POL00411492 - Regulatory training programme: UK Regulation, Individual Accountability, Culture, Conduct and Outsourcing.


www.pwc.co.uk

Regulatory training programme

UK Regulation, Individual Accountability, Culture, Conduct Risk and Outsourcing


Topics covered

+ Regulatory overview
+ Individual accountability and Potential extension of Senior Managers and Certification Regime (SM&CR)
+ Culture
+ The regulator’s view on conduct risk
+ Outsourcing
+ Other regulatory initiatives


Regulatory overview - Agenda

1 Regulatory architecture and approach — UK and globally

2 Current agenda of the regulators

3 Changing face of regulation

Regulatory training programme December 2015
PwC 4

The UK’s financial regulatory architecture

Bank of England (BoE)

+ Monetary policy and payments systems;
+ Responsibility … for macro prudential …;
+ New responsibility for micro prudential supervision.

Financial Policy Committee (FPC)

+ Responsibility for stability and resilience (macro prudential) regulation;
+ Make public pronouncements and warnings; and
+ No power to regulate individual firms.

FPC powers of recommendation and direction to address systemic risk

Prudential Regulation Authority (PRA)

+ Mandated to promote the stable operation of the financial … ‘effective’ regulation;
+ Responsibility for prudential supervision of deposit takers, insurance companies (and systemically important investment management …); and
+ … subsidiary of BoE but with own separate Board.

Financial Conduct Authority (FCA)

+ Conduct regulator for all firms undertaking investment business; Wholesale market conduct; Prudential regulator for all firms not covered by PRA or the EU passport; and
+ Strategic objective to ensure that relevant markets function well.

Who is regulated (diagram labels)

+ Prudential regulation: systemic infrastructure … and payment systems
+ Prudential regulation: prudentially significant firms: deposit takers, insurance …, some investment firms
+ Prudential and Conduct regulation / Conduct regulation: investment firms and exchanges, … including IFAs, investment …, insurance brokers and fund managers

Supranational regulatory architecture

+ International Monetary Fund
+ World Bank
+ Bank for International Settlements
+ Basel Committee
+ International Association of Insurance Supervisors
+ European Banking Authority
+ European Insurance and Occupational Pensions Authority
+ Securities and Markets Authority
+ UK government and European regulatory bodies

Change to FCA supervisory approach

FCA now supervises over 70,000 firms — Up from 26,000 it regulated at launch

It believes it now needs to take a different approach to regulating such a large and diverse range of firms (particularly it notes with resourcing levels remaining largely fixed)

So supervision will now place more focus on:
- Prioritising issues identified in a strategic way
- Change intelligence and data analysis processes to form a more consistent and collective view of key markets and sectors
- Sectoral and market-wide analysis


What has been happening in the industry?

The media have heightened their focus on Conduct and Culture within the FS Industry that has contributed to recent corporate “scandals”

Homeserve hit with record £31m FCA fine for mis-selling insurance
February 13 2014
Homeserve has been hit with the largest ever fine for mis-selling products to UK retail customers, drawing a line under an insurance …

The Telegraph
Barclays handed biggest bank fine in UK history over ‘brazen’ currency rigging
Financial Conduct Authority's £284.4m penalty comes amid $6bn in fines for six banks for foreign exchange manipulation

UBS fined £9.45m for mis-selling to wealthy clients
565 customers had £816m invested in AIG Enhanced Variable Rate Fund at point it was suspended
Tuesday 12 February 2013

BBC News
Lloyds hit by record £117m fine over PPI handling
5 June 2015

Barclays fined a record £290m
June 27 2012
US and UK authorities have fined Barclays more than $450m for attempting to manipulate the London interbank offered rate, a benchmark interest rate that is used globally to set the price of everything from credit card fees to corporate loans.

