Speech by Megan Butler, Director of Supervision - Investment, Wholesale and Specialists at the FCA, delivered to ICI Global Conference, London
Speaker: Megan Butler, Director of Supervision - Investment, Wholesale and Specialists
Event: ICI Conference, London
Delivered: 05 December 2017
Note: this is the speech as drafted and may differ from the delivered version
Highlights:
- Effective co-ordination between national regulators is fundamental to addressing the global issues affecting capital markets.
- Cyber and financial crime in capital markets require an open and co-operative response from both firms and regulators.
- We need to preserve open markets and enhance our close regulatory links with other nations.
It is a pleasure to help close your conference today and to help usher in ICI’s holiday party. What better way to get in the festive spirit than a speech on capital markets regulation?
As I understand it, a lot of your discussions this afternoon have focused on issues that have been, or are being, shaped by global regulation (including ETFs, MiFID and IPOs). With that in mind, I want to focus on the importance of effective co-operation between national regulators. Obviously this is a particularly critical point in light of last year’s referendum vote – a topic I’ll return to later.
But I want to spend the majority of my time this afternoon looking at an issue that is very much in the public eye at the moment: the ongoing threat posed to firms by cyber attacks. We take firms’ technology resilience seriously, and the risks posed by cyber are ones that are not going to go away.
Recently Uber announced it paid a $100,000 ransom to delete stolen information. And just over two months since Equifax announced its own data hack. I don’t think it is particularly controversial to say that these incidents send a powerful warning to the financial sector.
So what can we learn from them?
FCA’s role in tackling Cyber crime
I want to begin by looking at the lessons for the FCA and other enforcement agencies. And I think the obvious, but important starting point, is that the impact of cyber-attacks are not constrained by physical borders or legal perimeters. And the hackers themselves aren’t concentrated in any one location.
From our perspective, this immediately means it’s hard to think about policing cyber-attacks on a nation-by-nation basis. Domestic enforcement agencies can directly mitigate and detect home-grown cyber threats. But for a majority of countries, this amounts to a small percentage of their total risk, as the vast majority of cyber-attacks have an international component.
So you won’t be surprised to hear me say then that we believe multi-national, multi-agency co-ordination is absolutely integral to containing the cyber threat.
the impact of cyber-attacks are not constrained by physical borders or legal perimeters. And the hackers themselves aren’t concentrated in any one location.
And the FCA looks to achieve this in two key ways:
First, we share intelligence and expertise with other financial and enforcement authorities in the UK, including the National Cyber Security Centre and the National Crime Agency.
Second, we work extremely closely with international colleagues in Europe, and further afield, to try and align our different approaches. For example, we have recently spent time with a number of agencies in the USA, looking at alignment and harmonisation of our approaches to cyber supervision. We will continue with this work. Co-operation brings real value by reducing the burden on firms whilst improving our collective regulatory knowledge.
As you might imagine, one important goal of this work is to try and avoid a successful, Uber-style hack on a high street bank, or other financial service firm with lots of retail clients.
I think it is important to be clear though that the cyber risk to capital markets is also large and escalating.
Machine learning and artificial intelligence have made enormous inroads into the industry over the last five years – particularly in the form of high frequency and algorithmic trading.
This brings its benefits: including the potential to reduce trading costs in equity markets. But it also begs questions around cyber security. What are the possible systemic risks, for example, of a successful attack? What happens to liquidity and market confidence if a trading algorithm is compromised by ransomware or malware?
And what happens to the credibility of the market if a hacker accesses confidential, market sensitive information and uses it to deal?
We work closely with the Prudential Regulation Authority (PRA) to agree a common set of resilience standards and expectations, and you can expect to hear more on this over the coming months. The UK Financial Authorities are seeking to understand better the potential answers to these questions; and these are the kind of questions that we need to urgently answer because we have seen, and we continue to see, a steady rise in attacks.
In 2014, firms reported just five material cyber-attacks, or attack campaigns, to us.
In 2015, this figure rose to 27, and in 2016 to 39. In the last year, firms have reported 49 attacks and counting, a pro-rata 67% increase.
I should also say that behind these headline stats, there are some worrying underlying trends. Perhaps no surprise, but ransomware is on a significant upward trajectory and currently makes up close to 17% of attacks reported to us.
In particularly, we are seeing the emergence of more so-called enterprise ransomware. Ransomware that is specifically designed to cause maximum harm to the IT infrastructure of the biggest firms, with the most data.
The chief attraction of enterprise ransomware to criminals is, of course, the intrinsic value of data. On the black market, health care records reportedly sell for $5 apiece. So the more data they can get, the more value they create.
I should immediately say that big financial firms generally manage this threat extremely well. But the price of failure is high.
In theory, a firm could end up with their servers locked, their staff computers locked, and their backups unavailable. Making it nearly impossible to conduct business.
