios and indicators, to allow timely identification of the borrowers and sectors more exposed to climate risk than the wider economy

Organisations are encouraged to identify improvements that can be made in their capabilities leveraging feedback provided in Annex 2 of the letter on firms' capabilities to quantify the impact of climate risks on ECL. 

Key developments

On July 7 2024, the European Supervisory Authorities (EBA, EIOPA and ESMA) published a press release announcing plans to establish the EU systemic cyber incident coordination framework (EU-SCICF) under the Digital Operational Resilience Act (DORA). The framework will facilitate an effective financial sector response to a cyber incident that poses a risk to financial stability, by strengthening coordination among financial authorities and other relevant bodies in the European Union, as well as with key actors at the international level.

On July 26 2024, the ECB published a press release announcing that it had concluded its cyber resilience stress test, launched in January 2024 to gauge how banks would respond to and recover from a severe but plausible cybersecurity incident. 109 banks directly supervised by the ECB were involved, and a sample of 28 of them underwent more extensive testing: these banks had to perform an actual IT recovery test and provide evidence that the recovery had been successful.

Overall, the stress test showed that banks have response and recovery frameworks in place, but areas for improvement remain. The outcome of the exercise will feed into the 2024 supervisory review and evaluation process (SREP).

What should happen now?

  • Participating members will be alerted and will share information on potential systemic cyber incidents or threats. When a systemic risk materialises, the EU-SCICF will serve as a forum for relevant authorities to communicate and co-ordinate on any necessary action and on the use of tools to counter the crisis from a macroprudential perspective
  • The ECB encourages banks to keep working on meeting supervisory expectations by, among other things:
    • ensuring they have adequate business continuity plans in place
    • creating communication and recovery plans that consider a wide enough range of cyber risk scenarios
    • meeting their own recovery objectives, properly assessing dependencies on critical third-party ICT service providers, and adequately estimating direct and indirect losses from a cyberattack

Key developments

Reflecting the evolution of a larger and more diverse environment of third-party service providers, third-party risk is one of the forthcoming work initiatives announced by the Basel Committee on Banking Supervision (BCBS).

On July 9 2024, the BCBS published a consultative document (BCBS577) on principles for the sound management of third-party risk in the banking sector. These principles will supersede the Joint Forum's February 2005 guidance on outsourcing in financial services with respect to the banking system. The BCBS highlights that, while many of the principles set out in the Joint Forum paper remain relevant, the principles on which it’s consulting are designed to reflect the evolution of a larger and more diverse third-party service provider (TPSP) environment in the banking sector. 

The consultation sets out 12 high-level principles. Principles one to nine provide banks with guidance on effective management of TPSP risks, while principles 10 to 12 provide guidance for prudential supervisors. The consultation closed to responses on October 9 2024. 

What should happen now?

  • The principles are primarily focused on large, internationally active banks and their prudential supervisors in BCBS member jurisdictions. However, smaller banks, which may rely on TPSPs to a greater extent, and authorities in all jurisdictions may also benefit from them.
  • The BCBS notes that many jurisdictions have developed their own third-party risk management (TPRM) frameworks and standards, each unique to its jurisdiction. The principles address third-party risk management holistically and seek to balance improving practices and providing a common baseline for banks and supervisors with maintaining sufficient flexibility, given how practices in this area are evolving.
  • The principles are intended to be applied on a proportionate basis depending on the size, complexity, and risk profile of the bank, as well as the nature and duration of its TPSP arrangements and their contribution to the delivery of critical services.

Key developments

Recent operational incidents include the July 2024 worldwide IT outage caused by a flawed update distributed by CrowdStrike, a cyber-security technology firm, and the July 2024 outage at Swift, a secure global messaging service for financial services, impacting wholesale payments in the UK and other countries. There were also cyber-attacks on ICBC Financial Services (a US broker-dealer) and ION (a third-party provider of derivatives clearing services) in November and February 2023, respectively. These events demonstrate the importance of operational resilience to maintaining financial stability, particularly as the financial system has become more digitalised and interconnected.

