Non-financial Risk Management in the Financial Industry - Group of authors - Page 20

Figure 1: Development of non-financial risk


The first wave relates to conduct and mis-selling. As a result of the mis-selling scandals of the 1990s and early 2000s, including the dotcom bubble, and in parallel with the development of Basel II, the European Markets in Financial Instruments Directive, also known as MiFID, was adopted in 2004 and has applied since 2007. Its objective, amongst other things, was to set out conduct-of-business and regulatory reporting requirements in order to prevent market abuse.[14]

The second wave relates to financial crime risks. It was recognised that many compliance-related incidents involved white-collar crime. According to the US Federal Bureau of Investigation, white-collar crime refers to the full range of frauds committed by business and government professionals and does not depend on the application or threat of physical force or violence.[15] In addition, it was noticed that retail customers were also involved in crimes, for example by committing tax evasion.

The third wave relates to the growing interest in data privacy, triggered by the expanding use of data and online technology, including online banking. As early as 1992, the European Union published the European data protection directive, which came into force in 1995. It aimed to protect individuals with regard to the processing of personal data and the free movement of such data.[16] More than ten years later, in 2011, the European Union issued an opinion on a comprehensive approach to personal data protection.[17] This resulted in the 2016 European Union regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred to as the General Data Protection Regulation (GDPR), which has applied since 2018.[18] Other jurisdictions have adopted comparable regulation under other names and in other forms, such as the California Consumer Privacy Act (CCPA), introduced in 2018 to enhance privacy rights and consumer protection.[19]

The fourth wave relates to information, communication and technology (ICT) risks as well as cybersecurity risks. With the growing relevance of technology, these risks have gained in importance, and the position of chief information security officer (CISO) became a necessity. The EBA (European Banking Authority) therefore reacted in 2019 by issuing its guidelines on ICT and security risk management, which have applied since 2020,[20] and, in 2021, by launching, together with Europol's European Cybercrime Centre, a campaign called Cyber Scams 2.0 to raise public awareness of cybercrime.[21]

The fifth wave relates to operational resilience and outsourcing/vendor risks. Along with increased technological risks, the need for the overall stability of financial institutions and of the financial system triggered a regulatory push towards operational resilience. This was spearheaded by the UK regulatory authorities' policies on operational resilience and on outsourcing and third-party risk management (published in 2019 and in force since 2021).[22],[23] The BCBS followed by publishing its principles for operational resilience in 2021.[24] The disintermediation of the value chain, driven by technological developments, has increased the importance of understanding both supply and process chains and of knowing third parties such as vendors and contractors.

The sixth wave relates to environmental, social and governance (ESG) risks as well as general strategic risks. ESG is not perceived as a singular risk type within the risk taxonomy but is rather included in overall strategic risk. It influences, or materialises in, other risk types. The environmental element is found in supply chain management and the well-established know-your-supplier process. By contrast, the social element is generally associated with human resources and has led to the introduction of anti-discrimination laws and quotas. With the increasing importance of the good citizenship model, an ethical change has taken place, and the public has developed higher expectations of moral behaviour in organisations. As such, ESG risks are clearly embedded in strategy discussions and form part of the strategic risk faced by financial institutions and all other organisations.
