Against this background, boards and executive teams should ask themselves two broad sets of questions. The first concerns what steps are being taken to remain resilient and support customers through near-term economic pressures; and the second, whether their own strategic plans align with medium-term structural changes in their operating environment.

Indeed, a strong grasp of the ever-evolving regulatory environment must inform how financial services firms answer these questions.

Near-term economic pressures

Disruptive economic factors will command attention in the near term. The credit risk outlook is increasingly precarious, and lenders will need to be able to demonstrate to supervisors how they are managing the associated risks. Many insurers and investment funds will also face credit-related pressures in their portfolios and may need to boost their credit teams if the volumes of defaults and corporate restructurings begin to rise.

Where credit risks crystallize, they will feed through to regulatory capital positions. Firms will also need to be vigilant for sudden bouts of volatility within the capital markets.

Central banks and regulators will be working hard to understand market vulnerabilities, with continued stress-testing of individual firms, funds, and the wider system. Margining practices will be under scrutiny.

There is also a major conduct risk component to the current economic situation, with consumers feeling the cost-of-living squeeze. Conduct supervisory standards are substantially higher now than in previous downturns, and firms will rightly be expected to support their customers through a period of economic hardship.

This is a particular dilemma for lenders, who will need to make judgements about when and how to exercise forbearance. It will also be a challenge for insurers, who may see rising numbers of policyholders struggling to cover their premiums, creating the possibility of protection gaps that will draw supervisory attention.

Embedding climate & nature risks

Climate and nature risks will increasingly shape the financial services operating environment. Less advanced firms may find themselves given progressively less leeway for shortcomings in the year ahead.

Efforts are underway in numerous arenas to improve the structure and content of transition plans, and firms will need to shift gears to keep up with new rules, guidelines, and greater supervisory scrutiny.

Firms will also need to keep an eye on the still-evolving nature-related risk disclosure framework being developed by the Taskforce on Nature-Related Financial Disclosures, a financial services industry advisory group whose members represent more than $20 trillion in assets. The Taskforce’s risk disclosure framework is due to be finalized in Fall 2023.

Technology transforming the sector

Technology enables firms to provide new and better products and services, develop deeper insights, and do so ever-more efficiently. However, as supply chains and delivery services models become more complex, both the regulatory regime and firms’ risk management and control frameworks have struggled to maintain pace with technological innovation.

Nowhere is this clearer than in relation to digital (and particularly crypto) assets. Regulated firms have increasingly been engaging with an evolving ecosystem of digital asset technology providers and developing client offerings. The European Union’s Markets in Crypto-Assets framework will enter into force this year, but a further regulatory response may be needed to tackle issues such as leveraged trading and crypto-lending as regulatory uncertainty and gaps will persist.

In the United Kingdom, meanwhile, the Financial Services and Markets Bill, once passed, will give authorities the power to oversee digital assets markets. The secondary legislation that will clarify which activities and market participants they will regulate, however, is yet to emerge.

The transition period for the U.K.’s operational resilience framework will soon enter its second year, and U.K.-based firms need to demonstrate measurable progress with regards to important business services. The 24-month implementation period for the E.U.’s Digital Operational Resilience Act begins this month, and firms within the E.U. will need to begin their work post-haste to be on track for the early 2025 deadline.

The resilience of the delivery of financial services in which third-party suppliers are involved is a major issue. In some cases, firms will need to develop contingency exit strategies and business continuity plans for third-party exposures, including substitute service delivery methods.

Long-standing concerns about model risk management also now have a distinctly technological flavor, with supervisors scrutinizing how firms are deploying artificial intelligence and machine learning. When finalized later this year, the U.K. Prudential Regulation Authority’s (PRA) proposed principles on model risk management will require a large amount of work to catalogue, categorize, and risk-assess models that for some firms could number in the thousands given the PRA’s expansive definition of model.

A general principle will be relevant for firms across all sectors and regions: people, and not models, should be responsible for decision-making. Boards and executive teams should be able to demonstrate that they understand the functioning of their models, including those based on new technologies such as machine learning.

Rising geopolitical tensions

Finally, rising geopolitical tensions will continue to be another feature of the changing risk environment in which financial services firms are operating. International markets are increasingly fragmenting, as nations and business leaders look at how to build supply chain resilience and security through greater localization of production and supply.

Given the volume of alerts generated by transaction monitoring systems, the inherent limitations of legacy systems and data, and strengthened baseline expectations, it is no wonder that some firms feel they are having to run ever-faster just to keep up. The status quo does not appear sustainable, and operating model reform will need to be part of the response, including considering changes to internal structures, resourcing models, and technology strategies.

Resilience and strength

Financial service firms face many headwinds as the new year begins but will do so from a position of resilience and strength, having successfully navigated the vicissitudes of the last three years. The major challenge will be to navigate the choppy near-term waters without losing sight of the medium-term processes of structural change playing out in relation to geopolitics, technology, and sustainability.

