Ed Sibley: Central Bank of Ireland's financial regulation functions restructure, relevant issues this year and forthcoming priorities
Address by Mr Ed Sibley, Deputy Governor of the Central Bank of Ireland, at the Association of Compliance Officers of Ireland's (ACOI) annual conference, Dublin, 10 November 2017.
Good morning ladies and gentlemen. I am delighted to be here at the Association of Compliance Officers of Ireland's (ACOI) annual conference. Thank you for the invitation to speak here today1.
It is the second time this year that I have spoken at an ACOI event, which I hope is evidence of how important I consider the role of compliance to be to our mandate of safeguarding the stability of the financial system and protecting consumers.
When I spoke at your event in March2, I covered, among other topics, my expectations of compliance officers. This warrants repeating. My comments today will also cover the recent restructure of the Central Bank's financial regulation functions, a summary of relevant issues arising from our work in 2017, and some of our priorities for 2018.
Central Bank restructuring of Financial Regulation
On the 1 September 2017, the Central Bank's financial regulation function was split into two distinct pillars: prudential regulation and financial conduct.
The restructuring reflects the critical and equal importance of both our financial stability and financial conduct mandates, the ongoing evolution and increasing complexity of Ireland as a financial services centre, and a strengthening of our approach to conduct supervision, over and above our longstanding work on, and commitment to, consumer protection.
The two pillars, led by me as Deputy Governor, Prudential Regulation, and by Derville Rowland as Director General, Financial Conduct, are working as equal partners to drive delivery of our mandate of safeguarding stability and protecting consumers; and that vision of a financial services sector that serves the needs of the economy and its customers over the long term.
The new structural arrangements are designed to enhance how we operate as One Bank, recognising the interlinkages, dependencies and need to challenge each other across financial stability, prudential regulation and financial conduct disciplines. As the Governor of the Central Bank has stated3 "Measures applied to protect consumers range from working to ensure financial stability, through prudential and macro prudential regulation, supervision and enforcement to [provision of] personal financial information."
Approach to Prudential Regulation
Delivery of this vision of financial services in Ireland requires that regulated firms:
- have sufficient financial resources, including under a plausible but severe stress;
- have capitally accretive business models over the long term;
- are well governed, have appropriate cultures, effective risk management and control arrangements in place, which are commensurate with their size, scale and complexity; and
- can recover if they get into difficulty, and if they cannot, are resolvable in an orderly manner without significant externalities or taxpayer costs.
To this end, my number one priority is to ensure that my teams deliver an effective, intrusive, analytical and outcomes-focused approach to supervision. In other words, that we do our job and that we do it well. Our approach will continue to be risk-based and anchored by our PRISM4 supervisory methodology, underpinned by the credible threat of enforcement.
Compliance & Risk Management
There are some obvious similarities between the work of the regulator, and the work of compliance.
- The execution of our work involves risk-based and targeted engagement with firms and sectors, based on consideration of their impact and their risk profile.
- We complete intensive onsite engagements, both firm-specific and thematic, across a broad range of risks.
- We undertake detailed analytical assessments to support and challenge the ongoing supervisory and inspection efforts and identify and guard against the build-up of risk.
- The complexity of our work continues to increase with growing rulebooks, increasing expectations, faster pace of change and more complex business models and organisational structures.
- Our resources are finite, and we cannot look over the shoulder of all activity or transactions - and so need to rely on governance, systems and controls, analysis, sample testing and, ultimately, our own judgement.
- Moreover, it is critical that we focus on the delivery of our core roles and responsibilities, at the same time as being flexible enough to deal with emerging risks and changes that demand our immediate attention.
Bringing risk under control is, perhaps, one of the key factors that distinguishes modern times from the distant past5. Risk management can be a liberating factor, taking the fate of human society out of the control of oracles and soothsayers. As societies moved from uncertainty and prophecy towards informed and calculated risk, this necessitated skilled and dedicated individuals to manage the level of risk in line with risk appetite (implicit or explicit), to provide unambiguous warnings at appropriate junctures, and to call a halt to activities outside of risk appetites before risks crystallised, thus protecting others from negative outcomes.