The Bank of England's (BoE) Financial Stability Paper No. 50, published on August 27 2024, provides insights into the evolving approach to assessing operational resilience. Operational resilience in the financial system is a global issue at the top of the supervisory agenda, and other jurisdictions are also taking action to build resilience. The EU Digital Operational Resilience Act (DORA) applies from January 17 2025, and financial institutions within the EU (and EEA) are making a significant effort to ensure compliance. In its 2025 European Supervisory Examination Programme (ESEP), the EBA will focus on information and communication technology (ICT) risk management and on building operational resilience in the face of digital transformation.

On September 4 2024, the European Central Bank (ECB) published a speech by Frank Elderson, ECB Executive Board Member and Supervisory Board Vice-Chair, on banks' operational resilience. It highlighted that financial resilience alone is far from sufficient to weather operational headwinds – you need operational resilience. The ECB has flagged operational resilience as one of the SSM supervisory priorities for 2024-2026. This means, for instance, conducting on-site inspections of banks' cybersecurity management or targeted analysis of banks' outsourcing arrangements with third-party providers, including potential concentrations of risk.  

What should happen now?

Investment in operational resilience must continue. Regulators are encouraging banks to keep prioritising operational and cyber resilience and to integrate it into their core business strategies:

  • IT and cyber risk remain a key challenge to banks' operational resilience and can have a material financial, reputational and legal impact. The ECB's cyber resilience stress test, which was designed to help banks pinpoint their vulnerabilities to cyber risk, showed that although banks have high-level response and recovery frameworks in place, there's room for improvement to ensure that their recovery capabilities are sufficient to handle even worst-case scenarios. Banks must be able to protect customers' assets and data to maintain confidence in the banking system. The ECB expects all boards to have a sound understanding of IT and cyber risks so that they can assess the impact of these risks on the bank's various business areas
  • Operational incidents may become more correlated among financial institutions that outsource critical functions to a common provider. The drive towards digitalisation may increase market concentration. The ECB advises prudential supervisors and other supervisory authorities (such as competition authorities) to work together to ensure this does not undermine financial stability
  • The ECB guide on outsourcing cloud services to cloud service providers (CSPs), when finalised, will provide specific good practices for banks to use as a basis for tackling cloud outsourcing risk
  • Building operational resilience is also about people, so investment in human capital is essential. Financial institutions must ensure that employees at all levels have the appropriate skill set. Recent ECB analysis of the effectiveness of banks' management bodies indicates some boards still lack depth of skills

 

Sector-specific priorities
 

Banking

Key developments

The PRA published a letter on September 10 2024 sent to chief risk officers (CROs) of lenders relating to the thematic findings of the internal audit review of the credit risk management framework (CRMF) for non-systemic banks and building societies. The review was designed to provide assurance to the firms' boards and to the regulator on the overall effectiveness of the control framework and in the specific areas of focus, which were the governance and control environment over credit and affordability assessments, approval processes, and portfolio management. 

33 non-systemic UK deposit takers (UKDT) took part in this exercise, representing 13% of non-systemic firms' lending exposures; six were banks and the remainder were building societies. The PRA notes that its findings reinforce the need for some organisations to continue to enhance their portfolio management controls and affordability assessments, taking account of changes in the macroeconomic environment to ensure that new lending is sustainable.

What should happen now?

Areas for improvement include:

  • affordability assessments
  • the quality assurance and underwriting process
  • the quality of management information
  • the calibration of firms' credit risk appetites

The PRA encourages CROs, as the senior management function responsible for identifying, assessing, and mitigating risks to the business and a source of independent challenge, to consider whether their organisation is well placed to assess how the points raised in the letter relate to its business, and to review how they're being addressed. It recommends that organisations use the points raised in the letter as a reference when they next review and assess their CRMF controls, to identify areas that might need strengthening.

Key developments

On August 6 2024, the BoE published a paper setting out findings from its second assessment of the resolvability of the eight major UK banks (namely Barclays, HSBC, Lloyds Banking Group, Nationwide, NatWest Group, Santander UK, Standard Chartered and Virgin Money UK) as part of the Resolvability Assessment Framework (RAF). The RAF is the BoE's approach to assessing the extent to which banks are prepared for resolution, checking for well-tested capabilities and the ability to react quickly and flexibly. The BoE has used this second RAF assessment to assess the major UK banks' progress against issues outstanding from the first assessment in 2022 and to undertake more detailed assessments of their preparations under the adequate financial resources outcome. 

