Global Regulatory Themes and the Chinese Market Global Regulatory Network (GRN)

Jun 21, 2020

dariahiddleston

Contents

About the EY Global Regulatory Network

A message from Jack Chan and Effie Xin

1. Global Regulatory Outlook 2019

2. Regulation and Technology

3. Accountability and Technology

4. Financial Crime

About the EY Global Regulatory Network

The EY Global Regulatory Network (GRN) helps clients find approaches to their regulatory challenges, providing extensive experience, leadership and strategic insights on financial regulation. The network also helps EY clients understand and adapt to the impact of the changing regulatory landscape.

Led by John Liver and Marc Saidenberg, the network comprises more than 100 former regulators throughout the Americas, Asia and Europe, including many with senior experience in the Basel Committee, the Financial Stability Board, the European Banking Authority, the Federal Reserve Board of New York, the Hong Kong Monetary Authority and Securities and Futures Commission and the International Organization of Securities Commissions. The network helps clients to understand and adapt to the impact of the changing regulatory landscape, advising on topics such as:

• Capital and liquidity

• Recovery and resolution

• Risk management and controls

• Structure and governance

• Conduct and culture

Learn more at ey.com/bank-risk-regulation

The GRN helps to relate the global regulatory agenda to specific regulatory and compliance challenges in regional markets via a two-way dialogue between GRN members and EY local networks.

Eugene Goyne is the financial services regulatory leader for Asia-Pacific who represents the region on the GRN.

A message from Jack Chan and Effie Xin

The Chinese market is growing in size, sophistication and global importance. The Chinese economy is now the world’s second largest. Its financial markets are increasingly opening to foreign intermediaries. Chinese intermediaries and investment are increasingly going abroad. Chinese regulators are members of the international financial regulation standard setting bodies, including the Financial Stability Board, the International Organization of Securities Commissions and the Basel Committee.

China will set its own standards. But these standards will be influenced by standards set by the global bodies. Further, as Chinese firms expand overseas, they will need to be aware of and prepared for the prevailing international standards.

EY GRN brings together EY partners and staff who are former senior regulators in these international standard setting bodies and key regulators globally. It helps clients navigate the complex global regulatory trends and be aware of the business strategies they need to adopt to stay ahead and manage their regulatory risk.

EY professionals have prepared this collection of the thought leadership from the GRN and global financial crime compliance practice to showcase some of these global regulatory trends and issues that we think Chinese financial firms and regulators should be aware of as they consider the future both in China and abroad. We hope you find it stimulating.

If you would like to know any more about our views on these issues or how EY teams can help you, please contact:

Jack Chan, Regional Managing Partner, Greater China, +852 2629 3508, +86 10 5815 4057

Effie Xin, Greater China Financial Services Market Segment Leader, +86 21 2228 3286

Global Regulatory Outlook 2019

Each year the GRN takes a look at the global regulatory agenda and identifies some key topics. These are highlighted in the 2019 Global bank regulatory outlook: preparing for regulation in the digital age.

In 2019 the focus is very much on digital transformation and the regulatory challenges it will present. These themes will resonate particularly strongly throughout Asia-Pacific and in China, where the impact of technology in financial services is already significant and where take-up of new applications across the population is among the fastest and most extensive in the world.

Supervisors in China will therefore already be acutely aware of some of the issues that international policy makers are having to get to grips with.

Data governance is a major topic worldwide. The debate may develop a little differently in China, where consumers appear more comfortable sharing their transactional data with FinTechs. However, this may change if cyber attacks lead to security breaches, data theft and financial loss. So the Chinese market will need to be aware of and possibly follow policy developments around operational resilience and data protection.

Another interesting issue for the Chinese market is the presence of its technology giants. Regulators worldwide are thinking about how to supervise Bigtech firms and the implications for the existing regulatory perimeter, a topic the GRN considered in the 2019 Outlook.

2019 Global bank regulatory outlook

Preparing for regulation in the digital age

A changing landscape for supervisors: the regulatory environment in 2019

Banks and regulators are operating in an environment that is subject to shifting dynamics. The changing digital landscape raises questions about the use and ownership of data and the boundaries of regulation, in light of differing supervisory approaches to new products and services. This is playing out against a geopolitical backdrop that is creating anxiety in the markets about the credit cycle and future conditions for growth and investment.

The 2019 annual bank regulatory outlook appears at a time when regulators globally are increasingly turning their attention from post-crisis reforms to a new set of emerging risks and priorities.

This shift reflects a regulatory and supervisory policy focus on the digital transformation of financial services and the challenges and risks presented by technological innovation, new market participants and evolving business models. Regulators are transforming too, trying to integrate new technology and data into their own supervisory processes, regulatory reporting and market oversight.

This outlook considers the new challenges for banks and regulators in evolving markets, while each also addresses a set of legacy issues. The key message for firms in 2019 is that the current regulatory transition signals a need to focus on the people, processes and technology to deliver a 21st century, digitized, fit-for-purpose risk and compliance framework.

Regulatory standards and fragmentation

The supervisory and policy agenda is firmly in review mode. Global regulators are reviewing current rules and regulations with an eye toward making them more proportionate and transparent. As the chair of the Financial Stability Board (FSB) said in his letter to the G20 in November 2018, “Safeguarding progress does not mean defending all aspects of reform at any cost. In assessing what is working as intended and addressing any inefficiencies or unintended consequences, the FSB is tailoring not tapering.”1 But there are signs that the consensus on post-crisis objectives is fraying. The implementation of global standards is incomplete and inconsistent across jurisdictions. In some cases, local rules are already subject to review or revision (e.g., in the US, the Federal Deposit Insurance Corporation recently indicated that it will consider easing requirements for resolution plans). It should be noted, however, that local adjustments are often driven by a desire to avoid a “one size fits all” approach that may otherwise cause small and midsize players to comply with rules that are designed for G-SIFIs (Global Systemically Important Financial Institutions).

Business drivers and new technologies

The increased velocity of the transformation agenda and emergence of new market participants, products, service providers and vendor utilities is unprecedented. The EY Global Regulatory Network explored some of the implications in its recent paper on regulation and technology-enabled innovation.2

Regulators and industry participants see significant opportunities to develop new tools to manage risks and enhance the efficiency, safety and soundness of firms and markets. Global and local policymakers are looking to harness and control the development, deployment and operation of new technologies. But the drive to build a more robust control framework in this digitizing landscape is exposing a number of new risks, which we examine in this paper.

Developing markets present opportunities

The growth of emerging market players with their own priorities is an increasing factor on the global stage. In developing economies where applications of new technologies are evolving quickly and are driven by new participants, FinTech is seen more as an opportunity than a challenge. China has several examples of fast adoption, such as commitment to large-scale use of the cloud and the switch from cash to electronic payments. It will be interesting to see what level of regulatory scrutiny accompanies faster implementation in Asia, and to what extent it influences the global agenda.

1 “FSB Chair reports to G20 Leaders ahead of the Buenos Aires Summit,” FSB, November 2018.

2 “How can regulation keep up as technological innovation races ahead?,” EY, July 2018.

A dilemma: the scope of regulation

Having grappled with systemic risk issues and the lack of transparency that characterized the last crisis, supervisors are conscious that similar problems might appear elsewhere in the financial system. The current environment reflects a vibrant and innovative mind-set, but it is also populated by new entrants that have not been through a crisis or experienced seismic market activity; are not subject to the same level of oversight or expectation as financial market incumbents; or may be entirely outside of the existing scope of supervision.

Policymakers, therefore, must assess the existing supervisory framework and decide not only on the extent of the regulatory perimeter, but also the approach to regulation going forward (see sidebar, “Where next for regulation?”).

Questions they need to answer include:

• What set of rules should apply to new entities that take “bank-like” risks?

• How do you treat external entities that create vulnerabilities for banks due to their access to bank systems or external entities upon which banks become critically dependent?

• Should disruptors be held to the same standards as incumbents?

• Will a license or authorization relate to the type of entity or to the type of activity?

The growth of crypto-assets in the last few years illustrates some of the challenges. A consensus that such assets do not yet pose overall systemic risk is accompanied by an equally accepted view that offerings to the public of such assets generate issues around investor protection and financial crime that must be addressed. Lack of agreement on the definition and treatment of such instruments across jurisdictions means that, thus far, the response has been fragmented. Lessons from exploration and testing in regulatory sandboxes and other approaches could be coordinated further to deliver practical and consistent outcomes.

In any event, both regulators and banks are on a steep learning curve due to the fast-moving nature of technology and market applications. Regulators may need to adopt a more collaborative posture with the industry, rather than being a traditional rule giver, when setting standards for new products, services and participants.

Policymakers must decide not only on the extent of the regulatory perimeter, but also the approach to regulation going forward.

Where next for regulation?

Regulators, like the market participants they supervise, must find a way of operating effectively within the new landscape. Post-crisis, the priority for global supervisors was to address systemic issues across international markets and the often-accompanying lack of executive accountability. Now they must decide how best to regulate the new systemic risk presented by the adoption of new technologies, the impact of FinTech on the financial services sector and new nonfinancial market entrants.

Regulators will be looking into a number of issues, such as how they are set up to supervise, and how and what they are supervising. This may lead to a greater insistence on end-to-end chain management so that accountability is not outsourced, and possibly a modification of the regulatory perimeter. The latter will depend on whether there is sufficient change to market business models to suggest that significant activity is being conducted beyond the reach of existing supervision.

Alternatively, could there be a move toward activity-based regulation? The extent of the perimeter is often a result of the scope and type of institutions that national authorities want to capture. Traditionally that has centered on banks, brokers, insurers, asset managers, advisors and various combinations of these. However, in an industry that has seen a paradigm shift in the composition of its participants, with boundaries between regulated and unregulated activities becoming more blurred, a modified approach may be needed.

Historically, some jurisdictions have prioritized the identification of activities as the basis for their scope of regulation, although usually this has been accompanied by a licensing system by type of institution. In the future, a more flexible and proportionate system could allow activities to be undertaken by a wider range of institutions with a calibrated set of applicable rules. These could be shaped appropriately to new entrants depending on whether their role is as a service provider or a provider of services to incumbents. For example, new technology and data giants may be subject to certain conduct, governance and transparency requirements that previously applied only to the traditional financial sector.

Legacy issues: prudential agenda and post-crisis implementation

The largest banks in the world have significantly improved their capital and liquidity position since the crisis. The finalization of Basel III will continue, with a focus on assessing its impact rather than issuing further reforms on capital and liquidity. However, there is still some distance to travel. In terms of the fundamental review of the trading book for example, market risk models and systems will be overhauled, and the costs are difficult to quantify against the backdrop of uncertainty about final outcomes and possible non-uniform implementation in key jurisdictions. Cost and effort are likely to be substantial and may result in a move away from modeled approaches for all but the largest banks. For smaller institutions with more proportionate regimes, there may be different opinions on the criteria for determining what small and less complex means.

There has also been progress on major systemic risk issues of resolution and derivative market transparency, but of course there are still areas to address. Total loss-absorbing capacity and central counterparty clearing will be among the structural issues that continue to pose challenges to institutions and markets in 2019. A key question for governments and regulators is how to balance the time and effort devoted to fine-tuning the legacy risk agenda with the need to focus on new challenges such as cyber risk, operational resilience and data privacy. It would be unfortunate if lack of attention to the new risk agenda resulted in an unforeseen major disruptive event while firms were focused on finalizing the last vestiges of the previous one.

Evolving risks: new issues on the radar

Banks need to manage and anticipate emerging risks. Digital transformation will help, but as our latest annual risk survey highlights, risk managers must quicken the pace at which they embrace and deploy new technologies.3 New tools and processes may provide substantial efficiencies and improve risk oversight if bank management and supervisors can become comfortable with their utilization as part of the overall business journey to digital transformation. We describe below some of the other journeys that firms must make in structures and processes, governance and controls, data management and protection, conduct risk and sustainable finance.

• New structures, new processes

With fundamental structural regulatory reform measures largely in place, the ongoing challenge is to make recovery and resolution work in practice, and validate that financial institutions meet expectations for operational continuity in resolution. And while regulators previously focused on resilience in extreme conditions, more attention is now being paid to less extreme disruptions and on resiliency in business as usual.

Challenges for industry participants: legacy issues and evolving risks

3 “Ninth annual EY/IIF global bank risk management survey: Accelerating digital transformation,” EY/IIF, October 2018.

Supervisors also are focusing on legacy issues which were on the radar without satisfactory conclusion, and which have been carried forward in the new landscape. For example, booking models have been a source of contention for some time. In 2018, the European Central Bank (ECB) outlined its expectations,4 which will require banks to address practices that are linked inextricably to operational resilience and business continuity issues, such as remote booking with third-country entities or branches. Regulators in Hong Kong also are reviewing the remote booking issue.

The shift to alternative reference rates (ARRs) is a fundamental part of global benchmark reform. In recent months, regulators in the US and UK have asked firms to provide board-approved summaries of their assessments of key risks relating to the discontinuation of interbank offered rates (IBORs) and the transition to alternative benchmarks. Regulators expect firms to consider a wide range of scenarios and impacts, including quantification of their IBOR exposures.

The transition will be a significant effort over the next few years for firms that have extensive exposure to IBOR-linked products and contracts. Although this is a very specific technical development, it has an impact on many parts of the banking operation, from front office, treasury, lending, valuation and market risk to IT systems, accounting, finance, legal and compliance.

The journey to more efficient structures

For booking models, the challenge for firms is to reconcile the relevant operational drivers, including capital and liquidity efficiency, tax considerations, client preferences, Brexit and any relevant structural requirements, such as intermediate holding company implementation, while adhering to legal entity governance obligations and external scrutiny from regulators. In doing so, firms will have to allay supervisors’ concerns that structures may be too artificial or opaque.

As for reference rates, the move from IBOR to ARR necessitates management of contract continuity and product viability risk together with robust governance, including identification of a senior manager responsible for overseeing the analysis required and implementation of transition plans.5

4 “Supervisory expectations on booking models,” ECB, August 2018.

5 See also “End of an IBOR era: key transition challenges for the financial services industry,” EY, April 2018.

• Governance and controls: Enhancing the framework

Governance and risk management: In the shifting post-crisis regulatory landscape, several trends have emerged in recent years to enhance the governance and risk management framework:

• The emergence of greater executive accountability measures in certain jurisdictions

• An evolution in the three-lines-of-defense framework, including the transfer of risk ownership and management responsibilities to the first line

• Heightened focus on risk culture

• A revised approach to risk appetite to include nonfinancial risks

• Greater use of data management, advanced analytics, artificial intelligence (AI) and robotics in compliance and risk monitoring

As a result, regulators now expect to see a framework that has a more integrated risk control function, and more robust independent challenge by the second and third lines, combined with a more developed internal audit role to allow it to independently review the risk appetite framework and overall risk governance.6

Operational resilience and cyber risk: For many years, supervisors have issued rules and guidelines on systems and controls, business continuity, contingency planning, IT security, cybersecurity and so on. However, the era of digital transformation has brought these issues into sharper focus with the increased threat of cyber attacks and the internal challenges of enhancing or replacing legacy IT systems. These systems and staff perpetuate different classifications, inconsistent risk measures and the inability to aggregate data, while new technologies and products test the effectiveness of existing processes.

To supplement existing rules and guidance, regulators are now turning their attention to specific measures to strengthen operational resilience. In the US, the Office of the Comptroller of the Currency and the Federal Reserve have identified operational resiliency and cybersecurity as priorities in their 2019 bank supervision programs. In terms of cyber resilience specifically, the December 2018 Basel Committee report will be a guideline for future standards.7

Risk management frameworks typically focus primarily on the resilience of individual systems and processes, but UK authorities have challenged firms to improve their approach to end-to-end mapping of critical business services (including vendor resiliency), and to better align it to their operational risk frameworks.8 In terms of measurement and assessment, regulatory attention is likely to move toward enhanced stress-testing standards considering resilience, impact tolerances (including impact on end customers) and refining performance metrics.

6 See also “Ninth annual EY/IIF global bank risk management survey: Accelerating digital transformation,” EY/IIF, October 2018.

7 “Cyber-resilience: range of practices,” Basel Committee on Banking Supervision (BCBS), December 2018.

Third-party risk management: This is another issue rising to the top of the priority list. As firms seek ways to reduce costs, outsourcing and the use of vendor services and cloud computing are now significantly more fundamental to their operations — making the need for a robust third-party risk management framework more essential than ever before.

Consequently, regulators are becoming concerned about financial institutions’ increasing reliance on service providers to support some of their critical infrastructure, the use of the same providers by too many financial institutions, and the widespread use of the cloud. This is a new systemic concentration risk, which supervisors have yet to fully address. The recent UK paper9 is an early indicator of what supervisors’ expectations will be, such as the requirement that outsourced providers meet the same requirements as internally provided services. Final guidelines on outsourcing also are expected from the European Banking Authority (EBA) in 2019.10

8 “Building the UK financial sector’s operational resilience,” Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), July 2018.

9 “Building the UK financial sector’s operational resilience,” PRA, BoE and FCA, July 2018.

10 “EBA Draft Guidelines on Outsourcing Arrangements,” European Banking Authority, June 2018.

The journey to enhanced governance and resilience

In risk governance, front-office staff need to be more fully trained on risk, and compliance officers are being called on to advise and support development of the control function on the front line. The second- and third-line control functions also must evolve and make greater use of new techniques and technologies. We have been exploring these challenges in our series of papers on regulation and technology-enabled innovation,11 and we will discuss the implications for risk management in more depth in 2019.

Regulators will expect banks to position operational resilience squarely as a boardroom priority, alongside financial resilience. This is critical to enable the business to take greater ownership of resiliency preparation and oversight. Boards are reviewing resiliency, but have not yet tackled the full breadth and depth of the issue. Where they specifically focus on operational resilience, it is typically through a cyber or technology resilience lens or by looking at third-party dependencies. Some boards have not yet recruited directors with the necessary skills and capabilities to provide oversight and effective challenge. Boards will need to drive a cultural shift in their firms to consider the topic more holistically and move to a mind-set of: “This is very likely to happen, so let’s be prepared.” Key actions to strengthen operational resilience, both in-house and in using third-party vendors (especially as regards cyber risks), include:12

1. Establishing appropriate governance frameworks for resilience, with appropriate accountabilities and reporting lines

2. Identifying and assessing both the impact of and potential mitigants to potential resiliency threats

3. Designing and maintaining contingency plans to address any issues arising

4. Testing of processes/technologies for day to day resiliency as well as under stress conditions, including the efficacy of any contingency plans

In terms of third-party risk, firms still tend to undertake resilience testing without involving the key third parties they may depend on. This is an increasingly significant omission given their rapidly growing reliance on outsourced services, or on other parts of the organization in the case of larger groups. Many of the new service providers are operating in a partly regulated or unregulated space. What is their operational resilience capability? An end-to-end business services view of resilience is essential. Management should acquire a good understanding of the end-to-end capabilities and vulnerabilities of the operating environment, with regular updates provided to the board.

11 “How can regulation keep up as technological innovation races ahead?,” EY, July 2018.

12 See also “Getting serious about resilience: a multiyear journey ahead,” EY, 2018.

• Managing and protecting data are priorities

Regulators have made it clear that data is high on their agenda, and they will be increasingly demanding on this front, with more frequent and detailed reporting and ad-hoc investigations. The CEO of the UK Financial Conduct Authority (FCA), Andrew Bailey, has said: “My assessment based on events over the last year or so is that data issues have been the fastest-rising risk on our landscape.”13

Data management needs further work: Banking is a data-reliant industry. Banks require timely, accurate and meaningful data, and these requirements are equally important for supervisors, clients and markets. Clients are expecting user-friendly communication tools, and marketing departments are calling for more smart data. Investors and the wider market require greater access and transparency. All of this necessitates a more strategic approach for data governance and management. The BCBS Principles for effective risk data aggregation and risk reporting (BCBS 239), released in January 2013, were designed to generate an uplift in data quality and management, but this remains an area of focus for supervisors. There is still work to be done, as further automation of the middle and back office has the potential to be quite transformative.

Data privacy in sharp focus: Looking ahead, banks will not only have to better manage data, but also contend with more stringent demands for data privacy. The General Data Protection Regulation has been in force across the European Union since May 2018, and more data privacy regulation will surely follow in other parts of the world.

At the same time, open banking initiatives are taking hold in many jurisdictions, creating an immediate tension between data access and data protection, and raising questions around liability for data breaches. The regulatory perimeter issues mentioned earlier are brought into sharp focus, because financial firms providing data to third parties generally retain much of the privacy and security risks associated with how it is used, but do not benefit from any reciprocal obligation for those third parties to share their own data.

This area of regulation is essential to allow the customer to control their personal data, which will mean approaching the challenges somewhat differently in order to safeguard public policy objectives. If data privacy regulation becomes too onerous, it could compromise open banking or act as an effective barrier to entry for new participants. How regulators manage this trade-off between security and openness will be a crucial part of data regulation.

13 Speech by Andrew Bailey at the Annual Public Meeting of the FCA, September 2018.


The journey to strategic and compliant data management

Significant investments have been made in storage and accessibility, but challenges in data stewardship still remain. Data architecture must be designed to harness data not just for regulatory and risk control purposes, but also to create increased analytical capabilities. The key steps to push through now are risk alignment, standardization of processes and aggregation of data from multiple sources. Machine learning, AI and Natural Language Processing can help to integrate customer, transaction and risk management data to support decision-making processes, but their application must be accompanied by the necessary enhancements in data lineage governance, data ethics standards and overall accountability for their use.

The old refrain of “let the data officer deal with that” is no longer a sufficient response. Institutions will have to develop an integrated data privacy framework with full risk management disciplines of assessment, tolerance, testing, metrics and monitoring with escalation up to board level, supported by entity-wide training and awareness programs. As part of the shifting risk ownership towards the first line of defense, data privacy should be embedded in business-line thinking.


• Conduct risk and financial crime are constant threats

Misconduct issues abound: Conduct risk is a perennial challenge, although at any point in time, there may be particular issues that take center stage. Regulators are as preoccupied as ever with misconduct issues, and the stream of enforcement cases in different jurisdictions shows little sign of abating anytime soon.

However, the message from the regulator that accompanies many of those cases is that the implementation of accountability regimes has made it easier to bring action and impose disciplinary measures. Initiatives to improve culture and ethics in the industry can go only so far, and will have limited impact without a framework for accountability and enforcement to back them. For example, in Australia the Royal Commission Interim Report14 has been published at a time when the Banking Executive Accountability Regime (BEAR) has just been implemented. Initiatives such as BEAR will play a key role in addressing drivers of misconduct, such as incentive schemes linked to sales targets, conflicts of interest, ill-designed remuneration structures and absence of deterrent action.

In countries such as the UK, where the Senior Managers Regime has been in place for a little longer, there is evidence that practitioners accept its value in improving internal governance and making the job of compliance and risk management easier. Ultimately, the behavioral change that these regimes will drive will be determined by initial enforcement cases and perceived reasonableness of the regime in practice.

14 Interim Report, The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, September 2018.


Financial crime is an ongoing threat: The fight against financial crime continues to be a global priority. In Europe, the EBA has published several regulatory technical standards on anti-money laundering and counter-financing of terrorism issues. The efficiency of national supervisors will be under scrutiny. No doubt this will mean increased pressure on financial institutions, which already have to deal with more complex sanctions regimes and increasing requirements to identify tax avoidance. In addition, the process of proper due diligence and risk assessment may lead to the unintended consequence of under-banked sectors, particularly in correspondent banking.

Sustainable finance — a new risk dimension: The demand for accountability is not only reaching deeper, but is also broadening in scope. Environmental, social and governance (ESG) issues, and in particular the sustainable finance agenda, will become a key element in firms’ strategic planning and risk profiling. The September 2018 report by the Task Force on Climate-related Financial Disclosures noted that “…the majority of the firms surveyed disclose information aligned with … recommended disclosures.”16 The disclosures so far vary in scope and quality, mainly describing climate-related risks and integration into risk modeling, rather than the financial impact on the company itself. A more prescriptive approach may be the next step, including possible inclusion of ESG in supervisory evaluations and stress testing. Regulators will be taking the proposals further in 2019.

15 “Banking Conduct and Culture: A Permanent Mindset Change,” remarks by Group of 30 Steering Committee Vice-Chair Gail Kelly, November 2018.

16 “Task Force on Climate-related Financial Disclosures: Status Report,” FSB, September 2018.

The journey to better conduct and crime detection

The challenge for the conduct agenda now is to move from setting the tone from the top to embedding positive culture and behavior throughout the firm. The recent report by the Group of Thirty emphasizes that “Middle management in particular plays an integral role in embedding cultural reforms. Leading by example and ensuring that day-to-day activities at the front line are consistently aligned with company values is critical.”15 Firms that apply such rigor will be better placed to drive positive change across their organizations.

In recent years, huge figures have been incurred — both in terms of costs and staff numbers — by firms responding to deficiencies in financial crime detection. This is the area with the greatest potential to leverage advanced technologies. It is now essential to make processes more efficient via the use of AI and machine learning in both client profiling and smarter transaction surveillance.


The journey to a healthy risk and compliance framework

Change will be needed throughout and across entities, groups and their vendors. But it can and should be driven from the top.

At board level, greater diversity is becoming not just a regulatory expectation, but an operational necessity. Now boards must include individuals who understand not just financial risks and regulation, but also IT; models; KPI, MI and metrics; cyber; resilience; third-party risk management; financial crime; accountability; and the evolving agendas of technology and sustainable finance. The upside of executive focus on these challenges is the opportunity to break down silos and inject more skill diversity into corporate governance and risk oversight.

At a management level, now is the time to review and enhance:

• Operational committees, to deliver representative governance

• Risk frameworks, to achieve greater alignment and improved data quality

• New business and product approval mechanisms, to facilitate sound market and customer outcomes

The aim is to get the right stakeholders at the table to evaluate the risk implications on an end-to-end basis of operational, strategic and business decisions across the value chain, including the product life cycle, marketing, client segmentation, pricing and remuneration.

If boards and senior management take care not to underestimate the importance of legacy issues, become proactive about the future, build the right skills and develop new ways of working, they can deliver more agile and efficient risk and compliance frameworks equipped with the latest technologies, and new roles with new skill sets.


Further reading

“Ninth annual EY/IIF global bank risk management survey: Accelerating digital transformation” EY/IIF, October 2018.

“How can Regulation keep up as Technological Innovation Races Ahead?” EY, July 2018.

“As technology moves ahead, are utilities the upgrade you need?” EY, October 2018.

“As technology advances, will accountability be a casualty?” EY, December 2018.

“End of an IBOR era: key transition challenges for the financial services industry” EY, April 2018.

“Getting serious about resilience: a multiyear journey ahead” EY, 2018.

“EY’s response to ‘Building the UK financial sector’s operational resilience’” EY, 2018.

“What’s after what’s next? The upside of disruption” EY, 2018.

“Fintech ecosystem playbook” EY, November 2018.


Regulation and Technology

In its paper, How can regulation keep up as technological innovation races ahead?, the GRN set out some key considerations for banks and regulators as they assess their readiness for a digital future.

In today’s China, the rapid development of the financial services industry and the huge investment in financial technology companies objectively place higher requirements on the relevant specialized regulatory supervision. Accordingly, the related issues mentioned in this article have also received greater attention from all parties. It stressed that it will continue to follow the principle of ‘righteousness, security, inclusiveness and openness’, and that it will set up a system of rules for the regulation of Fintech, improve and innovate the regulatory mechanism and create a favourable policy environment for Fintech development.

The PBoC will face the same dilemma as regulators elsewhere in the world: can China balance security and operational resilience with speed of innovation? The growth of new services such as open banking illustrates the dilemma:

“China’s open banking experiment has seen innovation thrive and consumer adoption accelerate faster than anywhere else in the world”, Effie Xin, Greater China Financial Services Market Segment Leader.

Clearly the influence of Fintech in China’s financial services sector generates huge potential to leverage data from, among other things, e-payment, messaging and social media sources. However, as the GRN has pointed out, the challenge is governing, not just mining, data. Technology-led approaches to protect data have the potential to manage the risks.


How can regulation keep up as technological innovation races ahead?

The digital revolution brings new risks and old risks with new twists, challenging regulators and firms to adapt and adopt new strategies to keep markets and customers safe.


It’s “time to face the future.” That’s the headline message of the 2018 edition of EY’s Global Regulatory Outlook. As the final pieces of the post-crisis puzzle slide into place — including the conclusion of Basel III negotiations in December 2017 and the commencement of the EU’s MiFID 2 in January 2018 — the wave of reforms across key financial centers, devised in response to the financial crisis, and the resulting G20 agenda for post-crisis regulatory reform, has crested.

The story so far

Before we turn to the subject of regulation, though, we should review the state of the financial markets as this technological revolution gains momentum. Financial markets are changing rapidly. Technology companies have been at the forefront of this rush of innovation. Many such firms started out as providers of technology approaches to traditional banks. Operational platform providers offering, for example, products that record, monitor and report transactions continue to expand in parallel with increasing regulatory requirements.1

Others, including well-known global digital platforms, have no previous track record in financial services but have already attained a dominant position in their respective markets. They have been quick to exploit corners of financial markets subject to lighter or phased regulatory burdens, such as payments facilitation and platforms that connect buyers and sellers of financial services such as loans and insurance. Their strategies have enabled them to build market share without immediately shouldering the same costly operational and regulatory burdens as full-service financial institutions.

Meanwhile, the launch of “open banking” initiatives in many jurisdictions has revealed a new landscape of opportunities. New rules mandating permissioned access to customer financial information held by banks to other service providers have opened up opportunities for all firms, particularly new market entrants. Application program interfaces (APIs) set standard access and security protocols that enable approved third parties to gather customer data made available by financial firms (with the customer’s consent). Somewhat controversially, financial firms providing data generally retain at least some of the privacy and security risks associated with how it is used but do not benefit from any reciprocal obligation for those third parties to share their own data.

Nonetheless, this innovation enables technology firms of all stripes to offer tailored services — including account aggregators, budget tools or investment platforms — directly to financial customers who are increasingly happy to share their data in return for customized products. These services will themselves generate even more data for service providers to monetize.

Against this backdrop, we see our clients using a range of new technologies, including artificial intelligence (AI), robotics, analytics and blockchain, to digitize their businesses, launch new ways of servicing their clients and deliver vital market services more efficiently. At their most successful, many of these new developments are delivering increased revenues, reduced costs for firms and better customer experiences. But now market participants and regulators alike are turning their attention to the other consequences of increasingly digitized markets.

1 ASEAN FinTech Census 2018, EYGM Limited, 2018.

“Change has never happened this fast before, and it will never be this slow again.”

Graeme Wood, Australian digital entrepreneur, philanthropist and environmentalist


• A top 10 US bank is piloting natural language chatbots, powered by AI, to respond to customer inquiries (including emojis), tailor offerings and enhance the customer experience.

• A UK banking leader uses AI to monitor and analyze sales conversations, which is expected to drive efficiencies in compliance monitoring.

• Using its capital market blockchain platform, a top Australian bank has issued a prototype cryptobond that can automatically pay coupons to holders when due.

• A leading bank in Singapore is working with graduates from its accelerator program on an AI-powered tool that counters money-laundering.

• A top Swedish bank uses an AI platform to enhance customer relations.

New risks, and new twists on old risks, inevitably follow from the introduction of new technologies, new market entrants and new ways of working. Systems can fail and undermine market stability, machines can make decisions with unintended consequences that harm customers and markets, and the almost-limitless data that is the lifeblood of the digital world can be manipulated, misused, stolen or, because of its sheer volume and complexity, even inadvertently used to disguise criminal behavior.

Despite these and other potential hazards, regulators and firms see significant opportunities to use the same technologies employed by financial firms to manage risks and enhance the efficiency, safety and soundness of markets. Global and local policy bodies are more aggressively addressing the need to harness and control the development, deployment and operation of new technologies. But the drive to build a more robust risk, regulatory and control framework to operate effectively in this digitizing landscape is exposing a number of practical issues and potential conflicts for all participants. Perhaps the greatest of these challenges is effective engagement among financial firms, nonfinancial new entrants, regulators and governments to devise approaches that work to the benefit of all.

The rise of regional innovation hubs


Banks around the world are working with FinTechs or internal teams to drive innovation, new products and enhanced services.


New technologies are already making an impact …

There are many and varied examples of how the digitization of financial markets has enhanced and extended the end-user experience. API-powered online platforms — which allow multiple firms to interact and access and update data — have grown significantly and improved access for smaller firms and individuals that might otherwise have struggled for attention. Algorithms fronted by bots that use natural language processing (NLP) to understand written or spoken customer queries now deliver financial advice based on pre-programmed investment strategies and responses to standardized questions posed to potential investors. Proponents argue that these technologies can increase access to financial services and advice, as well as, some say, its consistency.

Complex algorithms have also transformed the speed and volume of trading in capital markets. Investors use algorithms to make decisions about when and where to trade and, in some cases, what and how much to trade, too. Bare-bones early models are giving way to algorithms augmented with advanced AI capability such as evolving “brain-like” neural network technology. Such enhancements enable the algorithms to adapt and improve their decisions as they absorb increasing amounts of data about the outcomes of trades.

The addition of NLP enables the machines to “read” news and other digital information sources to further evolve strategies and initiate trades in response. The Bank for International Settlements estimated in its 2016 report, “Electronic Trading in Fixed Income Markets,”2 that up to 85% of trading in key asset classes such as equities and futures was initiated, in whole or in part, by computers. There is, however, no consensus around the question of whether these systems enhance or weaken financial stability.

Finally, distributed ledger technologies (DLT), often referred to as blockchain, are underpinning new methods of record-keeping and transacting and even new mediums of exchange. Cryptocurrencies have led the charge, with proponents touting them as a secure, anonymous store of value. Supporting them is a burgeoning array of exchanges and providers of “wallet” technology to record and transact in these new instruments. Although cryptocurrencies have attracted the most publicity (and caused considerable controversy), other DLT applications hold the promise to achieve less-controversial goals, such as creating more secure ways to record identities, transactions and changes of ownership. Commonwealth Bank of Australia, for example, has recently launched a prototype “blockchain bond” featuring embedded issuance and payment agency functions such as recording ownership and initiating (via a “smart contract”) payment of interest to the owner of record as of the coupon date.


2 “Electronic Trading in Fixed Income Markets,” Bank for International Settlements, 2016.


Tapping the new tools to strengthen risk management and compliance

While the rapid pace of industry innovation continues and even intensifies, traditional firms and regulators are just beginning to use and explore how new tech can deliver risk management and regulatory compliance more efficiently and effectively. Firms have started to consider how best to deploy AI tools to enhance existing control processes.

Some are using machine learning to administer and improve traditional control testing activities. Others are employing AI to enhance the scope and effectiveness of monitoring and surveillance tools that seek out fraud, market abuse and money laundering. Still others are experimenting with machine learning and NLP to power internal “bots” that monitor customer calls and identify potential breaches of policy. Management is looking for ways to extend the scope of these efforts and discover new opportunities to lower compliance and control costs while improving regulatory performance. But cost, the difficulty of working around cumbersome legacy systems and, in particular, uncertainty over how regulators will respond to “teething troubles” in this experimental landscape are all limiting investment.

Regulators are learning from their own and the industry’s early forays into new technology. Many efforts are intended to help speed up and improve the experience of new entrants to the market. A growing number of regulators are operating regulatory “sandboxes,” innovation labs or innovation hubs to test out new, technology-led services. These facilities enable firms to test services in a safe environment and identify potential risks well before they seek authorization for themselves or their products.


In other cases, governments and regulators are exploring centralized digital records of individual and company identities, which allow firms to treat the identity of registered, potential new clients as already initially recognized by a “trusted source.” Such records depositories can eliminate thousands of hours of repetitive due diligence. The Monetary Authority of Singapore (MAS) is also working closely with local and foreign banks to establish a Know Your Customer (KYC) Shared-Services Utility with the intent to streamline end-to-end KYC. The Utility, which Singapore hopes to launch later this year, will access trusted identity sources, including Singapore’s “MyInfo” digital ID, to perform customer identification and verification. It will also centralize key KYC activities including collecting and validating KYC documents, along with screening against sanctions and blacklists.

Others are increasingly looking at opportunities to employ technology to support their own policy and supervision efforts. Some are using machine learning, for example, to enhance surveillance of market activity and check the validity and accuracy of reports and models that firms submit to them. Others, such as the UK’s Financial Conduct Authority (FCA) and the MAS, are thinking further ahead to opportunities to fundamentally rewire how some regulations are communicated and fulfilled by digitizing and automating the process. The FCA, for example, has recently conducted proof-of-concept tests to explore fully automated regulatory reporting. In these tests, machines both published and directly interrogated and collected firms’ data, which could ultimately reduce intermediate processing and enhance the consistency of reporting obligations and returns.

Regulatory and policymaking bodies, including the Financial Stability Board (FSB)3 and the MAS4 in Singapore, are exploring the possibilities of supervisors scaling up capabilities in AI and NLP. These technologies could help supervisors monitor political, economic and market activity; spot signs of trouble ahead; and, perhaps most important, match the speed and pervasiveness of computer-generated trading and transactions.

Finally, regulators are analyzing new products such as cryptocurrencies to determine what purpose they serve, how they are marketed and to whom, and how they perform over time. Regulators can then determine whether to apply regulations analogous to those governing similar activities and products, where possible, or define a new class of asset or service where not.

3 “Regulatory and Supervisory issues with Fintech,” FSB, 2017.

4 “New $27 million grant to promote Artificial Intelligence and Data Analytics in Financial Sector,” MAS, 2017.


But when it comes to using new tech to control new tech, it’s early days yet …

For all the progress that firm management and market supervisors have made, they are still groping their way forward as they attempt to identify and describe the risks posed by new technologies and new ways of doing business. Attaining clarity and establishing accountability over how the “machines” (which are, in fact, complexes of hardware and software) are designed and built and how they operate are proving difficult. So is anticipating what could go wrong. This challenge grows more acute as the pervasiveness, complexity and intelligence of machines accelerate.

At the same time, confidence in the effectiveness of traditional controls has eroded in the face of massive increases in the volume of data and the speed of processing, which can only be matched with digital tools. Market stakeholders each have their own views of how much protection should be in place over the data flowing into and out of these digitized markets, how that protection should function, and who should provide it. Regulators and supervisors are exploring these issues and asking many questions, but finding the answers (and the funding) to satisfy them is most often the obligation of the management of traditional financial firms.

These efforts are all steps in the right direction. In our view, however, effective risk management in a rapidly digitizing landscape necessitates a more fundamental reassessment of how all market participants should contribute to deliver a more transparent, balanced and connected risk management ecosystem. Firms, investors, regulators and their advisors need to revisit old principles, ask new questions and collaborate much more than before to deliver answers that meet future needs rather than patch the past. Below are some of the overarching considerations that we think should guide these efforts. Over the coming months, we will share our thinking on these and other questions that need to be asked, as well as some of the options we see to move the dialogue forward.

Shared compliance effort

Scale, consistency and investment in leading practices and common standards are the keys to reaping maximum benefit from technology in financial markets. Creating these conditions encourages improvements in how machines learn, leverages their speed and capability, and supports genuinely market-wide services as well as risk management. But most financial firms are constrained by scarce resources, limited reach, high investment requirements and fragmented processes. Collaborative effort could help address the issues impeding more widespread adoption in critical compliance and market monitoring activities.

Standardizing to accelerate path to more effective digital compliance

Machines operate on rules, and algorithms improve as data inputs accumulate. But firms and regulators employ inconsistent and unclear definitions and standards for rules and requirements, along with the fragmented data and processes used to meet them. The siloed information and activity that results limit opportunities to deploy new technology where it could be most effective: in providing market-wide services and approaches. Roadblocks to date have slowed progress toward data standardization, but combined industry and regulatory effort may drive a solution.


Rethinking accountability and transparency to share the load

Senior bankers have been left in no doubt that they will be held accountable for their organizations’ failings, large and small. But that accountability is approaching its practical limits. Regulators often hold bank executives accountable for every aspect of the business, including outsourced services and data that third parties access and reuse. Machines are also influencing ever more day-to-day decisions, even as the logic the machines use to reach these decisions grows ever more opaque as technology advances. We will revisit current approaches to accountability and consider some of the specific challenges and possible responses to help management meet their obligations.

Reassessing risk management to accelerate progress

New technologies are generating both new risks and new ways in which old risks can arise. The practice of risk management was built around quantifiable risks such as market, credit and liquidity. And while the misconduct scandals of the past decade have drawn attention to less-quantifiable types of risk, risk-management frameworks at many firms are often still fragmented, backward-looking and focused on discrete details rather than the big picture. Traditional risk-management principles need reimagining to address a world in which risks can manifest themselves in milliseconds and multiply exponentially, sometimes outside the control of any single person, firm or function.

Governing, not just mining, data

The use and management of data will make or break the financial markets of the future. The growing volume of data poses opportunity and risk in equal measure. Customers see the benefits of faster, customized services that open access to data can enable. But it’s increasingly clear that advancing technology can create opportunities to abuse that access, especially as cloud approaches add complexity and new dynamics to the data ecosystem. Only technology-led approaches to monitor, analyze and protect data can match the scale and magnitude of these risks and enable their management. In future publications, we will look at some of the specific issues and approaches that could improve existing data governance frameworks.

Summing up

Technological advances offer opportunities to massively improve the efficiency and outcomes of financial markets. Technology’s rapid rise and the accompanying increases in scale and complexity also create new challenges for meeting regulation’s unchanging objectives: managing market instability and avoiding harm to customers and counterparties. As market participants and supervisors explore the use of technological advances, we expect regulators — together with other market participants — to ask new questions of old methods to build a more agile and digitally enabled regulatory foundation for the future.


Accountability and Technology

The GRN paper entitled, As Technology Advances will Accountability be a Casualty?, examined how digitization is raising questions around who is responsible for the outcomes that are being driven by new applications. The GRN paper highlighted the importance of transparency and explainability around artificial intelligence (AI) and policies to ensure challenge and validation of AI applications.

These issues have been identified in China. In June 2019 the China New Generation of Artificial Intelligence Governance Committee presented their ethics guidelines for trustworthy artificial intelligence: “The New Generation of Artificial Intelligence Governance Principles – Developing a Responsible Artificial Intelligence”. The main topic was “Responsible AI”, covering eight essential criteria: Harmonious and Friendly, Fair and Square, Inclusive and Shared, Respect of Privacy, Security Controllability, Undertaking the Responsibility Together, Open and Collaborative, and Efficient Governance.

In particular, the guidelines have emphasized that AI developers, users and other interested parties should have a high sense of social responsibility and self-discipline, and strictly abide by laws and regulations, ethics and standards. Also, that the AI application process should ensure that people have the right to be informed and be notified of all possible risks and impacts.

Another challenge for accountability is presented by the increased presence of Bigtech. A striking example is mobile payments, where two firms account for over 90 percent of the overall Chinese market. Given the size of the Chinese population, this represents a huge responsibility and security obligation from a service provider to the functioning of the market and the business continuity of firms.

If Bigtech, for example, remains outside mainstream regulation, how will it be made accountable and how will requirements be constructed that are proportionate to such enormous scale?


As technology advances, will accountability be a casualty?

As the application of technology increases, the accountability mandate must evolve to remain an essential part of the governance toolkit.


Regulators and firms alike can be encouraged by the ways in which digital technologies can improve market oversight and the efficiency and effectiveness of their risk controls. But they must also be mindful of technology’s potential to increase risk and rapidly propagate adverse outcomes across the entire market landscape.

Senior managers of regulated financial institutions, in particular, are examining how they should address the fast-changing risk environment so they can satisfy expanding regulatory expectations and contribute to the safety and stability of financial markets. Regulators will require them to demonstrate that the risk controls they have put in place in their own operations, as well as those performed by third-party providers, are adequate; they also must demonstrate that they can mitigate the risk of adverse outcomes as those operations become increasingly automated. In a recent speech, the UK Financial Conduct Authority (FCA) Chair, Charles Randell, issued a warning: “There’s also a danger that the use of technology will degrade people’s willingness to judge and intervene, because they feel that they are less personally connected to consumers and consumer outcomes — the logic of the machine has taken over from individual responsibility.”1 The increase in the application of technology, together with a reduction in human intervention, therefore only emphasizes the importance of fulfilling the accountability mandate.

In this paper, we set out to explore how the more familiar ideas of accountability that have existed and evolved in the post-crisis era are now being reassessed in the wake of technological transformation. Starting with a firm’s management and control structures, we then examine the issues around innovation and deployment, and, going beyond the institution itself, in terms of relationships with vendor services and infrastructure providers.

1 “How can we ensure that Big Data does not make us prisoners of technology?” FCA, July 2018.


As digital technologies become ever more integral to the provision of financial services, firms and regulators are having to come to grips with the way technology is changing their operations and relationships with other entities in the financial ecosystem, as well as with technology’s effect on the risk environment.


Accountability regimes under review

Regulators in key jurisdictions, including Australia, Hong Kong, Singapore and the US, are following the lead of the UK Senior Managers Regime and have implemented, or are developing, regimes that seek to allocate greater individual accountability for risk, compliance and governance to senior management. Such regimes naturally include technology risk, so another trend is for specific guidelines to apply, such as those of the Hong Kong Monetary Authority (HKMA)2 and the Monetary Authority of Singapore (MAS).3 The MAS emphasizes that the “board of directors and senior management should ensure that a sound and robust technology risk management framework is established and maintained.”

Notably, the UK Prudential Regulation Authority (PRA) has defined the specific roles within regulated entities that are accountable for algorithms and specified the extent to which the boards of regulated institutions are to be held responsible for their use.4 These responsibilities include approval, testing, deployment, documentation and audit.

It is expected that a firm’s governing body or, where applicable, its risk committee should set the governance framework for the firm’s use of new technologies, as well as define responsibilities for approval and oversight. In practical terms, duties may be allocated or delegated based on expertise, for example, to the IT, risk and business/product development committees, but this should always be within the parameters of the overall risk management framework established by the board. The traditional three-lines-of-defense model (3LoD) is seeing a shift of risk management toward the first line, so it is essential to include accountability for use of new technology given that applications of FinTech tend to be developed more rapidly in the revenue-generating parts of a firm.

In the 2017 edition of our annual global bank management survey, EY professionals and the Institute of International Finance (IIF) observed that, although institutions have moved significant resources to the first line to support business-leader accountability, the tougher challenge is in making the new model effective and efficient. Much of that challenge lies in the introduction of new technology and the corresponding need to develop a new control framework and communicate clearly its operation and oversight. “Regulators and boards will want strong evidence that risk management and controls remain robust … they will want to know risk management is faster and smarter, not simply cheaper.”5

Regulators face challenges too. They are conscious of the potential gains from innovation and want to deliver a welcoming environment, such as a sandbox, while being cognizant of the potential risks. However, their closer involvement in assessing part of a firm’s business model in the sandbox raises the question of the extent to which they could subsequently take supervisory or enforcement action related to activities previously tested. Holding a firm accountable could be more difficult if the feedback received in a testing environment were highly positive, akin to approval, or felt like advice or guidance from the regulator to the firm.

2 “General Principles for Technology Risk Management,” HKMA Supervisory Policy Manual module TM-G-1.

3 “Technology Risk Management Guidelines,” MAS, June 2013.

4 “Algorithmic Trading: Supervisory Statement 5/18,” PRA, June 2018.

5 “Restore, rationalize and reinvent: A fundamental shift in the way banks manage risk,” EY/IIF, October 2017.


Black box or black hole?

A robust technology risk management framework may deliver the necessary governance structure, but at the level of individual processes and applications, there are still significant challenges. The workings of the most advanced decision-making technologies are anything but transparent, and even experts are challenged to understand the logic governing some machine-generated decisions.

Regulators are now including requirements to deliver accountability in the first phase of rulemaking addressing the digital agenda. Article 22 of the EU General Data Protection Regulation (GDPR) contains a “right to an explanation” provision. This provision gives an individual, when they have been subject to fully automated decision-making (and where the outcome has a significant impact on them), the right to ask for an explanation as to how that decision was reached or to ask for a human to make the decision. This would appear to create an immediate problem for black box, artificial intelligence and machine learning technology, since transparency and explainability still remain difficult to achieve.

In its 2018 paper on machine learning models,6 the Future of Privacy Forum explained how the 3LoD model could be applied to help address the issue of explainability, i.e., by using specialist personnel in key roles across the 3LoD to take responsibility for data, applying subject-matter expertise and, most crucially for accountability, delivering robust challenge and validation disciplines. In an environment where machines are increasingly developing themselves, the oversight challenge for management becomes exponentially more difficult; therefore, the evolution of the skill set in the 3LoD seems inevitable.

6 “Beyond Explainability: A Practical Guide to Managing Risk in Machine Learning Models,” Future of Privacy Forum, June 2018.

New recruits to the 3LoD:

• Data owners: responsible for the data used by the models; often referred to as “database administrators,” “data engineers” or “data stewards”

• Data scientists: create and maintain models

• Domain experts: possess subject-matter expertise about the problem the model is being used to solve; also known as “business owners”

• Validators: review and approve the work created by both data owners and data scientists, with a focus on technical accuracy; oftentimes, validators are data scientists who are not associated with the specific model or project at hand

• Governance personnel: review and approve the work created by both data owners and data scientists, with a focus on legal risk

From “Beyond Explainability,” Future of Privacy Forum, June 2018


In the same vein, a recent EY report suggests steps firms can take to make sure that they are accountable for, and build trust into, the AI systems they deploy.7 Institutions should take a holistic approach to those systems by taking into consideration not just their business and technological implications, but also their broader ethical, social, environmental and regulatory impacts — and should do so across their life cycles, from design to implementation, and to continuous monitoring as the systems themselves learn and evolve. The explainability requirement is central to this approach because it requires that firms have a strong grasp of how the system functions and evolves, as well as clearly defined lines of accountability. Leading tactics that institutions are using to achieve this level of accountability for AI systems include putting in place robust policies and standards specific to AI development, using validation tools, conducting regular inventories and commissioning independent audits to confirm all AI algorithms are properly governed and perform as intended.

For financial market participants, this may be a significant step up in terms of the level of rigorous analysis being applied, especially in business areas. However, it seems necessary and even inevitable to enable proper demonstration of the key elements of accountability for technological transformation: data assessment, rigorous monitoring, sophisticated back testing, exposure of bias and evaluation of trade-offs between explainability and accuracy.


7 “How do you teach AI the value of trust?” EYGM Limited, September 2018.


Reassessing third-party relationships

Senior managers are reviewing their relationships with third-party providers and scouring service contracts to verify that the third party’s obligations are clearly defined and that third parties demonstrate that their operations have appropriate risk controls and governance in place. In many cases, financial services institutions are requiring vendors to allow audit firms to objectively validate — via SSAE 16 audits and resulting SOC1 reports, for example — that the vendors are in compliance with their risk-control obligations. Such reviews do not shift accountability or reputational risk, which in all cases resides with the regulated entity, but they help ensure that financial firms will deploy robust due diligence, ongoing monitoring and “right of audit” over third-party activities to demonstrate adequate oversight and effective risk management.

Regulators themselves are working to gather information about the connectivity among different financial institutions, as well as about their overall exposure to specific sectors, geographies and individual institutions, and, in particular, in testing more rigorously how interconnectedness works in a crisis or addresses failure of one part of a chain. The upcoming implementation of the operational continuity in resolution (OCIR) requirements in the UK8 marks the first delivery among global supervisors of previously issued guidance of the Financial Stability Board (FSB).9

For this effort to succeed in exposing and managing systemic risks, key players in the marketplace will need to invest in documenting core processes from end to end, especially when they cross institutional boundaries. Doing so will enable regulators to define accountability for specific process components and show clearly where and when the handoffs between institutions occur. Although such mapping can be an onerous task, many senior leaders have discovered the value of closely monitoring the process risks for which they or their firms are accountable and determining how information needs to be shared with other players in the process chain, as well as with regulators.

In the meantime, regulators are recognizing the need to update the existing requirements applying to regulated outsourcing institutions. In its recent report on innovation in the financial sector,10 the US Treasury made a number of recommendations, including “… setting clear and appropriately tailored expectations for chain outsourcing … ,” while the European Banking Authority (EBA) recommendations on outsourcing to the cloud took effect on July 1, 2018.11

For a more detailed look at the issues arising in shared services and utilities, see the EY paper “As technology moves ahead, are utilities the upgrade you need?”

To expose and manage systemic risks, key market players will need to document core, end-to-end processes.

8 “Ensuring Operational Continuity in Resolution: Reporting Requirements,” PRA, April 2017.

9 “Guidance on Arrangements to Support Operational Continuity in Resolution,” FSB, August 2016.

10 “A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation,” US Treasury, July 2018.

11 “Recommendations on Outsourcing to Cloud Service Providers: Final Report,” EBA, December 2017.


12 “DP 18/4: Building the UK Financial Sector’s Operational Resilience,” BoE/PRA/FCA, July 2018.

13 “Consultation on Draft Guidelines on Outsourcing,” EBA, June 2018.

New systemic risks emerge

Holding management of regulated institutions accountable for their own and their vendors’ operations is not in itself a comprehensive defense against systemic risk. Consider how cloud services, in a short span of time, have become deeply embedded in the financial services infrastructure. Regulated entities may be accountable for data breaches or service outages at their cloud provider, but holding a senior manager personally accountable for the failure does little to mitigate systemic risk or financial losses.

Recognizing these challenges, regulators are looking more closely at risks across the sector. In the UK, the Bank of England (BoE), PRA and FCA are consulting on how to improve the operational resilience of firms and financial market infrastructures, including how they would respond in the event of systemically significant failures.12 In Europe, the EBA has launched a consultation13 seeking to update and harmonize outsourcing guidelines across the EU. The authority proposes that firms maintain a register of all outsourcing arrangements and submit to regulators more comprehensive information on the outsourcing of critical functions to identify concentrations on a market level along with an overriding obligation on the management body to establish an appropriate framework for outsourcing.

Regulators are also considering whether the scale of operations that are outsourced to the cloud and/or onward via chain outsourcing has reached the point where the zone of accountability needs to be extended to include infrastructure providers. Some market observers are asking whether regulators should require key infrastructure providers to at least disclose their business continuity plans and maintain a prescribed level of operational capital, as is the case for firms inside the regulatory perimeter. Legislation aimed at various aspects of data protection and data sharing, such as the EU GDPR and the US Clarifying Lawful Use of Overseas Data (CLOUD) Act, already imposes obligations on remote computing and cloud storage services. Regulators in some jurisdictions, including the Office of the Comptroller of the Currency (OCC) in the US and the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg, have in their charters the authority to regulate non-financial infrastructure providers but to date have not exercised that authority.

Regardless of whether the regulatory perimeter is extended, however, the obligation is on senior financial services managers to demonstrate that they have comprehensive knowledge of their business processes and understand which process components with their associated risks remain directly under their control and which risks are under the day-to-day control of another organization or a decision-making algorithm.


Summing up

Senior managers are reviewing their relationships. The accountability obligation is “technology-neutral”; whether in the case of a dealer using the latest trading algorithm or a stockbroker stacking buy and sell orders on the desk, the obligation to achieve proper customer outcomes — such as achieving best execution or making an appropriate investment recommendation — still applies, and executives are still accountable for compliance with those requirements.

But assessing that compliance requires a new toolkit. Traditional lines of reporting, sign-off, approval committees and the like must be enhanced, and new structures are needed to deal with digital transformation. We see several key areas where accountability can be enhanced.

Governance, risk and controls: setting the framework for the use of new technologies — Risk frameworks need to go beyond governance, approval, oversight and monitoring. As machines increasingly take on decision-making roles, accountability for adverse outcomes needs to be clarified and documented. So, too, do approaches to investigating adverse events and communicating the lessons learned from them. As technology drives lightning-fast processes with errors potentially occurring at a similar rate, it is vital that the response mechanisms can keep up.

Risk transformation: making sure that accountability is embedded in risk control improvements in the 3LoD model — In last year’s risk survey,14 EY professionals and the IIF showed that the industry is on a post-crisis risk management journey and has entered a phase of rationalization leading to reinvention, where success in dealing with technological transformation will be a major goal. The survey highlighted several key areas that also make a crucial contribution to the accountability obligation:

• Embedding balanced risk-taking and risk discipline into businesses

• A digital transformation of risk management; enabling risk management through automation, machine learning and artificial intelligence

• The 3LoD model; developing its operation and roles

Enterprise protection: documenting responsibilities and implementing contingency planning across outsourced activities — Regulators are not yet inclined to be prescriptive about the specific contractual arrangements between an institution and its service providers, but that may change if problems arise from service-level agreements that are incomplete or poorly enforced, especially if such issues become systemic. Comprehensive documentation that clearly allocates responsibility is not only good practice, but essential, and the latest EBA guidelines recommend that such records be available to the regulator.15

Also, institutions may give extended consideration to an outsourcing but may not pay enough attention to a change or exit strategy. This must not be underestimated, given evolving outsourcing models and arising complexities involving the use of technology (cloud, analytics, data lakes, etc.).

14 “Restore, rationalize and reinvent: A fundamental shift in the way banks manage risk,” EY/IIF, October 2017.

15 “Recommendations on Outsourcing to Cloud Service Providers: Final Report,” EBA, December 2017.



16 “Financial Regulation – 20 Years After the Global Financial Crisis,” keynote address by Ravi Menon, Managing Director, MAS, at Symposium on Asian Banking and Finance, Federal Reserve Bank of San Francisco, 25 June 2018.

17 “Investment Platforms Market Study: Interim Report,” FCA, July 2018.

Technology disrupters: applying technology to enhance accountability — Maybe the technology itself can help to deliver a greater level of accountability than has been embedded in systems and processes up until now. In a recent speech, the Managing Director of the MAS, Ravi Menon, acknowledged that “Cloud computing has considerably enhanced risk management. Risk assessments are now more comprehensive, more granular and more real-time.”16

There are opportunities that could be explored, resources permitting. For example, in a recent market study, the UK FCA concluded that many “direct-to-consumer” (D2C) investment platforms lack effective best-execution monitoring and thus raise the prospect of noncompliance with basic investor protections.17 It would seem that the integration, if possible, of enhanced monitoring capability could strengthen the integrity of the platform and help management demonstrate greater oversight of the product and how it reinforces positive outcomes for customers. In cases such as this, the tangible cost of development may well be outweighed by the less-tangible benefit of more demonstrable product accountability together with future fines for rule breaches being avoided.


Conclusion

The technological agenda has an unavoidable impact on the operating model and governance of the firm; the two are interconnected. Whatever response a firm makes to technological transformation, it must build in appropriate accountability, starting from the board and executive management and extending outward to:

1. Risk management and 3LoD

2. Deployment of machines, bots and black boxes

3. Relations with third-party providers

4. The cloud infrastructure

5. Customers and the public


Financial Crime

Mainland China financial firms are increasingly operating globally, especially under the country’s Belt and Road Strategy. In doing so, they are subject to foreign laws on many topics such as financial crime regulations including anti-money laundering, countering the financing of terrorism and sanctions. These laws can be complex and can have a long reach. The sanctions for possible breaches, even if they are mistakes rather than intentional, can be costly in terms of money, time, reputation and risks to management and staff. US laws are particularly critical in this regard given the importance currently in international finance and trade of the US dollar and the US banking system. An understanding of the key concepts and how to deal with them has never been more important.

In addition, the Financial Action Task Force (FATF) issued a mutual assessment report on China, which raised some specific items for improvement in China’s anti-money laundering and anti-terrorism financing risk management, and noted that there are possible differences between China’s traditional due diligence standards and other international standards.

The EY presentation, ‘Sanctions: Global and U.S. Regulatory Trends’ included in this collection, highlights ways in which Chinese financial institutions can proactively take steps to meet global compliance standards.

The lessons are clear; supervisors are taking a tougher stance on financial crime and in response market participants must strengthen their monitoring and detection frameworks. Improvements are needed to ‘know your customer’ and due diligence processes, together with better application of technology and data analytics, supported by enhanced oversight and governance structures.


Sanctions: Global and U.S. Regulatory Trends 2019


Financial Crime Compliance regulations obligate financial institutions to build and implement systems reasonably designed to identify, block and report suspicious transactions and transactions prohibited by law. Global organizations, particularly foreign banking institutions, are expected to maintain sound risk management frameworks and continue to utilize innovative tools to mitigate their risk.

Understanding emerging areas of risk, as well as effective mitigation strategies, is critical for any Financial Institution operating in the United States, and identifying suspicious activity in a timely fashion is a key challenge.

As regulators across the globe are increasing their emphasis on Financial Crimes enforcement, every institution must reflect on how to make its Financial Crimes Compliance program sustainable and effective. These programs must be embedded in a corporate culture that prioritizes risk identification and mitigation.

Regulatory Updates

Sustained focus by US regulators has shown that they are taking a tougher stance on Financial Crimes when dealing with foreign financial institutions.

• In its Spring 2019 Semiannual Risk Perspective, the OCC states that BSA/AML risk remains high for the banking industry, in a complex and dynamic regulatory environment. Bank management should have processes to diligently review and monitor sanctions programs to effectively manage compliance and operational risk.

• In the recently published “Framework for Compliance Commitments”, OFAC outlined expectations for management to foster a culture of compliance and set the tone from the top, ensuring that there are enough resources to support compliance program needs, including appropriate and evolving technology, and staff to handle large alert volumes.

• OFAC has targeted Correspondent Banking relationships as part of its Correspondent Account or Payable-Through Account Sanctions (CAPTA).

• New York State Department of Financial Services (NYDFS) guidelines detail the relevant attributes of an effective Transaction-Monitoring program and require the senior management of regulated institutions to submit an annual certification stating compliance with regulations.

• US regulators issued a Joint Statement on Innovation, encouraging banks to use “innovative approaches” to meet AML compliance requirements.

Financial Institutions have to confront complex and sophisticated Financial Crime Compliance challenges. High-profile enforcements have highlighted that in today’s regulatory environment, global financial institutions often serve as the first line of defense against malign actors.


Regulatory Expectations

Sanctions Expectations: OFAC’s New “Framework for Compliance Commitments”

OFAC recently published a Compliance Program Framework, describing the “five essential components of compliance” expected to be embedded and sustainable within the Sanctions Compliance Program (“SCP”) of all Financial Organizations. These five components will be taken into consideration while determining any potential civil monetary penalties in response to apparent violations.

1. Management Commitment

• Review and approve the organization’s SCP.

• Ensure compliance unit has the required authority, autonomy and resources to operate effectively.

• Foster a “culture of compliance” throughout the organization.

• Demonstrate recognition of the seriousness of apparent violations and implement required measures to reduce future violations.

2. Risk Assessment

• Utilize a risk-based approach to designing and updating an SCP.

• Conduct a holistic risk assessment of the organization from top-to-bottom and update the risk assessment as appropriate.

• Develop a methodology to identify, analyze and address the identified risks from the assessment.

3. Internal Controls

• Create relevant policies and procedures which are clearly communicated to all personnel engaged in the SCP.

• Implement internal controls and processes to enable identification and reporting of prohibited activity.

• Select and calibrate technology approaches that address the organization’s risk profile and needs.

4. Testing and Auditing

• Conduct comprehensive, independent and objective testing or audit on the effectiveness of the SCP.

• Ensure testing or audit function has sufficient skills, expertise, resources and authority.

• Implement immediate and effective action upon learning of a negative testing or audit finding.

5. Training

• Conduct training for all appropriate personnel on a periodic basis (and at minimum, annually).

• Provide job-specific knowledge based on need and communicate responsibilities for each employee.

• Hold employees accountable for training through assessments.


Sanctions Expectations: Challenges in implementing OFAC’s suggested Framework

Financial Organizations, especially Foreign Bank Organizations (“FBOs”), face significant challenges in implementing an effective and sustainable Sanctions Compliance Program (“SCP”) based on the root causes of violations highlighted in the OFAC framework.

Management Commitment

• Investment: Management may shy away from building a separate SCP due to increasing pressures on cost cutting.

• Awareness: “Culture of compliance” requires weaving compliance into every aspect of operations.

• For FBOs:

  • Lack of transparency and “under-reporting” of OFAC issues between branches and Head Office.

  • Differences in regional/local regulatory environments and the U.S. can create inconsistencies in management understanding.

Risk Assessment

• Comprehensive Evaluation: Enterprise risk assessments may struggle to evaluate and capture inherent sanctions risk from all customers, products, services, geographies and third parties.

• Frequency: Risk assessments and methodologies should be regularly updated to stay current with regulatory changes.

• Integration of Results: Organizations can treat the risk assessment as a “checkbox” exercise as opposed to actively updating the SCP based on results.

• For FBOs:

  • Majority of the customer base and product and services offerings stem from Head Office and may not be effectively evaluated from an OFAC risk perspective.

Internal Controls

• Responsiveness: Organizations need to rapidly adjust their sanctions controls to respond to changing requirements.

• Policies and Procedures: Organizations may struggle to demonstrate uniform and sustainable implementation of OFAC processes, policies and procedures.

• Technology: Screening platforms become outdated due to lack of regular tuning and updates.

• For FBOs:

  • Lack of a formal escalation process and expertise to review high-risk and complex OFAC matters.

  • OFAC policies and procedures that are not standardized.

  • Disparate OFAC screening platforms across branches which can increase exposure to screening coverage failures.

Testing and Auditing

• Remedial Measures: Organizations may not effectively address testing or audit findings. Regulators scrutinize the findings for evidence of SCP sustainability.

• For FBOs: Testing or audit functions are based out of Head Office, and practices and controls of all branches may not be effectively and regularly tested from an OFAC perspective.

Training

• Coverage: Organizations may be unable to provide targeted and frequent sanctions training to all relevant personnel, especially front office resources.

• For FBOs: FBOs may struggle to adequately educate their employees across global branches on US sanction requirements in order to avoid inadvertent violations caused by lack of understanding.

[Figure: OFAC Framework Challenges, with segments Management Commitment, Risk Assessment, Internal Controls, Testing and Auditing, and Training]


Focus On: United States Scrutiny of Foreign Banking Organizations

US regulatory agencies continue to emphasize the importance of effective compliance risk management programs, as shown by their statements regarding supervisory priorities. Bank regulators have repeatedly criticized FBOs operating in the US for failing to meet regulatory expectations around Sanctions and AML compliance, and failing to remediate program deficiencies which had previously been identified.

The examples noted below show what US regulatory agencies have focused on in enforcement actions against banks from Europe and Asia in recent years.

• Office of the Comptroller of the Currency (OCC)

2019 – MUFG Bank of Japan entered into a consent order with the OCC related to money laundering deficiencies with its US branches in New York, Los Angeles, and Chicago. The OCC highlighted that branches failed to adopt and implement an adequate compliance program. Internal controls, independent testing and transaction monitoring systems were all deemed deficient. Trade Finance monitoring and CDD on correspondent banking were all criticized.

• Office of Foreign Assets Control (OFAC)

2019 – OFAC delivers $611 million fine to three UniCredit Group banks after violations of a number of US sanction programs. UniCredit was found to have processed $500 million in payments while maintaining US dollar accounts for the Islamic Republic of Iran Shipping Lines and intermediaries. All three banks processed payments through the US in a manner that did not disclose underlying sanctioned entities.

• The Federal Reserve Board (FRB)

2018 – Fine levied against Mega International Commercial Bank of Taiwan for $29 million, for insufficient oversight, risk assessment, staffing, and independent testing. This action follows a 2016, $180 million fine from the NYDFS for serious AML deficiencies and notably, the bank’s lax monitoring of risk exposure in Panama.

• New York State Department of Financial Services (NYDFS)

2019 – Standard Chartered Bank fined $463 million for violating Sanctions laws by concealing illegal financial transactions clients engaged in with Iran as well as Syrian, Sudanese, Burmese and Cuban entities. Further, the Bank facilitated $600 million in clearing transactions originating from its London and Dubai branches, where NYDFS cited significant gaps in customer due diligence and sanctions controls.

• Financial Industry Regulatory Authority (FINRA)

2016 – Credit Suisse Securities (USA) LLC was fined $16.5 million for having a deficient suspicious activity monitoring program and for failing to effectively review trading for AML reporting purposes. FINRA found that Credit Suisse failed to escalate suspicious activity due to the fact that most orders it received from its foreign affiliates came in electronically and were not seen by the firm’s traders.


Focus On: FATF China Mutual Evaluation Report – Key Points

The FATF Mutual Evaluation Report highlighted specific items for improvement in China’s Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) risk management framework, and Chinese Financial Institutions’ Financial Crimes Compliance programs. The report highlighted ways in which Chinese Financial Institutions can proactively take steps to meet global compliance standards. Some of the key steps include:

Risk Assessment

Increasing focus on robust risk assessments which accurately reflect financial institution’s risk exposure and corresponding vulnerabilities.

Recommendation:

• Remain dynamic to respond to fluctuations in the risk landscape as well as industry developments by using risk assessments to clearly understand the extent of risks.

• These objectives can be achieved through guidance, feedback, and improved typologies.

Due Diligence

Evolving due diligence processes that more effectively monitor transactions and obtain accurate information on beneficial ownership.

Recommendation:

• Develop monitoring models that assess whether transactions are in line with their customers’ profiles.

• Effective requirements should be implemented to identify beneficial owners, track changes in ownership, keep data up to date, and continuously screen individual names against Sanctions and PEP databases.

Risk Mitigation

Enhancing risk mitigation strategies to meet the advanced level of threats faced by foreign financial institutions. Chinese financial institutions are vulnerable to Financial Crimes abuses.

Recommendation:

• Given the concentration of capital flows into and within the Asia-Pacific region, and the spate of Financial-Crime events, Chinese financial institutions must identify, assess and understand risks and develop appropriate and effective methods to mitigate various risks their institution has exposure to.

Reporting Suspicious Transactions

Developing and implementing a plan for adequately reporting suspicious transactions.

Recommendation:

• Apply mitigating measures that are commensurate with the risks of the host country and strengthen group oversight over scrutiny of transactions and the reporting of suspicious transactions.

• A well designed system is recommended for identifying and reporting suspicious transactions based on institution’s particular risks, size, geographic reach and its specific nature of business.


Focus On: Moving from Remediation to Sustainability

The effort to remediate gaps identified in a Financial Crimes Compliance program is often a difficult process that can span several years. Consent Orders are not lifted simply by updating procedures; an institution must exhibit ongoing sustainability of the enhancements over several regulatory review cycles in order for regulators to be confident that lifting a Consent Order is appropriate.

Design Effectiveness

• In the design phase of a remediation, the institution develops a detailed action plan based on gaps identified by regulators and further program enhancements that may not have been part of the original regulatory findings.

• The action plan identifies specific steps that will be taken and work that will be produced to address the gaps.

• During this phase, policies and procedures are enhanced and the impacts of implementation are considered.

Effective Implementation

• Indicators to monitor progress need to be developed to ensure project milestones are completed on time.

• Workstream leaders should be appointed for key elements of the plan and held accountable for achieving milestones within associated timeframes.

• Delays should be escalated to senior management and communicated to regulators.

• For sound practice and to meet supervisory expectations, internal audit should validate that key elements of the remediation have been effectively implemented.

Ongoing Sustainability

• Regulators will remain engaged to review enhancements being made in response to the feedback provided, as Consent Orders require periodic reporting on updates against plans.

• Program enhancements will be reviewed for continued progress and improvements each year during regulatory exams. Additional regulatory findings stemming from subsequent exams must also be addressed.


Focus On: A More Proactive Approach to Financial Crimes Compliance

The Financial Crimes risk and control landscape regularly changes. As financial institutions introduce new products, target new customers, enter new markets, and respond to evolving criminal threats and new regulatory guidelines and requirements, Anti-Money Laundering and Sanctions compliance programs are in constant need of improvement and sometimes remediation to fix identified deficiencies.

US Regulators’ International Reach

The extraterritorial reach of US laws and regulatory action has global impacts:

• US action, due to the size and scope, impacts home offices and/or headquarters.

• Local regulators often levy their own enforcement actions in response.

• Local governments enact legislation reform.

Negative, Global Political Attention

With a more stringent regulatory environment, some Governments have taken a stronger posture towards enforcing Financial Crimes Compliance, often resulting in the following business impacts:

• Reputational harm due to negative political attention and criticism.

• ‘De-risking’ approach to certain customer types or products.

Enhanced Global Scrutiny

The Financial Action Task Force has shifted and enhanced its focus from the presence of controls to the effectiveness of control functions, resulting in:

• More critical Mutual Evaluations.

• Stricter Government Legislation and oversight.

Evolving Criminal Threats

Criminal networks continue to create new scams, focusing on new vectors and vulnerabilities, while continuing to refine old tactics:

• ‘Money Mules’ move online as scammers purchase online banking credentials.

• Electronic money laundering grows as criminals expand fraudulent online marketplaces and retailers.

New Chinese Regulations

In response to stricter global standards, the Chinese Government has passed regulations related to:

• Cross-border cash flows.

• Virtual currency activity.


Sanctions Risks

Sanctions Risks Currently Impacting Chinese Banks

In response to US Sanctions, countries and entities that have been targeted develop increasingly sophisticated methods for evading the restrictions.

Regulators have held financial institutions to a ‘strict liability’ standard in cases where they determine that FBOs “knew or should have known” they were enabling sanctioned activities. Chinese FIs and other FBOs should particularly ensure that their sanctions programs identify the following areas where risk has increased, and employ mitigation strategies to limit their exposure.

Secondary Sanctions

Secondary sanctions target banks and other entities doing business with sanctioned persons to discourage this activity and increase the cost of these transactions.

FBOs should monitor payments and trade financing activities for exposure to sanctioned entities through third-parties and countries (intermediaries) that are not sanctioned themselves.

Transshipments and Intermediary Points

Sanctioned entities often use intermediary ports, cities, and countries to add an additional layer of complexity to transactions and trade, in an attempt to obscure their origination or beneficiary.

FBOs should regularly update risk assessments and refine sanctions screening system methodologies to account for new and evolving risk activities.

Shell Companies

Shell companies are used in sanctions evasion tactics to build relationships with financial institutions and funnel money back to sanctioned entities.

Certain jurisdictions have less stringent rules for establishing companies, making them primary targets for companies in sanctioned countries and state-owned entities in sanctioned countries to facilitate their trade and financing activities.

Case Study

In 2017, the US designated a Foreign Banking Organization to be of “primary money laundering concern,” and severed its ties to the US financial system, citing multiple instances where the bank acted as a conduit for financial activity conducted in sanctioned jurisdictions.

The Bank facilitated millions of dollars of transactions for companies involved in a sanctioned jurisdiction’s weapons of mass destruction and ballistic missile programs. The Bank also facilitated transactions for entities sanctioned by the US and UN for similar activities, as well as for front companies operating on their behalf.


Use of Transshipments and Intermediary Points

According to an OFAC advisory, several methods have been used to obscure the involvement of certain transshipments and related trade activity in sanctioned countries. As described below, FBOs should take steps to understand the geographic area of their operations and identify their exposure to sanctions risk associated with these shipping practices.

Shipping and Vessel Related Deceptive Practices

• Disabling Automatic Identification System (AIS) transponders to disguise movements and facilitate illegal trade.

• Physically altering a vessel’s name and identifying numbers to hide the vessel’s true identity.

• Transferring petroleum, coal, and other products to another vessel while at sea, concealing the origin of the cargo.

• Falsifying cargo and vessel documents, such as packing lists, invoices, and last ports of call to obscure the origin or destination of the cargo.

• Manipulating AIS transmission data to conceal the next port of call or other information about a vessel’s voyage.

Intermediary Risk Mitigation Checklist

• Consider exposure to intermediary ports and countries by performing a risk assessment to identify exposure to high-risk countries, considering value and volume of transactions.

• Use internal data such as payment and customer activity to determine whether intermediary risk mitigation tactics are operating as intended.

• Refine screening rules to search for the presence of an intermediary port, city, or region paired with specific keywords in order to target activity while limiting volume of false positives.

• Use internal and external resources to track movements of maritime shipping vessels to their expected destinations.

• Ensure screening system is accurately receiving data from upstream platforms and system settings are tailored to geographic, product and customer exposure, especially in growth periods.


Use of Shell Companies in Sanctions Evasion

Shell companies are another method used by sanctioned entities to access the international financial system. State-owned enterprises use front or shell companies and covert representatives based in intermediary cities and countries to obscure their true origin, beneficiary, and purpose of transactions.

This enables millions of dollars of illicit financial activity to flow through the global financial system. The warning signs below describe activities FBOs should monitor when reviewing transactional activity and engaging with customers.

Potential Indicators of Shell or Front Companies

• Goods or products of the customer entity do not match their profile based on information previously provided to the bank.

• Both parties to a transaction share the same address, provide only a registered agent’s address, or evidence other similarities.

• Multiple high-value payments or transfers between companies or bank accounts with no apparent business purpose.

• Large number of payments or transfers into customer’s account to/from one company.

• Beneficiaries of customer entity are located in high-risk jurisdictions.

[Figure: Example of Shell Company Structure. Entities shown: Foreign Bank; Fake Company Holdings, LP; ABC, Inc (Sanctioned Entity); Fake 123, LP]

Ways to Detect Warning Signs

• Conducting Enhanced Due Diligence at the time of onboarding for all customers located in a high-risk jurisdiction.

• Reviewing all corporate documents at the time of onboarding.

• Screening all UBOs at the time of onboarding and on a regular basis thereafter.

• Conducting periodic KYC refreshes to ensure all documentation and information is still valid and accurate.

• Screening all transactions and corresponding SWIFT/non-SWIFT messages.


Beneficial Ownership & AML Risk

The CDD Rule - Beneficial Ownership Due Diligence

As of May 11th, 2018, covered financial institutions are required to comply with the final CDD rule issued by FinCEN. This rule formalizes long standing expectations for an effective AML Program making them explicit requirements. Among other things, covered financial institutions must now identify beneficial owners of all legal entity customers (except for exempt accounts and certain customer types) at the time a new account is opened; and verify the identity of those owners within a reasonable time.

Ownership (25%) or Controller = Beneficial owner

• While the rule requires identifying at a 25% equity interest, FinCEN released guidance on April 3, 2018 that financial institutions, based on their own assessment of risk, may consider collecting beneficial ownership information on those with lower equity interests.

• If an individual meets the criteria for both ownership and control, that individual can be identified under both prongs.

• Significant managerial control.

• Executive officer or senior manager (e.g., president, CEO, CFO, COO, managing member, general partner, VP, treasurer) or any person performing similar functions.

• The following information is required for beneficial owner individuals:

  • Name

  • Title

  • Date of Birth

  • Address

  • SSN (US Persons) or Passport # and Country of Issuance (Foreign Persons)

[Figure: CDD: Identification of Beneficial Owners. New account process stages shown: Initial onboarding and CIP; Customer due diligence; CDD: Identification of beneficial owners; Customer screening; Enhanced due diligence; Periodic review/refresh; Quality control; Customer risk rating]


Focus Area: Trade Finance

Recent regulatory actions against major global banks indicate that regulatory agencies expect financial institutions to enhance their controls in order to prevent Financial Crimes through trade finance services and products.

Money launderers can easily take advantage of transaction complexity, heavy reliance on vast amounts of documentation and a highly manual transaction process, either by forging underlying documents or utilizing shell companies to engage in money laundering. This environment poses a set of unique challenges for financial institutions.

In order to address challenges posed by trade finance activities, financial institutions should focus on strengthening the following components of their compliance program:

• Tone from the Top: Senior management’s commitment to allocate sufficient resources, including human capital and technological tools to mitigate the high Financial Crimes risk arising from trade finance activities.

• Risk Assessment: A holistic risk assessment to understand the risk of trade finance products/services by examining its Customer risk, Product risk and Geography risk.

• Internal Controls: Automated transaction monitoring process and tools that can capture the trade based money laundering red flags and prompt appropriate investigations.

• Independent Testing: Comprehensive and independent testing or audit on the effectiveness of the compliance program to ensure proper execution of all mitigating controls.

• Training: Training on the trade based money laundering risk indicators and job specific knowledge for all appropriate personnel.


Focus Area: Correspondent Banking

Correspondent Banks (CB) present a higher Financial Crimes risk than other market segments, due to the inherently high risk of transactions. This causes CB to attract increased scrutiny from both senior management and external regulators. FBOs continue to face increased threats as a result of the evolving regulatory landscape and internal operational challenges.

Head Office and other bank affiliates should be subject to the same due diligence standards as non-affiliates, including an assessment of the risk those institutions pose to the branch/affiliate in question, based on the products/services being offered, profile of the affiliates’ business, location of customers, nature and purpose of the account being opened, etc.

Challenges Banks Face

• Risk-based customer onboarding due diligence

  • Implementing a robust KYCC program to demonstrate sufficient knowledge of the FBO’s customer’s customers.

  • Language constraints around Pinyin and the use of Chinese Commercial Code around Sanctions screening (e.g., specifically for Chinese FBOs).

• Controls to detect and report suspicious activity

  • Establishing a framework for identifying, assessing, controlling, and reporting CB risks across the organization.

  • Managing cross-border difficulties, limited due diligence in foreign jurisdictions with less stringent AML laws, US legal barriers to seize funds, and monitoring for nested correspondents.

  • Taking reasonable steps to ensure a foreign bank is not being used to provide services to a foreign shell bank.

• Outdated technology platforms

  • Existing technology requires extensive manual intervention to enable monitoring processes.

  • Lack of information, unstructured data, and the inability to consolidate data to enable effective monitoring.

Ways to Mitigate Risk

• Effective risk management

  • Enhance control framework based on risk assessment results to manage identified inherent risks.

• Transaction monitoring

  • Leverage technology approaches to implement transaction monitoring scenarios specific to nested relationships and correspondent banking.

• Certifications

  • Maintain up to date certifications and conduct enhanced due diligence for nested accounts.

• Data analysis

  • Obtain and consolidate data for effective transaction monitoring and sanctions screening.


Innovation

Creating Process and Cost Efficiencies Through Technology

In recent years, regulators have given financial institutions the opportunity to innovate and apply novel, technologically advanced approaches to enhance their sanctions programs. New and emerging technology will help financial institutions make their processes more efficient and will allow them to gain better insight into their risk.

Sanctions program innovation examples

Reduce investigation effort: Apply machine learning to prioritize alerts. Prevent alerts with a low likelihood of being a true match from appearing in investigators’ queues while automatically moving alerts with a high likelihood of requiring detailed review to the queues of advanced investigators. Generate draft alert disposition narratives to free up investigator time further.

Track complex data patterns: Track beneficial ownership of entities more effectively by leveraging additional data points acquired from third-party vendors and open-source or public access databases for targeted analysis of risk.

Automate information gathering: Gather information from internal and external resources on behalf of investigators allowing them to focus their time on analysis rather than performing searches.

Digitize and interpret contracts: Scan, render searchable, and analyze text-heavy documentation like trade finance materials (e.g., letters of credit), lending and insurance underwriting materials, client prospectuses and formation documents to understand risk associated with them.


Appendix A

Case Study 1: Global Roll-Out of Enhanced Financial Crimes Compliance Standards

Summary

A Global Asian Financial Institution under the supervision of the Office of the Comptroller of the Currency (OCC) was found to have gaps in the efforts at its branches to monitor international wires flowing through high-risk jurisdictions. The OCC also found significant gaps in the branch’s AML program framework, which included deficiencies in its correspondent banking and trade finance screening. The bank’s branches in the U.S. have since been operating under an agreement with the OCC that requires them to improve their compliance with regulations from the Treasury Department’s Office of Foreign Assets Control, which enforces U.S. Sanctions.

In order to remediate deficiencies and meet the terms set by the consent order, the Bank embarked upon a large-scale multi-year program of change across all FCC disciplines, which included the rollout of enhanced AML, Sanctions and Anti-Bribery and Corruption (ABC) Standards. The program does not simply focus on rolling out and adopting policies but rather on sustainable implementation of the procedures in all of its branches across the globe.

The Bank is tackling the program in three phases over two years:

• Current State Assessment: The CSA was conducted in three phases across 30 months: (1) data collection from 34 branches, (2) completion of detailed AML, Sanctions and ABC questionnaires which tracked recently instituted standards, and (3) on-site visits, which included process walk-throughs and interviews with key personnel from the 1st and 2nd lines to confirm observed documentation gaps.

• Implementation Planning: Detailed action plans were developed in coordination with 1st and 2nd line stakeholders to address all process and documentation gaps identified through the CSA process.

• Execution: The Bank executed the implementation plans across the Americas, EMEA and APAC regions to manage and deliver enhancements identified during the Current-State Assessment.

Key Takeaways

• To ensure that all adequately own and understand their responsibilities in implementing the FCC framework, the Bank is rolling out a comprehensive global training program covering AML, Sanctions and ABC guidelines in parallel to programmatic enhancements.

• To encourage accountability and sustainable implementation, the Bank ensured that the team implementing the program was a partnership between Bank employees and consultants.

• Whilst the project was led centrally, the roll-out of enhancements was actioned by the branches themselves with regional support.


Case Study 2: Multiple Regulatory Findings for a Foreign Banking Organization

Summary

A Foreign Banking Organization’s New York Branch faced an enforcement action by the Federal Reserve that required the Branch in question to make broad enhancements to corporate governance, BSA/AML, Customer Due Diligence, Suspicious Activity Monitoring and Reporting, Office of Foreign Assets Control (OFAC) compliance and Internal Audit, and to conduct a Lookback of historical transactions. Subsequently, the New York Department of Financial Services found insufficient compliance department resourcing, significant compliance employee turnover, deficiencies in documentation and knowledge transfers, and a lack of transparency in transaction methods. As part of the three-year remediation effort, the Bank implemented multiple enhancements in each of the aforementioned focus areas. Some of the major items that were within the scope of the remediation included:

• Corporate Governance: Drafting and implementing a formal governance structure, defining the Bank’s Financial Crimes risk appetite, enhancing formal risk program.

• BSA/AML Program: Addressing resourcing needs, assessing and enhancing the BSA/AML and OFAC training program, instituting the system of internal controls in place, defining the BSA/AML independent testing program.

• Customer Due Diligence Program: Creating a comprehensive customer risk rating methodology, designing a due diligence framework for foreign correspondent banking relationships, designing periodic review procedures.

• Suspicious Activity Monitoring: Drafting scenario selection methodologies, evaluating existing data sources and feeds, implementing a transaction monitoring methodology and developing KPIs and KRIs to track BSA/AML issues, escalation and closure.

• OFAC Compliance: Enhancing Bank-wide sanctions policies, collecting current state screening practices for all foreign Bank branches and conducting an assessment of the screening system.

Key Takeaways

• As part of the remediation efforts, the Bank set up a governance structure that increased transparency between the Branch and Head Office.

• The project design consisted of a remediation steering committee that reported directly to the Bank’s board of directors. Additionally, the governance structure created during the remediation.

• The Bank also engaged a third party to help remediate deficiencies within the aforementioned areas, allowing for a comprehensive and rigorous analysis and remediation.

• The Bank also undertook a comprehensive training program to embed a culture of compliance within the Branch to ensure sustainability of the new process designs.


Appendix B

Setting the Tone from the Top

Creating a culture of compliance means not only meeting the requirements of regulators, but also weaving compliance into every aspect of a financial institution’s framework: core values, strategic plans, and mission statements. This begins with the Board of Directors and senior management, who are responsible for setting an appropriate culture of BSA/AML and OFAC Sanctions compliance.

Governance

• Require the implementation of an effective Risk Governance framework that is consistent with the size, risk profile, and complexity of the firm.

• Oversee compliance within the risk governance framework.

• Clearly define roles and responsibilities across the three lines of defense.

• Message a strong compliance culture across the organization and maintain committees and forums where BSA/AML and OFAC Sanctions risk is a key topic.

Oversight

• Engage with management to understand BSA/AML and OFAC Sanctions program execution, including key performance indicators, issues and required enhancements.

• Exercise independent judgement and credible challenge.

• Support the allocation of sufficient resources, including human capital and technological tools to oversee BSA/AML and OFAC Sanctions program execution.

Change management

• Incorporate BSA/AML and OFAC Sanctions governance requirements into strategic and business planning – compliance should not be compromised by revenue interests.

• Understand the changing regulatory landscape and require effective processes to incorporate business and regulatory changes into the risk governance framework.

• Fully consider BSA/AML compliance requirements in all change management routines.


[Figure: Core Principles (Awareness, Incentives, Management Emphasis) shown together with Governance, Oversight and Change management.]


Overview: Compliance Life Cycle

“The processes established for managing compliance risk on a firm-wide basis should be formalized in a compliance program that establishes the framework for identifying, assessing, controlling, measuring, monitoring, and reporting compliance risks across the organization, and for providing compliance training throughout the organization.” (Federal Reserve Supervisory Letter SR08-8)

Governance and oversight

A. Identifying regulations/Assessing risks

• Inventory

• Risk Assessment

• Risk Assessment Tool

B. Policy Framework

• Policies

• Training

• Policy Manager

C. Compliance Monitoring

• Monitoring: TM/Surveillance, KPI/KRI Monitoring, Manual Review

• Testing

• Monitoring Tool

• Compliance Testing/Auditing Tool

D. Communication/Reporting

• Issue Tracking/Escalation

• Reporting

• Regulatory Inquiry Manager

• Compliance Manager

Advisory Activities

• Business lines

• Operations

• Technology

• Regulators

Organization, stature and objectivity

Technology Enablement


Key Regulatory Coverage Areas - AML Programs

A firm’s AML program must align to relevant regulatory requirements and expectations.

[Figure: Enterprise-wide BSA/AML program framework. Labels shown in the diagram:

• Program pillars: Internal controls, BSA officer, Training, Independent audit

• Executive oversight, Data governance, Model governance, Investigation and regulatory reporting

• KPI/KRI, Risk & control self assessment, BSA/AML risk assessment, Risk appetite, Management reporting, Regulatory monitoring, Project management

• Data quality, Data analytics, Single customer view

• Model inventory, Coverage, Validation, Optimization

• Tiered review, Regulatory filings, Information sharing

• KYC (CIP, CDD, EDD), Sanctions (SDN, Accept list, Hit), Activity monitoring (Scenarios, Referrals, Hit), each with a Risk model and Refresh

• Beneficial ownership, Record retention]


Sanctions Compliance Challenges

Governance

• Different sanctions obligations across jurisdictions; policies and procedures within a single financial institution may not be standardized across jurisdictions.

• Difficulty setting the “lowest common denominator” to be followed by all branches and affiliates.

Global transshipment points

• Provide access to a sanctioned jurisdiction through a non-sanctioned country.

• Can require timely due diligence to discover sanctions connection.

• Lack of data in transaction information.

Misunderstanding of risk

• Assumption that some business lines or products do not bring risk to the institution or are mitigated by activities of third-parties.

• Complexity of certain products (securities, trade finance, etc.) creates unclear understanding of what activity should be screened and when.

Testing of screening systems

• Screening systems can become outdated, especially if the institution’s business profile has changed.

• Critical platforms should be routinely tested to determine proper and effective operation.

Effective screening software

• Interdiction software is slow to evolve to capture the ever-changing regulatory landscape.

• Limitations of screening software may not be known until a violation has occurred.

• Fuzzy logic algorithms can be complex, and the settings used to capture slight changes in text (e.g., linguistic, lexical, cultural, etc.) are not completely understood by compliance officers.
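The effect of a fuzzy-match setting can be made visible to compliance officers with a small threshold sweep over labelled test names. The sketch below is an added example, not code from this report or from any screening product: the watch list entry and test names are constructed and fictional, and normalized Levenshtein similarity is an assumed stand-in for whatever scoring a real engine uses.

```python
"""Threshold sweep for a fuzzy name-screening rule (constructed, fictional data)."""


def normalize(name: str) -> str:
    # Upper-case and keep only letters and digits, so spacing and punctuation
    # differences (common in romanized names) do not change the score.
    return "".join(ch for ch in name.upper() if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    # Classic dynamic-programming edit distance: insert, delete, substitute.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else (longest - levenshtein(a, b)) / longest


# Constructed watch list entry and labelled test names (True = should alert).
WATCHLIST = ["ORIENT STAR SHIPPING"]
TEST_CASES = [
    ("Orient Star Shiping", True),       # dropped letter
    ("Oreint Star Shipping", True),      # transposed letters
    ("Orient-Star Shipping Co.", True),  # punctuation and suffix
    ("Orion Star Shipping", False),      # different, similar-looking name
    ("Eastern Star Logistics", False),   # unrelated name
]


def best_score(name: str) -> float:
    return max(similarity(name, entry) for entry in WATCHLIST)


def sweep(thresholds):
    """For each threshold, report true matches caught/missed and false positives."""
    report = {}
    for t in thresholds:
        caught, missed, false_pos = 0, [], []
        for name, should_alert in TEST_CASES:
            alerted = best_score(name) >= t
            if should_alert and alerted:
                caught += 1
            elif should_alert:
                missed.append(name)
            elif alerted:
                false_pos.append(name)
        report[t] = {"caught": caught, "missed": missed, "false_positives": false_pos}
    return report


if __name__ == "__main__":
    for t, row in sweep([0.85, 0.92]).items():
        print(t, row)
```

At the looser setting every labelled variant alerts along with one unrelated name; at the tighter setting the false positive disappears but two of the three true variants are no longer caught, which is the over-tuning risk a periodic screening test should surface.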


Applying Machine Learning to Screening

Screening today is highly manual, with all alerts being reviewed by human analysts. This causes 1) an unmanageable volume of false positives, 2) over-tuning of screening engines which misses potential true positives, 3) a need to prioritize resources to deal with spikes, 4) limited QA ability to identify missed true positives and 5) concerns about watch list data quality impacting detection. Machine learning can be used to help address these challenges, as below:

Today, investigators review every alert generated by the screening engine – most of which are false positives.

Machine learning intelligently scores each alert and separates worthwhile true positives from the rest of the population.

[Figure: Alerts, today 100% investigated by human analysts, are ranked by machine learning priority score on an axis marked 0, 70 and 100. An illustrative threshold separates alerts likely to be true positives (worthwhile alerts) from alerts unlikely to be true positives (rejected alerts, “false positives”).]


EY Financial Crimes Compliance Capabilities

EY’s Financial Crimes Compliance services focus is outcome-based, centered on an advisory and managed services model using a combination of innovative technology, subject matter knowledge, proven methodologies, and a global operating structure that is repeatable, scalable and efficient to meet individual client needs.

Financial Crimes Service Capabilities

• Financial Crimes Program Governance

• On-Boarding and Risk (KYC / CDD / EDD)

• Transaction Monitoring, Investigations and Case Management

• Sanctions and Customer Screening

• Model Risk Governance and Validation

Holistic advisory and managed services in the Financial Crimes compliance domain, covering:

• People and Governance

• Processes and Operations

• Data and Technology

Global Delivery Centers

Financial Crimes Technology Platform

EY AI & Machine Learning Platform

• Data aggregation

• Negative news

• Client risk prioritization

• Location validation

• Smart-decisioning

• Document analyzer

An innovation strategy and portfolio of approaches that deliver improved outcomes for our clients, employing approaches to:

• Reduce costs

• Increase efficiency

• Increase quality outcomes

Business Delivery Model

• Platforms: EY business services delivered from the cloud

• Managed Services: EY service delivery centers using EY technology

• Co-Sourced: EY people in client locations and technology

• Consulting: Traditional people and methodology based delivery

Scalable approaches, through this business delivery model, providing the option to deliver cost-optimized and flexible approaches, meeting objectives that are:

• Short-term and tactical

• Long-term and strategic


Contact us

Team leaders

• Jack Chan, Regional Managing Partner, Greater China, +852 2629 3508

• Geoffrey Choi, Asia-Pacific Financial Services Assurance Managing Partner

• Effie Xin, Greater China Financial Services Market Segment Leader

• AJ Lim, Greater China Financial Services Assurance Managing Partner

• Kelvin Leung, Greater China Banking and Capital Markets Leader

Other contacts

• Beijing: Steven Xu, Greater China Financial Service Partner

• Shanghai: Ron Yan, Greater China Financial Service Central China Leader

• Shenzhen: Benny Cheung, Greater China Financial Service South China Leader

• Guangzhou: Teresa Zhao, Partner, Financial Services

• Hong Kong: Teresa Tso, Partner, Financial Services


About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation is available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2020 Ernst & Young, China. All Rights Reserved.

EYG no. 000088-20Gbl ED None.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/china

EY | Assurance | Tax | Transactions | Advisory