Technology risk in financial services - the road ahead under the FCA
This article was first published in e-finance and payments law and policy in May 2013
Technology risk is on the agenda for the Financial Conduct Authority (FCA). This is the message from the FCA’s 2013 Risk Outlook and business plan ("the Report"), published at the start of the new regulatory regime in April this year. The Report is the first significant statement from the FCA and sets out the new regulator's stall. It will be closely scrutinised as firms try to identify the areas being targeted by the FCA, particularly since it intends to adopt a more interventionist approach and has said that it expects firms to step up to the plate and address the risks identified in the Report. So what can we expect from the FCA?
Benefits and challenges of technological developments
The FCA identifies technology as one of the future conduct risks that pose the greatest threat to its statutory objectives (protecting consumers, enhancing the integrity of the UK financial system and maintaining and promoting competition in the interests of consumers). It is hardly surprising that the FCA regards technological developments as a conduct risk driver, given the influential role of systems and the rapid market changes that flow from innovative technologies.
The Report recognises the benefits that technologies have brought to consumers, incumbent players and new market entrants. Consumers have access to new products and services as well as easier, direct and faster access to financial markets. Firms, in turn, are able to leverage this direct access in order to increase their competitiveness; and new technologies are removing barriers to market entry.
However, the pace and scope of technological developments present challenges. These include the increased threat of cyber-attacks; the ability of firms to ensure adequate oversight of operations and technological interfaces; the risk of systems outages, exacerbated by failings in business continuity; poor controls resulting in security breaches, financial crime and unauthorised payments; and difficulties in validating and testing the integrity of complex IT systems, to mention a few. As the current climate continues to squeeze IT budgets, firms may have to rely on ageing legacy systems that are ill-equipped to cope with increasingly large volumes of transactions, which in turn raises issues of resilience.
Certain technology-driven risks have been singled out by the FCA for immediate attention. These include:
Price comparison websites (PCWs)
The FCA intends to carry out a compliance sweep across PCWs. The last compliance sweep of financial services PCWs was in 2010 and resulted in the FSA's "Guidance on the selling of general insurance policies through price comparison sites" (October 2011). That guidance focused on whether PCWs had the necessary authorisations, whether they were giving consumers proper information as to the roles of the various stakeholders, who consumers should complain to, as well as identifying common compliance failures.
Two years on, the FCA notes that, while progress has been made, PCWs tend to drive consumers to focus increasingly on headline price, rather than policy terms and coverage. The FCA is also concerned that, in future, more complex products could be marketed through PCWs, even where those products are not appropriate for the mass market. This could lead to consumers being misled if, for example, they are not made aware that PCWs do not cover all products on the market. Operators of PCWs as well as firms using PCWs will need to start reviewing their business practices and to bear in mind the FCA's concerns when marketing new, complex products.
Mobile and new payment services
Given the increasing interest in mobile payments and new payment services, this area is likely to attract the FCA’s attention going forward. As many players look to develop new products and address new markets in an omnichannel environment, there will be greater focus on how these products are marketed and delivered. The FCA is particularly concerned that consumers should have all the information they need to use these services securely and to protect themselves from financial fraud. Among other things, regulatory action over the coming year is likely to include a focus on how the products reflect the needs of customers, and provide effective security of funds, with the potential for refunds for unauthorised transactions.
Alongside this will be the forthcoming review of the Payment Services Directive, with proposals for legislative revision expected from the EU shortly. While the market has been fuelling speculation about a potential narrowing of certain exemptions, the EU will no doubt be keen to avoid curtailing new technology-driven products by additional constraints. Certainly it is a stated objective of the FCA and HM Treasury to encourage new developments in this field.
Business continuity and consumer protection are clearly high on the FCA's agenda. Last year's system outage at Royal Bank of Scotland Group, caused by an error in the bank's automated batch processing, is already the subject of an FCA enforcement investigation. The FCA intends to ensure that lessons learned from that incident are applied across the sector.
Algorithmic and high frequency trading
As part of its drive to increase standards of market conduct, the FCA intends to focus on the impact of algorithmic and high frequency trading (HFT). This will include supervision as well as an assessment of the resilience of market infrastructure to these and other trading practices. Algorithmic trading has been under scrutiny since the US Securities and Exchange Commission and Commodity Futures Trading Commission concluded that an automated execution algorithm triggered the Dow Jones "flash crash" in May 2010.
It remains to be seen whether the FCA intends to follow in Germany's footsteps and pre-empt EU proposals for increased regulation of HFT. The EU proposals, which are unlikely to take effect before 2015, are slowly working their way through the European institutions as part of the review of the Markets in Financial Instruments Directive (MiFID). They include new authorisation requirements for firms that engage in algorithmic trading, the use of "circuit breakers" (temporary trading restrictions triggered by certain market events) to mitigate the risk of trading system errors, minimum resting times between trades as well as systems and risk controls to ensure the orderly functioning of markets.
Big Data and consumer profiling
Among the other risks on the FCA's radar, the Report also highlights the use of Big Data enabling product innovation and customisation, in addition to consumer profiling by firms in their pricing models. While the benefits are clear, these techniques raise issues about data security and data protection compliance (alongside the new fines regime under the forthcoming Data Protection Regulation), as well as questions of equality of access to financial products and services. So we can expect to see closer scrutiny of how the advantages of Big Data are applied and how these products are targeted.
The Report is helpful in signposting some of the FCA’s key priorities in technological risk. This is particularly valuable as firms adjust to the new regime and develop future products. The greater challenge will be meeting the expectation that firms should adjust their business models, practices and cultures to reflect the FCA's objectives. The message is clear: consumer interests and market integrity must take centre stage. Pro-active engagement will be viewed favourably. Sitting back and waiting for regulatory intervention will not.