Regulation continues to be a major force that will shape the operating environment for financial services, and an integrated view of the regulatory landscape — as well as an ability to connect such a view with business strategy decisions — remain imperative for firms looking to stay at the forefront of the industry.

This blog post was taken in part from a recent report written by David Strachan & Suchitra Nair of Deloitte. You can sign up to receive Deloitte’s Financial Markets Regulatory Outlook report, due to be published later in January, here.

The hearing exposed some partisan differences even as broad agreement emerged on what needs to be done to reduce risks for crypto investors. Republicans and Democrats remained apart in their views of the future of a digital-asset world shaken by the swift collapse of a firm regarded as one of the safest bets in the industry. Indeed, the FTX failure showed basic concerns that must be resolved before mainstream firms can assure regulators that investor protections are in place.

Republicans who have been ardent advocates of deregulation used the hearing to slam U.S. agencies for failing to act sooner to halt fraud at FTX and for going too slow in drafting rules. Numerous Democrats argued against taking hasty actions until more is known about the FTX failure, which led to Bankman-Fried’s recent arrest and indictment on multiple criminal charges.

Garden of Eden full of snakes

“My fear is that we will view Sam Bankman-Fried as just one big snake in a crypto Garden of Eden,” U.S. Rep. Brad Sherman (D-Calif.) told the hearing of the U.S. House Financial Services Committee. “The fact is, crypto is a garden of snakes.” Sherman has been a persistent critic of cryptocurrency, which he sees as mainly a tool for tax evasion, funding for illicit activities, money laundering and sanctions evasion.

Republican legislators at the hearing argued against curbs that discourage innovation and argued for moving more quickly to put basic rules in place.

Despite testy exchanges and finger-pointing across the aisle, the hearing showed bipartisan consensus that the industry needs to assure transparency, asset custody, and governance that curbs conflicts of interest and self-dealing.

The FTX case also illustrates the challenging complexities in resolving a digital-asset bankruptcy, Ray said during the hearing. But the process was the same that he followed while overseeing the collapsed energy trading firm Enron, he said. “You follow the money.”

The FTX event could lead to “information being gathered that will inform legislation in a positive way,” said Sarah Riddell, a Morgan Lewis lawyer who worked for the Commodity Futures Trading Commission (CFTC) and participated in drafting the Dodd-Frank legislation.

Riddell compared the job ahead to the post-financial crash rulemaking that required a multi-faced, complicated process. The industry firms that have put compliance in place in their crypto practices could emerge intact, she said. “The firms with good tires will survive the heightened attention this has brought.”

AML as a unifier

U.S. Senators Elizabeth Warren (D-Mass.) and Roger Marshall (R-Kansas) recently introduced bipartisan legislation aimed at mitigating risks that digital assets pose to U.S. national security by closing “loopholes” that enable money laundering using cryptocurrencies. The introduction of the Digital Asset Anti-Money Laundering Act of 2022 comes in the wake of a number of high-profile government actions and scandals in the crypto sector, including the Treasury Department’s blacklisting of the cryptocurrency “mixer” Tornado Cash in August as well as the FTX bankruptcy and founder Bankman-Fried’s subsequent indictment. Amid these scandals, pressure on legislators and regulators to rein in the sector and strengthen anti-money laundering (AML) activities has only mounted.

Among other things, the Digital Asset Anti-Money Laundering Act of 2022 would extend AML obligations to a much broader spectrum of cryptocurrency players. For example, it would require such crypto entities as digital asset wallet providers, miners, validators, and other network participants to comply with portions of the Bank Secrecy Act, including know-your-customer requirements. The Act would also prohibit financial institutions from using or transacting with digital asset mixers and other anonymity-enhancing technologies and from handling, using, or transacting with digital assets that have been anonymized using these technologies.

The Act would also direct the U.S. Treasury Department to establish an AML/counter-terror finance compliance examination and review process for money services firms and directing the U.S. Securities and Exchange Commission and CFTC to establish similar compliance examination and review processes for the entities those agencies regulate.

“Rogue nations, oligarchs, drug lords, and human traffickers are using digital assets to launder billions in stolen funds, evade sanctions, and finance terrorism,” Sen. Warren said in a written statement. “The crypto industry should follow common-sense rules like banks, brokers, and Western Union, and this legislation would ensure the same standards apply across similar financial transactions. The bipartisan bill will help close crypto money laundering loopholes and strengthen enforcement to better safeguard U.S. national security.”

The senators noted that the Treasury Department, U.S. Justice Department and other national security and financial crime experts “have warned that digital assets are increasingly being used for money laundering, theft and fraud schemes, terrorist financing, and other crimes.”

In fact, rogue nations have used digital assets to launder stolen funds, evade American and international sanctions, and fund illegal weapons programs, the statement noted, adding that in 2021, cybercriminals raked in at least $14 billion in digital assets — an all-time high.

Further, Binance, the world’s-largest crypto platform, was reported to have laundered more than $10 billion for criminals and sanctions evaders over the last few years. However, splits among Justice Department prosecutors are delaying the conclusion of a long-running criminal investigation into Binance, it was recently reported. A Binance spokesperson declined comment.

