As we move towards 2024, internal audit is set to become an even more critical function. With the ongoing transformation of the business landscape, increasing regulatory requirements, including the Consumer Duty, and emerging risks, internal audit will need to adapt and focus on planning and preparing for the future.
This means developing a strategic roadmap that aligns with the organisation's overall objectives, identifying emerging risks and trends, and leveraging innovative technologies and data analytics to enhance the audit process. By taking a forward-looking approach, internal audit teams can play a vital role in driving business success and ensuring the long-term sustainability of the organisation.
Our quarterly internal audit hot topics will give you a thematic view across new and emerging risks on the regulatory horizon that's applicable across financial services. This will help you structure conversations and help define your own internal audit plans.
Our 2024 audit risk inventory explains the key priorities for 2024 that are intended to provide a useful reference point from which to drive conversations and help define internal audit plans.
Our risk focus radar is a combination of our view of key priorities and an extract from the UK Regulatory Initiatives Grid (where key milestone or formal engagement is planned), representing the risks and key priorities for 2023 and 2024 raised by the FCA, PRA and other leading UK regulatory bodies.
We identify the risk priorities at a single glance for the four key sectors segmented by time and risk dimensions to help develop audit planning and forecast upcoming requirements.
The authority will be replacing the Financial Resilience Survey with a new financial resilience regulatory return. This will be referred to as ‘FIN073 – Baseline Financial Resilience Report’. Firms that will be brought into scope of FIN073 will need to be prepared to submit the return when it's due, from January 2024.
The FCA will still require firms to complete the Financial Resilience Survey when requested to do so, until the new return comes into force and has written to firms on 20 September to state it will shortly be sending a survey to help it better understand the level of financial resilience. Firms will "receive the survey on one of the following dates: 9th, 13th, 16th and 20th October 2023." The FCA said this is a repeat of a survey firms and individuals may have received in June 2023 and must be completed in addition to this survey.
Specifically for principal trading firms, the FCA published on 4 August 2023, a portfolio letter on its supervisory strategy for principal trading firms (PTFs). Firms in the PTF portfolio derive most of their revenue from dealing as principal, which may include algorithmic trading as well as market making. One of the five key areas of focus for its PTF supervisory strategy is financial resilience. The FCA plans to undertake ‘targeted reviews of firms' capital and liquidity now that the Investment Firm Prudential Regime (IFPR) has been introduced.’
The regulator has made it clear that if an organisation receives the survey, "it is mandatory to complete it," as it will use the responses alongside existing data, to support their ongoing work
All CEOs of PTFs are expected to have discussed this letter with their firm's directors and, where appropriate, board, and to have agreed actions and next steps by the end of September 2023
Consumer Duty requirements came into force on 31 July 2023 for all products and services that are open to sale or renewal and will apply to all closed products and services from 31 July 2024. The requirements make it clear that firms must raise their standards and should be thinking about how they will support their borrowers and meet the higher expectations set by the duty.
In recent speeches, the FCA has been clear on the importance of the Consumer Duty. Most notably the recent review of the general insurance market, organisations are encouraged to consider the regulator's key trends and findings, which include examples of both good and poor practices which are relevant in the context of the Consumer Duty.
In addition, the FCA published a portfolio letter on 8 September 2023 which was sent to all wholesale banks active in the UK, setting out key priorities for the sector and the supervisory work programme for the next two years which included Consumer Duty implementation. Also on 20 September, the FCA published portfolio letters to firms in retail, wholesale and life insurance markets setting out four market-wide priorities for 2023-25 which includes embedding the Consumer Duty.
As part of its work programme, the FCA ‘intends to test the robustness of assessments made and actions taken to implement the Consumer Duty, as well as the effectiveness of the arrangements in place to identify any implications of compliance with the Consumer Duty that might result from changes in activity’. A significant part of the regulator's activity over the next two years will be to test firms against its priorities and expectations. Some key milestones include:
January 2024 - The FCA plans to engage with a sample of retail banks and mortgage lenders on what their enhanced outcome-focused data and dashboards are now indicating about customer outcomes.