FCA business plan 2015/16

+ Mid/long-term risks identified fairly static against 2014 — focused on unfair contract terms, technological developments, poor culture and controls, financial crime, pensions and back books
+ Plan on conducting a cross-FS review of culture, in particular the promotion, appraisal and remuneration decision-making process for a firm’s middle management
+ Increased supervisory focus on thematic reviews (though will do less of these), and market studies. Likely to carry out further case studies and deep dives on specific topics with fewer firms
+ Incorporated FCA’s risk outlook for first time (since this impacts the year’s focus areas)

FCA risk outlook

+ Pension products and distribution methods
+ Poor culture and practice in consumer credit firms
+ Poor culture and controls threaten market integrity
+ Financial crime
+ Pace of technology developments
+ Use of large back books to subsidise new customers
+ Unfair contract terms

Cross-sectoral reviews

Thematic review of culture

+ Are culture change programmes driving the ‘right behaviours’
+ Reviewing employee complaints and how these are dealt with
+ Analysing remuneration, appraisal and promotion decisions for middle management

FCA is working with PRA and Bank of England

Also reviewing how firms are managing ongoing cyber risks

Potentially relevant reviews

1 Mortgage lending market study
+ Assess how firms have implemented Mortgage Market Review (MMR) rules
+ Identifying barriers to competition (i.e. why might consumers not get access to credit and how can consumers switch providers)

2 Review staff remuneration and incentives
+ Focused on consumer credit firms
+ Looking at whether remuneration and bonuses are linked to collecting debts or include Treating Customers Fairly (TCF) issues

3 Complete thematic review of unauthorised transactions
+ Looking to ensure that firms are not placing unreasonable obstacles or responsibilities on their customers
+ Linked to FCA work on how firms treat and adapt processes for vulnerable consumers

4 Thematic review of packaged bank accounts
+ Assessing how banks have implemented new FCA rules on packaged bank accounts
+ Likely to be the next big compensation issue for firms to manage
Changing face of regulation:
The UK Payment services supervisory architecture

The Payment Systems Regulator (PSR)

What is it?

The PSR is a subsidiary of the FCA but has its own statutory objectives. Its staff of 50 is headed by Hannah Nixon. It has an annual budget of £15.9 million that is funded through annual fees from those the PSR regulates.

What will it do?

The PSR will regulate six key interbank payment systems — Bacs, Cheque and Credit, CHAPS, Faster Payments Service, LINK and Northern Ireland Cheque Clearing and two card payment systems — MasterCard and Visa Europe but NOT American Express or Diners Club.

The PSR has three statutory objectives: To promote 1) competition and 2) innovation in payment systems and to ensure that 3) payment systems are operated and developed in a way that considers the interests of all service-users.

How will it operate?

Economic, not conduct, regulator; concurrent competition powers but FCA and PRA have veto power.

How does it work with FCA?

FCA is a conduct regulator. Firms that provide payment services must be authorised or registered by the FCA and comply with its conduct and reporting requirements.

How will the PSR achieve those objectives?

The PSR has set out its programme of work in its Annual Plan and Policy Statements. The main features of the PSR’s work broadly fall into four work streams:

+ Payment strategy forum
+ Market reviews
+ Compliance reports and Disclosure
+ Internal work stream

Purposes stated for the work streams:

+ Developed to ensure that service users’ interests are being considered
+ Developed to improve the overall Payments System
+ Developed to drive innovation in the Payments Industry
+ Developed to ensure that there is fair competition

Payment strategy forum

+ It will help to develop and agree strategic priorities for the long-term development of payment systems
+ Some topics the forum will be considering include the Current Account Switching Service (CASS) and Account Number Portability

Market reviews

+ PSR has concurrent powers with the Competition and Markets Authority (CMA) to launch investigations where it suspects competition may be adversely affected
+ Two Market Reviews that the PSR intends to perform by April 2016 are: the supply of Indirect Access to payment systems and ownership and competitiveness of infrastructure provision
+ Other reviews are likely to be prompted by complaints the PSR receives

Compliance reports and Disclosure

i. Compliance Reports: To demonstrate that interbank operators are taking the interests of service users into account with decision makers

ii. Disclosure: Pan-GB Operators will have to publicly-disclose Access Requirements and reporting, enabling the PSR to check compliance

Internal work stream

+ Develop a Sponsor Bank Code of Conduct
+ Evaluate the proposed EU Interchange Fee Regulation
+ Reduce barriers through the ‘Innovation horizon scanning’ programme
+ Review of interchange ATM fees
+ Customer access to redress for payment systems failure
+ An industry led Hub to help Indirect Payment Service Providers (PSPs) obtain information on accessing payment systems

Changing face of regulation:
Who are the competition regulators?