The BoE concludes that the banks have continued to improve their resolution preparation, including embedding this into their everyday business and addressing issues raised in the first assessment.

What should happen now?

  • The BoE tested for the first time through the RAF how the banks' preparations for resolution work in practice. The BoE expects the banks to address the feedback from both this and the previous assessment and to continuously maintain and improve their resolvability capabilities. The BoE plans to engage with the major UK banks over the coming months so that they can continue to make progress on resolvability.
  • The next RAF assessment for the major UK banks will focus on the continuity and restructuring outcome, including banks' readiness to plan quickly for and execute restructuring options to address the causes of failure and restore viability. 

Key developments       

The objective of the Corporate Governance Code 2024 (the code), published by the Financial Reporting Council (FRC) on January 22 2024, is to "enhance transparency and accountability of UK plc and help support the growth and competitiveness of the UK and its attractiveness as a place to invest".

The code suggests annual reports should include a statement of how the board has monitored and reviewed the effectiveness of internal control frameworks; a declaration of effectiveness of the material controls as at the balance sheet date; and a description of any material controls that haven’t operated effectively as of the balance sheet date, the action taken, or proposed, to improve them, and any action taken to address previously reported issues. 

The FRC notes that the scope of internal controls hasn't changed from the 2018 Code and gives example areas where material controls might exist, which include 'reporting' in addition to financial, operational and compliance controls.

Provision 29, relating to internal controls, will apply to financial years beginning on or after January 1 2026, from which point boards will be required to provide a declaration of the effectiveness of material controls as at the balance sheet date.

What should happen now?

The key change to the code from 2018 is the explicit declaration requirement. The FRC explained that if the 2018 requirements were already being met, the effort needed to meet the provision shouldn’t be too great. The following could be considered as your organisation embarks on setting up its internal controls framework to meet this requirement:

  • Leverage the FRC's guidance on the definition of material control and identify all material controls, ensuring there’s a framework in place for all the controls to be assessed at least annually
  • Material controls will differ from organisation to organisation. Undertake a scoping exercise to determine the material risks and controls for your organisation, engaging the board to judge what’s material
  • Define and implement an assurance strategy

The FRC is aware of the need to give organisations time to put the internal controls framework in place.

Key developments

EBA guidelines EBA/GL/2016/07 provide a detailed clarification of the definition of default and its application, covering key aspects such as the days past due criterion for default identification, indications of unlikeliness to pay, conditions for the return to non-defaulted status, treatment of the definition of default in external data, application of the default definition in a banking group and specific aspects related to retail exposures. On July 22 2024, the EBA published a peer review report on the application of the definition of default under Article 178 of the Capital Requirements Regulation (575/2013) (CRR). The review focused on the guidelines across the following three major areas:

  • Implementation of EBA/GL/2016/07 in the supervisory framework
  • Effectiveness of the procedure for the submission of the application
  • Effectiveness of the assessment for checking compliance with the definition of default 

The PRA's letter of September 27 2024 to chief financial officers (CFOs) of selected deposit-takers, which provided thematic feedback from its review of the written auditor reports received in 2024, also covered IFRS 9 expected credit loss (ECL) accounting. Each year, the PRA receives written reports from the auditors of the major UK-headquartered banks and building societies, as set out in Chapter 8 of the Auditors Part of the PRA Rulebook, in which auditors respond to questions on issues of supervisory interest; this year's questions related to IFRS 9 ECL and accounting for climate risk.

The PRA was pleased with the “continued efforts by firms to navigate the uncertainty from the higher interest rate environment, progress made in redeveloping new IFRS 9 models, along with enhanced monitoring and governance capabilities, aimed at better capturing risk. However, we continue to see variation in practice and scope to further embed high quality practices.”

For the next round of written auditor reporting, the PRA has asked for auditors' views on progress against the areas of focus on ECL set out in the letter.

What should happen now?