31 July 2024 - Consumer Duty comes into force for all closed products and services. In addition, management bodies of firms that have had to comply with the Consumer Duty since 31 July 2023 are required to produce the firm's first annual report on complying with the Consumer Duty.
The FCA and the PRA published on 25 September 2023 consultation papers on diversity and inclusion (D&I) in the financial sector. The PRA describes the papers as being published in "parallel", but there are differences in approach, notably in relation to senior manager responsibility for D&I. It's well known that ‘greater diversity and inclusion can create better outcomes for consumers and markets by supporting healthy work cultures, reducing groupthink, unlocking talent and improving understanding of diverse consumer needs." The regulators have been clear that ‘diversity and inclusion are regulatory concerns. Yet, the evidence suggests the financial services sector is not yet where it should be’.
The consultation papers build on ideas discussed in the regulators' joint discussion paper on diversity and inclusion (DP21/2), which was published in July 2021. Both consultation papers close on 18 December 2023. The FCA and the PRA will review feedback and develop final regulatory requirements for publication in policy statements in 2024. They propose to bring rules into force in 2025, that's, 12 months after publication of the policy statements.
The proposals seek to support the progress already made on improving diversity in the wider financial services sector and clarifies and strengthens regulatory expectations around non-financial misconduct, which will apply to firms large and small, across the financial services sector. The proposals have different application provisions, which will need to be examined by firms in detail. The regulators emphasise that "flexibility is at the heart of our proposals," as such some proposals apply to all firms, whereas others apply to large firms (broadly defined as those with more than 250 employees). Notably, there are some new rules and guidance on:
Some key measures of success include clearer guidance on non-financial misconduct and discriminatory practices, improved staff inclusion scores, Board, senior management, and employee diversity increases on average across regulated firms and Improved consumer feedback and improving rates of financial inclusion (as measured through the Financial Lives Survey as an example).
In the aforementioned portfolio letter to wholesale banks, one of the key priorities for the sector and the supervisory work programme for the next two years is on ESG. Wholesale banks have a key role in the transition to a more sustainable future. The FCA expects Banks to be able to demonstrate that their financing activities are aligned with their own transition plans, and that product and public-facing commitments relating to ESG are delivered in practice.
Other area of focus is on ESG Data and Ratings. Recent publication by the ESG Data and Ratings Code of Conduct Working Group (DRWG), supported by the International Regulatory Strategy Group (IRSG) and the International Capital Market Association (ICMA), provides draft code that sets out best practice that aims to enhance consistency, transparency and accountability in the financial services industry. This will ensure the market can have confidence in the integrity of ESG ratings and data products through enhanced systems, processes and controls.
Banks are expected to discuss this letter at board level and agree actions within two months.
The FCA encourages banks to engage early with the Transition Plan Taskforce's (TPT) framework for disclosure and implementation guidance as this will be an area of future discussion with firms.
The FCA has published a press release welcoming the consultation. It also noted that HM Treasury is consulting on whether the regulatory perimeter should be extended to include ESG ratings providers. The Code will be updated and finalised by the end of 2023, ‘if agreed, introducing regulation would take time, as such the Code will play an important role in raising standards in the short-term, as well as continuing to apply to any firms that fall out of the scope of potential future regulation.’
The Bank of England (BoE) published on 18 October 2023 a speech by Elizabeth Stheeman, external member of the BoE's Financial Policy Committee (FPC), on cyber risks and operational resilience. Key points of interest in the speech:
Cyber risks have been at the forefront of UK businesses’ minds and is frequently cited as a key source of risk to UK financial stability: the risk of a cyber-attack is the most cited risk in the latest survey for the second half of 2023, with 80% of firms mentioning it. This is the highest proportion of respondents citing cyber risk ever recorded in the survey.
A cyber-attack could also impact financial stability indirectly if there is financial contagion through liquidity stress, financial losses, and significant price moves that could disrupt market functioning, or through a loss of confidence in financial institutions or payment systems
Ransomware remains one of the most acute cyber-related threats faced by UK businesses, but less sophisticated cybercrime also remains a challenge. Left unchecked, a cyber-attack could impact financial stability directly if it leads to a material disruption of the provision of vital services by financial institutions, markets and financial market infrastructure.
