Regulatory and Cultural Changes upon us – [FULL INTERVIEW]

0:02
So hi, everyone. I’m here with Frank Brown today, who’s the director of gr consulting. So we know Frank from a lot of your previous work and all of your speaking particularly around regulatory interactions in the UK market. So, so thanks very much for joining me today. And I thought it’d be great just to find out a little bit about what you’ve been up to. But also, you know, what’s, what’s the latest happening from from a regulatory point of view as well? Yeah. Hi, good to Good to see you again. Yes, it is a as it always is a sort of busy time for firms on a regulatory basis. I mean, the one that is capturing most people’s focus at the moment is consumer duty. And that is perhaps somewhat overshadowed some of the regulation as well, I mean, things like operational resilience, the the the sort of anniversary that passed without comments, really, because people were so focused on the on the consumer duty side of things. And, you know, a lot of challenges with them, certainly, both in the interpretation of the rules, and also in the implementation of the requirements. So just on consumer duty, we’ve got the final implementation day, which like the 31st of July, I mean, I mean, how are you finding the readiness of firms, at least the ones you’ve been speaking to? Because you’ve got wide context across the industry? I mean, has implementation going for most folks, you chat to? You. I’d have to say there are challenges without question. I mean, there are it’s an extra challenge as it is challenges in interpretation. So what does this actually mean for us? What’s in scope? What do we need to do? And equally challenges and implementation? You know, how far down that journey we are? And we had a milestone recently, we had the April milestone recently, which again, seemed to pass without comments were met, the expectation was manufacturers should be passing a lot of detail onto distributors if you had that kind of relationship. And talking to distributors in particular, not a lot of communication from manufacturers. Unfortunately, not, not a lot of information being passed down. What do you think the holdup is? I mean, in terms of like the implementation of it, because it is quite a fundamental change that sort of going through? I mean, what do you think? What’s the holdup? What do people find most difficult? Um,

2:12
there is a degree of I mean, you know, change management and the sort of Kubler Ross journey of, you know, denial, anger, despair, or whatever. And there is still a lot despair normally, yeah, there’s an awful lot of spare. But equally a fair degree still of denial as well. I mean, that sort of hump of, it’s not TCF 2.0. It is different. And we do need to do things differently as perhaps not been sold in effectively within firms, and particularly within operational departments or firms. I mean, again, classic change management, you have to get people to believe a change needs to happen before they will follow you on that journey.

2:59
I mean, it’s definitely coming down the pipe, isn’t it? Sometimes you got almost like feel the flames from the from the fire. That’s all that the train that’s coming towards you before actually things actually happening. But it’s definitely happening. I’m gonna just say the first. The first deadlines passed. I mean, although their most recent deadlines passed, I mean, I mean, it’s an it’s getting nearer and nearer. Do you think it’s a matter of sort of like, there’s going to be a rush to do everything at the end? Or do you think that there’s going to be potentially people who aren’t ready?

3:23
I think without question, there will be a proportion of people who are not ready. Yeah, that is just reality. And I think a lot of firms are

3:34
recognising the fact in themselves and thinking about the sort of triage activities they can be doing between now and July. And,

3:43
you know, back to the sort of despair concept, you know, just because you’re not 100% Ready, doesn’t mean you shouldn’t be charging forward and trying to get as far as you can. I mean, I was on a webinar earlier in the week, and there was there was discussion about consumer duty. And it did seem like there was a readiness, even from the regulators. As long as if you’re making progress, and you’ve actually invested in it, there’s a little bit of sympathy that will there because you’re having that dialogue with them. It’s almost like it feels like the worst thing to do is just pretend it’s not going to happen, and then have done nothing. I mean, that’s that seems like that’s a worst case scenario. But at least if you start and you’re having a dialogue with the FCA, then, you know, you’re starting on that journey. I mean, it’s that kind of a fair observation. Yes. And I mean, if we’re talking about milestones, there was obviously the October milestone as well, which many firms didn’t didn’t reach. And that was the one where the the expectation that the Board should have presented with the plan.

4:37
And if a regulator were coming in on the first of August to look at a firm they would be asking questions about okay, let’s have a look at the plan. Let’s have a look at what what the board were doing, what resources were put against this. And if you had a good plan, you have been working towards it, but just genuinely you’ve not made the progress that you thought you’re going to make that as a degree of mitigation. Hmm.

