For the last two decades banks have adapted to significant and wide-ranging regulatory change. From Basel III and interest rate reforms to individual accountability regimes and responsible lending, the regulatory changes have been significant. These reforms have largely been inward looking, the result of conduct within the financial system.
However, banks are increasingly subject to changing regulation that stems from external threats and events. Scams, cyber risk, consumer vulnerabilities and climate change are all forces that increasingly drive regulatory reform and changes to the expectations on banks. As a result, banks are having to adapt to regimes that are far more expansive, and harder to predict and prepare for, than in the past.
Scams
Online fraud and scams are a growing problem and scammers rely on the banking system to undertake their criminal activity. Because of this, the international response of governments to address scams has included a role for banks. What this role looks like, and the appropriate allocation of responsibility for the resulting customer harm, is a fraught issue – in which different approaches have been taken in different jurisdictions, as we assess below.
Hong Kong
The Hong Kong Monetary Authority (HKMA) has updated its guidance in recent years relating to payment cards, e-banking and bogus phone calls, requiring banks to implement additional security measures and monitoring, and enhance customer communication, education and support. In particular, with regard to unauthorised payment card transactions, banks are expected to take into account the actual circumstances, limitations and practical difficulties faced by the cardholder in protecting himself/herself against frauds and scams, as well as other factors relating to the cardholder, when considering the losses they propose the cardholder to bear. Banks are also expected to adopt a pragmatic and sensitive approach towards cardholders who report unauthorised transactions, be transparent about the investigation process and the results, and provide an appeal mechanism for cardholders.
Over 230 financial institutions and merchant institutions are part of the Anti-Scam Consumer Protection Charter, in which they commit to four key principles to assist the public to guard against credit card scams and other digital frauds, including phishing messages.
Australia
As Australia moves towards the introduction of mandatory industry codes to outline the responsibilities of the private sector in relation to scam activity, the initial focus is on banks, digital communication platforms, and telecommunications providers. Banks in Australia and other jurisdictions will need to understand both their own role (in the whole-of-ecosystem approach needed to combat scams) and how that role fits in with that of other participants. Moreover, they will need to keep up with the ever-evolving modus operandi of scamming operations and learn from what is working well (or not so well) in other jurisdictions. Agility, collaboration and significant investment are needed to navigate the complexity and challenges of this landscape.
Singapore
The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) have introduced the Shared Responsibility Framework to outline how responsibility for certain phishing scam losses which have a “digital” and “clear Singapore” nexus will be shared among relevant stakeholders. Those stakeholders are defined as financial institutions (FIs), such as banks, telcos and consumers.
Key rationales outlined by the MAS and IMDA are to preserve confidence in digital payments and banking in Singapore and to strengthen FIs’ direct accountability to consumers for losses incurred from digital scams where the FIs should assume responsibility.
The main thrust of this framework is embodied in the “waterfall approach”, a multi-layered approach in which the responsible FI is the first layer of accountability: if it has breached any of its stated duties, such as sending outgoing transaction notification alert(s) on a real-time basis, it is expected to compensate the consumer fully for the loss incurred.
The MAS and IMDA proposed this framework after considering the approaches from the UK, EU (Germany and France) and Australia. It is expected to come into effect by this year.
United Kingdom
In the UK, scam activity is on the rise. The Financial Ombudsman Service quarterly report in September 2024 confirmed that “fraud and scam complaints are at their highest ever quarterly level”. According to this report, scam activity is largely focused on online bank transfers.
One response has been to force banks and other payment services firms to reimburse customers. As of 7 October 2024, UK Payment Service Providers (PSPs) will be required to reimburse victims of authorised push payment fraud made under the faster payments system. This new mandatory requirement was introduced by the Payment Systems Regulator (PSR) via a policy statement and a number of legal instruments. The new regime not only protects consumers. It also incentivises PSPs to implement effective fraud prevention measures.
New reimbursement rules have also been introduced by the Bank of England for CHAPS payments from the same date. PSPs participating in CHAPS will be required to reimburse victims of CHAPS scams in accordance with the new PSR requirements.
Cyber risk and operational resilience
The operational resilience of banks and the banking system came into sharp focus with the Covid-19 pandemic. The pandemic brought fresh attention to operational resilience and resulted in international regulatory change. While Covid-19 was an example of external events driving regulatory requirements, the focus of operational resilience has continued to shift.
In 2022, the HKMA introduced significant enhancements to its Supervisory Policy Manual in relation to operational resilience, including a new standalone module OR-2 on operational resilience and updates to modules on operational risk management and on business continuity planning.
Module OR-2 provides guidance on developing a holistic operational resilience framework.
It also highlights the HKMA’s expectations on operational risk management, business continuity planning and testing, third-party dependency management, and information and communication technology (including cyber security). Banks had to develop their operational resilience frameworks and timeline by 31 May 2023, and they must become operationally resilient by 31 May 2026 at the latest.
The HKMA expects senior management of banks to be accountable for operational resilience and sets out detailed guidance on the respective roles of the board and senior management in module OR-2.
In addition, banks are expected to put in place effective cyber defence covering their own operations as well as linkages with third-party service providers. In relation to the latter, the HKMA recently shared sound practices observed from its thematic examinations of banks in 2023. The HKMA noted that, in light of advancements in technology and digitalisation of banking services, banks are placing greater reliance on third-party services, resulting in increased exposure to cyber risks as threat actors target the weakest link in the supply chain of digital banking services.
