2024 Financial Institutions Outlook & Trends

Alert
|
37 min read

This article, updated quarterly, looks ahead to the areas expected to be prioritised by financial services regulators across the globe; we look at the key regulatory trends emerging from the past year which inform our expectations for 2024. As an overview, we expect that the following will be core focus areas across the EU, UK and US:

ESG

What is the nature of this market development?

Transition towards more concrete ESG outcomes and better risk management will be a key priority for financial regulators. There is a growing concern that firms are making exaggerated or misleading sustainability-related claims about their investment products. Consumers and regulators alike are growing increasingly alert to false or exaggerated ESG claims. Where statements do not stand up to scrutiny, regulators are conscious that this may cause consumer harm while eroding trust in the market for sustainable investment products. Furthermore, banks are subject to increasing prescription and regulator expectation regarding the management of their own exposure to climate and sustainability risks, with the ECB in particular raising the prospect of enforcement action where banks fail to meet expectations.

Transition towards more concrete ESG outcomes and better risk management will be a key priority for financial regulators.

What are the regulators doing about it?

Europe

Proposed Sustainable Finance Package:

The European Commission proposed a new sustainable finance package in June 2023. The proposal includes the following points of interest which will gain relevance in 2024:

  • The addition of further activities to the EU Taxonomy.
  • A proposal for a regulation on the transparency and integrity of ESG rating activities, to increase transparency on the market for sustainable investments.
  • A Commission Recommendation on facilitating finance for the transition to a sustainable economy which aims at providing guidance on how companies can use the tools of the EU sustainable finance framework.

Greenwashing

In June 2023, the European Supervisory Authorities ("ESAs" comprising the European Banking Authority ("EBA"), European Insurance and Occupational Pensions Authority (“EIOPA”) and European Securities and Markets Authority (“ESMA”) presented their Progress Reports on Greenwashing and a common understanding of greenwashing and a corresponding warning on related risks for consumers, investors or other market participants, as well as on reputational and operational (litigation) risk. The Progress Reports address the key areas of the sustainable investment value change vulnerable to greenwashing, the causes of greenwashing and calls for remediation actions, while acknowledging that the regulatory frameworks need clarification and to gain in maturity. The ESAs also published an interactive factsheet on sustainable finance directed at consumers.

It is anticipated that the ESAs will issue final reports on greenwashing during May 2024.

It is anticipated that the ESAs will issue final reports on greenwashing during May 2024, including final recommendations and possible changes to the EU regulatory framework.

European Green Bond

Apart from setting out requirements for the designation under the European green bond standard ('European green bond' or 'EuGB'), the regulation adopted in October 2023 sets out the following noteworthy points:

  • registration procedures;
  • supervisory framework for external reviewers of the requirements; and
  • voluntary disclosure requirements for other environmentally sustainable bonds and sustainability-linked bonds issued in the EU.

The European green bond standard aligned with the EU taxonomy for sustainable activities will be applicable by late 2024. This will mean that proceeds of European green bonds will need to be invested in economic activities that are aligned with the EU taxonomy.

Management of Climate and Environmental Risk

Beyond disclosure regulation and the European green bond, the effective management of climate and environmental risk has become increasingly relevant.

Accordingly, ESG risks are set to become part of the review of EU banking rules with the 'banking package' amending the Capital Requirements Regulation ("CRR") (Regulation (EU) 575/2013) and the Capital Requirements Directive ("CRD") (Directive 2013/36/EU). Originally proposed in 2021 and recently endorsed by the preparatory bodies of the Council and Parliament in December 2023, the rules are still subject to revision and final adoption. Nevertheless, the legislative package in its current form deserves attention regarding the following ESG-considerations:

  • banks will have to draw up transition plans that will need to be consistent with sustainability commitments under EU law;
  • supervisors will oversee how banks handle ESG risks in the context of the annual supervisory examination review (SREP);
  • ESG reporting and disclosure requirements will apply to all EU banks; and
  • banks will only be able to enjoy a favorable risk weight treatment where they finance an infrastructure project with a positive or neutral environmental impact assessment.

These amendments are in line with steps taken by the European Central Bank ("ECB") and EBA requiring attention:

  • Financial institutions continue to be required to disclose Pillar 3 information on ESG risks as per the Annexes of the Implementing Technical Standards ("ITS").
  • The EBA published templates to collect climate-related data from EU banks in the context of the one-off Fit-for-55 climate risk scenario analysis.
  • The EBA recommended short-term actions as part of the implementation of the CRR and CRD to accelerate the integration of environmental and social risks across Pillar 1. Among others, these comprise:
    • the inclusion of environmental risks as part of stress testing programs;
    • the acknowledgement of ESG factors as part of external credit assessments; and
    • greater emphasis on the importance of transition planning.

Banks will be expected to update their strategies to ensure they effectively deal with climate and environmental risk by the end of 2024.

