THOMSON REUTERS INSTITUTE

10 Global Compliance Concerns for 2024

Advances in technology escalate fraud concerns

Compliance professionals globally kicked off 2024 with many of the same concerns as in previous years. While much has changed since our last report in February 2023, there are still similar concerns this year. Compliance professionals must deal with fast-paced changes in regulations, technology, and customer expectations. Indeed, a delicate balance must be struck between expediting service and staying inside critical guidelines designed to protect consumers and financial institutions alike from fraudsters and other nefarious actors.

This report will cover the top 10 most pressing issues facing compliance professionals, in no particular order.

Artificial Intelligence

At the time of the 2023 report, there was no clear indication of what artificial intelligence (AI) would do over the course of the year. The pace of rapid advancement has been almost unimaginable. We are at a stage in progress where we cannot un-ring the bell, but can only move forward with the proper use and applications of AI and generative AI (Gen AI).

Although AI tools have been used in financial services for years, 2023 saw a significant acceleration. Financial services firms have historically used AI applications in areas such as customer service, insurance claims handling, risk modeling, and algorithmic trading, but the progression of Gen AI applications has allowed firms to develop solutions even more quickly.

A recent survey found that banks and market institutions were significantly ahead of other industries in terms of AI adoption.

In Asia, for example, firms have been using different forms of AI for detecting suspicious transactions, credit scoring, and automated risk reviews. And the technology has brought many advances to fields such as machine learning, visualization, data preparation, data operations, government systems, and anti-money laundering (AML) applications. Indeed, compliance functions can leverage AI for their own purposes. With resources remaining stretched, compliance officers will aim to use AI to maximize efficiency. AI can be used in a range of compliance disciplines, including content summarization for horizon monitoring, aiding fraud and money-laundering detection, assessment of regulatory risk, and prioritization of monitoring and testing in compliance reviews. Analyzing AI's implications for compliance will also continue in 2024.

Customers are now questioned more frequently about their dealings, and some transactions are being prevented. Over the next three years, AI will reshape financial businesses and capital markets, but it will also create challenges. To begin with, organizations should assess AI's likely benefits, such as performance improvements, revenue growth, and cost savings, while understanding that over-reliance on AI can pose a threat. Three-quarters of banks and capital market organizations told a survey that AI was considerably important or very important, ranking it higher than all other industry categories.

With firms and markets at various stages of AI development, organizations are likely to become more reliant on AI. Internally, this raises questions about executive responsibility and outcomes. Increasingly, organizations will need to assess what talent, skills, and capabilities are needed to implement AI initiatives and how far these initiatives should go.

Regulation of AI

Not surprisingly, many governments and regulators advanced frameworks for governing AI in 2023. Members of the G7 adopted 11 principles for guiding the design, production, and implementation of advanced AI systems, as well as a voluntary code of conduct for AI developers.

The European Union provisionally approved the AI Act in December 2023. And while compliance will vary according to industry and company size — with some measures coming into effect in 2025, but most not applicable until 2026 — firms will need to focus in 2024 on compliance preparations.

In the United Kingdom, the government released a white paper on the regulation of AI, and its response to feedback is expected in the coming months. UK regulators also issued a feedback statement to their discussion paper on AI and machine learning in October 2023, and the debate on issues raised will surely continue this year.

While regulation in the United States did not advance on a national level, nearly a dozen US states were quick to enact AI-related legislation. In its 2024 Annual Regulatory Report, the Financial Industry Regulatory Authority (FINRA) classified AI as an "emerging risk," highlighting widespread concerns about AI accuracy, privacy protection, model bias, and intellectual property rights. "The use of AI tools could implicate virtually every aspect of a member firm's regulatory obligations, and firms should consider these broad implications before deploying such technologies," the report noted.

In 2023, US financial regulators added AI to their list of financial stability risks. The Financial Stability Oversight Council (FSOC) stated in its annual review that these risks should be better understood and monitored by institutions and regulators.

Regardless of where final oversight lands, AI is here to stay as a new regulatory obligation for financial institutions and likely will find a permanent home in compliance and risk departments, alongside cybersecurity and data privacy obligations.

Cryptocurrency

The debate around cryptocurrency risk and the need for regulation will continue in 2024. Last year saw criminal and civil action against several crypto-asset firms, such as FTX, Binance, Kraken, and Coinbase.

The UK government published a consultation paper on a crypto-asset regulatory regime and subsequent feedback statement in October. The government plans to regulate crypto-assets through the Financial Services and Markets Act and is expected to introduce secondary legislation to advance rulemaking.

