Deloitte makes regulatory predictions for 2018
Chris Hamblin, Editor, London, 6 December 2017
In its Financial Markets Regulatory Outlook for 2018, the accountancy firm of Deloitte predicts plenty of trouble for financial firms as they struggle to comply with the tidal wave of European Union legislation next year. It also detects a growing regulatory trend towards the protection of vulnerable customers and prescriptions for business models.
Deloitte, rather myopically, refers to the last few years as the 'post-crisis' era, claiming that "the post-crisis regulatory framework is yet to hit steady-state, particularly on the prudential side of things." It also believes that in compliance terms the financial services industry is close to "maximum operational stretch."
Many regulatory deadlines loom for financial institutions in the European Union in 2018, notably in January for the Benchmarks Regulation, the Markets in Financial Instruments Directive or MiFID II, the Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation, and the second Payment Services Directive or PSD II; in February for the Insurance Distribution Directive or IDD; and in May for the General Data Protection Directive, the GDPR.
Two-thirds of the buy-side firms that Deloitte interviewed in late 2017, with total assets under management of US$6.1 trillion, said that they were generally implementing parts of MiFID II on time but also had 'tactical overruns' built into their plans. Firms are finding the GDPR daunting and their problems with the IDD are such that the EU is coming under intense pressure to delay next year's deadline until October. There is some respite for benchmark administrators because many will be able to rely on transitional arrangements for authorisations, which the European Securities and Markets Authority says will keep going until 2020. Deloitte thinks that firms should co-ordinate their efforts to comply with the GDPR and PSD II.
The accounting giant echoes the ambivalent attitude that many commentators have about the impending failure of many firms to observe these deadlines on time and in their entirety: "Firms should not assume that regulators and supervisors will refrain from early use of enforcement powers across all regulations that go live in 2018, notwithstanding indications from a small number of regulators that they will adopt a pragmatic approach to early post-implementation supervision of MiFID II." It notes that the British Financial Conduct Authority has said that it has “no intention of taking enforcement action against firms for not meeting all MiFID II requirements straight away” as long as firms make their best efforts. Danish and Finnish regulators, it adds, also sympathise with the problems of implementation and want to be pragmatic in the early stages, but other national regulators in the EU have not been forthcoming about their intentions towards MiFID II.
Among buy-side firms, i.e. the investors, who analyse investment opportunities and decide to buy or sell investments, Deloitte divined that all firms were having trouble with regulatory interpretation and that this was holding up their attempts to comply; 12.5% found 'resourcing' an obstacle; nobody thought that budgetary considerations were a problem; the management of timelines plagued more than one-third of them; half were being held up by the complexity of the business; and one-half complained about the availability of the right software.
The start of the open banking era
Open banking refers to the use of open application programming interfaces or APIs that allow third-party developers to build applications and services around a financial institution, often using open source technology to achieve it. Open banking is intended to shake up the payments market by requiring banks to provide 'third-party providers' or TPPs with customers’ transactional data and access to customers' accounts to make payments on their customers’ behalf. Deloitte expects this revolution to get off to a slow start while several regulatory questions remain to be answered. Most banks, it concludes, will embrace the European Union's second Payment Services Directive to help them 'digitalise' their operations. Regulatory uncertainty will remain a problem and will slow down the development and adoption of new services. The accountancy firm does believe, however, that banks will come together to set up a common communication standard for the market. Areas of high priority for regulators, meanwhile, will include the reporting (to regulators and investors) of information about transactions, 'best execution,' the protection of investors from various ills, the rights of investors to know more about costs and charges, and data protection.
The accountancy firm also warns firms that they will not only have to badger customers for information from time to time in order to comply with the product governance rules and the suitability and appropriateness regime of the EU's Markets in Financial Instruments Directive or MiFID II; they will also have to pass on 'enhanced disclosures' to them (under MiFID II and PRIIPs), and ask for their approval to keep data (under the GDPR). The more integrated and streamlined they make these processes, the better the customer’s view of them will be.
The supervisory spotlight on business models
Supervisors, according to Deloitte, will expect the board and senior management team of each financial firm to demonstrate tangible improvements in the quality of debates and discussions they have about business strategy and its riskiness and the quality of data that supports that debate. Business strategy will become an important lens through which supervisors will view the competence and effectiveness of the board and senior managers.
Product ranges, Deloitte expects, will be scaled back in response to tougher product governance requirements on complex products, and distribution networks (particularly for insurance broking) may diminish in some countries as smaller intermediaries struggle with the gathering weight of regulation.
Supervisors are not in the business of directing firms’ business strategies or models but the insights they have gained through business model analysis are leading them to challenge firms extensively on these fronts.
Vulnerable customers
The United States have long led the way in using regulators to protect HNW investors - especially elderly investors - who are vulnerable to the machinations of unscrupulous advisors and firms. This is now becoming a regulatory priority in the wider world. Through its Committee on Retail Investors, IOSCO (the International Organisation of Securities Commissions) is examining the vulnerability of older investors in 27 jurisdictions and bringing together examples of best practice. In the UK, as readers know, the FCA has expressed a general concern that older people’s financial services needs are not being fully met, resulting in exclusion, poor customer outcomes and potential harm. In Holland, supervisory concern has arisen over interest-only mortgages and EIOPA, the centralised EU insurance regulator, wants to ensure that the 'digitisation' of products and services and the increasing use of customer profiling does not cause trouble.
Cyber-risk and resilience
Deloitte notes in passing that 2018 will see regulators, most notably the Bank of England and the European Central Bank, issue a range of new standards for cyber-security in financial services, building on earlier pilot studies that tested 'resilience' and expanding into newer areas such as the sharing of intelligence about various threats. European banking supervisors will increasingly alight on this-or-that firm to root out any problems it may have in detecting or managing cyber risks. Fines and even capital charges are in the offing. Insurance supervisors will spend more time trying to detect risks that might arise from cyber insurance underwriting.