Banks will be expected to update their strategies to ensure they effectively deal with climate and environmental risk by the end of 2024. The ECB's November 2022 thematic review on banks' progress in meeting the expectations under the ECB's November 2020 Guide on climate-related and environmental risks revealed that banks are still far from adequately managing climate and environmental risks. More recently, the ECB has publicly warned of enforcement action, with press reports of warning letters sent to specific banks.

As 2023 came to a close, a report from a joint ECB/ESRB team 'Towards macroprudential frameworks for managing climate risk' heralded the likelihood of further changes over time, with bank regulation potentially forming part of a wider EU macroprudential framework for climate risk.

Amendments to disclosure regulation

Further developments brought forward by the ESAs in regard to disclosure regulation are to be monitored in 2024:

  • The recommendation of amendments to the Delegated Regulation of the Sustainable Finance Disclosure Regulation ("SFDR") (Regulation (EU) 2019/2088) aiming to extend and simplify sustainability disclosures.
  • A call for climate-related disclosure for structured finance products through harmonised climate-related data requirements for the underlying assets together with the ECB.
  • New Regulatory Technical Standards ("RTS") on the ESG impact disclosure for simple, transparent and standardised ("STS") securitisations under the Securitisation Regulation ("SECR"). The key proposals would apply to STS securitisations where the underlying exposures are residential loans, auto loans and leases.

Beyond the financial sector, financial institutions should be aware of the transposed Corporate Sustainability Reporting Directive ("CSRD") (Directive (EU) 2022/2464), which will require firms to report on their environmental impact starting January 1, 2024. It updates and replaces the existing Non-Financial Reporting Directive ("NFRD") and Accounting Directive (2013/34/EU). These changes will be particularly relevant for financial institutions in regard to Pillar 3 disclosures and risk management perspective.

United Kingdom

Sustainability Disclosure Requirements

The Financial Conduct Authority ("FCA") published a policy statement (PS23/16) introducing new rules around sustainability disclosure requirements ("SDR") and investment labels on November 28, 2023. PS23/16 made changes to the naming and marketing rules to allow for the use of certain sustainability-related terms.

The policy statement explained that the FCA is a strong supporter of international corporate reporting standards on sustainability, noting the launch of the ISSB's first sustainability-related reporting standards in June last year. These international standards were used as a reference point for asset managers in scope of the rules, and the FCA intends to consult on updating its Taskforce on Climate-Related Financial Disclosures to reference these standards. This is expected to form the basis for a new set of rules for listed companies, which will likely be developed over the course of this year.

Key implementation dates under PS23/16 are:

  • May 31, 2024: anti-greenwashing rule and guidance (FG24) comes into force.
  • July 31, 2024: firms can begin to use labels, with accompanying disclosures (the FCA introduced a fourth label 'Sustainability Mixed Goals' for funds that invest in a blend of different sustainability objectives and strategies).
  • December 2, 2024: naming and marketing rules come into force (with accompanying disclosures).
  • December 2, 2025: ongoing product-level and entity-level disclosures for firms with AUM > £50 billion.
  • December 2, 2026: entity-level disclosures rules start applying to firms with AUM > £5 billion.

The FCA published a new webpage on its sustainability disclosure requirements and investment labelling regime on 2nd February 2024, which reflects the new rules introduced in PS23/16. Over the next few months, we expect further FCA input on the assessment by managers of their assets against the criteria for labels. We also expect to see further clarification of the FCA's approach to overseas funds, pensions and investment products in respect of sustainability disclosures, with additional focus to come on financial advisers.The FCA's Business Plan 2024/25 confirmed that they will continue to integrate the Sustainability Disclosure Requirements and Investment Labels across the Market, including the anti-greenwashing rule and guidance. The FCA will continue to expand the regime, starting with a consultation on Portfolio Management 2024.

Management of climate change risks

In its January 11, 2024 letters to both UK deposit takers and international banks on its priorities for 2024, the Prudential Regulation Authority ("PRA") chose to emphasise its view that there is still considerable work for all firms to do in their development of climate-related financial risk management capabilities, and linking these more concretely into decision-making. The 2024 'priorities' letters referenced Supervisory Statement 3/19 on 'Enhancing banks' and insurers' approaches to managing the financial risks from climate change', as supplemented by an October 2022 'Dear CEO' letter containing thematic feedback on firms' embeddedness of climate-related financial management. The message conveyed in the 2024 'priorities' letter appears to be more urgent than the October 2022 'Dear CEO' letter, and an inference is that the PRA will be looking for tangible implementation during 2024.

Diversity and inclusion in PRA-regulated firms

On September 25, 2023, the FCA (CP 23/20) and PRA (CP 18/23) published separate consultation papers on diversity and inclusion in financial services, in which they propose to introduce new strategies, targets, reporting and disclosure requirements for regulated firms. The proposals set flexible and proportionate minimum standards to raise the bar, placing more requirements on larger firms. Proposals set out for firms include requirements to:

  • develop a diversity and inclusion strategy setting out how the firm will meet their objectives and goals;
  • collect, report and disclose data against certain characteristics; and
  • set targets to address under-representation.