You can download TRRI’s 7^th report on Fintech, RegTech, and the role of compliance in 2023 here

On the other hand, there are signs of a slowdown in the growth of the fintech sector. In the first half of 2022, for example, the total capital invested in fintech worldwide reached $59 billion, which was flat year-over-year, according to Innovate/Finance’s 2022 Summer Investment Report. What’s more, there were 3,045 deals completed in the fintech sector, fewer than the 3,401 deals in the first half of 2021.

The slowdown is echoed in the findings from this year’s TRRI survey. There was a fall in the number people feeling extremely positive about fintech and regtech. For fintech overall, this year’s survey reported that 15% of respondents were extremely positive compared with 31% last year. For regtech, 15% of respondents felt extremely positive compared with 26% in 2021. What’s more, less than one-in-ten (8%) of respondents from G-SIBs felt extremely positive about fintech.

It may be unsurprising that respondents felt less positive about innovation and digital disruption given the challenges that firms must address across the board. This year, respondents said that the availability of skills (20% fintech, 16% regtech) and regulatory approach (14% fintech, 18% regtech) were the most significant challenges anticipated in the next 12 months. For G-SIBs, concentration risk and third-party providers ranked highest among challenges for fintech (15%), whereas cultural approach (15%) was the biggest challenge facing G-SIB regtech users. Data governance and cyber resilience also feature highly in the list, with other areas including financial crime and operational resilience also prominent.

Regulators are also adopting technological solutions to help with their supervisory roles and the management of large volumes of data. That means, firms need more interaction with regulators on fintech and regtech. More than two-fifths (43%) of G-SIBs reported having spoken to their regulator about fintech and regtech. This contrasts with responses from other financial services firms, nearly 60% of which reported that their regulator had not spoken to them about the use of technological solutions.

Despite this current slowdown and waning of enthusiasm, the future of the fintech market remains optimistic, the report observes, recommending that financial services firms should continue to invest in technology, IT infrastructure, and associated skillsets. To maximize the potential of technological innovation, firms must continually reassess their technological needs and then invest in solutions tailored to the activities of their business.

The Fintech, Regtech, and the role of compliance survey has, in its lifetime, attracted more than 3,000 respondents. Participants from all sectors of financial services — from globally significant banks to technology start-ups — took part in this seventh survey. The survey results are intended to help financial services firms with planning, resourcing, and direction, allowing them to benchmark whether their approach, skills, strategy, and expectations are in line with those of the wider industry. The report specifically focuses on areas that directly affect the compliance function.

The report also assesses the extent to which firms are turning the technological challenges they are now facing into opportunities, embracing new ways of working and navigating the evolving regulatory approach.

Indeed, as global economies moved away from the worst of the pandemic, it seemed early on that 2022 could provide a sense of normalcy, if not a return to traditional business practices. However, the rocky shoals of the war and global economic turmoil soon put an end to that sunny thinking. Yet many professional service firms and their corporate counterparts in the US and around the world found ways to remain profitable, resilient, and forward-thinking enough to allow some positive direction as we all head into 2023.

The Thomson Reuters Institute, through its blog posts, podcasts, market reports, and in-depth analysis, has chronicled many of the changes that swept through the last year, offering insights into how many organizations are adapting and what solutions are being successfully utilized.

If there were trends to discern in this very busy year, it was that twin issues of talent and technology implementation were impacting corporate departments and professional service firms to a greater degree as the year went on. And some of the most-read pieces on the blog site reflected that. For example, one piece that was very widely received described the different power skills that allow employees to flourish in new hybrid work environments; also, the changing regulatory stance toward the practice of law, especially around whether non-lawyers can own law firms, was of keen interest to our readers.

Further, many law firms, government agencies, tax & accounting firms, and corporate departments were beginning to grasp that the technology needed to meet the growing demands of the digital economy was of paramount importance. Indeed, as we moved toward the end of 2022, it was clear that technology adoption and maximizing its use simultaneously was among the biggest challenges and most promising opportunities that organizations are facing going forward.

Key market reports & in-depth podcasts

Throughout the year, it was the goal of the Thomson Reuters Institute to bring together people from across the legal, corporate, tax & accounting, and government communities and ignite conversation and debate in order to shed some insight on the newest industry developments and the most critical opportunities and challenges market participants are experiencing.

You can explore our top trending Thomson Reuters Institute insights that shaped 2022, or you can relive some of our highlights from this year here. And for further coverage of the legal, tax & accounting, corporate, and government sectors, visit the Thomson Reuters Institute.

We did this in part by providing coverage of these topics on the Thomson Reuters Institute blog site — such as podcasts, videos, and key market reports — and by hosting world-class events, which kicked off in Amelia Island at our 29th Annual Marketing Partner Forum, which brought together global law firm leaders and the best strategic thinkers from around the world to discuss the steep challenges facing firms in the legal market; and continued in New York City with our 21st Annual Law Firm COO & CFO Forum, along with many more in-person and virtual events throughout 2022.