Compliance and risk management are not often considered as being liberating forces, but this is your lineage. I see the role that you play as part of the second line control functions as crucial, and my expectations of you, and how you do your work, are very high. As compliance leaders, you play an important role in financial stability and consumer protection and as supervisors we are comfortable in saying that we expect a lot from you. Your customers and society more broadly deserve a lot.
In this context, I was pleased to see in the ACOI's own material6a recognition of these responsibilities and their continued evolution. Specifically, that there is a recognition that compliance is expected to cover both conduct and prudential risks and regulations, and that compliance needs to consider wider governance matters - such as the functioning and effectiveness of the board. At the same time, compliance functions typically retain responsibility from a second line of defence perspective on a long list of responsibilities more traditionally associated with compliance - such as conduct of business, data protection, financial crime, conflicts of interest, market abuse, client assets, whistleblowing and so on.
The ACOI also notes that "Compliance Officers are being tasked with Cyber Security risk management responsibilities ---- and utilising their skill sets in the areas of drafting and training personnel in what are often complex and grey areas".
In light of all of the above, I would recognise that there are risks of you being spread too thinly; and the evolution of your responsibilities not being matched by the changes in resource levels and skillsets. And, perhaps this is evidenced by the issues that we continue to see in firms, including in compliance functions. You need to be bold and noisy not only in the identification of risk and issues, but also in your own needs, to serve your businesses and your customers as you need to, and they deserve.
By doing so, you can meet our overriding expectation that the compliance function will support and, where necessary, challenge the board and senior management in driving and demanding a risk-focused culture that delivers sound behaviours throughout the organisation and where customers' interests are to the forefront. In other words, a compliance culture that is not simply about ticking boxes, but rather ensuring regulated firms are doing the right thing in the right way, and considering the spirit as well as the letter of the requirements.
Recent Supervisory Experience
Both domestically and internationally, regulation and supervision of financial services firms continues to evolve. In the 10 years since the onset of the financial crisis, multiple reforms have sought to address the root causes of the crisis and other issues. Indeed, there continues to be reforms of the reforms. We are embedding recent changes (such as Solvency II), and implementing further changes, notably MiFID II7. This undoubtedly causes all of you challenges.
One of the most significant changes locally in the last couple of years has been the expansion of onsite inspections activity, which has deepened considerably in terms of intensity and intrusiveness, starting in banking supervision in late 2014 and extending to insurance and the asset management sector more recently. Our analytical work also continues to be strengthened, again starting in banking supervision post the onset of the crisis.
Through this intrusive supervisory activity, we have unsurprisingly identified issues and concerns. I have also heard complaints about the intrusiveness of supervision. I would have more sympathy for these complaints if we were finding less issues of fundamental importance, or to put it another way, if the boards, senior management, and the first, second and third lines of defence were proving to be more effective, and so demonstrating better that our work was not needed.
In this context, and given my audience today, it is worth sharing some of the common and most serious issues we are seeing today. That is not to be overly critical, and it is important that I am balanced in recognising that there is also much evidence of good work, and effective risk management and compliance functions. Nonetheless, it is important that we all learn from the many issues that continue to be identified, and that we all seek to raise standards proactively. By way of illustration, the most critical issues that we are seeing relating to governance arrangements and compliance functions include:
- In the context of the international nature of the Irish financial services sector, there is a continued overreliance on group policies and a lack of understanding and ownership at the Irish board level of the risks and compliance obligations that are particular to the Irish entity;
- Many of the issues highlighted by recent governance inspections raise serious concerns about board effectiveness in overseeing the activities and risks of the firm, including:
- complying with the Corporate Governance Codes8
- issues in boards' annual assessments of their own performance and effectiveness;
- weaknesses in board oversight including: (i) a lack of evidence of appropriate oversight of key issues (e.g. failure to approve plans, slippage in remediation deadlines); and (ii) inadequate reporting to the board; and
- inadequacies in risk appetite frameworks.
