Corporates Regulatory Readiness Series - Edition 2
Corporates Regulatory Readiness Series Edition 2 – Preparing you for upcoming regulatory and compliance developments
*Corporates* **Regulatory Readiness**
Edition 2 – February 2021
Times of crisis often prompt change and transformation, as we saw with the global financial crisis of 2008-09 and most recently, the COVID-19 pandemic.
Building resilience in a digital world
Some changes are instant, as governments, institutions and individuals seek to manage the short-term impact of a crisis, while others are slower to materialise, but represent a more permanent shift. In this latest edition of Regulatory Readiness for corporate treasurers, Standard Chartered explores some of the fundamental changes in attitude towards risk, responsibility and opportunity, and how regulators are responding.
In 2009, with the most immediate impact of the global financial crisis still fresh in corporate memory, the Basel Committee on Banking Supervision introduced Basel III (or the Third Basel Accord) to strengthen regulation, supervision and risk management in the banking sector, and provide greater assurance and confidence to corporate and institutional clients. Since then, the Committee has continued to refine the regulation, which are now being finalised in the form of Basel IV (or Basel 3.1). Although the new rules will not take effect until January 2023, treasurers should consult with their banks early to understand the implications, particularly in areas such as trade finance. You can find out more about Basel IV here.
A major shift we have seen over the past decade is the drive towards e-commerce, with consumers and businesses alike embracing new ways to communicate, do business and consume products and services. As a result, we all now demand a convenient, instant experience when we engage or transact online.
Both driving and responding to this trend, we have seen the emergence of financial technology companies (fintechs), which have contributed to a very different payments landscape to that of a decade ago. This has led to a blurring of lines between the services traditionally offered by banks and those of non-bank players. By introducing the new rules, regulators aim to increase competition and innovation in banking services. These aim to give greater choice and protection to consumers, and greater flexibility in how corporations connect with, source data and exchange transactions with banking partners and third-party payment gateways. Find out more about open banking here.
The massive growth we have seen in e-commerce and new payment opportunities are facets of the broader shift towards digitisation. This has increased dramatically since the start of the COVID-19 pandemic, with a shift to remote working and an acceleration in the adoption of digital tools and business models resulting from an extended period of social restrictions. Likewise, however, the increase in digitisation has proved an opportunity for cybercriminals to step up their activities, exploiting new working practices, business models and human anxieties. To help organisations of all sizes protect their assets and data, staff and clients, regulators are introducing measures to help businesses protect core applications and networks, ensure resilience, and put in place response and recovery plans. You can find out more about measures to help defend against cybersecurity risks here.
These primers are just one part of Standard Chartered’s toolkit to help corporations of all sizes to understand and mitigate their changing risks, identify and leverage new digital opportunities, and build robust digital infrastructures that enable them to be agile and resilient during good times and bad. Please don’t hesitate to contact your relationship manager for more information. You can also learn more about some of the main regulations impacting treasury and what you need to consider to prepare for them through our Regulatory Readiness series here.
Global Head of Transaction Banking
The massive growth we have seen in e-commerce and new payment opportunities are facets of the broader shift towards digitisation.