5:00
conversely, if your plan for October was was fairly shaky, and you haven’t devoted resources, you’ve been focused on that shiny project you always wanted to be doing at the same time as opposed to this, it becomes more challenging

5:16
human interaction that’s kind of going on there isn’t there to certain extent. Yeah, yeah. And, you know, as always, without wishing to say the sky is falling in Oscar people, the regulator has devoted a remarkable amount of resource to consumer duty, you know, you look at the amount of material they’ve put out there, the podcasts, etc, the way they’ve built it into their three year plan. So it would be surprising if they did not use it. Yeah. And in terms of that, that the implementation process, I mean, what are the what are the elements that are probably people finding most difficult to put in there, you got policy changes, you got product changes, you got evidencing that needs to be built. And all of these things need to be built by the by the deadline for implementation, which which bits do you think are the most tricky, and probably the biggest, the biggest struggle that you’ve really got to concentrate on first and think about deeply? I mean, the biggest, I mean, there are many struggles, I suppose the the biggest processes issue is was couple of process issues. One, not fully engaging first line, and not really the first line to drive this. And then too many projects are compliance, led, compliance driven, which just isn’t going to work. These are operational changes you need to make in the business. So that side of things and back to my point around, have you spent that time to convince or educate first line, why this is important. So you got that side of it. A lot of people also not particularly focusing on the cross cutting rules as well. It’s a very sort of, okay, customer understanding outcome, service outcome, etc, etc. But the cross cutting rules are, I always described them as the principle of the principles. Yeah, yeah. You know, if you look at foreseeable harm, I strongly suspect that if when the enforcement’s come down the pike, it is going to be foreseeable harm. Yeah. I, the cross cutting roles was like, the most interesting because you got the sludge practices foreseeable harm, and the kind of it if you look at them, I mean, they’re, they’re interesting. So like, how would that actually then interact with the business? Or how would you do that? And I kind of almost like feel like they’re the, the more complex piece, and it can certainly generate a lot of change, because they’re quite sort of detailed and have a lot of sort of ramifications across multiple processes. Yeah, absolutely. And that and they go to the heart of where the regulator came from. And in the regulator, in many respects, the sort of gestation of this was, was the FCA repeatedly thinking, Oh, for God’s sake, can you just not do that? When they when you create new products, processes, etc, not thinking about the underlying rules, so that that frustration that the regulator was thinking that they were playing whack a mole in the market, when something new happens. So flipping it on its head to you firm must think about the impact of the future, the foreseeable harm for the customer? Yeah, it’s interesting what we were just chatting about the difference between markets before this in terms of like, what would happen if if if we didn’t have the regulation? And what is the impact that regulations potentially had on the business and business processes really, for a good thing into the light? Has it sort of driven us to more digital has driven us to different ways of working, which I think is quite an interesting sort of thought exercise in terms of, yes, I know, there’s a lot to do, but then, you know, has it actually changed our processes for the better even if you look back over the last five years? I’m not sure where you can’t you kind of kind of think of that, because there’s sort of like this, this loop isn’t there between regulation and development, regulation, development, and it’s sort of it does help us push push the business forward in many ways. Yeah. And I often present a sort of utopian scenario to firms have a concept of, you shouldn’t really think about your second line, you should think about operating without a second line in place, your first line people should know the rules know, the regs know the right thing to do and get out. Yes, it is a utopian concept. But if you think about it, in those terms of that’s where the risk driver should be. That’s where the cultural change should be in the organisation with second line third line, just, you know, the guidelines. Yeah.

9:21
Yeah. What’s interesting, it sounds like there’s a lot to do and I suppose and the other topic was originally I talked about was, was operational resilience as well. So I mean, there’s that’s also going on the background which feels like that’s been a little bit under the radar to a certain extent, although we did have the one that you had the first deadline was March 22.

