Financial services regulation transformed dramatically post-2008, in an attempt to avoid a recurrence of the financial markets collapse and protect the interests of financial services clients. We had become used to this “New Normal.” However, with the world coming to terms with the COVID-19 pandemic and its implications, the “Next Normal” in financial services regulation was the topic of our recent webinar.
The ‘Next Normal’ will be the world we live in as we adapt to an era of remote working and mobility. COVID-19 might have changed everything about the way we work and communicate, but one thing that hasn’t changed is the expectations of regulators—and the regulatory obligations of every in-house CCO.
Our transition to remote working hasn’t just put business continuity plans (BCP) to the test (in fact, it’s been the longest BCP test in the history of the financial services industry); it has also created a whole raft of new risks and challenges for compliance officers to deal with.
Monitoring new communications tools
Joe Sommer, chief compliance officer at AMP Capital Investors, says one of his main concerns has been the increased use of new communication tools and how to effectively capture and monitor that data.
“Suddenly many different video systems came out and they have chat functionality and document-sharing functionality,” says Sommer. “What does that mean for our firm? Are there cyber security concerns, are there risks in terms of data privacy or the security of those third-party systems? And once you get through that, you still have to figure out what to capture and how to monitor it.”
And as investment teams adapt to the new remote working environment, they are likely to introduce new products and strategies that need to be marketed to clients. The way they communicate these also poses risks, adds Sommer, particularly around how performance data is being represented and whether client billing reflects current valuations.
Additionally, there is the broader challenge of managing compliance remotely when you can no longer have informal office chats with management or investment teams, and pick up on things you might not have learned from formal meetings, Sommer says.
Focus on business continuity and due diligence
Remote working is unlikely to slow down regulatory exams. Even before the pandemic, exams were being performed offsite. AMP Capital Investors began an exam in November 2019, which was conducted entirely via secure email and phone interviews. In July, the SEC announced the creation of its Event and Emerging Risks Examination Team to support the Office of Compliance Inspections and Examinations, ramping up its capacity to deal with any compliance issues arising from the pandemic.
One area of focus for regulators is likely to be BCP, in particular how those policies and procedures have worked and what firms have done to change them in response to COVID-19, comments Joshua Mika, a partner at global compliance consultancy Optima Partners.
“Another area will likely be around third-party due diligence, particularly given the rise of online collaboration tools. Regulators will want to see that third-party vendors have not only been properly vetted, but that the due-diligence process is ongoing and that firms have active files on how those service providers approach cybersecurity and data breaches,” Mika says.
How to stay ahead of the curve
So how can investment firms ensure they meet the expectations of regulators? The first step, says Mika, is for compliance to remain core to the business.
“Compliance having a place at the table is beyond essential,” he says. “That means changing the way you approach communication because you don’t have the ability to walk down the hall anymore and have a conversation, so you have to reach out, you have to be in front of the business people, and you have to let them know you’re there for them.”
Sommer says that it is also vital to listen in on management and investment committee meetings, so you don’t miss out on something that is material to your compliance program.
Another way firms can get a head start is by having what Mika calls a “first day presentation” ready, which can be shown to regulators as soon as they walk through the door. This presentation flags any changes that have been made, specifies how the risks have evolved compared to previous years, and details your plan to deal with the pandemic.
The firms that are most likely to make missteps are those that are disorganized. To be better prepared, Sommer recommends creating a risk matrix that enables firms to track risks and ensure there are policies in place to address them—then review and update them as circumstances change and new risks emerge.