Fergus Allan on GRC in the UK & USA in 2019
We recently shared the opinions of 11 GRC experts on what developments to track in 2019. One of them, Fergus Allan of TORI Global, now provides more dimension and detail to his interesting outlook on what lies ahead.
Key GRC themes in the UK
In Europe there is a shift from implementing new regulation to ongoing supervision – across Europe this year, we have seen the implementation of a variety of new regulations such as GDPR, MiFID II, PSD2 and parts of SMCR, so in 2019 we can expect a shift from change back to run. This shift is going to test both financial firms' operating models and their three lines of defence.
In order to avoid hefty fines and potentially unlimited reputational damage, firms should seek to ensure that they have the resources and strategy available to ensure that compliance and its associated best-practice behaviours are embedded and not merely bolted on, especially in the case of MiFID II and GDPR. To guarantee that these behaviours are embedded, clear visualisation of controls and governance needs to be in place.
Next on the agenda is Brexit, the outcome of which is at best murky, with new bids for leadership and the use of brinkmanship by all involved parties. One aspect of Brexit is the amount of EU law being transferred to the UK, the figures for which (depending on who you ask!) suggest that between 13% and 62% of UK laws are derived from EU laws – in these uncertain waters firms need to play it safe in order not to be sorry.
With the prospect of a hard or no-deal Brexit encouraging further lifts and shifts of UK operations abroad, this poses problems in ensuring that firms continue to adhere to compliance standards and data management standards. The outcomes of Brexit may see the theme of change to run made redundant as firms go from run to sprint!
The resilience theme facing financial services covers two aspects: cyber, and firms' models for risk management. In regard to the former, cyber attacks are on the rise, and although the monetary losses can be quantified, the loss in consumer trust cannot. Cyber attackers' strategies are growing increasingly complex, a trend which is only likely to continue; a simple egg-shell defence was not enough 10 years ago and is certainly not enough now – partnerships with the right firms, with the right technology and the right people, are essential in providing security.
Firms also need to be proactive in how they identify and manage risks: a clear understanding of your weaknesses and where they sit allows problems to be fixed before they grow arms and legs, and having a framework which is embedded into your organisation remains critical in order to avoid these pitfalls.
Key GRC themes in the USA
On the other side of the pond, the US regulatory landscape is significantly different, with the pace of regulation decelerating and arguably reversing in some cases under the current administration. This slowdown should not be seen as an opportunity for firms to return to business as usual, as this trend could change as quickly as it came; financial institutions should still pursue top-of-class compliance.
One notable change is the set of proposed amendments to the Volcker Rule (Section 619 of the Dodd-Frank Act), the provision which prohibits banks and their affiliates from carrying out proprietary trading. The amendments, if passed, would see the expansion of exemptions, the dilution of definitions and possibly the elimination of compliance requirements and reporting, welcoming increased risk to the financial system and marking a step back from resilience.
Kara Stein, a member of the U.S. Securities and Exchange Commission (SEC), said the proposed changes would constitute a move that “cleverly and carefully euthanizes the Volcker Rule”.