The proposals represent an ambitious set of proposals aimed at improving diversity and inclusion, and the outcome of the consultation will initiate a very high-profile workstream for firms during 2024 and beyond.

United States

In December 2023, the Securities and Exchange Commission ("SEC") publicly announced that it would yet again delay finalising its long-awaited climate-related public company disclosure rule. The proposed rule (initially introduced in March 2022 and dubbed "The Enhancement and Standardisation of Climate-Related Disclosures for Investors") was met with sharp criticism under market feedback. We expect the SEC to finalise this rule in Spring 2024.

While federal regulators may have been slow to develop ESG regulation, California has proceeded full steam ahead, signing three bills into law in October 2023 that would require climate-related disclosures from California businesses. The Climate Corporate Data Accountability Act requires covered businesses to report their greenhouse gas emissions, the Climate-Related Financial Risk Act requires covered businesses to prepare climate-related risk disclosures and the Voluntary Carbon Market Disclosures Act requires covered businesses who make net-zero, carbon-neutral or similar emissions-related claims to report the accuracy of such claims on their website and disclose the purchase, use, or sale of carbon offsets.

Banks should also look out for SEC movements towards mandated reporting on climate matters (anticipated in early 2024) and the New York State Department of Financial Services plans to issue a request for information from regulated institutions about their proposed plans to assess and manage climate-related financial and operational risks.

[back to the introduction]

Cryptoassets

What is the nature of this market development?

While cryptoassets are still largely unregulated in a number of jurisdictions, regulators internationally are taking emphatic steps to bring cryptoassets within the scope regulation. 2024 promises to be a busy year in this regard, with the ongoing implementation of the Markets in Crypto-Assets Regulation (EU) No 2023/1114 ("MiCA Regulation") and the UK government's plan to implement its two-phased approach to cryptoasset regulation. In the US, we expect to see the wave of regulatory enforcement action against the US cryptocurrency industry continue.

Regulators internationally are taking emphatic steps to bring cryptoassets within the scope regulation. 2024 promises to be a busy year in this regard.

What are the regulators doing about it?

Europe

The MiCA Regulation came into force on June 29, 2023 and is set to become fully applicable in 2024. This establishes a regime for the regulation and supervision of cryptoasset issuance and cryptoasset service provision, aimed at creating a harmonised European regulatory framework for cryptoassets to balance innovation with financial stability and investor protection.

The MiCA Regulation defines cryptoassets as a "digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology", and distinguishes between (i) utility tokens, (ii) electronic money tokens ("EMTs") and (iii) asset-referenced tokens ("ARTs"). ARTs and EMTs can be designated as 'significant' by the EBA and trigger the application of additional (stricter) requirements. The MiCA Regulation provisions relating to ARTs and EMTs will apply from June 30, 2024.

The MiCA Regulation establishes a licensing requirement for a number of cryptoasset activities (including the operation of a trading platform for cryptoassets, custody and administration activities, execution of orders for cryptoassets on behalf of clients, RTO in respect of cryptoassets, etc.) as well as establishing a harmonised prudential and business conduct framework in respect of specific cryptoasset services (Articles 59 – 85 of the MiCA Regulation).

Furthermore, the MiCA Regulation sets out an ownership control procedure for acquisitions of cryptoasset service providers ("CASPs"), Articles 83 – 84 MiCAR, as well as a specific regulatory regime that is aimed at protecting market integrity and preventing market abuse (Articles 86 – 92 MiCA Regulation).

The MiCA Regulation came into force on June 29, 2023 and is set to become fully applicable in 2024.

For a comprehensive overview see "MiCA Regulation: New regulatory framework for Crypto-Assets Issuers and Crypto-Asset Services Providers in the EEA"

The EBA and ESMA are currently consulting on the final package of rules under the MiCA Regulation, including a consultation on guidelines for the assessment of the suitability of the members of the management body of issuers of ARTs and shareholders/members that have qualifying holdings in issuers of ARTs and CASPs. This consultation closes on January 22, 2024.

Beyond the MiCA Regulation, EU regulators and supervisors are also focusing on anti-money laundering and countering the financing of terrorism (AML/CFT) in the context of CASPs. The EBA has extended its AML/CFT supervision guidelines to AML/CFT supervisors of CASPs. It is also currently working on guidelines aimed at CASPs on preventing the abuse of funds and certain cryptoassets transfers for money laundering and terrorist financing purposes.

We also note that the BCBS issued a standard on capital requirements for banks' direct exposures to cryptoassets at the end of 2023. This standard is not yet legally binding but must be transposed into EU law by January 1, 2025. The ECB has expressed its expectation that the standard is taken into account in banks' business and capital planning even prior to this date.