As our reach expanded over the year — the Thomson Reuters Institute blog site reached more than 1 million annual page views this year for the first time in its history — our coverage expanded as well. We created two new resource centers on the site, to accompany those dedicated to covering the legal, tax & accounting, corporate, and government areas. Our new resource centers — Environmental, Social & Governance (ESG) and Technology & Innovation — allow us to offer readers dedicated content and insight into those areas.

Throughout the year, the blog site offered a steady stream of analysis and market insight reports that shed light on what participants in the legal, tax & accounting, and corporate fields were experiencing in their respective marketplaces in today’s economy. For example, in the 2022 Report on the State of the Legal Market, we saw that the legal market has remained resilient, even though numerous key challenges remain for many law firms, including a hot market for legal talent that has driven up costs. Even so, the report showed that many law firms have managed the difficult market with a good level of success last year.

On the other side of the table, our reports on corporate law departments and corporate tax departments shed further light on the immense pressure these departments were under from their corporations to transform the way they operate, with special emphasis on working more efficiently and cost-effectively. Indeed, coming out of the pandemic, it appears the dramatic changes undertaken by corporations during that time — especially around talent management and adopting new technology — may only be the beginning.

Also, our series of twice-monthly Insights podcasts offered in-depth discussions throughout the year on topics ranging from the viability of the new cryptocurrency economy to the most common misconceptions in the legal industry around artificial intelligence, and from how financial institutions were managing Russian sanctions to how organizations can benefit from client feedback programs.

Now, as we move into 2023, the Thomson Reuters Institute will continue offering insight into the latest events and trends, bringing leaders together, and mapping out the opportunities and challenges facing corporations and professional service firms going forward.

The US Department of Justice (DOJ) announced charges in November against multiple defendants in connection with fraudulent email schemes that targeted Medicare and Medicaid programs, private health insurers, and other victims. The defendants were charged in connection with multiple business email compromise schemes that involved money laundering and wire fraud and resulted in losses of more than $11 million.

Business mail compromise schemes are a type of phishing attack that attempts to deceive an entity into transferring funds or disclosing sensitive information.

In these cases, fraudulent emails were sent to public and private health insurance programs that requested future payment be sent to “new bank accounts that did not belong to the hospitals” and instead were sent from “accounts resembling those associated with actual hospitals.” Based on these deceptive emails, five state Medicaid programs, two Medicare administrative contractors, and two private health insurers made payments to the defendants and their co-conspirators instead of the hospitals.

“These defendants defrauded numerous individuals, companies, and federal programs, resulting in millions of dollars in financial losses to vital federal programs meant to provide assistance to those in need,” said US Attorney Ryan K. Buchanan for the Northern District of Georgia in a DOJ statement.

The DOJ detailed some of the charges and allegations against the defendants, as follows:

• • • A Columbia, SC man was charged with three counts of money laundering and one count of unlawful procurement of naturalization. He alleged used a stolen identity to open bank accounts in the name of a shell company in order to receive more than $1.4 million fraudulently diverted from a Medicaid program, a hospital, and others. He also allegedly laundered $583,000 of the proceeds.
    • An Atlanta man was indicted on four charges of money laundering after he allegedly used false identities to open bank accounts in the names of the false identities and shell companies. He received approximately $2.4 million from Medicare and several private companies. He laundered approximately $679,000 of those proceeds.
    • Another individual from Atlanta was charged with three counts of wire fraud, two counts of aggravated identity theft, and six counts of money laundering for using stolen and false identities to open accounts in the names of shell companies. She received nearly $830,000 in proceeds and laundered approximately $535,000 through large cash withdraws.

Holidays increase risks

Last year, there was a “30% increase in the average number of attempted ransomware attacks globally over the holiday season” from 2018 to 2020, compared to monthly averages, according to research from cybersecurity firm Darktrace. Researchers for the firm “also observed a 70% average increase in attempted ransomware attacks in November and December, compared to January and February.”

This increased holiday risk is also true in the healthcare sector. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for Labor Day 2021 because they had “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends — when office are normally closed — in the United States.” Attacking on or around holiday weekends “provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware” because IT departments are at limited capacity for extended times.

Because staffing in all departments is often reduced during the holidays, it is important for all employees to be alert for suspicious emails that might include links that would expose the provider or insurer to malware or that might be an attempt to fraudulent divert payments from the intended recipient.

In fact, the average weekly attacks in the healthcare industry increased 69% in the first half of 2022 compared to 2021, according to a recent report from research firm Check Point, with healthcare providers being among the victims of some of the more serious cyberattacks. In the third quarter, healthcare was the most targeted industry for ransomware attacks with 1-in-42 entities impacted by ransomware, according to Check Point.

For example, a January attack on Broward Health in Florida exposed the medical information of more than 1.3 million individuals to cyber criminals, according to Check Point. In October, a ransomware attack hit CommonSpirit health system, which operates 142 hospitals across 21 US states. The attack blocked access to the system’s electronic health records and disrupted patient care.

