Cyber risk in financial firms is a key concern – Central Bank Guidance

14/9/2016

Yesterday (13 September), the Central Bank issued, through its Policy & Risk Directorate, Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks.

The Directorate falls under the leadership of Gerry Cross.  A short video about the Central Bank’s thinking on the topic was released in conjunction with the Guidance – see the YouTube channel. While it’s great to see the Central Bank embrace the use of social media, it seems to have a long way to go to have this recognised - at the end of the day on 14 September there had been only 131 views of the video.  That is quite remarkable given that the Central Bank regulates about 10,000 financial service providers and funds in Ireland and protects directly and indirectly a population of 4.8 million.

The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability.

Given that information technology is now at the heart of the supply of financial services and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, their governance and management must improve to reflect this reality.


Summary of Central Bank inspection findings:

  • Alignment between firms’ IT strategy and the overall business strategy is weak. IT capabilities are not matched to the business ambitions.
  • Firms are not taking a holistic view of IT risks across the business, which results in poor identification, monitoring and mitigation of IT risks.
  • Shortcomings in IT risk assessment and identification with many firms not maintaining comprehensive IT risk registers and risk identification being backward rather than forward looking.
  • Older technology supporting key business operations and requiring significant resources and/or investment to manage associated risks.
  • Non-existent or inadequate data classification frameworks and policies.
  • Staff not sufficiently trained on cybersecurity risks.
  • Ineffective firewall management/inadequate intrusion detection processes with weak IT security monitoring.
  • Deficiencies in governance of IT related outsourcing including a lack of thorough due diligence on prospective service providers, poorly documented/constructed outsourcing agreements and inadequate monitoring of service delivery.
  • Inadequate and untested disaster recovery and business continuity plans.


Expectations of the Regulator

The Central Bank expects that:

  • Boards and Senior Management of regulated firms fully recognise their responsibilities for these issues and put them among their top priorities.
  • Firms must robustly address key issues such as alignment of IT and business strategy, outsourcing risk, change management, cybersecurity, incident response, disaster recovery and business continuity. 
  • Firms make sure that they understand these risks and that they are managed effectively. 

The Central Bank's supervisory engagement will reflect the new Guidance when it assesses firms.

Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms.  These advancements have resulted in benefits for firms and their customers.  However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”  

“The Central Bank is demanding increased effectiveness in this area.  We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.”

So what’s in the Guidance? 

Here’s the table of contents:
  • Executive Summary
  • Purpose
  • Background
  • Supervisory Issues Identified To Date.
  • Next Steps.

1. GOVERNANCE
  • Board of Directors and Senior Management Oversight of IT and Cybersecurity Risks 
  • IT Specific Governance.
2. RISK MANAGEMENT 
  • IT Risk Management Framework 
  • IT Disaster Recovery and Business Continuity Planning 
  • IT Change Management

3. CYBERSECURITY

4. OUTSOURCING OF IT SYSTEMS AND SERVICES

  • Appendix 1: Glossary
  • Appendix 2: Key International Guidance for Firms

If you need to know more or wish to discuss, please contact Peter Oakes at [email protected] / +353872731434.  Peter Oakes is a board director of regulated firms which too must implement this Guidance; he is a former Director of Enforcement at the Central Bank and works cross-industry in financial services in London and Dublin.


Central Bank of Ireland - Fintech Speech, Bernard Sheridan, Director of Consumer Protection: European Tech Summit 5 May 2016

5/5/2016

This is the full speech given by Bernard Sheridan.

Introduction

I would like to thank the Financial Services Innovation Centre here in Cork for inviting me to speak at this event this morning.  Technological innovation in the financial sector has undoubtedly been happening for some time but over the last couple of years the impact of Fintech is becoming more evident in the scale and pace of change taking place in what would have been viewed as the traditional retail financial services marketplace.   As I was preparing for today I was struck by the growing and significant level of interest there is in Fintech developments across a wide variety of sources including international regulatory bodies which I think is a clear sign of things to come and of interest to both regulated and non-regulated Fintech firms.

When the body responsible for promoting international financial stability becomes interested in a development then everyone should sit up and take notice.  The Chair of the Financial Stability Board (FSB), Mark Carney, recently announced that global regulators are evaluating potential stability implications that emerging financial technology poses to the global financial system including:

“systemic implications of financial technology innovations and the systemic risks that may arise from operational disruptions”.