Also notable is the FCA’s final notice published on 13 October 2023, issued to Equifax Ltd, a credit reference agency and data, analytics and technology business, fining it £11.1 million for cyber security and outsourcing failings, breaching Principles 3, 6 and 7 of the Principles for Businesses. The FCA considers that the cyberattack and unauthorised access to data was entirely preventable.
The BoE—alongside HM Treasury, and the FCA—has been working to improve and test the financial system’s operational resilience to cyber-attacks.
The FPC has set out the elements of the framework of regulation to strengthen the resilience of the UK financial system as a whole to cyber risk. One is a clear baseline expectation for firms’ resilience that reflect the importance of their services to the financial system. regular testing by firms and supervisors to ensure that resilience keeps pace with the evolving nature of the risk. Cyber stress testing has been used to test firms’ ability to meet this expectation.
The FPC ran a cyber stress test to better understand the ability of firms to restore vital financial services after a hypothetical cyber incident. Organisation are encouraged to pay heed to the number of lessons that came out of the recent cyber stress test, including the need to consider contingencies, prepare suitable mitigating actions, co-ordinate with other firms and financial market infrastructures (FMIs), and communicate throughout the incident.
Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, commenting on the regulatory actions against Equifax reminds organisations that they have not only a technical responsibility to ensure resiliency, but also an ethical responsibility in the processing of consumer information. She goes on to advise that the consumer duty makes it clear that firms must raise their standards.
In her speech, Elizabeth Stheeman also focused on operational risk and resilience.
Firms are making greater use of third-parties, including cloud service providers, who offer services such as shared virtual data storage and processing capabilities. This has the potential to make firms more resilient to operational risks than using only on-site IT infrastructure. However, because the provision of these services is often concentrated in a small number of third-parties, the more important these services become, the greater the threat to UK financial stability if they were to face disruption. This makes the case for greater direct regulatory oversight of the services they provide.
The FPC continues to identify and monitor the channels through which operational risks could affect financial stability. This includes those arising through technological developments such as Artificial Intelligence and the use of blockchain.
Operational resilience is a medium-term priority for the FPC, continuing to improve our macroprudential oversight of operational resilience, considering its growing importance to financial stability.
Given the interconnectedness of organisations at an operational level, The FPC will be undertaking further work to advance and develop their understanding of how financial stability can be threatened by operational risks, and how resilience can be strengthened at the system level.
Credit risk is back, and risk levels are rising. The FPC works to ensure the UK has a stable financial system, its summary and record published on 10 October 2023. The results of its recent test on major UK banks using a severe ‘what if’ scenario that assumed a deep recession, including a big rise in unemployment and a large fall in house prices showed that the banks remained strong in this scenario, while continuing to support UK households and businesses. Expected increases in credit losses related to the challenges facing UK households and corporates are well within the levels of losses projected in the 2022/23 ACS (Annual Cyclical Scenario) stress test. Asset quality remains relatively strong as higher interest rates have so far had a limited impact on credit risk.
There is however evidence that some households are increasing the use of consumer credit in response to cost-of-living pressures and higher debt servicing costs, which could lead to greater debt vulnerability for households in the near-term. Recent publication by the Bank of England (BoE) in its financial policy summary and record (FPSR) of the meeting of its Financial Policy Committee (FPC) on 3 July 2023 was that ‘the banking system is well capitalised with large liquidity buffers.’
Against the backdrop of the most recent FPC test, the FPC warns that the overall risk environment remains challenging. Forward looking indicators of UK banks’ asset quality remain relatively stable overall, though arrears have started to increase from historically very low levels and are expected to rise further.
Sound practices tend to go beyond mere compliance with regulatory requirements, organisations are encouraged to consider ongoing assessment of the robustness of their credit risk management approaches and control environment.
