Regulation in the time of COVID: importance of operational resilience

While we've all been locked down at home, financial services regulation continues to move at pace. Gavin Stewart has been summarising regulatory updates on a daily basis.

Since lockdown began, I've been writing daily blogs on the impact of COVID-19, Brexit and digitisation on the financial services industry. I've compiled this week's updates into a digest form.

FCA at the TSC (again)

Last Thursday, Jonathan Davidson and Megan Butler, the two senior Financial Conduct Authority (FCA) Directors who came in for most criticism in the Gloster Report on LCF, appeared at the Treasury Select Committee. Much of the session concentrated on the regulatory perimeter, but there were other aspects on view that have largely been overlooked, including in the report.

The term "perimeter" is now used with deceptive confidence by MPs, journalists, and in the Gloster Report itself. The reality is much more complex and ambiguous. I've heard it described as analogous to the coast of Norway, with all its fjords, and it's also full of contradictions, with different EU directives (now onshored post-Brexit) drawing their own "borders" across the same territory. As a result, there are numerous activities that are regulated for some purposes but not others, creating enormous scope for confusion and regulatory arbitrage. Unless this can be simplified, policing it will always be a nightmare.

An aspect of London Capital & Finance's (LCF) failure that deserves more attention is the damaging legacy of the FCA 2014 Strategy. The Strategy's failings were set out in the PA Consulting report and are covered in the Gloster Report, but Gloster itself prefers to concentrate on how long it took to replace. Last week, however, Megan Butler spoke persuasively about finding, when she arrived in late 2015, staff demoralised at how the new strategy had shifted focus away from firm supervision and had created an overly complex matrix that confused decision making. I've written often about the long timelines in regulation; LCF is an example of how they apply to fixing internal problems as much as external initiatives.

The importance of operational resilience

I've written elsewhere about how three major external threats - operational resilience, climate risk and financial crime - will shape the non-COVID-19-related regulatory agenda over the next few years. Of these, the approach to financial crime remains fragmented (partly due to the dispersion of responsibility between multiple authorities), while climate risk is rising sharply up the agenda, with our hosting of COP26 and the Prudential Regulation Authority's (PRA) BES (biennial exploratory scenario) stress test, both this year.

This leaves operational resilience as by far the most developed, and yesterday saw the publication of the PRA's policy statement (PS) and related supervisory statements. In anticipation, we've just released a podcast on the subject, the first in our Risk & Regulation Unravelled series.

At this point, it's worth stressing that we are still close to the start of the operational resilience journey. The PRA's thinking is still developing, and it will learn much from the industry's response to the PS; the threat itself is growing and evolving; and there is also a recognition that, ultimately, there needs to be an international approach. Thus, the PRA has removed its proposals on specific data location requirements for outsourcing arrangements on the cloud, instead opting to require that firms adopt a risk-based approach. Likewise, it has agreed to align its language around access, audit and information rights with the European Banking Authority (EBA) Outsourcing Guidelines.

Efforts to build consensus across international regulators have understandably slowed during the COVID-19 crisis, but they may regain momentum in the run-up to June's G7 summit in Cornwall. As a side comment, it's interesting that the News page of the FCA's website doesn't as yet feature its own operational resilience PS. This will be an oversight but may also be a signal of how stretched the FCA's internal processes have become.

Archegos and regulation

Regulators will be looking askance at the "firesale" of shares in Archegos Capital Management, and it's no surprise that the Securities and Exchange Commission (SEC) and Finra in the US, and the FCA here, are making enquiries as to who said and did what when. Meanwhile, the prudential regulators of the firms involved will be interested in the risk management of the exposure to Archegos and the governance around the relevant decision making. And at a wider level, they will all be curious to find out if this is a one-off or if there are similar exposures elsewhere.

I'm always wary of assuming that history repeats itself in any kind of simple way, but it is always worth looking, critically, for any similarities with previous events. In this context, it's important to remember that the widespread central bank deployment of quantitative easing (QE) over the last decade means that attempts to make easy comparisons with events that pre-date this period should start with a dose of healthy scepticism.

With all this in mind, it's still relevant to make the simple point that our extended period of low interest rates, which broadly goes back to 2001 and 9/11, leads to a search for yield and potential mispricing of risk. This was a factor in the financial crisis, and it would be naïve to assume that the post-crisis reforms will have fully dealt with this problem. Irrespective of whether any of the firms exposed to Archegos have acted inappropriately, there should be wider questions for regulators around whether the overall regulatory regime remains right.

CMCs, high-cost lenders and the fees conundrum

The FCA's plea to claims management companies (CMCs) and high-cost lenders (HCLs) to "work better together" is an implicit admission that the current system isn't working. This is not primarily the regulator's fault but rather a reflection of the inadequacy of the statutory framework when faced, as the FCA often is, with small sectors of the market that generate large volumes of regulatory work.

The core of the problem is the principle, in FSMA, that firms should pay fees in relation to the cost of regulating them. In practice, however, fee levels are also limited by the number of firms undertaking a given activity and by their size and profitability. There is some implicit cross-subsidy baked in, with the biggest firms largely funding the regulator's infrastructure, but the overall effect constrains the FCA's ability to target resources. The FCA will probably have assigned more resources to both CMCs and HCLs than their fees strictly justify, but their numbers and size mean this is almost certainly less than their potential to cause harm would dictate. Hence the strategy of semi-disengagement.

Stepping back, there are two sides to this conundrum: (1) the trade-offs it requires - any additional resources for CMCs and HCLs need to come from somewhere else; and (2) the reality that the fee structure doesn't reflect the risk profile of the activities the FCA regulates so much as their ability to pay. The CMC/HCL issue is just one of many examples where the outcome suffers as a result.

The current system works relatively well for the PRA, where size is a reasonable proxy for risk, but much less so for an FCA concerned with vulnerable consumers and financial crime, where size is often irrelevant. It's unlikely the FCA can improve its performance significantly without a solution to this mismatch.

Financial crime past and present

For a period in the early 2000s, it seemed an FSA Director was making a speech about financial crime every week, so frequently that an outside observer might assume it was the regulator's top priority. In reality, close to the opposite was true, and this was probably the low water mark of FSA activity on Fincrime. There had been a recent series of (at the time hefty) AML fines for deficiencies in systems and controls, but no actual money laundering had been found, and the firms in question seemed to have shrugged them off with zero reputational damage. Supervision and enforcement had both shifted their focus elsewhere. Consciously or not, the speeches were a substitute.

Fast forward to Mark Steward's recent speech, and much has changed. Anti-money laundering is evidently a real priority, and the recent criminal case against NatWest is a first, while there are a further 42 cases in the pipeline, 17 of which are against individuals. Online investment scams too are a priority - clearly a post-LCF initiative - with the FCA issuing alerts on its Warning List about +1,000 firms. And the FCA has also just started an Unregistered Cryptocurrency Businesses List as a further potential warning list for the public.

However, some perils lie in wait. 42 open cases seems a lot when the speech only flags two as completed in the past year. There will have been more, of course, but it's evident that cases are generally moving slowly, and the scale of the NatWest one won't speed them up! Meanwhile, warnings are useful but not often effective by themselves, and there will be inevitable questions about follow-up. It's good (and inevitable) that financial crime should be more of a priority, but the FSA/FCA has a history of not being good at following through on initiatives, and this will be a test.

