Banking Regulatory Guide Q2 2018

p MegatrendsLight at the end of the regulatory tunnelFollowing five years of dealing with the heavy, continuous burden ofregulatory change, 2018 allows banks to start thinking about shifting thebalance of their transformational investments into more discretionaryareas, with a greater focus on achieving competitive advantage.

Of course regulation will continue – with the alphabet soup of CRD V/CRRII, Open Banking / PSD II, GDPR, BCBS 239, MiFID etc. continuing to drainvaluable resources – but with strengthened balance sheets and relativestability of market conditions, firms will see this as an opportunity toinvest in automation, customer experience improvement and furtherdigitalisation, as well as upgrading core systems.

Known regulatory challengesWhile a few newer items of regulatory compliance (such as CRD V/CRR IIand Brexit implications) will loom on the horizon, the bigger theme in2018 will be the overhang of unfinished business from 2017:

p The first release of Open Banking in January will be followed by six-monthly incremental changes, expected to carry through into late2019

p GDPR go-live in May will be only the beginning of the compliancejourney for most institutions

p Larger banks will continue to execute their UK ring-fencingrequirements by the end of 2018

p BCBS 239 will require a significant push to the end of the year p Firms need to be mindful of the ongoing evolution of Financial Crime

operating models to remain compliant.

Service resilience and systemic risk will continue to be on the regulatoryagenda.

Technology disruptionThe relative lull in the regulatory onslaught will allow firms to breakaway from competitors in terms of technology investment andadvancement. This, combined with traditional competitive pressures ofcustomer acquisition, rising costs and new market entrants in the formof FinTechs will prompt significant investments in proven areas such asautomation, data analytics and digitalisation. This is also an opportunityfor banks to invest further in upgrading, refactoring and replacing legacysystems, and implementing modern API-based integration solutions toenable cheaper and faster change in the future. We will start to seefurther applications of blockchain being tested in the market, with a realbreak-through moment a bit further away.

p HOT TOPIC: Resolvability expectationsand contingency planning for BrexitBanks are still unclear as to the scale and impact of Brexit, and whilethe political agreement to an extended transition period has removedsome of the urgency, it still hasn’t clarified the outcome, nor have theregulators yet confirmed whether or not the transition agreement willbe applied to financial services. Discussions around the equivalenceregime have not been particularly productive thus far, and the FCA isstill looking for firms to outline their response in respect of the worstcase scenario – a hard Brexit with no transition period.

Banks are responding in various ways – Goldman Sachs appear to havebitten the bullet and put some London staff on notice of a move toFrankfurt; Dublin and Frankfurt are still overloaded with licenceapplications; other banks are in the midst of impact assessments andscenario planning, and the responses thus far make it clear that onesize does not fit all. A crucial consideration here is capital – simplyestablishing a parallel operation is unlikely to be an option due toexpense – but the customer, IT and especially people impacts all havethe potential to be equally significant. And in some ways the potentialtransition period adds, rather than removes, complexity – it now bringsinto play an element of doubt around how realistic the worst casescenario really is.

Our recommendation would be to focus on two scenarios. Thetimescale in the event of the worst case is such that there is limitedtime for nuance, and firms need to put in place a hedge in the event ofa draconian Brexit. However, the possibility of the transition periodmeans that banks have the opportunity to consider more fully how tooptimise their future model, exploring all elements of the operatingmodel as well as regulatory and capital implications. There is, however,a real need to move forward. Even if the regulators do confirm thetransition period in the weeks ahead, there is limited time for designand many questions remain unanswered.

p HOT TOPIC: Technology in banking in2018 and beyondIf 2016 and 17 were the years of successful proofs of concept for newtechnologies, 2018 will see these begin to deliver at scale, with realcommercial benefit. Macro-level trends that will persist in 2018 include:

1) Good data is still critical. Organisations now better understand howto harness the opportunities presented by AI and Robotics through abetter understanding of how essential high quality source data is tothe success of these technologies, as without good quality data theirapplication will continue to be limited

2) Automated Intelligence and advancements in ‘Cognitive’. At themore innovative end of the scale, the biggest strides in 2018 arelikely to be around the cognitive application of Robotic-typetechnologies. Instead of limiting the technology to the morereplicable and repeatable jobs, the real power is in replacing thehigher value ‘human’ activity, and use cases are already live thatexploit this opportunity

3) Distributed Ledger Technology at scale. Where 2017 saw DistributedLedger Technologies enter the mainstream, 2018 will see scaleexamples of the technology being used in production, as well asnew, more innovative applications for it

4) RegTech will remain important. Firms will continue to look to replacetactical solutions built to ‘get compliant’ with more strategicRegTech solutions.