This material has been prepared by one or more members of SC Group, where “SC Group” refers to Standard Chartered Bank and each of its holding companies, subsidiaries, related corporations, affiliates, representative and branch offices in any jurisdiction, and their respective directors, officers, employees and/or any persons connected with them. Standard Chartered Bank is authorised by the United Kingdom’s Prudential Regulation Authority and regulated by the United Kingdom’s Financial Conduct Authority and Prudential Regulation Authority. This material is not research material and does not represent the views of the Standard Chartered research department. This material has been produced for reference and is not independent research or a research recommendation and should therefore not be relied upon as such. It is not directed at Retail Clients in the European Economic Area as defined by Directive 2004/39/EC. It has not been prepared in accordance with legal requirements designed to promote the independence of investment research and is not subject to any prohibition on dealing ahead of the dissemination of investment research. This material is for information and discussion purposes only and does not constitute an invitation, recommendation or offer to subscribe for or purchase any of the products or services mentioned or to enter into any transaction. The information herein is not intended to be used as a general guide to investing and does not constitute investment advice or as a source of any specific investment recommendations as it has not been prepared with regard to the specific investment objectives, financial situation or particular needs of any particular person. Information contained herein is subject to change at any time without notice, and has been obtained from sources believed to be reliable. Some of the information herein may have been obtained from public sources and while SC Group believes such information to be reliable, SC Group has not independently verified the information. Any opinions or views of third parties expressed in this material are those of the third parties identified, and not of SC Group. While all reasonable care has been taken in preparing this material, SC Group makes no representation or warranty as to its accuracy or completeness, and no responsibility or liability is accepted for any errors of fact, omission or for any opinion expressed herein. The members of SC Group may not have the necessary licenses to provide services or offer products in all countries, and/or such provision of services or offer of products may be subject to the regulatory requirements of each jurisdiction, and you should check with your relationship manager or usual contact. You are advised to exercise your own independent judgment (with the advice of your professional advisers as necessary) with respect to the risks and consequences of any matter contained herein. SC Group expressly disclaims any liability and responsibility whether arising in tort or contract or otherwise for any damage or losses you may suffer from your use of or reliance of the information contained herein. This material is not independent of the trading strategies or positions of the members of SC Group. It is possible, and you should assume, that members of SC Group may have material interests in one or more of the financial instruments mentioned herein. If specific companies are mentioned in this material, members of SC Group may at times seek to do business with the companies covered in this material; hold a position in, or have economic exposure to, such companies; and/or invest in the financial products issued by these companies. Further, members of SC Group may be involved in activities such as dealing in, holding, acting as market makers or performing financial or advisory services in relation to any of the products referred to in this material. Accordingly, SC Group may have conflicts of interest that may affect the objectivity of this material. You may wish to refer to the incorporation details of Standard Chartered PLC, Standard Chartered Bank and their subsidiaries at http://www.sc.com/en/incorporation-details.html.
This material is not for distribution to any person to which, or any jurisdiction in which, its distribution would be prohibited.
© Copyright 2020 Standard Chartered Bank. All rights reserved. All copyrights subsisting and arising out of these materials belong to Standard Chartered Bank and may not be reproduced, distributed, amended, modified, adapted, transmitted in any form, or translated in any way without the prior written consent of Standard Chartered Bank.
Opening access to banking data and payments
Opening access to banking data and payments
In the past, banks effectively ‘owned’ their customers’ data, and controlled the way that this data could be accessed.
The regulatory recap
Opening access to banking data
Under new regulations, notably the Open Banking Standard in the UK and the Second Payment Services Directive (PSD2) in the European Union, this is no longer the case. Since January 2018, banking data has been accessible directly by customers or regulated third parties acting with their consent. This means that corporations and individuals are now able to access their data and initiate transactions in the manner and timing of their choice.
The move towards open banking marks a major change in the payments industry. By introducing the new rules, regulators aim to increase competition and innovation in banking services and ensure that both banks and fintechs offering payment services are subject to the same regulations.
For corporations, these regulations will ultimately give greater choice and flexibility in how they source data, connect and transact with banking partners and third-party payment gateways. The use of application programming interfaces (APIs) underpins open banking. These enable developers to embed third party data and services, such as banking services, directly into their applications.
Scope, scale, and structure
Global momentum towards open banking
PSD2 applies in all EU member states, and the Open Banking Standard in the UK. In addition, open banking regulations have been introduced in jurisdictions such as Australia, Hong Kong, India and Singapore. In the UK, there were 267 regulated open banking providers in July 2020, comprising 77 banks and 190 third parties, of which 87 had at least one live solution in operation1. Digital banks such as Monzo (UK), Starling (UK), N26 (Germany) and Fidor (Germany) have emerged strongly, as well as digital lenders such as Klarna (Sweden).
As well as aiming to increase convenience and choice for consumers and businesses, open banking regulations are a response to changing business models, and in particular the rise of e-commerce. Increasingly, business is conducted in real-time, with the expectation of immediate fulfilment. Instant payment is integral to the success of e-commerce business models, which has led to the rise of new payment methods such as PayPal, ApplePay, Alipay and WeChat, as well as instant national payment schemes.
These support a real-time experience, but with the rise of new players, and new ways of conducting business, these regulations provide greater security for electronic payments and protection of financial data.
