News round-up: September/October 2021

Climate stress tests will shift focus of banks and insurers

Banks and insurers around the world are likely to face mandatory climate-related stress tests in the next two to three years as supervisors become increasingly aware of the urgent need to gauge the risks caused by climate change, according to Fitch Ratings.

Regulatory stress testing is expanding fast, led by supervisors in jurisdictions with a clear focus on environmental policies, such as the EU and the UK. The tests announced so far will not test capital adequacy, but may require companies to look more closely at whether they need to hold more capital to cover potential losses from climate-change risks, Fitch warned.

In the longer term, the ratings agency said that it expects climate stress tests to feed into prudential capital requirements. It predicted that increasing numbers of banks and insurers are likely to start shifting their balance sheets away from some of the sectors most exposed to climate-change risks, such as manufacturing, electricity, construction, transport and real estate.

In a separate survey conducted by big four consultancy EY, researchers found that climate change was ranked as the most important long-term risk for banks. 


Firms doubt bribery compliance 

Risk consultancy Kroll’s 2021 Anti-Bribery and Corruption Benchmarking Report has found that 90 per cent of the companies who responded to its survey expect bribery and corruption risks to increase, or to remain the same, as last year. Just over half (51 per cent) rated their organisation’s anti-bribery/anti-corruption programme as “highly effective”. 

When the findings were broken down into regions, more respondents in the US and Canada expressed the highest level of confidence in their anti-bribery/anti-corruption compliance than anywhere else (66 per cent). In comparison, European respondents were far less positive, with only 40 per cent saying they were fully confident in their anti-bribery/anti-corruption compliance.

The survey highlights current trends in third-party risk management, including evolving challenges around enhanced due diligence, the rise of automation and the increasing incorporation of environmental, social and governance (ESG) matters into compliance programmes.

When asked about their due diligence processes when taking on new third-party suppliers, 22 per cent of respondents listed data security as their greatest threat. Other concerns were costs (19 per cent) and “lack of knowledge” (18 per cent).


New framework seeks to assess cyber security culture

A framework and survey to classify cyber security culture and systematically measure results has been developed by cyber security education company Infosec. It is intended to help organisations turn this security variable into a data-driven element in their cyber security strategy.

The developers said they designed the framework to help organisations judge the level of cyber security awareness among their employees and departments. This, in turn, should also help to highlight any areas of concern. 


Over half of UK businesses have ransomware payout policies

More than half (54 per cent) of UK businesses now have a defined policy in place to deal with ransomware attacks – whether this means paying a ransom, relying on insurance policies or refusing to pay at all – according to research by business continuity IT firm Databarracks.

When asked whether their organisation had a policy for paying out after a ransomware attack, 21 per cent of respondents said that their policy is to never pay a ransom; 14 per cent said they will pay a ransom if it is lower than the cost to recover systems; 13 per cent said they will pay if the ransom is covered by their cyber insurance policy; and 6 per cent said they will pay only as a last resort if there is no other way to recover their lost data. 


Sharp rise in financial crime compliance costs in 2020

Projected costs for financial crime compliance among financial services companies worldwide reached nearly $214bn last year – an increase from $180.9bn in 2019.

According to LexisNexis Risk Solutions’ Global True Cost of Compliance 2020 report, the biggest increases in compliance costs were in Europe, particularly in Germany, and in the US. European financial crime compliance spending accounted for $150.6bn of the total, while the US and Canada accounted for $42bn.

Customer risk profiling, sanctions screening, regulatory reporting, identifying politically exposed persons (PEPs), Know Your Customer (KYC) requirements for opening new accounts, and efficient alerts resolution were all similarly ranked by respondents as key challenges. 


Governance metrics lag in ESG reporting

Analysis of the world’s biggest companies’ environmental, social and governance (ESG) reporting has revealed that governance metrics comprised just 8 per cent of all referenced metrics across industries, according to new research by consultancy Gartner.

Gartner’s analysis of S&P 500 companies found that ESG reporting in many formats is becoming standard –for example, 89 per cent of companies issued reports that addressed the impacts of environmental and climate change. However, while 47 per cent of organisations issued formal reports on organisational governance, actual metrics for tracking progress within governance-related topics, such as executive pay and pay equity, made up just 8 per cent of total ESG metrics. 


Mothballed sites and zombies top risk list

The top short-term risk for companies is the immediate danger posed by bringing mothballed facilities back into operation after lockdowns, according to Swiss Re’s SONAR 2021 report into emerging risks. The researchers found that missed inspections and delayed maintenance significantly increase the risk of larger accidents as operations resume at oil refineries, chemical plants, mines and power plants. The second biggest threat is financially risky “zombie” companies – unviable firms that stayed afloat because of Covid-19 support and which may quickly go bankrupt once pandemic relief ends.

Looking further ahead, the report considers the threats caused by climate change and those related to increasing human-machine interactions as being the key risks that companies need to be aware of and to mitigate. 


Cyber security and risk teams increase levels of collaboration

Collaboration between IT or cyber security teams and risk management functions has increased over the past year, fuelled by increased budgets and heightened fears of data breaches, according to research by risk and compliance specialist NAVEX Global. 

It found that three-quarters of the companies it surveyed reported increased levels of collaboration between IT security and enterprise risk management over the past year.

Furthermore, nearly all the companies it surveyed (95 per cent) included cyber security within their overall integrated risk management (IRM) approach. 


FCA warns banks about ongoing AML weaknesses

The Financial Conduct Authority (FCA) has issued a warning to retail banks about continuing weaknesses and failings surrounding their financial crime controls.

The key control weaknesses outlined in the FCA’s “Dear CEO” letter included governance and oversight; risk assessments; due diligence; transaction monitoring; and suspicious activity reporting (SARS).

The regulator informed banks that they should complete a gap analysis of each of the identified weaknesses and take prompt and reasonable steps to resolve them by 17 September this year.

The banks were also told that they must work proactively and collaboratively with the FCA and other regulatory bodies to ensure they are onboarding customers and reporting information correctly, and complying accurately with existing regulations and industry recommendations. 


FRC issues ESG guidance

The UK’s corporate governance regulator, the Financial Reporting Council (FRC), has published a paper setting out how companies’ environmental, social and governance (ESG) reporting should – and could – be improved.

The FRC is concerned that, as regulations change (not just in the UK, but also internationally), so too will the quality and consistency of reporting on ESG matters.

To tackle this problem, it has proposed a series of measures that it believes companies could benefit from. 

In particular, the FRC told companies that there needs to be better:

  • Production of ESG data
  • Audit and assurance to assess whether the reported information is robust and reliable
  • Distribution of ESG information so that it is made accessible to interested parties;
  • Consumption to ensure that ESG information leads to better decision-making by stakeholders
  • Supervision so that information and activity is appropriately monitored and requirements are enforced
  • Regulation – it said that coordinated and coherent regulation will lead to improvementsin efficiency. 

This article was first published in September 2021.