Further, the U.K. Financial Conduct Authority (FCA) introduced new rules on the marketing of financial promotions for crypto products. Within the first 24 hours of those regulations going live, the FCA issued 146 alerts to firms for poor practice. The FCA also has issued a discussion paper on regulating stablecoins, with public feedback expected soon. The Bank of England is said to be exploring a digital pound — a central bank digital currency (CBDC) — and has created a task force to explore the potential for the UK CBDC.

Further, the EU adopted the Markets in Crypto-Assets Regulation in 2023, providing a framework for issuers of certain crypto-assets. It comes into force on Dec. 30, 2024, but certain provisions will go live earlier, on June 30, 2024.

US activities

The intersection of traditional finance and cryptocurrency is now well underway in the US. Wall Street juggernauts that had largely avoided digital assets are now beginning to embrace some aspects of the novel sector. Stablecoins are now the 16th largest holder of U.S. Treasuries. In addition, the tokenization of Treasuries has further connected the fixed-income market to the blockchain and digital economy.

BlackRock and its CEO, Larry Fink, have become some of the crypto sector's biggest supporters after previously urging caution and voicing skepticism. In fact, Fink's change of heart and interest have helped legitimize digital assets. "We do believe that if we can create more tokenization of assets and securities, that's what bitcoin is, it could revolutionize finance," Fink said in July.

Moving the ball forward, the U.S. Securities and Exchange Commission (SEC) authorized the first US-listed spot bitcoin exchange-traded funds (ETFs) for 11 applicants, approving applications from BlackRock, Ark Investment-21Shares, Fidelity, Invesco, VanEck, and others.

Many observers had anticipated the approval, particularly after the Grayscale appeal marked a reversal for the SEC, which had rejected bitcoin ETFs for a decade. These approvals were a watershed moment for bitcoin and the broader crypto industry, as they offer institutional and retail investors exposure to the world's largest cryptocurrency without directly holding it.

Although regulators have closely monitored the interconnectedness of digital assets and traditional finance, more barriers are coming down. And as digital assets become more intertwined with traditional finance, the shift will create new and more complex risk, regulatory, and compliance obligations and challenges.

Environment, Social & Governance

The dominance of environmental, social & governance (ESG) initiatives will continue to occupy many compliance professionals’ minds. Indeed, COP28 highlighted the difficulty of reaching strategic agreements to control global warming, and firms must now factor climate change considerations into their operational and investment strategies. Regulators are also accelerating climate rulemaking, with anti-greenwashing initiatives set to potentially trigger significant penalties.

Sustainable investments account for more than $35.3 trillion, and ESG assets are projected to exceed $53 trillion by 2025, potentially representing more than one-third of all assets under management, Reuters found.

Some firms have pursued growth by carelessly misrepresenting the sustainability credentials of their products and investments. While such so-called greenwashing is on the rise, penalties across Asia remain lower than in the UK and EU. To catch up, regulators are likely to launch more cases that target deceptively advertised investments.

With regulators increasingly focused on protecting investors from losses, misrepresentations, and false advertising, non-compliance will yield significant penalties more frequently. And if violations proliferate, regulators may seek new enforcement powers in line with Western counterparts.

Among the main problems facing regulators in the UK and EU are Net Zero transition planning and greenwashing. The FCA announced it will consult on expectations for listed companies' transition plan disclosures. Meanwhile, its anti-greenwashing rule is expected in Q4.

Additionally, European authorities are reviewing their own anti-greenwashing measures, with final reports expected in May. There is also a growing supervisory focus on carbon markets and biodiversity loss.

Further efforts to improve environmental reporting and disclosure remain ongoing. In 2023, the EU proposed the Corporate Due Diligence Directive, which will apply beginning in 2026. The European Sustainability Reporting Standards detail specific disclosure requirements. The International Sustainability Standards Board (ISSB) finalized its first voluntary sustainability reporting standards (IFRS S1 and IFRS S2) in June 2023.

The UK has finalized the Sustainability Disclosure Requirements, investment labeling regime, and its anti-greenwashing rule while moving forward on changes to the new Listing Rules. Also, the UK government is reviewing the ISSB sustainability reporting standards, and the FCA plans to consult on incorporating these standards into its existing climate-related disclosure rules for listed issuers.

Meanwhile, the European Commission is reviewing the Sustainable Finance Disclosure Regulation (SFDR), and there are pending regulations for ESG rating providers that aim to improve the reliability of ESG information.