In relation to the compliance function, the key issues relate to:
- incomplete registers of obligations (i.e., the firm not identifying its compliance obligations);
- incomplete compliance mandates (e.g., the PCF Holder i.e. the 'Head of Compliance' role holder, is not the effective Head of Compliance in that he/she only had oversight over certain aspects of compliance rather than the full spectrum of compliance issues);
- immature compliance functions and a lack of awareness, at board and management level, of the universe of compliance obligations, particularly those specific to the Irish entity;
- lack of understanding of, or adherence to, international standards and principles for compliance functions and the Central Bank's Corporate Governance Codes9;
- inadequate compliance monitoring within institutions, including inadequate coverage of prudential compliance matters;
- poor compliance monitoring plans which do not provide details on the objectives, timelines and resource needs to monitor or assess compliance in the institution as a whole; and
- inadequacies in the reporting to the board and / or audit and risk committees.
The long and the short of it is that there is still much more work to be done in many firms to meet minimum regulatory standards and legitimate supervisory expectations. This will obviously continue to be a priority for the Central Bank, to drive further improvements and enhancements in governance and control arrangements, such that they are commensurate with the size, scale and complexity of the business.
I will turn now to other priorities for Prudential Regulation for 2018. We are currently going through our planning process for 2018, as well as developing our longer term strategy for 2019 onwards. While not finalised, it is safe to say that the following areas will feature in our priorities for next year:
Core supervisory activity
As referred to earlier, my number one priority is to ensure that my teams deliver an effective, intrusive, analytical and outcomes-focused approach to supervision. This involves our day to day supervisory team engagement with regulated firms, inspections and analysis - the three core functions of prudential regulation. I will strive to ensure that we continue to improve across these areas. In particular, the material increase in the volume and complexity of data being received by the Bank warrants us to enhance our approach to analysing and using this data.
After CRDIV, BRRD, the implementation of the Single Supervisory Mechanism, and Solvency II, the latest material regulatory change is MiFIDII, which will be implemented on 3 January 2018.
Preparation for the "go live date" is a key priority for the Central Bank. In addition to our own extensive preparations, our engagement with industry to date has entailed a heat-mapping exercise, issuing a questionnaire to firms, providing keynote addresses and participating in industry roundtable events. In this regard, we have presented on different aspects of MiFIDII during the year including investor protection, product governance, transaction reporting and transparency requirement changes which are introduced or significantly enhanced under MiFIDII.
I emphasise the important role that compliance officers play in the asset management sector today. You are well placed to support your firms in progressing preparation for MiFID II, and compliance thereafter. The challenges presented to this sector today demand sufficient time and effort from the compliance functions, by doing this, firms will be able to take advantage of opportunities presented in the future. This will also position you to respond appropriately as we continue our supervisory focus through a programme of full risk assessments and thematic inspections.
Importantly, we will be monitoring MIFID II compliance through our regular supervisory engagement and through focused engagement during the year.
I have outlined the Central Bank's views in relation to Brexit over a number of speeches this year and last.
There are, of course, direct impacts on the existing financial services firms operating in Ireland today, including those who have direct exposure to the UK. Our engagement with firms to date shows that much more work needs to be done to prepare for the plausible scenario of a hard Brexit. Our engagement with incumbent firms will, therefore, continue.
Moreover, we will continue to engage proactively with our European colleagues on the key supervisory and regulatory issues and risks that are associated with Brexit. We have had a high degree of success in influencing the policy and supervisory stances within the European supervisory framework, with the aim of ensuring that we are both operating to European norms and influencing them.
We will continue to prioritise our authorisation activity and continue to deliver on our commitment of being transparent, predictable and consistent in our approach to authorisations and material business changes.
Information technology covers a multitude of activities and risks.