Instant payment is integral to the success of e-commerce business models, which has led to the rise of new payment methods such as PayPal, ApplePay, Alipay and WeChat, as well as instant national payment schemes.
Building the blueprint for your business
Leveraging open banking in your business
For companies with significant e-commerce activities, particularly across borders or in multiple jurisdictions, the use of APIs, often in conjunction with other bank services, can simplify the exchange of data and transactions. This enables greater interoperability through the use of standards, implementation of rigorous authentication mechanisms and bespoke capabilities.
Most open banking initiatives to date have been targeted at consumers; however, the next 12-24 months could see significant developments in areas such as multi-bank connectivity and cross-border commerce, whether for accessing data or initiating transactions. Open banking creates the opportunity for treasurers and finance managers to develop their strategic, as opposed to transactional role within their organisations.
Many large multinational corporations have a mature bank connectivity strategy, such as using SWIFT to connect with their banking partners. However, treasurers are increasingly looking for ways to exchange data more frequently and consistently with their banks and third-party payment gateways, including in real-time. By doing so, they can consolidate data from multiple banks to provide a 360-degree view of their cash position to manage ‘just in time’ liquidity, risk and working capital more effectively. In addition, treasurers should also be looking at where points of friction or omission exist, such as lags in information flows and ‘nuisance’ accounts that are not included in existing connectivity strategies and discussing with their banks and third-party providers how APIs might resolve these issues.
For companies with significant e-commerce activities, particularly across borders or in multiple jurisdictions, the use of APIs, often in conjunction with other bank services, can simplify the exchange of data and transactions. This enables greater interoperability through the use of standards, implementation of rigorous authentication mechanisms and bespoke capabilities. For example, companies operating internationally, and selling in local currency, have to deal with the resulting currency exposure. By using APIs for connectivity, companies can access instant FX rates on transactions and convert the funds to an operating currency, avoiding FX risk and minimising the administrative effort of managing or transferring foreign currency balances.
Building the blueprint for the industry
Promoting collaboration for innovation
Open banking will create radical change, and prompt innovative ways to use artificial intelligence (AI), machine learning and robotic process automation to streamline, automation and build greater insight into payments and data processing and analytics.
On one hand, open banking creates new opportunities for third parties, such as fintechs, to ‘own’ customer relationships, potentially increasing already strong competition and disintermediating existing bank relationships and services. However, fintechs will also be subject to more regulation than in the past, offering better protection for customers, but also creating a more level playing field with banks. Therefore, just as regulated fintechs are eligible to deliver more digital banking services, so too can banks.
Many corporate clients have expressed security concerns about working with a wider range of less familiar vendors, and prefer to deal with a trusted bank to lead on new solutions. Consequently, at Standard Chartered, we are partnering with pioneering fintechs to develop new value propositions that directly meet the evolving needs of our customers.
Ultimately, while many open banking initiatives have focused first on retail and commercial banking clients, corporate and institutional clients are ultimately seeking the same level of ease, convenience and speed, which will drive further solutions and new business propositions.
Championing change with Standard Chartered
Open banking expertise across our network
We are excited about the opportunities that open banking creates both for our clients and the bank and we are working with clients to leverage these opportunities, such as intraday reporting and balance transfers. We have introduced digital-only banking services in nine African countries in 2018 – 2019, and ramped up digital banking services in other jurisdictions. In Hong Kong, we launched Mox, a new virtual bank, with plans too to launch a similar enterprise in Singapore. Through our aXess platform, we offer open access to our APIs, applications and libraries to our clients, partners and fintechs to promote and co-create innovative banking services that support our clients’ digital connectivity ambitions.
Many of our existing solutions already follow the direction of open banking, reflected in our partnership with SAP Ariba, which allows clients to connect with multiple banks directly from the SAP Ariba platform. Our APIs are now widely used, particularly in Asia Pacific. Although initial interest was from digital and e-commerce clients, we are now seeing considerable take-up from a wide range of industries, such as insurance, auto, FMCG, amongst others, for instant policies and distributor incentive programmes. Our New Payment Method (NPM) solution offers a single channel to connect with multiple third-party payment gateways, such as Worldpay from FIS, PayPal and Stripe. Over the next 12-24 months, we expect to see compelling new solutions emerge to take advantage of open banking, and we look forward to remaining central to these initiatives that offer demonstrable value to our clients.