Regulators will also refine monitoring techniques, such as deep dives and stress tests on financial firms' climate risk management. The ECB Banking Supervision stress tests must be met by banks by year’s end.

The focus on diversity, equity & inclusion (DEI) will also progress in 2024. In the UK, proposed DEI rules are likely to come into force in 2025; and in the EU, the European Banking Authority (EBA) is consulting on guidelines for benchmarking diversity practices.

Just as with counterparts in Asia, the UK, and the EU, the US is also continuing its focus on ESG and DEI as new generations of workers and citizens who are defined by social consciousness and a desire for equitable representation grow in size and power. Compliance professionals must maintain an awareness of these issues surrounding ESG to be most effective.

Cybercrimes

Cybercrime comes in many forms, from cyberattacks on corporate networks to data breaches to customer fraud. According to the most recent Internet Organised Crime Threat Assessment from Europol, cybercrime is becoming "more aggressive and confrontational" across several forms, including high-tech crimes, data breaches, and sexual extortion.

Instances of cybercrime continued to rise in 2023, driven by the cost-of-living crisis, increasing customer vulnerability, and the use of AI applications. Threats such as ransomware, social engineering attacks, and the rise of Gen AI are all predicted to worsen this year.

More specifically, financial firms face a new era of advanced, ever-evolving cybercrime, and their defenses must be agile to stay ahead. Cyberattacks are likely to focus on extortion, critical service disruptions, and massive data theft. Employees and customers should be informed about the ease with which all devices can be compromised.

Disrupting cybercrime requires a resilient culture that distributes security responsibility throughout the organization. Many successful cyberattacks in 2023 stemmed from customers granting access to cybercriminals who were posing as firm employees. Governments in Asia are building partnerships to facilitate information-sharing and improve best practices across the public sector. Besides cyber defenses, organizations must ensure they have incident reporting standards.

The UK government's cybersecurity breaches survey for 2023 showed that only 32% of businesses and 24% of charities identified any breaches or attacks over the last 12 months. The UK's Information Commissioner's Office reported that 2,893 data breach incidents were reported to it in Q2 2023. This was an increase of 41% since Q2 2022, with finance, insurance, and credit being the most attacked sectors, accounting for 17% of all reported breaches.

UK Finance reported that criminals stole more than £1.2 billion through authorized and unauthorized fraud in 2022, with 78% of authorized push payment (APP) fraud cases starting online and 18% starting via telecommunications.

The UK Online Safety Act received royal assent in 2023. It requires platforms to scan for child pornography and creates a new duty of care for online platforms that compels them to act against illegal or legal but harmful content from their users. Platforms face fines of up to £18 million or 10% of their annual turnover, whichever is higher.

Firms in the EU will need to comply with the EU's Digital Operational Resilience Act beginning on Jan. 1, 2025, which includes a common set of rules and standards to mitigate information, communication, and technology risk across the EU financial services sector by harmonizing fragmented rules and improving risk management.

In the US, a critical aspect of cybersecurity and data privacy assurance is the effective management of third-party risk. Many breaches have been traced to third-party vulnerabilities in recent years, IT professionals have said. As a result, organizations and regulators are emphasizing the importance of due diligence, heightened monitoring, and third-party vendors' risk management programs.

Geopolitics & Macro-Economics

There are often regime changes in government, and this coming year is no exception. The importance of many elections across the globe seems to be elevated this year.

The global economic outlook appears to be stabilizing on the heels of widespread uncertainty and belt-tightening in 2023. Although most organizations seem to be cautiously optimistic about 2024, compliance and risk managers unanimously predicted that "firms will continue to be forced to do more with less."

US firms and the public are keenly aware that political polarization and uncertainty will escalate in this election year. Indeed, this political uncertainty often spreads to the regulatory domain. SEC Chair Gary Gensler might become more assertive with the agency's agenda if he believes his tenure might end should President Biden's re-election appear doubtful in November. The SEC's regulatory agenda includes 25 rulemakings slated for final adoption in the spring or fall of 2024.

Commercial real estate woes

Another area of great economic concern, which could have ripple effects on risk and compliance, is weakness in the commercial real estate market. Pension funds, banks, and private equity funds hold vast amounts of debt and equity in the sector. And already many funds are experiencing liquidity challenges as they struggle to refinance at higher interest rates or are reluctant to sell at discounted valuations to meet liquidity needs.

