While focused on the pandemic and other immediate matters, risk managers are anticipating persistent and longer-term regulatory trends
Friday, March 5, 2021
By Jeffrey Kutler
Following a familiar pattern since he took office, President Joe Biden on February 24 issued executive orders to unwind actions taken by his predecessor. One of that day's revocations was a 2017 order, Core Principles for Regulating the United States Financial System, which sought to “rationalize” the regulatory framework, but which out-of-power opponents of the Trump administration characterized as a rollback of essential policy implemented after the global financial crisis.
Biden's move - and a related one that restored authority to regulatory agency staffs that Trump had recently assigned only to presidential appointees - conformed to expectations of more robust enforcement under a Democratic-led government. Those were not contradicted by Biden's nominees to head the Securities and Exchange Commission and Consumer Financial Protection Bureau, respectively Gary Gensler and Rohit Chopra, Obama administration veterans who fielded mostly cordial questions in their March 2 Senate confirmation hearing.
“Our rules have to change” along with evolving markets and technology, said Gensler's prepared statement. “I believe financial technology can be a powerful force for good, but only if we continue to harness the core values of the SEC in service of investors, issuers and the public.”
Although Biden is seen as a moderate Democrat, his leanings are “markedly more pro-regulatory and pro-enforcement than his predecessor's,” Mark Srere, co-leader of the investigations, financial regulation and white collar practice group, Bryan Cave Leighton Paisner, has written. The appointees “will be more focused than their Trump counterparts on priorities like increased consumer protection, data privacy, improving the safety and soundness of financial institutions, and support for smaller rather than larger financial institutions.”
Is it just another, par-for-the-course pendulum swing, or might this be part of something wider-ranging and longer-lasting than a two- or four-year political cycle?
Projecting to 2030
If recent surveys of the risk landscape and risk manager attitudes are any indication, regulation is not merely a near-term, cyclical matter. Instead, it is regarded as a long-term constant and, if anything, increasingly pervasive, affecting both highly and less regulated industry sectors, whether through direct activity oversight, or by way of overarching policies governing information security and privacy, anti-corruption and -money laundering, and environmental, social and governance (ESG) principles and compliance.
One benchmark is the executive perspectives survey of consulting firm Protiviti and the Enterprise Risk Management (ERM) Initiative of North Carolina State University's Poole College of Management. “Impact of regulatory change” ranked seventh among this year's top 10 risks, which had “pandemic-related policies and regulation impact business performance” in first place.
However, that more general regulatory-impact issue jumped to No. 2 when the 1,081 board and executive-level respondents projected the top risks in 2030, with No. 1 being “adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees.”
“Regulatory risk is elevated when viewed through the lens of a longer time horizon,” said the ninth annual Protiviti-N.C. State report, which was released in February and based on survey responses late in 2020 from multiple industry sectors worldwide. “This portends a focus on environmental priorities, social change, data privacy requirements and tax increases, as well as an impetus for developing alternative products and services.”
The longer-range regulatory trend could also “giv[e] rise to yet another risk relating to the emergence of substitute products or services that may affect the viability of the business model. It's disrupt or be disrupted.”
Regulatory themes and undercurrents were also evident in the World Economic Forum's Global Risks Report 2021, which, like Protiviti-N.C. State, introduced a 10-year horizon and catalogued more than 30 specific and often interconnected risks in economic, environmental, technological and other categories; and in two Deloitte reports on financial services, the 12th biennial risk management survey and the 2021 Banking Regulatory Outlook.
Also affecting the regulatory climate, at the intersection of technology and geopolitics, is what Eurasia Group describes as a “global data reckoning”; and how, as stated by Control Risks CEO Nick Allan, “Nation states are now turning their attention to how they can control and influence the technology platforms that citizens and businesses use to communicate and share data . . . Tension between nation state and global business will only increase.”
The World Economic Forum warned that in the context of tech-regulatory conflict, “geopolitical schisms could make for different playing fields in different parts of the world. Businesses may need to prepare for panic in financial markets and altered sales reach, as well as identify alternative service providers - if they exist - in the short-term disruption following government intervention.”
In a recent article, John Romeo, managing partner and head of Oliver Wyman Forum, suggested that in the spirit of stakeholder capitalism, social responsibility and reconciliation, “a reappraisal of business's relationship to government is needed,” one he defined as more open, and with “clearer guardrails.”
“Companies would also do well to reconsider their stance on regulation,” Romeo wrote. “They have every right to express their views, but blanket opposition to new rulemaking misunderstands the nature of representative government and is unlikely to be sustainable.”
Hostility may now be harder to sustain against regulators and other policymakers who have won respect and high marks for their roles in providing economic relief and maintaining financial stability over the past year.
Existential and Other Threats
The Protiviti-N.C. State report - a project led by co-authors Jim DeLoach, Protiviti managing director, and ERM professor Mark Beasley - led off its executive summary with a litany:
“The continuing global challenges and potential existential threat posed by the ongoing COVID-19 pandemic. Political divisiveness and polarization. Social and economic unrest. Gridlock. Artificial intelligence, automation and other rapidly developing digital technologies. Rapid shift to virtual, remote work environments. Changes in the geopolitical landscape. Shifting customer preferences and demographics. Fragile supply chains. Wildfires and hurricanes. Volatile unemployment levels and record low interest rates. Escalating competition for specialized talent. Immigration challenges. Cyber breaches on a massive scale. Terrorism. Big data analytics. The future of work.”