9:39
Yes, much Trinsic came in and then march 23. Obviously, a year in

9:45
I mentioned earlier that you know, the classic bit of sin Cinderella regulation that just not been mentioned at all, by everybody and a significant risks to organisations who are in scope because

9:59
it’s

10:00
Similar to consumer duty, and as perhaps a new trend for the regulator, a very strong focus on the board must review this, the board must own this. So if you think about the linkage with SMCR, you have people in SMF positions who will be potentially challenged on reasonable steps. When the inevitable banking failure happens, it failure happens. So there is an enormous, enormous amount of baked in risk with with operational resilience. I mean, one of the challenges with it is, you don’t realise you need some of the resilience until it actually happens. And then then it’ll be like, Well, why wasn’t this done years ago, right sort of thing. So for example, you have a, an IT breach and it failure or if you have a, you know, a cyber attack, something like that. And it’s only after it happened, then then it comes out as like, well, all of these things needed to be done. I mean, how do you sort of get beyond that sort of making sure that people are doing because we’ve always had BCP plans as far as I suppose. And it’s really just making sure that we’re testing some of those, making sure that they’re robust enough, I would think, yeah, and again, it comes back to the the sort of making it real concepts, I mean,

11:13
boards, with the self assessment documentation boards have effectively done an attestation here to say, you know, my business is in this state, my controls are in this state. And as you say, if you know, if the inevitable failure happens, then the first thing a sensible supervisory team, from the regulator will do will say, Okay, let’s have a look at your self assessment.

11:35
Why did you not think this was an important business service? You know, why did you think that was a reasonable impact tolerance for this? Show me the evidence, show me the the discussions that you had internally, which will be painful, awkward questions. only think about some of the large IETF particularly it outages that we’ve had. So thinking about, like in the airline industry, I mean, not just in the UK, but in other markets around the world, and just how painful that is unhelpful, brand damaging that is as well.

12:07
So as I was looking through the regulation, I mean, part of it was setting tolerance levels. So it felt like that that was done in a more detailed way than you would have done on BCP plans as an example. And it had a lot more rigour around it around BCP plans. And going back to what we were talking about before around, do you need the regulation? I mean, if we don’t have the regulation that becomes best practice? Is it done in the rigour that needs to be feels like this new ready regulation is, is almost like specifying it in a lot more detail in terms of what you need to do to be more resilient?

12:38
How do you start thinking about tolerance levels? How you start thinking about assessing where the risk is, and doing that, and what’s what’s what’s been the guidance around that? I mean, as you say, firms should have done a fairly extensive BCP work before, and you would have had these sort of business impact assessment concepts within that. And even though the regulator would always say, you know, this is not business continuity, effectively, the process is the same, and you shouldn’t be looking at because, you know, business impact assessment is, what’s my important business services? What’s what’s going to happen if it goes wrong? What do I need to do about it? So conceptually, it is the same idea.

13:16
It’s, I mean, in contrast, properly to consumer duty wasn’t as well signposted and guided. The idea that the expectation is that the firm will decide what is an important business service, the firm will decide the impact tolerances, which puts that great onus on the organisation. I mean, how how do you make a larger play within a company to say that this is important to increases visibility, when it’s your time almost like ensuring for something that that may happen? And if you do it well, it won’t happen? And how do you make the business case around that? I mean, avoiding regulation, non compliance is one way of doing it. But I mean, how do you do that, if that is not there, but it does feel like it’s good, good business practice. I mean, the good press business practice point is is very important. And I wrote about this a while ago, before the original regs came out the idea of using the operational resilience as a operational improvement concept, because you look at,

14:17
you know, online banking system goes down on Pay Day, people can’t get cash out the machines. I mean, these are public issues, and issues in the confidence of organisations and people these days can use in banking, as an example, can switch bank accounts pretty quickly. So if you’re not delivering service to customers, it can have it we’ll have a pound notes response. I was reading the regulatory site or the the regulator site. Earlier today. I was in preparation for this. And there was talk around conflict, I mean, particularly around the cyber attacks from potential cyber attacks because of the war in Ukraine. I mean, how do we have to start thinking about some of those larger scale events potentially impacting us as well? I mean, is that something

15:00
We need to factor in are those sort of like out of out of scope? If you look at what’s happened in some of those markets, when they’ve been in the massive impacts, for example, if, if the internet goes down, what do you do? I mean, that’s a, that’s, that’s way bigger than, than, than a single firm. Yeah. And it’s thinking about the risk in a sufficiently broad manner. If you take cyber, for example, I’ve seen an awful lot of plans which have cyber, obviously, the reference cyber but it can be quite narrowly drawn, it can be somebody comes into our system and steal some money concepts, as opposed to we get a you know, denial of service, or ransomware. In particular, there’s somebody comes in and locks down our system, and then we can’t do anything, and we have to pay a ransom. And if you are,

15:46
you know, part of the infrastructure, if you’re, if your service provides services for other companies, etc, etc, then you can be in a situation of, you know, I’ve got nothing else to do but pay up for this, because my business has stopped at this moment in time. So thinking about your risks, and and why and pandemic is a classic example of that we all thought, in our business continuity plans that we would be moving to our second offices. Yeah.