And the European Commission is also taking an active interest in the changing face of financial services and, in particular the impact of digitalisation, as reflected in its Green Paper on Retail Financial Services published late last year.  The Commission remarked that:

“the retail financial services sector is experiencing significant change as it is affected by digitalisation. New business models are emerging: online-only providers and technology companies are entering the market, offering services (within Member States and sometimes cross-border) including electronic money transfers, intermediation in online payments, financial data aggregation, peer-to-peer funding and price comparison.”

Steven Maijoor, the head of the pan-European body for insurance supervisors known as EIOPA, also addressed the challenges of financial innovation at the launch of its discussion paper on automated advice when he said:

“financial innovation is important and, at its best, contributes to economic growth. However, this can only be achieved and sustained where consumers have confidence in such innovations. Our role as European Supervisory Authorities is to monitor new financial activities and to take action where appropriate.”

Here in Ireland, the Central Bank’s Strategic Plan identifies one of the key external environmental factors as the increased risks arising from technological developments and the increased reliance on information technology by regulated firms, their customers and suppliers.  The Central Bank has also highlighted cyber risk as one of the key emerging threats to regulated firms and potentially across sectors.  However the increased reliance by firms on information technology and systems to deliver products and services means the impact of a cyber-attack on the service provided is potentially much greater.  Our Consumer Protection Outlook Report published in February also highlights financial innovations as a key consumer risk area:

“more firms are moving increasingly towards delivery of services through online and mobile channels.  This is particularly noticeable in banking and payments services but also in other sectors including insurance and investment advice.  The consumer benefits of accessibility and convenience must be matched by service reliability, safety and security, and transparency of cost of services”

So what is behind this mounting interest now in Fintech and its impact?  I believe there is a growing realisation of the significant disruptive nature of new technologies in mainstream retail financial services.  Fintech is transcending traditional boundaries and borders, not just physical but also regulatory as it blurs the lines between regulated and unregulated activities.  As new technologies change the everyday provision and delivery of financial services for consumers and firms, it becomes more challenging for regulators to monitor what is going on as the regulatory rulebooks and supervisory tools struggle to keep pace with developments.  There is uncertainty around the wider long-term impact and implications of Fintech and with uncertainty comes increased risks - and with increased risks comes an increased interest in the Fintech space by global bodies such as FSB and others.

It is within this evolving and dynamic financial innovation context that I am making my remarks to you today and, in particular, outlining how the Central Bank is exercising its consumer protection role in response to the challenges, opportunities and risks presented by Fintech.

Consumer protection and the Central Bank

The Central Bank has a statutory objective of effective regulation of financial service providers and markets, while ensuring that the best interests of consumers are protected. Regulated firms must meet financial soundness rules as well as fitness and probity standards for their senior executives.  They must have appropriate internal governance and controls to ensure they are properly run and importantly must ensure that they treat their customers fairly and ensure that any customer money and assets are securely held.  We carry out our role in an increasingly European context and as members of the three European Supervisory Authorities (ESAs) for banking, insurance and markets.  Our consumer protection objectives are based on the need to ensure that consumers are treated fairly and with respect and dignity by firms, and that firms act in their consumers’ best interests in all that they do. 

We deliver on our consumer protection mandate under three broad functions of gatekeeper/authorising firms and people, policy maker/influencer ensuring the framework is fit for purpose and, finally, as supervisor and enforcer of the rules and standards.    As the financial system context and landscape evolves, so too does our approach to how we carry out these functions.  The disruptive impact of financial innovation is also clearly impacting on our risk priorities and the way we do our work across all three functional areas.

Considering that the mission statement of the Central Bank is “Safeguarding Stability – Protecting Consumers” it should not be surprising that our focus, in ensuring that the consumer protection framework is fit for current and future purpose, is largely based on risks - risks to the system, risks to the firms which operate within it and which are regulated by us and, of course, risks to consumers.  Fintech certainly has the potential to bring many benefits for firms and consumers and the framework should protect the consumer’s best interest and enable the management of additional and new risks by firms while not stifling innovation or damaging consumers’ trust and confidence in financial services.

It is certainly a challenge and one that we are responding to in a strategic and balanced way.  By way of illustration, I would like to briefly outline a few areas where Fintech and innovation are impacting on our consumer protection work including (1) the monitoring of consumer risks, (2) authorisation process for new firms, (3) new product development and (4) how we are changing our approach to assessing consumer risks in firms.

1. Monitoring of emerging risks

In the context of our consumer protection mandate it is important that we monitor current and emerging consumer risks arising from the rapidly changing face of financial services, products and business models.  In order to inform and provide an evidence-based approach to our work, we undertake consumer research and significant market monitoring through our engagement with stakeholders including the Financial Services Ombudsman and the Competition and Consumer Protection Commission as well as analysing data submitted by regulated firms.

