Cost Of Compliance 2018: Outsourcing, Cyber Resilience, Data Protection And GDPR

The survey is now in its ninth year and generated responses from more than 800 senior compliance practitioners worldwide, representing global systemically important financial institutions (G-SIFIs), banks, insurers, broker-dealers and asset managers. As with all previous years, the report builds on annual surveys of similar respondents and, where relevant, highlights year-on-year and regional trends.


Continuing the trend from 2016, when the question on outsourcing was first introduced to the survey, almost a quarter (24 percent) of all firms still outsource all or part of their compliance functionality.

In line with previous years, the top three reasons for outsourcing have remained relatively consistent year on year:

– need for additional assurance on compliance processes;

– lack of in-house compliance skills; and

– cost.

Regionally, there are some wide disparities. More than a fifth (21 percent) of firms in the United Kingdom, Continental Europe and Canada, and 20 percent of firms in Asia, outsource all or part of their compliance functionality, compared with 42 percent of firms in the United States.

Of potential concern is the continued need to outsource activities to supplement a lack of in-house compliance skills. There is no substitute for having the appropriately skilled compliance resources. One area where firms and their compliance officers may be seeking to bridge a skills gap is to deal with evolving technology, notably in the shape of fintech developments and regtech solutions. While it is encouraging that compliance functions have recognised any skills gap, firms need to keep the balance between in-house expertise and any outsourcing under review. It is critical that firms continue to invest in all aspects of their risk and compliance infrastructure, an essential part of which is the skills of the compliance function.

No matter what the reason, the golden rule for successful outsourcing is that while activities can be moved to a different group, company, or a third party, the skills to manage those activities must be retained in-house. This may be less obvious in an intra-group outsourcing scenario, but for a separate legal entity with a separate licence, it is essential. Equally, if there is a branch or other structure involved, then the firm needs to consider the efficacy of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.


Technology affects the role of the compliance function in a number of ways, not least of which is the need to assess cyber resilience. Overall, expected compliance involvement with assessing cyber resilience fell somewhat in 2018 (43 percent in 2018; 48 percent in 2017 and 2016). The decrease could be associated with other areas picking up more of the work or perhaps the use of outsourcing. It would be a matter of concern if the decrease was due to a lack of required resources.

In June 2017, the UK FCA published an update to its cyber resilience advice and its expectations, such that firms should be aware of the threat, able to defend themselves effectively and respond proportionately to cyber events. As part of the advice, the FCA quoted statistics to illustrate the increasing threat from cyber attacks, perhaps the most startling of which was the 1,700 percent increase in the number of attacks reported to the regulator since 2014.

What was previously often seen as simply an IT concern has become an important part of risk and compliance functions’ role. The FCA has stated that its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”.

The FCA expectations on effective cyber security practices include:

– Managing the risk, in particular by having an accurate and up-to-date picture of all information held, together with an understanding of why that information is retained.

– Encryption is critical and all sensitive data must be identified as such and protected.

– Disaster recovery plans must be in place and tested with the ability to back up critical systems and data as and when required.

– Network and computer security must be kept up-to-date with all “patches” applied as soon as is feasible.

– User and device credentials need to be fit-for-purpose, with all staff required to use strong passwords and the default administrator credentials changed on all devices.

– Training and awareness are an essential part of good cyber security, with the “people factor” considered an integral part of the approach to cyber resilience.

– Consideration to be given to gaining a recognised accreditation to improve firm-wide cyber security.

– Sharing threat information with peers through approved networks.

The FCA is all too aware of the sheer breadth of cyber issues facing firms, with more than half of UK businesses reported to have been hit by ransomware attacks. The expectation is that firms should seek to put all reasonable measures in place to protect against this particularly prevalent form of attack. There is no single type of ransomware attack, but whichever form of ransomware is used, all will seek to prevent a firm or an individual from using their IT systems and will ask for something (usually payment of a ransom) to be done before access will be restored. There is no guarantee that paying the ransom or doing what the ransomware attacker demands will restore full access to all IT systems, data or files.