Firms operating in the UK

+ As of 1 April 2015, the FCA and Payment Systems Regulator became ‘concurrent’ sector regulators alongside the Competition and Markets Authority (CMA)
+ The FCA and CMA will share powers for the financial services’ market, but cannot investigate the same subject matter at the same time

Firms also operating in the EU

+ Subject to the EU Commission if the activity or issue is deemed to have a ‘cross-border’ impact in the EU

What is competition law?

Competition law aims to promote healthy competition in markets by:

+ banning anti-competitive agreements¹
+ addressing market imbalances caused by state aid
+ regulating mergers of private firms
+ making it an offence for a business to abuse its dominant market position²

¹ anti-competitive agreements are often referred to as the Chapter I prohibition in the UK or the Article 101 prohibition in the EU

² abuse of a dominant position is often referred to as the Chapter II prohibition in the UK or the Article 102 prohibition in the EU

Competition law remedies available to the FCA

Firm specific remedies

+ Financial penalties — up to 10% of global turnover in the relevant market
+ Varying or cancelling permissions
+ Injunctions

Market level remedies

+ Changing or withdrawing rules and recommending the same to the PRA
+ Issuing general guidance on how the Financial Services and Markets Act 2000 (FSMA) works, rules or FCA functions
+ Recommending the further development of industry self regulation

Market investigation reference to the CMA

+ Referring a market to the CMA for in depth investigation if the FCA considers use of its powers would not be appropriate (e.g. covering non regulated firms)

Undertakings in lieu of a reference

+ Taking no further action in the market for 12 months subject to firms agreeing to change anti-competitive practices

Practical challenges for Post Office Limited

+ Understanding and engaging with wider regulatory bodies
+ The potential impact of new regulators such as the PSR
+ Managing a relationship with the regulator, … of the organisation and their change in supervisory approach
+ Impact on competitors — both regulatory and technological
+ Keeping pace with regulatory change
+ The impact of the FCA’s ‘business as usual’ regulatory agenda
+ The potential impact of new competition powers on strategy and market

Individual Accountability and Potential Extension of the Senior Managers and Certification Regime (SM&CR)

Individual Accountability and Potential Extension of SM&CR — Agenda

1 Background and timeline

2 Scope extension

3 Possible impact on you

4 Individual conduct rules

5 Wider Impact
SM&CR: Background and timeline

Journey to the new regime: PCBS recommendations; legislation enacted; FCA and PRA issue joint Consultation Paper; additional consultation published following industry feedback; Summer 2015; 2016 and beyond

+ June 2013 - Frustrated they were unable to hold individuals accountable for failures during the banking crisis, the Government made a series of recommendations in the PCBS paper ‘Changing banking for good’.
+ December 2013 - Financial Services (Banking Reform) Act 2013 received Royal Assent, providing regulators with the power to implement Government's wishes
+ July 2014 - Regulators publish CP 14/13 to consult on the Senior Manager Regime, Certification Regime and Conduct rules
+ November 2014 - Regulators publish CP 14/31, the technical paper setting out transitional arrangements for implementing the new regime
+ November 2014 - Regulators publish regime for insurers. A similar approach to governance without some of the contentious issues present in the banking sector
+ February 2015 - CP15/5 published setting out regulators' approach to NEDs and the application of the presumption of responsibility to SMs
+ March 2015 - Government announce commencement date for new regime and regulatory roadmap published.
+ March 2015 - Consultation on foreign banks published setting out application of new regime to all UK branches of EEA and non-EEAs
+ May 2015 - CP18/15 published by PRA on corporate governance. This paper is designed to complement the previous publications on individual accountability under SMR and SIMR.
+ June 2015 - PRA PS2/15 and FCA PS 15/16 publish final rules setting out changes to the Remuneration Codes
+ July 2015 - PRA PS16/15 and FCA CP15/22 publish final rules for the Senior Managers and Certification Regimes. CP 15/22 also contains consultation on extending the Certification Regime to wholesale market activities.
+ August 2015 - PRA PS20/15 and FCA FS15/3 included final and near-final rules on the application of the new regimes to UK branches of EEA and non-EEA firms.
+ October 2015 - Bank of England and FS Bill & HMT consultation propose extension of regime to ‘all FS firms’ and remove reverse burden of proof from SMFs
+ February 2016 - Grandfathering arrangements to be communicated to regulators
+ March 2016 - Senior Manager Regime rules come into force
+ March 2017 - Compliance with certification regime complete and conduct rule training rolled out to all relevant staff