Whether it is a business email compromise scheme to divert payments from Medicare and Medicaid or another phishing email that exposes a provider or insurer to a costly malware attack, it is imperative that everyone be alert to cyberthreats, especially as we head into the holiday season.

As a result, visibility into supply chain actions and outcomes has catapulted to the top of many corporate wish lists — but many business leaders become frustrated when their operations and technologies don’t deliver. Still, experts say, better visibility into corporate supply chains can be achieved, but only if companies are willing to think about their sustainable supply chain initiatives in a more innovative way.

According to a September EY report on sustainable supply chains, visibility has become one of the top priorities among supply chain leaders. Of the 525 large corporations surveyed, 58% said that increased end-to-end visibility in their supply chain was among their top two priorities in both the past two years and the upcoming two years. However, despite that desire, just 37% of supply chain leaders reported achieving supply chain visibility over the past two years, indicating a large gap between the desire for more visibility and the progress many organizations are practically achieving.

Rae-Anne Alves, ESG & Sustainability Supply Chain Leader at EY Americas and co-author of the report, said that visibility is the key first step to compliance. “When companies are thinking through their supply chain and trying to make it more sustainable, they need end-to-end visibility to know is what is happening,” Alves said. “Companies are lacking the transparency that they need from their suppliers through logistics, especially in areas outside of their four walls.  Achieving this transparency will give them the visibility they need across their supply chain.”

Recent research from the Thomson Reuters’ Market Research & Competitive Insights team mirrored these findings. In interviews conducted with senior leaders of US-based companies charged with tracking ESG efforts, large numbers of companies say they have established dedicated ESG efforts but collecting data and measuring those efforts remains disconnected and lacks consistency.

The issues in raising visibility

When it comes to trying to raise the visibility of supply chain practices and outcomes, many corporate leaders have run into an unfortunate reality: the difficulty of gathering and mingling data that lives in disparate systems. One public company ESG head explained that a common supply chain review pulls data from systems as broad as risk management and operations software, human resources software, and procurement and supplier-oriented software.

Combining all of these types of data into one truth remains difficult. “I don’t even know how they collect their data,” said the supply chain head of another public company. “Every vendor has their own process.”

This problem is only increasing as companies are beginning to scale up the types of data that they collect, EY’s Alves added. To take a firmer grasp on their supply chain, many companies are looking to catalog not only emissions from scope 1 (directly owned by the company) and scope 2 (indirect use of energy the company purchases), but increasingly scope 3 emissions that result both up and down the company’s value chain as well. Indeed, the more a company’s data collection scope expands, the more complex the visibility question becomes. Many supply chain-centric software providers have arisen in recent years to try and compile and display all of these data sources, however, currently, there is not a leader that has captured a substantial share of the market.

Some companies have been able to achieve more supply chain visibility, becoming sustainable supply chain “trailblazers” with an “extreme focus on transparency”

“It’s unclear yet whether there will be a provider that is able to deliver the end-to-end capability needed for a digitally network-connected supply chain,” explained Gaurav Malhotra, Partner and Americas Supply Chain Technology Leader at EY. “There are many factors that have to come together, versus just a singular platform from a control tower or visibility standpoint to enable the orchestration.”

Instead, many companies have tried to apply other technological fixes to the issue, often without much success. “Almost everything is run on Excel. It’s truly terrible,” a public company’s supply chain head told Thomson Reuters Institute. “We have very few tools for environmental stuff. Everything is reported through Excel, everything is measured in Excel, everything is rolled up in Excel and it’s extremely inefficient because we have all these different teams.”

Supplying more visibility

Still, some companies have been able to achieve more supply chain visibility. EY’s report designated certain companies as sustainable supply chain “trailblazers” and noted that one of the traits they have in common is an “extreme focus on transparency” through which “[t]hey can significantly or moderately peer into Tier 2 and 3 supply networks.”

EY’s Malhotra said these leaders often undertake two simultaneous shifts to aid this transparency. One involves automating individual supply chain functions so that they can run more efficiently and be consistently reliable. The second involves integrating those individual functions and making sure their output data is portable to enable the needed effective real-time communication, both internally and with external supply chain ecosystem partners.

Currently, he explained, most supply chain networks are “not digitally integrated in their true sense” because they operate in multiple stages. Data is processed by one organization that controls their section of the supply chain ecosystem, then it is transmitted to be able to be consumed or processed by other organizations. While Malhotra concedes that it takes “time and effort to ultimately get to a mostly autonomous state,” he believes combining, integrating, and automating these steps will be the future of supply chain management.

“What we have found is that some leading companies have moved towards an integrated process and singular platform that allows the right level of visibility, orchestration and actioning with their supply chain network partners,” Malhotra said. “Enabling trust, effective execution and accountability with the overall network in play, resulting in a highly efficient, highly integrated, differentiated and reliable supply chain.”

