Financial services companies in 2023 are operating in an ever more complex regulatory environment. This year, banks will be continuing to implement the Basel Committee on Banking Supervision’s capital reforms, born of the 2008 financial crisis. At the same time, they will be required to adapt to more contemporary challenges by strengthening their handling of conduct-related concerns and operational risks such as cyber incidents and natural disasters—all with an ever-increasing reliance on third-party vendors.
Basel IV/Basel 3.1 Regulatory Reform
The new year marks the beginning of the implementation of Basel 3.1, or Basel IV as it is informally known in the industry. This phase represents the finalization of the Basel III reform package and is expected to be completed by 2025.
As banks worldwide work to implement the Basel IV capital standards, it is important to understand their evolution over the last three decades to appreciate the key changes being introduced.
Evolution of Basel Capital Standards—from Basel I to Basel IV
The previous Basel capital standards began with a simplistic approach that included a definition of eligible capital and a set of simple risk-weights, depending essentially on the institutional nature of banks’ counterparties and not on intrinsic risks. The initial Basel Accord had three simple objectives:
- to make sure banks held sufficient capital to cover their risks;
- to level the playing field among international banks competing cross-border;
- to facilitate comparability of banks’ capital positions.
In 1996 the accord was updated to include a market risk component. This was the first time the Basel framework allowed banks recourse to internal models. However, standards remained fraught with limitations such as insufficient recognition of risk mitigants, very broad risk buckets, and lack of flexibility, since all regulatory capital was being captured through a simple credit risk number.
In these earlier phases, the Basel capital standards focused on regulatory capital (the numerator): the definition of capital instruments, capital buffers, the introduction of capital deductions, and other items such as leverage and liquidity ratios. Basel IV turns this focus upside down by concentrating instead on the denominator side of the equation, namely risk-weighted assets (RWA). Basel IV changes the methods of calculating RWA for all types of risk, including credit, market, and operational risk. When preparing for this change, it does not matter whether a bank uses the standardized approach (SA) or the internal models approach, since both methods are being changed.
The limitations in the previous Basel capital standards are being addressed by making sure Basel IV is more risk-sensitive. This means that banks with risky portfolios will have higher RWAs than banks with less risky portfolios.
The application of the new standards differs for banking books and trading books.
The banking book includes all exposures that are not actively traded by a bank but are instead expected to be held until they mature. These are generally accounted for at historical cost, meaning they are not “marked to market.” The risk management of the banking books therefore focuses on:
- Credit risk (probability that the bank does not recover the entirety of interests and principal);
- Liquidity risk (maturity mismatch between assets and liabilities); and
- Interest rate risk (sensitivity of assets and liabilities to variations in interest rates).
By contrast, the risk management of trading books focuses on variations in market values. The trading book includes instruments held with the aim of reselling them at a later date. Since a bank’s remuneration relies heavily on the profit or loss it books upon selling these instruments, they are usually booked at market value.
In this context, the key objectives and outcomes of Basel IV capital design principles are summarized below.
It will be important for banks to begin acting early in 2023 to meet the implementation deadline of January 2025. This should involve creating a strategy based on the parts of the Basel IV framework that are unlikely to change materially in the policy making process. Global banks must also consider the risks (and potential opportunities) of implementation divergences across regions where they operate—this is expected to be one of the key challenges facing big banks.
Basel IV Capital Regulatory Regime—Current State of Play and Future Outlook
Culture and Conduct Regulatory Expectations
Turning to another regulatory trend in the new year, it is expected that the UK’s Financial Conduct Authority (FCA) will continue in 2023 to focus on conduct, conduct risk, and culture. Financial services companies should prepare for scrutiny of the design and efficacy of their conduct risk frameworks, including how well they are embedded throughout the organization.
Particular areas of regulatory focus may include:
- Proactive review and identification of potential conduct risks;
- Ownership and accountability for managing conduct risk at all levels within the business;
- Governance frameworks for the oversight and strategic direction of conduct decisions; and
- Processes that enable ongoing monitoring and maintenance.
Regulators will want to see companies demonstrate benefits for their customers and employees rather than solely looking at return on investment and responding to shareholder demands. Ensuring there is the right conduct risk framework in place will be key to satisfying these expectations.
Recent events such as the COVID-19 pandemic, service outages, and cyberattacks have drawn intense regulatory scrutiny across all jurisdictions. The UK’s Prudential Regulation Authority (PRA) responded in 2021 by publishing a supervisory statement titled “Operational resilience: Impact tolerances for important business services” (PS6/21). The statement assumes that disruptions will occur and will impact services for a period, but seeks to ensure that companies have a plan and can respond. Under the regime, companies are required by March 2025 to:
- Identify “important business services” whose disruption could cause harm to customers, the wider economy, or financial stability;
- Map supporting processes and make contingency arrangements to restore the services;
- Set tolerance levels for service outages beyond which actual financial harm would occur;
- Supplement existing stress tests using severe but plausible scenarios; and
- Integrate existing approaches such as business continuity management.