Scope extension

+ All regulated firms (including 42,000 consumer credit firms)
+ Algo-traders, asset managers

By ‘the end of 2018’
Why is it being introduced?

+ Enhance personal responsibility for senior managers
+ Effective and proportionate means to raise standards of conduct of key staff
+ Allows for same high level standards to apply across banking
+ Reduce threat to financial stability caused by misconduct of firms
How might this impact you?

+ an approval regime focused on senior management, with requirements on firms to submit robust documentation on the scope of these individuals’ responsibilities
+ … prevent regulatory breaches in their areas of …
+ a requirement on firms to certify as fit and proper any individual who performs a function that could cause significant harm to the firm or its customers, both on recruitment and annually thereafter
+ a power for the regulators to apply enforceable Rules of Conduct to any individual who can impact their respective statutory objectives

Senior Managers and Certification Regime: extension to all FSMA authorised persons, October 2015
Individual conduct rules

Individual conduct rules

+ Rule 1: You must act with integrity
+ Rule 2: You must act with due skill, care and diligence
+ Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators
+ Rule 4: You must pay due regard to the interests of your customer and treat them fairly
+ Rule 5: You must observe proper standards of market conduct

Senior manager conduct rules

+ SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively
+ SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system
+ SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively
+ SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice

The wider impact

accountability
Industry views

Confusing; Challenging; Burdensome; Diverging approaches; Political; Difficult; Taxing; Compliance intensive; Over-engineered; Unknown; Time consuming; Obscure; Prescriptive; Unfair; Risk; Contradictory; Jeopardy; Complicated; Compliance
Culture — Agenda

1 Timeline of regulation

2 Key challenges

3 Assessing culture
Culture regulation
A timeline

+ COSO - Internal Control Integrated Framework, May 13
+ PCBS - Changing banking for good, Jun 13
+ IIA - Effective Internal Audit in the …, Jul 13
+ Banking Standards Review Council — Consultation Feb 14, conclusion May 14
+ FCA — Tackling serious failings in firms, Jun 14
+ PRA - To address serious failings in the culture of firms, Jun 14
+ SM Regime — Strengthening Accountability in banking, Jul 14
+ FRC - Focus on … and Behaviour, Apr Sep 2014
+ ACCA & ESRC — Culture and channelling corporate behaviour, Nov 14
+ FEMR - Final report, Jun 15
+ G30 — Banking Conduct and Culture, Jul 15

Some key challenges

Lack of sustained focus on culture and pragmatic action from boards

Forming and sustaining a culture is a constant process requiring commitment, perseverance, and continuous focus and monitoring by the board and management. Despite increasing regulatory focus, boards have lacked a sustained focus.

Accountability

Many organisations cite accountability as one of their key challenges. Layers of governance have slowed down decision making, added bureaucracy and removed personal responsibility when things go wrong.

Competing and conflicting frameworks

There are often multiple and competing frameworks which can mean the expectations about behaviour are not clear or easy to follow, e.g. ethics, values, leadership standards, code of conduct, behavioural competency models.

Blocking in the middle

Although ‘tone from the top’ has improved, there is a perceived ‘muddle in the middle’ which is impacting the ‘echo from the bottom’ and preventing alignment of behaviour through the organisation.

