Ten Regulatory Insights for Asia-Pacific in 2017

This will be a positive year for the Asia-Pacific region as it is set to benefit from the political and regulatory uncertainty in the UK, Europe and the Americas. International firms will be looking for stability and the region can meet requirement more than anywhere else.

2017 is a decade since the start of the financial crisis which brought some of the world's largest economies to their knees, altering the regulatory landscape internationally. More importantly, many firms have this year placed compliance at the top of their agendas. They have to address gaps in compliance and senior management decision making where, all too often, organisational interests had not been aligned with those of their customers. Priorities for Asia-Pacific firms this year will include compliance, FinTech, RegTech, cyber crime and financial reforms in China.

Integrity and professional service should be at the forefront of organisations' corporate minds. In the Asia-Pacific region, firms have tended to fall down not so much on regulatory implementation, but rather on compliance processes and mediating effectively with customers when things go wrong. 

In a survey at the Thomson Reuters ASEAN Regulatory Summit 2016, 56.4 percent of 500 delegates said the most common area of misconduct in their jurisdiction was mis-selling financial products, followed by money laundering (23.5 percent) and market manipulation (11.5 percent).

Risk culture, consumer protection and financial crime regulation will be priorities for firms this year. It has taken a while for them to get on top of compliance issues, but the majority are now adopting sound compliance and regulatory governance practices and have realised that short-term goals cannot be sacrificed for customer interests in an endless pursuit of market share and growth. There is evidence of a change in mindset and of a determination to address past compliance failures and deal with consumer concerns.

New Approach by Young Professionals

The 2016 Thomson Reuters regulatory summits in Asia revealed that one of the most influential factors has been the emergence of a new breed of young professionals who take pride in their work and want to move away from past reputational issues. 

There is a sense that financial organisations are concentrating on realigning their goals and aspirations with those of customers to forge long-term professional partnerships. 

Regulators

This year the region's regulators will aim to improve risk culture and will step up supervision of financial institutions found to be involved in poor practices. Regulators will also deal severely with firms which prove unwilling to address behaviour inconsistent with prudent risk management practices. 

In a survey carried out at the Thomson Reuters ASEAN Regulatory Summit, however, 62.7 percent of delegates said they were unhappy with the way regulators dealt with misconduct issues. This suggests regulators may need to work harder to understand the industry. Regulators might consider placing more emphasis on raising public awareness of firms' misdeeds rather than enforcement as a way to curb misconduct.

Integrity will be Crucial for Longevity

Longevity in the market place will be determined by the way boards and senior managers make decisions and lead from the “top”. Where customers’ interests are at stake, they need to act as though there is a regulator in the room. At the ASEAN Regulatory Summit 2016, 69.9 percent of delegates said their organisations had either clearly defined good conduct outcomes or were working toward or aspiring to have clearly defined good conduct outcomes. This suggests financial institutions are making progress.

There is room for improvement and this can only happen when there is a clear “tone from the top”, and where senior managers have instilled a sense of ethical purpose in staff. This article outlines 10 regulatory risk insights for the Asia-Pacific region during 2017.

1. Risk Culture

Risk culture concerns how risks are managed in an organisation. It is how staff identify, understand, discuss and act on the risks their organisation confronts and takes. Risk culture is defined by regulatory expectation rather than a rulebook, so it can be hard for firms to know when they have got it right and all too easy for regulators and the media to tell firms when they get it wrong.

Recent history suggests that culture and risk failures often have their root cause in governance, remuneration, risk management or tone from the top. This year regulators will apply greater supervisory oversight to regulated institutions, making sure that senior executives and boards of directors address cultural risk gaps and can evidence significant improvement in this area.

One way to kick-start improvement would be for firms to introduce training on risk culture and conduct risk, and to explain to staff the conduct expected and how this should be put into practice for customers. Ultimately, it is the core staff who represent an organisation’s culture, which in turn is passed on to customers.

Regulators are interested in culture and risk because it influences conduct. The Financial Stability Board (“FSB”) pointed out in late 2016, that risk culture was, to a large degree, the final frontier in the response to the financial crisis. William Dudley, president of the New York Federal Reserve Bank, has proposed there should be a “culture benchmark” which financial organisations could use to compare their progress.

Regulators expect boards to form a view of risk culture, identify any changes needed and require the organisation to take steps to address those issues. A sound risk culture, across the industry, is something that will take years to come into existence and the tone must be set by chief executive officers (“CEOs”), boards of directors and senior management. Most firms would be in agreement about the central role which boards and senior management must play.