The responsibility of firms to report material breaches
I want to be very clear that the FCA is aware of this risk - and sensitive to the challenge it poses.
Today’s technological world changes on an hourly basis, if not faster. And new malware variants emerge every second – potentially rendering an effective defence ineffective very quickly. In other words, we are realistic about the fact some cyber-attacks will succeed. And I want to stress that we do not operate a zero-failure regime.
And I want to make it very clear – especially post-Uber and Equifax – that we expect you to tell us about cyber breaches at your firms as soon as you are aware something is wrong.
That said, we do we expect candour from firms.
You wouldn’t, as American strategist Richard Rumelt put it, care to “fly in an aircraft designed by people who focused only on an image of a flying plane, and never considered modes of failure”.
It is an imperative you do consider ‘modes of failure’ and that you are honest about them. And I want to make it very clear – especially post-Uber and Equifax – that we expect you to tell us about cyber breaches at your firms as soon as you are aware something is wrong.
Our suspicion is that there’s currently a material under reporting of successful cyber attacks in the financial sector. Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.
We do not wish to get in the way of firms’ efforts to resolve issues for their customers and the market, and we are sympathetic to the need to respond appropriately to each incident. But we expect to know when you are attacked.
With that in mind, let me speak very clearly to firms operating in our capital markets about their reporting responsibilities.
We absolutely expect all businesses to deal with us in an open, transparent manner. And this is an expectation that includes reporting of material cyber events.
The FCA works closely with the Treasury and Bank of England in our capacity as a first responder to cyber-attacks.
It is therefore essential we know about breaches in real time – as much as anything so we can support firms as they respond to an attack.
If you aren’t sure if you need to tell us about an incident, please tell us anyway. We will let you know if we need to refine reporting requirements.
Finally, and if it isn’t already obvious, I should say that we expect firms to put in place the essentials of good cyber security.
We issued an infographic aimed at smaller organisations in June – spelling out the fundamentals of effective cyber security practice. But its messages are basically applicable to all firms.
First, know your information assets. What data do you have, how important is it? And how do you protect it?
And I should say that we know this is not a straightforward task for firms.
A majority of organisations today hold so much data, it can be difficult, frankly, to classify and understand what you hold.
Second, manage the risk. So implement appropriate governance and make sure you have clear accountability across the three lines of defence.
Thirdly, how do you respond to an incident? Can you (or even should you) continue to operate during a cyber-attack?
We believe we have a role to play to assist with each of these fundamental elements of cyber resilience. Our Cyber Coordination Groups bring together organisations from across the spectrum of financial services to discuss best practices and approaches to manage a wide range of risks and issues, including those I have discussed today.
We are also actively assessing cyber capabilities across a large range of firms using our cyber resilience questionnaires. These questionnaires are built from a range of leading practice standards and guidance documents on cyber risk management.
We are looking to how we can share the outcomes of these initiatives, and others, more widely to benefit a larger range of firms. With each of these issues, we appreciate that the General Data Protection Regulation presents a further challenge to firms.
I don’t think there is any real dispute though that it is worthwhile to understand the data you hold, manage the risks associated with that data, and to be prepared to respond when capable and motivated adversaries attack you.
Financial crime through the capital markets
Let me turn now to a few broader issues related to financial crime in capital markets.
I am conscious that we talk a lot, quite rightly, about insider dealing and market manipulation.
But I’d like to highlight a different threat today: namely the escalation of money laundering through capital markets. Money laundering and the financing of terrorism are financial crimes with important social as well as economic effects. Effective regimes to combat these threats are essential to protect society as a whole, as well as the integrity of the UK’s financial system and that of the global financial framework.
Getting effective AML controls throughout the capital markets is a key part of achieving the FCA’s objective of ensuring that the UK financial system is a hostile sector for money launderers.
Last month, the government published an updated national risk assessment of money laundering and terrorist financing risks in the UK. This updated the UK view on risks across the financial services sector and other areas of risk. Unlike the 2015 report the assessment flagged capital markets as a significant emerging risk.
We agree with this assessment. We also take a view that the size and complexity of the market, and its cross-border nature, mean the problem could potentially extend well beyond recent, high profile cases. Getting effective AML controls throughout the capital markets is a key part of achieving the FCA’s objective of ensuring that the UK financial system is a hostile sector for money launderers.
This is not to suggest we have deep concerns across all areas of wholesale banking over approaches to risk management. We don’t. Like other areas of the financial services sector, we can see that the culture and tone from the top is good. We can also see that systems are moving in the right direction.
Moreover, I think it is worth putting on the public record that firms have generally made good progress around both detection, and reporting, of insider dealing and market manipulation. Particularly since the introduction of Market Abuse Regulation.
That said, we continue to take an extremely keen interest in the quality of AML systems and controls in your firms. Including the monitoring of security transactions.