Emphasis on negative reinforcement and consequences

Approaches that solely seek to monitor and catch ‘bad apples’ lack appreciation of positive reinforcement. Ultimately this can drive a ‘big brother’ or ‘fear’ culture. There should be a balance of both carrot and stick.
You can take tangible action

1 Define your cultural aspirations in line with your strategy

2 Assess your current culture

3 Identify your behavioural priorities

4 Intervene to evolve and align your culture

5 Monitor your progress
Assessing culture

Values and behaviours — Your criteria

Your values and behaviours should articulate your cultural aspiration and should form the basis of your assessment criteria

+ Value 1, e.g. Customer focused
+ Value 2, e.g. Innovate
+ Value 3, e.g. Excellence
+ Value 4, e.g. Respect

Reinforcers — How you drive aligned behaviours

Assessment should also consider the extent to which the values and desired behaviours are being reinforced. The six levers below are how we conceptualise broad categories of behavioural reinforcer

+ Performance mgmt. and reward
+ Leadership action
+ Organisational structure
+ Communication
+ External environment
+ People practices

Techniques — How we assess effectiveness of reinforcers and alignment of actual behaviours

The following techniques and data points are utilised to provide evidence needed to draw conclusions about culture

+ … and interviews
+ KPIs and other metrics
+ Behavioural observations
+ Customer voice testing and tools
+ Big data
The regulator’s view on conduct
The regulator’s view on conduct risk — Agenda

1 What is Conduct Risk?

2 Conduct management framework

3 Industry response to conduct agenda

4 5 conduct questions

5 Client challenges
What is conduct risk?
Continuing, sharper focus on the treatment of customers

“The risk of a firm treating its retail customers unfairly
and delivering inappropriate outcomes”

- FSA guidance consultation for NEDs, Dec 2011

+ Top of the FCA agenda following its inception in April 2013
+ Core reference to fair treatment of customers — Next stage following ‘TCF’ theme
+ Specific focus on risks to customers (rather than the business)
+ Fast becoming a global issue and not simply confined to firms regulated in the UK
Key areas of concern identified

Number of key areas of concern identified by FSA/FCA

1 Generic practices

+ Mis-selling
+ Complexities, bundling
+ Inertia and pressure selling
+ Charging practices
+ Reliance on unfair terms
+ Complaints handling
+ Reward structures
+ Third Party/outsourcing controls
+ Provider/distributor responsibilities

2 Market-specific

+ Payment Protection Insurance
+ Low value products e.g. Card / ID protection
+ Complex products with options/add-ons; use of medical terminology
+ Unfair contract terms and claims declinature
+ Self-certification
+ Interest-only
+ Lending into retirement

3 Product governance

Including —

+ Product design — suitability, complexity, terms
+ Product development, testing and approval
+ Product governance
+ Ongoing review
Conduct — FCA expectations
Pro-active engagement with conduct and market integrity

‘Customer at the heart of the business’

+ Board/senior management lead
+ Robust approach and management framework — With measurement and …
- Risk identification and appetite — All customer touch points
- Active monitoring and remediation/improvement
- Horizon scanning for emerging risks
- Effective oversight and governance
- Delivering good behaviours and customer outcomes
+ Detailed framework — Business-specific
- Appropriate to business and conduct profile
+ market integrity risks

Conduct management framework

+ Conduct strategy and business model
+ Conduct identification and mea…
+ Conduct risk appetite(s) and tolerances
+ Control measures — Po…
+ Conduct monitoring — Metrics, triggers and trends
+ Escalation and issue management
+ Conduct reporting and governance mechanisms
+ Regular review of Conduct arrangements

Conduct management framework
Example overview: ‘What does good look like?’

Active and effective conduct risk governance

+ Engagement, direction and oversight

Conduct governance and control measures

+ C&MI strategy and business model
+ Identification and assessment
+ Appetite(s) and tolerances
+ …
+ Conduct monitoring and MI
+ C&MI escalation and issue mgt

People and cultural drivers

+ Reward and performance mgt
+ Competence
+ Conflicts
+ Communications
+ Other cultural drivers

Conduct Risk touch points — Across all operations, including distribution

Products … Post-sales/services

+ Products, pricing and value
+ Marketing and distribution
+ Complaints and redress
+ Termination/cancellation

Defined customer outcomes
Initial industry response to conduct agenda

Since the FCA published their ‘Journey to the FCA’ paper (October 2012) and the regulator was launched (April 2013), firms, stimulated by early Risk Mitigation Programme (RMP) requirements, made progress in establishing their conduct risk governance arrangements and frameworks. Whilst firms have varying methods and timeframes to embed conduct risk, they have generally used the following steps:

Timeline: 2012, 2013, 2014, 2015

1. Conduct risk understanding and awareness - Initially by senior executives and then cascaded down to mid-management and front line staff (e.g. town halls).