United Kingdom

The MiCA Regulation will not apply in the UK. In contrast, in October 2023, HM Treasury published the responses received on its 'Future Financial Services Regulatory Regime for Cryptoassets'. This sets out extensive proposals to bring cryptoassets within the scope of UK regulation and we expect to see this realised over the course of 2024.

HM Treasury confirmed that it intends to use the 'designated activities regime' to expand the list of 'specified investments' in Part III of the RAO, requiring firms conducting relevant activities involving cryptoassets by way of business to obtain FCA authorisation (under Part 4A of the Financial Services and Markets Act 2000, "FSMA"). HM Treasury sets out a phased approach; Phase 1 will introduce fiat-backed stablecoins into the regulatory perimeter while Phase 2 proposes regulation for a broader set of cryptoassets.

Phase 1: HM Treasury has stated that it expects to define fiat-backed stablecoins as a cryptoasset that "seeks or purports to maintain a stable value by reference to a fiat currency and by holding fiat currency, in whole or in part, as backing".

Secondary legislation for both phases to bring cryptoassets within the scope of UK regulation is due to be brought forward in 2024.

Phase 1 proposes to bring within scope of UK regulation: (i) the issuance of fiat-backed stablecoins in or from the UK; and (ii) safeguarding, safeguarding and administering, or the arranging of safeguarding or safeguarding and administering of UK issued fiat-backed stablecoins.

Phase 2: Phase 2 is intended to cover a broader set of cryptoassets than Phase 1, including algorithmic or crypto-backed stablecoins and, furthermore, HMT proposes to bring a fuller list of activities within scope, including issuance activities, activities relating to the exchange of cryptoassets, investment and risk-management related activities, certain lending, borrowing and leverage related activities and safeguarding and/or administration (custody). Following on from HM Treasury's proposals in October, over the course of H2 2024 (if not earlier), we expect HM Treasury to clarify a number of points in respect of each phase:

  • The proposed treatment of non-fungible treatments and utility tokens, especially on what constitutes a 'financial services use case' – the UK government proposes capturing cryptoassets only when the subject of the financial activities, but that they will fall out of scope where they are not being utilised in the context of a financial activity.
  • The treatment of overseas firms, including making clear the applicability of the 'overseas person exemption', reverse solicitation and intra-group exemptions.
  • Delineate further between Phase 1 and Phase 2, both in terms of specific timelines for implementation and considering potential challenges for firms and consumers.
  • Distinguish between services provided to professional/sophisticated investors versus retail consumers.
  • Clarify the position on staking (HMT have proposed a definition of 'staking' as the process where a given amount of native cryptoassets are locked up on smart contracts in a PoS consensus mechanism blockchain (on-chain) in order to activate validator nodes which collaboratively validate subsequent transactions and achieve consensus on the network's current state).

The secondary legislation for both phases to bring cryptoassets within the scope of UK regulation is due to be brought forward in 2024 (subject to available parliamentary time), although Phase 1 legislation is expected "as soon as possible" this year.

Once the cryptoasset regime is ready to be implemented, firms undertaking relevant cryptoasset activities will likely need to adhere to similar financial services activities, standards and rules that apply to traditional regulated firms.

The FCA's Business Plan 2024/25 states that the FCA will assist in delivering a proportionate market abuse regime for Crypto assets.

United States

2023 was a tumultuous year for the United States cryptocurrency industry and we expect the consequences will continue into 2024. The wave of cryptocurrency bankruptcies that began in mid-2022 has continued: The Genesis Global and FTX bankruptcies have continued progressing through the Chapter 11 process, and former crypto lender BlockFi began its post-bankruptcy wind-down process in October.

Action by the SEC and other US Authorities

Prominent US cryptocurrency exchanges, including Kraken (see here and here), Coinbase and Binance, have been besieged by litigation from the SEC, charged with (1) failing to register as national securities exchanges, broker-dealers, and clearing agencies and (2) offering unregistered securities by providing staking services to retail customers. While the United States Department of Justice ("DOJ"), Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") and Office of Foreign Asset Control ("OFAC"), and the Commodity Futures Trading Commission ("CFTC") each announced record-breaking settlements of their respective criminal and civil enforcement actions against Binance and its (now former) CEO, Changpeng Zhao ("CZ") on November 21, 2023, the SEC appears resolved to push its case against Binance and CZ forward.

2023 was a tumultuous year for the United States cryptocurrency industry and we expect the consequences will continue into 2024.

Ramped up enforcement efforts from the SEC and other US authorities throughout 2023 have stoked concerns that the US cryptocurrency industry may be facing an "Operation Chokepoint 2.0"—a reference to an earlier push by the Obama administration to cut undesirable but legal industries off from the financial system. While US officials have denied such claims of concerted enforcement action, enforcement efforts against cryptocurrency actors are near all-time highs and will likely persist throughout 2024.