U.S. regulators have also weighed in on resilience, consolidating existing guidance into a 2020 interagency paper titled “Sound Practices to Strengthen Operational Resilience.” This guidance focuses on how existing rules/governance can be leveraged, including:
- Operational risk management,
- Business continuity planning,
- Third-party risk management,
- Cybersecurity risk management, and
- Recovery and resolution planning.
In the EU, the Digital Operational Resilience Act (DORA) was adopted in 2022, and financial services companies will have until 2025 to implement it. DORA focuses on ensuring that companies can withstand, respond to, and recover from the impact of information and communications technology incidents through robust measures and controls on systems, tools, and third parties.
Across all jurisdictions there is an opportunity to leverage existing process, policy, and governance. In the UK, for example, “business services” are likely to form part of the “critical functions” identified as part of recovery and resolution planning. Companies must now focus on:
- Mapping of the underlying processes to identify interdependencies and vulnerabilities;
- Risk assessments to prioritize critical supporting services;
- Scenario testing to ensure that tolerance limits can be maintained;
- Documentation of policies, approaches, vulnerabilities, lessons learned, and remediation plans; and
- Annual self-assessment of operational resilience processes.
Outsourcing and Third-Party Risk
The financial services industry, often hampered by legacy technology, is increasingly leveraging agile fintechs to respond to customer and regulatory requirements for real-time, technology-driven services and cloud-based solutions. In response to the changing environment and several high-profile outages due to failings in IT providers, the PRA published “Outsourcing and Third-Party Risk Management” (SS2/21), which took effect in March 2022. This supervisory statement focuses on the full lifecycle of vendor management alongside key topical themes including:
- Governance: ensuring board-level engagement and senior management accountability supported by accurate management information;
- Pre-outsourcing: establishing robust processes for assessing materiality and in-depth due diligence;
- Contracts: addressing findings from materiality assessments, applying pre-defined checklists, and remediating existing agreements;
- Data security: defining and documenting vendors’ responsibilities to set expectations that security measures must be in line with in-house requirements;
- Audit: providing audit teams full access to information and optionality for pooled audits;
- Fourth-party providers: understanding and monitoring the extended supply chain;
- Intra-group arrangements: subjecting them to the same requirements as external outsourcing; and
- Business continuity and exit plan: covering stress testing and managed exits.
EU and U.S. regulators have set out similar requirements to the PRA that complement their operational resilience frameworks. EU regulators are leveraging DORA to this end, and the U.S. published proposed interagency guidance on third-party relationships in 2021.
Greater regulatory reporting requirements, such as the Basel standards above, combined with the challenges of a technology-driven economy, such as data breaches and money laundering, have led to the emergence of “regtech.” Regtech companies facilitate efficient and cost-effective compliance with regulation through the use of collaborative technologies including cloud computing and big data. Key areas of focus for the industry include:
- Financial crime: automating processes and accessing real-time data online to facilitate “know your customer,” anti-money laundering, anti-fraud, and transaction monitoring;
- Regulatory reporting: powered by real-time data collection and big data analytics;
- Risk management: analyzing data from previous regulatory failures to predict potential risk areas, assess exposures, and detect regulatory risks; and
- Compliance: real-time monitoring and tracking of current-state compliance and upcoming regulations.
Regtech’s role in the financial services industry is growing, and there is an opportunity for regtech to develop and share best practices across the industry, focusing on:
- Enhancing data quality while also improving and integrating with legacy processes and technology;
- Interpreting regulatory requirements into machine-readable formats and transmission methods; and
- Adopting common data standards across the industry.
There are many regtech vendors and offerings. To pinpoint the right partners and solutions, financial services companies should conduct an internal assessment of known issues (e.g. audit points) and in-flight technology programs that could be leveraged, alongside a view of forthcoming regulatory requirements.
2023 will be a pivotal year in the global financial services industry. Success will hinge on keeping lockstep with critical regulatory change, continuing a strong focus on conduct risk, and ensuring a proactive approach to managing new challenges. Amid this complexity, it’s easy to lose ground to your competitors and face scrutiny from regulators, investors, and clients. It’s important for businesses to act now to stay on top of these challenges and implement sustainable change that will meet client, regulator, and industry requirements now while also setting up for long-term business success. We’re here to help.