The California State Teachers' Retirement System, one of the country's largest public pension plans, is considering a strategy that involves borrowing $30 billion against its approximately $318 billion real-estate portfolio to avert selling assets at discounted valuations. While the wisdom of increasing leverage to manage cash flow is unclear, it reflects the difficulties facing commercial real estate investors.

Sanctions

Since Russia's invasion of Ukraine in February 2022, Western powers have imposed a significant number of sanctions on that regime. In the UK, the Office of Financial Sanctions Implementation reported that more than 90% of Russia's banking sector had been sanctioned. Additionally, 130 Russian oligarchs and their family members, with a combined net worth of around £145 billion, have been sanctioned.

In the US, sanctions are also complicated as there are traditional threats, such as terror groups and drug cartels. In fact, the new normal for sanctions is far-reaching across the globe and extends to other areas, such as cryptocurrencies, businesses, and their owners.

Sanctions complexity is also increasing. The UK’s FCA reviewed financial firms' systems and controls in September 2023, with results showing that firms lacked governance, oversight, skills retention, resourcing, screening capabilities, customer due diligence, know-your-customer procedures, and breach reporting.

In the EU, members of the European Parliament (MEPs) adopted a draft targeting sanctions evasion. Agreeing that individuals and entities should be punished for violating European sanctions, the EU agreed to provide more detail about activities that constituted circumvention of sanctions.

In the UK, there were changes to the Economic Crime (Transparency and Enforcement) Act 2022, which aims to ensure that assets held by sanctioned individuals can be controlled. In 2023, the Economic Crime and Corporate Transparency Act of 2023 received royal assent and will come into force in 2024.

Fraud, Scams & Other Financial Crimes

Compliance officers cannot ignore the wider subject of financial crime. The United Nations Office on Drugs & Crime estimated that between €715 billion and €1.87 trillion is laundered each year (between 2% and 5% of global gross domestic product).

Money laundering and market abuse offenses remain a priority for regulators, with penalties for anti-money laundering breaches totaling approximately £53 million in the UK in 2023. Firms that were fined included ED&F Man Capital Markets Ltd (£17.2 million), Equifax Limited (£11.1 million), and Guaranty Trust Bank (UK) Limited (£7.6 million).

In its Business Plan for 2023-24, the UK’s FCA committed to "increase the volume of our proactive assessments of firms' anti-money laundering systems and controls" and to "develop further data-led analytical tools to use in our anti-money laundering supervisory work," noting that this will continue into 2024. Additionally, the FCA said it strengthened its data and monitoring capabilities to cover market abuse in 2024.

The EU approved measures in 2023 to further deter money laundering, including creating a single rulebook regulation that featured guidelines on customer due diligence, beneficial ownership, anonymous instruments (such as crypto-assets), and new entities such as crowdfunding platforms. 

Financial scams are increasingly happening at lightning speed as technology develops, and criminals and rogue states have a seemingly unlimited appetite for theft. Preventing such crime is challenging, as no cyber defense is foolproof. Firms and government agencies face a constant backlog of infiltration reports, making it difficult to stay ahead of potential threats.

Preventing cybercrime requires customer outreach, which firms provide regularly. Compliance and risk professionals are responsible for fielding capable cyber-defense systems and providing updated information to customers. Sharing information between firms and governments will improve the prevention of fraud, identity theft, and money laundering.

Risk Management

Every year there is a need for compliance professionals to manage risks better than in years before, including understanding the issues regarding cryptocurrencies, decentralized finance, beneficial ownership, artificial intelligence, sanctions, cybersecurity, and other geopolitical factors.

Regulators in Asia remain primarily concerned about risk culture, which they view as a driver of conduct. The failure to foster a proper risk culture can affect firms' reputations and long-term survival. And while culture reviews are continuing and may become part of the permanent process, they are never complete.

Risk culture reflects a firm's prudential mandate and its attitude toward risk-taking and risk management. It can be understood as the shared perceptions, attitudes, and beliefs about a firm's stated posture toward risk, compliance, and fair customer treatment.

Some commentators argue that understanding organizational culture can be difficult, as it involves an array of behaviors and attitudes. The only true principle is whether the firm is acting in the interests of its customers and whether those interests are aligned. Sound risk culture ensures that institutions prioritize client interests and are receptive to feedback when things go wrong.

Beneficial Ownership

The US faced its most significant shift in the area of beneficial ownership this year. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released its most powerful new tool to combat financial crime: the beneficial ownership information (BOI) registry, launched on January 1 of this year.