Leading companies are also pushing for data standardization among common supply chain suppliers, Alves added. Many sustainability frameworks are available, and increased regulatory attention continues to add more complexity. Increased standardization can make supply chain data more actionable, and auditable, potentially lowering a company’s risk profile. When asked about top supply chain priorities for the coming year, the ESG head of one public company was clear: “We want to make sure that we have auditable processes in place, that the data is sound.”

However, Alves added that for sustainable supply chain measurement and reporting businesses are “definitely not there yet.” As both public and regulatory attention in the space continue, expect that visualization into supply chain processes and data will become even more important, and leading organizations will continue to invest resources and personnel to get their supply chain data house in order.

Yet, mistakes, data breaches, and data exposure tend to happen when people communicate and share information digitally, and firms need to make it as straightforward as possible for employees to leverage modern UC tools while remaining compliant and secure.

“Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.”

— Kristin N. Johnson, commissioner, US Commodity Futures Trading Commission (CFTC), September 2022

In its 4th annual survey report on modern communications compliance and security, security and compliance software firm Theta Lake highlights the complex challenges faced by those professionals tasked with maintaining compliance, security, and data privacy within firms and companies. The report is based on the views and experiences of more than 500 compliance and security professionals from the heavily regulated financial services, healthcare, and government sectors across the United States, the United Kingdom, and Canada. The report provides a snapshot of how communication platforms are being used and the issues with which organizations are struggling and can help organizations benchmark their own practices and expectations against those of the wider industry.

Heightened regulatory focus on modern communications

The survey findings come against the backdrop of fines of more than $2 billion already levied by the US Securities and Exchange Commission (SEC) and the CFTC for failures of organizations to capture, retain, and supervise communications. The situation underscores that a lack of visibility and oversight is one of the biggest risks faced by firms in a modern hybrid workplace. For example, the survey showed that two-thirds (66%) of financial services leaders believe employees are using unmonitored channels, posing heightened compliance and security compliance risks.

“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”

— Gary Gensler, chair, SEC, September 2022 

The crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that have yet to address supervision and record-keeping risks that were exacerbated by the pandemic.

Attempts to offset these risks is made harder by the limitations of legacy supervision and archiving approaches, which also pose real risks and costs to businesses. As a case in point, 39% of survey respondents cited gaps in coverage as a top challenge with their existing archiving tools, while only 9% reported having no issues. Another 45% said they needed to be able to selectively archive written in-meeting communications like chat without having to record the video or audio. A mismatch between legacy tools built for email and today’s workplace, where 81% use chat and 63% use video equally or more than email, has created critical gaps in records. It has also put a spotlight on dated compliance tools that are unable to capture, retain, and supervise dynamic communications data.

“The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”

— Sanjay Wadhwa, senior associate director of enforcement, SEC, September 2022

As a result, organizations face growing challenges to both enable communications across the platforms that employees and customers use while deploying technologies to appropriately capture, retain, and supervise these interactions to meet regulatory obligations.

“The [survey report] findings show just how integral modern communication platforms have become in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2 billion in fines is the biggest wake-up call yet that compliance and unified communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.”

— Stacey English, director of regulatory intelligence, Theta Lake

Proactive compliance needs modern tools

The views and experiences of survey participants highlighted numerous challenges that organizations need to overcome in order to stay safe and compliant in an increasingly complex communications environment.

Organizations are seeking specific capabilities in modern compliance tools, including the ability to capture contextual information such as reactions, emojis, GIFs, edits, or deletions as well as features like whiteboards. Tools also need proactive compliance functionality, including the capability to automatically post disclaimers and remove problematic content.

“Let me be clear here: I am talking about more than putting together a stock policy and giving a check-the-box training. This requires proactive compliance, and this type of approach has never been more important than today — a time of rapid and profound technological change.”

— Gurbir S. Grewal, director, SEC Division of Enforcement, October 2021

Unsurprisingly, the control environment across all organizations is varied and complex, as approaches evolve to meet the rapid and constantly changing nature of communications and regulatory expectations.

Some 66% of survey respondents in the financial services industry are using documented usage policies as controls, with 65% using internally built platform controls, and 62% using specialist software to enforce policies. Almost half (45%) of organizations take a more draconian approach, however, by disabling features to limit the risk of new channels. Perhaps not surprisingly, the most frequently disabled features are camera functionality, file sharing, and screen sharing.

In the short term, bans and blocks may work as a control. Given that the features being disabled are essential, however, it is only a matter of time before employees circumvent such policies — an observation reinforced by the recent regulatory enforcement action.

Organizations need modern compliance and security technology to give them the confidence and assurance to unlock the value of the platforms in which they have invested, rather than disable them, allowing staff and customers access to the features they want to use.

For more, you can download a copy of Theta Lake’s 2022 Modern Communications Compliance and Security Report here

Even before the collapse of FTX, complaints from consumers who were hit by other types of digital currency losses have been rising at an alarming rate, the CFPB reported. The CFPB report said the crypto market has become a magnet for fraudsters who see little chance that their schemes will be detected due to the absence of investor protection and the opaque nature of the market.

