Last week, the UKs financial regulators – the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – published their business plans, announcing budget allocation and proposals around supervision for the year ahead.
Its easy to see why the dual release has cast the spotlight on the multi-million pound budgets required to see the financial industry through Brexit. But this risks missing the bigger picture: the regulators are signalling the tone for the next era of financial regulation – and indeed the shape of the financial industry – in the UK.
Compared to previous years, proposals for new regulation are light. The looming ring-fencing deadline in January 2019 aside, UK financial firms wont be expecting the same volume of regulatory changes witnessed in the recent past.
The regulators business plans, however, spell four clear patterns for the future of finance in the UK: the arrival of new and different banks; the extension of standardised resolution practices beyond banks; heightened supervision over the banking supply chain; and a mindset shift from cyber security to cyber resilience.
The drawbridge has been lowered to welcome fintech players into banking. The industry can expect the arrival of up to 30 new banks over the next three years as a result of the joint PRA/FCA “New Bank Startup Unit”, aimed at facilitating the market entry and supervision of firms with digital technologies at the heart of their business model and service provision.
As the PRA makes clear in its statement, resolution planning is a system-wide issue. While 2017 was the first time that no large bank needed to improve its capital position following the Bank of Englands stress testing, further standards will be necessary for operational resilience. The PRA requires banks to ensure resolution strategies are in place should future stresses arrive, and as of January 2022, banks must hold resources to do so without dipping in to public funds.
Standardised resolution practices are set to extend beyond banks, as next year will see the PRA make the case for an insurer resolution regime, mirroring the Bank of Englands Resolution Directorate. In particular, insurers increased holding of illiquid assets such as commercial real estate since Solvency II will draw regulatory attention on issues around asset quality and risk management soundness.
There will also be greater supervision over third-party suppliers to the financial industry. Incumbent firms have pursued collaboration with, and outsourcing to, fintech players to remain competitive. Over the coming year, these outsourcing arrangements will be of particular interest to the FCA.
At a time when “data conduct” is the of media and regulatory agendas, the FCA announced plans to inspect the use of machine learning, data analytics and artificial intelligence, as well as the impact of digital technologies on retail banks business models.
There is a mindset shift from cyber security to cyber resilience in these plans. Shoring up protection is not enough; financial firms need to build agility to preempt and respond to cyber risks. The PRA pulled no punches, describing our financial system as “under almost constant cyber attack”.
Importantly, the regulator calls cyber security a “shared responsibility”, and as such, greater understanding of the potential supply-chain risks to banks will be best understood on a collaborative level between all industry players.
This calls for an industry consortium to facilitate the sharing of information and best practices to promote operational resilience of the financial system.
It is clear that regulators are shifting tack from capital adequacy to operational resilience. What is less certain are the specifics around the required levels of operational resilience.
Forward-looking firms should have their internal systems and third-party provider relationships auditable ahead of time to prove they are up-to-scratch in the new dawn of post-crisis stability.