The database, created under the Corporate Transparency Act (CTA), was designed to combat longstanding abuses of shell-company structures. It will require an estimated 32.6 million legal entities to report their identifying ownership information to the database. An additional five million entities will be added each year thereafter. Access to the database by financial institutions will be phased in and will ultimately need to be harmonized with existing obligations under FinCEN's customer due diligence rule.

Nations around the world have implemented or are in the process of implementing beneficial ownership collection requirements as part of their efforts to enhance transparency, combat money laundering, and prevent other financial crimes.

The new rules in the US will complement the growing regulation in the area over the course of 2024.

Leadership

As compliance professionals move forward, they also need to focus on leaders who are able to achieve compliance goals.

Since the 2008 financial crisis, there has been an increasing requirement that senior managers face accountability for their decisions and behavior. The UK has had a Senior Managers and Certification Regime (SMCR) since 2016 to extend liability to senior managers. And Ireland enacted the Individual Accountability Framework Act in 2023, with parts of that framework coming into effect last year, although many firms will still be implementing compliance plans.

As part of the Edinburgh Reforms in banking, a review of the UK's SMCR is underway. In 2023, the UK government issued a call for evidence, and UK regulators issued a discussion paper. Undoubtedly, 2024 will see the outcome of those deliberations.

In other EU countries, there is no overarching regime, but some elements still do exist. For example, the European Supervisory Authorities have guidelines on fitness and propriety that are applied in other countries.

Enforcement cases also have been slow to emerge, but UK regulators used enforcement powers in 2023 to fine individuals for breaches of market abuse rules and pension mis-selling. The use of enforcement powers will likely continue this year.

Regulators are also consulting on structured proposals around non-financial misconduct. This is an area in which regulators have been keen to clarify expectations of senior management, especially as it relates to the boundaries between an individual's personal and professional lives.

In Asia, the focus is on moral leadership, especially around establishing and preserving trust with clients, investors, and partners inside and outside the business. It is now regarded as essential to success and longevity, and mismanagement or complaints can trigger litigation and reputational damage.

To be sure, financial firms increasingly recognize that ethical leadership is a strategic requirement and are ready to make tough decisions quickly when senior managers fail to meet expectations. One of the largest insurers in Australia announced that its group's general counsel and company secretary had resigned over behavior that violated the firm's code of ethics and conduct. The insurer's board of directors had to rebuild a culture of trust and unity so that employees were respected and valued.

Reforms that deter boards and senior managers from ignoring ethical lapses, regardless of individual skill, are increasingly the norm. And firms are also prioritizing accountability and transparency by replacing leaders for serious transgressions. For example, the former chief executive of a London-based oil giant resigned after acknowledging that he misled the firm about his relationships with colleagues.

Conclusion

As compliance professionals boldly move through 2024, they must be careful navigating this precarious terrain. As elections come to a close, technology continues to develop, and nefarious actors do what they do, it is more important than ever that today’s compliance professionals stay tuned in. Indeed, they need to remain the first line of defense, protecting institutions from financial crimes and major losses.

Thomson Reuters

Thomson Reuters is a leading provider of business information services. Our products include highly specialized information-enabled software and tools for legal, tax, accounting and compliance professionals combined with the world’s most global news service – Reuters.

For more information on Thomson Reuters, visit tr.com and for the latest world news, visit reuters.com.

Thomson Reuters Regulatory Intelligence

Authors:
Niall Coburn – Asia Correspondent
Mike Cowan – EU and UK Correspondent
Todd Ehret – United States Correspondent

Editor:
Alexander Robson

Thomson Reuters® Regulatory Intelligence is a market-leading solution that empowers you to make well-informed decisions to confidently manage regulatory risk while providing the tools to make proactive decisions and action change within your organization. It has been developed with a full understanding of your compliance needs – locally and globally, today and in the future.

Learn more: legal.thomsonreuters.com/en/products/regulatory-intelligence

Thomson Reuters Institute

Editors:
Rabihah Butler
Gregg Wirth

The Thomson Reuters Institute brings together people from across the legal, corporate, tax & accounting and government communities to ignite conversation and debate, make sense of the latest events and trends and provide essential guidance on the opportunities and challenges facing their world today. As the dedicated thought leadership arm of Thomson Reuters, our content spans blog commentaries, industry-leading data sets, informed analyses, interviews with industry leaders, videos, podcasts, and world-class events that deliver keen insight into a dynamic business landscape.

Visit thomsonreuters.com/institute for more details.