Overall, the peer review found that the Guidelines have been fully or largely incorporated into the supervisory framework by all supervisors reviewed. The report identifies several follow-up measures and recommendations for certain competent authorities, as well as best practices that would benefit other competent authorities. These include: 

  • considering and documenting the elements used to determine the basis of risk-based supervision of the definition of default and the supervisory review and evaluation process assessments
  • potentially aligning self-assessment questionnaires on the definition of default submitted to banks
  • considering the appropriate frequency and depth of assessments
  • establishing minimum checks on IT systems used by credit institutions to calculate elements of the definition of default
  • aligning remedial actions in the context of local versus cross-border institutions

The EBA plans to conduct a follow-up peer review of the implementation of the measures included in the report in two years' time.

Model risk remains elevated. The PRA's summary feedback from its review of auditors' responses on IFRS 9 ECL includes the following points:

  • organisations should challenge the completeness of post-model adjustments (PMAs) to ensure provisions reflect actual expectations of credit losses, including the impact of the higher interest rate environment on affordability and refinance risk for retail and corporate exposures
  • organisations should actively monitor their model redevelopment plans to ensure capabilities are enhanced to better capture risk, and should consider the end-state governance and controls for the new models at the point of redevelopment to ensure alignment with supervisory statement SS1/23 (model risk management principles for banks)
  • default experience remains limited, meaning loss given default (LGD) models remain calibrated on historical data; organisations should continue to challenge whether the recovery assumptions that drive LGD are realistic and compensate for the risk of historical bias where uncertainty exists over recovery outcomes

Organisations are encouraged to engage with their auditor by performing their own assessment against the areas of focus. Annex 1 of the letter provides further feedback and areas of focus that are aligned with and build on the expectations in SS1/23.

Key developments

On September 5 2024, the FCA published a speech by Sarah Pritchard, FCA Executive Director, Markets and International, on taking a targeted and outcomes-based approach to tackling financial crime.

Fighting financial crime remains a priority for the FCA and a key commitment in its three-year strategy. The regulator highlights that financial crime isn’t just an issue for the financial sector but for other sectors too. As such, sharing data and intelligence is a vital tool in staying one step ahead.

What should happen now?

Key points from the speech:

  • Targeted approach to enforcement: The FCA is enforcing its regulations with vigour. In the last financial year, it charged 21 individuals with financial crime offences: the highest number of charges in any single year. In 2023, it secured three times as many freezing orders as in 2022, restraining more than £21 million in assets of individuals under investigation.
  • Authorisation: The FCA wants firms to have the right systems and controls in place before it authorises them, so they aren't used to facilitate financial crime. In the last financial year, 36% of Annex 1 firms – that’s firms seeking to register with the FCA for anti-money laundering purposes only – withdrew their applications or had their applications rejected.
  • Data and technology: The regulator has increased its capacity to identify illegal financial promotions on websites or social media. It’s tackling fraud faster by scanning approximately 100,000 websites every day to identify those that appear to be scams. The FCA has created a dedicated financial crime function within its Consumer Investments department, working proactively to identify outliers, spotting trends earlier and dealing with threats before they "spread like wildfire". 

The cost of financial crime compliance, including customer due diligence and anti-money laundering, can be significant. The FCA believes that all the right elements are now in place to shape that debate. As part of its outcomes-based mindset towards financial crime, it will be sharing its approach, expectations, and findings more publicly and more frequently than ever so that organisations can target their approach and know what good looks like.

Capital markets, asset management, and payments

Key developments

On July 9 2024, ESMA published a report setting out the results of its fifth EU-wide stress test exercise on central counterparty clearing houses (CCPs) together with accompanying Q&As. ESMA tested the resilience of 16 CCPs (14 authorised EU CCPs as of May 2023 and the two third-country Tier 2 CCPs – LCH.Clearnet Ltd and ICE Clear Europe). The exercise is aimed at assessing the resilience of the system of CCPs as a whole. It covered credit, concentration, and liquidity risks to which CCPs are exposed, as well as an analysis of the clearing ecosystem, with improvements in the methodology compared to the previous exercises. In addition, the exercise includes, for the first time, an analysis of CCPs' exposures to climate risk.

The European Systemic Risk Board (ESRB), in close collaboration with the European Central Bank (ECB) and ESMA, has designed the adverse market scenario, which is used in the credit and liquidity risk assessments and is common across all CCPs. 

This exercise confirmed that, overall, EU and Tier 2 CCPs proved to be resilient to the different types of risks under the considered scenarios and assumptions.

What should happen now?