Crypto firms hiding behind “terms & conditions”

The fledgling crypto industry’s $2 trillion market, made up of complex and illiquid digital assets, lacks controls and account management operations to handle customers’ problems, the CFPB report suggested. The firms often “hide behind terms and conditions” to delay transactions when customers try to claim their crypto assets.

The report found that despite marketing claims that they offered “immediate access” to funds, some crypto firms have often delayed or denied redemptions based on “identity verification issues, security holds, or technical issues.” Many customers also reported the transactions were settled at prices far below quoted levels when unexpected or unexplained fees were tacked on. Some firms cited “market spreads” that led to payouts far below quoted prices. Further, the transaction concerns were most often handled in some form, the CFPB report said, even if they were settled on disadvantageous terms for consumers.

The largest complaint category, representing about 40% of complaints, involved fraud-related matters, and sometimes included use of social media by digital currency participants in a potent mix of deception and opaque fund movement. The CFPB reported that in many instances of fraud reports from customers, the transaction provider declined to accept responsibility or to help in recovering funds, arguing that since they act as intermediaries they are not contractually required to act. In some cases, they required customers to submit to “mandatory arbitration” and clauses that prohibited them from joining class actions.

US regulators have said that since the crypto firms operate from offshore domiciles, they have only limited powers to intercede when fraud surfaces. The CFPB itself said its “complaint bulletin” was meant as a risk warning, but the agency went no further in committing its own enforcement division to pursuing wrongdoing.

Enforcing crypto fraud “time-consuming” 

The CFPB, with its own packed rulemaking and enforcement agenda, suggested that pursuing bad actors would be a drain on agency resources since the anonymity of crypto “makes tracing crypto-assets stolen by fraudsters more time consuming for regulators and law enforcement.” The agency said it would continue to log complaints and follow up with efforts to recover funds from crypto firms it could reach; however, in most cases, it said it would refer complaints to the Federal Trade Commission or other law enforcement authorities.

In its bulletin, the CFPB said the fraud complaints ranged from sophisticated “nation-state” level operations to the types of social engineering scams or cyber breaches seen in ransomware attacks by bad actors seeking payments in hard-to-trace cryptocurrencies. Among the leading scam methods the CFPB noted were: i) playing on a victim’s emotions to extract money or posing as customer service representatives to gain access to customer accounts; ii) using social media posts or targeting different communities in affinity attacks aimed at younger populations, Black and Latino communities, older consumers, and service members; and iii) impersonating crypto-asset developers, founders of major websites such as YouTube, or the official accounts of governments to solicit crypto-asset donations to help the people of Ukraine.

The CFPB also described various tactics that crypto firms used to evade or delay regulations or returning assets to customers, including: i) patterning transactions by using many small transactions to evade money laundering and fraud controls; ii) freezing consumer assets immediately prior to entering bankruptcy or using decentralized finance (DeFi) as part of the crypto-asset ecosystem; and iii) using hacked SIM cards and mobile phone numbers to activate and take control of users’ credentials, or linking transactions and a crypto address with a consumer’s identity on their other transactions.

While the CFPB’s bulletin was intended as a warning to consumers, it cited one area in which it might take direct action — the use of deceptive claims of government savings account insurance, which is guaranteed by the Federal Deposit Insurance Corporation (FDIC). In a May announcement, the CFPB said it could bring action under the Consumer Financial Protection Act, which prohibits any fraud involving deceptive claims around FDIC insurance.

“Our analysis of consumer complaints suggests that bad actors are leveraging crypto-assets to perpetrate fraud on the public,” said the CFPB’s Chopra. “Americans are also reporting transaction problems, frozen accounts, and lost savings when it comes to crypto assets. We will continue our work to keep the payments system safe from fraudsters targeting Americans.”

Indeed, there is even a new generation of consumer that reacts economically to the reputation of an institution, and it is increasingly common for institutions to endanger that reputation by running afoul with certain customers that they chose to accept. It’s these failures in financial institutions’ vetting process and its know your customer (KYC) compliance programs that can greatly cause harm to their reputations and integrity.

Global regulators are focusing on KYC rules as a way to ensure financial institutions across the world are not offering their banking services to illicit actors or being willfully ignorant of the risks that they are taking.

In a new white paper, Financial Institutions & Know Your Customer Rules: From Security to Solutions, published by the Thomson Reuters Institute and Thomson Reuters Regulatory Intelligence, we look at how KYC rules are playing a bigger role in the compliance and security of financial institutions. The paper also examines the challenges that financial institutions are facing in getting in compliance with changing KYC rules both in the United States, the United Kingdom, and around the world. Finally, we’ll see how some institutions and financial third parties are looking for solutions, either by creating new tech products or by outsourcing, to make their KYC challenges more efficient and cost effective.

The paper also shows that global regulators are focusing on KYC rules as a way to ensure financial institutions across the world are not offering their banking services to illicit actors or being willfully ignorant of the risks that they are taking. Regulators see these rules as being able to level the playing field and decreases gaps in screening for potential bad actors.