2. Management Accountability

Regulators in Asia are keen to establish clearer lines of sight to establish where responsibility lies for actions within firms, especially where decisions have been detrimental to customer interests.

In Australia, Hong Kong and Singapore few senior managers have as yet been held responsible for compliance failures but this may change as regulators push for accountability in future.

In 2016 the UK introduced a senior management liability regime, designed to restore trust in financial services, impose more personal risk on directors and provide regulators with a line of sight. The regime includes:

  • A new senior managers regime (“SMR”) for individuals who are subject to regulatory approval which will require firms to allocate a range of responsibilities to these individuals and to review their fitness and propriety regularly.
  • A certification regime which will require firms to assess the fitness and propriety of certain senior employees who, if they fail to carry out their functions competently, pose a risk to the firm and its customers.
  • A new set of conduct rules, which relate to professional conduct, conduct of the business and the activities.

The framework arguably has an extraterritorial dimension in that the SMR will apply to individuals performing senior management functions whether physically based in the UK or overseas.

In a poll during the Conduct Risk Panel at the Thomson Reuters Pan Asian Regulatory Summit 2016, 51.3 percent of delegates said senior management liability should be introduced in Australia and/or the region even though the experts on the panel considered there was no need for such a regime in Asia.

Enhancing senior management accountability would promote higher standards of conduct and have a positive influence on firms’ overall culture because management will want to ensure conduct adheres to compliance and regulatory requirements. More clarity on senior management functions and lines of responsibility can only enhance standards in the financial services industry.

3. Aligning Interests of Customers with those of the Organisation

In the past few years, a focus on short-term outcomes with respect to longer-term customer relationships has eroded customers’ confidence and trust in financial institutions. To regain that trust, firms must be seen to act with greater integrity and accountability. At the ASEAN Regulatory Summit 2016, 65.5 percent of delegates said they thought the culture in financial services still put the bottom line ahead of ethical behaviour and doing what was right.

Financial institutions must work harder to prove to customers and regulators that their culture focuses on consumer interests. Practical steps might include enhancing codes of conduct and introducing training on ethics. Organisations must take swifter action to compensate customers when things do go wrong.

Organisations should not always look to regulators to set integrity benchmarks or standards, but rather should take steps to improve their own systems and procedures to ensure they promote a sound ethical culture, integrated risk management systems and compliance frameworks.

4. AML: STR Processes, Beneficial Ownership and Trade-Based Finance

Anti-money laundering (“AML”) remains one of the most pressing regulatory challenges for Asia-Pacific financial institutions. At the Pan Asian Regulatory Summit 2016, 73.3 percent of delegates said AML and know your customer (“KYC”) were the most challenging compliance issues for their organisations last year.

One focus will be the need to improve suspicious transaction reports (“STRs”). Last year, the Monetary Authority of Singapore (“MAS”) took enforcement action to withdraw the licences of two Swiss banks – Falcon Private Bank Ltd and BSI – following STR issues. Other banks in Asia have been fined for inadequate compliance controls in relation to STR procedures. Falcon was penalised for STR failures going back to 2013 in relation to 1 Malaysia Development Berhad (“1MDB”) transactions and corrupt fund flows to Malaysia. Two bankers in Singapore have already been sentenced to jail terms.

The success of international enforcement efforts relies on two themes: the need for inter-agency coordination between financial intelligence units (“FIUs”) internationally and the need for financial institutions to provide accurate STR data to FIUs in their home jurisdictions.

Financial institutions will need to review their STR processes. They must ensure staff are trained appropriately so that they understand trade finance money laundering and can spot red flags. Staff will also need to have appropriate access to management to enable them to refer decisions or suspicious circumstances. Failure to do so may evoke reputational risk when issues are missed.

Beneficial ownership remains an important issue in the Asia-Pacific region. The Panama Papers revealed a general weakness in this area and may well prompt further regulatory changes this year. The Financial Action Task Force (“FATF”) has continued to stress the need to streamline beneficial ownership processes, to improve disclosure.

5. Regulatory Governance

Since 2014 prudential regulators in the region have been reviewing financial institutions’ governance frameworks to assess whether there are material risks associated with business activities. This looks set to continue for the next few years. One major compliance concern for firms will be keeping up with new regulations and regulatory expectations.