ESMA highlights the following for organisations to consider:

  • Credit Risk Test: Overall, the results across the different tests indicate a resilient system of CCPs. Where scenarios assumed the default of the same two groups for all CCPs system-wide, most CCPs didn’t experience significant stress. The results using additional scenarios also confirm that CCPs are resilient against an extended set of market and correlation breakdown shocks based on some of the most severe historical market stress events.
  • Concentration Risk Test: CCPs are resilient to substantial liquidity stress events. Some gaps remain in the coverage of concentration risk across CCPs and across asset classes, notably for commodity derivative positions. The analysis shows that concentrated positions have the potential to generate significant liquidation costs for CCPs. The risk isn’t uniformly distributed across the system but is especially relevant at one or a small cluster of CCPs dominating each asset class. Model risk plays an important role in estimations of concentration risk; CCPs should strive to carefully calibrate, support and document model choices and parameter calibration for concentration risk models.
  • Liquidity Stress Test: Overall, CCPs proved to be resilient from a liquidity perspective under the baseline market stress scenario, with each CCP maintaining a positive liquidity balance at an aggregate currency level and in the major currencies (EUR, GBP, USD) when assuming no access to FX markets.
  • Climate Risk Test: Climate risks could impact CCPs along various lines, depending on their business and operating models. The bulk of sampled CCPs have begun to integrate climate risk into their stress-testing framework.

Where shortcomings were identified in the resilience of one or more CCPs, ESMA will issue the necessary recommendations.


Key developments

On September 23 2024, the Payment Systems Regulator (PSR) published guidance on the authorised push payment (APP) scams reimbursement requirement, supporting the identification of APP scams and civil disputes. The guidance is intended to support payment service providers' (PSPs') compliance with the legal requirements and Faster Payments Scheme (FPS)/CHAPS reimbursement rules, setting out high-level factors that PSPs should consider when determining whether a claim is a reimbursable APP scam or a civil dispute.

On September 25 2024, the PSR published a press release confirming its decision on the maximum reimbursement limit for victims of authorised push payment (APP) fraud. Having considered the feedback and information received on its September 2024 consultation paper on reducing the maximum limit, the PSR decided that the maximum reimbursement limit for Faster Payments will be £85,000. The BoE, as the operator of CHAPS, has also considered the feedback to CP24/11 relating to CHAPS. It has also decided that the maximum reimbursement for CHAPS will be £85,000.

More recently, on October 3 2024, the PSR published a policy statement on its decision to set the maximum level that PSPs will have to reimburse victims of Faster Payments authorised push payment (APP) scams at £85,000 per claim (PS24/7). In addition, on October 7 2024, the FCA published two Dear CEO letters to banks and building societies and to payment and e-money institutions setting out its expectations relating to authorised push payment (APP) fraud reimbursement. 

What should happen now?

  • The new APP fraud reimbursement requirements became effective from October 7, 2024. The PSR will closely monitor the impact of the new requirements now that they are live and will perform an evaluation of their effectiveness after 12 months of operation.
  • If a claim is misidentified as a reimbursable APP scam or a civil dispute, there’s a significant impact on both the consumer and the alleged scammer(s). Therefore, the PSR encourages organisations to consider all the high-level factors in its guidance when assessing a consumer's claim, to ensure the best assessment is made as to whether an APP scam has taken place.
  • The FCA letters set out its expectations relating to the new measures. These relate to matters including the following: anti-fraud systems and controls; the Consumer Duty; and 'on us' APP fraud reimbursement. If organisations haven’t already done so, the FCA requests that they ensure they have appropriate oversight, systems, and controls in place to comply with its requirements.

Key developments

On October 9 2024, the FCA published the findings of a review of 23 payments firms, including PSPs, e-money issuers, money remitters, merchant acquirers, and open banking firms, to determine how those firms have implemented the Consumer Duty.

The FCA sent a Dear CEO letter to payments firms in February 2023 outlining its expectations on how they should implement the duty. This review was to understand firms' compliance with the duty's higher standards. The review therefore included how firms had approached their duty-related reviews, the information they used to inform their gap analyses, and the actions they had taken to deliver good outcomes for customers.

What should happen now?