Although initial interest was from digital and e-commerce clients, we are now seeing considerable take-up from a wide range of industries, such as insurance, auto, FMCG, amongst others, for instant policies and distributor incentive programmes.
Opening up banking data and payments
Embedding payments into your digital strategies
<BR>Rising to new cybersecurity challenges
Rising to new cybersecurity challenges
As organisations globally adopted remote working at the start of the pandemic, the use of mobile and remote access capabilities to gain entry to both internal and third-party systems, including for financial services, increased dramatically.
The regulatory rationale
A catalyst for criminals
While this proved essential for business continuity, it also presented multiple points of entry for criminals looking to exploit uncertainty, anxiety and new, largely untested working environments and practices.
While cybersecurity was already a priority before the pandemic, the cyber threat has increased dramatically, with a surge in COVID-related phishing campaigns, business email compromise (BEC), ransomware and denial of service attacks reported. For example, Standard Chartered’s Cyber Defence Centre recorded a 31.6% increase in cyber security incidents, of which 77.6% were phishing incidents. These heightened risks create additional challenges for businesses, but also greater urgency amongst regulators.
Scope, scale, and structure
Adapting to a changing threat
At the same time as organisations globally try to mitigate the impact of new and increasing cyber threats on their own business, regulators are stepping up to support them by focusing on a number of core areas:
- Protecting core applications and networks, particularly given that employees’ home environment is likely to be less secure than their corporate offices. While many companies have had established protocols for patching systems, securing connections and monitoring of suspicious activities etc. these measures may be less effective in a remote working environment.
- Ensuring resilience through contingency planning and periodic testing within the business and across supply chains and third-party providers.
- Accelerating response and recovery through robust processes for organisations to identify and report on any security compromise, data breach or cyber incident to the regulators quickly. Again, while these practices were already well-established before the pandemic, widespread remote and hybrid working is an additional consideration that needs to be factored into these processes.
This is especially crucial for financial services. In the UK, for example, the Bank of England’s CBEST framework assesses the resilience of an organisation’s security controls and culture using accredited penetration test companies to mimic cyber attackers. The European Central Bank (ECB) has also published Threat Intelligence Based Ethical Red-teaming (TIBER) which follows a similar framework and intent to CBEST. Furthermore, the European Commission is proposing a new Digital Operational Resilience Act (DORA). This introduces new rules for financial entities but also expands the regulatory reach to technology service providers.
In Singapore, the Monetary Authority of Singapore (MAS) has focused on robust foundational controls, encouraging organisations to balance the need for security with their drive to innovate. For example, in August 2019, MAS issued a Notice 655 for Cyber Hygiene, which outlines legally enforceable cyber security requirements for banks. The Notice introduces essential controls such as multi-factor authentication, secure administrative accounts and security patching, which are also effective practices in safeguarding information assets.
Building a blueprint for your business
Looking at your business through a ‘Threat’ lens
Criminals are looking for any opportunity to exploit human and technical weaknesses. Business leaders therefore need to:
- Identify critical assets and sensitive data
- Determine what value cyber-criminals could gain e.g. the value of financial assets is different to data, and security mechanisms will differ
- Explore in detail how these assets and data are currently stored and accessed, including controls applied by third parties (e.g. cloud and outsourcing providers)
- Pinpoint potential weaknesses and implement resolution plans.
However stringent these plans, they will be effective only if employees – who are the ‘weakest link’ in any cybersecurity strategy – become the first line of defence. This requires a regular and sustained programme of employee awareness training on how to work securely – including in a remote working environment – and how to identify, thwart and report malicious attempts.
Working with a trusted bank with extensive expertise in managing data and transactions securely can contribute significantly to managing cyber risks. Every request for proposal (RFP) and regular review meeting should seek to understand how banks balance innovation and cybersecurity, their investment track record in security and fraud prevention, their approach to client education and information sharing, and partnerships with stakeholders to strengthen financial ecosystems.
Building the blueprint for the industry
A collaborative approach to tackling cyber threats
In addition to individual efforts by corporations, banks and regulators, there is growing global collaboration on cybersecurity regulations. For instance, the Financial Stability Board (FSB), which represents ministries of finance, central banks, supervisory and regulatory authorities from 25 countries, published a toolkit containing effective practices on cyber incident response and recovery for financial institutions.