And I say this because we still see examples of poor controls in capital markets – and we want to see systems respond to new and developing risks.
Deutsche Bank is probably the most high profile example here – subject to a £163m FCA fine in January for AML controls failings between 2012 and 2015 [Fined £163m for control failings between 1 January 2012 and 31 December 2015 ].
The final notice in this case is instructive. Giving a detailed account of how the bank developed poor systems. And I would encourage you to read it, alongside our financial crime guide, so you do not find your firms being exploited by criminals.
Not only will it give you an insight into the effectiveness of different systems and controls to counter money laundering. It can also help some firms assess how effectively their Market Surveillance function works alongside their Money Laundering Reporting Officer, or Financial Crime function. A key issue.
On top of this, I should also mention risks around financial sanctions.
We continue to see global policymakers looking at restrictions in capital markets, like those that restricted access to EU capital markets for certain Russian state-owned institutions.
This looks like a theme that will continue. So financial crime systems and controls in your firm need to be resilient to implement these types of measures.
A new sanctions authority was created in the Treasury last year and they provide detailed guidance to help firms meet their obligations. Alongside which, our financial crime guide has useful case studies to learn from.
In essence, all this information is intended to support you. But I appreciate it is not exactly light reading.
So can I also encourage you to think hard about how you take it in your own hands to reduce your AML compliance burden? A lot of technology providers at the moment are looking into innovative methods of streamlining AML activity. It may be worth thinking about how your own firm could use regulatory technology.
Brexit
Let me conclude by returning to the topic of international co-operation – and it is clearly impossible to talk about change in your industry without mention of Brexit.
Our Chief Executive Andrew Bailey, has spoken on the importance of open markets and regulatory co-operation.In essence, he made the point that we need to preserve close regulatory and supervisory links with the EU.
He also pointed to four key characteristics for successful co-ordination: comparability of rules, but not exact mirroring, supervisory co-ordination. exchange of information and a mechanism to deal with differences.
I want to re-emphasise that we think it is crucial for firms operating in capital markets that we uphold these principles.
As I have said before, there is no good reason why we should sacrifice open financial markets – in your own industry or any other market – as an inevitable response to Brexit.
Our chief responsibility is to ensure financial markets work well. We want an open market.
We want regulators to engage constructively, and to do this by keeping the efficiency of global markets uppermost in their minds.
MiFID II
Likewise, I want to assure you that we are working extremely closely with European colleagues on other developments, including MiFID II.
I think it is important to point out that the range, and depth of data we’ll get from January will improve our ability to monitor the market. Helping us spot abusive practices earlier.
From our perspective, we support the key objectives of the new legislation – particularly around its aims to improve market cleanliness and efficiency.
I think it is important to point out that the range, and depth of data we’ll get from January will improve our ability to monitor the market. Helping us spot abusive practices earlier.
From our perspective, this is a significant step forward, in as much as it will help us see the totality of the market – both buy and sell side.
And just to give you a flavour of the volumes sizes I am referring to here, we currently capture around 20 million transaction reports per day.
We estimate this will increase under MiFID II to around 30-35 million transactions – in excess of 50 million orders per day. Or a total of over one trillion data points per year.
To manage this, we have developed our capacity to collect and consolidate order book data from all equity venues, along with equity derivatives into a single view.
The logistical challenge of aggregating this data is no small obstacle. But it is possible – largely thanks to technological innovation and heavy lifting.
And I hope you’ll agree that ultimately everyone benefits from this in the sense that clean markets rely on participants having faith in appropriate price formation taking place, and tackling market manipulation is clearly critical to this.
That said, we are conscious that MiFID’s new reporting requirements do place an onus on you in terms of transaction reporting.
Keeping this in mind, I want to make it clear that we will take a sensible and proportionate approach to MiFID’s introduction.
My colleague Mark Steward – our Executive Director of Enforcement and Market Oversight – commented in September that we have no intention of taking enforcement action against firms for not meeting all MiFID II requirements straight away – if there is evidence they have taken sufficient steps to meet the new obligations by the start date, and that there are plans in place to complete the process.
Finally, I think it’s worth noting, even if just in passing, that the introduction of MiFID II brings with it the second tranche, so to speak, of market abuse regulation implementation.
So as some of you will know, January will see new obligations crystallise regarding instruments listed on OTFs and Emission Allowance products, which we expect the industry is well ready to meet.
There are also changes for issuers listed on the newly designated SME growth markets.
Conclusion
Let me conclude then by passing on my appreciation to you – directly – for your positive engagement with the FCA in what is clearly an extremely busy period.
I hope you enjoy your holiday celebrations.
I also want to assure you, again, that we are committed to collegiate working on topics of cross-border importance. Especially areas of enormous social and economic consequence, like cyber risk and money laundering and our relationship with Europe.