What are the threats?

Many threats don’t relate to the underlying technology, but to howindividuals and firms apply the technology and understand the broaderorganisational and sociological implications. Technology is neutral, butit’s how we use it that’s important. However, increased geo-politicaluncertainty and the rise of on-line criminality mean cyber-attacks willcontinue to rise but with the potential to be far wider reaching thenwhat’s been seen before.

Final thought… a quantum leap?

It is highly likely that in 2018 we will begin to see the meaningfulapplications and proofs of concept using Quantum technology. Theability to process huge volumes of data within complex models veryrapidly, could revolutionise computing and banking. Although we areunlikely to see this technology at scale in 2018, we do expect to seesigns of a few viable examples of its use.

p HOT TOPIC: Incident response plansto the readyWith GDPR entering into force in May and the sharp increase inawareness raising by the Information Commissioner’s Office, banks arebracing themselves for a sharp increase in external attention. Ageneral feeling of nervousness is being observed across industry withregards to the first round of data breaches to be reported in the mediaand the regulator scrutiny that will ensue.

This is an important time to remind ourselves that data loss andsecurity incidents are a natural result of conducting business. The onuswe apply on data security should be based on our ability todemonstrate effective resilience – the ability to anticipate and adapt,to detect and to respond swiftly and effectively.

The ability to identify and respond to an incident quickly and efficientlyand in a manner that puts our customers first is critical to minimisingthe negative impact caused by a breach, and in this day and age caneven elevate your reputation in the market and lead to a competitiveadvantage. Organisations are not necessarily judged by an incident,but by the way in which organisations are identified and managed.

Organisations should ensure that they have robust and practicedprocesses in place to respond to incidents with agility, proportionalityand transparency. Key to this, is the ability to become aware ofincidents quickly and this comes to ensuring adequate awareness anda culture that promotes incident reporting without risk of harmfulrepercussions. In essence, a blame-free cybersecurity culture.

We advise organisations to reassess their readiness to identify andrespond to incidents in a manner that ensures compliance whilstpromoting awareness and continuous improvements.

p About Baringa PartnersBaringa Partners is an independent business and technologyconsultancy. We help businesses run more effectively, navigateindustry shifts and reach new markets.

We use our industry insights, ideas and pragmatism to help eachclient improve their business.

Collaboration is central to our strategy and culture ensuring weattract the brightest and the best. And it’s why clients love workingwith us.

Baringa. Brighter together.

p Baringa’s Finance, Risk andCompliance TeamBaringa’s Finance, Risk and Compliance Team specialises in helpingfirms understand and respond to the strategic, financial andoperational implications of new regulation and to enhance riskmanagement. A trusted advisor to risk, compliance and treasuryleaders, Baringa Partners’ capabilities and credentials span banking,insurance, asset management, capital markets, commodities andwholesale energy.

For more information please contact: risk@baringa.com or SimonWilson, Partner, Finance, Risk and Compliance on +44 7398 213 181or Colin Preston, Head of Banking on +44 7803 038 084

Baringa Partners LLP, 3rd Floor, Dominican Court, 17 Hatfields, London SE18DJ T +44 (0)203 327 4220 F +44 (0)203 327 4221 W www.baringa.comE risk@baringa.com

p HOT TOPIC: The 'open banking era':the compliance ‘tightrope’ continuesMany parties going into Open Banking felt that when 13th January2018 arrived we’d collectively take a sigh of relief for a job well done.However, through 2017 it became increasingly apparent that thiswouldn’t be the case – discussions with the CMA have led to the CMAenhancement period and ongoing considerations of theImplementation Trustee.

Similarly with the RTS on Strong Customer Authentication and SecureCommunication now published in the Official EU Journal you would beforgiven for anticipating that the regulatory view on direction wouldnow be clear, however, as an industry we are still far from it. Forexample, is gaining an exemption to the fall back requirements a ‘no-brainer’ or are there merits from additionally deploying super-chargedscreen-scraping. Similarly what approach should you take to theTrusted Beneficiaries list and what do you believe is compliance foryour organisation with respect of authentication – is Redirectsufficient? It is likely the picture is still unclear for your organisation,yet the delivery timeline (March 2019 if considering an exemption) isputting pressure on programme delivery.