We also expect to see financial regulations continuing to reach beyond the financial sector to fintechs, telecoms and cloud service providers, reflecting the growing role of non-bank players in the financial ecosystem. For example, the Cyber Security Agency (CSA) of Singapore has launched a ‘Cybersecurity Labelling Scheme’ for consumer internet of things (IOT) devices, such as home routers, as part of ongoing efforts to raise cyber hygiene. The Association of Banks in Singapore (ABS) has also launched an industry-level ‘Cloud Computing Implementation Guide’ which provides practical considerations for governing, designing and securing cloud services.
Championing change with Standard Chartered
Sharing best practices to counter evolving cyber threats
It is vital that regulators continue to challenge organisations’ cyber security policies, practices, testing and response mechanisms, and set best practices. The difficulty for international organisations, however, is that as every country’s regulator and cyber agency set their own rules and requirements, compliance can become very challenging. This is exacerbated further in instances where regulators set rules around data onshoring and localisation.
Given that cybercrime is borderless, we particularly welcome international collaboration on cybersecurity, such as through the FSB, which will help in establishing a baseline of effective practices on cybersecurity for adoption by member jurisdictions. We continue to work closely with regulators across our footprint to encourage harmonisation and principle-based regulations with the aim of streamlining, whilst also strengthening, the global approach to cyber risk.
Consequently, in 2019, Standard Chartered co-sponsored a comprehensive Capacity Building Toolbox on Cyber Resilience in partnership with the Carnegie Endowment for International Peace, SWIFT Institute, the IMF, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Cyber Readiness Institute, and the Global Cyber Alliance. Available in seven languages, this Toolbox provides checklists and practical guides for key business functions to help them lead their organisations’ cybersecurity strategies, protect their organisations and their customers, secure third party connections and respond to incidents. This was a significant example of how organisations with a common purpose can work together to share complementary expertise, engage customers and proliferate best practices.
It is vital that regulators continue to challenge organisations’ cyber security policies, practices, testing and response mechanisms, and set best practices.
risk and capital calculations
Basel IV: Standardising risk and capital calculations
The Basel Committee on Banking Supervision (BCBS) introduced the Third Basel Accord (Basel III) in 2009 in response to the global financial crisis.
The regulatory recap
Basel IV: continuing and complementing the aims of Basel III
The aim of Basel III was to strengthen regulation, supervision and risk management in the banking sector, and provide greater assurance and confidence to corporate and institutional clients. Basel III impacted corporate treasurers in a variety of ways; for example, under banks’ liquidity coverage ratio, clients’ operational and non-operational cash were treated differently, resulting in new deposit solutions to reflect banks’ risk appetite for different types of cash.
Since then, BCBS has been reviewing risk measurement approaches, resulting in additional measures proposed in 2016-17 to continue and complement the Basel III reforms. Although these measures are referred to as ‘finalised reforms’ by the BCBS, given the scale of change, they are more commonly referred to as the Fourth Basel Accord (Basel IV) or Basel 3.1. Like Basel III, the new requirements aim to create a more robust capital framework and increase confidence in the banking sector. Some of the new measures that Basel IV introduces include the standardising of the risk-weighted asset (RWA) calculations used by banks and limiting the use of internal ratings-based (IRB) models. By doing so, the BCBS aims to reduce variations resulting from banks’ internal models.
Most of the changes introduced by Basel IV take effect in January 2023 (delayed from January 2022) to give banks time to adapt their internal risk models, operations and reporting, and work with their customers to understand the impact on their solutions and, in turn, pricing.
Scope, scale, and structure
A global impact
The RWA calculation is used to determine the capital requirement, or capital adequacy ratio, required by a bank. The standardised approach is not only more stringent than IRB but also based on different factors. Under Basel IV, banks’ own IRB models used to calculate capital requirements must be at least 72.5 per cent of the standardised approach (known as the ‘output floor’), with banks having to ‘top up’ any shortfall in risk weightings and capital allocation. This could result in banks allocating more risk and capital to many of their products, which could impact pricing, resulting in some products becoming less commercially viable. The European Banking Authority’s (EBA) impact assessment dated December 2019 indicates that RWAs will increase by an average of 23.6 per cent based on full implementation of Basel IV, with a total capital shortfall of EUR125 billion for European banks alone.1
The impact on global systemically important banks (i.e. the 29 leading regional and global banks considered “too big to fail” in terms of the wider economic and market impact that this would have) is greater than for the wider banking community, with a higher leverage ratio. Most multinational corporations will bank with one or more of these banks, which include Standard Chartered.