The capital, liquidity and leverage requirements of the Basel Committee on Banking Supervision (“BCBS”) and BCBS Insolvency 11 may also pose challenges for firms. Many of the BCBS changes have an implementation target date for 2017 or 2018 which means banking standards will need to be overhauled once again.

Further regulations on over-the-counter and derivative regulations are also due to be implemented this coming year, and financial institutions will need to address other international rules such as automatic tax information exchange.

Many financial institutions lack the resources needed to carry out an in-depth analysis of the proposed changes and implementation, but they cannot be ignored.

6. Cyber Resilience

There are indications Asia remains vulnerable to cyber attacks, and here too supervisory authorities need to work more closely with business to ensure a coordinated response. The issue remains high on financial institutions' agendas and regulators are focusing on cyber risk as part of operational risk.

It has been estimated cyber security breaches costs the international economy more than $400 billion annually. It is, however, difficult to estimate the extent of the harm in Asia-Pacific as many countries, and notably China, Japan, Singapore, Hong Kong, Philippines, Malaysia and Indonesia, rarely exchange information about cyber attacks. 

 

Although facilities have been established to fight cyber crime in Asia, notably the Interpol Global Complex for Innovation ("IGCI"), part of INTERPOL ("ICPO"), which is based in Singapore, efforts to fight cyber crime continue to be hampered by the lack of coordination. Experts have warned cyber crime will continue to increase if this is not remedied. This is of particular concern where sensitive personal data is stolen by hackers and yet there are too few rules to enforce disclosure when this occurs. 

Firms should evaluate their cyber risks and resilience continuously and decide how they are best managed or mitigated. At the Pan Asian Summit 2016, 26.5 percent of delegates said their CEO was responsible for cyber crime compliance, while 28.4 percent thought it fell within the chief information officer’s remit. It was concerning many delegates did not know who bore the responsibility in their respective organisations. The answer is the board and the CEO. 

Last year, the Bank of Ireland produced some cross-industry guidance setting out best practice in respect of cyber security risks. The guidance also proposed some benchmark requirements which financial institutions may find useful:

  • The board should drive a culture of security and resilience throughout the firm.
  • Staff members should receive adequate training in relation to cyber security and the threats they may encounter. Firms should periodically test staff responses to various cyber attack scenarios.
  • Cyber security should be a standing agenda item for discussion at board meetings.
  • The board should understand what assets and information are the most valuable to the firm.
  • The board should satisfy itself that the policies and procedures in place are sufficiently robust.
  • A clear reporting line to the board should be established for cyber security incidents.
  • The board should appoint a chief information officer or equivalent with accountability for information security.
  • Firms should have in place appropriate processes to verify requests by all methods of communication.
  • Where firms are requested to make payments to third parties, they should ensure client verification with AML requirements.
  • Firms should periodically engage an external specialist to carry out tests of their systems on a regular basis.
  • Firms should satisfy themselves that members and third parties they utilise have cyber security standards and that these parties have a minimum impact on the firm.
  • Each firm should have a contingency plan in place in case their systems are breached or their data compromised.
  • Firms should report any substantial attacks to the regulator or authorities.
  • Firms should ensure that mobile devices with access to their system or other applications are protected from the network.
  • Firms should ensure that they are kept up-to-date on cyber security threats.

It is crucial Asia does not lag behind, otherwise financial institutions in the region will continue to be significant targets for hackers and organised criminals. Improvements in cyber coordination must include the need to make the disclosure of significant cyber attacks mandatory; only then will governments and regulators will understand the true extent of the threat.

7. Corruption

The publication of the Organisation for Economic Cooperation and Development (“OECD”)'s Foreign Bribery Report in 2015, followed by the allegations concerning Unaoil and Mossack Fonseca, have helped to raise awareness of foreign bribery risks and to shake a previously held assumption that this is mostly confined to developing countries.

Corruption affects all industries, and the financial sector is no exception. The most notable recent example has been the 1MBD scandal which affected bankers in Malaysia, Singapore and Switzerland.

If financial institutions are to combat foreign bribery and reduce their exposure to the associated reputational risks, they would be well-advised to review their compliance, due diligence and audit procedures, with a particular focus on areas such as outsourcing and offline transactions.

Audits play an important role in combating bribery and often tend to be the main way in which such misconduct is uncovered. Firms need to raise awareness of the main risks and ensure staff members have relevant training so they know what to look out for and can focus on preventing and detecting bribery in susceptible areas.

