OUR INSIGHTS
What are you doing about client money? The rules are changing; don’t get left behind.
The Financial Conduct Authority (FCA) has published its Consultation Paper CP24/20, focused on enhancing safeguarding practices for payment and e-money firms. The FCA’s proposed safeguarding changes represent a significant upgrade to existing practices, and firms should begin preparing now to ensure they can meet the timeframes.
Resilient businesses thrive - are you ready? Operational Resilience deadline approaching.
Operational resilience isn’t achieved in isolation. Today’s interconnected financial sector means that third-party vendors and market infrastructures are integral to delivering important business services (IBS). Mapping these dependencies is crucial; firms need to understand exactly what resources—people, processes, technology, and vendors—are involved in each important business service.
Is your house in order? FCA complete their Consumer Duty multi-firm review.
“Firms should read this review, consider how their firm compares, and use it to address any shortfalls or gaps and raise standards. It is better for firms to resolve issues now than wait for us to identify and intervene on issues and remediate any harm later.”
What’s that coming over the hill? Third party risk management, it’s a beast.
Third-party risks emerge from direct relationships between financial institutions and their vendors or service providers, while fourth-party risks arise from the subcontractors of those third parties. Do your supplier relationships look a little like the image, and do you really understand who is dependent on whom?
Is your security posture limited to the regulatory requirements? Do you know, have you asked?
Regulators cannot possibly stay ahead of cybercriminals and it’s simply not realistic to expect them to. Regulations can lag years behind criminal innovation, and like the picture I asked our AI to create for this post, we face an indestructible enemy. If you’re C-suite, start thinking about the regulatory requirements for security as the floor, and then ask yourself “how much do we need to invest to stand up?”
Operational Resilience and DORA. Do it once, get them both right.
As I said in my post last week: “The operational resilience requirements in the UK share common objectives with the EBA guidelines for Information and Communication Technology (ICT) security risk management, and the requirements laid down by DORA in the EU.” It made sense to me to follow up with a piece on the EBA guidelines.
Operational Resilience: What next?
Ensuring that firms can prevent, respond to, recover, and learn from operational disruptions is something worth investing in.
Concerned about financial crime? The FCA continue to be…
In recent months, the FCA have sent out Dear CEO letters to the wholesale broking and payments sectors. In these letters they highlighted (amongst other things) AML deficiencies within both sectors.
Consumer Duty: Four months from the implementation deadline. Is your firm ready?
The implementation date for open products is fast approaching, with firms required to implement the rules for open products and services (those open to new sale or renewal) by end July 2023.
Preparing for DORA Step 5 - Engaging Third Party Providers to Ensure Compliance & Information Sharing
As discussed in previous posts there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. In this post, the final of five, we write about Engaging Third Party Providers to Ensure Compliance.
Preparing for DORA step 4 - Planning and Testing Operational Resilience and Service Continuity
As discussed in previous posts there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. In this post, the fourth of five, we write about Planning and Testing Operational Resilience and Service Continuity.
Preparing for DORA Step 3 - Digital Operational Resilience Testing - Mapping Service Dependencies
As discussed in previous posts there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. In this post, the third of five, we write about Digital Operational Resilience Testing - Mapping Service Dependencies.
Preparing for DORA Step 2 - ICT Related Incident Reporting
As discussed in previous posts there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. In this post, the second of five, we write about ICT Related Incident Reporting.
The Consumer Duty: Harm, Intolerable Harm, Foreseeable Harm
The FCA have conducted a review of the Consumer Duty implementation plans from a selection of larger fixed firms. Keep reading even if you’re not a fixed firm. Why? Because this is an opportunity to be proactive.
Preparing for DORA Step 1 - Enhancing Governance and Risk Management Frameworks
As discussed in a previous post there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. In this post, the first of five, we write about ICT Risk Management Frameworks.
Digital Operational Resilience Act (DORA) - How prepared is your firm?
The Digital Operational Resilience Act (DORA) is new EU legislation aimed at improving the resilience and security of the EU financial services sector. In November 2022 the European Council adopted DORA and firms will be expected to comply in stages with the Act from January 2023.
Third Party and Outsourcing - The Perfect Storm
The reliance on third parties within the finance sector has increased significantly over the last decade. This insight looks to bring together several connected initiatives to strengthen third party and outsourcing resilience.
The Consumer Duty: is this a paradigm shift in consumer protection?
Consistent with other recent regulation, there is emphasis on prevention of foreseeable harm occurring to consumers, including those identified as vulnerable. In the event that foreseeable harm is caused, firms will be expected to take preventative measures for the future and also go over and above the current redress requirements to the consumers harmed.
Whistleblowing is Risk Management!
Most articles, blogs and webinars (to name but a few) discussing whistleblowing tend to focus on how it can be an indicator and key component of a ‘strong corporate culture’ and its ‘importance in the fight against injustice’. These are some of the key messages and straplines that have been used for a long time and many firms use similar language when referencing their own policy and approach.
External help: what good is it anyway?
Over the past few years, we have witnessed first-hand that some firms, to varying degrees, didn’t really understand the regulatory expectations for both Operational Resilience and the New Prudential Regime for Investment Firms (or IFPR) in the U.K.