Since the 2008 financial crisis, the financial services sector has seen the introduction of numerous new technologies — digital currencies and automated anti-fraud processes, to name a few. Regulators must now grapple with how to apply decades-old banking laws to a rapidly changing industry.
“Questions are arising about the use and ownership of data, boundaries of regulation, and geopolitical issues impacting market conditions for growth and investment,” EY notes in a recent article on its website.
Business and IT leaders in financial services should be aware of a number of developments in the regulatory landscape and begin crafting plans to adapt to them, according to the piece, titled “Four strategies for banks preparing for regulation in the digital age.”
Financial Regulations Adapt to Technological Change
In its report “Leading in times of change: Banking regulatory outlook 2019,” Deloitte lays out a number of areas where regulations are already changing in response to new technologies and market realities, or where movement is anticipated.
“Firms, regulators, and their customers are considering the opportunities and risks associated with new technologies,” the report notes.
“For example, due to the rapid development of artificial intelligence, machine learning and fintech solutions, once-new technologies are quickly becoming mainstream. … These technology developments and disruption have triggered a debate around the perimeter of financial services regulation.”
The report’s authors note that they do not expect regulators to “come to the rescue” of incumbent firms, but rather that regulatory treatment of technologies such as cryptocurrency will continue to be clarified.
Financial Institutions Must Focus on Four Digital Trends
In its “Four strategies” article, EY advises banks to focus on four areas to prepare for regulation in the digital age. First, financial institutions should reform structures and develop new processes.
“Fundamental structural regulatory reform measures are largely in place,” the piece states. “The ongoing challenge is to make Recovery and Resolution work in practice and make certain that financial institutions meet expectations for operational continuity. Legacy issues that were carried forward into the new landscape remain a focus. Many of these are linked to operational resilience and business continuity.”
Next, banks must enhance governance and operational resilience to cope with challenges including cyberattacks, the replacement of legacy IT systems and supporting staff.
“New technologies and products are testing the effectiveness of existing processes. Firms need to turn their attention to strengthening operational resilience, improving stress-testing standards, reviewing impact tolerances … and refining performance metrics,” the EY article states. “Having a robust third-party risk management framework for outsourcing and vendor services is more essential than ever.”
Banks must also manage and protect their data to both meet customers’ demands for user-friendly tools and meet increasingly stringent requirements for data privacy, the piece states.
Finally, financial institutions must address drivers of misconduct. “The challenge for the conduct agenda,” the EY states, “is to move from setting the ‘tone from the top’ to embedding positive culture and behavior throughout the organization.”
Regulatory Changes Keep Financial Service Companies Alert
The Deloitte report looks at ways that specific regulations are being affected:
The Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), which became law in May 2018, raises the systemically important financial institution (SIFI) threshold for banks from $50 billion to $250 billion. The law also eliminates the company-run stress test requirement for banks under $250 billion and eliminates the annual Dodd-Frank Act supervisory stress testing requirement for bank holding companies (BHCs) with less than $250 billion in assets.
The report notes that further changes to and implementation of regulations written by banking regulatory agencies are subject to the changeable political climate.
“Regardless of what definitive changes lawmakers and regulators might make, banking organizations should continue to drive effectiveness and efficiencies across their risk and compliance programs so they can meet applicable laws, regulations and supervisory expectations,” the report states.
The Community Reinvestment Act (CRA) was passed in 1977, long before regulators could have anticipated developments like online banking or mobile apps. Deloitte notes that the Office of the Comptroller of the Currency recently became the first banking agency to issue an advance notice of proposed rulemaking, with an intent to modernize implementation of the regulation while preserving the original intent of the law.
The advance notice focuses on three areas:
- revising the assessment area from brick-and-mortar locations to where an institution’s business operations are located;
- providing clear and transparent metrics for what banks need to do to achieve certain CRA ratings;
- increasing the types of activities that would earn credit under the law, to include activities such as small business lending, credit cards, auto lending and small-dollar loans.
Another decades-old law, the Bank Secrecy Act (BSA), passed in 1970, has caused challenges for regulators and financial institutions due to changing technologies. Although the law has not yet been changed, there have been a number of proposals on how to simplify compliance while maintaining the anti-money-laundering (AML) intent of the regulation.
These proposals include increasing filing thresholds for suspicious activity reports, facilitating increased sharing of AML-related information among financial firms and improving communication from government agencies to filing institutions.