The UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) commissioned no cybersecurity skilled persons reviews (Section 166) in the first three quarters of the 2020/21 financial year. The FCA commissioned one s 166 for Lot J (technology and information management) over the same period. The PRA commissioned none.
The number of cyber incidents at UK banks, asset managers, wholesale brokers and exchanges rose from 21 in 2019 to 55 in 2020, a 161.9% increase.
In the first three quarters of 2020/2021 the PRA ordered a total of 15 s 166 skilled persons reviews and the Financial Conduct Authority (FCA) issued 45 (see table). There was no double-counting of investigations jointly commissioned in the data, a spokeswoman for the FCA said. In 2019/20, the FCA ordered a total of 59 s 166s and the full year 2020/21 total looks on course to equal or slightly exceed that.
Surprisingly few cyber and IT operations deep dives
Lawyers and analysts were surprised to see so few regulatory deep dives into firms’ cybersecurity and operational resilience, given the increased cyber threat and reliance on digital systems during the pandemic. Despite the work from home shift during the pandemic, just one s 166 has been issued for technology and information management (Lot J) across both regulators — by the FCA to a wholesale financial markets firm.
“There is a growing body of thought that technology and information management is actually a prudential issue. It’s another indicator of a bank’s systemic stability. One of the things that I’ve seen from this [s 166 data], and I’m a bit surprised [there are so few commissioned in cyber and IT]. There’s been an awful lot more announcements from regulators that they’re going hard after cyber resiliency, because nobody can go into a bank branch because of COVID, and everything is online. The robustness of the banking system depends on the digital health of the bank,” said John Byrne, chief executive at Corlytics, a regulatory data and analytics company in Dublin.
Gavin Stewart, head of strategy execution for Grant Thornton’s financial services group, was also curious about the low number of s 166s for Lots J and N (CBEST penetration testing).
“[Supervisors] won’t be comfortable asking [IT/cyber] questions to a certain level. IT matters are beyond the general level of expertise,” he said.
There are other s 166 lots that cover cyber (Lots K, L, M) and operational risk (Lot I) but neither regulator has ordered reviews in these.
This lack is surprising given the FCA confirmed in November it was investigating investment platforms after a number locked out customers, leaving them unable to trade. There are no Lot J s 166s underway at any investment firms.
“I was surprised by the lack of s 166 reviews relating to technology issues given that investment platforms fell over in November and also because of the FCA’s general concern around data security, particularly in light of the surge in working from home. The FCA is definitely concerned around technology and will be having conversations with firms around these issues and developments. It may be that we will see more s 166s in this area coming up in the next few months. Or it may be that firms have managed to give the FCA some comfort around additional infrastructure that they’re putting in,” said Lucy Kerr, financial services regulatory specialist at law firm RPC.
“Another possibility is that with a strain on the regulator’s resources from COVID-19 and Brexit, this is something that is coming down the pipeline. But they haven’t got there yet,” she said.
A total of 13 s 166s were started at retail investment and investment management firms in Q1-Q3: seven for Lot C (controls and risk management); two for Lot B (governance and individual accountability); two for financial crime (Lot E); and one for client assets.
“I query whether in terms of technology and information management, if these cases are showing up elsewhere in the numbers. One thing that we were concerned about at the start of the pandemic was that typically for retail customers a lot of verification is done in person and with original documents. Since COVID-19, some policies and procedures around know your customer (KYC) have had to change. KYC is therefore an area where the potential for fraud is raised. It is possible that investigations into this area are actually falling under Lot E (financial crime), rather than in the technology category,” said Kate Langley, regulatory and white-collar crime lawyer at RPC in London.
PRA focused on controls, risk management
Proportionately, the PRA had issued far more s 166s than the FCA in the 2020/21 year to date, Kerr said.
“One thing that does stick out in the numbers is proportionately the PRA has issued more s 166 reviews in the last year than the FCA. The PRA only has about 1500 firms under supervision so this is obviously a much higher proportion of its supervised firms that are subject to a s 166 review than at the FCA,” Kerr said.