  • Of the 23 firms, the FCA rated just over half as satisfactory and didn’t view them as presenting a risk of significant poor consumer outcomes (although some minor actions may still have been needed). The FCA is encouraged by the commitment of these firms to deliver good consumer outcomes in line with the duty's requirements.
  • The FCA is concerned about the findings in under half of the firms in the review, which had only partially implemented the duty and required significant work to comply with it. These firms present either a moderate or higher risk of delivering poor consumer outcomes. Organisations are encouraged to:
    • evaluate their products, services and processes against the duty rules and guidance on an ongoing basis. They should make sure they are putting consumers at the heart of their business and are acting to deliver good outcomes for retail customers.
    • consider the findings and assess how they apply to their organisation, leveraging some of the good practices shared. Firms that identify gaps in their compliance with the FCA's rules should act immediately, putting plans in place to address shortcomings.

The FCA will continue to work with these firms to ensure any harm is mitigated promptly.


Insurance

Key developments

On June 26 2024, the FCA published its findings of a review of how 20 large insurance firms approached outcomes monitoring under the Consumer Duty. It conducted this review of larger firms to test the implementation of these new requirements and to share findings.

What should happen now?

Some firms showed good progress in developing a clear and comprehensive firm-wide approach to monitoring customer outcomes. However, many firms need to make improvements in their monitoring, strengthening monitoring MI to ensure it’s outcome-driven (rather than process-driven) and comprehensive enough to give the relevant board or committee a reasonable view of whether the requirements of the duty are being met.

Some examples of bad practice include:

  • significant focus on processes being completed rather than on outcomes delivered
  • some of the reporting to the board or committee had limited insight into actual customer outcomes. This was often due to the metrics or data not being comprehensive enough, or data lacking analysis and explanation
  • few organisations could provide clear evidence of the direct link of monitoring of outcomes to proactive action being taken to improve these outcomes, where necessary.

All insurers, insurance intermediaries and outsourced service providers operating within the insurance sector should consider the FCA's findings. Retail financial services firms in other sectors may also find its observations useful. Firms that identify gaps in their compliance with the FCA's rules are encouraged to act immediately and put robust plans in place to address any shortcomings.

Key developments

The FCA published a report on August 21 2024, setting out the findings from its product oversight and governance (POG) thematic review relating to general insurance and pure protection products. This review considered whether firms are meeting their product governance obligations for general insurance (GI) and pure protection (PP) products under PROD 4. The FCA assessed the product oversight and governance arrangements of insurance manufacturers and distributors against what’s required under PROD 4. This included 28 insurance manufacturers and 39 insurance distributors, covering ten different general insurance and pure protection products. The review focused on whether firms have assessed and can demonstrate that their products and services offer fair value and whether they have taken effective action where products may not be providing the intended value.

What should happen now?

The review found that most product manufacturers have materially strengthened their product oversight and governance arrangements and appointed appropriate senior managers responsible for product governance. However, there were some shortcomings or inconsistencies in many firms' arrangements and how they applied them. Many firms weren’t fully meeting the requirements under PROD 4 and couldn’t ensure or prove that their products were delivering fair value. The FCA was very disappointed to see many firms failing to meet their PROD obligations fully.

Key findings include:

  • many product manufacturers didn’t appear to have implemented effective product governance frameworks that were compliant with PROD 4
  • weaknesses in the quality of the fair value assessments (FVAs) undertaken by many firms
  • target market statements were often too high-level and lacked granularity
  • a lack of understanding of, or failure to meet, responsibilities under PROD 4.2 where several parties were involved in manufacture
  • many manufacturers hadn’t appropriately considered their distribution arrangements or choice of distributors, given the product and target market. Many were also not providing appropriate and timely information to their distributors.

All manufacturers and distributors of general insurance and pure protection products are expected to consider the report urgently and assess whether, and to what extent, the identified issues apply to their activities. Any firm that identifies POG shortcomings is expected to act promptly to remediate them, which includes paying redress to customers where harm is identified.

The FCA is giving feedback to the firms involved in the review. It’s also considering the most appropriate supervisory and regulatory actions it can take to address the identified issues as soon as possible.

Key developments

On August 21 2024, the FCA published its general insurance (GI) value measures data, covering January to December 2023. This is the second full year of GI value measures data.