Similar to Hong Kong, the MAS introduced updated Business Continuity Management Guidelines (BCM Guidelines) in 2022 to enhance operational resilience and incorporated key learnings from the Covid-19 pandemic. Key additions include requirements for FIs to identify their critical business services (for instance, private banking and wealth management for banks) and map interdependencies on people, processes, technology and other resources (including those involving third parties) for each critical business service.
Similar expectations in respect of managing operational risk, including through robust governance arrangements, will take effect in Australia through CPS 230 Operational Risk Management, from 1 July 2025. Banks are currently reviewing their engagements with service providers and considering appropriate uplifts to service contracts, particularly in light of expectations in connection with fourth parties.
In the UK and the EU, the focus is on risks to banks’ operational resilience arising from dependency on third-party providers of critical services (CTPs) – especially information and communication technology (ICT). New regimes are being rolled out which bring CTPs directly within the regulatory universe for the first time. But the approaches are different.
The UK has introduced a new CTP designation regime (under the Financial Services and Markets Act 2023). Service providers designated as “critical” (not licensed) by the UK Government will then be subject to the regulators’ minimum operational resilience standards (covering governance, risk management, technology and cyber resilience), similar to those applying to banks. CTPs would be required to develop and test ‘financial sector continuity playbooks’ to improve their ability to respond to and recover from disruption affecting multiple banks simultaneously. The regime will fully come into effect by the end of 2024.
At the EU level, a similar oversight regime for CTPs has been introduced under the EU Digital Operational Resilience Act. This applies to all types of services, not just ICT. It also imposes extra requirements on EU regulated banks – including, for example, mandatory requirements for contracts with CTPs. Banks and CTPs must comply by January 2025.
Cyber risk is another supervisory priority of the European Central Bank (ECB) for 2024-2026. In July 2024 the ECB tested the responses of 109 banks to cybersecurity incidents. The test will contribute towards the banks’ risk profile evaluations under the ECB Supervisory Review and Evaluation Process.
Digital accessibility for consumers has also been at the heart of recent reforms in the European Union. The recently adopted eIDAS 2 Regulation on digital identity will oblige banks that require strong user authentication (ie, two-factor) for online identification to accept ‘European Digital Identity Wallets’ for this purpose. These are personal digital wallets to be issued through the EU Member States, which will allow EU citizens (and businesses) to identify themselves digitally and present official documents in digital form, with high levels of security. These European Digital Identity Wallets will have to be accepted on a cross-border basis within the EU, with the aim of enabling frictionless access to key online services for EU citizens across all EU Member States.
Product design, distribution and life cycle
The global financial crisis led to increased expectations on banks when extending credit and selling financial products. From responsible lending reform in Australia well over a decade ago, to suitability obligations in Hong Kong and product mis-selling laws in the UK, regulators have shown a significant focus on the selling practices of institutions on a customer-by-customer basis.
More recently, regulatory reforms have required financial institutions to take a step back and put the customer at the heart of product / services design and delivery, end-to-end. The focus is now more on achieving good outcomes for customers, particularly retail.
Banks are facing both law reform requiring changes to their day-to-day processes, and the threat of enforcement action from regulators if implementation is not up to standard. For example, Australia’s corporate regulator has issued more than 85 interim ‘stop orders’ to suspend the issuing of certain financial products, since that country’s design and distribution regime commenced in October 2021. Indonesia’s Financial Services Omnibus Law issued in late 2023 expressly requires financial institutions to design products and services to suit the needs and capabilities of the target consumers.
While regulators continue to be focused on the appropriate design and distribution of products, banks must also be alive to regulatory expectations on their conduct throughout the product life cycle. In Australia, there is a clear focus from the corporate regulator (ASIC) on the treatment of customer hardship during the life of a loan (see, for example, its review of 10 lenders in late 2023 and the ensuing report in May 2024 subtitled: “Lenders fall short in financial hardship support”). From taking measures to identify hardship proactively, to ensuring senior management is engaged with the consumer impact of these situations, ASIC’s expectations in connection with hardship are another illustration of the need for financial institutions to respond capably to events outside their control.
In Hong Kong, the HKMA and the Banking Sector SME Lending Coordination Mechanism introduced a series of measures throughout the pandemic to support small and medium-sized enterprises facing financial hardship and announced further support measures in March 2024. These include, among others, never demanding early repayments from mortgage customers who repay on schedule, supporting customers facing difficulties by being sympathetic in providing suitable credit relief (subject to prudent risk-management principles), and providing convenience to customers to switch lending banks.
In Indonesia, the Financial Services Omnibus Law prohibits financial institutions from carrying out any action that may cause physical and/or psychological disturbance to consumers. Such actions include seizing security assets in public without the consumers’ prior consent or disseminating information regarding the consumers’ failure to meet their payment obligations.
In the UK, it is over a year since the new FCA Consumer Duty, with its high-level outcomes, came into force. It has become the high-water mark of retail banking compliance.
The FCA has since publicised good and poor practice examples to assist firms with achieving the ‘price and value’ outcome.
The FCA also issued a wider Call for Input to gauge the scope for streamlining or replacing other rules now that the Consumer Duty is in place. It is partly motivated by the FCA’s new statutory secondary objective to facilitate the international competitiveness of the UK economy: effective regulation can facilitate innovation and competition. Further reform may follow.
Conclusion
As the scope of regulatory regimes continues to expand, banks that adapt most successfully will be those that are:
Prolegis LLC and Herbert Smith Freehills LLP (www.herbertsmithfreehills.com) are members of a Formal Law Alliance in Singapore marketed as Herbert Smith Freehills Prolegis (https://www.herbertsmithfreehills.com/content/herbert-smith-freehills-prolegis).