The PRA published on 29 September 2023, a Dear CFO letter providing thematic feedback from its review of written auditor reports received in 2024. Model risk remains elevated, for the 2023/24 round of written auditor reporting, the PRA has asked for auditors' views of firms' progress concerning model risk
The PRA sees model risk as a risk that should be treated in the same way as other material risks in banks. Model risk should be part of risk appetite and should be monitored and managed as seriously as any other material risk. The PRA supervisory statement setting out model risk management principles (MRM) for banks (SS1/23) takes effect on 17 May 2024. The principles are aimed to support the strengthening of MRM practices in firms.
Also on 18 July 2023, the FICC Markets Standards Board (FMSB) published for consultation a transparency draft of a statement of good practice for the application of a model risk management framework to electronic trading algorithm (referred to as "algos"). This publication aims to support firms in applying model risk management frameworks in a proportionate manner to models deployed in their algos, taking account of the nature, scale and complexity of such models as well as existing systems and risk controls intended to mitigate associated market, conduct, credit and operational risks.
Some of the main thematic findings from the review of written auditor report include the need to for organisations to:
As a result of the increasing regulatory focus on the effectiveness of MRM practices and the remediation actions firms are taking, the need for internal audit (IA) functions to provide sufficient and robust assurance over MRM to their organisation’s boards has never been more important. internal audit therefore, has a critical role to play in evaluating the level of rigour applied to bank’s self-assessments and providing assurance to the board in this respect.
Areas of contentions in the implementation of SS1/23 are around model definition and scoping, the model risk tiering, and how to ensure the board plays its role in the MRM. Internal audit should ensure there is allocated time in their plans to adequately assess the requirements of SS1/23 on an ongoing basis.
The EBA (European Banking Authority) published its European Supervisory Examination Programme (ESEP) for 2024 on the 19th October 2023. The purpose of the ESEP, which is published annually by the EBA, is to set out key topics for heightened prudential supervisory attention to provide supervisors with a single set of priorities that should be implemented across the EU and to drive convergence in the related supervisory work.
The key topics for 2024 include Liquidity and funding risk, Interest rate risk and hedging and Recovery operationalisation.
The EBA has also set Union strategic supervisory priorities (USSPs) for the 2023-25 period: monitoring and addressing financial stability and sustainability in a context of increased interest rates and developing an oversight and supervisory capacity for the Regulation on digital operational resilience for the financial sector.
For the 2023/24 round of written auditor reporting, the PRA has asked for auditors' views of firms' progress concerning model risk, recovery strategies, and quantifying the impact of climate risks on ECL.
The EBA expects banks to manage liquidity and market-based funding proactively amid rising costs and should ensure reasonable liquidity buffers, which should go beyond regulatory requirements, if needed.
The EBA expects supervisors to ensure that banks have efficient and effective interest rate risk management, and interest rate hedging in place, including related risk management capabilities and systems.
Banks must ensure that their recovery plans are updated and contain credible and feasible recovery options that could be implemented to promptly overcome potential crisis scenarios. Recovery plans should consider risks that have newly emerged in recent quarters.
The PRA published on 27 September 2023, a news release for firms in relation to its intended timetable to complete its work and implement the Basel 3.1 standards in the UK. It has moved its implementation deadline for the Basel 3.1 reform package from 1 January 2025 to 1 July 2025, and reducing the transitional period from five to four and a half years, to ensure full implementation by 1 January 2030, in line with the proposals set out in CP16/22.
To allow appropriate time to fully consider the responses to the credit risk and output floor proposals in CP16/22 without delaying publication of rules on the other parts of the package, the PRA also proposes to publish the first part of its near-final rule set in Q4 2023, focusing on market risk, credit valuation adjustment risk, counterparty credit risk and operational risk elements, with the second part scheduled for Q2 2024, focusing on credit risk, the output floor and reporting and disclosure requirements.