Furthermore, what if your organisation also wants to be an AISP orPISP? Suddenly there’s the need to consider the approach to NCAregistration (or notification in the case of a credit institution), Consent(and the associated GDPR implications for example how this applies tochildren), segregated dispute management and the PSD II liabilitymodel and SYSC reporting requirements amongst other areas.

The EC has signalled clearly to banks that it will take a tough line oncompetition issues, but banks also risk hefty fines under GDPR –managing appropriate security in light of Open Banking and the set ofconsiderations around the interim versus the period post ‘the RTS’. Werecommend any organisation having a clear set of views around whatneeds to hold true for each decision to be made and to work closely interms of education for programme teams and building a mutualunderstanding of the basis for these compliance decisions.

Update on key timings and trendsYour guide to critical regulatory milestones, analysisof hot topics and emerging regulatory trends

p HOT TOPIC: Basel IV, CRD V / CRR II,stress testing and other requirementsIn December 2014, the Basel Committee on Banking Supervisionintroduced the idea of restrictions to the internal models banks used tocalculate their risk-weighted capital requirements. In combination withother tweaks to the capital and liquidity requirements, bankers havebeen labelling these changes Basel IV – reflecting their size, scope andimpact – to the protestations of the regulators who reject the labellingand insist they are refining and finalising Basel III to prevent regulatoryarbitrage.

Two years on, the EC published its proposals for the revised rules in theform of a directive (CRD-V) and regulation (CRR-II), in addition toamendments to the BRRD-II. The new regulations introduce significantrevisions to capital, funding, and liquidity requirements coveringmarket risk, counterparty credit risk, interest rate risk, and liquidity andfunding risk, impacting both banking and trading books.

Finalisation of the credit risk, CVA risk, operational risk and outputfloors remained a sticking point with the US and EU apparently atloggerheads. This was finally resolved at the Basel Committee level inDecember 2017, with proposed implementation dates from 2022through to 2027 (to phase in the output floor). However, this has yet tobe incorporated into CRD-V or CRR-II and, with a number of areas opento national discretion, where the final regulation will land is stilluncertain.

This legislative package will require significant enhancements to theinfrastructure, data granularity, processes and controls that will requirelarge, multi-year change programmes to deliver. Furthermore, withsuch wide ranging changes to capital, funding and liquidity in one go,firms will need to begin to understand and model the interactionbetween the different elements and review their product mix tobalance regulatory requirements, cost and profitability.

Regulatory Developments Tracker 2018-20+

MarketStructure

JAN FEB MAR APR MAY JUN JUL AUG SEP

2018 | Q1 2018 | Q2 2018 | Q3 2018 | Q4 2019 | Q1 2019 | Q2

Retail Banking

Theme Sub-theme

This document: (a) is proprietary to Baringa Partners LLP (“Baringa”) and all copyright resides in Baringa; (b) should not be disclosed to any third parties or re-used without our consent; (c) shall not form part of any contract nor constitute an offer capable of acceptance or an acceptance; (d) excludes all conditions and warranties whether express or implied by statute, law or otherwise; (e) places no responsibility on Baringa for any naccuracy, incompletenessor error herein; and (f) is provided in a draft form ‘as is’ and should not be relied upon for commercial purposes. Copyright © Baringa Partners LLP 2018

2019 | Q3 2019 | Q4

Regulation

p CMA Remediesp Consumer Creditp Retail Banking

Strategic Review

OCT NOV DEC JAN FEB MAR APR MAY JUN JUL AUG SEP

Resolvability

Q1 2018: Under remedies from CMA Retail banking Investigation: All Personal Current Account providers to implement overdraft alerts with grace periods, All banks to address transaction history data, Largest banks in GB to develop SME loan price andeligibility tool, All banks to have BCA opening procedures; 13.01.18: CMA 9 to make personal and current account transaction data with full read write functionality available through an open API; Q1 2018: FCA to publish policy statement on staffincentives and Performance Management in consumer credit firms; Q1-Q2 2018: FCA to publish policy statement on assessing creditworthiness in consumer credit

p Creditor HierarchyDirective

StructuralReform

Structural Banking Reform / Recovery & Resolution / FCA& PRA / EU

p EU StructuralReform

p BRRDp UK Ring-fencing

Conduct EU / Global p AMLD Vp FATCAp EU Benchmarks

Regulationp Shadow Bankingp Vulnerable Customersp GDPRp MCD

Q4 2019: Amended Directiveexpected to enter into force by theend of 2019 (i.e. 18 months after itspublication, expected in mid-2018)

FinancialRegulation

Capital p Basel III p CRD V / CRR IIp Stress Testingp EBA Stress Testingp FRTBp TLAC (UK)p MREL