On August 29, 2023, the United States Court of Appeal for the District of Columbia ruled that the SEC wrongfully denied Grayscale Investments application for a Bitcoin Spot ETF. The SEC has since approved Bitcoin ETFs (on January 10, 2024), clearing 11 ETFs to list. This perhaps marks a change in the SEC's approach, although the SEC Chair stated on the day of the approval that "while we approved the listing and trading of certain spot bitcoin ETP shares today, we did not approve or endorse bitcoin".

Legislative developments

On the legislative side, Congress appears poised to potentially pass much-needed, long-overdue cryptocurrency legislation.

On July 27, 2023, the House Financial Services Committee reported multiple pieces of cryptocurrency legislation to the House of Representatives for consideration that would establish a stablecoin regulatory framework, protect digital asset self-custody, and clarify CFTC and SEC jurisdiction over cryptocurrencies. These renewed legislative efforts could spark the reintroduction of previously stalled bills, such as the Lummis-Gillibrand Responsible Financial Innovation Act (introduced in the 117th Congress and the Digital Commodities Consumer Protection Act).

Cryptocurrency regulation efforts have also ramped up at State level. In 2023, California enacted its Digital Financial Assets Law, which will take effect July 1, 2025, and require any person engaged in "digital financial asset business activity" in California or with, or on behalf of, a California resident to obtain a license with its Department of Financial Protection and Innovation.

[back to the introduction]

Artificial Intelligence

What is the nature of this market development?

The use of generative AI platforms (i.e., ChatGPT, DALL E, Jasper, Soundraw) proved to be a talking point of 2023. While the Oxford University Press may have named 'rizz' (charm, attractiveness) as its 2023 Word of the Year, 'prompt' (being an instruction given to an AI program) still made its top 8 shortlist and the Cambridge Dictionary went for 'hallucinate' as its 2023 Word of the Year, in recognition that this concept gets to the heart of why we all are talking about AI. Given the depth of competition across the financial services sector and the fact it is data and process rich, there is potential for AI to have a major impact. Firms are increasingly developing their use of AI across a broad range of activities (e.g., credit and regulatory capital modelling, claims management, product pricing, trading, investment advice), and as a tool to support the legal, compliance and risk functions (e.g., AML monitoring).

Many regulatory bodies have been calling for greater regulation of AI and its uses. Given the speed with which AI capabilities change, it can be challenging for financial services regulators to stay ahead. In early January 2024, Basel Committee on Banking Supervision (BCBS) Chair Pablo Hernandez de Cos urged global leaders ahead of the World Economic Forum Annual Meeting to use financial regulation as a blueprint for tackling the issues presented by AI, noting "If we are not able to give a co-ordinated global response, the likelihood of getting the right solution to these challenges will be reduced." The BCBS is expected to publish a report in the coming months on financial stability implications of AI.

Many regulatory bodies have been calling for greater regulation of AI and its uses. Given the speed with which AI capabilities change, it can be challenging for financial services regulators to stay ahead.

What are the regulators doing about it?

Europe

Currently, express regulation for AI in the financial sector only concerns high frequency trading under the markets in financial instruments directive ("MiFID II").1 This requires financial entities to have effective systems and risk controls suitable to the business in place and to ensure that the trading systems are "resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly mark".

However, the European Parliament and Council reached a landmark political agreement on December 9th, 2023, on the EU 'AI Act'. The political agreement remains subject to formal approval from the European Parliament (vote in the plenary expected on 13 March 2024) and of the Council and will enter into force 20 days after publication in the Official Journal. The AI Act will become applicable two years after its entry into force, except for some specific provisions: prohibitions on those AI systems considered to be a clear threat to the fundamental rights of people (i.e., AI systems deemed to pose an 'unacceptable risk') will apply six months from the AI Act's entry into force. The rules on general purpose AI (discussed below) will apply 12 months from the AI Act coming into force.

The horizontal framework intends to ensure that general-purpose AI systems/models (across industry sectors) are developed and used in the EU in accordance with EU rights and values including human oversight, safety, privacy, transparency, non-discrimination, and social and environmental wellbeing. 'General purpose AI' is intended to capture AI systems that can be used to perform generally applicable functions (i.e., image/speech recognition, audio/video generation) and is able to have multiple purposes. In other words, it is an AI system that can handle many different tasks rather than being used for a specific purpose.

The AI Act follows a technology neutral risk-based approach with a threefold categorisation. The categories are: (i) those AI systems deemed to pose an 'unacceptable risk'; (ii) 'high risk systems' which will be subject to certain supervision and conformity requirements; and (iii) 'low risk systems' which will be unregulated (although voluntary codes of conduct might be adopted).

The European Parliament and Council reached a landmark political agreement on December 9th, 2023, on the EU 'AI Act'.

It is anticipated that systems performing activities deemed to be critical to the access of certain financial services (providing access to 'essential public services') may be categorised as high risk, such as systems performing activities relevant to creditworthiness and affordability assessments of natural persons.2 There has also been much debate around systems providing certain activities related to individual's access to insurance, and we anticipate that systems used for risk assessment and pricing in relation to natural persons in the case of life and health insurance will also be categorised as 'high risk'. The recitals of the latest draft note that the authorities responsible for the supervision and enforcement of financial services law should also be designated as competent authorities for the purpose of supervising AI systems provided or used by regulated and supervised financial institutions.

