ESG initiatives remain high on the agendas of regulators and financial institutions. While this focus is expected to continue to evolve in 2023, the geopolitical impact of the war in Ukraine and Russia's weaponising of fossil fuel supplies have added further complexity, with many governments focusing in the short term on finding alternative energy sources or extending existing fossil fuel sources such as coal power stations. ESG regulation continues to develop rapidly, with a focus on sustainability that extends beyond net zero into biodiversity and deforestation. The social agenda is also gaining momentum: the U.K. Prudential Regulation Authority (PRA) and FCA, for example, have published requirements relating to diversity and inclusion, and a social taxonomy was published in the EU in 2022. We expect Compliance functions to be involved in many aspects of ESG frameworks. In particular, the regulatory focus on greenwashing, expressed through a variety of regulatory statements and enforcement actions, is likely to draw Compliance into key decisions in this area. Compliance functions will need to help the business understand new and emerging ESG regulations, integrate ESG considerations into many compliance matters, including reviews of marketing materials, and be ready to explain how the organisation's ESG strategy affects areas of regulatory concern.
Traditional Compliance Issues
While there are countless traditional compliance issues that require the attention of Compliance, including the consumer protection issues discussed above, our focus here is on three that are at the top of the list every year.
Financial crime compliance
Financial crime compliance, as in years past, will continue to be one of the most dynamic areas of compliance. Barring another major geopolitical event, we expect the 2023 focus to shift from sanctions to anti-money laundering and counter terrorist financing (AML/CFT). The new year will bring new laws and regulations, continued high profile enforcement, and new and added focus on underlying crimes.
On the regulatory front, a few examples of evolving AML/CFT compliance frameworks include:
- Nearly two years after the enactment of the Anti-Money Laundering Act of 2020, the U.S. has a long way to go to implement the law fully.
- The EU continues its efforts to harmonise standards across its member countries and move to launch a regional authority.
- The U.K., no longer subject to EU requirements, has adopted new post-Brexit AML requirements.
The enforcement landscape also continues to evolve, with non-traditional players such as cryptocurrency companies, casinos and real estate agents grabbing some of the headlines from banks and broker-dealers. We expect this trend to continue into 2023, although large traditional organisations are likely always to be in the crosshairs.
Recent events, including the war in Ukraine, the global focus on ESG and a never-ending series of cyber events, have resulted in increased regulatory focus on predicate crimes such as kleptocracy, ecoterrorism, human trafficking and cyber intrusions. A financial crime compliance function must therefore be able to demonstrate how its programme addresses these concerns at every stage, from risk assessment to know your customer (KYC) to monitoring for suspicious activity.
All of the above comes against a backdrop of continued efforts to innovate in AML/CFT compliance, which are progressing at different paces for a variety of reasons, including the risk appetites of institutions and regulatory encouragement, or the lack of it. With the dual mandates to comply and to innovate, 2023 will be yet another busy year for financial crime compliance.
Data privacy
The exponential growth in the volume of data in financial services is driving increasing concern among global regulators about data privacy and about ensuring that customers are aware of how their data may be used. Gartner has estimated that 65% of the world's population will be covered by legislation like the EU's General Data Protection Regulation (GDPR) by the end of 2023, as countries including Canada (Personal Information Protection and Electronic Documents Act (PIPEDA)) and China (Personal Information Protection Law (PIPL)), as well as all EU member states, have adopted data privacy legislation. Several U.S. states have implemented similar requirements, including California (California Consumer Privacy Act), Virginia (Consumer Data Protection Act), Colorado (Colorado Privacy Act) and New York (Stop Hacks and Improve Electronic Data Security Act (SHIELD)). The growing number of sources of requirements, and their variation by jurisdiction, mean that global financial institutions must manage differing data privacy requirements simultaneously. The willingness of regulators to take enforcement action, including significant fines, raises the stakes for institutions. Compliance will be working with legal and data privacy teams to track these various requirements and to manage local requirements in IT systems that are increasingly global in reach.
Cybersecurity
Cyberattacks remain a growing criminal activity, and financial services regulators are focusing on their impact on operational resilience. The European Union Agency for Cybersecurity (ENISA) has highlighted a number of new and emerging cybersecurity threats in its recent publication on the 2022 threat landscape. It notes that the number of cybersecurity incidents since the Russian invasion of Ukraine has been driven by geopolitical factors and by "a wave of hacktivism" resulting from that conflict. While ransomware and malware are on the rise again, phishing remains the most common initial access point for attackers, according to the report. The report also raises concerns about cybersecurity at a time when machine learning models are increasingly becoming a target and artificial intelligence (AI)-enabled disinformation is a growing trend. Regulators will continue to focus on the development and testing of cybersecurity defences, the operational resilience of critical business services, incident reporting and senior management's understanding of IT risks such as cybersecurity.
One final note before we close out our 2023 list of compliance priorities: This year, we did not call out third-party risk management (TPRM). That’s not because it is not important, but because it is pervasive. It affects so many aspects of a financial institution’s processes and operations — how it secures and deals with clients, how it processes and manages data and how it uses myriad technologies to carry out its day-to-day activities — that TPRM, which is a global regulatory priority, needs to be embedded throughout an institution.
Are there other priorities we could have included? Yes, that is always the case. And with the elevated level of uncertainty, we would not be surprised to see changes to the priorities throughout the year. But that is the nature of Compliance: Priorities are broad and growing and their significance is impacted continually by internal and external events.
About Protiviti’s Financial Services Industry Practice
Protiviti’s global financial services industry practice has served more than 75% of the world’s largest banks and many of the largest and mid-sized brokerage and asset management firms, as well as a significant majority of life, property and casualty insurers. The FSI practice provides support to teams across Protiviti’s portfolio of solutions, including regulatory compliance, risk management, internal audit, technology, cybersecurity, data privacy and sustainability.