Executives must lead by example in implementing their company’s anti-bribery programmes and ensure that proper compliance checks, balances and reviews are carried out.

Fines can be in the millions of dollars. If enforcement agencies become involved, firms must be able to prove they have strong compliance procedures in place as this may be an important mitigating factor in any court defence.

8. Whistle-Blowing Procedures

Corporate whistleblowers can play a vital role in detecting fraud and other forms of corporate and financial services misconduct. Most Asia-Pacific firms have whistleblower protection programmes and regulators in the region have produced legislation that provides for the protection of whistleblowers. At the ASEAN Regulatory Summit 2016, 60 percent of delegates said their firm had a culture that was conducive to whistle-blowing.

In the United States and the UK much has been done to protect whistleblowers. The United States in particular provides financial rewards for whistleblowers whose evidence leads to penalties, convictions and fines against corporations. In Australia, work is underway to expand whistleblower protections but progress has been slow.

In practice, however, there have been many instances of whistleblowers paying a personal price for their disclosures. In too many instances the reactions of both firms and regulators in the Asia-Pacific region have done little to instil confidence in those who are keen to expose corporate malpractice. All too often, whistleblowers who report issues lose their jobs or are subjected to considerable emotional and financial stress, despite the official safeguards that have been put in place.

9. FinTech and RegTech

Regulators in the region are playing an important part in assisting new FinTech start-ups and engaging with, and providing formal assistance to, new market entrants. "RegTech" refers to the broader range of technologies which can help firms to meet their regulatory obligations.

FinTech investment is doubling each year throughout the world: in 2013, it was $4 billion; in 2014 it increased to $12.2 billion; and in the first quarter of 2016 alone $5.7 billion was invested in FinTech operations.

This growth has doubtless been assisted by initiatives on the part of regulators such as the establishment of innovation hubs and regulatory sandboxes which have played an important role in reducing regulatory barriers and allowing start-ups faster access into the market.

Australia, Hong Kong and Singapore have all set up innovation hubs to reduce red tape, improve engagement with FinTech businesses and allow conditional access to the market. This does not mean, however, that regulators have had to compromise fundamental principles of financial service regulation or licensing processes. 

Most of the entities seeking assistance have involved robo advice, market place lending, crowd funding, payment business models, blockchain and RegTech.

RegTech may have the most immediate short-term impact in data management and AML/KYC and may prove most successful where it can make cost savings for firms or encourage proactive regulatory compliance, for example, via self-configuring software.

The trouble is innovation is moving at a fast pace ahead of regulation and can be subject to high risk and fraud; in particular, a number of consumer protection features have yet to be developed. The industry could perhaps learn from events in China.

For example, in 2016 one of China's biggest peer-to-peer (“P2P”) lending platforms, Ezubao, collapsed, and investors lost their money. Ezubao had collected 50 billion yuan ($7.6 billion) in less than two years from more than 900,000 investors through savvy marketing and the promise of big returns.

Such cases show how quickly fraudulent schemes can emerge in a FinTech industry that is loosely regulated.

10. Incentive Fraud and Remuneration

There are two issues in this area: first, the focus on management remuneration and bonuses, and secondly, bonus incentive programmes for staff to sell financial products. 

Prudential regulators will continue to identify practices associated with risk cultures and will review management remuneration policies and practices at regulated institutions and examine how these interact with risk culture. 

The Wells Fargo case in the United States was salutary example of how staff incentive programmes can lead to fraud and illustrated how reasonable goal-setting and incentives can lead to compliance disasters and reputational risk. The tension between short-term results and long-term goals can and will cause tension between management and compliance which can be hard to deal with. 

Firms need to realise incentive systems can have unintended consequences and bring reputational risks if they are not put in place carefully and monitored with due care and attention.

<a data-cke-saved-href="https://www.oecd.org/corruption/oecd-foreign-bribery-report-978926422661..." href="https://www.oecd.org/corruption/oecd-foreign-bribery-report-978926422661..." _blank"="" style="margin: 0px; padding: 0px; color: rgb(45, 75, 140); font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify; background-color: rgb(255, 255, 255);">

Niall Coburn is the Asia-Pacific regulatory intelligence expert for Thomson Reuters. He is a barrister and former director of enforcement at the Dubai Financial Services Authority and senior specialist adviser to ASIC. He is based in Brisbane, Australia.