Internal Audit. Expect More.

2020 Internal Audit Planning

Asset and Wealth Management

September 2019

The asset and wealth management industry is under considerable pressure. The increase in passive investments, and their resultant lower fees, signals an overall trend in declining fees, alongside the market expectation that AUM will continue to increase. The globalisation of the industry has opened up new markets, but this has increased the complexity of the regulatory environments in which firms operate, resulting in increased risk and a higher cost base. Productivity remains a key issue, which firms are seeking to address through measures such as better management and use of data. This is all occurring in a tense geopolitical environment, which has caused volatility to return to the financial markets.

Internal audit functions themselves are not immune from these disruptive forces and are continually being asked to do more with less. More today than ever, there is a conflicting demand on internal audit functions to demonstrate adequate assurance coverage of end-to-end risks, while at the same time delivering insight and value into key current and emerging risk areas.

This paper seeks to provide you with PwC’s view on the market issues impacting the asset and wealth management industry in 2019 and beyond, collated through our own experiences and insights from our subject matter experts.

We have seen a shift in the approach to audit planning, with internal audit functions performing targeted risk-focused reviews, which, when reflected upon collectively at the end of the year, can give stakeholders valuable insights into key themes. Whilst this document is structured into specific sections, there are some clear themes that cut across a number of topics, such as governance, accountability and conduct, customer focus, emerging technology and transformation.

We would encourage Heads of Internal Audit to use this pack in their risk assessment process to identify relevant topics for incorporation into their audit plan, as well as wider themes that can be reported to stakeholders at the end of the year.

Steve Frizzell

Partner, UK Financial Services Internal Audit Leader

T: +44 (0) 7802 659053, E: [email protected]

PricewaterhouseCoopers LLP, 7 More London Riverside, London, SE1 2RT. T: +44 (0) 20 7583 5000, F: +44 (0) 20 7212 7500, www.pwc.co.uk

PricewaterhouseCoopers LLP is a limited liability partnership registered in England with registered number OC303525. The registered office of PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH. PricewaterhouseCoopers LLP is authorised and regulated by the Financial Conduct Authority for designated investment business and by the Solicitors Regulation Authority for regulated legal activities.

Contents

UK economic outlook

Risk radar

Key themes

Brexit

Climate change

Customer outcomes

Governance and accountability

Financial crime

GDPR

Operational resilience

Transformation

Outsourcing

Cyber security

Emerging technology

Technology

Further regulation

Asset & Wealth Management timeline

MiFID II

Capital and liquidity

Financial risk

Market

Other asset and wealth management specific regulation

Tax

Contact details

References

UK economic outlook

2020 is likely to bring another year of significant economic uncertainty. Whilst firms have taken action to prepare for political and economic change, the level of ambiguity around, for example, the implementation of Brexit will likely result in further unexpected changes to the risk landscape over which IA is expected to provide assurance.

We project UK economic growth to remain modest at 1.4% in 2019 and 1.3% in 2020, compared with its long-term trend rate of around 2%. These projections assume that a Brexit deal is eventually agreed leading to an orderly exit from the EU. Risks are weighted to the downside due to the possibility of a more disorderly Brexit.

Consumer spending has continued to drive the economy, but the housing market has cooled and job creation is likely to slow over the next year. Business investment has been on a declining trend as a result of ongoing Brexit-related uncertainty and this is expected to continue until this is resolved.

Consumer price inflation is projected to remain close to the Bank of England’s 2% target, with interest rates expected to remain on hold for at least the rest of 2019.

Projections (all figures in %; negative values shown in parentheses):

                              2019     2020
Real GDP growth                1.4      1.3
Consumer spending growth       1.6      1.3
Fixed investment growth       (0.4)     0.1
Inflation (CPI)                2.0      2.0
House prices                   1.2      2.1

Source: UK Economic Outlook, July 2019, PwC UK

The labour market has been one of the strongest elements of the UK economy in recent years, with the employment rate at a record high. Employment has grown significantly for women and older workers, while youth unemployment rates have fallen back to levels seen before the global financial crisis.

Our detailed international analysis suggests, however, that there is still room for further improvements. In the new composite PwC Labour Market Performance Index, which combines results from our Youth Employment, Golden Age and Women in Work indices, we find that the UK still ranked only 19th out of 33 developed (OECD) economies in 2018. Iceland and Sweden top these rankings, while most OECD countries have seen improvements in their employment rates for women and older workers since 2007.

If the UK could further improve its performance to match Sweden in terms of its employment rates for women aged 25-54 and older workers, and the proportion of its young people not in employment, education or training, we estimate that the boost to UK GDP could be as much as 12%, or around £250bn.

Realising this potential will require further efforts by government and business to boost childcare provision, support later retirement and flexible working, enhance lifelong learning and improve vocational education and training provision.

Another key feature of the UK economy is that private rents are unaffordable for many key workers in London and Southern England despite a slowdown in the UK housing market in recent years. We expect negative house price growth in London and the South East in 2019, although UK house prices could start to pick up again gradually from 2020 onwards if an orderly Brexit can be delivered, but there is considerable uncertainty around this outlook at present.

To be kept up-to-date throughout the year, sign up for our UK Economic Outlook updates at https://www.pwc.co.uk/services/economics-policy/insights/uk-economic-outlook.html

Risk radar: Asset & Wealth Management

We present our view of the risk landscape for asset and wealth management, which can be used by internal audit functions as part of annual planning.

The FCA Chair’s foreword to the 2019/20 business plan focuses on technological change and the challenges and opportunities this brings, particularly in terms of operational resilience and accountability. The plan also highlights the ongoing Brexit-related uncertainty facing both firms and consumers, alongside the transition from the Temporary Permissions Regime to full authorisation for EEA firms operating in the UK. Firms need to ensure that they are aware of communications from the FCA in these areas.

An FCA cross-sector focus for 2019/20 is vulnerable customers, particularly in relation to those newly able to access their defined contribution pensions. Firms should be comfortable that they are complying with best practice in regard to these customers.

December 2019 sees SM&CR come into force for asset managers, tying in to a wider FCA focus on governance. Firms should ensure that they are prepared for AMLD5 to come into effect from January 2020.

In the longer term, the LIBOR transition will be particularly impactful for insurers, but asset managers should also assess the impact on their business and consider actions required. Internal Audit functions should consider including LIBOR transition as part of their 2020 plan.

Timing and relevance

Current – Rules currently in force or coming into force in the next 12 months

Medium term – Rules coming into force in 12 to 24 months, and potential issues firms need to address

Emerging – Rules coming into force after 24 months, and issues on the horizon for firms to consider

[Risk radar figure: topics plotted by timing (Current, Medium term, Emerging). The labels shown on the radar are: Prospectus directive; Financial Advice Review; Investment consultant referral to CMA; Platform rules implementation; Fund assessment; Revised UK Stewardship Code; EMIR REFIT; Vulnerable customers; Securitisation regulation; Outsourcing; Remuneration; Suitability of advice; SM&CR; GDPR; Conflict of interest; Asset Management Market Study remedies (including Assessment of Value); Gender pay gap; Change management; Distance marketing directive; Illiquid assets and open-ended funds; Sanctions and Anti-Money Laundering Act 2018; Money market funds regulation; MAR; Sustainable finance; IORP directive; P2P platforms regulation; CASS; FCA supervisory change; RDR and FAMR review; ESMA annual report; Prudential regime for investment managers; MiFID II; PRIIPs; SFTR; Regulation on MMFs; EU MiFID II policy review; LIBOR reform; AMLD V; UCITS review; Emerging tech; Cryptoassets; Fund liquidity stress testing; Brexit; Cyber security; Blockchain; Fund benchmark disclosures; Smarter comms; CMA investment consultant reform; Prospectus regulation; FCA review of fund fees; Shareholder rights directive; Governance; Transaction reporting; ICAAP. The position of each topic on the radar is not recoverable from the extracted text.]

Key themes

Brexit

Article 50 extension

Financial services firms were required by European supervisors to prepare for a no-deal Brexit on 29 March 2019. So firms built, expanded and sought authorisation for EU-based legal entities to be able to provide uninterrupted service to EU-based clients, regardless of the form of Brexit. Readiness for 29 March involved discussions and approvals from EU-based supervisors about business models, and the pace at which both customer business and critical activities would be migrated to these EU-27 entities.

When Brexit was then extended to 31 October 2019, many firms encountered resistance to further immediate Brexit moves from customers and staff, and so scaled back and redeployed staff and other resources that had been focused on Brexit preparatory activities. Despite current political events, the new UK Prime Minister and Cabinet are clear that ‘no-deal is better than a bad deal’ and a no-deal is still the default position on 31 October. Boards and senior management are increasingly seeking comfort that all necessary preparations have been completed, and that remaining gaps have been identified and assessed.

With the UK Government’s quickly-evolving Brexit strategy a no-deal looks more likely than ever. Boards and senior management are increasingly seeking comfort that all necessary preparations have been considered and will be concluded by 31 October.


Assessing Brexit risks and readiness – Internal audit has a key role to play to give organisations assurance over preparations that have been undertaken to date, and to help business leaders identify remaining gaps and assess the risks in a hard-Brexit scenario. The following issues should be considered in any Brexit readiness review.

Supervisory authorisations and conditions

• Review communications with regulator(s) to confirm the firm’s ability to maintain required authorisation(s) for UK/EU business, irrespective of the Brexit outcome.

• Review communications with European supervisors (whether ongoing or if there is a requirement to reopen discussions) on progress towards agreed commitments associated with authorisation(s).

• Review and challenge the business and financial performance of EU-based entities, including projections for the significant change of a no-deal Brexit, and the impact this may have on meeting regulator requirements for authorisation(s).

• Assess the impact of no-deal vulnerabilities on the business. Has a framework been prepared to examine key risk areas? For example:

– Grandfathering of internal models;

– Reliance on regulatory Memorandum of Understandings; and

– Additional local supervisory reporting.

Operational risks

• Can Brexit programme resources be recovered from redeployment? Has programme governance been re-established with updated objectives, leadership, reporting requirements and any gaps identified? What impact will a ‘mid-week’ Brexit date have on plans (i.e. 25 versus 31 October)?

• What is the status of, and plans for, staffing of UK/EU units? Are redeployments and local recruitment planned? Have any skills shortages been identified along with required training and investment?

• Has an assessment of no-deal been considered for systems readiness, data transfers, impact on cyber-security and supervisory reporting requirements?

• What are the implications for distribution channels (e.g. potential regulatory developments and interpretation following no-deal)? Do brokers/agents have appropriate licences to write UK/EU business? Have status updates been obtained from business partners, agents and feedback on plans from clients?

Brexit strategy, governance and implementation programme

• Has a Brexit scenario analysis been undertaken to consider how alternatives might influence:

– Strategy articulation;

– Customer / product strategy;

– Client readiness and migration strategy; and

– Lead times for implementation?

• How far have Brexit plans been implemented? Are Boards/Committees ensuring implementation of an appropriate governance programme, target operating model (including changes required before 31 October) and whether a suitable risk and scope assessment has been undertaken?

• Is the Brexit strategy still appropriate and fit for purpose? Has a review of the decision-making process been undertaken to consider the:

– Portfolio allocation (customers and products);

– Requirement to split EU/UK risks and the impact on claims/underwriting processes; and

– Effectiveness and sustainability of the operation post-Brexit?

Second order risks

[Figure: Wider impacts of no-deal Brexit, shown as six areas: 01 Tax and capital policy; 02 Financial markets; 03 Slowing economy; 04 Trade and regulatory barriers; 05 Regulatory, legal and data; 06 People and mobility.]

Potential macroeconomic issues that could impact firms and how these might be considered:

Tightening labour market

• Reduction in GDP growth

• Reduction in investment and deal activity

• Unemployment, reduction in consumer spending and squeeze in real wages

• Reduction in asset values

• Labour supply and skills shortages

• Civil unrest

Impact on product lifecycle

• Loss of EU subsidies and development funding

• Expansionary tax/fiscal policy

• Increases in EU taxes

• Changes to EU tax policy/regulation and corporate restructuring

Changes to policy environment

• Increase in regulatory and non-tariff barriers to trade

• Import VAT

• Warehousing and distribution

• Long-term depreciation in real effective exchange rates

• Restrictions on data transfers

Challenges to distribution channels

• Supply chain disruption

• Data challenges relating to GDPR

• Legal challenges

Reduced mobility and resource capability

• Skills shortages

• Increase in staff/resource strain

• Challenges to short-term mobility

• Impact on UK nationals living in the EU

Fall in market confidence and disruption

• Increase in risk premiums and financial market volatility

• Sharp fall in consumer and business confidence

• Sudden sterling depreciation and heightened FX volatility

Assessing readiness to manage second order risks

• Model impacts of second order risks on balance sheet, product life-cycle and lines of business (incl. volatility, longer supply chains, changes to credit risk, sources of funding, consumer behaviour and business confidence).

• Manage and prepare for risks. For example: market volatility (FX risk), Sterling depreciation, reducing asset values, increased unemployment, trade barriers and tariff introductions, loss of contract continuity and fragmentation of liquidity.

• Ability to meet PRA/FCA focus areas post-Brexit: Customer Outcomes, Operational Resilience, Resolution and the Corporate Governance Code.


Climate change and Environmental, Social and Governance (ESG)

Climate change

It has become a requirement for firms to consider risks associated with climate change. The PRA expects firms to show that the Board understands and assesses the financial risks from climate change that affect the firm, and is able to address and oversee these risks from within the firm’s overall business strategy and risk appetite. Firms are expected to allocate responsibility for identifying and managing financial risks from climate change to the relevant Senior Management Function(s) (SMFs). Firms are also expected to use stress testing and scenario analysis to inform risk identification and understand the short-term and long-term financial risks that climate change presents to their business models.

The PRA considers that the financial risks from climate change are far-reaching in breadth and magnitude, have uncertain and extended time horizons, are foreseeable, and that their significance depends on short-term actions.

ESG

Sustainable investing is an investment approach that takes into consideration not only financial metrics but also ESG risk factors. These risk factors could arise due to environmental and climate change, or because of increasing social inequity or as a result of a lack of governance. They increasingly have the potential to impact financial metrics. Sustainable investing looks beyond the 3-5 year business cycle so that risks that could manifest and impact in the medium- to long-term can be appropriately considered.

The European Commission’s Sustainable Finance Action Plan (SFAP) sets out a package of regulatory measures to strengthen the way asset managers and asset owners consider sustainability and ESG in their investment strategies.

The new regulatory changes aligned to the SFAP propose changes to MiFID II and the introduction of a new ESG Disclosure Regulation. All of these changes will require asset managers to implement an ESG Policy and to set out how they have integrated that policy into their investment decision-making. Managers will also be required to make new disclosures on sustainability/ESG to their investors.

Key risks

• Firms do not adequately assess climate-related financial risks relating to transition risks and physical risks and how they will affect their business model.

• Poor articulation of climate change risk assessment, climate change stress tests, and scenarios within the risk management framework.

• Lack of knowledge at Board level, inhibiting effective challenge.

• Firms not reviewing and updating their ICAAP (Internal Capital Adequacy Assessment Process) document with the most up-to-date information on climate change developments.

• The risks resulting from events related to climate change are not appropriately managed leading to financial loss and/or regulatory censure.

• The investment framework is not in line with new regulatory requirements and market practices, and ESG risks are not adequately considered and exposures measured.

• Investment products that are marketed on the basis of sustainability cannot demonstrate how they achieve this sustainability objective.

• ESG risks are not modelled to allow management to understand the implications for the credit quality and risk/return profiles of the firm’s investment strategy.

Internal audit focus areas

• Design and robustness of strategies, policies, processes and systems in place to identify climate change risks inherent within the business.

• Design and operating effectiveness of controls over the climate change risk assessment process.

• Whether the ICAAP adequately covers exposure to climate change risk, including how the firm identifies and manages it.

• Whether the firm identifies and allocates an appropriate SMF holder to the climate change risk responsibility and ensures this is included within SMF responsibility mapping.

• Design and robustness of strategies, policies, processes and systems in place to manage the approach to ESG issues.

• Tracking and implementation of the numerous regulatory changes focused on ESG and sustainability.

• Governance and adequacy of MI to track, challenge and understand the firm’s exposures to ESG risks.

Customer outcomes (1/4)

The suitability of advice and the need for products and services to meet the needs of customers has been a cross-sector area of focus of the FCA for the last two years. There is particular concern from the regulator around the treatment of vulnerable customers, long-standing/loyal customers and retirement outcomes, coupled with an overarching question as to what level of care firms should provide to their customers, particularly when providing high-cost credit.

The FCA has released a number of key publications this year relating to the treatment of customers, including:

• The retirement outcomes review/feedback and further consultations.

• The consultation and feedback on duty of care.

• The Mortgages Market Study and changes to responsible lending guidance.

• The consultation guidance on fair treatment of vulnerable customers.

The continuous work on affordability and vulnerable customers and their fair treatment is highlighting a number of areas where firms are expected to take into consideration the differing needs of their customers and to work towards ensuring these needs are met throughout the life cycle of the product and customer interactions.

The scope of audits over the fair treatment of customers can draw on a number of areas including:

• What data and management information is available and used to drive behaviours and decisions that are in the best interest of the customer?

• What is the risk of harm embedded in products and processes and how vulnerable customers might be at greater risk?

• How effective is the governance and oversight of customer outcomes? Is there clear accountability and a culture ‘to do the right thing’? What is the customer value proposition of the firm, and how does its purpose take its customers into consideration?

• How are customer outcomes considered at each stage of the distribution chain?

• Do staff have the right support and feel empowered to exercise discretion to meet customer needs?

• Are third party suppliers aware of the firm’s approach to customers and how do management assess the third parties with respect to customer treatment?

• What tools and system solutions are used or could be used to enforce fair customer treatment, accurate and complete identification of vulnerable customers and transparent information for effective monitoring and governance of customer treatment?

Customer outcomes (2/4)

Vulnerable customers

The FCA and other regulators have increasingly become more interventionist and forthright in their views when it comes to markets that are not adequately protecting the most vulnerable consumers in society. The FCA published a consultation in July 2019 on the fair treatment of vulnerable consumers, bringing more clarity over expectations when it comes to the identification, management and monitoring of vulnerable consumers.

Firms need to reflect on their purpose, business model, customer culture and capability to identify, manage and monitor vulnerability, and ensure that they have effective policies, controls and capabilities in place to treat vulnerable customers fairly.

Key risks

• Policies for customer vulnerability are insufficient to comply with rules and meet regulatory expectations.

• Staff are inadequately trained and empowered to identify and appropriately handle customer vulnerability.

• Processes, policies and controls across the customer journey are not designed and operated effectively to identify and derive fair outcomes for unique customer circumstances and those that may change over time.

Internal audit focus areas

• Assess the design of the Vulnerable Customers policy and its adequacy in relation to the business model and products offered.

• Undertake an assessment of the firm’s strategy and culture in relation to vulnerable customers to determine whether the firm has an inclusive and customer-centric approach, driven by a clear purpose and strong leadership.

• Review customer files to assess the effectiveness of the firm’s approach to vulnerable customers, including:

– How effectively it identifies, documents and records potential vulnerability; and

– How effectively it responds to and monitors vulnerable customers, including whether those customers receive fair outcomes.

Customer outcomes (3/4)

Assessing value for money in investment funds

From 30 September 2019 new rules requiring Authorised Fund Managers (AFMs) to conduct an annual assessment of value for their UK authorised funds come into effect.

The rules require AFMs to consider at least seven criteria prescribed by the FCA, which include the fund performance, costs and the quality of service received by investors. AFMs must then report to investors on whether the costs charged to the fund are justified in the context of the value delivered, and any changes the AFM has made as a result of the assessment.

The Prescribed Responsibility for the assessment of value under SM&CR sits with the Chair of the AFM Board. The FCA expects firms to use this process to undertake a ‘root and branch’ review of their business and the value proposition offered to their clients.

If firms include the public ‘value’ report in the fund annual accounts, this must be published within four months of the accounting year end date. For firms opting to produce a consolidated report (containing details of two or more funds) there is more flexibility offered on timing for this report. But in either case the FCA expects all firms to have their value assessment procedures in place and documented by October 2019.

Key risks

• Demonstrating effective oversight under SM&CR.

• The subjective nature of how to assess the seven criteria, and how to use this analysis to form conclusions and identify appropriate actions.

• How to communicate assessments to the customer in a format that will be understood, and is consistent with peer firms.

Internal audit focus areas

• How are the seven criteria being assessed, and is the process clearly defined and documented such that it can be repeated across the fund range and annually?

• Does the assessment consider the criteria at sufficient granularity to be in keeping with the letter and the spirit of the requirements? Are all charges being assessed?

• How will assessments be reported internally to the AFM board, and publicly to investors?

• What is the governance framework for these assessments from product launch to ongoing monitoring?

Customer outcomes (4/4)

Suitability of advice: Pensions and retirement income

Focus remains on the Retirement Outcomes Review undertaken in July 2018. FCA reviews have found that despite firms providing the required information to customers accessing benefits without advice, customers are not fully engaged. Many non-advised customers are potentially making unsuitable decisions about the retirement options available and drawdown investment decisions, leading to a risk that retirement funds are eroded and leave insufficient income throughout retirement.

Amid concerns about non-advised drawdown, the FCA has introduced requirements for providers to make available four investment pathways to assist customers with investment decisions, ensure non-advised customers make active decisions to invest in cash and issue annual decumulation costs and charges information.

Key risks

• The requirement for new annual decumulation costs and charges information may have system implications in order to ensure changes are made prior to the effective date.

• The investment pathway options for non-advised drawdown contracts will require appropriate communications to enable customers to make informed decisions. Firms must ensure communications are created alongside the design and development of the investment pathways.

• Providers will need to engage with customers during the lifecycle of a drawdown. In addition to the investment pathways, providers must ensure that customers who wholly or predominantly invest in cash have made an active decision to do so.

Internal audit focus areas

• Review the adequacy and appropriateness of communications to customers regarding the investment options. Investigate whether appropriate controls are in place to ensure that cash investments are an active decision.

• Assess the adequacy of controls in place to monitor new business, complaints and issues of non-advised pension drawdowns.

• Assess the adequacy and appropriateness of the controls in place, including management information and root cause analysis, to enable the firm to identify and manage sales and processing activity to mitigate potential customer harm.

• Review the assessment of the non-advised drawdown process that management should have undertaken. Assess for evidence of whether the end-to-end customer journey has been assessed, and that the required information is provided at the appropriate point.

Platforms (switching investments)

The FCA published MS17/1.2: Investment Platforms Market Study Interim Report on 16 July 2018. It found the market is working well in many respects, but identified the following concerns:

• Switching between platforms and shopping around can be difficult.

• The risks and expected returns of model portfolios are unclear.

• Consumers with large cash balances on direct-to-consumer platforms may not know they are missing out on investment returns.

• ‘Orphan clients’ who no longer have an adviser face higher charges, lower service and challenges to switch.

Key risks

• There is a suggestion that the FCA will implement more intrusive remedies if firms do not make urgent improvements.

• Firms must implement changes on switching platforms, and progress existing industry initiatives to introduce standardised times for transfers and improve customer communications, including potentially publishing data on transfer times.

Internal audit focus areas

• Internal Audit functions need to be ready to assess how the business responds to these findings.

• How are the risks and returns of model portfolios explained?

• How is price revealed to customers when they consider changing platforms?

• What is the business doing to identify consumers with large cash balances on direct-to-customer platforms?

• What monitoring is there of ‘orphan clients’ and what steps are taken to ensure they receive an appropriate service?

• Are customers switching platforms on an advised basis and how much is it costing them to do so?


Governance and accountability (1/7)

We continue to see the regulators focused on governance, accountability, conduct and culture, with the topics specifically highlighted as priorities in both the FCA and PRA business plans, but also underpinning other regulatory focus areas.

Regulators are increasingly interpreting operational failures and/or risk management issues (be it related to operational resilience, financial crime, customer treatment or financial resilience) as potentially due to ineffective Board and senior management governance.

The FCA sees good governance and culture as being critical to reducing potential harm to consumers and markets through enabling effective oversight of decision-making. A key aspect of the FCA’s governance and culture agenda is the extension of the Senior Managers and Certification Regime (SM&CR) to all FCA-authorised firms on 9 December 2019, alongside its focus on ‘purpose’ in creating healthy cultures and looking at firms’ remuneration practices. Firms approaching SM&CR as a compliance-led ‘tick-box’ exercise may fail to address the key underlying issues of concern to the FCA and miss opportunities to address governance problems.

The new UK Corporate Governance Code (CGC), which came into force on 1 January 2019, sets the standards of good practice in relation to board leadership and effectiveness, remuneration, accountability and relations with shareholders. Although only applicable to companies with a premium listing of equity shares in the UK, the PRA has indicated it considers the CGC as best practice for all firms it supervises. The FCA has indicated it will continue to review firms’ governance arrangements, particularly in areas such as remuneration practices, dividend distributions and corporate governance at Board level.

Regulators and other key stakeholders are holding organisations to higher standards of governance and proactive risk management. Boards, CEOs and senior management must be able to demonstrate that they are able to assess their risks, design robust internal controls to mitigate them, and have robust governance frameworks that drive effective decision making. We have seen the FCA apply significant scrutiny to asset managers with unsuitable governance arrangements, e.g. by subjecting them to Board Effectiveness Reviews. Areas of challenge include the quality of Board MI, level of independent challenge, group dynamic, board skillset and operating model keeping pace with growth.

We present in this section particular topics internal audit functions may wish to include in their annual plan; however, governance and conduct is a theme that should be incorporated and considered across all reviews. The implementation of the SM&CR regime over the next couple of years further highlights individual accountability for firms’ ways of working.

September 2019 | 2020 Internal Audit Planning


Governance and accountability (2/7)


Board effectiveness

The presence of strong governance can no longer be viewed as a reactive process; instead, faced with increasing uncertainty, organisations must take a proactive stance to manage risk and realise business opportunities that align with stakeholders’ expectations and ultimately their business strategy.

The new Corporate Governance Code (CGC) came into force on 1 January 2019 and as well as amendments to the existing CGC, a substantial guidance document regarding Board Effectiveness was also published. The regulators have also indicated that they will continue to focus on firms’ governance arrangements at Board level.

Key risks

• Insufficient succession planning processes to support the new recommended tenure and prior experience principles for Board members.

• No clear articulation of responsibilities for chair, chief executive, senior independent director, board and committees.

• Remuneration policy and processes not sufficiently articulated and implemented.

• Lack of process for documenting governance activities.

• Lack of time for key agenda items, and lack of evidence of contribution by individual directors.

Internal audit focus areas

Internal audit should clearly determine the scope and purpose of any review. For example, whether the review is of corporate governance (structure, composition, control, quality of management information and documentation) or a formal Board effectiveness review (Board dynamics, leadership, decision making and contribution). Additional Board effectiveness focus areas include, but are not limited to:

• Assess the adequacy of documentation of committee activity and responsibilities of key individuals and committees against the new increased requirements.

• Assess the sufficiency of focus on wider stakeholders amid increased reporting requirements.

• Creation of a detailed questionnaire for all Board members to complete to gain a clear understanding of their views on the effectiveness of the Board, supplemented with sampled interviews.

• Board training, awareness of duties and conflicts of interest management.

• Delegations of authority.


Governance and accountability (3/7)


Senior Manager and Certification Regime

It came as no surprise to anyone that once again governance and culture featured prominently as a cross-sector priority in the FCA’s 2019/20 business plan. SM&CR is an opportunity to establish healthy cultures and effective governance in firms, and is seen as a key tool for the FCA. It aims to reduce customer harm and strengthen market integrity by encouraging greater individual accountability and setting new standards of personal conduct.

SM&CR currently covers banks and insurers but will capture all regulated firms from the fixed implementation deadline of 9 December 2019. Firms should learn from the challenges banks have had to overcome since SM&CR came into force. Firms should also not consider this in isolation, or as a ‘one off’ exercise – the governance and culture agenda continues to be an ongoing, permanent fixture of FCA supervisory focus and will likely be fertile ground for enforcement cases if current trends continue.

Key risks

• Insufficient understanding and evidencing of reasonable steps to avoid a contravention from occurring or continuing.

• Insufficient/ineffective training for Senior Managers to enable a complete understanding of their duty of responsibility.

• Failure to anticipate an increased demand by Senior Managers for more support/information to discharge their responsibilities.

• Lack of evidence to demonstrate what a conduct breach might look like and how this might link through to disciplinary proceedings.

• Failure to embed handover procedures.

• Insufficient tailoring of the conduct rules training to specific jobs that staff perform.

• Failure to evidence the effectiveness of the assessment approach for the certification population, including use of subjective judgement and consistency in application.

Internal audit focus areas

• All remuneration and governance regulations that apply to the allocation of Senior Manager Function holders and certified individuals have been captured and adhered to.

• Evidencing of reasonable steps.

• Linkage between conduct rules and disciplinary procedures.

• Appropriateness of HR systems to record the information required for certification.

• Appropriateness of systems and procedures in place to record Senior Managers’ responsibilities.

• Completeness and appropriateness of Senior Manager and certified staff training as well as conduct training for all staff.

• Appropriateness of conduct risk register design and monitoring.

• Appropriateness of the Senior Manager and certification assessment process.


Governance and accountability (4/7)


Culture

Internal audit focus areas

Internal audit can perform cultural reviews in a number of ways – e.g. targeted reviews on behaviours or processes, components of every review, or informally through data gathering exercises. Workshops and interviews with all grades should be used to assess how the staff perceive the culture of the firm, consistent messaging and successful embedding of the expected behaviours. Whatever approach is taken, the following issues should be considered:

• Is there a defined culture framework that identifies cultural gaps, and does it appropriately reflect requirements from SM&CR?

• Are roles and responsibilities clear and accountability understood?

• ‘Tone from the top’ – has the firm’s desired culture been defined by the Board and how is culture and conduct measured and governed?

• Are metrics defined and monitored for the Board to effectively oversee adherence to the firm’s culture? What are the measures of success?

• Behavioural indicators – How are the right behaviours cascaded through the organisation for consistent messaging across all stages of an employee’s lifecycle, from onboarding and training through to performance and remuneration?

• Does conduct form part of all employees’ objectives?

• Is there an appropriate framework for incident management, including escalation protocols, and are incidents resolved in a timely manner?

• Is there a willingness to undertake lessons learned and share insights after issues are raised?

• Is there a ‘good news only’ culture for information presented to Boards and committees, which in turn increases the potential for not mitigating risk in time?

The FCA’s recent discussion paper on culture is the regulator’s first tangible output on the topic for some time. Initially, the FCA focused on the importance of the ‘tone from the top’ and individual accountability (for example the SM&CR).

The FCA maintains that senior leaders play a key role in influencing culture, and recognises that everyone influences the culture of a firm, from middle managers to junior employees. Having established the right tone from the top, firms now need to understand how to turn messages into improved behaviours at all levels of the organisation.

Key risks

• Changing culture takes time and is an ongoing evolution, so the firm’s work to drive the right culture will not have an ‘end date’ – they need to continually drive this and keep up the momentum as the market and their business evolves over time. There is a risk that a firm may undertake a one-off exercise to “fix” culture.

• Whilst there is no ‘right’ or ‘wrong’ culture for a business, culture and values need to be considered for their impact on wider topics, such as conduct, customer treatment, diversity and inclusion.

• Focus from the Regulators with an increase in investigations and enforcements.


Governance and accountability (5/7)


Risk management framework

A robust risk management framework is fundamental to a firm’s identification, analysis and management of the risks it runs. The framework should comprehensively cover the wide range of risks faced by the firm, including the supporting processes used to manage them, and should be owned by a risk function that carries sufficient weight within the organisation to enable it to communicate and embed the framework effectively.

The firm’s Board-approved risk appetite should be the primary mechanism for ensuring that the firm’s strategy is delivered within adequate constraints, and should be supported by established reporting processes.

Risk management effectiveness during cost cutting

As companies grow, expand their services and evolve over time, they must establish sound governance practices in the management of risk to facilitate informed decision making; achieve strategic goals; and meet the expectations of both internal and external stakeholders.

Financial services organisations are also under increasing pressure to cut costs and increase efficiency. But in cutting costs, organisations often lose sight of the additional risk they are taking on, especially operational risk.

Key risks

• Insufficient consideration of key risks in decision making.

• Inappropriate or inaccurate articulation of risk appetite, resulting in a firm’s inability to embed the right risk culture.

• Ineffective risk management framework and lack of appropriate risk information to effectively oversee the constantly-changing regulatory environment, regionally and globally, as well as divisionally and functionally.

• Second line assurance activity may be reduced.

• Pressure to grow, whilst also reducing fixed costs as a proportion of revenue, may lead to unintended risks being taken on.

• Poorly communicated risk management framework resulting in a lack of clarity of roles and responsibilities across the three lines of defence.

• Lack of sufficient maturity in the framework to enable the firm to demonstrate embeddedness across the organisation.

• Penal tools available to the regulator in the form of a Risk Management and Governance (RMG) scalar where weaknesses in risk management and/or governance are observed.

Internal audit focus areas

• Adherence to the risk management framework and risk appetite as the business goes through any cost cutting exercise, considering the impact on culture and morale.

• Changes to the control environment due to changes in operating models and products need to be considered with respect to roles and responsibilities and staff changes.

• Additional controls, reporting and monitoring that may be required throughout the period of change.

• Effectiveness of lines of defence and the risk function’s ability to challenge the business.

• Harmonisation of the various risk management-related components including ICAAP, ILAAP, recovery plan and risk appetite.

• Clearly defined and effectively calibrated risk appetite limits and early warning indicators, supported by sufficient analytical detail and rationale.

• Adequate and timely MI reporting on key risks and variations from risk appetite to enable the Board to monitor and challenge executive management.

• Internal audit should also confirm adherence to the risk appetite.


Governance and accountability (6/7)


Remuneration code

In the wake of the financial crisis, scrutiny and oversight of remuneration practices (and the behaviours they drive) has toughened significantly. This translated over time into onerous and complex remuneration regulations covering almost all FS sub-sectors.

The primary focus of remuneration and governance regulations is to mitigate a culture of excessive risk taking, shift the focus from short-term to long-term sustainable and risk-adjusted outcomes, and enhance the focus on conduct in the sector.

In the UK, the PRA and the FCA enforce a series of complex and ever changing requirements. Compliance against those requirements is key.

Key risks

• A detection of minimal or limited compliance against the remuneration and governance requirements by the PRA and/or FCA will result in a heightened focus on the firm and the wider regulated practices. The reverse of this scenario is also possible.

• At times firms have been fined excessively (and publicly named) for breaching conduct standards through the use of ‘aggressive’ sales incentives.

Internal audit focus areas

• Confirm all remuneration and governance regulations that apply to the firm have been applied in a proportionate manner.

• If required, confirm that a remuneration committee has been established with terms of reference clearly defining its role and remit in setting and determining remuneration.

• Assess whether remuneration and governance practices are in line with the overall firm-wide risk framework and appetite.

• Assess whether remuneration and governance policies and their application are fully compliant with the regulatory requirements.

• Review controls to ensure Material Risk Takers (MRTs) are accurately and completely identified, and ensure that the list of MRTs remains current and up to date during the year.

• Assess communications to MRTs to ensure they are fully aware of their roles and responsibilities and how this impacts their remuneration arrangements.

• Assess whether there are appropriate processes in place to operate (where applicable) the structural pay requirements (cap, deferral, payment in shares and malus/clawback).

• Assess controls in place to ensure that regulatory submissions are on time, complete, accurate and to an appropriate standard.


Governance and accountability (7/7)

Diversity and inclusion (D&I)

The Equality Act Gender Pay Gap (Information) Regulations 2017 require all companies with 250 or more employees in England, Scotland and Wales to disclose multiple gender pay gap indicators. The government issued a consultation on ethnicity pay gap reporting and it is likely that gender pay reporting requirements will broaden to include ethnicity pay by 2021.

The revised UK Corporate Governance Code encourages greater transparency and promotes diversity of gender, social and ethnic backgrounds, cognitive and personal strengths. The Code sets requirements for the Nomination Committee regarding succession plans and imposes disclosure requirements for the annual report.

Additional requirements apply to the financial services sector, with the PRA setting out requirements on the diversity of the management body, as well as disclosure requirements. Additional EBA/ESMA guidelines apply to those subject to MIFID II.

Beyond the legal and regulatory requirements, the expectations of customers, employees, investors and other key stakeholders continue to change. Many organisations have set out strategic objectives and/or targets in relation to D&I, and they should have a framework in place to ensure that they can deliver against them.

Key risks

• There is continued public and government scrutiny of the progression of women, with a specific focus on financial services. The government also demonstrates an increased focus on diversity beyond gender. There are risks – primarily reputational – to companies who do not demonstrate that they are taking action to resolve their gender pay gap and wider diversity issues. This could impact upon the company’s ability to recruit and retain staff, obtain investment and/or secure customers.

Internal audit focus areas

Internal audit should challenge the Board and management on their D&I agenda and reporting. This can be performed through a targeted review or as part of a cultural or corporate governance review. The following questions should be considered:

• Has the firm’s approach to investigating and resolving its gender pay gap been defined, does it have appropriate investment and senior buy-in to drive change, and is there an action plan to address diversity beyond gender?

• Is there appropriate and sufficient data to better understand the reasons behind the gender pay gap, has analysis been performed, and has management started collecting and analysing data on the ethnicity pay gap?

• Has the Nomination Committee acted upon the requirements of the Corporate Governance Code and ESMA/EBA guidelines as appropriate?

• Have recruitment, retention, progression and other policies and practices throughout the employee lifecycle been examined to eliminate unconscious bias?

• Is there transparency in the way performance is measured and how employees engage with the process, and are performance bonuses and promotions based on clear criteria?

• Is the public reporting of the firm’s plans to resolve the gender pay gap accurate, sufficient and supported by activity being undertaken within the firm, and does the firm report on diversity issues beyond gender and the strategy and actions taken to address them?


Financial crime


The fifth Anti-Money Laundering Directive

The fourth EU Anti-Money Laundering Directive (AMLD4) came into force on 26 June 2017, which included some changes to AML procedures, including changes to customer due diligence (CDD), a central register for beneficial owners, classification of politically exposed persons (PEPs) and a focus on risk assessments. The main emphasis of the directive was on a risk-based approach.

The fifth EU Anti-Money Laundering Directive (AMLD5) came into force on 9 July 2018 and member states are obliged to transpose the modified regulations into national law by January 2020. The UK government has consulted on the proposed changes.

Financial Crime

Financial crime continues to be one of the FCA’s cross-sector priorities, with thematic reviews of anti-money laundering (AML) and sanctions conducted by the FCA across a range of financial institutions. The FCA has stated that its supervisory approach is to become more data driven in the future, using a range of sources to focus effort on where the risks are deemed to be the greatest. Where the FCA has identified that a firm’s financial crime framework is not considered up to standard, this has often led to the regulator also considering the role of internal audit and whether financial crime audits are of sufficient coverage and quality.

Key risks

• Risk assessment – Regulated firms must have their AML compliance framework informed by an enterprise risk assessment. This risk assessment must consider a range of factors and be specific to the firm’s business with policies, procedures and controls aligned accordingly.

• Customer Risk Assessment and Customer Due Diligence – assessing the risks presented by a business relationship and undertaking appropriate due diligence to mitigate this reduces the opportunity for money laundering.

• Anti-Bribery and Corruption (ABC) – The FCA has identified that progress (albeit at times slowly) has been made in AML controls, however ABC controls tend to be less well developed and receive less management attention.

• Lack of technical knowledge leading to incorrect implementation of AML controls.

• Lack of governance over updates to policies and procedures reflecting changes in AML regulations including.

• Incorrect configuration of additional system controls for compliance with enhanced due diligence measures for financial flows from high-risk third countries.

Internal audit focus areas

• Quality assessment of financial crime audits and development of data analytics to inform internal audit’s risk assessment.

• Assess the design and operational effectiveness of the firm’s Financial Crime framework and enterprise risk assessment process.

• Examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted to comply with MLR (Money Laundering Regulation) 2019.

• Review of governance over AML controls, including updates to policies, procedures and risk assessments.

• Review of additional system controls implemented as part of enhanced due diligence measures for financial flows from high-risk third countries.


GDPR


Recent enforcement actions from the Information Commissioner's Office (ICO) send two clear messages; firstly, that the ICO has a highly competent team of data protection, cyber security and direct marketing specialists; and secondly, firms holding personal data will be held responsible, regardless of why they, or a third party, were holding it or how they lost it. This has put data protection, and specifically data breach preparedness back to the top of Board agendas.

Data Protection and Privacy

The General Data Protection Regulation (GDPR) in the EU introduced the largest change to data protection legislation since the European Data Protection Directive in 1995. The potential for heavy fines featured large in media headlines and firms undertook wide-scale privacy change programmes in preparation for the GDPR go-live date of 25 May 2018. But, GDPR is much more than a one-off change programme, or a series of business activities designed to avoid a fine – it's the reality of today's modern, customer-centric business.

Key risks

• Lack of sustainability – Embedding GDPR into day-to-day operations requires cultural and behaviour change. Some firms have viewed GDPR as a one-time compliance activity, which doesn’t reduce the GDPR risks the firm is carrying. Insufficient drive to operationalise data protection processes throughout the firm to sustain compliance could lead to regulator enforcement and significant fines.

• Incomplete implementation – Firms have not yet addressed some of the harder challenges relating to GDPR, such as retention, unstructured data, paper/hard documents, etc. Unstructured data is generally subject to poor security controls and a lack of robust access governance, which can increase the risk of a potential data breach.

• Cross-regulatory requirements not known or breached – Firms that operate outside of the EU will also have other privacy regulations to be aware of and so must ensure processes and policies are compliant with GDPR and other global regulations. Most multi-jurisdiction firms are federated and share data freely across their legal entities. Firms need to determine the legal basis for data transferring and sharing across the business’ legal entities and ensure this meets cross-regulatory requirements.

• Lack of ownership – Firms are yet to specify all data owners. Without clear ownership, how data can be handled may not be clearly articulated or determined, which can lead to security vulnerabilities, as well as slow or insufficient breach reporting.

• Lack of, or incorrect consent obtained – Managing customer consent, electronic communications and marketing activities to be compliant with GDPR and upcoming ePrivacy regulation requirements.

• Poor conduct – There is a risk surrounding inappropriate conduct from within the organisation, and the subsequent reputational consequences.

• Data breaches – Data breaches continue to remain a key risk for organisations.

• Data subject requests not processed on a timely basis – Lack of robust processes to deal with data subject requests in a timely manner.

• Lack of third party management – There is a risk that third parties may be acting in a manner that is deemed inappropriate by the organisation in regards to GDPR and the organisation may be vulnerable to potential data breaches or non-compliance.

• Brexit – Risk to the flow of personal data from the EEA to the UK in the event of a hard Brexit.

Internal audit focus areas

• Assess compliance with GDPR regulation and adequacy of privacy governance to embed GDPR into day-to-day operations.

• Review GDPR risk appetite and assess if the firm is operating within the approved limits.

• Assess the adequacy of governance and oversight arrangements, including third parties and other group entities, over personal and sensitive data.

• Assess the strength, depth and enforcement of data protection policies, training of staff and data governance structure throughout a firm.

• Deep dives into specific areas, such as data retention, unstructured data, RoDP (Record of Data Processing), DPIA (Data Protection Impact Assessments), etc. to assess compliance.

• Assess the firm’s readiness for transfer of personal data from the EEA to UK in the event of a hard Brexit.

• Assess the firm’s ability to identify and comply with other global data protection regulations.


Operational resilience (1/4)


Regulators expect firms to be operationally resilient, fundamentally shifting the paradigm to a ‘WAR’ (withstand, absorb and recover) footing. This is a material step change from the days of basic business continuity planning with supporting IT disaster recovery.

Operational resilience features heavily in both the FCA’s and PRA’s latest business plans, with key focus areas of outsourcing, change management and cyber security. Regulators started by using resilience questionnaires to benchmark firms against their peers and conducting ‘SpotCheck’ exercises. They are now looking for greater evidence of resilience through a wider programme of supervisory reviews and stress testing exercises.

All eyes will soon turn towards the joint regulatory consultation paper due later in 2019. The discussion paper published in 2018 saw a marked shift in tone as the regulators set out the assumption that failure is inevitable and therefore firms needed to invest resources to understand and improve their response as well as preventive measures. Firms are also expected to look at resilience through the lens of business services they deliver to their customers and to be able to quantify the amount of disruption a business service can withstand whilst still remaining viable.

The consultation paper should provide firms with more specific guidelines on the regulators’ expectations, and will require extensive work by firms to ensure they are meeting these standards. Furthermore, the regulators are clear that their expectations apply to all sectors and all sizes of firms.

Operational resilience framework

Through our experiences of working with firms in their journey to operational resilience, we have articulated the relevant domains in the diagram below. Internal audit functions should consider where they can add the most value in providing assurance over the steps taken by management to mitigate risks across these domains, with the identified critical business services.

[Diagram: operational resilience framework, twenty domains numbered 01–20 arranged around ‘Business service-led resilience’; each domain is described on the following pages.]


Operational resilience (2/4)


1. Governance

The operational resilience strategy is aligned and embedded within the Business and IT Strategies. Operational resilience drives investment and risk decisions. The Board and executive have accurate and adequate oversight of resilience activity, trends and remediation plans to assist them in making decisions.

2. Resilience framework and standards

An operational resilience framework is in place across the organisation, with clear definition and accountability for the different aspects of resilience. The framework is current, communicated and understood by the organisation.

3. Profiling

Mapping the business service end-to-end, across all functions.

4. Layering of enablers

Supplementing the overall business profile with details of the underlying technology architecture, property, personnel and third parties involved in delivering the service.

5. Key impact identification

Identifying the metrics that can be used to understand the performance of a particular business service and whether issues are being experienced, e.g. trade volumes, number of mortgage approvals, value of transactions, etc.

6. Proving the profile

The process of running ‘real’ data through the business service profile and, with the aid of past data, validating the use of the key impact metrics to understand business service performance.

7. Scenario development

The creation of ‘severe but plausible’ scenario narratives to enable effective stress tests. Scenarios should be articulated to a sufficient level of detail to make clear the issue and enable organisations to focus on the resulting effects.

8. Testing

The undertaking of periodic testing to deliver a view of the likely impacts of stress tests and also a sense of the consequential impacts of the stress scenarios across the organisation. Tests should be well documented and provide clear and actionable outcomes.

9. Impact tolerance calibration

The development and adjustment of impact tolerances for key business services, built on the creation, performance and analysis of stress tests. Tolerances should be set by business service and agreed by senior management.

10. Monitoring of performance

The on-going business-as-usual monitoring and review of performance against impact tolerances, including the management of trigger alerts and escalation of potential issues.

[Diagram group labels: Governance and standards; Business service view; Resilience capabilities.]
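Domains 5, 9 and 10 together describe a monitoring loop: identify a key impact metric per business service, calibrate how long that service can sit below an acceptable level before the firm is no longer viable (the impact tolerance), then monitor the metric in business-as-usual and escalate as tolerance is consumed. The following Python block is an added illustration of that loop and is not PwC’s code or part of the framework; the service names, metric floors and tolerance values are constructed for the example, and real tolerances would come from the stress-testing domains (7 to 9). The point it makes that the text does not: an impact tolerance is a duration of disruption, not a single threshold, so the monitor must track the length of the current run below the floor, raise a trigger alert part-way through the tolerance, escalate to a breach only when the run exceeds it, and record the consumed tolerance on recovery so the MI reported to the Board reflects near-misses as well as breaches.

```python
"""Impact-tolerance monitoring for business services (constructed example, not PwC's code)."""
import math
from dataclasses import dataclass
from typing import Dict, List

# Escalation levels raised by the monitor.
OK, WARNING, BREACH, RECOVERED = "ok", "warning", "breach", "recovered"


@dataclass(frozen=True)
class ImpactTolerance:
    """Calibrated tolerance for one business service (domain 9).

    floor: lowest acceptable value of the key impact metric per one-minute sample.
    max_disruption_minutes: longest run below the floor the service can sustain
        while remaining viable, i.e. the impact tolerance agreed by senior management.
    warning_fraction: share of the tolerance consumed before a trigger alert is raised.
    """
    service: str
    metric: str
    floor: float
    max_disruption_minutes: int
    warning_fraction: float = 0.5

    @property
    def warning_minutes(self) -> int:
        return math.ceil(self.max_disruption_minutes * self.warning_fraction)


@dataclass(frozen=True)
class Observation:
    """One sample of a key impact metric (domain 5); samples are assumed contiguous at one-minute intervals."""
    service: str
    minute: int
    value: float


@dataclass(frozen=True)
class Alert:
    service: str
    minute: int
    level: str
    minutes_disrupted: int


def evaluate(tolerances: Dict[str, ImpactTolerance], observations: List[Observation]) -> List[Alert]:
    """Replay observations per service and raise escalating alerts (domain 10).

    A service is 'disrupted' while its metric sits below the floor; the length of the
    current run is compared with the tolerance. Each level is raised once per run, and
    the recovery alert carries the run length so MI can show how much tolerance was consumed.
    """
    disrupted: Dict[str, int] = {name: 0 for name in tolerances}
    raised: Dict[str, str] = {name: OK for name in tolerances}
    alerts: List[Alert] = []
    for obs in sorted(observations, key=lambda o: (o.service, o.minute)):
        tol = tolerances.get(obs.service)
        if tol is None:
            continue  # no calibrated tolerance for this service: nothing to compare against
        if obs.value >= tol.floor:
            if disrupted[obs.service]:
                alerts.append(Alert(obs.service, obs.minute, RECOVERED, disrupted[obs.service]))
            disrupted[obs.service] = 0
            raised[obs.service] = OK
            continue
        disrupted[obs.service] += 1
        run = disrupted[obs.service]
        if run > tol.max_disruption_minutes and raised[obs.service] != BREACH:
            raised[obs.service] = BREACH
            alerts.append(Alert(obs.service, obs.minute, BREACH, run))
        elif run >= tol.warning_minutes and raised[obs.service] == OK:
            raised[obs.service] = WARNING
            alerts.append(Alert(obs.service, obs.minute, WARNING, run))
    return alerts


def breached_services(alerts: List[Alert]) -> List[str]:
    """Services whose impact tolerance was exceeded, i.e. candidates for Board/executive escalation."""
    return sorted({a.service for a in alerts if a.level == BREACH})


def sample_tolerances() -> Dict[str, ImpactTolerance]:
    # Constructed values; in practice these come out of the stress-testing domains (7 to 9).
    tols = [
        ImpactTolerance("trade_settlement", "settlements per minute", floor=100, max_disruption_minutes=30),
        ImpactTolerance("client_portal", "portal available (1/0)", floor=1, max_disruption_minutes=10),
    ]
    return {t.service: t for t in tols}


def sample_observations() -> List[Observation]:
    # Constructed feed: settlement throughput collapses from minute 5 and does not recover;
    # the portal has a seven-minute outage followed by a three-minute blip.
    obs = [Observation("trade_settlement", m, 250 if m < 5 else 40) for m in range(41)]
    for m in range(26):
        down = 10 <= m <= 16 or 21 <= m <= 23
        obs.append(Observation("client_portal", m, 0 if down else 1))
    return obs


def run_example() -> List[Alert]:
    return evaluate(sample_tolerances(), sample_observations())


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.service:17} minute {a.minute:3}  {a.level:9}  run={a.minutes_disrupted}")
```

On the constructed feed the portal raises a trigger alert five minutes into its outage and recovers having consumed seven of its ten tolerated minutes, which is the near-miss an auditor would expect to see in the resilience MI; the settlement service raises its alert at fifteen minutes and is escalated as a breach once the run passes thirty. Services without a calibrated tolerance are skipped, which is itself a finding for domain 9 rather than something the monitor can fix.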


Operational resilience (3/4)


11. Service operations

Technology services and processes have been designed so that they ensure continuity, and there is appropriate investment in these processes and services.

12. Capacity management

Organisations can demonstrate, through testing and monitoring, the effectiveness of capacity measures.

13. Incident management

Incident response processes are in place to identify, classify and help ensure appropriate, measured responses to incidents. Incident-related MI helps drive strategic operational resilience decisions and investments.

14. Capability and resources

The organisation has sufficient skills and resources to deliver and help ensure operational resilience. There is a clear understanding of roles and responsibilities and of the organisation’s operational resilience risks.

15. Sourcing and external dependencies

There is clear consideration and understanding of the dependencies on external or sourcing partners and the level of risk that is introduced into critical services. Performance, risk and effectiveness of these relationships are frequently assessed and understood.

16. Risk management

An effective three lines of defence (3LOD) model is in place whereby operational resilience risks are understood, assessed, monitored and communicated to the Board and executive. Risk appetite limits for critical services have been defined and drive risk acceptance and risk mitigation activities. Risk MI assists in both strategic and tactical decisions.

17. Change management

Assurance and resilience are embedded in change control and System Development Life Cycle (SDLC) activity, with testing across application development and infrastructure change. Well-governed, documented change processes are in place and are fully understood by the organisation.

18. Continuity management

Appropriate continuity plans are in place for all critical services and are well understood by the organisation. These plans are reviewed and assessed regularly to help ensure successful implementation in a continuity scenario.

19. Physical security

The organisation has appropriate controls in place to manage physical access to business premises, and environmental factors are appropriately reviewed and within risk tolerance.

20. Cyber security

Cyber resilience mechanisms to prevent, detect, respond to and recover from cyber-related threats are in place and aligned to the wider response and recovery capabilities.

Operational resilience (4/4)

Governance

Focusing on the composition of the Board and its members’ skills and overall understanding of the end-to-end view of resilience risks.

Lines of defence

A coordinated approach across the lines of defence to assess resilience, and the right skills to challenge the technology resilience arrangements.

Risk appetite

Assess management’s approach to risk appetites and impact tolerances. Is there clear linkage of technology risks to IT processes/services and business services/processes?

Reporting

Understand how management adopts a common platform to drive consistent use of data across all risk functions, to drive remediation and/or risk acceptance.

What internal audit could focus on now

• Is there a Board-level mandate?

• Has the organisation defined a common strategy for resilience?

• Have important business services been agreed by the Board?

• Are the operating models across the organisation aligned in addressing resilience risks?

• How would failures of individual systems or processes impact business services?

• Which systems and processes could be substituted during disruption so that services could continue?

• Who is accountable for resilience?

• How has the organisation adopted a business service lens approach to mapping end-to-end processes?

• Are the right metrics and measures being used to report to the Board on a timely basis on operational and resilience risks?

Transformation (1/2)

Across the financial services sector, organisations are undertaking an increasing volume and complexity of change, delivered as part of projects and programmes that make up large change portfolios. Projects are inherently high risk. They can be complex and cross-organisational, and often there is not the right internal capability to deliver them. All too frequently, despite multi-million pound costs, projects fail to deliver the intended outcomes or benefits, with significant reputational, financial and regulatory consequences.

Over the last 12 months we have also seen the regulator take an increased focus on whether organisations are effectively managing change – this includes how organisations decide what changes to undertake and whether they have implemented the right governance and oversight over the change portfolio as a whole.

It is important for Boards and Audit Committees to get assurance over individual projects and on how the change portfolio as a whole is being managed; this is also sometimes requested by the Regulator. As the third line of defence, internal audit must play a critical role in this.

Change programmes

Delivering programme assurance as third line of defence

Programme- / project-level assurance:

The aim of programme assurance is to provide an independent view of whether the project is set up and operating effectively, and whether key risks that could impact successful delivery are identified and being managed. As part of audit planning, internal audit should look at what projects/programmes are being planned, or are in progress, across the organisation, and consider what programme assurance is required, and where.

Portfolio level assurance:

There may be risks that, while low impact for individual projects, when considered in aggregate across a number of projects could cause significant impact on the organisation. For example, the impact on system infrastructure and resilience of multiple technology change projects; or the collective capacity and capability of the organisation to deliver all of the changes required and maintain business as usual.

Internal audit should also consider how it gains assurance over whether the organisation’s portfolio management as a whole is fit for purpose as this may be the root cause of project failure. For example, the effectiveness of portfolio governance processes to make the right decisions; or project management methodology.

It is important to have a programme assurance framework, tailored to align with internal audit methodologies to underpin work:

The 12 elements of delivery excellence:

• Agile change control

• Managed risk and opportunities

• Smart financing

• Delivery-enabling plans

• Active quality management

• Focused benefits management

• Integrated suppliers

• High-performing teams

• Embedded lifecycle assurance and learning

• Clear scope

• Governance enabling decision making

• Engaged stakeholders

Transformation (2/2)

Change programmes

Ways to provide programme assurance

There are different ways to provide programme assurance over change programmes. Internal audit functions should consider whether they have appropriate coverage within their audit plans, and have engaged the right SMEs/co-source partners to support on this:

Programme health checks

One-off or periodic over the lifecycle. Includes: project planning, risk management, governance, and benefits management.

At portfolio level includes: MI and decision-making, and PMO processes.

Stage gate reviews

Point-in-time assessments of the project before, or at, critical stages. For example, Go/No Go decisions, and progression from design to build.

Deep dive reviews

Looking at specific risk areas. For example, testing strategy and management, people and culture, financial management, and system design.

At a portfolio level includes: organisational decision making on change to deliver.

Post-implementation and lessons learned reviews.

Embedded assurance

Delivery of ongoing assurance support/real-time feedback.

For example, attendance and observation at key meetings and fora, and at key decision points.

Outsourcing

Third party outsourcing

Financial services firms are increasingly seeking to outsource critical functions to a concentrated set of vendors to reduce cost and gain access to capabilities not readily available to the industry. Growing outsourcing, particularly in emerging technologies, makes it harder for firms to quantify and manage third party risk.

Firms relying on outsourcing arrangements (often to unregulated providers) for the delivery of critical services should note that this is a significant area of focus of the FCA, given some of the recent public issues faced by third party providers. As a result, the FCA intends to increase its understanding of outsourced services and core infrastructure provision across sectors, with particular emphasis on service providers that support many firms. To this end the FCA plans to undertake several pieces of thematic and firm-specific work in this area.

Key risks

• While regulators allow firms to outsource critical functions, they will hold senior management to account for the actions of their third party providers. GDPR also places a due diligence onus on the outsourcing firm, as data controller, to ensure that its vendors have adequate security controls.

• Failures at third-parties can result in significant disruption and can undermine the security of the outsourcing firm as controls are bypassed through the targeting of vendors.

• As a result of the escalating risk, Board-level executives are increasingly focusing on outsourcing practices. But in most cases this has not translated into clear accountability which often results in no-one having a holistic overview of who the firm is doing business with and the associated risks.

Internal audit focus areas

• Is a consistent approach to oversight of outsourced arrangements applied across the organisation driven by a clear strategy, risk appetite and robust approval process?

• Assess the identification of outsourced arrangements, particularly its completeness.

• Is there consistent and proportionate oversight of third party arrangements, including defined roles and responsibilities, robust policy and procedures and defined standards for performing, and evidencing effective ongoing supervision?

• Is management information available to support oversight of third party arrangements?

• Assess the management of wider third party arrangements, including ‘Intra-Group’ arrangements.

Cyber security

Considerations when approaching a cyber audit

Thematic: cyber governance; regulation and compliance; cyber risk management; external attacks; insider threat; third party; data security; culture and behaviour; cyber resilience; security by design.

Emerging topics: Internet of Things; cloud; blockchain; quantum computing; artificial intelligence; augmented/virtual reality.

Specific reviews: payment reviews (SWIFT CSP); security operations; digital channel review; algo trading; red teaming.

Cyber security

The frequency and sophistication of cyber attacks are increasing, with the number of cyber incidents reported to the FCA in 2018 more than ten times the number reported in 2017. The financial services sector is a top target as attackers move up the value chain and seek bigger gains, while making more substantial investments. There are numerous examples of attackers with motives to steal money from financial services organisations; for example, the 2016 compromise of Bangladesh Bank’s payment systems, in which fraudulent SWIFT instructions for almost $1 billion were issued and $81 million was ultimately stolen. As a result, cyber resilience continues to be an area of focus in the most recent regulatory business plans.

The UK financial services sector is also categorised as Critical National Infrastructure, making it a target for increasingly advanced and hostile state cyber capabilities. So-called ‘hacktivist’ groups are also increasingly targeting the sector, which they see as a catalyst for social inequality and corruption.

The cyber landscape is continually evolving. New emerging technology and risks continue to disrupt organisations, while an ageing and varied technology estate across organisations provides ever more opportunity for unauthorised and disruptive activity.

Key risks

• There has been an increasing awareness of not just the scale of threats but also the vulnerability of many organisations to potentially devastating cyber intrusions. However, organisations are not always up-to-date with the threats they face to keep pace with the challenge to protect critical assets. For example, a data breach occurred at Capital One when an attacker gained access to the personal information of 100 million customers.

• Attackers are also increasingly targeting organisations via their third parties, both service and software providers. Given the connectivity suppliers often have and the confidential data they handle, third party risks are evolving and are less well defined and managed.

• A sector-wide cyber security skills gap exists, accentuating the importance of acquiring and retaining employees with the right skillset to understand and address the evolving threats to financial services organisations.

• Information security and cyber incidents can cause significant disruption to critical economic functions (CEF) and undermine customer trust. Customers have high expectations around the security of their data, with no accidental exposure being deemed acceptable. The complex and changing nature of cyber risk highlights the need for organisations to engage with specialist third parties in order to ensure they have the right supporting skillsets.

Internal audit focus areas

Consider undertaking deep dives into core focus areas, including core general IT controls (such as access management, threat and vulnerability management), data governance and protection (particularly given GDPR), cyber resilience and third parties.

Review whether the organisation has the right ‘defence in depth’ preventative and detective control coverage over critical assets.

It’s no longer sufficient to invest purely in static preventative or reactive detective controls. Assess whether a real-time detect and respond capability has been established.

Emerging technology (1/4)

An increasing number of firms in financial services are looking to new technologies to drive improved business performance and in certain cases disrupt the entire sector. Many firms are exploring the use of disruptive technologies such as artificial intelligence, Robotic Process Automation and Blockchain. There are many factors that make these technologies ripe, including the pace of adoption, the scale of investment, the potential for these technologies to go mainstream, global reach, and technical viability.

Emerging technology brings opportunities but also new risks, requiring firms to rethink their business and IT strategy, governance and architecture. Yet we have found that many firms do not, as yet, have a strategy that encompasses technological innovations and, as a result, are not monitoring their evolution or impact. The adoption of emerging technologies may not be considered in the context of the firm’s risk appetite, or the firm’s maturity and readiness to deploy emerging technologies. Unlocking a firm’s technological potential in a responsible and risk-controlled manner with the right governance mechanisms in place will be crucial, and this includes internal audit.

Impacts on your business model

Emerging technologies will have an impact across all five aspects: strategy, operations, compliance, customer engagement, and people and talent.

Emerging technology (2/4)

Robotic process automation

The demand for large volume and repetitive task automation to increase processing speed, improve accuracy, lower costs and make greater use of data continues to drive the adoption of Robotic Process Automation (RPA) in the financial services sector. RPA uses rules-based software that executes pre-programmed tasks across multiple existing platforms. While challenges may exist in the design, implementation and governance of RPA solutions, the benefits of scaling RPA can generate significant efficiencies for organisations. As RPA continues to evolve, it is increasingly known as Intelligent Automation (IA) or Process Intelligence (PI), and represents a new wave of disruptive technologies impacting the current workforce.

Artificial intelligence

Artificial intelligence (AI) is emerging as the defining technology of our age, with many financial services firms already utilising AI in some form to support critical business functions. AI has the potential to transform business models, but without assurance over the strategy, how it is implemented and the subsequent outputs and outcomes, firms may end up operating in the dark and exposed to significant risk. The FCA and PRA have given limited guidance around the use and management of AI to date. However, their stance is clear: firms may not delegate accountability and responsibility.

Key risks

Artificial intelligence:

• AI algorithms run a risk of learning and imitating human prejudices. Failure modes include errors, bias, instability of performance and lack of a feedback process.

• Security risks may be introduced through cyber intrusion, open source software and adversarial attacks.

• The growing adoption of automation may impact jobs and shift demand to different skills, or may introduce concentration risk over AI control.

• AI solutions are designed with specific objectives in mind, which may compete with the overarching organisational values within which they operate.

Robotic process automation:

• Failure to deliver on the purpose and value of RPA, where efficiencies are not gained and there is limited innovation and insight.

• Applying the wrong resourcing/sourcing model, introducing people, service and technology risk.

• Lack of stakeholder buy-in on RPA, which impacts progress and results, or results in write-off of the initiative.

• RPA deployed into the environment without a proper operating model, introducing risks to the functioning and management of the solution.

Internal audit focus areas

Artificial intelligence:

• Is a governance framework in place, and is it focused on the risks and controls along the firm’s AI journey, from top to bottom?

• Is there demonstrable evidence of the transparency, explainability and provability of business-critical decisions made using AI?

• Are processes in place to define, detect and intervene/take corrective action on potential biases impacting decision-making?

• Attach priority to the governance of data: what data should be used; how should it be modelled and tested; and are the outcomes derived from the data correct?

• Focus on the oversight of human skills, accountabilities and incentives within AI/machine learning-centric systems.

• Are AI solutions developed and maintained with operational and cyber resilience in mind?

Robotic process automation:

• Review the organisation’s strategy and approach to RPA. Consider the policy arrangements in place for RPA.

• Assess management’s methodology to inventory, analyse, prioritise, select and implement projects where RPA makes sense.

• Assess at key stages the change programme in place to govern the identification and implementation of RPA technology.

• Review cyber security and data privacy controls as part of the RPA solution design and maintenance. Review whether business continuity and operational resilience requirements have been properly considered.

• Assess the people change plan in place for communication, role changes, skill requirements, training, etc.

Emerging technology (3/4)

Cryptoassets

The UK Cryptoassets Taskforce published a paper (October 2018) outlining the risks and benefits of both cryptoassets and distributed ledger technology. It also provided a taxonomy to aid categorisation. Final guidance from the FCA was published in July 2019 to provide clarity over which cryptoassets fall within the regulatory perimeter. HMT plans to consult on potential changes to the regulatory perimeter in late 2019. The BoE is set to release more information on the prudential treatment of such assets over the coming year, and FATF published an update to its financial crime guidance in June 2019.

Blockchain

Blockchain, or Distributed Ledger Technology (DLT), is a digital and decentralised ledger that keeps a record of all transactions that take place across a peer-to-peer network, using cryptographic hashing and digital signatures to make that record tamper-evident. It is a relatively new and advancing technology, and is finding its way into many uses and applications, which will have a profound impact on the way that the financial services sector works in the near future.

Currently, multiple firms interact, while keeping their own view of a transaction in their own systems. This leads to increased cost, delays, disputes and reconciliation effort. Blockchain provides a solution for this, though may also introduce new adoption risks.

Key risks

• The blockchain protocol itself may be secure, but integration points, key-handling components such as hot wallets, user interfaces and network design may expose critical vulnerabilities.

• With the increased rate of change, operational and cyber resilience is becoming increasingly complex, with risks regarding the confidentiality, security, and availability of services and data.

• Lack of regulation and standards to provide guidance over governance requirements. Dependency on the market for standards and participation.

• Data privacy and compliance requirements like GDPR.

Internal audit focus areas

• Is there a firm-wide approach in place to evaluate the use case and implement blockchain? Focus on the business strategy, processes impacted, and policies, governance and controls.

• Is DLT selection in line with the firm’s blockchain teams? Consider integration with legacy infrastructure and technology.

• Are blockchain technology implementations robust and resilient, and do they adhere to good practice? For example, key management, smart contracts, privacy, architectural security, governance and consensus hijacking.

• Does the transformation change journey consider risk mitigation through proof of concepts, stress-testing, disaster recovery, regulatory and legal developments, and skills requirements?

Cryptoassets: key risks and internal audit focus areas

• Poor understanding of cryptoassets and their market, credit and counterparty risks.

• Insufficient internal governance processes to demonstrate that suitable care and oversight has been exercised over crypto-related activities.

• Quality of records regarding cryptoasset advice, purchase, custody or transfer is inadequate. Especially with regards to wallet addresses and customer information.

• Cyber risk and loss of customer assets.

• Appropriateness of systems and procedures in place to record Senior Managers’ and material risk takers’ responsibilities and decisions regarding cryptoassets.

• Sufficiency of risk considerations across conduct, cyber, operational and market risks.

• Whether BoE/PRA guidelines and policy on the prudential treatment of cryptoassets are being adhered to.

Emerging technology (4/4)

Algorithmic trading

Algorithmic and electronic trading is a key area of supervisory focus for regulators as there have been several high profile issues resulting in trading errors and the resulting substantial impact to markets.

Key risks associated with algorithmic and electronic trading such as programmatic function errors, inaccurate pricing, loss of exchange connectivity, and hard-coded market abuse, have drawn the attention of investors and clients, as well as regulators.

This has created a need for significantly improved transparency around the potential behaviour of algorithms, their strategies and systems. The governance, controls and risk management of algorithmic and electronic trading is under much greater scrutiny.

Key risks

• Shortage of specialist regulatory, trading and high technology skills to identify risks specific to the algorithms, their trading strategies and systems, to perform adequate testing of algorithm behaviours, and to create appropriate governance and control frameworks.

• Lack of clarity on functional responsibility across the three lines of defence, which leads to gaps in the coverage and implementation of applicable regulation.

• Significant fines due to non-compliance with regulatory expectations.

Internal audit focus areas

Internal audit testing needs to be aligned with the risks associated with the low touch and high technology nature of algorithmic and electronic trading. To do this, internal audit functions need to independently challenge the depth of first and second line governance, controls and risk management arrangements by combining core audit capabilities with advanced technical methodologies and tools. Areas of potential focus include:

• Is pricing accurate and does order routing and execution meet best execution requirements?

• Does quote, order generation and execution behaviour adversely impact clients and markets, and have relevant parameters and limitations of trading been fully and properly disclosed to clients?

• Are risk management and code change controls up-to-date with regulation and commensurate to the risk appetite of firms and the risks specific to firms’ algorithms, strategies and systems?

• Do systems deliver latency performance, stability and resilience under stressed market conditions?
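The risk management controls referred to in the third bullet are concrete, testable code. The following is an added example, not the paper's and not any firm's gateway: it applies the four pre-trade controls that MiFID II RTS 6 (Article 15) requires on order entry, namely price collars, maximum order values, maximum order volumes and maximum message limits, plus a kill switch, to constructed orders against a constructed reference price. The limit values, the instrument and the orders are illustrative assumptions; the fail-closed behaviour when no reference price exists is a design choice, not a regulatory requirement.

```python
"""
Added example (not the paper's or any firm's code): a pre-trade control layer for an
algorithmic trading gateway. It applies the four pre-trade controls named in
MiFID II RTS 6 Article 15 (price collar, maximum order value, maximum order
volume, maximum message limit) plus a kill switch. Limits, instruments and
orders are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    instrument: str
    side: str            # "BUY" or "SELL"
    quantity: int
    price: float
    submitted_at: float  # seconds since epoch (constructed)


@dataclass(frozen=True)
class PreTradeLimits:
    price_collar: float           # max fractional deviation from the reference price
    max_order_value: float        # quantity * price, in the instrument's currency
    max_order_volume: int         # maximum quantity per order
    max_messages_per_second: int  # orders the gateway will accept per second


class PreTradeControls:
    """Fails closed: an order may be routed only when every check passes."""

    def __init__(self, limits: PreTradeLimits, reference_prices: dict[str, float]):
        self.limits = limits
        self.reference_prices = reference_prices
        self.kill_switch = False
        self._messages: dict[int, int] = {}  # second -> orders submitted to the gateway

    def check(self, order: Order) -> list[str]:
        """Return the reasons the order is rejected; an empty list means it may be routed."""
        if self.kill_switch:
            return ["kill switch"]
        reasons = []
        ref = self.reference_prices.get(order.instrument)
        if ref is None:
            reasons.append("no reference price")  # cannot validate the price: fail closed
        elif abs(order.price - ref) / ref > self.limits.price_collar:
            reasons.append("price collar")
        if order.quantity > self.limits.max_order_volume:
            reasons.append("max order volume")
        if order.quantity * order.price > self.limits.max_order_value:
            reasons.append("max order value")
        second = int(order.submitted_at)
        self._messages[second] = self._messages.get(second, 0) + 1
        if self._messages[second] > self.limits.max_messages_per_second:
            reasons.append("message rate")
        return reasons

    def screen(self, orders):
        return [(o.order_id, self.check(o)) for o in orders]


# Constructed limits, reference price and orders.
LIMITS = PreTradeLimits(price_collar=0.05, max_order_value=1_000_000.0,
                        max_order_volume=10_000, max_messages_per_second=2)
REFERENCE_PRICES = {"ABC": 100.0}
SAMPLE_ORDERS = [
    Order("o1", "ABC", "BUY", 100, 101.0, 0.10),      # 1% off reference: routed
    Order("o2", "ABC", "BUY", 100, 120.0, 0.20),      # 20% off reference: collar
    Order("o3", "ABC", "SELL", 20_000, 100.0, 1.00),  # too large by volume and value
    Order("o4", "ABC", "BUY", 100, 100.0, 1.20),      # second order in second 1: routed
    Order("o5", "ABC", "BUY", 100, 100.0, 1.30),      # third order in second 1: throttled
    Order("o6", "XYZ", "BUY", 100, 50.0, 2.00),       # no reference price: fail closed
]


def screen_sample():
    """Screen the constructed orders, then engage the kill switch and try one more."""
    controls = PreTradeControls(LIMITS, REFERENCE_PRICES)
    results = controls.screen(SAMPLE_ORDERS)
    controls.kill_switch = True
    results.append(("o7", controls.check(Order("o7", "ABC", "BUY", 1, 100.0, 3.0))))
    return results


if __name__ == "__main__":
    for order_id, reasons in screen_sample():
        print(order_id, "ROUTED" if not reasons else "REJECTED: " + ", ".join(reasons))
```

An audit of such a layer checks that the limits match the firm's risk appetite and documented client disclosures, that changes to them go through the code change controls mentioned above, and that every rejection is logged so the second line can review the MI.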

Regulation in this space covers all three lines of defence. For example, MiFID II has a specific requirement for internal audit to review the annual management self-assessment and validation report on algorithmic and electronic trading. The deadline for the first annual self-assessment was January 2019.

Regulators expect a comprehensive assessment of the potential impact of algorithms to clients and markets, as well as the governance, controls and risk management arrangements across the three lines of defence.

Many firms have developed multi-year plans to audit algorithmic and electronic trading. This reflects the low touch and high technology nature of firms’ algorithmic and electronic trading environments.

Technology (1/2)

IT governance and risk management

There has always been a regulatory requirement for organisations in the financial services industry to demonstrate senior management responsibility. However, emerging and disruptive technologies have been at the forefront of organisational transformation strategies in recent years, which has placed increased focus on IT governance as a critical component of good corporate governance.

Equally, the evolution of the technology landscape has seen a rise in cyber events, data breaches and system failures which has also placed significant reliance on IT governing arrangements to oversee and manage new and emerging IT risks.

Managing legacy technology

A key focus of the session between the Treasury Select Committee (TSC) and representatives from the regulators (PRA, BoE and FCA) in July 2019 centred on IT failures within the financial services sector. The PRA set out that one of the desired outcomes of the upcoming operational resilience regulation is that reliance on legacy systems for critical business services will be dramatically reduced. The regulators suggest that organisations may conclude that the time to recover their legacy systems will not meet the expectations of the industry going forward. This is in addition to the long-standing shortage of experts with in-depth knowledge of such systems, the susceptibility of legacy systems to cyber attacks, increased operating costs and the inherent limitations these systems place on innovation.

Internal audit focus areas

• Review whether the organisation has a short-, medium-, and long-term plan for its legacy estate (maintain, upgrade or replace), in line with the organisation’s desired IT architecture.

• Assess whether IT legacy transformation programmes consider all key technology integration points.

• Determine whether the level of knowledge and skills required to support critical legacy systems – both internally and externally – has been determined by the organisation and whether this is integrated into business continuity plans.

• Review the controls in place to maintain resilience in line with regulatory expectations given the heightened level of operational and cyber risk.

Key risks

• Critical systems are no longer supported by third party vendors. Key skills required to maintain these legacy systems are no longer available.

• There is an increasing cost to maintain the legacy estate due to a shortage in skills and support capabilities.

• Legacy estates tend to lack resilience and may not be agile. This creates additional challenge in developing new products and services based on emerging technology, which depend on legacy integration.

• There may be insufficient senior-level awareness, understanding and investment in IT governance and its key supporting activities.

• Management information – including IT risks – is often not presented to senior management in a way that can be easily understood and challenged. There tends to be an inability to grasp technology risk appetite at the right level of granularity.

• With technology change focused on speed and agility, IT architecture and service management disciplines are not prioritised.

• The right mix of technology workforce skills and experience between legacy and new digital platforms can be a challenge.

• Review Board-level representation, knowledge and involvement over the IT strategy. Board challenge over underlying key IT activities and risks should be demonstrable.

• Assess whether IT risk metrics are adequately defined and adapted as required to remain relevant and integrated with the organisation’s broader risk profile.

• Review whether IT standards and policies are updated to account for new/enhanced controls based on emerging technologies.

• Assess whether operational resilience requirements are embedded in technology change programmes, technology solutions and IT service management processes –including critical third party arrangements.

Technology (2/2)

Cloud risk management

The European Banking Authority published its final report on its Guidelines on outsourcing arrangements, which apply from 30 September 2019. Whilst initial regulatory attention focuses on some financial services firms (banks, building societies, designated investment firms, payment firms, etc.), regulatory focus is moving to other parts of the financial services sector. For now, other FCA-regulated entities are expected to continue to comply with the FCA’s FG16/5 guidance for firms outsourcing to the ‘cloud’ and other third-party IT services. Regulatory focus comes as firms increasingly move critical functions to cloud solutions in order to gain access to capabilities not readily available with traditional and legacy infrastructure. Migrating services to the cloud has many benefits, such as scalability, agility, cost effectiveness, metered (pay-as-you-go) services, and the enablement of emerging technology. However, there are also challenges to using cloud, requiring new governance and control processes as well as new skill sets within the organisation to appropriately manage cloud-related risks.

Key risks

• A lack of appropriate cloud governance for in-house and outsourced services could lead to cloud sprawl (uncontrolled proliferation of cloud instances and providers), significant security implications, and third party challenges.

• The risks to ‘cloud’ and IT operations may not be well understood, and processes may not be set up properly to manage and monitor critical services. Outsourced services may fail or cease trading, resulting in significant disruption to the firm’s operations.

• Security and/or privacy failures may lead to personal data breaches and regulatory/GDPR fines.

Internal audit focus areas

• A cloud strategy is in place and is supported by governance and risk management processes. This includes cloud migration/integration strategies, and defined security architectural requirements.

• There is due diligence on cloud providers to align with business needs, focused on ownership, responsibilities, contracts/SLAs, and data security/privacy measures.

• Service management processes are in place for cloud solutions, for example cyber security, change management, incident management, and ITDR and BCP.

• There is alignment to regulatory guidance on Cloud usage.

• Staff have the appropriate skills to maintain cloud services.


Further regulation


PricewaterhouseCoopers LLP, 7 More London Riverside, London, SE1 2RT. T: +44 (0) 20 7583 5000, F: +44 (0) 20 7212 7500, www.pwc.co.uk

PricewaterhouseCoopers LLP is a limited liability partnership registered in England with registered number OC303525. The registered office of PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH. PricewaterhouseCoopers LLP is authorised and regulated by the Financial Conduct Authority for designated investment business and by the Solicitors Regulation Authority for regulated legal activities.

Sarah Isted, Partner

UK Financial Services Risk and Regulation Leader

T: +44 (0) 7834 251939

E: [email protected]

For the last ten years, the financial services sector has been responding to the financial crisis. We have seen changes in the culture of organisations, in the products offered and in the level of financial security that organisations are required to hold.

Compliance and risk functions have been fundamental to driving and delivering these changes.

But, despite the changes, trust in the financial services sector is still low. Society trusts what financial services organisations do, and how they do it, less than they trust most other industries.

The industry is now being disrupted by technology, by customer behaviour and by social and demographic changes.

Things that we now take for granted in our daily lives, for example paying for purchases on our mobile phones, seemed like science fiction only a few years ago. Technology such as blockchain would have been questioned for its robustness, and the fact that small start-ups are genuinely challenging the business models of large institutions would not have been thought credible.

So what will the next ten years look like? Technology might be the obvious driver of change, but what about others? For example, climate change, emerging economies and customer and employee philosophies. And, of course, there will be things that we haven’t yet considered.

In this changing world, the role of internal audit, compliance and risk is evolving but remains as fundamental today as it ever has been.


Asset & Wealth Management timeline

Timeline: Q2 2019 to Q4 2020.

FCA asset management market study remedies:

1. Rules on fund benchmarks apply to existing funds from 7 Aug 2019.

2. Rules on performance fees apply from 7 Aug 2019.

3. Value assessment and iNEDs rules apply from 30 Sep 2019.

Fund liquidity agenda

1. Final rules stemming from CP18/27 expected.

2. Final ESMA measures on fund liquidity stress testing expected.

Investment firms review (IFR)

The new European Parliament (EP) will hold a procedural vote in September, followed by a vote by the Council. Final texts are expected to be published in the Official Journal at end-September/early October.

FCA Investment Platform Market Study

1. Final rules stemming from CP19/12 expected.

2. Possible consultation on exit fees expected.

Investment firms review (IFR)

FCA to consult on the implementation of the IFR

UCITS review

Expected EC review of UCITS framework in 2020.

Investment firms review (IFR)

The IFR will come into force within 18 months of publication in the Official Journal (expected in October 2019), so around mid-2021, with a transition period of five years for capital requirements.

Senior Managers and Certification Regime (SM&CR)

Directory of individuals working in FS due to go live in Mar 2020.

PRIIPs regulation

ESMA expected to publish consultation on PRIIPs review

Senior Managers and Certification Regime (SM&CR)

FCA issues PS19/20, finalising the rules for solo-regulated firms and refining rules for dual-regulated firms

Senior Managers and Certification Regime (SM&CR)

Extension of SM&CR to all FCA firms takes effect 9 Dec 2019


AIFMD review

EC formal review expected

MiFID II

EC expected to conduct a review of MiFID II in 2020 (research, Third country regime, cryptoassets and re-calibration of costs and charges regime with PRIIPS regulation).


MiFID II

Formal legislative proposals expected following EC MiFID II review.

FCA Investment Platform Market Study

Final rules stemming from CP19/12 expected to apply.


Further regulation: MiFID II


Further regulation – MiFID II (1/6)


MiFID II enhanced and widened the scope of MiFID. It strengthened both investor protection regimes and market structure rules. It introduced new product governance rules and extended existing reporting regimes.

Many areas of the regulation led to deep changes in the market, for the buy-side and sell-side alike. Key areas of concern include new research unbundling requirements, the impact of cost disclosure, transaction reporting and market structure. The calibration of pre- and post-trade transparency requirements has been heavily debated, and there is renewed interest in the impact of trading obligations in light of Brexit.

The FCA has been focusing its supervisory efforts on research unbundling, costs and charges, and payment for order flow (which links to rules on conflicts of interest, best execution and inducements). It is also expected to increase its focus on best execution.

Costs and charges

MiFID II requires firms to disclose costs and charges to enable clients to make more informed decisions. The new rules require disclosure of ex-ante and ex-post information on all costs charged by the firm for the investment service or ancillary service provided, and all costs and charges associated with the manufacturing and management of financial instruments.

The FCA published supervisory findings on investment firms in the retail sector in February 2019. These highlighted concerns with how asset managers communicate their disclosures and calculate and disclose transaction costs. The effectiveness of the disclosure of costs and charges provisions in wholesale markets is also under scrutiny. ESMA issued a call for evidence in summer 2019 to determine whether amendments should be considered.

Key risks

• Firms not taking a holistic approach to developing methodologies for cost disclosure, reflecting MiFID II requirements but also related obligations under the PRIIPs (packaged retail and insurance-based investment products) regulation and the UCITS (undertakings for collective investment in transferable securities) directive.

• Methodologies for calculating and disclosing transaction costs are likely to face ongoing regulatory scrutiny.

• Difficulty in disclosing costs and charges on a transaction-by-transaction basis for wholesale clients.

Internal audit focus

• Assess whether the firm’s staff have been adequately trained to understand the cost and charges requirements.

• Controls and processes to enable the firm to rapidly provide an itemised breakdown of transaction costs.

• Controls and processes in place to obtain and verify data elements from third parties.

• Transparency of communication to clients.

• System controls to support the capture and communication of accurate and complete data.

The Markets in Financial Instruments Directive (MiFID II)


Further regulation – MiFID II (2/6)


Transaction reporting

Transaction reporting under MiFID applied only to financial instruments admitted to trading on a regulated market. MiFID II extends transaction reporting by:

• Extending reporting to transactions completed on multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

• Increasing the scope of reportable transactions to instruments where the underlying is traded on a venue, and instruments where the underlying is an index or a basket which is traded on a venue.

• Incorporating a wider range of transaction types and requiring greater volumes of information from transaction reports.

• The FCA plans to continue monitoring markets using this data, with a particular focus on the fixed income, currency, commodity and non-standard derivative markets.

• Removing the carve out for portfolio managers to allow other firms to report on their behalf. Portfolio managers will now need to report directly.

Key risks

• The regulation poses many challenges for the industry, requiring 65 fields to be reported across new and existing asset classes.

• This is seen as one of the main priorities for the regulators, with the potential for significant fines for non-compliance.

Internal audit focus

• Controls and processes to keep records on all orders and all transactions in financial instruments that have been carried out, for at least five years.

• Evidence of reasonable steps to ensure and verify the completeness, accuracy and timeliness of the transaction reports the firm submits directly to the regulator.

• Where reliance is placed on external sources to transmit information, whether appropriate controls are in place to ensure reporting within the reporting deadline.


Further regulation – MiFID II (3/6)


Best execution

When executing client orders, firms are required to act in the client’s best interest by taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. In addition, firms must make numerous disclosures, including a quality of execution report and details of how they assess the execution quality of all execution venues used when executing client orders.

The FCA is expected to begin its supervisory work on best execution during H2 2019.

Key risks

• The need for firms to continuously assess whether they meet the definition of an execution venue.

• Extensive order and transaction data has to be collected and consolidated to identify best execution venues.

• Risk of failure to meet supervisory expectations.

• Intensive interaction between IT systems and external vendors and platforms which increases the risk of operational failures.

Internal audit focus

• Governance and procedures in place to ensure effective arrangements for complying with best execution requirements have been planned and put in place, in particular a formal order execution policy designed to obtain the best results for clients.

• Monitoring of the effectiveness of the firm’s order execution arrangements and execution policy in order to identify and where appropriate correct any deficiencies.

• Governance over, and controls to ensure, the firm summarising and making public for each class of financial instrument the top five execution venues in terms of trading volumes where it executed trades in the preceding year, including information on the quality of execution obtained on each venue.


Further regulation – MiFID II (4/6)


Product governance

MiFID II aims to strengthen investor protection by enhancing governance around product manufacturing and distribution by:

• Ensuring conflicts of interest are managed as opposed to simply being identified.

• Tightening controls around product manufacturing processes.

• Obliging firms to specifically consider target markets and investor risk during production.

• Imposing requirements for a charging structure review for new products.

• Requiring firms to provide appropriate information to distributors.

Key risks

• Lack of governance and inability to provide appropriate information on the financial instrument and the product approval process (maintain, operate, review), including the identified target market and communication to the distributor, resulting in a breach of rules.

• The firm fails to apply the rules to both existing and new products.

Internal audit focus

• Governance of the manufacturing process including effective Board oversight and the role of Compliance.

• Evidence to support the identification and definition of the target market and negative target market.

• Communication to distributors to ensure they have sufficient information available to distribute the product to the right target market, and governance, process and controls in place to monitor this.

• Processes in place for ongoing product review.


Further regulation – MiFID II (5/6)


Suitability and appropriateness of advice

MiFID II obliges firms giving advice to clients to increase transparency over the nature of that advice. Firms are required to provide detail on:

• Whether advice is independent or not.

• The risk of conflicts of interest, including the range of products for which advice is being provided and the nature of the advisors’ relationship with product manufacturers.

• How they plan to periodically assess the suitability of advisors.

Key risks

• Firms will have to gain an increasingly better insight into the personal (financial) situation of their clients, and ensure this personal data is securely held.

• Sufficient record keeping to demonstrate the suitability and appropriateness of advice given.

Internal audit focus

• Complete and accurate identification of products where advice is being provided.

• Assess whether suitability reports issued to clients cover all regulatory requirements, including an outline of the investment advice, an explanation of why the recommendation is suitable, whether a periodic review will be performed, what it will cover and what will trigger a reassessment.

• Records have been maintained to demonstrate appropriateness assessments, including the result of the assessment and any warnings given to the client and whether the firm accepted a request by the client to proceed despite such warnings.

• Personal financial records are maintained securely.


Further regulation – MiFID II (6/6)


Research for investment firms

The new requirements were introduced to mitigate the conflict of interest risks associated with research and to ensure research is not offered as an inducement. The definition of research has been expanded from independent investment research only to also include advisory services provided by front office sales staff and trading personnel. Requirements include:

• Sell side firms must not induce clients to trade by bundling research within their execution services and must provide clients with unbundled costs of trading.

• Sell side firms are required to review and identify any services provided which could be categorised as research.

• Buy side firms have to make explicit payments for research and demonstrate that research contributes to better investment decisions and is therefore not an inducement.

• Investment firms need to provide better reporting to facilitate payments being made for research and to help demonstrate the value that research is providing.

Conflicts of interest

The conflicts of interest provisions within MiFID II require firms to pay more attention to conflict management and discourage over-reliance on conflict disclosure. They set specific procedures and measures for firms to implement in managing conflicts, requiring firms to:

• Control information exchange between relevant persons if that exchange could harm clients.

• Implement separate supervision of staff where they may be open to a conflict of interest.

• Remove direct links between remuneration of relevant persons in different functions if their remuneration targets create client conflicts.

• Prevent any person from exercising undue influence over any client’s investments.

• Stop any person from being involved in sequential transactions if conflicts arise as a result of their repeated involvement.

Key risks

• Failure to define which services should be categorised as research.

• Failure to appropriately govern research pricing resulting in research being priced at a level that could constitute an inducement.

• Failure to make technology changes required to capture data required for increased reporting.

• Failure to mitigate conflicts of interest. There is much greater focus by regulators on conflict management and the policies and procedures surrounding it. Previously, firms have relied on disclosing conflicts rather than mitigating them.

Internal audit focus

• Appropriate categorisation of services that are considered research, and how each element is priced.

• Appropriate controls, senior management oversight and audit trails exist to ensure the research budget is being used in the best interests of the firm’s clients and that research is being classified correctly.

• Controls in place to ensure conflicts of interest are managed and that there is appropriate segregation of duties between those that produce research and the front office.

• Change controls over new technologies developed to manage the new requirements.

• Accuracy of reporting.

• Assess whether conflict of interest policies and procedures have been updated to reflect the new requirements.

• Assess whether the register of conflicts includes all potential risks and not just ‘material’ risks.

• Staff are appropriately trained to identify potential conflicts.

• The conflicts of interest policy covers mitigation of conflicts, and is not overly reliant on just disclosure.

• Communications explain the nature and source of the conflicts of interest inherent to the type of activity, providing details about the specific risks related to such practices to enable clients to make an informed decision.

Further regulation – Capital and liquidity

Further regulation – Capital and liquidity (1/4)

Internal Capital Adequacy Assessment Process (ICAAP)

The Internal Capital Adequacy Assessment Process (ICAAP) is an important discipline that all UK regulated firms are required to undertake to assess how much capital they should hold for the risks inherent in their business. This process involves firms identifying and assessing the risks applicable to them and applying stress testing and scenario analysis. This enables the firm to identify the amount of capital resource considered adequate to mitigate the risks to which it is exposed, by understanding the vulnerabilities it faces under adverse conditions. Firms are also required to undertake reverse stress testing, which tests the business plan to failure.

High level general requirements include:

• The ICAAP should be updated at least annually, or more frequently as required (where significant changes occur);

• It must be approved by the management body;

• It must be consistent with the risk appetite statement;

• The ICAAP document should form an integral part of ensuring that the capital a firm holds is adequate; and

• The ICAAP document should document how stress testing supports the firm’s capital planning.

The ICAAP report and the stress and scenario testing results are often the first set of documents and data that the PRA and FCA assess before a Supervisory Review and Evaluation Process (SREP) visit, and their quality will set the tone of the questions asked by the regulators.

Key risks

• Poor articulation of risk assessment, the risk management framework and risk appetite, i.e. disjointed from business objectives.

• Stress scenarios are not sufficiently varied and the underlying assumptions are not sufficiently conservative.

• Lack of knowledge at Board level, inhibiting effective challenge.

• Firms overlooking the relationship between risk appetite, capital risk assessment, liquidity adequacy and recovery.

• Firms not reviewing and updating their ICAAP document with the most up to date information and regulatory developments.

• The risks resulting from potential adverse events are not appropriately managed leading to financial loss and/or regulatory censure.

Internal audit focus areas

• Design and robustness of strategies, policies, processes and systems in place in identifying risks inherent within the business.

• Stresses are appropriate to the risk exposures and the economic environment in which the business operates.

• Design and operating effectiveness of controls and governance over the ICAAP process.

• Firms’ ICAAPs cover their exposure to capital adequacy risk, including how they manage it and their stress results.

• Firms’ ICAAP documents are appropriately updated with the latest regulatory developments.

• Accuracy and completeness of the underlying ICAAP data.


Further regulation – Capital and liquidity (2/4)


Stress testing

On 19 July 2018 the EBA published its final guidelines on stress testing. Stress testing of firms’ financial stability is a key tool to assess the resilience of the business to potential adverse events on the profit and loss, the balance sheet and the ability of the organisation to meet its regulatory capital requirements.

The ongoing political and economic uncertainty associated with Brexit may give rise to some of these adverse events. The outcome of stress testing allows management to determine the impact on capital plans and the management actions which may be required to manage the resulting potential impacts.

Key risks

• Inadequate horizon scanning and firms’ inability to keep up with evolving regulatory demand and expectations.

• Insufficient capital to meet regulatory requirements and adverse events.

• Failure to identify all significant risks to the business, particularly those resulting from external events.

• Failure to regularly update scenarios for stress testing in line with changing uncertainty in the environment.

Internal audit focus

• End-to-end consideration of financial figures from source data through ICAAP calculations into the ICAAP document.

• Appropriateness of methodologies used in Pillar 2a assessments and stress testing.

• Alignment of content and timing of stress testing with business planning and strategy.

• Appropriateness and governance over stress testing scenarios.

• Validation of models used for stress testing.

• Completeness and accuracy of data used for stress testing calculations.

Money Market Fund Regulation (MMFR)

The MMFR applies to all money market funds (MMFs) in the EU. MMFs are funds that invest in short-term debt. The MMFR seeks to enhance resilience and maintain liquidity, and outlines the types of instruments MMFs are allowed to invest in, such as money market instruments and units in other MMFs. There are also diversification rules that MMFs need to comply with.

On 11 June 2018, the UK Treasury published the Money Market Funds Regulations 2018 (UK Regulation), which make the necessary amendments to FSMA (the Financial Services and Markets Act) in order to allow the FCA to authorise and regulate MMFs.

Key risks

• Policies and procedures are not updated to bring them in line with the MMFR investment and asset requirements.

• Failure to maintain liquidity and make asset valuations on a daily basis.

• Non-compliance with the new diversification rules.

• The MMF makes investments into restricted assets, and/or has made concentrated investments into instruments provided by one body.

• Lack of transparency of information leading to incorrect decision making and reporting to the FCA.

Internal audit focus areas

• Clear documentation exists to support compliance with the investment policy, including all investment decisions and fund valuations.

• Assess controls and governance activities to ensure compliance with liquidity requirements and reporting requirements (when applicable).

• Assess the design of the internal credit quality assessment procedure to ensure there is an effective process to gather information and perform prudent analysis on each instrument and its issuer, as well as ongoing monitoring controls.

• Assess risk management controls around portfolio rules, the design of and compliance with the know your client (KYC) policy, and stress testing.


Further regulation – Capital and liquidity (3/4)


Liquidity management / ILAAP

The Internal Liquidity Adequacy Assessment Process (ILAAP) is a mandatory process that firms need to undertake and document on an annual basis.

The process involves firms identifying and assessing all risks applicable to them, incorporating those risks into stress testing scenarios and assumptions, and calculating the amount of liquidity resources they need to hold in order to mitigate their exposure to those risks.

The aim of the process is for firms to demonstrate that they meet the overall liquidity adequacy rule (OLAR) and they hold sufficient liquid resources to ensure they can meet their liabilities as they fall due, both under normal and stressed conditions.

It also aims to demonstrate the robustness of the strategies, policies, processes and systems they have in place (i.e. robustness of their liquidity risk management framework) that enable them to identify, measure, manage, monitor and report their liquidity risk over an appropriate set of time horizons.

The ILAAP document in general, and the firm’s stress testing scenarios and assumptions in particular, are assessed by the PRA before its Liquidity Supervisory Review and Evaluation Process (L-SREP) visit. The quality of the document and data usually sets the tone of the questions asked and determines the likelihood of additional regulatory liquidity requirements (Pillar 2 add-ons).

Key risks

• Poor articulation of the firm’s risk appetite and liquidity risk management framework (i.e. disjointed from business objectives);

• Inadequate assessment/identification of risks exposing the firm to liquidity risk;

• Inappropriate stress scenarios (e.g. not sufficiently varied and severe);

• Lack of knowledge at Board and senior management level, inhibiting effective challenge; and

• Unrealistic management/mitigation actions included in the contingency funding plan (CFP).

Internal audit focus areas

• Assessment of the structure and content of the document in relation to regulatory requirements/expectations and industry good practice;

• Adequacy of the firm’s assessment of the 14 PRA-prescribed liquidity risk drivers and additional Pillar 2 risks;

• Adequacy of stress tests modelled (e.g. severity, plausibility and appropriateness given the firm’s business activities and environment in which it operates); and

• Design and operating effectiveness of controls and governance around the ILAAP process, including Board and senior management involvement/challenge.


Further regulation – Capital and liquidity (4/4)

Fund liquidity management

All fund operators must consider fund liquidity on an ongoing basis, particularly how the fund’s assets could be liquidated to meet expected (and unknown) redemption requests, aligned to the fund’s dealing frequency.

Liquidity came to the fore post-Brexit for funds investing in illiquid assets, which has generated a number of FCA discussion papers and consultations. However, with the ongoing suspension of the Woodford fund, all fund operators are under increasing pressure to test their funds’ robustness to liquidity crunches.

This focus will intensify in the next year after ESMA’s fund liquidity guidelines come into force in 2020, which require operators to undertake new liquidity stress tests of their fund assets and redemption requests.

Key risks

• Fund operators over-relying on pre-trade compliance checks to ensure asset compliance with rules.

• Firms not reviewing and updating their liquidity policy with the most up to date information and assets owned by funds.

• Stress tests of fund assets and investors do not consider potential adverse market events, and how they may impact the fund’s liquidity.

• Liquidity management in a fund is considered to be less important than fund performance.

Internal audit focus areas

• Design and robustness of strategies, policies, processes and systems in place to identify liquidity risk inherent within funds, particularly how this is differentiated for different fund structures.

• Appropriateness of stress testing currently conducted on fund liquidity, and how this is aligned to a fund’s assets, investor base and dealing frequency.

• Governance and management information over fund liquidity.

Further regulation – Financial risk

Further regulation – Financial risk (1/2)

Client assets (CASS)

Client Asset (CASS) rules are in place to protect investors from the risk of loss in the event of a firm’s insolvency. Since the financial crisis, this has been a particular area of focus for the FCA and has contributed significantly to the overall level of FCA fines and skilled person reviews in the last five years.

There have been significant changes to the CASS rules and to the auditing standards over CASS compliance in the last five years, both of which have had a big impact on regulated firms. These, along with changing FCA expectations, mean that firms must continue to assess their CASS arrangements and be mindful of moving industry standards and FCA expectations. Firms should also start to think about how to get value from the new requirements, with many using their CASS risk frameworks to drive wider operational risk enhancements across other areas of their business.

Internal audit focus areas

• Involvement in system change programmes to ensure that CASS has been appropriately considered to minimise the risk of significant breaches.

• The adequacy and maturity of the CASS risk framework, including testing the effectiveness of key CASS controls and attestations.

• Whether key operational areas such as reconciliations align to the specific requirements of the CASS rules.

• The adequacy of governance and oversight arrangements, including third party administrators.

• Assessment of the maturity of the CASS IT risk framework, including clear scoping and allocation of responsibilities.

• Remediation reviews of CASS breaches.

• The adequacy of attestation models used across mature businesses for accountability of the CASS control environment.

• Testing (which can be run as a mock fire test) of the adequacy of the firm’s CASS resolution pack, including the speed with which linked documentation can be obtained (please note this is not relevant for insurance brokers).

Key risks

• Complex rules are often difficult to interpret and are challenging to align to existing operational processes, leading to unidentified breaches.

• Changes in the FCA’s interpretation of requirements and how these should be put into practice, leading to breaches at firms that do not keep up to date with industry developments.

• Changes in products and business models, including acquisitions, lead to the scope of the CASS rules changing and not being identified by the firm.

• Inadequate governance and oversight arrangements, in particular in relation to third parties performing operational processes and IT controls and dependencies that underpin CASS compliance.

Further regulation – Financial risk (2/2)

Interbank Offered Rate (IBOR) transition

After 2021, the London interbank offered rate (LIBOR) will no longer be guaranteed and so will impact both financial institutions and their customers globally. As an indication of the scale of contracts affected, over £350 trillion of contracts reference LIBOR. IBORs are key commercial reference rates across many products and can also be included as fallbacks or triggers in non-IBOR contracts.

This industry-wide change is a consequence of the need for change in the interbank borrowing market. In July 2017 Andrew Bailey, Chief Executive of the FCA, announced that at the end of 2021 it would no longer be necessary for the FCA to persuade, or compel, firms to submit to LIBOR. He reaffirmed in July 2018 that the discontinuation of LIBOR will happen and that it is something all firms must be prepared for.

The significance of the undertaking firms will need to make should not be underestimated: IBORs have been industry standard reference rates for many years and their discontinuation will impact all functions.

Key risks

• All firms and their clients will need to analyse the commercial value of their transactions, funding requirements and risks associated with new benchmark rates.

• The sheer volume of product types that will be affected means contract repapering will require significant investment and business-led input for even the simplest of bilateral negotiations.

• All models across valuations, risk, and capital that require IBOR input will need to be reviewed, recalibrated and validated across the middle office.

• Firms will need to consider the conduct risk implications, such as ensuring less sophisticated customers are not disadvantaged by the transition.

• Transition planning will need to reflect uncertain transition scenarios with appropriate risks and milestones being identified.

Internal audit focus areas

• Adherence to policies that address potential conduct risk across teams will need to be audited and monitored during the remediation period and post-2021. This increase in the internal audit book of work will need to be managed effectively with appropriate governance oversight.

• Internal processes, controls and systems may be amended and so need to be reviewed and enhanced to meet new requirements.

• Significant audit effort may be required over third party vendor solutions and their contributions to remediation efforts.

• Significant changes in model requirements across the firm will require model reviews and checks on adherence to firm policy.

Further regulation – Market

EMIR REFIT programme

On 28 May 2019, the EMIR (European Market Infrastructure Regulation) Refit was published in the Official Journal of the EU, applicable from 17 June 2019, with a few exceptions. The revised rules aim to simplify certain requirements, reduce costs associated with over the counter (OTC) derivative trades for smaller counterparties, and improve access to clearing houses, without altering the core requirements of EMIR. On the same day, ESMA (the European Securities and Markets Authority) updated its EMIR Q&As to clarify aspects related to the implementation of EMIR Refit.

Key risks

• Increased regulatory scrutiny over how clearing members and clients provide services under fair, reasonable, non-discriminatory and transparent (FRANDT) commercial terms.

• Re-classification under EMIR Refit may cause changes to an entity’s regulatory obligations as well as the need to update NFC (non-financial counterparty) representations and internal policies and procedures.

• The decision by FCs (financial counterparties) and NFCs on whether to calculate their OTC derivative contract clearing positions, and the impact of this on clearing obligations.

• FCs and ‘NFC+’s (NFCs which are not exempt from EMIR due to their large number of derivative transactions) must be able to demonstrate risk management procedures for timely, accurate and appropriately segregated collateral trading involving the use of internal models, and changes to procedures must be validated by the firm’s national competent authority (NCA).

Internal audit focus

• Review preparations for compliance with the FRANDT commercial terms and how these will be embedded into the provision of services.

• Provide assurance over clearing threshold calculations, notifications to ESMA and the firm’s relevant NCA, and compliance with clearing obligations if applicable.

• Review the adequacy of, and governance over, risk management procedures for collateral trading involving the use of internal models, including changes to procedures.

Securities Financing Transactions Regulation (SFTR)

SFTR was part of the regulatory response to risks in the shadow banking sector (credit intermediation taking place outside banking). It proposed three broad measures: a requirement to secure counterparties’ consent before re-using collateral, additional disclosures for asset managers, and reporting to trade repositories. Reporting will be phased in, starting from 11 April 2020 for banks and broker-dealers, expanding to financial market infrastructures on 11 July 2020 and asset managers on 11 October 2020, and finishing with non-financial counterparties on 11 January 2021. While regulators seek to make SFTR reporting consistent with EMIR reporting, it caters for the specific features of the securities financing transactions market. Many of these transactions will be reported to regulators for the first time. ESMA published draft guidelines to facilitate the implementation of reporting, but their final version will only be produced in Q4 2019. Firms will need to start building the required infrastructure on the basis of the drafts if they want to complete this effort in time.

Key risks

• Delayed implementation leading to infrastructure not being ready on Day 1.

• Trading with non-EU counterparties missing a legal entity identifier (LEI), leading to reporting failures.

• Reporting errors leading to significant remediation efforts on Day 2.

Internal audit focus

• Assess how the firm is/will be addressing ESMA’s draft reporting guidelines and subsequent amendments.

• Assess whether transactions with non-EU counterparties have been identified and analysed to guarantee compliance with the LEI requirement.

• Review the evidence of reasonable steps taken by management to ensure the completeness, accuracy and timeliness of transaction reports and their submission.

Further regulation – Other asset and wealth management specific regulation

Clearing obligations

EMIR is the regulation in place which requires certain types of OTC derivative transaction to take place through a clearing house. EMIR came into force in August, and the clearing obligations came into effect in June 2016. The clearing obligation applies to derivative transactions entered into between financial counterparties (‘FC’) and non-financial counterparties who exceed the clearing thresholds (NFCs) (any combination of them), subject to certain exemptions. EMIR REFIT introduces a new clearing regime by creating a new category of small financial counterparties which will be exempt from clearing obligations, expanding the definition of FCs, reducing clearing obligations for NFCs and removing the front-loading requirements.

Key risks

• Categorisation of entity type and compliance with clearing obligations.

• Posting of collateral.

• Counterparty risk.

• Electronic systems and processes, IT risks.

Internal audit focus

• Compliance with clearing obligations.

• Entity categorisation.

• Process which identifies which derivatives transactions will be subject to centralised clearing and those that will not be.

• Existence of agreements including collateral arrangements with clearing members.

• Policies/procedures in relation to posting of collateral to clearing members in compliance with agreements and regulations.

• Systems connectivity and processes.

• Managing counterparty risk against clearing members and central counterparty clearing houses (CCPs).

Shareholder Rights Directive II

Stewardship is attracting unprecedented levels of attention among regulators. The revised Shareholder Rights Directive (SRD II), which took effect from 10 June 2019, forms a core part of this agenda.

SRD II introduces new requirements on asset managers and institutional investors to disclose engagement policies on a ‘comply or explain’ basis, and to disclose how their investment strategy will contribute towards the creation of sustainable value.

Key risks

• Disclosures in relation to investment strategies and engagement policies do not sufficiently articulate how they are supportive of long-term value creation.

• Culture not sufficiently conducive to effective stewardship.

Internal audit focus

• Compliance with the revised Shareholder Rights Directive, including required transparency and disclosures.

• Design of engagement policies articulating the long-term value creation.

• Level of involvement of shareholders in corporate governance.

• Identification of additional information on investment strategies that needs to be disclosed and how this information is obtained.

Further regulation – Tax (1/4)

EU mandatory disclosure regime (EU MDR)

The directive introducing EU MDR came into force on 25 June 2018. From 1 July 2020 any cross-border arrangements (such as transfer of hard to value intangibles, double deductions, significant shift of profits) entered into by taxpayers that fall within certain broadly-defined hallmarks will have to be reported to the tax authorities. There are also transitional rules that require any disclosable arrangements occurring on or after 25 June 2018 to be separately reported by 31 August 2020.

Intermediaries based in an EU Member State will need to disclose reportable arrangements to their domestic tax authority within 30 days of certain specified events. Where reportable arrangements occur within a non-EU intermediary, or the intermediary is subject to legal professional privilege, the burden of disclosure passes to the taxpayer.

Key risks

• Groups will need to ensure any reportable cross-border arrangements are appropriately identified and reported. The reporting intermediary will first have to be identified and this may not be straightforward when there is more than one intermediary involved.

• Some financial institutions may have reporting obligations as intermediaries themselves.

Internal audit focus

• Review the processes and controls in place to ensure any reportable arrangements are identified and reported completely and accurately.

Senior Accounting Officer (SAO)

The Senior Accounting Officer (‘SAO’) regime, in place for large groups since 2009, requires annual certification by the SAO (often the CFO or Finance Director) that each company in the group has appropriate tax accounting arrangements – essentially that tax returns are free from material error. In the early years of the regime HMRC took a ‘light touch’ approach to assessing compliance with SAO, but now HMRC are increasingly likely to scrutinise and challenge arrangements and impose penalties.

Key risks

• The rules have a heightened focus within large groups as the SAO is personally liable to penalties. Whilst tax compliance procedures and controls may have been subject to review in the past, HMRC has an expectation of continuous improvement.

• A group’s compliance with the SAO regime will be a key determinant in the risk rating assessed by HMRC as part of its Business Risk Review.

Internal audit focus

• Internal audit can look to assess:

– Evidence that the SAO has taken reasonable steps to discharge their duty.

– Communication of tax governance procedures with clear guidance on control framework standards and responsibilities.

– Monitoring of key UK tax risks throughout the year.

– Implementation, maintenance and monitoring of a risk-based testing programme addressing all material processes over an appropriate time frame.

Further regulation – Tax (2/4)

People movement

Following the Organisation for Economic Co-operation and Development (‘OECD’) Base Erosion and Profit Shifting (‘BEPS’) programme, tax authorities (both HMRC and non-UK) have been increasing their efforts to track people movements (e.g. fly-in, fly-out bankers) in order to identify whether taxable activity is taking place.

Key risks

The risk of the following not being correctly captured or reported can result in potential fines and/or tax authority scrutiny:

• Creation of a branch (taxable permanent establishment) in the UK or overseas for corporation tax.

• Staff working overseas creating local PAYE and income tax liabilities.

• Supplies being deemed to be made from an overseas location, triggering a requirement to register and account for VAT.

Internal audit focus

Internal audit should assess management’s processes and controls to:

• Identify appropriate tax/HR policies and ensure they align with the rules in the territories in which the firm operates.

• Track people movements using travel systems or other data.

• Review activities in these jurisdictions for high risk areas.

Business Risk Review (BRR)

Following a public consultation, in October 2019 HMRC launched a revised BRR process – this is the process by which HMRC risk-assesses large businesses. This assessment is a key determinant of the level of scrutiny applied by HMRC and the level of resource a business needs in response. Previously each large business was classified as either ‘low risk’ or ‘not low risk’. However, the new BRR process has a spectrum of risk ratings.

The process now also takes formal account of Senior Accounting Officer (SAO) arrangements, a firm’s published tax strategy and compliance with the Banking Code of Practice. HMRC notes that both SAO arrangements and the tax strategy are underpinned by the concept of the OECD’s Tax Control Framework (TCF), and companies operating an effective TCF should be rewarded with a lower risk rating.

Key risks

• Groups seeking to achieve ‘low risk’ status will need to be able to demonstrate they have in place an effective TCF, and that this is consistent with SAO arrangements and the published tax strategy.

• A higher risk rating can result in increased scrutiny from HMRC and increased management time dealing with enquiries.

• Failure to provide evidence of an effective TCF to HMRC may result in a higher risk rating, and so more scrutiny.

Internal audit focus

• Internal audit should assess the governance, controls, processes and documentation in place to ensure the TCF is effective, fit for purpose and consistent with the SAO arrangements and tax strategy.

Further regulation – Tax (3/4)

Tax strategy

The 2016 Finance Act included a requirement for large groups to publish a Board-approved tax strategy on their website covering tax risk appetite, approach to planning, how they manage their relationship with HMRC and their approach to tax risk and internal governance.

This requirement mainly applies to qualifying groups under the SAO legislation (i.e. £200m aggregated UK turnover per annum or £2bn UK assets), with the intention being that all groups with a Customer Compliance Manager within large business are covered. Large inbound groups are also caught by this requirement. Groups must consider how the strategy will be embedded in practice – as this will be HMRC’s focus – and implement governance to achieve this.

Key risks

• Non-compliance will attract a fine (expected to be £7,500 with additional fines due for continued non-compliance) and can result in an adverse impact on the risk rating as part of the Business Risk Review process.

Internal audit focus

• Internal audit should assess the controls and procedures in place to ensure the strategy is embedded. This can include, for example, testing of the internal assessment of whether transactions are consistent with the group’s stated approach to tax planning.

Corporate Criminal Offence (CCO)

Since 30 September 2017, there has been a corporate criminal offence of ‘failing to prevent the facilitation of tax evasion’. Under the offence, a company can be held criminally liable if one of its associated persons (which can include staff, directors, contractors and some third parties) criminally facilitates the evasion of UK or non-UK taxation.

The offence is modelled on the Bribery Act in that the company can avoid sanction if it can demonstrate that it has reasonable procedures in place to prevent the facilitation from happening. Groups will need to undertake a risk assessment and, based on the output, implement new and enhance existing procedures and controls.

Key risks

• A successful prosecution would leave a business open to possible unlimited fines, loss of operating licences and prohibition from bidding in public tender processes, in addition to serious reputational damage.

• Failure to carry out a risk assessment may also lead to a ‘high’ risk rating by HMRC as part of its Business Risk Review.

Internal audit focus

• Internal audit can assess the controls in place to mitigate CCO risks. These controls can include monitoring and review of procedures.

• In addition, internal audit can test the risk assessment, which is one of the six guiding principles of the rules.

Further regulation – Tax (4/4)

VAT

HMRC’s focus on VAT has increased in recent years. To manage VAT, as a transaction-based tax, robust processes and controls are required to allocate correct VAT treatments to all input and output transactions of the business. The implementation of ‘Making Tax Digital’ (MTD) for VAT through 2019 and 2020 has placed a greater level of responsibility on businesses in respect of the maintenance of VAT records and the compilation of VAT returns. These measures are expected to reduce VAT errors through the management of VAT data on its digital journey through finance and other systems through to the VAT return. HMRC has also increased its scrutiny of VAT branches and fixed establishments, conducting detailed substance reviews and issuing a number of challenges to firms on the appropriateness of these structures.

Key risks

• VAT errors can arise where new products, services and intra-group transactions (or changes to existing products, services and transactions) are not reviewed and signed off appropriately.

• MTD requires the implementation of significant changes to VAT return preparation processes and may require updates to system configuration and reporting.

• Changes to branch activities or staffing levels can impact the ability of the branch to qualify for UK VAT registration or grouping, leading to changes in the VAT liability of transactions. Failure to identify this can lead to significant VAT exposures.

Internal audit focus

• Review of governance and processes for VAT review and sign-off for new products/services and changes to existing products/services.

• Review of governance and processes for allocating or updating VAT data within finance systems.

• Confirm that MTD implementation is underway; for example, a VAT return process schematic identifying the systems involved and where digital links or bridging software will be required.

• Assess the governance and processes to identify and review changes to branch activities or substance levels.

Transfer Pricing (‘TP’) and Diverted Profits Tax (‘DPT’)

HMRC’s focus on TP and DPT has increased in recent years. This is not only visible through TP enquiries but also through the increased number of Profit Diversion Compliance Facility (PDCF) cases opened by HMRC, which continues to send further waves of ‘nudge letters’ to taxpayers. In our experience, the majority of tax risks addressed in these PDCF investigations are TP related or have a TP angle.

Another aspect of TP where HMRC has become more focused is the implementation of TP, i.e. operational TP.

Key risks

Failure to develop and implement suitable TP policies may lead to the risk of penalties and additional HMRC scrutiny. The following are common areas of weakness:

• Many TP risks arise from a structural misalignment of operational substance and TP policies. This is particularly the case for older TP policies where the underlying fact pattern has not been reviewed for a long time or since implementation. This can also often be the case for emerging sectors such as FinTech and particularly the payments sector.

• Operational TP, or the implementation of TP, is often not supported by sufficient documentation or coordination between Tax, Finance and other functions. As a result, TP policies are often implemented incorrectly – for example cost recharges for service provisions.

• Attribution policies for branches are often outdated or do not reflect current TP rules, leading to incorrect remuneration for bank branches.

Internal audit focus

• Review of (i) TP policies and implementation guidelines, (ii) documentation in respect of policies which are potentially outdated or where headcount and location of senior staff has changed recently, and (iii) governance process for TP policy implementation.

• Testing of branch attribution policies against the fact pattern where concerns exist that the branch attribution policy and operations do not align.

Contact details

If you have any questions on any of the topics in this document, or would like a planning session, please reach out to your relationship contact or one of the following:

Nick Elliott, Internal Audit Partner, Midlands and the North
M: +44 (0) 771 470 8731
E: [email protected]

Steve Frizzell, Internal Audit Partner, London and the South East
M: +44 (0) 780 265 9053
E: [email protected]

Fraser Wilson, Internal Audit Partner, Scotland
M: +44 (0) 773 987 4087
E: [email protected]

Tracy Yam, Internal Audit Director, Asset and Wealth Management
M: +44 (0) 7483 400022
E: [email protected]


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2019 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