For example, we will shortly be publishing our research on consumer complaints.  We have found that traditional channels for making and handling complaints, such as face-to-face or telephone, are the most popular among consumers. Consumers also cited a knowledgeable and experienced point of contact within the firm as one of the most important aspects when going through the firm’s complaints process.   When we delved deeper in our consumer focus groups, we found that people are “time poor” and would welcome a more convenient and less time consuming complaints process including an appropriate online channel as part of the overall formal complaints handling process and supported by knowledgeable staff.  This presents a real challenge as to how innovation can be utilised better to marry the two consumer needs i.e. having a convenient and easy to use complaints process while at the same time enabling interaction with an experienced member of staff to resolve complaints in a fair, timely and transparent way.

The Central Bank also undertakes regular social media monitoring and gathers intelligence from platforms such as social media sites, public discussion fora and media sources in order to gain an insight into and keep abreast of current issues being raised by consumers. Availability of service, charges and security of new payment methods, as well as customer service dissatisfaction regarding the quality of automated support services and the lack of human interaction, are regularly raised by consumers.  These public fora bring greater transparency and provide a “real-time” voice for consumers on their financial services experiences.  They require firms to be alert, responsive, open to feedback and willing to listen and act as a result of issues raised on social platforms.

In a broader European context the issues of consumer data and automated advice are receiving greater regulatory attention, particularly with the recognition of consumer data as an important and valuable asset within firms.  As part of its mandate to monitor new and existing financial activities, the European Banking Authority (EBA) is examining firms’ innovative uses of consumer data and will publish a discussion paper on the topic.   The EBA’s discussion paper presents a real opportunity for all interested parties to have an open and structured debate on the benefits and risks of firms’ innovative uses of consumer data.

The impact of financial innovation is also having a disrupting effect on the provision of financial advice with more and more firms automating advice to consumers.  The ESAs noted this increased automation in their discussion paper published in December 2015 and highlighted some of the potential benefits (wider access, lower cost, more consistent consumer experience) as well as potential risks (consumers’ understanding of the nature of the service, limitations or errors in the tools or algorithms used).  The ESAs are now considering what, if any, specific regulatory or supervisory actions should be taken to mitigate consumer risk in automated advice.  Consumers place a great trust in firms that they are working in their best interests and I believe firms need to live up to that expectation and demonstrate that they are acting in the interests of all consumers including those who are more vulnerable.

2. Authorisation Process

Not all Fintech activity requires an authorisation from the Central Bank.  However for those specific areas of financial activity where the legislation requires providers to be authorised by the Bank, we look to see that applicants clearly demonstrate to us that they have met our required standards and will continue to do so post-authorisation. The payment and electronic money sector is one area where, as gatekeeper, the impact of new innovations is particularly evident, reflected in the growing range of business models, advances in technology and the emergence of new firms seeking to bring new products and services to the market.  In 2015 we enhanced our authorisation process for payment institutions and e-money institutions based on three key principles:

  • Accessibility – potential applicants have the option of an initial meeting with us to discuss the application process thus enabling them to submit the required information during their formal application
  • Transparency – applicants have a clear understanding of how their application is progressing through the various stages of the authorisation process and further information required to assess the application
  • Timelines – applicants have greater certainty on when a decision will be made in line with the specific timelines clearly outlined from the outset of the process.


Our role is not to act as advisors to potential applicants seeking authorisation but rather to provide clarity and certainty to all applicants by responding to them in an open and facilitative way while maintaining the robustness of our approach to determining what firms should be authorised. Full details of these Authorisation Processes are available in the Financial Regulation section of our Website.

3. New Product Development

 Developments taking place at the European level will impact greatly on how firms design, develop, sell and review their financial products.  From 2017 new guidelines will be in place for banks and payment institutions in the first instance, which will be followed by other sectors over time.  These guidelines will be a key part of the overall consumer protection framework placing responsibilities on firms to demonstrate that their products are delivering the best outcomes for consumers throughout their life cycle from product development to their launch and sales.  Product oversight and governance arrangements will be an integral part of the firm’s governance, risk management and internal control framework requiring firms, amongst other things, to identify the target market, test products before launch, monitor how the product is performing and take remedial action where problems arise.  Product testing will be required to enable the firm to “assess how the product would affect its consumers under a wide range of scenarios, including stressed scenarios”.  Product monitoring will be required on an on-going basis.

I believe these guidelines will really strengthen the consumer protection framework and the way we supervise firms.  There is a clear opportunity for firms seeking to meet these new product guidelines to adopt new financial innovations and technologies particularly in relation to product testing and monitoring – and no doubt beyond!