Some considerations an organisation should be thinking about include:
How will Basel 3.1 affect your risk profile
Three lines of defence and who’s doing what. Calculating risk weighted assets used to fall with the financial and reporting teams, but it’s becoming a bit more integrated across first and second line now
Second line should provide independent review and sample-based deep dives into the end-to-end regulatory reports submitted by Risk or Finance. This should also include review that processes, reporting, assumptions and interpretations are in line with your regulatory reporting framework and policies
Third line should focus on controls and design and operating effectiveness across all stakeholders and streams involved in the new reporting processes
International banks also need to think about how to align their approach across all territories. The PRA has followed the Basel 3.1 recommendations closely, but not all countries have. So, there will be some divergence across each region, and banks need to think about how to manage consistency.
The FCA issued three insurance portfolio letters on 20 September 2023. The letters cover the letters cover four market-wide priorities: embedding the Consumer Duty; governance and culture; operational resilience and increasing reliance on third parties; and improving oversight of Appointed Representatives (ARs). With respect to the Duty, the FCA continues to see examples of insurers and intermediaries not sharing information, and distribution chains that are longer than necessary.
In each of the letters, the FCA explains that it is updating firms on its priorities for the insurance market for 2023-25. These are the areas where it intends to focus most of its work in the market. The letters also outline the specific risks of harm the FCA is most concerned about, and what it wants firms to do about them. The priorities outlined cover the following four market-wide priorities:
A significant part of the FCA's activity over the next two years will be to test firms against its priorities and expectations. The FCA expects firms in the market to take all necessary action to ensure that its requirements and expectations are met and that they are prepared for the additional requirements that the consumer duty brings to the priority areas outlined in the letters. It will use the Senior Managers and Certification Regime (SM&CR) to engage directly with accountable individuals on areas of concern.
On 20 September 2023, the Bank of England (BoE) published a speech given by Gareth Truran, BoE Director, Prudential Policy, and PRA Director, Cross-Cutting and Insurance Policy, providing an update on reform of the UK Solvency II regime.
The next big milestone is the forthcoming consultation on reforms to the matching adjustment (MA), which the PRA is aiming to publish around the end of September 2023. The PRA expects to publish its final policy in all these areas during the first half of 2024. Implementation of most of the changes is planned for the end of 2024, although the PRA is working hard with HM Treasury to allow its proposed MA reforms to come into force sooner, by June 2024. In 2024, the PRA will consult on transferring the rest of the Solvency II regime (set out in retained EU law) largely unchanged into the PRA Rulebook. This means there will be a single solvency regime for insurers designed for the UK and accessible in one place.
Most recently, the PRA published on 3 October 2023, the statement announcing that it intends to run a dynamic general insurance stress test in 2025. The exercise will assess the industry's solvency and liquidity resilience to a specific adverse scenario and the effectiveness of insurers' risk management and management actions following an adverse scenario. It will also inform the PRA's supervisory response following a market-wide adverse scenario.;
The dynamic nature of the 2025 exercise represents a significant change from previous exercises and will involve simulating a sequential set of adverse events over a short period of time. Consequently, the PRA intends to engage with the industry including trade bodies over the next six months, with a view to providing more details of this exercise (including participation, design, and timelines) during the first half of 2024.
Results of this exercise will be disclosed at an aggregate industry level.
The FCA published on 6 September 2023 a new webpage on firms' response to increased sanctions due to the conflict in Ukraine. The FCA explains that it has carried out a substantial programme of work due to the increased number of sanctions since Russia’s invasion of Ukraine, assessing the systems and controls relating to sanctions compliance for over 90 firms across the financial services sector. This has involved proactive assessments of firms' controls (using a new analytics-based tool), as well as the use of specific intelligence and reporting.
On the same day, Sarah Pritchard, the FCA’s Executive Director of Markets and International, gave a speech reiterating the findings.
The assessment uncovered good practices and several weaknesses across five themes which includes governance and oversight, global sanctions policies, third party reliance, contingency planning, skills and resources, screening capabilities, Customer Due Diligence, Know your Customer and breach reporting to the FCA.
The assessment uncovered some of the following areas of focus:
Some firms are still not able to show that they are providing senior management with sufficient information about their exposure to sanctions or are reliant on global sanctions policies which are not aligned with the UK sanctions regimes.
