UK Finance’s latest must–read blogs

Why trust is good for business?

Until recently, caveat emptor ("buyer beware") was the governing principle of commerce and trading.?

In financial services, this has been replaced by a requirement to treat customers fairly and more recently under Consumer Duty to ensure ‘good customer outcomes’. Companies that are proactive in addressing this shift will reap the rewards, by appealing more to investors and customers alike.?

Loyal customers value trust as much as price.?

Loyal customers are often not looking for the best prices, they are looking for providers they can trust over the long term, with even so-called ‘rate chasers’ also now starting to place a greater emphasis on credibility. Many are demanding a better price from providers they trust less, with some going even further by creating lists of providers to avoid or, more restrictive still, short-lists of ones to consider.?

With its regulatory backing and substantial implementation cost, the new consumer duty should create the greatest uplift in public trust in a generation. It should - but will it? Because just raising standards is not enough. Customers must be informed about what firms are doing and, harder still, they must find out in a way that they believe.?

The race is now on to claim the credit for consumer duty and gain a competitive advantage.?

The FCA’s aim with consumer duty is to improve customer outcomes, but neither they nor the industry are in an ideal position to inform consumers what this means for them in practice in a way that they will believe.?

Read the full blog post from Paul Boscott, Executive, The Fairlife Charity ?

?

Emerging risk: Are compliance execs evolving with or against the regulatory landscape??

In 2024, 7.8% of financial services still do not have a plan to tackle off-channel comms.

A new?Industry Insights report?launched by Global Relay has revealed a substantial shift in the financial space since?2023. The report not only highlights the current regulatory landscape, but also offers an insight into the challenges faced by firms as they implement different surveillance technologies and bear witness to the increasing use of new venues of communication, the risk of social media, and the uncertainty of AI.?

Are employees buying it, or even in??

Although firms made clear progress in integrating regulatory technology and policies into their frameworks, a big issue preventing progress is human behaviour. The report shows that 62.5% of survey respondents agreed that employee buy-in for compliance was their greatest challenge. To help solve this, firms?must clarify regulatory expectations to their employees, and proactively ensure they behave in a way that demonstrates good conduct to encourage a positive culture within the firm.?

Social media is a risk firms are not willing to take?

As well as behavioural challenges, the report also highlights the technological difficulties that compliance officers face in capturing and storing communications across all channels as the number of channels to monitor has increased. 55.6% of respondents note that they consider social media to be an emerging compliance risk, for example.?

A(I) view to the future?

Artificial Intelligence seemingly presents the compliance industry with a world of possibilities and solutions, as it has the potential to expand monitoring and reporting services and high-quality data capture[JC4]?.?

Read the full blog post from Aarti Agarwal, Marketing Co-ordinator, Global Relay ??

? ?

Non-systemic firms and the regulator's direction for RRP compliance?

Since the first set of regulatory requirements for recovery and resolution planning (RRP) were published in 2019 the topic has been a permanent item for board members’ consideration.?

A recent Dear CEO letter reinforced that the PRA remains focused on ensuring compliance.??

The letter of 17 May sent to more than 70 non-systemic firms (including international subsidiaries in the UK) highlighted areas for improvement. The PRA identified that many firms understood the concepts of recovery planning but not the required detail to define appropriate scenarios. The calculation of recovery capacity was also identified as an area requiring focus.?

Recovery scenarios?

In our experience of working across all the RRP capabilities, we would expect firms to have developed a suite of artefacts to demonstrate compliance.??

The first are the recovery scenarios that the recovery plans are executed against. These scenarios provide the context for the failure (or near failure) of the firm. The cause for failure may be driven by internal or external factors and must be both plausible and suitably severe. The regulator is very clear that this as an area to improve for non-systemic firms.?

Calculation of recovery capacity??

Alongside recovery planning the regulator also identified the calculation of recovery capacity as an area for improvement. This involves understanding recovery scenarios and then calculating the financial impact during a period of extreme stress. Firms are expected to be able to calculate impacts across multiple areas in compressed periods of time.??

Scenarios and calculations are specific to each firm, but they should consider reputational effects, operational capability, business model impacts and capital and liquidity optimisation.?

Read the full blog post from Obi Ume, Manager and Robin Hourican, Senior Manager, Be | Shaping the Future UK?

Operational Resilience Testing for DORA Compliance?

Operational Resilience (OpRes) testing aims to ensure that financial institutions can continue their critical operations throughout severe disruptions.?

The goal of OpRes is to maintain service delivery and minimise the potential negative impacts on the organisation itself, the financial system, its customers, and the broader economy by identifying weaknesses, evaluating their impact, and implementing necessary improvements. The sector's reliance on technology and third-party services requires the testing of IT systems, business processes, and third-party dependencies.?

Key Components?

OpRes testing under DORA encompasses an array of activities designed to assess and strengthen the ability of financial entities to endure and recover from disruptions. Tests are to be carried out annually and following any significant changes to the IT environment. Institutions must document test outcomes, implement corrective actions, and report significant incidents.?

Key components of operational resilience testing include:?

1. Scenario Analysis and Testing:?These realistic scenarios should encompass a wide range of potential threats, including cyberattacks, data breaches, system failures, loss of staff, and natural disasters.?
2. Penetration Testing:?Penetration tests are crucial for identifying security vulnerabilities.?
3. Business Continuity and Disaster Recovery (BC/DR) Testing:?BC/DR testing ensures that organisations have effective plans in place to continue operations during and after a disruption.?
4. Third-Party Risk Management:?It's essential to assess third-party resilience as well, even if they themselves are not governed by the DORA.

Read the full blog post from Richard Whyte, Chief Executive Officer, Responsiv. ?

The Ever-Changing Landscape of Artificial Intelligence?

Artificial Intelligence (“AI”) is fast becoming the hot topic across the globe because of its ability to reduce manual processes and concern around “deepfakes”, e.g. synthetic audio or videos created by Generative AI (“GenAi”), which mimics real humans.?

This blog examines the current AI legislative landscape and outlines some considerations for financial services firms to ensure that they deploy and manage AI systems safely.?

Why is this important??

A key risk area for firms is criminals using GenAi to create “deepfakes” to circumvent biometric data security measures, generally used for identification and verification?purposes.?Fraud GPT (which mimics the ChatGPT platform) is available on the dark web and deploys machine-learning algorithms to generate malicious content for cybercriminals, such as persuasive phishing emails, fraudulent websites and?malware. This product, and others like it, will undoubtedly accelerate existing levels of AI-facilitated fraud.?

However, it’s not all bad news. GenAi exceeds “traditional” AI’s capability to identify irregularities in transactions based on?known?fraudulent typologies by also examining customer behaviour, device information and external?fraud trends. Where firms can harness this technology correctly, it should reduce the risk of biometric data misuse. Visa launched a GenAi solution in May 2024,?the Visa Account Attack Intelligence?(“VAAI”) scoring system, which will apply a risk score to transactions in “real-time” to help firms prevent fraudulent Card-Not-Present transactions.?

Read more to find out what is happening in the UK, what is happening elsewhere, as well as the risks of deploying AI solutions and how they can be managed. ?

The full blog post is from Joanne McNaul, Senior Director, K2 Integrity and Kai Kleingünther, Junior Executive, ARQ Group. ?