Said DeLoach: “More than ever, 2020 demonstrated that organizations can no longer afford a reactive approach to risk management. Pandemic risk loomed on the horizon for a long time - it was a matter of 'when,' not 'if.' Business leaders must be vigilant in scanning for emerging issues and make actionable plans to adjust their strategies and business models while being authentic in fostering a trust-based, innovative culture and the organizational resilience necessary to successfully navigate disruptive change.
“Digitally mature companies with an agile workforce were ready when COVID-19 hit and are the ones best positioned to continue to ride the wave of rapid acceleration of digitally driven change through the pandemic and beyond.”
“When they think a decade out,” said the report, “executives are concerned about the future of work. Specifically, they are concerned that their organizations may not be able to upskill or reskill their workforce. And they may be concerned that countless millions of employees may be displaced by widespread adoption of AI and automation in all of its forms.”
It noted that there are overlaps between the top 10 lists of risks for 2021 and 2030., which include cyber, privacy and talent along with regulation. One operational risk for 2030 “recognizes concern about having sufficient data analytics and 'big data' skills to achieve needed intelligence to differentiate in the marketplace.”
“As business leaders look ahead to 2030, strategic and macroeconomic concerns seem to be prevalent across all sizes of organizations,” the report added. “All are concerned about escalating regulatory scrutiny over the next decade, and they are all concerned about having the necessary talent to adopt emerging digital technologies.”
Although cyber threats fell from sixth in 2021 to 10th in 2030, “no one expects data security and cybersecurity to diminish,” according to a Protiviti-N.C. State summary of key themes, and “cyber threats remain a moving target.”
ESG and climate-related risks, which ranked relatively low overall, is a top five issue among those in the energy and utilities sector, and it was noted that “the increased relative impact of regulatory risk over the next decade portends potential climate legislation, among other things.”
“More Risk from More Sources”
Credit risk is seen increasing the most over the next two years, along with ESG and cybersecurity, in the 12th edition of Deloitte's global financial services industry survey. Fifty-seven institutions with an aggregate $27.2 trillion in assets participated, and for the first time, 100% (up from 95% two years before) had a chief risk officer or equivalent, while 84% (83%) said they have ERM programs.
“Financial institutions are seeing more risk from more sources than ever before,” said Deloitte Risk & Financial Advisory partner and principal report author J.H. Caldwell. “The COVID-19 pandemic has changed the risk management environment and presents an extraordinary set of new challenges for financial institutions - everything risk-related has been pressure-tested and challenged.”
Caldwell added, “The rapid economic downturn, coupled with abrupt changes in consumer and business behavior, may mean that systems, programs and models based on pre-COVID-19 data may no longer accurately reflect the post-COVID-19 reality. Institutions will need strong risk management governance while having the agility and willingness to rethink their traditional approaches in a fundamentally altered business environment.”
In Deloitte's survey, 94% said they expected regulatory requirements on their institutions to increase over the next two years; 31% expected a significant increase. Despite a greater regulatory focus on nonfinancial risks in stress tests, only 38% of institutions reported conducting stress tests for nonfinancial/operational risk.
A general concern regarding “standards or regulations that will raise the cost of doing existing business,” which was second to cybersecurity in a ranking of regulatory and supervisory impact, “may become especially more pronounced in a period of weak economic conditions [and] could lead more institutions to leverage technology solutions, such as RPA [robotic process automation] and AI applications, in order to increase efficiency and reduce risk management costs.”
Caldwell said that “digital risk should be one of the biggest singular risks financial institutions should be thinking about,” and institutions should be careful not to lose sight of the risks that come with new uses of technologies and of the need for appropriate controls.
“As the pandemic continues,” the report said, “the focus of regulators is expected to shift from quickly responding to the crisis to ensuring the medium-term resilience of financial institutions, including recovery and resolution planning, capital management, and stress testing.”
The Message on Enforcement
Deloitte's banking-specific outlook outlined “several areas where important regulatory changes are emerging or accelerating in the wake of 2020 and beyond,” including evolving oversight of digital transformation and technological innovation, heightened focus on operational resilience, governance and control of workforce transformation, Bank Secrecy Act and anti-money-laundering compliance, U.S. regulators addressing climate risk, and renewed push for consumer protection.
While continuing to refine post-financial-crisis rulemakings, regulators “are now focusing their attention on existing policy areas such as climate risk, digital currencies, technology and innovation,” Deloitte said. “Meanwhile, they are reviewing their own supervisory processes and reinforcing the core banking supervisory pillars of governance, risk management, capital adequacy and planning, liquidity management, and compliance with laws and regulations.
“Recent enforcement actions send a clear message that existing laws and regulations will be enforced and that banking regulators, rather than easing up on their expectations, are demanding higher levels of accountability from boards of directors and senior management for the laws and regulations that are currently in place. At the same time, regulators are paying close attention to economic trends and forecasts and are carefully monitoring the financial strength of the banking industry, both in the United States and globally.”
In a LexisNexis Risk Solutions survey of U.S. and Canadian banks and other financial institutions on the impact of COVID-19 on financial crime compliance, customer risk profiling (91% of 150 respondents), sanctions screening (83%), Know Your Customer for account onboarding (78%) and efficient resolution of alerts (74%) were all negatively impacted. Seventy-nine percent expected pandemic factors to drive up compliance costs over the next 12 to 24 months, the majority of those costs for technology resources.
“The events of 2020 have been unprecedented, and financial institutions must prepare for increased risk of financial crime for the foreseeable future,” Leslie Bailey, senior director of financial crime compliance strategy, said when LexisNexis Risk Solutions released the results in January. “Compliance teams can optimize resources to better navigate the new normal brought by the pandemic while maintaining the customer experience with a multi-faceted approach that includes efficient technology, intuitive analytics and extensive global risk intelligence.”