16:15
That didn’t quite work like that. Yeah, I remember that, in the BCP plans, it was we were all shipped off to an office somewhere else. But I mean, if you’ve got no staff, I mean, even now, we’ve got through the pandemic, you know, and it feels like we’re sort of slowly getting back to normal. But if something else happens again, and we can’t go into the office, and let’s say we lose a large portion of our workforce, and that’s that’s kind of a bit of a nightmare scenario, isn’t it you meet but you can build resiliency around that with digital processes, I suppose. Yeah. Yeah. And and, you know, most people did manage to muddle through, but it was probably a lot of luck rather than judgement. You know, an awful lot of things that people ended up doing. Were not in the plans.

16:54
An interesting aside, I suppose, how much do you think these plans, these regulatory changes are impacted by our bias towards optimism? So in business, we tend to be quite biassed towards optimism. So everything will work out? It will, you know,

17:10
we will work through things. And often we do and in fairness we do and a lot of firms did work through that pandemic. And it and it almost feels like when we’re talking about it, it’s like we’re being doom and gloom, talking about, you know, the world is going to fall apart. And this is a disaster scenario that is unlikely to happen, hopefully, because it impact us all. But it’s something we need to think about and be resilient about. And it’s very easy for us and firms to say, well brush that off as being sort of, you know, a doomster and not being optimistic versus being pragmatic and realistic. Do you think that’s Do you think that’s a problem with adoption? I think it’ll be slightly controversial here. But what the hell, I think there is a British trait of Dunkirk spirit. Yeah. And if you sort of actually unpack Dunkirk as the example,

17:57
wouldn’t it be better if you better resourced your expeditionary force and consider what their exit plan was from that campaign you were doing rather than rushing together lots of little boats and doing an incredibly successful rescue. But that wouldn’t be your start point for any journey. So the idea that we can come together and fix a problem if a problem arises, is a common trait and a common issue, as opposed to let’s really think about what could go wrong here and put some controls in place. As we go back to the consumer duty element, do you think that comes down to culture? So certainly, that’s, that’s, that’s our culture to a certain extent, or, you know, human culture or human nature to a certain to a certain extent, but is it a cultural issue that we’ve got to change? And how do we sort of make that change? Because I see it as being not being doom and gloom as much as being pragmatic? And let’s be pragmatic around how we do it and almost like logical around how we do I mean, how do we change that culture in firms? Do you think?

18:54
I mean, again, slightly, you know, when I want to talk about culture, I always use a sort of a slightly Willian concept of culture as a lever of control.

19:05
You know, you need to be framing your culture in terms of the actions you want to achieve without the organisation and the behaviours you want to see, as opposed to all those sort of sunbleached posters on the call centre wall, that were nice to our customers and all the rest of it, and we live our values, that’s great. What does that actually mean in terms of reducing the risk in your organisation? So on, you know, starting from a risk perspective, as we’ve said, and then thinking okay, what levers can I pull? And how is culture part of those levers to pull to achieve these objectives? And how do you go about assessing the culture I mean, I know you do advise your work, but assessing the culture and then putting elements into make actually make those changes because cultural change can be quite difficult. I mean, you know, for for all our trade, I mean, what do you think what’s your usually your recommendation? I mean, in an organisation in anywhere, you know,

20:00
culture is what happens when compliance and senior management are not in the room. So if bats are really appointed, you sort of step back from control and say, if I didn’t have these controls in place, what would be happening in the organisation that should culture at the end of the day, so if you’ve got misselling going on, and the only way you can control Miss selling is a really heavy QA programme, and compliance review and you know, all the calls, then you have a cultural problem

