By Rachel Woolley, Global AML Manager, Fenergo
In the 10 years since the global financial crisis, regulatory frameworks around the world have been radically transformed. And although the aim of the overhaul was to improve the resilience of financial institutions and regain investor confidence, it has left many financial organisations grappling with an ever-increasing regulatory burden. With lapses in compliance requirements attracting billions of dollars’ worth of fines, keeping on top of regulatory requirements is proving to be both a cumbersome and costly exercise for financial institutions.
Recent research by Fenergo found that since 2008, $27 billion in fines have been levied against financial institutions worldwide, predominantly for failure to comply with Anti-Money Laundering (AML), Know Your Customer (KYC) and sanctions regulations.
In 2015 alone, the most punitive year for fines, a massive $11.52 billion was levied against financial institutions around the world.
Interestingly, although the number of fines is declining, the value is increasing. Global financial institutions have experienced stiff regulatory scrutiny with regard to their AML and counter-terrorism financing controls over the past 10 years. This is clearly reflected in the significant monetary penalties that have been imposed worldwide for violations against AML, KYC and sanctions rules.
Considering the 2015 fines, the US accounted for 91% of all AML, KYC and sanctions fines by monetary amount globally, and the highest penalty of $8.9 billion was issued by the US Department of Justice. Sanctions violations accounted for 20% of enforcement penalties issued globally. In order to combat the risk of being hit with increasingly excessive fines, financial institutions are now spending between $900 million and $1.3 billion on financial crime compliance every year.
Regulation in 2019 and beyond
With no regulatory let-up in sight, 2019-2020 has already proven to be a busy year in terms of regulatory priorities, with a continued focus on data privacy, OTC derivatives reform and cybersecurity. Europe is preparing for the impact of Brexit, while also still working through the transposition of the Fourth EU Money Laundering Directive and the fast-approaching deadline to transpose the Fifth Directive by January 2020.
A number of key deadlines came into effect in 2018, including the introduction of the Markets in Financial Instruments Directive II (MiFID II), a new regulation making the legal entity identifier (LEI) mandatory for transaction reporting, and the implementation of the General Data Protection Regulation (GDPR), which was introduced to modernise and harmonise data protection legislation across Europe.
GDPR’s Impact for 2019-2020
Europe set the stage for data protection rules when GDPR came into effect last year. The regulation required a huge amount of preparatory work from organisations globally as it doesn’t just impact European organisations – it also imposes extra-territorial obligations on many firms if they have an establishment in the EU or if they offer goods or services, or monitor the activities of data subjects, within the EU. There are common threads that will run through any organisation’s approach to GDPR compliance that may help when preparing for data protection and privacy requirements in other jurisdictions. Approaches will depend on the nature, scale and complexity of the business, and the quantity and sensitivity of data they process, among other factors, but all organisations should take a ‘privacy by design and default’ approach to data protection.
In 2019, the European Union is focusing on REFIT (regulatory fitness), which means reviewing its current book of legislation, particularly with regard to reporting measures. Continued development of the Capital Markets Union and securitisation supervision have been called out by the European Securities and Markets Authority (ESMA) as key regulatory priorities. There will also be an increased focus on governance and culture, with increased emphasis on accountability, which will result in senior managers being held personally responsible for breaches and failures of a firm and its staff. This also applies to retail and wholesale misconduct risks.
The European Banking Authority (EBA) is due to publish final guidelines on internal governance this year. Outsourcing is an area that has also been highlighted by several European regulators, specifically outsourcing IT security and IT risk. The EBA has formulated draft guidelines around outsourcing, with a view to ensuring that only reliable service providers are employed, so that all regulatory compliance requirements are adhered to.
Anti-Money Laundering and Client Due Diligence
Over the past year, there have been a lot of changes to AML legislation within Europe. Despite the fact that the Fourth EU Money Laundering Directive, which is designed to strengthen the EU’s defences against money laundering and terrorist financing, is long past its implementation date, a number of countries still haven’t formally transposed this rule into law.
To date, the EU Commission has issued a number of reasoned opinions and letters of formal notice to Member States that have not fully transposed the requirements of the Fourth EU Money Laundering Directive. Despite this, the transposition deadline for the Fifth EU Money Laundering Directive is now less than a year away with Member States required to transpose the Directive by January 20, 2020. Hot on its heels, the Sixth AML Directive was adopted in October 2018 and must also be transposed by Member States by December 3, 2020.
This year marks 10 years since the G20 commitment to reform OTC derivative markets in response to the financial crisis. Initial margin requirements are being introduced in a phased approach globally. September 2018 was the most recent deadline (becoming applicable for Phase 3 entities), bringing a larger number of counterparties into scope.
OTC reform will have some key impacts on EU regulation this year. Notably, the Securities Financing Transaction Regulation (SFTR) – the reporting obligation for investment firms and financial institutions – is expected to come into effect in Q3 2020 (following the European Commission’s extension of the scrutiny period of the RTS by three months). There are also set to be additional changes under global investor protection in Switzerland, by January 2020, with the introduction of the Financial Services Act (FinSA) and the Financial Institutions Act (FinIA).
Data Privacy and Data Protection
The final draft of the ePrivacy Regulation remains to be published. The regulation is intended to increase the effectiveness and level of protection for privacy and personal data in electronic communications. Meanwhile, the final version of the regulation on a framework for the free flow of non-personal information, known as the fifth freedom of the European Union, was published in November 2018 and will be directly applicable from May 2019. The regulation will, among other rules, prohibit non-personal data localisation and will complement rather than overlap the requirements of GDPR.
As we move ahead in 2019, it’s clear that financial institutions continue to operate in an uncertain and demanding regulatory environment. Although the pace of regulatory reform has slowed in Europe, geopolitical factors, such as Brexit, combined with new regulatory priorities and ongoing supervision will increase the regulatory burden for global organisations. Enhancing industry culture and conduct will be a key supervisory priority for the year ahead across many regions, with a focus on individual accountability, OTC reform and data protection.