We expect the AI Act to specify a conformity assessment procedure and some of the providers' procedural obligations in relation to risk management, post marketing monitoring and documentation under the AI Act will be integrated into the existing obligations under the CRD. We also expect that there will be limited scope for derogations in relation to the quality management system of providers and the monitoring obligation placed on deployers of high-risk AI systems (to the extent that these apply to credit institutions regulated by the CRD). The ECB has suggested that the AI Act's requirements for high-risk systems may be relevant benchmarks for updating the obligations set by the CRD regarding the (internal) governance of the risks posed by AI technologies and third-party providers.

The AI Act must also be considered in the context of existing and upcoming EU regulatory and policy initiatives, such as amendments to the EU Liability Directive and a new EU Liability Directive, as well as the EU Cyber Resilience Act and the NIS2 Framework.

For financial institutions deploying AI, the EU Digital Operational Resilience Act ("DORA") (Regulation (EU) 2022/2554) (entering into effect on January 17, 2025), requiring financial institutions to mitigate ICT risks, should also be considered. Financial institutions will need to prepare to monitor ICT-related incidents and report on these to regulators and affected clients. It will be important for firms to factor in AI to their monitoring and implementation of DORA requirements.

United Kingdom

In the UK, a Private Members' Bill (the AI (Regulation) Bill) was introduced to the House of Lords on November 22nd, 2023. This put forward key proposals for the regulation of AI, including the creation of a dedicated UK AI authority, designated AI officers, and requirements for businesses deploying AI systems to be to be transparent and compliant. Secretary of State for Science, Innovation and Technology (Michelle Donelan) has explained that while the UK government will look "to legislate" on AI, "it is the timing that is important. Rushing to legislate will not help anybody".

The government issued a response to its August 2023 white paper on AI regulation on 6 February 2024.  Some respondents to the white paper have noted that financial services could leverage an AI 'sandbox' to explore AI-based applications for risk assessment, fraud detection, algorithmic trading and customer service, but the response paper also looks at the use of AI in broader circumstances.

In the financial services sector specifically, the PRA and FCA joint feedback statement (published in October 2023) summarised key themes and feedback from several stakeholders on key artificial intelligence concerns while the FCA Chief Data, Information and Intelligence Officer stated, in an FCA speech in October 2023, that we are at a "pivotal junction" for the regulation of AI.

The FCA has since published a further 'AI Update' on 22 April 2024. On the same day, the Bank of England (the BoE) and the PRA published a joint letter to Michelle Donelan and the Economic Secretary to the Treasury and City Minister (Bim Afolami) on their strategic approach to AI.  The BoE and PRA emphasise that they are taking a technology-agnostic approach to the supervision and regulation of AI, but that they intend to address risks relating to the use of specific technologies that may have an adverse impact on their statutory objectives. The PRA is considering whether further regulatory guidance would be helpful in the areas of data management, model risk management, governance, and operational resilience and third-party risks, and the BoE will work with the Digital Regulation Cooperation Forum (DRCF) on selected AI projects, such as conducting joint research to better understand cross-sector adoption of generative AI (GenAI) technology.

Based on the recent updates from the PRA and FCA on AI, we expect the following areas to lead regulator discussions around AI:

  • Governance structures. While respondents to the FCA's October 2023 feedback statement confirmed that existing structures governed by the Senior Managers and Certification Regime ("SMCR") (the individual accountability regime applied to firms authorised under the Financial Services and Markets Act 2000) were sufficient to address AI risks, they noted that further guidance would be helpful. Most respondents stated further guidance on how to interpret the "reasonable steps" element of the SMCR in an AI context would be helpful, so long as it was practical or actionable guidance.

    In its recent AI Update published on 22 April 2024, the FCA agreed that the use of AI in relation to certain activities, business areas or management functions of a firm could fall within scope of an SMCR senior manager's responsibilities. The FCA confirmed that it plans to issue a consultation paper on the SMCR regime in June 2024.

