A raft of new rules are heading the financial services sector’s way. Deborah Ritchie speaks to Michael Faber, senior consultant at Shapes First, about the most significant of these, and, importantly, how well prepared the sector is to comply

Financial services regulators have been busy lately, and a number of new rules are coming into force at once. Which are the most important of these?

It has indeed been a busy time in financial services regulation, and it doesn’t look like it will let up any time soon. The current regulatory initiatives are very sensible in my view, particularly those that focus on the consumer – improvement is something that all of us want to see as consumers of financial services.

The consultation papers from the Bank of England, PRA and FCA in 2018 on operational resilience focused on the client or customer, introducing the words ‘intolerable harm’, ‘important business services’ and ‘impact tolerance’. These are not to be confused with recovery time objective or maximum tolerable period of disruption. Initial compliance was set for March 2022, with a date of March 2025 for remediation of vulnerabilities.

New PRA rules on third party risk management were developed around the same time, and while the operational resilience regulations also covered third parties, this was a very specific and targeted regulation for all firms covered under the PRA.

Next is the Digital Operational Resilience Act, or DORA, which was agreed in the EU in November 2022, and is now being rolled out through EU member states. The goal of DORA is to ensure that all FS firms in the EU and their suppliers have consistent and appropriate IT systems and services, including IT risk management frameworks, cyber threat protection, operational resilience planning and testing, and a suitable oversight of third parties and outsourcing.

Next is Consumer Duty, which is a considerable and very important undertaking. Back in July 2022 the FCA published new rules and guidance that required regulated firms, and I quote, “to act to deliver good outcomes for retail customers”. In essence this is about ensuring that FS firms focus on working well for its consumers, that they understand the needs of their consumers, and support them in making the right decision for them regarding their financial needs. Particularly relevant in the current economic climate.

Lastly, the Financial Services and Markets Bill has now passed through the House of Commons and is currently going through stages of agreement in the Lords. The Bill includes revoking all EU retained law relating to financial services, although wouldn’t be revoked until new laws were in place to replace it. Another element is associated with the development of a framework for the designation of critical third parties. The UK FS regulators would, in turn, be given more powers to provide regulation over these CTPs with the aim of ensuring their ability, including transparency, to deliver highly resilient services to the sector.

What more needs to be done to fulfil these new duties?

Regulation is so often seen as just a ‘need to comply’ – without considering leveraging the benefits of such work, which I find disappointing. What we are trying to do, and I hope that firms are trying to do more, is instead of doing a tick box exercise, asking how they can turn this into a business benefit rather than just a cost.

Separately, there is more work to be done in third party management. There are obviously benefits to being able to control one’s third parties but sometimes there’s no global policy for this, so contracts are negated on an individual basis.

The last thing, with all these regulations and compliance, is about the need to embed processes, and make them a part of BAU.

You recently made the move from a career within financial services to joining a consultancy practice. How has your career to date prepared you for this move?

The team and I really enjoy working together for a growing boutique consultancy. Each of us has at least 20 years’ experience as practitioners in the finance sector, and we are all happy to roll up our sleeves and do what is needed.

The skillsets that come from any risk or resilience-related work is far wider than the risk field alone, and we have been involved in business transformation, change, project and programme delivery, as well as business process modelling.

We have also been working outside of financial services, with other sectors, including most recently the medical devices manufacturing field, and what we have found is
that the skills we have learnt within the finance sector can be transferred to any industry or sector. Good practice (often driven by the regulators) in the finance sector, is going to be good practice for any industry or sector.

Take consumer duty – for any company that provides a product or service to a customer, ensuring that whatever is developed for the consumer is appropriate for that consumer and is understood. There must also be sufficient management information to continually assess both the journey and that the product or service still meets any change in requirements. Happy customers usually return...

From an operational resilience perspective, formalising what constitutes important business services are, mapping end-to-end all the processes involved, including resources such as the systems and technology used, people, facilities and information. Understanding where disruption can occur, when a disruption can cause ‘harm’ to a customer and putting in steps to ensure that ‘intolerable harm’ to customers does not occur.

Finally, whatever we do as a business, we are most likely to have some reliance on a third party, and often they’re critical. Knowing about their controls, compliance, and incident and crisis management teams and plans is essential in case something goes wrong, which, history tells us, will happen at some stage.

Regulation aside, what’s on the risk horizon for the financial services sector?

From my point of view, risk is everything, so I just talk about the “horizon” rather than the “risk horizon”! To begin with, there will certainly be more regulation, or at least an expanding of the scope of existing regulations to reach further into the sector (for example, senior managers regime to payments services and e-money firms, or operational resilience to previously out of scope firms that offer services to retail customers).

I can also see a degree of consolidation in the offing, with firms looking to diversify quickly or increase market share – this is happening all the time, anyway,
but it’s only the big deals that make the headlines.

There will also be continued activity in the financial services space among the GAFA Big Tech firms, Google, Amazon, Facebook and Apple, which are using their significant reach to provide financial services in some form or another.

Finally, digital assets are here to stay (for now). Forget Bitcoin, though – the real asset is the technology and what it can achieve over time, with smart contracts just one example.

A number of the areas I have highlighted are included in the chancellor’s package of Reforms announced in December, known as the Edinburgh Reform. The aim is to support the government ambitions for the UK to be the “world’s most innovative and competitive global financial centre”.

We will have to wait and see if this will be achieved, and how much more legislation and regulation will be required to get there.


This interview was published in the Q1 2023 issue of CIR Magazine.

Download PDF

Contact the editor