Many firms have found that critical files, often containing client data, have been encrypted as part of an attack and large amounts of money demanded for restoration. Encryption is in this instance used as a weapon and it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key, which is deliberately withheld by the cyber attackers.


The new data privacy requirements are deliberately international in their reach and the UK Information Commissioner’s Office (ICO) has been a leading policymaker in translating the EU General Data Protection Regulation (GDPR) into practical guidance for firms. An important area for consideration is the core concept of “consent”, which is one of the six lawful bases (or conditions) for processing personal information. The definition and role of consent remains similar to that under the previous requirements but the new law contains more detail and codifies existing guidance and good practice.

In May 2018, the ICO published its final guidance on consent, which is structured as a series of questions: what is new, why is consent important, when is consent appropriate, what is valid consent and, finally, how should firms obtain, manage and record consent?

The GDPR sets a deliberately high standard for consent with the expectation that firms will have clear opt-in methods, good records and simple, easy-to-access ways for people to withdraw consent. The changes reflect a more dynamic concept of consent as an organic, continuing and actively managed choice rather than a simple one-off tick box.

The ICO has highlighted a number of changes, particularly with regard to the practicalities of consent mechanisms, including:

– Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.

– Active opt-in: pre-ticked opt-in boxes are invalid. Firms should use unticked opt-in boxes or similar active opt-in methods (e.g., a binary choice given equal prominence).

– Granular: give distinct options to consent separately to different types of processing wherever appropriate.

– Named: the organisation and any other third-party controllers who will be relying on the consent should be named. If a firm is relying on consent obtained by someone else, it should ensure it was specifically named in the consent request: categories of third-party organisations will not be enough to give valid consent under the GDPR.

– Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

– Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means firms need to have simple and effective withdrawal mechanisms in place.

– No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller. This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible.

For firms, getting the approach to consent right is a fundamental element of data protection. Under the GDPR, the requirements and the penalties for getting things wrong will be enhanced. It is a measure of the central nature of consents that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to 20 million euros, or 4 percent of total worldwide annual turnover, whichever is higher.

It is not just the size of the possible monetary sanctions that firms need to consider. The ICO is to be given expanded powers of investigation and enforcement which will enable it to have greater (and quicker) rights of access, as well as a wider range of available sanctions, including the ability to stop an entity from processing data.

Consent is not a one-off. The ICO is recommending the consideration of an automatic refresh of consent at “appropriate intervals”. The interval will depend on the particular context, including people’s expectations, whether or not the firm is already in regular contact with the person concerned, and how disruptive repeated consent requests would be to the individual. The ICO has stated that “if in doubt, we recommend you consider refreshing consent every two years”.

Consents need to be specific and granular and so the records equally need to be specific and granular to evidence exactly what the consent covers. The ICO has made it clear that firms will be expected to have an audit trail of how and when consent was given, together with the ability to provide evidence if challenged. Firms will need to keep the evidence for as long as they are still processing based on the consent, so they can demonstrate compliance on a continuing basis with accountability obligations. Good records are also seen as helping firms to monitor and refresh consent as appropriate.

The ICO has stipulated that firms must keep good records that demonstrate:

– Who consented: the name of the individual or other identifier (e.g., online user name, session ID).

– When they consented: a copy of a dated document, or online records that include a timestamp; or, for oral consent, a note of the time and date which was made at the time of the conversation.

– What they were told at the time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy or other privacy information, including version numbers and dates matching the date consent was given. If consent was given orally, firms’ records should include a copy of the script used at that time.

– How they consented: for written consent, a copy of the relevant document or data capture form. If consent was given online, firms’ records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, firms should keep a note of this made at the time of the conversation. It does not need to be a full record of the conversation.

– Whether they have withdrawn consent, and if so, when.

The full report is available for download.

Authors: Stacey English, Susannah Hammond

Source: Reuters