01.01.19: Deadline for the revised market risk framework

to be implemented;01.01.19: TLAC due to be

applied to G-SIBs;Q1 2019: Implementation date for the

large exposures framework

Accounting p IFRS 9Q4 2018: First annual financial statement in which IFRS 9 applies

Q1 2019: Application date for revising the creditor hierarchy for unsecured debt to facilitate the implementation of TLAC

Q4 2019: Implementation date for therevised GSIB assessment methodology;

Q4 2019: FSB expected to conduct a reviewof the technical implementation of TLAC

01.01.18: National regulators will be able to enforce the legalseperation of high risk trading activities from core lending anddeposit taking activitity (if perceived risk to stability of thefinancial system exists) under EU Structural Reform

Liquidity p NSFR

OCT NOV DEC

Q4 2018: Earliest date for politicalagreement by EU institutions on the Level

1 text of the CRD V/CRR II package;Q4 2018: BoE expected to publish the

results of the 2018 exercise;Q4 2018: BoE to publish details of a new

approach to stress testing in the UK

Q2-3 2019: Earliest date for secondaryrulemaking to begin following a politicalagreement by EU institutions on a Level 1 textfor the CRD V/CRR II package

Q2-3 2018: BoE to conduct2018 stress testingexercise;Q2-3 2018: EBA 2018stress testing exercise

02.11.18:Publication ofEBA 2018 stresstest results

22.03.18: BCBS initiated anew consultation on furtherrevisions to the market risk

capital requirementsframework

01.01.20: UK firms to be subjectto interim MREL requirements;2022: Final MREL requirementsto come into force;01.01.22: BCBS target date forimplementing all rules as partof FRTB

01.01.18: IFRS 9 must be applied to annual reporting periods

01.01.18: NSFR minimal standard takes effect

Brexit p Negotiating directives -transitionalarrangements

p Triggering ofcontingency plans

p Guidelines -framework for futurerelationship

pWithdrawalagreement andratification process

p UK exits EU

Q1 2018: EC to adopt additional negotiating directives on Brexit transitional arrangements;Q1 2018: Firms are expected to trigger their worst-case scenario contingency plans by March2018 if no transition deal has been reached between the EU and the UK;Q1 2018: EC to adopt additional guidelines in March 2018, in particular as regards theframework for the future relationship

01.10.18:EC's targetfor finalisingwithdrawalagreementand startingratificationprocess

29.01.19: UK exits the EU (in case of no extension agreed by EU27 members)

Q4 2018: Earliest date for a EUpolitical agreement on Level 1 text ofrevised BRRD

Q3 2018: BoE expected tofinalise its policy onvaluation capabilities tosupport reoslvability

01.01.19: BoE rules onoperational continuityin resolution, includingreporting requirements,

enter into force;01.01.19: UK Ring

Fencing requirementsmust be in place (with

the exception ofseparation of pension

schemes)

Q1 2020: BoE policy onvaluation capabilities to enterinto force around 18 monthsafter finalisation of the policy

Q3 2018: Banks topublish service qualitymetrics from this date

Q2 2018: FCA to consult on high-cost credit in respect tooverdrafts, rent to own borrowing, home-collected credit andcatalogue credit; Q2 2018: FCA expected to publish findings ofits strategic review into retail banking business models

Fin Tech p EU FinTech ActionPlan Q1 2018: EC's TFFT expected to publish policy proposals and recommendations in relation to FinTech; 2018: ESA expected to publish joint report on relevant FinTech and digital issues

InvestmentManagement

p IDDp PRIIPS 01.10.18: Member States' implementation deadline for IDD01.01.18: Revised PRIIPS framework to apply 31.12.19: End of transitional period for UCITS KIDs to be converted into PRIIPs KIDs

Trading p MiFID II / MiFIR p EMIR 03.01.18: MiFID II/MiFIR application date 21.12.18: Category 4 firms subject to EMIR

clearing obligation for interest rate derivativesQ1 2019: CCPsupervision proposalexpected to be finalised

09.05.19: Category 4firms subject to clearing

obligation for CDS

21.06.19: Category 3 firms subject to clearing obligation for interestrate derivatives;21.06.19: Category 3 firms subject to clearing obligation for CDS

01.09.20: Initial Marginrequirements in force for allapplicable counterparties

Payments p PSD II13.01.18: PSD II becomes applicable 14.09.18: RTS for SCA and SCC to come into

force (a couple of Article 30 paragraphs willkick in 6 months earlier - 14th March 2019)