Some firms still lack adequate resources to ensure effective sanctions screening. Firms that have significant backlogs are at greater risk of non-compliance with sanctions obligations.
Sanctions screening tools need to be adequately calibrated and should include the necessary requirements under the UK regime. There were some poorly calibrated or tailored screening tools, with some firms also too reliant on third party providers with ineffective oversight over them.
There were instances of low quality CDD and KYC assessments and backlogs. This can increase the risk of firms not identifying sanctioned individuals.
Timeliness of reporting potential breaches or relevant sanctions information was inconsistent across firms.
Financial crime is never a victimless crime. It not only costs corporations and consumers, but it also damages the integrity and reputation of our markets, and this undermines our international competitiveness.’ The FCA published on 6 September 2023, a speech given by Sarah Pritchard, FCA Executive Director of Markets and International, on calibrating controls to build confident markets. Fighting financial crime remains a key focus of the FCA’s strategy. It has clear expectations of firms. We will increase our focus on whistleblowing in high-risk sectors and expect first line of defence employees to raise awareness of the process and benefits of whistleblowing for organisations and wider society. We will be testing how effectively these messages have been shared and will identify best practice across the industry.
Some considerations organisations should be thinking about include:
Firms should calibrate their financial crime fighting systems to the right risk level, whether it is high or low and expect spot checks by the FCA. Our sanctions update identifies good and bad practice. To calibrate, organisations need to understand their risks and calibrate their controls appropriately and proportionately.
Organisations should not palm off all responsibility for keeping on top of it to external firms. Firms need to understand their risks – both high and low – and make sure they have a proportionate and risk-based approach to deal with them.
The FCA is stepping up its testing of firms' risk-based systems and, as a data-led regulator, is using data and tech to do this. Firms who carry out tick-box compliance exercises should not be surprised to get a visit from the FCA.
The FCA is not able to move directly from whistleblowing to immediate enforcement, as this can be counterproductive. It can imperil the anonymity of the whistleblower and undermine the likelihood of the FCA being able to bring a case to court. It can also spur the wrong doers into covering their tracks and evading capture.
The Transition Plan Taskforce has published its final disclosure framework to help firms reach their climate goals.
Moving towards an effective D&I strategy as regulators set out proposals to boost diversity and inclusion.
The Consumer Duty is now in force for open products, but firms have a long way to go to meet the FCA's expectations.
AI is increasingly being used in phishing and other types of cyber attacks. Find out how you can mitigate these threats.
Non-systemic firms must prepare solvent exit plans from 2025. What are the PRA's expectations and where to start?
Firms have until January 2025 to implement Basel 3.1. We look at banks' progress and typical stumbling blocks.
Our in-person and virtual events will put you in touch with our technical teams who have already undertaken engagements and gained valuable experience in these areas. We do hope you can join us.
Staying ahead of key trends can help you manage challenging market conditions. Join us for our banking and capital markets conference to understand the most pressing issues facing the sector.
Wednesday 29 November 2023 | 12.00 pm - 6.00 pm
With only a year left before the new Basel 3.1 standards go live, join us for a deep dive into the PRA’s Basel 3.1 rules and requirements for implementing this globally accepted regulatory banking reform.
Wednesday 6 December 2023 | 10.00am – 11.15am
In the context of the UK government’s move to establish a regulatory framework for an alternative digital ‘stable coin’, we’ll take a comparative look at the financial crime profile of physical cash, a digital pound and other virtual currencies. Will a digital pound take off, and if so what difference could it make?
Thursday 18 January 2024 | 08.30am – 10.30am
To find out more about what’s happening in internal audit, listen to a special episode of our financial services risk and regulatory podcast.
In the fast-changing financial services landscape internal audit has become a force of innovation. Can your own function keep up with the pace? In this episode, Rob Benson and Vivian Lagan joined by Fotoulla Charalambous, Chief Internal Auditor at EBRD, Carley Eaton, Chief Internal Auditor at Provident Financial Group and Nick Curle, Chief Auditor at NatWest Group to discuss our recent Internal Audit Report 2022/23.