Under Basel IV, banks’ own IRB models used to calculate capital requirements must be at least 72.5 per cent of the standardised approach (known as the ‘output floor’), with banks having to ‘top up’ any shortfall in risk weightings and capital allocation.
Building the blueprint for your business
Working with banks to explore potential effects
Given the delay to the implementation of Basel IV, and refinements still taking place, the specific impact on solutions being offered to corporate treasurers and FI clients is not yet clear. Furthermore, some measures, such as the output floor (i.e. the rule around capital requirement calculation described above) are not due to be enforced until January 2028.
However, there are some early indications of issues that corporate treasurers and their bank should consider. For example, the use of standardised models for calculating RWA is likely to result in the pricing of banking products becoming more consistent across the industry. On one hand, this is a positive development for treasurers; however, with banks needing to hold more capital, the price of some banking products could increase. Banks may need to be more selective in the products they offer, which could lead to less choice and competition. Corporates without an external credit rating could be particularly impacted, due to a significant RWA increase for unrated entities under Basel IV, increasing from 20 to 50 per cent today to up to 100 per cent.
One area that we anticipate to be impacted is Trade Finance, particularly documentary instruments such as collateralised trade loans, letters of credit and guarantees. The majority of international trade continues to be based on documentary instruments, particularly in emerging markets, even though we were seeing a gradual shift towards open account. During the pandemic however, with confidence in trading partners shaken, we have seen a revival of interest in documentary instruments, although it is not clear whether this is short term anomaly, or a more permanent shift. Treasurers should start discussing their trade finance requirements with their banks well before the 2023 date to establish which products and solutions would continue to be viable for them from a pricing perspective and how they can continue to manage risk in their supply chains.
During the pandemic however, with confidence in trading partners shaken, we have seen a revival of interest in documentary instruments, although it is not clear whether this is short term anomaly, or a more permanent shift.
Building the blueprint for the industry
Building transparency and trust
Given that the new regulations are still subject to refinement, and most banks have not yet finalised their implementation plans, some ambiguity and uncertainty still exists. For example, given the vital role of trade in the global economy, changes in pricing for trade instruments would have an impact on corporations and the real economy, which would be an unintended consequence of the Basel IV regulations. Banks are engaging with regulators bilaterally and collectively through industry associations to work through the implications, refine requirements, and achieve the best outcome for clients.
This is particularly important in trade finance given the scale of the trade finance gap that already exists, and its disproportionate impact on small businesses and emerging economies. The first of the United Nations’ (UN) Sustainable Development Goals is to eradicate poverty.2 Trade is a source of growth, development and jobs, which are crucial to achieving this goal. Today, however, the inability to access trade finance is one of the top three export obstacles of half of the world’s economies, in particular the poorest.3 In 2019, the Asia Development Bank calculated the global trade finance gap as around USD1.5 trillion, with nearly 60 per cent of survey respondents expecting the gap to increase further, even before the impact of Basel IV is factored in.4
Championing change with Standard Chartered
Representing stakeholders to avoid unintended consequences
Standard Chartered strongly supports measures that make the banking sector more resilient, build trust, and create greater assurance for our clients. However, we also recognise our role in getting the spirit of the regulations right, so that new regulations achieve their intended purpose, without damaging consequences for our clients and the wider economy. We are committed to working with regulators and industry bodies, both individually and collectively, to represent the needs of our stakeholders, and ensure that key instruments remain viable, attractive and available to all relevant client groups. We will also continue to work closely with our clients to understand the implications of the new measures on their liquidity, risk and trade finance activities, and find ways to manage change and mitigate any potentially disruptive consequences as seamlessly as possible.
Standard Chartered strongly supports measures that make the banking sector more resilient, build trust, and create greater assurance for our clients.