Regulating for Better Outcomes, Remarks by Director Gerry Cross, Director Financial Regulation - Policy and Risk

01 October 2024 Speech

Gerry Cross

These remarks were delivered at the Compliance Institute Annual Conference - 'Embracing The Challenge of Change’, on Tuesday 1 October 2024

Good morning. It is a great pleasure to be here at the Compliance Institute’s Annual Conference.

At the Central Bank of Ireland we are outcomes focused. We consistently and determinedly use our powers and deploy our resources to deliver the outcomes that fall within our mandate. Our mission is clear: we exercise our powers to serve the public interest by maintaining monetary and financial stability while ensuring that the financial system operates in the best interests of consumers and the wider economy. In the area of financial regulation and supervision our aim is to achieve a resilient and trusted financial system that functions well to support the economy and the financial wellbeing of citizens.

An outcomes focus means that we must constantly seek to do things better. Why do I say that? Firstly because these outcomes are inherently difficult and elusive. Like any organisation which wants to fulfil a challenging mission it is necessary to build on our successes and learn from our mistakes to constantly improve in a way that allows us to more fully realise the outcomes we seek.

And secondly of course, we operate in a rapidly changing environment where nothing stays still for a moment. Whether it be rapid innovation, deep technological adaptation, behavioural change and changing expectations, or the transition to a net zero economy, to mention but a few, change is all the time everywhere. Unless we too are changing and always learning to do things differently and better than we will simply be left behind and ultimately be unsuccessful in our mission.

In line with our determination to continually improve and better achieve our mission, regulation and supervision have been evolving. This morning I want to consider some of those changes in the round and discuss them under the heading of Regulating for Better Outcomes.

Compliance professionals are at the heart of well-performing firms and a well-performing financial system. They are key to firms’ understanding of, and approach to fulfilling, their societal responsibilities and as such they are key partners in achieving the best regulatory outcomes. This is one reason why I am so pleased to be able to exchange views with you this morning.

I would like to do consider our evolving regulatory approach under four headings: resilience, protecting consumers, individual accountability, and how we supervise.

Resilience

After the financial crisis of 2008-2010, the key financial regulatory task was repairing the financial system. This has been successfully achieved so far. Across a range of interlocking regulatory aspects – governance, risk management, capital, liquidity, provisioning for losses, interest rate risk management, etc. – we have developed a framework that has delivered significant levels of resilience to individual firms and to the system as a whole.

That we have been, at least to date, reasonably successful in this work has been demonstrated by the resilience shown by the financial system during recent periods of stress. This included the Covid-19 pandemic, the Russian invasion of Ukraine, and the failure of a number of US banks and Credit Suisse when the economy was being buffeted by high inflation and rapidly increasing interest rates. 

It is important to say that vulnerabilities were revealed during these episodes - for example in relation to the non-bank sector - and that resilience is something that needs to be constantly monitored and maintained. For example risks from cyber events are a constant and growing threat in themselves and given the increasing reliance on, and complexity of, the information technology architecture that now underpins the financial sector. 

Resilience is a continuing and changing demand. We need to ensure that we keep it in a constant state of readiness as it were and not let it become stale or out-of-date. The risk landscape changes all the time – look at the recent rapid changes in inflation and interest rate dynamics – and we live in a context of significant external threats. Here, I am thinking of geopolitical fragmentation, trade flow reconfiguration, heightened security threats, and political volatility. All of these mean that we need to keep our levels of resilience high.

We must do so in a smart manner. It will not ultimately be successful to develop new regulations in response to each new risk and threat so that they layer on top of each other in an ever-expanding rulebook. Nor indeed is this what we have been doing in our ongoing evolution of the financial regulatory framework. Rather, we should, and we do, leverage existing built resilience and ensure that it is adaptable to new risks that are emerging.

Let me take as an example the new regulatory framework for digital operational resilience in the European financial system (DORA). DORA is an example of smart regulation in a number of ways. It is fundamentally a form of ecosystem regulation. If I can borrow a phrase used by Frank Elderson, Vice Chair of the SSM Supervisory Board, in a recent speech, it is designed to ensure that when stress comes on, the system bends but does not break.1

DORA builds on the existing sets of requirements and guidelines and brings them together in a coherent, proportionate, business-model adaptable set of cross-sectoral requirements. It reflects the fact that resilience will be materially determined by speed of communication of relevant information and establishes a sophisticated incident reporting network. It establishes comprehensive but streamlined mapping of the overall ecosystem through registers of third party outsourcing. And it does very new things: it sets up a system of oversight (not, it should be noted, supervision) of critical third party providers, and it sets up joint cross-sectoral structures to ensure the optimal implementation of that new framework.

