GUIDANCE NOTE AN INTRODUCTION TO Developing a Risk-Based Approach to Financial Consumer Protection Supervision DECEMBER 2022 Finance, Competitiveness & Innovation Global Practice DISCLAIMER This work is a product of the staff of the World Bank with external contributions. The findings, inter- pretations, and conclusions expressed in this work do not necessarily reflect the views of the World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judg- ment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. RIGHTS AND PERMISSIONS The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org © 2022 International Bank for Reconstruction and Development/The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org GUIDANCE NOTE AN INTRODUCTION TO Developing a Risk-Based Approach to Financial Consumer Protection Supervision DECEMBER 2022 Contents ACKNOWLEDGMENTS v ABBREVIATIONS AND ACRONYMS vi HOW TO USE THIS NOTE vii 1. INTRODUCTION 1 1.1 Scope and intended audience of this Note 1 1.2 Structure of this Note 2 1.3 Keeping the FCP risk-based supervisory cycle in mind 3 1.4 Regarding risk-based supervision 4 2. CONTEXT FACTORS WHEN DEVELOPING AN FCP RBS APPROACH 5 2.1 Legal and regulatory foundation 5 2.2 Market characteristics 5 2.3 Overarching supervisory approach 6 2.4 Organizational setting 8 2.5 Staff considerations 8 2.6 Current data position 9 3. CORE COMPONENTS OF AN FCP RBS APPROACH 13 3.1 Data collection and analysis 13 3.2 Risk indicators 15 a) What are risk indicators? 15 b) Setting the parameters for individual indicators 15 c) “Start small but start right” approach 17 3.3 Risk assessment framework 17 a) Market-wide risk assessment 18 b) FSP-level risk assessment 19 c) Which framework will be the most appropriate? 21 3.4 Risk-based monitoring and supervision activities 23 a) Market and FSP-level monitoring 24 b) Common risk-based supervisory methods and tools 24 c) Selecting and deploying risk-based supervisory methods and tools 29 d) Enforcement 30 APPENDIX A:  Examples of Risk Indicators 33 APPENDIX B:  Illustrative Scenarios of RBS Approach Development 39 APPENDIX C:  Five Common Types of Overarching Supervisory Approaches 45 REFERENCES 49   iii iv  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision FIGURES Figure 1  Considering the Key Elements of Developing an FCP RBS Approach from the Outside In vii Figure 2  Ten Key Elements to Consider in Developing an FCP RBS Approach 2 Figure 3  FCP Supervisory Cycle—Main Components 3 Figure 4  Data Collection and Analysis Approaches Relevant to Developing an RBS Approach 13 Figure 5  Example of Risk Rating Model 20 Figure 6 Central Bank of Ireland’s Consumer Protection Risk Assessment 22 Figure 7 Illustration of a Possible Combination of Supervisory Tools 25 TABLES Table 1  Characteristics of Five Common Overall Supervisory Approaches 7 Table 2  Examples of Data Types Relevant to Help Implement an FCP RBS Approach 10 Table 3  Sample Template for Risk Indicator Parameters 16 Table 4  Market-Wide Risk Assessment Example 19 Table 5  Example of Impact Grading 20 Table 6  Risk Matrix Example 21 Table 7 Illustrative Example of a Combination of Supervisory Activities for FCP RBS 30 Acknowledgments This Guidance Note is a product of the Financial Inclusion and Consumer Protection team within the Financial Inclusion, Infrastructure & Access Unit of the World Bank Group’s Finance, Compet- itiveness & Innovation Global Practice. This publication was written by Sergio José de Mesquita Gomes (Senior Financial Sector Spe- cialist, Financial Inclusion and Consumer Protection Team, World Bank Group) and Aute Kasdorp (Senior Consultant, Financial Consumer Protection Supervision, World Bank Group) with Gian Boeddu and Jennifer Chien (Senior Financial Sector Specialists, Financial Inclusion and Con- sumer Protection Team, World Bank Group). Mahesh Uttamchandani (Practice Manager, World Bank Group) provided overall guidance. The team is grateful for valuable comments received from Marc Schrijver (Senior Financial Sec- tor Specialist, World Bank Group), Eric Duflos and Juan Carlos Izaguirre (Consultative Group to Assist the Poor (CGAP)), and the International Financial Consumer Protection Organisation (FinCoNet). The team also gratefully acknowledges editorial assistance provided by Charles Hagner and design and layout assistance provided by Debra Naylor of Naylor Design, Inc.   v Abbreviations and Acronyms FCP financial consumer protection FSP financial service provider RBS risk-based supervision vi How to Use this Note This Guidance Note is intended to serve as an introductory guide RBS approach “from the outside in.”—i.e. starting with an intro- on key elements to be considered by financial sector authorities duction of key concepts, moving on to a consideration of the (Authorities) when implementing a financial consumer protec- context in which RBS is being implemented, to ultimately a dis- tion (FCP) risk-based supervision (RBS) framework or adapting cussion of its core components. (See figure 1.) an existing supervisory framework to include RBS. These key ele- • Introduction: The Note first discusses some key concepts, ments are discussed by exploring questions that Authorities will including introducing the supervisory cycle that underlies any typically need to address when initiating FCP RBS development. FCP RBS approach and the concept of RBS. Such questions will also be pertinent for RBS implementation on an ongoing basis, as the answers to those questions are expected • Context factors: These are the factors that are not embed- to evolve and change with time as FCP RBS frameworks continue ded into RBS itself but have a strong impact on how the RBS to be enhanced. approach will be formed and developed from a practical and operational perspective, thus requiring an Authority’s aware- This Note is not intended as a comprehensive one-size-fits-all ness and assessment. guide on FCP RBS. Developing such a guide would not be real- • Core components: These are the supervisory processes and istic considering the adaptations and customizations required for tools that make up the fabric of an FCP RBS approach. They are each Authority and country. Rather, this Note seeks to provide a presented in a way intended to facilitate an Authority’s under- higher