Of the PRA’s 15 s 166 reviews ordered so far, Lot C (controls and risk management frameworks) accounted for the largest number: four in Q3, one in Q2 and two in Q1, a total of seven. All were at banks and building societies. Lot B (governance and individual accountability) and Lot F (prudential deposit takers) each saw three s 166s issued during the nine months covered by the data. The remaining two were Lot G (prudential, insurance).
Byrne said his data shows regulators worldwide are putting large banks’ systems and control frameworks under the microscope and are seeking to hold senior managers accountable. Last year’s $400 million fine handed to Citigroup by the Office of the Comptroller of the Currency (OCC) for failing to correct “longstanding deficiencies” in its risk and control systems that pointed to a lack of compliance oversight and shortfalls in data governance is a signal of things to come, Byrne said.
Michael Corbat, Citi’s then chief executive, was forced out on the back of the incident that led to the fine.
“Some of the better regulators are also mandating remediation programs that they’re publishing. All the other firms should look at what the OCC asked Citibank to fix. They have to start a governance structure from scratch, and they have to redo risk management from scratch. Basically, that is rebuilding its monitoring system from scratch, looking enterprise wide at its data, and looking at it all again,” Byrne said.
The PRA fined Citi £44 million in 2019 for regulatory reporting failures.
FCA probes conduct of business
The FCA issued 59 s 166s in financial year 2019/20. At the present rate (45) by year-end 2020/21 the FCA will match or slightly exceed the 2019/20 total.
There were 12 s 166s for Lot D (conduct of business) ordered by the FCA. Eight were to retail lenders, two for retail investment firms and one each in the general insurance and retail banking and payments categories.
“Conduct of business and governance are two areas that I will always expect to see s166 reviews investigations, because they cover such a broad range of things. Obviously retail lending is a big focus for the FCA at the moment. So, it may be that they have concerns that some retail customers aren’t getting the leeway that they think they should be,” Kerr said.
Stewart added that Lot D reviews (conduct of business) tend to focus on what and where things went wrong for a firm, while Lots B (governance and individual accountability) and C (controls and risk management frameworks) seek to find the causes of the failures. Things will always go wrong at firms and these kinds of review will feature perennially, he said.
Financial crime (Lot E) and Lot C both saw 11 s 166s ordered. The majority of financial crime investigations were against retail banking and payments firms (six), three for wholesale financial markets firms and one each for retail investments and investment management. Lot E s 166 orders will be high year-to-year partly because the FCA does not have the resource to complete this kind of work, Stewart said.
Governance and individual accountability
From the outset of the pandemic the FCA has been clear with firms that it would not tolerate a repeat of the misconduct and criminality that followed the 2008 financial crisis. That misconduct was embodied by Royal Bank of Scotland’s global restructuring group — disbanded after an investigation into its treatment of small business customers — as well as by Lloyds Bank’s (HBOS Reading) business banking unit employees who were jailed following a criminal investigation. The FCA ordered banks to provide the name of their senior manager in charge of lending to small businesses last year to underscore the seriousness of its intent to prevent a repeat of 2008 misconduct.
Graham Biggar, director general of the National Economic Crime Centre, told the Treasury Select Committee on January 25 that his agency had arrested “three individuals working in a financial institution in London who we believe have been responsible for a number of bounce back loan frauds”.
The FCA has ordered seven Lot B governance and individual accountability reviews in 2020/21 so far: one each in retail investments, pensions savings and retirement income, and investment management, with four at wholesale financial markets firms.
Section 166 use on the rise
Regulators’ use of s 166s is likely to rise, Kerr said.
“I think particularly with the pandemic lockdown and the impact that has on FCA resources that a s 166 review is a very attractive proposal in the circumstances to help outsource, where appropriate, these kinds of reviews. The FCA has been keen on them for a long time. We saw a massive surge in 2013-2014 period onwards from there, and I think they will carry on being a key tool the FCA uses, and it may be that it becomes a more helpful tool for regulators to use from a resourcing perspective during the pandemic,” Kerr said.
Firms benefit from s 166s, Langley said, despite the burden they impose on resources.
“Section 166 reviews can be quite an imposition on organisations, but they also provide an opportunity for reform and remediation. So, although it can be a challenging process to go through, it can also help the firm improve. Therefore it is something that should be engaged with properly so that the firm benefits as a result,” Langley said.