In short, DORA is smart regulation, designed to deliver significant levels of resilience in the face of ICT risk and proliferating cyber threats in a way that is sophisticated, adaptive, proportionate and evolving.Of course designing regulation is one thing, implementing it well is another.

Implementing a significant piece of EU cross-sectoral legislation like this requires consistency across borders and across sectors, as well as proportionality, transparency, and timeliness, aligned with optimal outcomes.

Again in an innovative approach, aligned with smart regulation, the ESAs and Competent Authorities are maintaining cross-sectoral working arrangements amongst supervisors to ensure a high quality and consistent approach to implementation. We are currently working on providing some further information as to what firms should expect from DORA implementation and how to prepare for it.

After fifteen years of important, successful resilience building work, it would be surprising if there were not areas where the combination of individual – or micro-level rules – did not combine at the macro level to have a more restrictive effect than might have been envisaged. This is particularly so given that we have had to be moving on many fronts at the same time during some of the more intense periods of repair. For this reason, smart regulation reflects a willingness to assess outcomes and consider whether there is room for improvement.

In his recent report on The Future of EU Competitiveness,2 Mario Draghi identifies securitisation as an aspect of capital markets activity that is underperforming in the EU. He calls for certain aspects of the post-crisis regulatory reframework to be modified.  Now, I have little doubt that the great majority of the requirements contained in the securitisation regulatory framework will prove to be justified and appropriate. However, it is possible that the combination of requirements imposed on originators, banks, investors, and rating agencies when further combined with the resilience measures created more generally may have resulted in a more restrictive effect than is optimal. So we should, indeed, be willing to review these requirements in the round to see whether there may in fact be some room for improvement.

But to be very clear: we have learned starkly from the crisis  and we must not forget - that there is always a gap between the level of resilience that financial firms and their shareholders will seek and the level of resilience that society needs to ensure that the economy functions as well as it should. And of course compliance professionals play an important role in bringing together those two imperatives – the commercial and the societal - in firms’ activities and conduct.

Protecting consumers

At the Central Bank, we are seeking to deliver smarter regulation in how we protect consumers. By smart regulation, I mean, regulation that is proportionate, targeted on outcomes, and adaptive to changing circumstances. The proposed revisions to the Consumer Protection Code are a good example of such regulation.

It is essential to a successful financial system that consumers have confidence that financial firms will work in their favour and that their interests will be protected. This consideration is behind the significant work that we have done together with the wider ecosystem over the recent period to revamp, update and enhance the Consumer Protection Code. As you will be aware, we have identified an obligation to secure customers’ interests as at the heart of financial firms’ regulatory obligations. We consulted on this proposal in the first half of the year and we are in the process of finalising our new regulations and publishing them in the coming months. 

We think that this regulatory approach will deliver significant benefits in improving the outcomes that we are seeking to achieve. There will always arise circumstances of ambiguity. Firms have to make decisions in a new and evolving context, and even where rules are being complied with, how they are being complied with makes a significant difference to customer outcomes.

We have seem time and time again -  through the Tracker Mortgages Examination, Business Interruption Insurance during COVID-19, Differential Pricing, Payment Account Migration - that many of the key decisions and behaviours that firms must deliver for their customers are to do with circumstances where detailed rules do not apply. Rather, firms have been found wanting in meeting the general requirement to protect their customers’ interests in line with what those customers could legitimately expect to happen.

A good example of how the way in which firms approach meeting their obligations matters can be seen from some behavioural research that we carried out two years ago. And this will, I think, be of particular interest to you as compliance professionals.

Under the Consumer Protection Code, mortgage lenders are required to inform variable rate mortgage holders about other, lower-cost mortgage products that are available. This should be done when interest rates change as well as annually. Borrowers whose fixed rate term is nearing its end are also required to receive such information.

Working with a large financial services firm, we sought to understand whether changes to the language used in these letters might encourage more consumers to engage with refinancing opportunities. The results were striking.

  • The strongest performing communication increased refinancing activity among mortgage holders by 76% when compared against the pre-existing standard notification.
  • Adding a reminder letter is especially impactful in driving increased refinancing rates. The addition of personalised euro savings estimates can help borrowers in making the most informed choices.
  • Among those borrowers who did refinance their mortgage, average savings of €1,209 were achieved just within the first 12 months.

This is an important example, because it illustrates the heart of what we get to with our smarter consumer regulation. Where firms internalise the outcome, and not just the letter of the regulation, the outcomes achieved are materially improved.