  • Model AI risk. Elements of the PRA's 'Model Risk Management Principles for Bank's' could be strengthened or clarified in order to address issues particularly relevant to models with AI characteristics.
  • Reliance on third-party AI applications. We expect further clarity around AI's role in the use of third-party models and data, noting that the risks posed by third-party exposure could lead to an increase in systemic risks (the FCA 's consultation paper on 'Operational resilience: Critical third parties to the UK financial sector' (CP26/23) closed in March 2024 and the FCA is currently inviting feedback).
  • In July 2023, the FCA in a speech confirmed that it was considering the risks that 'Big Tech' could pose to operational resilience in payments, retail services and financial infrastructure and, in April this year, the FCA published a feedback statement on the data asymmetry between Big Tech firms and firms in financial services(FS24/1). The feedback statement notes that Big Tech firms are increasingly a critical component of UK firm's operations and that this is likely to increase with the development of AI services. The FCA further notes that the data asymmetry between Big Tech firms and financial services firms may affect how competition evolves in retail financial markets.
  • Consumer protection. In the FCA's recent AI Update, the FCA noted that the regulatory approach to consumer protection is relevant to fairness in the use of safe AI systems by firms. In particular, the Consumer Duty requires firms to act in good faith, avoid causing foreseeable harm, and enable and support retail customers to pursue their financial objectives. AI has the potential to increase risks for consumers, and the FCA states that firms should consider their obligations under the Consumer Duty where using AI (for example, where a firm uses AI in risk assessments, some categories of customers may do better than others automatically and some might even be excluded from the market). The FCA has confirmed that the Dispute Resolution: Complaints Sourcebook (DISP) rules provide means of contestability and redress for consumers in relation to AI decisions or outcomes in breach of the rules.

Separately, the DRCF, a multi-regulatory forum comprised of the FCA, the Information Commissioner's Office, Ofcom and the Competition and Markets Authority, has announced the launch of its pilot advisory service, the AI and Digital Hub. The new advisory service is limited to products, services or business models which are digital or use AI, are innovative, and are likely to benefit consumers, businesses or the UK economy. The DRCF will publish case studies of all queries and responses addressed in the hub in an aim to help a wider pool of innovators.

United States

The SEC proposed new rules in July 2023 addressing conflicts of interest arising from the use of predictive data analytics by broker-dealers and investment advisers. The new rules aim to regulate firms using AI-related technologies and models, requiring them to evaluate and neutralise conflicts arising from their use of algorithms like machine learning, deep learning, natural language processing and large language models to prevent potential systemic risks.

On October 30th, 2023, the President of the United States published the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence ("EO") addressing near-term AI-related threats to national-security, pandemic-risk and infrastructure vulnerabilities, as well as the development of internal procedures. Various measures of the EO have implications for the financial services sector (where it notes that protections are "especially important" and mistakes by or misuse of AI could harm consumers and small businesses). We expect 2024 to see the implementation of the EO across the US, along with further discussion around the impact this will have on the financial services sector.

Furthermore, the Secretary of the Treasury must issue a public report on best practices for financial institutions to manage AI-specific cybersecurity risks and this is due by March 2024.

Independent regulatory agencies are encouraged to address risks to financial stability that may arise from the use of AI, as well as to clarify the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services they use. They should, in addition, emphasise or clarify requirements and expectations related to the transparency of AI models and regulated entities' ability to explain their use of AI models.

In January 2024, the White House announced that federal departments and agencies had completed all the 90-day actions tasked by the EO. In the financial sector, the Department of Commerce has compelled developers of powerful AI systems to disclose AI safety tests and U.S. companies that provide cloud computing power for foreign AI training to disclose that they are doing so. Additionally, the Federal Trade Commission has proposed a change to a privacy rule to limit the ability of companies to monetise children's data.

On January 25th, 2024, the staff of the CFTC responded to the President's EO by publishing a request for public comment on the use of AI in CFTC-regulated markets and by CFTC-regulated entities. The request's aims are threefold: (i) to assess the benefits and risks associated with the use of AI in CFTC-regulated markets; (ii) to inform staff's supervisory oversight, and (iii) to evaluate the need for any future guidance and rulemakings. The request, which takes the form of 20 questions, is limited only to comments about AI use in CFTC-regulated markets, to a definition of AI in the EO as a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments, and to understanding concerns raised by the broader set of similar technologies within and beyond the scope of this definition of AI. The public has until April 24th, 2024, to provide comments to the request after which the Staff of the CFTC will provide guidance on its regulatory response.

Requirements are also imposed on the Director of the Federal Housing Agency and the Director of the Consumer Financial Protection Bureau, for example, with respect to the evaluation of underwriting models for bias or disparities affecting protected groups.

Various state and local laws, such as privacy and employment law, will also impact the deployment of AI in the financial sector. We expect further discussion around the risks posed by AI from state level regulators over the course of 2024.

[back to the introduction]

Capital Requirements & Crisis Management

What is the nature of this market development?

The failures of Silicon Valley Bank ("SVB"), First Republic Bank, and Credit Suisse have highlighted the importance of key risks such as liquidity and interest rate and concentration risk, giving rise to regulatory attention.  The failures underscore the problems that liquidity vulnerabilities and maturity mismatches can pose for the financial system.

The BCBS, as well as the Financial Stability Board ("FSB"), are pursuing a series of follow-up initiatives related to these failures. These include strengthening supervisory effectiveness and assessing whether specific features of the Basel Framework performed as intended. Key takeaways of these events include the importance of supervisors analysing banks' business models and identifying outlier banks, the need to assess banks' governance and risk management, a review of liquidity risk oversight, the importance of exercising supervisory judgment and the continuous need for effective cross-border supervisory cooperation.

