Report Link: How firms can respond to the 2024 regulatory landscape | EY – US
Size of Report: 28 pages
EY’s report differs from most of the others and is worth a read for those in risk and compliance roles. Whilst the topic might oftentimes seem dry, this report does a great job of summarising and explaining a lot of what is happening in the next few years.
EY makes the case that some of the industry instability seen recently was caused by regulation being out of step with technology and the speed at which consumers can now react. As such, the regulatory landscape needs to take some big leaps. With a lot happening in payments and financial services, there are lots of regulatory and supervisory changes on the horizon that need to be acted on now, with the APAC/Australia and Europe regions largely leading the way on initial drafts.
The global economic environment does lead to 2024 bringing about asset quality, and at present many countries are regulating data, technology and climate issues in ways that follow national agendas. This adds layers of complexity.
The report highlights that a growing number of regulators are performing stress tests on ever larger numbers of banks and even on smaller banks. For board and oversight roles, some regions are looking at putting remuneration compensation clawback clauses into contracts.
With regulators moving to data-driven supervision and enhancing their role as data hubs, they focus on improved data, transparency, access, interoperability, data harmonisation and standardisation. This will drive organisations to use (collaborative) tools to help prove they are delivering transparency and oversight.
As digitalisation becomes business-as-usual, some firms are struggling to update legacy systems. The latest EY/IIF global risk management survey found 94% of chief risk officers say they need “some” or “many” new skills and resources to meet the changing needs of the risk-management function, with data science and cyber topping the list of the most desirable skills.
In payments, a lot is going on:
- The EU PSD3 (Payment Services Directive) introduces a new regulation on a Framework for Financial Data Access (FiDA). FiDA introduces “open finance”, the next stage of the evolution of open banking. It expands data access and usage beyond payment and transaction data, while also including other areas of financial activity.
- Several jurisdictions globally are developing open finance frameworks. In Southeast Asia, a growing number of initiatives are underway to link domestic payment systems and enable frictionless cross-border payments.
- Several markets have a digital identity initiative (India, Sweden, Norway, Denmark, Canada etc.), whilst countries that do not have a digital ID programme yet are considering one. Several markets are also exploring AI and data acts, such as the European Commission AI Act issued late 2023, giving companies 18 to 24 months to comply.
- Regulation will also cover buy-now-pay-later (BNPL) and embedded finance players, who will face the same level of scrutiny as retail financial services players do. Australia already regulates BNPL in this manner, and the UK is in the final stages of a long consultation.
- Whilst instant payments are driving financial crime, they will require instant monitoring and enhanced analysis. The area regulators will increasingly seek to improve is consumer protection, especially from the growth in scams, of which bank transfers account for the majority.
For example, Australians lost a record sum of more than US$2bn to scams in 2021; scams are made possible by a wide variety of technologies. Linked to this, the EU “single rulebook” regulation provides guidelines for completing customer due diligence, disclosing the identities of beneficial owners etc. This introduces the sixth Anti-Money Laundering directive, which includes national provisions on oversight, Financial Intelligence Units and information-sharing requirements, and establishing the European Anti-Money Laundering Authority. This all points to the need to use more sophisticated technology, such as AI, to support fraud detection.
Threading through all the above, operational resilience is a key regulatory focus globally. There is a shift to view compliance through a consumer harm lens. In Australia, APRA has made operational resilience a heightened focus, whilst in Europe firms must now comply with the EU’s Digital Operational Resilience Act (DORA) from 1 January 2025, making 2024 paramount for DORA readiness.