To support this centralisation of a clear requirement on firms to secure their customers’ interests we have developed a set of rich guidance setting out in detail what this requirement does and does not mean for firms and the expectations that consumers can have as a result of it.

A key point that I want to make here is that what is happening here is the evolution of the regulatory framework to be smarter and more effective to deliver better on our mandate -  a financial system supporting the economy and trusted by and working for citizens. By requiring firms and their leaders to think about securing their customers interests, rather than simply complying with rules, we are we are delivering regulation that works with the grain of firms’ own activities, that meets robustly the cost benefit analysis that new regulations must meet, and that fundamentally delivers better outcomes in the interests of consumers and a well-functioning financial system.

Individual accountability 

One of the new features of the Irish regulatory landscape - though one that we increasingly see also elsewhere - is the concept of individual accountability. This framework has recently come into effect in Irish financial services, following a period of intensive consultation and engagement. 

The Individual Accountability framework (IAF) requires firms to develop good levels of clarity as to who is responsible for what within their governance structure and makes senior executives accountable for ensuring they take reasonable measures to run their parts of the business effectively and in line with regulatory requirements.

The IAF is a further example of smart regulation. Proportionality is at its heart.  It is designed to fit with whatever structural design a firm adopts and demands only what is reasonable. It is targeted. Whatever the business of a firm it seeks to ensure that that business is well run. And it is dynamic in that what it requires will adapt to meet the changing circumstances in which the firm finds itself operating.

The IAF is also a form of “with the grain” regulation. It seeks to take what a firm and its leadership is trying to achieve and to embed a regulatory perspective within that.

How the new framework will be supervised was a key topic during our extensive engagement on the IAF. We heard very clearly that while stakeholders are generally supportive of the proposed regulatory developments, there was concern that our supervisory practices had not evolved sufficiently to make such “accountability” regulations work effectively. There was concern that rather than representing an enhancement of the regulatory context and of the operating environment, the new framework would be seen as an “enforcement” mechanism to be deployed by the Bank.

We have listened closely during the engagement, and are reflecting these concerns in our implementation. While good regulation, like good societal functioning, must always be underpinned by an ultimate possibility of sanctions, our approach to implementation and supervision is centred on the idea that the process and quality of implementation by firms of these advanced governance concepts is our central focus. Done well, these will create a better functioning financial system and improved dynamic to deliver the outcomes that we seek.

Supervision

And this brings me to the final part of my comments today which is supervision and how we supervise effectively in our evolving regulatory framework. 

Over the recent period we have been redesigning how we organise ourselves to supervise at the Central Bank of Ireland.

Being outcomes focused, as I have said, we have to continually improve how we do things. We operate in an environment that is evolving and changing rapidly. We need to continuously evolve to be continuously successful.

Building on the strong foundations of our current approach to supervision, we are moving to an integrated supervisory framework where directorates with oversight of banks, insurance companies and capital markets will be responsible for the supervision of all the functions in their respective sectors. Our approach will continue to be risk-based; but the new framework will ensure we are more efficient and effective in our supervisory work. It will make it easier to direct our supervisory resources to the areas of most risk to consumers or the system. Importantly, it will also place consumer protection at the heart of day to day supervision.

Each of the Directors in these areas will have explicit responsibility for consumer protection, ensuring the safety and soundness of firms and the integrity of the system in their role. The Central Bank and its leadership team led by Governor Makhlouf will continue to deliver on the whole of our mandate, which has protecting the best interests of consumers and the wider economy at its core.

And of course, the focus on consumer protection at the most senior level of the Central Bank will not change. The Deputy Governor (Consumer and Investor Protection) will continue to have consumer protection at the heart of their responsibilities.

The Consumer Advisory Group will continue to play its important role in advising the Bank on the performance of its functions and the exercise of its powers in relation to consumers of financial services. 

In short the changes we are making are designed to deliver more effectively on the outcomes we are mandated to achieve and consumer protection will continue to be at the heart of this. 

Conclusion

Let me conclude here.

I hope that I have been able to capture here some of the ways in which financial regulation is evolving to deliver ever more effectively on the outcomes with which we are charged at the Central Bank of Ireland – a well-functioning financial system supporting the economy and the financial well-being of citizens.

And I hope that this has been helpful to you as compliance professionals who have a centrally important role in ensuring that the firms you represent are well-positioned to meet these expectations.

I look forward to your questions.

ENDS

1“The art of bending without breaking”, speech at the joint European Banking Authority and European Central Bank international conference on “Addressing supervisory challenges through enhanced collaboration”.

2The Future of EU Competitiveness, Mario Draghi, 2024