The latest data collection continues to highlight some products that don’t appear to be delivering fair value as required by PROD 4 and the Consumer Duty. The FCA is concerned that a number of firms appear to be reporting data that could suggest a large difference between the risk price and the total price paid by the customer. This may present similar risks of harm as those identified in the Guaranteed Asset Protection (GAP) insurance market.

What should happen now?

The FCA emphasises that firms must be fully compliant with its PROD 4 rules, which include the following:

  • A firm must make sure that the product approval process identifies whether the product provides fair value to customers in the target market. This includes whether it will continue to do so for a reasonably foreseeable period, including following renewal (PROD 4.2.14A R).
  • A firm must be able to clearly demonstrate how any product provides, and will provide for a reasonably foreseeable period, fair value (PROD 4.2.14C R (1)).
  • Where the firm is unable to identify and clearly demonstrate that a product provides fair value, the firm mustn’t market the product or permit the product to be distributed, or must have made sure appropriate changes have been made so that fair value will be provided (PROD 4.2.14C R (2)).
  • The risk price and the total price paid by the customer should bear a reasonable relationship to the actual costs incurred by the firm or any other person involved in the distribution arrangement, the quality of any benefits, and the costs or quality of any services provided (PROD 4.2.14M E).
  • A firm must, as far as reasonably possible, ensure the distribution arrangements for a non-investment insurance product avoid or minimise the risk of negatively impacting the fair value of the insurance product or package (PROD 4.2.14N R).

The FCA advises senior leaders (SMFs) and board members to take note of its actions on GAP insurance. They must satisfy themselves that the products their firms offer provide good value to consumers and ensure their firms are compliant with PROD 4 and the Consumer Duty. Where data suggests that value appears low, the FCA states it will be in touch with firms later in 2024 to understand their products and the actions they have taken to improve value. Where it believes a firm has failed to act and is still providing poor value products, it will intervene where necessary to protect consumers.

Key developments

The International Association of Insurance Supervisors (IAIS) considers operational resilience as an outcome that emerges from a wide array of practices and disciplines. On August 8 2024, it published a draft application paper on operational resilience objectives aimed at providing a sound and consistent foundation to support supervisory authorities in developing and strengthening their approaches to supervising insurers' operational resilience. The objectives are outcomes-based and don’t set out new requirements (instead, providing clarity on the application of existing supervisory materials).

The objectives constitute the first phase of a two-part consultation. The second phase relates to the development of a draft toolkit to support the objectives by setting out relevant supervisory practices. This will be progressed in the second half of 2024.

What should happen now?

The objectives address:

  • the relationship between operational resilience, governance, and operational risk management
  • key elements of an approach to operational resilience that encourages the effective and holistic management of insurers' people and processes
  • objectives for insurance supervisors

The consultation closed on October 11, 2024. The IAIS aims to consult on the draft toolkit in the first half of 2025, following which the two phases of this work will be integrated into a single application paper.


A closer look at key priorities

AI adoption: practical steps to overcome data challenges

How can CDOs and data leaders rise to the challenges and opportunities of AI adoption?


Treasury Committee and FCA emphasise focus on DE&I in financial services

The Treasury Committee has released its report exploring diversity, equity and inclusion (DE&I) in financial services. We take a look at the report and the key implications for firms.


UK Corporate Governance updates: Managing third parties

The Code update asks companies to report on the effectiveness of their material controls and is now sharpening the focus on how material third-party risks are managed. Complying with the regulations requires careful assessment and strategic planning to ensure resilience and compliance.


Featured events

Our in-person and virtual events will put you in touch with our technical teams, who have already undertaken engagements and gained valuable experience in these areas.

Grant Thornton Financial Services Heads of Audit Symposium Series

  • Insurance and investment management | Tuesday 28 January 2025 | 4.00pm - 6.30pm
  • Banks | Thursday 6 March 2025 | 4.00pm - 6.30pm

Register your interest

Grant Thornton Financial Services CPD technical update webinar: The UK's fight against fraud: where are we now?

If you missed it, our panel of experts recently held a webinar in which they examined feedback on the new mandatory reimbursement model for the APP fraud scheme and explored how firms can avoid potential pitfalls. They discussed the 'failure to prevent fraud' offence using feedback from businesses that have received and impact-assessed the new industry guidance, due in October 2024.

Contact us for the recording