Predicting the future is a notoriously difficult exercise. For this, and other reasons, regulators in general have always tried to avoid doing so, aiming to avoid both missed opportunities and, in hindsight, glaringly obvious deficiencies.
Ignoring this and keeping with a pattern of very different, somewhat unusual, but always enlightening speeches, Monetary Authority of Singapore MD Ravi Menon decided to step all the way into 2028 for his latest delivery[1].
Containing some interesting hypotheticals, some (possibly uncomfortable) truths, and what seems to be a very cloudy crystal ball, his speech at the Symposium on Asian Banking and Finance is worth a read in full.
So, what did he say?
Some of the topics covered in the section on the Global Financial Crisis (GFC) are not so much peering into the future as using already established doctrine. This doesn’t make them any less valid, but the three time periods highlighted by D Menon are strikingly like those outlined in the General Model of Regulatory Development, first outlined in a book focused on compliance in Singapore from 2015[2].
‘The Compliance Revolution’, by Professor David Jackman, gave us a remarkably useful model with hot to analyse and view not only regulatory development, but also compliance development.
The story told by MD Menon starts at the end of the GFC, in what Jackman refers to as the ‘Crisis’ phase. The tart of the era of hyperregulation, greater coverage of ‘too big to fail’ banks, increased regulatory and compliance resource, and a significant upsurge in volume and frequency of fines, are all evident in this phase, and continue into ‘Expansion’.
MD Menon outlines an era of ‘Regulatory Evaluation and Adjustment’, something Jackman most closely equates to ‘Sustainability’. This is, of course, a more ideal situation for both regulators and the regulatory community.
Certain highlights here stand out, for example the passing, almost fleeting, nod to Trade Finance. This is something that has been referenced repeatedly in recent years, by industry bodies[3], the industry[4], and regulators, but without ever having been linked to a real, solid solution.
In the MD Menon hypothesis, we are between 2017-2020, and trade finance has a so far ’sub-optimal social outcome’. Whilst this is undoubtedly true, what is the proposed regulatory solution? Here we have, apparently, a look back from 10 years in the future, but no reference to how this issue gets anywhere close to improving, which feels like a missed opportunity.
The final section, an ‘Era of Enhanced Regulatory Supervision’, mirrors very closely the Jackman ‘Outcomes-Led’ end goal. A more efficient, cost-based approach to regulation, with a strong focus on the beneficial outcomes of regulation and compliance, which is a real shift away from the current input driven model.
I think MD Menon should be applauded for explicitly referencing this idea. There is a strong focus here on Conduct Risk & Culture, although this would seem to be far too late (from 2021) to be getting around to this job. MAS themselves have released a paper on Individual Accountability this year[5], following on from the UK SMCR[6], HK MIC[7] and BEAR[8] in Australia.
One line that was of concern is:
Supervisors began to use data analytics, sentiment assessments, and the tools of behavioural psychology to gain insights on the culture and conduct in financial institutions. These insights served as inputs to supervisory assessments of the risk culture in financial institutions and, where necessary, pre-emptive interventions.
A ‘pre-emptive’ intervention certainly sounds a lot like Minority Report.
Of course, no good regulatory speech would be complete these days without some focus on technology, but, once again, some of the coverage feels dated. And this speech is not due to take place for another decade.
The hypothetical ‘Global Cyber Crisis’ of 2023 certainly sounds terrible, with US $45 billion stolen from 500 banks. However even a cursory scan of news tells us this is already happening and hasn’t just started.
Crypto Exchanges have been hacked to the tune of billions (or ‘lost’ currency), as have central banks. The Bangladesh Bank Heist[9] took place in 2016, for an attempted USD $1 billion. USD $45 billion is a lot of money, no doubt. It is also lower than the amount of fines paid by the top 20 banks in 2016, which according to the Conduct Costs Projects, was over USD $63 billion[10].
It was ironic that in an industry where there were detailed internationally accepted standards for capital, liquidity, and a range of prudential norms, there were no standards for cyber risk management
– MD Menon
Much like an Alanis Morrissette song, this isn’t ironic. If this did eventuate, there would be no irony to share around, but an awful lot of blame. Cyber breaches of vast scale have been happening for several years, so it is incumbent on regulators, including MAS to come up with suitable guidelines and standards.
To their credit MAS have announce they are planning to review cyber standards for banks[11]. The industry absolutely should, and must, do a lot more. Most major financial institutions still have, at best, a very rudimentary view of cyber risk and security.
To Finish…
To finish we must go back to the start. Crystal ball gazing is fraught with peril. A lot of the themes addressed appear, on the surface, to be radical predictions for the next decade. In most cases, they are not.
This doesn’t detract from their value, not to mention the good sense from MAS, and MD Menon, to highlight these for the industry to consider. The progressive timeline of regulatory developments (The General Model) has been discussed for some time – Complilearn have used this as a core element of learning materials for over three years.
Likewise, the rising elements and issues around Fintech and Cyber Risk haven’t just come to light. The North Korean hacking group known as Lazarus have been operating as far back as 2009[12]. And as for Conduct Risk, the FCA[13] and ASIC[14] have outlined their ideas going back a few years.
In summary, this is a very entertaining speech, and a very interesting, not to mention useful, set of ideas to think about. But, if you work in regulation or compliance, and this speech was the first time you thought about or came across these concepts, then the next ten years might be even tougher for you than even MD Menon imagines.
[1]http://www.mas.gov.sg/News-and-Publications/Speeches-and-Monetary-Policy-Statements/Speeches/2018/Financial-Regulation.aspx
[2]https://www.wiley.com/en-sg/The+Compliance+Revolution:+How+Compliance+Needs+to+Change+to+Survive-p-9781119020615
[3]https://www.baft.org/about-baft/news-and-press-releases/2017/09/08/baft-releases-guidance-on-trade-based-money-laundering
[4] https://abs.org.sg/industry-guidelines/aml-cft-industry-partnership
[5]http://www.mas.gov.sg/News-and-Publications/Media-Releases/2018/MAS-to-strengthen-individual-accountability-of-senior-managers-in-financial-institutions.aspx
[6] https://www.fca.org.uk/firms/senior-managers-certification-regime
[7] https://www.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=17PR131
[8]https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/Result?bId=r6000
[9]https://www.reuters.com/article/us-cyber-heist-bangladesh/bangladesh-to-sue-manila-bank-over-81-million-heist-idUSKBN1FR1QV
[10] http://conductcosts.ccpresearchfoundation.com/conduct-costs-results
[11] https://www.businesstimes.com.sg/banking-finance/mas-to-raise-requirements-on-cyber-resilience-in-singapores-financial-sector
[12] https://gpinvestigations.pri.org/how-north-korean-hackers-became-the-worlds-greatest-bank-robbers-492a323732a6
[13] https://www.fca.org.uk/publication/business-plans/fca-risk-outlook-2013.pdf
[14] https://www.ashurst.com/en/news-and-insights/legal-updates/asics-3cs-message-on-conduct-risk/