Trend Watch - The impact of regulation on risk events
Regulation continues to be a key influencer in the financial services industry and can help firms focus and remediate key issues or challenges within the sector. The influence of regulation has had a significant impact on the total frequency and severity of risk events in 2019, with several firms implementing these changes into their key processes and identifying and combatting undesirable trends within their operational risk event reporting.
In 2019, we observed that the average severity of ‘Treating Customers Fairly’ risk events had progressively fallen from a peak of c. £1.08m in Q2 2019 (driven partly by one firm’s poor communication of paid-up and exit charges on four longstanding pension and endowment products) to £140k in Q4 2019, as culture and conduct continue to appear frequently in board agendas. Furthermore, the UK regulators’ intention to introduce new operational resilience regulation has challenged firms to ensure they can provide continuity of important business services with a key focus on minimising customer detriment. This sentiment inevitably feeds into product design and literature to ensure that all products provided are of benefit to the customer and that the customer has a thorough understanding of the product they are purchasing. Therefore, it is also no surprise that the number of product literature defects events has fallen by more than 50% over the last year as firms continue to place importance on the accuracy of the literature provided, ensuring product suitability, usage and risk and return information is clearly represented. In addition to this, the average severity of ‘Customer Service Failure’ events, which includes failing to meet customer expectations, has fallen considerably from a peak of c. £1.13m in Q2 2019 to £25k in Q4 2019 as firms’ focus on good customer outcomes has expanded beyond the boardroom and into their customer-facing operations.
GDPR was also a major regulatory influencer in 2019 and similar regulation has since been adopted in a number of jurisdictions worldwide. Implemented originally in May 2018, GDPR focused predominately on data protection, privacy and the transfer of personal data outside of the EU and EEA areas. When the regulation was first implemented in 2018, we noticed a considerable peak in the frequency of near miss events as firms ramped up their preparedness for the new regulation. Since then and following a peak in total risk events in Q1 2019, we have observed a steady decline in ‘Data Protection Act’ risk events within the ORIC dataset as firms embed more rigorous controls and processes around data transfer, develop more explicit guidelines, and offer more transparency as to how personal data can be used. And firms are right to be cautious, particularly when the average loss in Q4 2019 was c. £800k as a result of one firm’s failure to obtain consent from an insurance customer before collecting and processing their health data.
As the impacts and lessons learned from the COVID-19 outbreak become more apparent over the coming days and weeks, we will have a clearer understanding as an industry as to where the strengths and weaknesses lie within our respective resilience programmes. This will naturally be an area of focus for the regulator and we may see new regulation over the next couple of years to address some of these weaknesses. The ORIC International dataset continues to capture the latest trends and therefore provides firms with a wealth of information on new and emerging risks which can help to inform risk assessments within your own firm. Therefore, we strongly advise that you continue to monitor the loss data over the next few months with respect to the new COVID-19 outbreak, and ORIC International will provide necessary commentary on any significant changes to the risk profile as and when these are identified.
If you’d like to propose a topic for analysis in next month’s Trend Watch or if you have any questions, please contact Ciaran.