A number of major themes will dominate the banking regulatory landscape for 2020, according to industry watchers.
Those themes range from emerging technology to social governance issues, though what is not clear yet from a regulatory standpoint is exactly how the economy-altering impact of the coronavirus will upend the banking industry.
“Resilience; environmental, social and governance; and data and technology issues are emerging as key elements from the non-financial risk agenda that has grown in prominence since the last financial crisis,” notes EY. “Banking regulation itself is in a phase of adjustment, as the risk portfolio expands to include a set of less familiar challenges, such as personal data privacy, cloud usage and climate risk. All the while, technological innovation, geopolitics and a competitive landscape are threatening revenue generation.”
Deloitte agrees, noting that the financial crisis of 2008-2009 and misconduct issues prompted a tidal wave of reform that the industry is still receding.
“The international consensus on regulatory reform is fraying,” says a report from Deloitte. “Political appetite for globalization is retreating, and trade tensions are mounting. Technological change and social concerns, including environmental sustainability, are rising on regulators’ agendas. Financial services firms need to be prepared to respond to these trends.”
Comply Advantage adds that reform is not an American thing—it’s global, with sweeping regulations coming out of Europe, including the U.K.
“But with little room to breathe after Anti-Money Laundering Directive 5 (5AMLD), it’ll be time for 6AMLD,” the site notes. “Due to be transposed in law across EU territories on 3 December 2020, the legislation builds on from the earlier recommendations made by FATF and is set to change the way that many territories process predicate offenses, with a total of 22 predicate offenses defined and required for money laundering.”
Here are some regulatory topics to keep in mind as this year rolls on:
Tailoring by bank regulators
Recent tailoring rules fine-tune a number of requirements for banks. You should be aware of:
- Enhanced Prudential Standards for domestic and foreign holding companies
- Volcker Rule tailoring regs based on the size of trading assets and exemption of community banks
- Simplified reporting requirements and capital requirements for qualifying community banks
- The lengthening of exam cycles for smaller banks, branches, and agencies
- The raising of asset thresholds that determine whether smaller banks are subject to lesser requirements
Good governance frameworks
Regulators are continuing to focus on governance and looking for gaps in oversight and controls; this scrutiny is being seen at all levels, from the boardroom to business operations and audits. Tips for executive management and boards include:
- Ensuring a focus on oversight
- Setting strategy
- Ensuring accountability
- Defining roles and responsibilities
- Holding business lines accountable
- Making an honest assessment of the resiliency of the firm’s culture
Operational resilience
Operational resilience became a household topic of discussion following the financial downturn of 2008-2009 and is again on radars as the world grapples with the economic fallout from the coronavirus. Institutions should expect regulators to closely watch operations, and firms should:
- Get boards and senior management to take an active role in setting up a resilience strategy
- Adopt a risk-management approach that includes multiple lines of defense
- Establish clear tolerance levels which identify what levels of service disruption are tolerable
- Assemble a toolkit that institutions can turn to recover from and resume operations after a major disruption
- Test the resumption of business operations
Cybersecurity and privacy
Data breaches continue apace and IT cybersecurity spending suggests banks may not be doing enough to stop them. Key focus areas should include:
- Outsourcing risks
- Privacy
- Cyber resilience
- Cybersecurity governance
The Federal Deposit Insurance Corporation has a long list of cybersecurity resources. Bank Info Security noted that a number of cybersecurity measures are currently in the works for banks with $50 billion or more in assets covering:
- Cyber risk governance and management
- Internal and external dependency management
- Incident response, cyber resilience, and situational awareness
For data privacy, expect new national regulations following the passage of the California Consumer Privacy Act.
One Span notes that top security regulations in the U.S. will likely include amendments to the safeguard and privacy rules under the Gramm-Leach-Bliley Act.
“In 2020, the Federal Trade Commission is expected to announce changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, which requires financial institutions explain to their customers the organization’s information-sharing policies and practices and to safeguard sensitive data,” the site notes. “The revised regulations will likely incorporate feedback provided from the proposed changes the FTC announced in 2019.”
These changes were modeled on cybersecurity regulations from New York which went into effect last year.
What to watch for globally
Canada: FINTRAC’s updated Know Your Customer guidance permitting digital onboarding and amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act
European Union: Anti-Money Laundering Directive 5 (AMLD5) and the upcoming AMLD6
Brazil: The new General Data Protection Law
Thailand: Thailand Personal Data Protection Act