20:29
within the organisation, so, you know, culture is behaviours, it’s not what’s in people’s head it well, yes, but the manifestation of it is in the behaviours. Yeah. And do we do a good job around changing cultures? I mean, because we do see so that you can see very heavy handed kind of compliance programmes that the need to be there to make sure you’re being compliant. I mean, if that’s if that’s if that’s potentially a red flag, or a an indicator, let’s say of, you know, the culture needs to improve, are we doing good job of changing it? Or is it was it was it tends to be difficult, we’re just not at that point of the evolution yet. It is, back to my earlier point, it’s not really opening up the box and thinking what is, you know, what do I want my culture to do in this organisation? Because I mean, most people don’t get up to work in the morning and think I’m going to rip off a lot of customers here. That’s, that’s what I want to do, or they don’t start their journey in the organisation thinking that but due to poor oversight, and particularly due to things like rewards, renumeration, bonuses, they will go down that road. So those are part of your culture, as well. So fixing those elements, but pointing everything in the right direction makes it much easier to start those softer messages of we’re nice to our customers, blah, blah, blah, you know, we do this, we do that. And the challenge is probably accumulation of lots of little, little things, isn’t it rather than one big thing that needs to be done? And I suppose coming back to consumer duty, I mean, this was that’s, that’s kind of the same in terms of processes, isn’t it? I mean, this was like, how do you make the accumulation of lots of different things throughout the process to then get to good customer outcomes? I’d imagine. Yeah, yeah. And, you know, back to the manufacturer or distributor point. I mean, one thing I flagged with firms is the concept of cultural alignment, because as we just articulated there, you know, you think about the culture within your own organisation, and how that can affect outcomes, should you not be having that same conversation with your counterparties as well, I mean, manufacturer or distributor, if you’re not on the same page, culturally, as to organisations, you know, no amount of due diligence or monthly reviews or anything like that, again, to achieve the consumer duty requirements. So when we got the deadline that’s coming in at the end of July, where do you think we go to next from there?

22:49
And imagine that, just pragmatically, there’s going to be a series of reviews that happens after the summer in terms of looking at test testing, make sure that people are compliant or the the has been implemented. But what do you think’s going to happen?

23:02
I mean, the important thing on the firm side is not to take your foot will not take the foot off the gas, because as we said, realistically, an awful lot of people are not going to be ready by July. So keep driving. And also not thinking about it as a deadline, thinking about it as a slightly flowery sort of concepts. But you know, a change of approach, ways of working, embedding this in Bau is going to be the challenge back to our cultural points. This is this is forever, going forward, or should be forever going forward. It’s your new principal, as in the same way, TCF was previously. So that is going to be a big challenge. So do you think there’s measures you can put in place to measure that change of culture or measure the evidencing that that might there might be new measures? To look at that? I mean, is there a way of us measuring the progress that we’ve made in terms of putting it putting it in?

23:59
I mean,

24:01
the, you know, a practical way of doing it as measured by company, customer outcomes. At the end of the day, I mean, that’s the way the regulator’s get to measure it and thinking, I mean, I’ve worked with firms a lot on their own AI and seeing not a lot of great progress on the EMI side. It’s the bottom top bottom down concept, you know, top down is, we’ve got a lot of our mind, let’s just give it to the board. Bottom up is okay, fine. What are the requirements of consumer duty? Therefore, what metrics do we need to establish whether we’re in line with those requirements or not? So building that model, building that change, you’re getting the right term, I both like leading and lagging indicators, qualitative and quantitative indicators, and then capturing it and obviously then giving it to senior management and senior management demonstrating they’re doing something about it. Yeah, that does sound like quite a lot to do.

24:54
I mean, it is I mean, if you go back and look at the finalised guidance and just go through

25:00
The what the regulator was saying, and there was a lot of it, you unpack all the questions and I did this in a spreadsheet for my clients, all the questions they asked in that finalised guidance and just ask yourself as an organisation, would I be comfortable sitting across from the regulator answering those questions? Yeah. So so if you if you’re a firm and so one of the firm’s listen to this, and you really haven’t been up to speed on it yet, I mean, just being honest, when you’re sort of sitting there in a darkened room, being honest with yourself, and you think you got to do more, and the deadlines pressing, what would you say the top five things that you would recommend they need to look at sort of immediately, at least to start to get ready and put yourself in the best position possible for July?