2. Tone at the Top - Management reaffirmed ‘Corporate Values’ or created new ‘Values’.

3. Identification of key risks - Firms started to identify key conduct risks. These were included in a new Conduct Risk Assessment or linked to existing frameworks; e.g. operational risk frameworks, compliance risk assessments, management of conflicts, financial crime tools. The FCA’s response was to remind firms that this was not a compliance exercise and that it needed to be owned by the business.

4. Governance (high-level) - Firms established high-level conduct risk roles (e.g. Head of Conduct Risk) and governance forums (e.g. Conduct Risk Committees) to oversee conduct risks. These governance arrangements often helped firms establish the steps they needed to undertake to focus on conduct; e.g. some firms drafted conduct risk policies and set up new product approval committees.

5. Conduct Risk Frameworks and Monitoring - Firms started designing frameworks to capture and measure the conduct risk applicable to the business. Similarly to compliance risks, conduct risk frameworks typically recorded the impact/likelihood of a conduct risk occurring and the control and design effectiveness of controls in place to mitigate conduct risks.

6. Culture - Firms are considering whether the impact of their culture is driving conduct and customer outcomes. Some firms have performed a review of their culture and identified ‘positive reinforcers’ and cultural traits to focus on.

+ Firms have had mixed experiences in improving their identification, monitoring and managing conduct risk
+ Many firms have self-identified weaknesses to their conduct framework and are taking additional steps.
+ FCA recognises further work is required and have provided additional guidance on their expectations — 5 new conduct questions asked of firms.
5 conduct questions

How do you identify the conduct risks inherent within your business?

Who is responsible for managing the conduct of your business?

What support mechanisms do you have to enable people to improve the conduct of their business or function?

How do the board and executive committees gain oversight of the conduct of the organisation?

Do you have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?
Key client challenges

+ What MI do you use or do you need to create to manage conduct risks?
+ How do you define … ‘conduct risk’?
+ How does conduct risk link to your other risk types e.g. operational, reputation, compliance
+ What do you need to do differently?
+ What is required in a good conduct risk management framework and how do you link it to …
+ Who should be responsible for conduct and associated initiatives?
+ What does ‘putting the customer at the heart of the business’ mean practically for your business?
+ How do you demonstrate that you are managing conduct risks and achieving fair customer outcomes?
Value to your business

The benefits of getting it right:

+ Understanding your business — Greater understanding of impact and risks associated with strategy and business model
+ Decision making — Creating alignment between business decisions and regulatory concerns
+ Senior Management engagement — Increase senior management and business awareness via interview discussions, their review of risk assessment and management information
+ Reputation and brand management — Brand reputation in the UK maintained by overt recognition of regulator philosophy
Outsourcing — Agenda

1 What is outsourcing?

2 SYSC 8 requirements

3 What the regulator wants to see

4 Key challenges
Outsourcing

The FCA defines outsourcing

“An arrangement of any form between a firm and a service provider where the service provider performs a process, a service or an activity, which would otherwise be undertaken by the firm itself.”
SYSC 8: the requirements
Rule: Retain sufficient information to enable regulatory supervision of compliance with regulatory requirements

Guidance: Notify appropriate regulator when intending to instigate a critical or important outsourcing service or activity

Rule: (1) Take reasonable steps to avoid undue additional operational risk in critical outsourcing; (2) Not undertake the outsourcing of important operational functions in such a way as to materially impair the quality of firm's internal control or regulators’ ability to monitor its regulatory compliance

Guidance: Have effective internal controls and processes to identify, manage, monitor and report risks for [...] complexity of the outsourcing

Rule: For intra-group arrangements, firm may take into account the level of control or influence over the service provider