4. Assessing Consumer Protection Risks

 Finally, financial innovation is also impacting directly on our evolving supervisory approach.  We are currently developing our Consumer Protection Risk Assessment supervisory model, a key part of which is an assessment of how firms are utilising technology to support their consumer risk management including:

  • how systems are used to alert firms to emerging and existing consumer risks through exception reporting, reporting on breaches and near misses, complaints analysis and employee performance management;
  • how firms consider consumer risk management and reporting when developing new systems;
  • the maturity of firms’ analytics techniques in terms of identifying and escalating emerging and crystallised consumer risks.

From a supervisory perspective, the Central Bank is seeking to influence a positive consumer-focused culture in firms where consumer risk is managed alongside other risks and where the focus from the top of the organisation to the frontline is on getting it right for consumers – acting quickly on identified risks and effectively fixing things when they do go wrong.  Technological innovation can enable firms to deliver an effective internal consumer protection risk model and management information and support the delivery of suitable products and services.

Future Challenges

I’ve outlined to you the context within which Fintech is providing innovation and, as a consequence, causing disruption in the traditional retail financial services marketplace. I’ve also shared with you my view that these innovations can bring positive benefits to consumers and firms when managed and delivered within a strong consumer-focused culture, but equally recognise that they can also present consumer protection risks that need to be managed and mitigated.  There is a step change in the regulatory interest in Fintech developments both at home and at an international level.   As those of us working in this field continue to strive to enhance the consumer protection framework it is important that we manage, but do not stifle, financial innovations that help to deliver better outcomes for consumers in the short and longer term.

I’d like to conclude today by providing some of my views on how we can ensure that new technologies and service and product innovations are channelled effectively to deliver for consumers.  I believe there is potential for: 

(i) a greater level of engagement between innovators, innovation centres such as the Financial Services Innovation Centre and regulators so that we can all be better informed and involved in helping avoid the crystallisation of consumer protection risks in new innovations.  Gatherings, such as this one today, are a good example of the benefits of engagement and networking;

(ii) at a firm level, there is an opportunity for Fintech to play a bigger part in developing products and services that help support regulated firms in monitoring and managing consumer risks.  Although it is early days, we have seen some progress being made across a number of banks and insurers in developing their internal consumer risk frameworks;

(iii) at the product level, Fintech can bring forward innovative solutions for firms seeking to deliver suitable consumer-focused products and services and support firms meeting their regulatory requirements in  product oversight and governance;

(iv) and finally, at the consumer level, Fintech can help deal with the issue of product complexity and the increasing difficulties that consumers are having in understanding financial products and services.  Fintech can also bring forward solutions to the challenge of how to satisfy the consumers’ appetite for more convenient and efficient ways to do their financial business, with their continuing need for human interaction when it comes to customer services, particularly for more vulnerable consumers.  

Conclusion

Fintech is now an established part of how financial services are delivered to consumers across the banking, payment and wider financial system.  How we approach our work is impacted by the changing financial services landscape - naturally as a regulator with responsibility for consumer protection our focus is on the risks posed to consumers alongside those risks posed to firms and the wider financial system.  While it is not possible or realistic for us to be ahead of every innovation, it is essential that our focus is firmly on ensuring that the appropriate framework is in place to ensure that innovation develops in a manner that ensures the best interests of consumers are protected.  There is an exciting opportunity for Fintech firms to contribute in a positive way to protecting consumers and enabling greater access and availability of financial products and services.  We all can and must play our part in ensuring that innovation and consumer protection are closely aligned and, above all, that we are continuously focused on  getting it right for the consumer.



Cyber Security Presentation on Regulatory Expectations of Non-Executive Directors & their relationship with Chief Risk Officers, Peter Oakes, Fintech Ireland

26/4/2016

On Monday 25th April 2016 I gave a presentation to the attendees of the Cyber Security Exchange FS.

Click here for the slides. 

Any comments or feedback to [email protected]

We are speaking at many events in Ireland and overseas. And we are contributing to numerous articles on the topics of fintech, regtech, banking, payments, insurance, investment management innovation, marketplaces, e-commerce and regulation.  If you would like to discuss us contributing, please contact us at [email protected].


    Author

    Fintech Ireland

©Fintech Ireland and ©Fintech.  Fintech Ireland (523657) and Fintech (523656) are registered with the Companies Registration Office in Ireland
www.fintechireland.com / www.fintechireland.ie / www.irishfintech.ie / www.irishfintech.com / www.fintechcareers.ie