By January 2021: EC will submita report on the application andimpact of PSD II

Cyber Resilience

p PRA CyberStandards

p NIS DirectiveQ2 2018: PRA to give public indication of standards it is developing for the supervisoryassessment of cyber resilience capabilities in firms and financial market infrastructures

09.05.18: NIS directive to betransposed into national legislation

09.11.18: Operators of essential services to be identified

EU / Global p SecuritisationRegulation 01.01.19: Securitisation regulation applies

15.05.18: Form 1042-S reporting on gross proceed payments begins (with respect to the 2017 calendar year);25.05.18: GDPR will be directly applicable in all Member States

01.01.19: 30% U.S. withholding tax will apply toany gross proceeds from the sale / disposition ofany property of a type that can produce certain

U.S. source income (e.g. dividends, interest,insurance premiums)

01.01.18: EU Benchmarks Regulation applies; 01.01.18: List ofAdministrators and 3rd country benchmarks to be published;Q1-Q4 2018: FCA and FINRA leading work within IOSCO onsenior investor vulnerability. Report to be released in 2018

01.01.20: Transitionalarrangements for certainbenchmarks will expire

Q3-Q4 2018: FSB isexpected to publisha progress report onshadow banking

21.03.19: Professional experience of staff can be relied on tomeet MCD knowledge and competency requirements;21.03.19: ESIS to be in use under MCD;21.03.16-21.03.19: KFI will be phased out between 21 March2016 and 21 March 2019 under MCD

UK p FAMRp Vulnerable Customersp SMCR

From 2019: Industry to make a pensions dashboard available to consumers under FAMR; 2019: HMT and FCA to undertake review of FAMR outcomes (outcomes to be published in 2020)

Q3 2018: FCA is expected to finalise its approachto consumers as part of its new mission

21.02.18: FCA consultation on operational aspects of transitioning FCA firms and individuals to SMCR closes

Q2-Q3 2018: FCA & PRA to publish policy statements and finalrules relating to extension of SMCR to all FSMA authorised firms

H2 2019: Expected extension of SMCR to all solo-regulated firms

AI Artificial IntelligenceAISP Account Information Service ProviderALMD V Anti-Money Laundering Directive VAPI Application Programme InterfaceBCA Business current accountBCBS Basel Committee on Banking SupervisionBoE Bank of EnglandBRRD Bank Recovery and Resolution DriveCCA Consumer Credit ActCCP Central counterpartyCDS Credit Default SwapCMA Competition and Markets AuthorityCRD/R Capital Requirements Directive/RegulationCVA Credit Valuation AdjustmentEBA European Banking AuthorityEC European CommissionECB European Central BankEEA European Economic AreaEMIR European Market Infrastructure RegulationESA European Supervisory AuthorityESIS European Standardised Information SheetESMA European Securities and Markets AuthorityEU European UnionFAMR Financial Advice Market ReviewFATCA Foreign Account Tax Compliance ActFCA Financial Conduct AuthorityFI Financial InstitutionFINRA Financial Industry Regulatory AuthorityFRC Financial Reporting CouncilFRTB Fundamental Review of the Trading BookFSB Financial Stability BoardFSMA Financial Services and Markets AuthorityGDPR General Data Protection RegulationGSIB Global Systemically Important Bank

HMRC Her Majesty's Revenue & CustomsHMT Her Majesty's TreasuryIDD Insurance Distribution DirectiveIFRS 9 International Financial Reporting Standard 9IOSCO International Organization of Securities

CommissionsIoT Internet of Things KFI Key Facts IllustrationLCR Liquidity Coverage RatioMAD/R Market Abuse Directive/RegulationMCD Mortgage Credit DirectiveMiFID Markets in Financial Instruments DirectiveMREL Minimum Requirement for Own Funds and

Eligible LiabilitiesNCA National Competent AuthorityNIS Networks and Information SystemsNSFR Net Stable Funding RatioPISP Payment Initiation Service ProviderPRA Prudential Regulatory AuthorityPRIIPS Packaged Retail Investment ProductsPSD II Payment Service Directive IIREM CRIP New FCA Financial Crime ReportRPA Robotics Process AutomationRTS Regulatory Technical StandardsSCA Strong Customer AuthenticationSCC Secure Customer CommunicationSI Systematic InternaliserSMCR Senior Managers Certification RegimeSME Small and Medium EnterprisesTFFT Task Force on Financial TechnologyTLAC Total Loss Absorbing Capital TPPs Third Party ProvidersUCITS Undertaking for Collective Investments in

Transferable Securities

Abbreviations