Rule: Outsourcing is critical or important if a defect or failure in its performance would materially impair firm's ability to meet its regulatory obligations or its financial performance or service continuity

Rule: Ensure the respective rights and obligations of firm and service provider are clearly allocated and defined in a written agreement

Rule: (1) Service provider must have ability, capacity and appropriate authorisations; (2) Establish effective methods for supervising service provider; (3) Proper supervision and risk management by service provider; (4) Respond appropriately to service failure; (5) Retain necessary expertise for supervision and management; (6) Service provider must disclose material issues; (7) Ability to terminate without detriment to client service provision; (8) Service provider must co-operate with regulator; (9) Audit and inspection rights for firm, its auditors and regulators; (10) Service provider must protect firm and client confidential information; (11) Firm and service provider must put in place and maintain a [...]

Rule: Critical or important outsourcing does not include advisory services nor non-core services, including legal advice, training, billing services and security of the firm's premises / personnel, purchase of standardised services (including market information and price feeds), and recording and storage of telephone and electronic communications

Rule: [...] delegate responsibility nor must the relationship and obligations towards its clients, or the conditions of its authorisation be altered

Rule: Exercise due skill, care and diligence when entering into, managing or terminating critical or important outsourcing
Outsourcing: What the regulator wants to see
In order to be SYSC 8 compliant, firms need to demonstrate embedded operational policies and procedures to tackle all the actions listed.

Specifically, firms need to evidence effective management control and oversight of all critical or important outsourcing arrangements, including those through group affiliates (both core legal entities and shared service centres).

Key requirements and expected actions

+ Defined board-approved outsourcing risk appetite
+ [...] senior governance body responsible for overseeing and managing outsourcing risk to regulated entities, including approving all new or materially changed critical or important outsourcing
+ Entity specific outsourcing MI and concentration risk metrics
+ Clear definition of ‘outsourcing’ and ‘critical or important’ outsourcing that captures both traditional third party vendors and inter-affiliate arrangements through both off-shore service centres and primary operating entities
+ Inventory of outsourcing and critical or important outsourcing arrangements supporting UK regulated entities that is maintained for completeness and accuracy
+ Robust procedures for risk assessing, identifying and managing new or materially changed critical or important outsourcing arrangements, including material sub-outsourcing and effective ‘perimeter management’ and exit planning
+ [...] critical or important outsourcing arrangements appropriately papered
+ Defined standards for performing and evidencing effective ongoing supervision of critical or important arrangements by appropriately skilled personnel (retained capability)
+ Effective processes for managing the sub-contracting of critical or important outsourcing arrangements
+ Mechanisms for notifying the regulator for all new or materially changed critical or important outsourcing
+ Outsourcing training and awareness for key personnel, including governance body and board members
+ Clear linkage with other associated regulatory areas, including operational risk management and RRP

Key challenges

+ UK risk appetite and tolerance
+ Treatment of inter-affiliate arrangements
+ Legal and supervisory documentation
+ Determining what can and cannot be outsourced
+ Defining and identifying critical outsourcing
+ Material change management
+ Embedding outsourcing risk within operational risk framework
+ Risk assessment tools and methodology
+ Links to resolution planning and operational continuity (CP38/15)
+ UK senior management focus and awareness
+ Embedding effective governance and oversight
+ Ongoing management and monitoring procedures
+ Designing and embedding outsourcing policies and procedures
+ Regulatory Notifications

Other regulatory initiatives

Indicative range of regulatory initiatives

[Diagram of regulatory initiatives; legible labels include Data Protection, Digital Disruption, AMLD4 and Premium finance]

Timing and relevance

+ Crystallised and ongoing issues - Compliance currently required
+ Potential issues firms need to comply with in 2016
+ Potential ‘horizon scanning’ issues for firms to comply with in 2017 or later


This document has been prepared for and only for Post Office Limited in accordance with the terms of our engagement letter dated 17 December 2015 and for no
other purpose. We do not accept or assume any liability or duty of care for any other purpose or to any other person to whom this report is shown or into whose
hands it may come save where expressly agreed by our prior consent in writing

© 2015 PwC LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.