In addition, customers and other businesses are looking to make sure they are only associated with those financial institutions that do not have connections with bad actors. As global financial crime only increases worldwide — with a big boost in such illegal activity seen during the years of the global pandemic — more and more scrutiny will be placed on how financial institutions determine the real identity, suitability, and financial sophistication of their banking customers.

As the paper argues that KYC is here to stay, and its compliance and government oversight likely will only become more stringent. Financial institutions who fail to understand the importance of proper KYC compliance programs and their impact on institutions’ reputation and security are in for a mess of consent orders, bad publicity, and costly fines, among other negative impacts.

To download a copy of the new white paper, “Financial Institutions & Know Your Customer Rules: From Security to Solutions”, please fill out the form below:

“The primary objective of corporate governance should be safeguarding stakeholders’ interest in conformity with public interest on a sustainable basis,” wrote the Basel Committee on Banking Supervision in a recent paper, Corporate governance principles for banks. “Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management.”

Governance includes responsibilities such as determining strategy and objectives, selecting and overseeing personnel, meeting shareholder obligations, and aligning corporate culture, activities, and behavior with the expectation that the bank will operate in a safe and sound manner. It is a significant factor in financial services regulation, and many of the rules with which financial services firms must comply are founded in good governance principles. Further, boards have responsibility for the firm’s integrity and for compliance with applicable laws and regulations.

Governance is more subtle than straight rule-based compliance and requires a greater level of tact, persuasion, and cunning to exert a positive influence. This is partly because of the subjective nature of governance. A one-size-fits-all approach to corporate governance is not mandated, leaving the field open to numerous opinions and models. Compliance officers may not, unfortunately, be seen as experts in governance within the firm.

Regulations based on governance

The penalties for financial firms and their managers which fail to employ adequate governance practices can be severe. Three recent regulatory actions have underlined this point: two enforcement actions — MS Amlin Underwriting Ltd. , which was fined by the Prudential Regulation Authority; and Sigma Broking Ltd. , which was fined by the Financial Conduct Authority (FCA), both of which had governance issues at their core — and the release of the FCA’s thematic on the effectiveness of governance in credit rating agencies.

A theme running through all three actions was the role of a financial firm’s board of directors. Sigma was fined £531,000 and three directors more than £200,000, ostensibly for “failing to make reports crucial in fighting potential market abuse.” The main failures related to weaknesses in the firm’s governance such as inadequate oversight by its governing body.

MS Amlin was fined around £9.7 million for failing to comply with its regulatory obligations relating to the governance and oversight of underwriting. The governance failings included underwriting controls, management information, data quality, and risk management strategies and systems.

Meanwhile, the FCA highlighted “strong board governance, clear board-level accountability and independent challenge” in its letter to credit rating agencies, which reported the results of its thematic on the effectiveness of governance.

Board & chair

Regulators have made it clear that they regard a strong board of directors as crucial to a firm’s success. To underline this focus, the UK Corporate Governance Code includes five principles on board leadership that all firms need to follow and sign off on, on a comply or explain basis, in their company accounts. The principles include ensuring that the board: i) promotes the long-term sustainable success of the company; ii) establishes the company’s purpose, values, and strategy; iii) makes the necessary resources ready for the company to meet its objectives; iv) encourages effective engagement with shareholders and stakeholders; and v) creates workforce policies and practices that are consistent with the company’s values.

Chairs of boards of directors are there to lead the board and are responsible for its overall effectiveness in directing the company. Chairs should demonstrate objective judgement throughout their tenure and promote a culture of openness and debate. In addition, chairs should facilitate constructive board relations, and should ensure that non-executive directors are able to make an effective contribution and that all directors receive accurate, timely, and clear information.

Compliance officers

“We believe that governance goes beyond formal governance at the board and in the most senior levels of leadership,” the FCA said in its thematic.

Senior management, at all levels and in most roles, need to be able to apply the characteristics of the board and the principles of good governance, namely: individual competence; clarity of responsibilities and organizational structure; strong risk management; effective control frameworks; accurate, timely reporting; and transparency and trust.

Traditional compliance officers have responsibility for overseeing the firm’s adherence to regulations, policies, and procedures. To do this, they need the seniority, independence, and the mandate to operate at board level. In many ways, compliance officers need to adopt the same characteristics as chairs to fulfil their responsibilities.

In addition, a strong sense of fairness and clear accountability — for their own work, but also an understanding of who is responsible for what — must be part of compliance officers’ basic psyche. They need the resources and knowledge to be able to undertake their roles.

Viewing the firm, and the issues within it, from the chair’s position not only gives compliance officers the necessary perspective from which to report, but it may also help to contextualize findings and give compliance officers confidence and respect when discussing issues with senior management. This is not an excuse to soften messages when it is necessary to be forthright, but having a “chair mindset” may give compliance officers a route to more common ground when they do need to deliver difficult messages.