My colleague Gerry Cross, Director of Policy & Risk, addressed this conference last year on the topic of IT and cybersecurity10 and this topic remains high on our list of priorities. The Central Bank will continue to enhance and develop its approach to IT risk. Our supervisory approach and capability has developed considerably in the last few years, and we now have a dedicated IT risk inspection team that will cover all sectors in 2018. While this is still a relatively small team - particularly compared to the resources applied by regulated firms - we are still identifying material issues in too many firms.
Of all the risks facing the financial system in Ireland today, IT resilience and security are still the risks that concern me most. We are ever more dependent on IT, but threats abound, are increasing in complexity and the potential impacts are massive - and could impact on the financial system's ability to deliver its core functions overnight. There is still, therefore, much to be done to increase the resilience and security of IT systems.
Financial innovation / "FinTech" continues to grow in importance and also presents very real threats to incumbent business models. Our approach to, and engagement on, this will be further developed in 2018.
I mentioned data and analytics earlier. As our approach continues to develop and evolve, we must be able to rely on the information receive. We continue to find significant issues regarding the oversight, control and delivery of regulatory returns data. Accurate, timely and verifiable data is a prerequisite for effective analytics and compliance officers have a direct role in ensuring it is provided to the Central Bank. Significant investment is required in information technology and the supporting processes to make sure this is happening.
Outsourcing is a key part of many financial services firms, whether this is to group companies or to third parties and it is clear that there are sizeable benefits to appropriately managed and delivered outsourcing arrangements, including cost savings and increased expertise. However, outsourcing also creates additional risks and with the continued growth of the international dimension to Ireland's financial services industry, including relating to Brexit, the tendency to increase the level of outsourcing is something that we in the Central Bank are very mindful of.
Outsourcing will therefore continue to be a supervisory priority. Building on the work undertaken in recent years, we will be undertaking firm-specific, sector-specific and cross-sector work to obtain a holistic view of the outsourcing landscape and the effectiveness of its management across the Irish financial services sector.
I will conclude here.
Financial services firms are built on the premise of taking risk. But there are wider societal dependencies on the financial system and the services it provides. It is therefore critically important that the financial system works well, and serves the needs of the economy and its customers in a sustainable way over the long-term. As I have referred to in other speeches, and as is evident by recent events, there is a breakdown in trust in many aspects of financial services provision. This is problematic in its own right, but also will cause unnecessary frictions and costs within the system itself.
Compliance functions and other parts of the second and third lines of defence within regulated firms have an important role in play in rebuilding that trust, and in doing so, support and, perhaps counter-intuitively, liberate your firms to be more successful over the long term.
I thank you for your attention.
1 With thanks to Steven Cull for his assistance in preparing my remarks.
2 See The Banking Landscape - Ed Sibley, Director of Credit Institutions Supervision - 14 March 2017.
3 The Role of Financial Regulation in Protecting Consumers - 23 February 2017.
4 The Probability Risk and Impact SysteMTM (PRISMTM) is the Central Bank's risk-based framework for the supervision of regulated firms. It supports our challenging firms, judging the risks they pose to the economy and the consumer and mitigating those risks we judge to be unacceptable. See Introduction to PRISM.
5 See, for example, Bernstein, Peter L. (1996). Against The Gods: The Remarkable Story of Risk.
8 With respect to the appointment of directors and senior management, including assessments of: director independence; conflicts of interest among board members; and suitability of senior management with respect to their knowledge, experience, skill and competence for their roles.
9 For example, Compliance policies and mandates frequently do not reflect Basel Committee on Banking Supervision best practice, as they do not contain information on: (i) measures to ensure the compliance function's independence; (ii) the relationship of compliance with the risk and internal audit functions; (iii) the right to obtain access to information from staff; and (iv) the right to conduct investigations of possible breaches of compliance policy and appoint external experts.
10 IT and cyber security risks facing the Financial Services Sector - 8 November 2016.