These initiatives will be further supported by the ongoing implementation of Basel III standards across each jurisdiction (currently anticipated to be applicable from January 1, 2025 in the EU, and from July 2025 in the UK and US). The Basel Framework requires banks to meet risk-based capital ratios and focus on the definition of banks' risk weighted assets. The final Basel III reforms will further increase the resilience of banks and the banking system although the proposed EU laws envisage some deviations from the overall framework (for example, an existing deviation in the calculation of the credit valuation adjustment).

The failures of Silicon Valley Bank, First Republic Bank, and Credit Suisse have highlighted the importance of key risks such as liquidity and interest rate and concentration risk, giving rise to regulatory attention.

What are the regulators doing about it?

Europe

In the EU, these recent bank failures have emphasised calls for a focus on capital requirements and a review of the EU's crisis management and deposit insurance (CMDI) framework as proposed by the European Commission in April 2023. We expect to see further discussion around these proposals over the course of 2024.

The review envisions an enhancement of the early intervention framework, as well as of the framework for collaboration and exchange of information between supervisors and resolution authorities, the adoption of a new "early warning" procedure, further calibrates some of the existing tools, including preventative and alternative deposit guarantee scheme ("DGS") measures and precautionary recapitalisations and revises the (optional) DGS framework.

Furthermore, in the EU, co-legislators reached political agreement on the implementation of Basel III standards on June 27, 2023 and are aiming to finalise the legal texts so that the rules can apply from January 1, 2025. This broadly aligns with progress being made by the UK's PRA and in the US.

United Kingdom

The PRA's January 2024 'Dear CEO' letters set out its key priorities for 2024, underlining the need for "robust governance, risk management and controls", to enable the effective and proactive identification, assessment and mitigation of risks. Other areas of priority include financial and operational resilience.

In specific response to the 2023 bank crises, HM Treasury published a consultation on 'Enhancing the Special Resolution Regime' on January 11, 2024 to consider "any lessons that can be learned about how best to manage the potential failure of smaller banks". The consultation proposes a new mechanism which would enhance the Bank of England's existing resolution regime to allow additional flexibility to manage small bank failures; the government states that it may be in the public interest to transfer a failing small bank into either a Bridge Bank (as in the case of SVB UK) or to a willing buyer, rather than placing it into insolvency. The Bank of England issued a statement on the same day confirming that it welcomes HM Treasury's consultation and supports measures to continue to enhance the UK bank resolution regime.

This consultation closed on March 7, 2024. HM Treasury is now analysing the feedback received and will issue a consultation response. We expect to see further discussion of these proposals develop over H2 2024.

In relation to the Basel III standards, on December 12, 2023, the PRA published the first of two near-final policy statements on the implementation of Basel 3.1 standards or market risk, credit valuation adjustment risk, counterparty credit risk and operational risk (PS 17/23). The near-final policy statement considers the feedback received to the PRA's consultation paper on the Basel 3.1 standards published in November 2022 (CP16/22). The near-final rules aim to enhance competition by minimising the disparity in risk weights calculated under internal models, commonly employed by larger firms, and standardised approaches. These rules also seek to align with international standards, fostering global competitiveness; they are designed to enhance the safety and stability of firms regulated by the PRA while ensuring greater consistency and comparability in capital ratios.

It is anticipated that the PRA will publish a second policy statement in Q2 2024, to cover the remaining chapters of the consultation paper (CP 16/22) not addressed in the first near-final policy statement published. The PRA does not intend to change the policy or make substantive changes before making the final policy material. The implementation date of the final Basel III banking standards is still planned for July 1, 2025.

The FCA's Business Plan 2024/25 further states that "As the increase in corporate insolvencies is expected to persist in 2024, we will continue to use data and horizon-scanning mechanisms to anticipate firms that are at risk of failure and make sure that we can respond appropriately in the event that they do to protect consumers and ensure market integrity".

United States

Similarly, the US federal banking agencies published their proposal on how they intend to implement outstanding Basel III standards in the US in July 2023, with the aim of ensuring they can apply from July 1, 2025.

Following the 2023 bank failures, the Federal Reserve also moved to increase capital requirements for US banks. On July 27, 2023, the Federal Reserve Board announced new large bank capital requirements, including a minimum capital requirement of 4.5 percent that were set to take effect October 1, 2023.

Additionally, on September 18, 2023, the Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation proposed a new rule that would substantially revise capital requirements for large banks with substantial trading activity to more closely conform with international BCBS capital standards requirements. Following bank complaints that the new capital requirements would impair lending activities, the regulators extended the comment period to January 16, 2024, and we expect to see further discussion around this over the first half of 2024.

Monica Shah (White & Case, Trainee, London) contributed to the development of this publication.

[back to the introduction]

1 Art. 17 Directive 2014/65/EU of the European Parliament and of the Council of May 15, 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.
2 Annex III – paragraph 1 – point 5 – point b, Draft Proposal June 2023.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Top