For the last two decades banks have adapted to significant and wide-ranging regulatory change. From Basel III and interest rate reforms to individual accountability regimes and responsible lending, the regulatory changes have been significant. These reforms have largely been inward looking, the result of conduct within the financial system.
However, banks are increasingly subject to changing regulation that stems from external threats and events. Scams, cyber risk, consumer vulnerabilities and climate change are all forces that increasingly drive regulatory reform and changes to the expectations on banks. As a result, banks are having to adapt to regimes that are far more expansive, and harder to predict and prepare for, than in the past.
Online fraud and scams are a growing problem and scammers rely on the banking system to undertake their criminal activity. Because of this, the international response of governments to address scams has included a role for banks. What this role looks like, and the appropriate allocation of responsibility for the resulting customer harm, is a fraught issue – in which different approaches have been taken in different jurisdictions, as we assess below.
The operational resilience of banks and the banking system came into sharp focus with the Covid-19 pandemic. The pandemic brought fresh attention to operational resilience and resulted in international regulatory change. While Covid-19 was an example of external events driving regulatory requirements, the focus of operational resilience has continued to shift.
In 2022, the HKMA introduced significant enhancements to its Supervisory Policy Manual in relation to operational resilience, including a new standalone module OR-2 on operational resilience and updates to modules on operational risk management and on business continuity planning.
Module OR-2 provides guidance on developing a holistic operational resilience framework.
It also highlights the HKMA's expectations on operational risk management, business continuity planning and testing, third-party dependency management, and information and communication technology (including cyber security). Banks had to develop their operational resilience frameworks and timeline by 31 May 2023, and they must become operationally resilient by 31 May 2026 at the latest.
The HKMA expects senior management of banks to be accountable for operational resilience and sets out detailed guidance on the respective roles of the board and senior management in module OR-2.
In addition, banks are expected to put in place effective cyber defence covering their own operations as well as linkages with third-party service providers. In relation to the latter, the HKMA recently shared sound practices observed from its thematic examinations of banks in 2023. The HKMA noted that, in light of advancements in technology and digitalisation of banking services, banks are placing greater reliance on third party services, resulting in increased exposure to cyber risks as threat actors target the weakest link in the supply chain of digital banking services.
Similar to Hong Kong, the MAS introduced updated Business Continuity Management Guidelines (BCM Guidelines) in 2022 to enhance operational resilience and incorporated key learnings from the Covid-19 pandemic. Key additions include requirements for FIs to identify their critical business services (for instance, private banking and wealth management for banks) and map interdependencies on people, processes, technology and other resources (including those involving third parties) for each critical business service.
Similar expectations in respect of managing operational risk, including through robust governance arrangements, will take effect in Australia through CPS 230 Operational Risk Management, from 1 July 2025. Banks are currently reviewing their engagements with service providers and considering appropriate uplifts to service contracts, particularly in light of expectations in connection with fourth parties.
In the UK and the EU, the focus is on risks to banks' operational resilience arising from dependency on third-party providers of critical services (CTPs) – especially information and communication technology (ICT). New regimes are being rolled out which bring CTPs directly within the regulatory universe for the first time. But the approaches are different.
The UK has introduced a new CTP designation regime (under the Financial Services and Markets Act 2023). Service providers designated as "critical" (not licensed) by the UK Government will then be subject to regulators' minimum operational resilience standards rules (covering governance, risk management, technology and cyber resilience) similar to those for banks. CTPs would be required to develop and test ‘financial sector continuity playbooks’ to improve their ability to respond to and recover from disruption affecting multiple banks simultaneously. The regime will fully come into effect by the end of 2024.
On the EU level, a similar oversight regime for CTPs has been introduced under the EU Digital Operational Resilience Act. This applies to all types of services, not just ICT. It also has extra requirements for EU regulated banks – including, for example, mandatory requirements for contracts with CTPs. Banks and CTPs must comply by January 2025.
Cyber risk is another supervisory priority of the European Central Bank (ECB) for 2024-2026. In July 2024 the ECB tested the responses of 109 banks to cybersecurity incidents. The test will contribute towards the banks' risk profile evaluations under the ECB Supervisory Review and Evaluation Process. Digital accessibility for consumers has also been at the heart of recent reforms in the European Union. The recently adopted eIDAS 2 Regulation on digital identity will oblige banks that require strong user authentication (i.e., two-factor) for online identification to accept for this purpose 'European Digital Identity Wallets'. These are personal digital wallets to be issued through the EU Member States, which will allow EU citizens (and businesses) to identify themselves digitally and present official documents in digital form, with high levels of security. These European Digital Identity Wallets will have to be accepted on a cross-border basis within the EU, with the aim of enabling frictionless access to key online services for EU citizens across all EU Member States.
The global financial crisis led to increased expectations on banks when extending credit and selling financial products. From responsible lending reform in Australia well over a decade ago, to suitability obligations in Hong Kong and product mis-selling laws in the UK, regulators have shown a significant focus on the selling practices of institutions on a customer-by-customer basis.
More recently, regulatory reforms have required financial institutions to take a step back and put the customer at the heart of product / services design and delivery, end-to-end. The focus is now more on achieving good outcomes for customers, particularly retail.
Banks are facing both law reform requiring changes to their day-to-day processes, and the threat of enforcement action from regulators if implementation is not up to standard. For example, Australia's corporate regulator has issued more than 85 interim ‘stop orders’ to suspend the issuing of certain financial products since that country’s design and distribution regime commenced in October 2021. Indonesia’s Financial Services Omnibus Law, issued in late 2023, expressly requires financial institutions to design products and services to suit the needs and capabilities of the target consumers.
While regulators continue to be focused on the appropriate design and distribution of products, banks must also be alive to regulatory expectations on their conduct throughout the product life cycle. In Australia, there is a clear focus from the corporate regulator on treatment of customer hardship during the life of a loan (see, for example, its review of 10 lenders in late 2023 and ensuing report in May 2024 subtitled: “Lenders fall short in financial hardship support”). From taking measures to identify hardship proactively, to ensuring senior management is engaged with the consumer impact of these situations, ASIC's expectations in connection with hardship are another illustration of the need for financial institutions to respond capably to events outside their control.
In Hong Kong, the HKMA and the Banking Sector SME Lending Coordination Mechanism introduced a series of measures throughout the pandemic to support small and medium-sized enterprises facing financial hardship and announced further support measures in March 2024. These include, among others, never demanding early repayments from mortgage customers who repay on schedule, supporting customers facing difficulties by being sympathetic in providing suitable credit relief (subject to prudent risk-management principles), and providing convenience to customers to switch lending banks.
In Indonesia, the Financial Services Omnibus Law prohibits financial institutions from carrying out any action that may cause physical and/or psychological disturbance to consumers. Such actions include seizing security assets in public without the consumers’ prior consent or disseminating information regarding the consumers’ failure to meet their payment obligations.
In the UK, it is over a year since the new FCA Consumer Duty, with its high-level outcomes, came into force. It has become the high-water mark of retail banking compliance.
The FCA has since publicised good and poor practice examples to assist firms with achieving the 'price and value' outcome.
The FCA also issued a wider Call for Input to gauge the scope for streamlining or replacing other rules now that the Consumer Duty is in place. It is partly motivated by the FCA's new statutory secondary objective to facilitate the international competitiveness of the UK economy: effective regulation can facilitate innovation and competition. Further reform may follow.
As the scope of regulatory regimes continues to expand, banks that adapt most successfully will be those that are:
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024