25:41
I would I would start with that, that question list is really useful prompts. So pull the questions out, or come until somebody’s already done it. And, and then just go down that list and say, okay, tick, tick, tick, oops, we haven’t done this gives you a quick, quick and dirty gap analysis of where you are in the organisation. So that kind of have we grasped what consumer duty is for us.

26:07
Second point is just making sure. First line are being fully engaged, and also the first line are on the hook as well. I mean, you know, responsibilities, job descriptions, roles, performance management, making sure this is real for first line, because the classic, what gets measured gets done concept.

26:27
And making sure you’re focusing sufficient resource on this, if you are doing those important commercial projects at the same time, and that is to detriment to your consumer duty plan.

26:39
That is going to that’s potentially going to be a problem for you. Yeah. Okay. So good guidance. And if you look at both of them, what we talked about operational resilience and consumer duty, it feels like the regulators taking an increasingly more interventional type of approach, I suppose in the market. We’ve obviously got to get through the deadline at the end of July. But where do you think it goes from here? I mean, is this the new pattern? I mean, they’re taking a much more involved approach with businesses and how to run your business and making them put in best practice to a certain extent. I mean, what that’s been the challenge, the direction of travel, where do you think we go? I think it is more interventionist. And it is, in some respects, making life easier for the regulator, I mean, I’ve done section one specific skill person work. And when you read those notices, they tend to be focused on breach of principle, as opposed to breach of rule 3.4, to six and whatever. Because that is easier for the regulator, because it’s incredibly hard for anybody to challenge against the principle. So we now have in July, they will be on wrapping up quite a big stick. And quite an easy stick for them to use. Because, again, it’s a principle. It’s thing about foreseeable harm. What does that mean? It means what the regulator thinks it means, at the end of the day, do you think there’s other topics that will be picked on after this? Or do you think it’s just the focus is, let’s go through this first. And before we look at anything else, or it’s going to be circumstantial around how the world evolves. I mean, in the retail space in the consumer space, which they spend a lot of time focusing on, this is their big tent pole, this is the central tent pole. For them, they’re hanging pretty much everything else off that at the moment. So they will be in my view, they will be using this as the driver for most of the regulatory activity going forward. And one last question, I suppose I do have listeners that are outside of the UK? And you know, they might say, well, we’re not we don’t have to worry about this. Right. So what do you do the regulators talk between the different markets? And and if you look at different regulatory regimes, how aligned do they tend to be? I don’t have visibility around that in terms of, and in terms of like, aligning with each other as well? Yeah, I mean, they absolutely do talk and they have sort of College of regulator meetings and all the rest of it. I mean, maybe a slight shift, since Brexit, but certainly with some of the, like, the Australian regulators or the US regulators. There’s, there’s still a fair bit of dialogue and equally with it with obviously, with the European colleagues as well. And they do look at good practice. And I suspect,

29:19
other regulators would probably be looking at this and thinking that seems like a, you know, an efficient way of delivering outcomes. Obviously, that is balanced against commercial realities in jurisdictions. If you take the American jurisdiction, for example, which you mentioned at the start, you know, may be a little bit more entrepreneurial in their outlook, you know, so maybe not something they’ll be adopting, but other other jurisdictions might be looking at. So you might see similar kind of regulations coming in, albeit at different speeds and different markets, but similar kind of flavours, but I suppose it’s, it’s worth thinking around. How do you put these best practices in place now? Because if it does come even if it’s in five years time, then

30:00
and you’ve got the three or five years to basically get ready with some of the basic principles because quick change seems hard, I think. Yeah, and also recognising the commercial impact of this. I mean, there will be some products and some sales practices that you just simply won’t be or shouldn’t do. After July, some flurries, you won’t be able to sell to retail customers prudently after July. So there will be significant commercial impacts. Yeah. Well, Frank, thanks very much for that for the overview. It’s, it’s fascinating. I always love hearing hearing your chat. I mean, just a wealth of experience. So really appreciate it. And it does sound like that. We’ve all got our work cut out for in boxplots. Only a couple of months. Really? Yeah, yeah. I mean, but you know, back to the sort of ending on a positive or ending on a bit of a bit of positive. Do do your best in the time you’ve got left. Yeah, yeah. Okay, Frank. Thanks very much. All right. Thanks a lot. See you later.