level, practical, guided tour of the key issues, constraints, standing of them and to highlight the advantages and limita- and decisions that Authorities will usually find themselves dealing tions of the processes and tools. with, particularly during the initial stages of developing an FCP RBS framework. The Note aims to facilitate the awareness and manage- • For ease of comprehension, readers are encouraged to read ment of key issues without dictating predefined solutions, so that through the Note sequentially to first gain awareness of rele- readers will better understand the issues and potential approaches vant context factors before moving to the core components to choose from. The Note is written with particular consideration for the poten- FIGURE 1 Considering the Key Elements of Developing an tial needs and context of Authorities implementing FCP RBS in FCP RBS Approach from the Outside In emerging markets and developing economies. Different authors may of course choose different ways of elaborating on the issues 3. Core components of an it explores, since ultimately there is no single and standardized FCP RBS approach methodology to guide or describe FCP supervision or RBS. 2. Context factors for developing an FCP RBS A key insight that informed the structure of this Note is that approach the many choices to be made while implementing an FCP 1. Introduction—key RBS framework are interconnected and should therefore be concepts considered holistically. This holds especially true for the core • Scope, audience • Structure components of an FCP RBS approach. The Note therefore pres- • Supervisory cycle ents discussion of relevant elements for developing an FCP • Risk-based supervision   vii viii  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision of an FCP RBS approach. Each step is linked to the previous Considering the wide array of possible RBS methodologies and one. The core components of an FCP RBS approach are also supervisory tools, this Note addresses select issues deemed of presented in a suggested logical order of implementation. more immediate relevance with greater detail and examples. Where possible, the Note provides additional references for fur- In practice, the context factors and core components will ther elaboration on various issues. Although crucially important often be considered in parallel and will always be subject to for an effective FCP RBS approach, additional elements such as further development as supervisory activities naturally evolve. risk-mitigation efforts are not discussed in detail in order to main- Developing an FCP RBS approach is not a static exercise, but an tain focus on those issues of greater relevance during the early ever-evolving activity. For example, the legal and regulatory foun- stages of FCP RBS implementation. dation for FCP supervision could alter over time as a result of a suc- cessful FCP RBS approach. Also, the data position of supervisors will need to be reevaluated periodically, even continually. 1 Introduction Financial products and services play a significant role in enabling Unfortunately, very limited international literature has been consumers to build their resilience, seize opportunities, and developed on this topic to date. Authorities, particularly those in meet essential needs but consumers also face risks when engag- emerging markets and developing economies, are therefore left ing with such products and services. This is due to a range of fac- with little public guidance on how best to develop and implement tors, including information and power asymmetries and abusive or FCP RBS processes that are appropriately tailored to their legal, overly aggressive market practices. regulatory, and institutional contexts. Although an ongoing effort, over the past decade significant This Note seeks to assist in addressing this critical knowledge gap progress has been made around the world to strengthen FCP by providing introductory guidance on key issues, constraints, regulatory frameworks. Policy makers have been incorporating a and decisions that Authorities should consider when establish- broader range of regulatory approaches to protect consumers from ing RBS for FCP. Given the need to customize RBS models to the inappropriate market practices, assist consumers to make better-in- characteristics of each country and its existing supervisory infra- formed decisions regarding the use of financial products and ser- structure, this Note does not specify predefined solutions but pro- vices and ultimately achieve better outcomes for consumers. vides Authorities interested in implementing an RBS model with an overview of various matters to be considered when designing However, such regulatory frameworks must be operationalized, a tailored RBS approach, with the aim of assisting the planning including through supervision, to be effective. Authorities are and development of a context-appropriate approach. A range of increasingly turning to the task of developing appropriate supervi- practical examples are provided as illustrations. sory processes and frameworks to monitor and implement FCP reg- ulation effectively and foster compliance across the financial market as well as good conduct and consumer outcomes more generally. 1.1 SCOPE AND INTENDED AUDIENCE OF THIS NOTE Undertaking FCP supervision can be a daunting task given the wide range of financial products, providers, and issues to be considered, Although this Note may be useful for any reader interested in FCP combined with limited supervisory capacity and resources. and RBS, its content is targeted at supervisors who have the task of developing an FCP RBS framework or adjusting an existing Many Authorities are seeking to develop an RBS approach spe- FCP supervisory framework accordingly. It is not intended as a cifically for FCP. RBS is an approach developed previously by pru- comprehensive guide to conducting FCP RBS. The Note provides dential supervisors as a way to make more effective decisions in both a holistic and a practical view of situations and alternatives supervisory planning and promote the more efficient use of limited that supervisors need to consider when making their first design supervisory resources. In summary, RBS generally refers to a for- decisions with regard to FCP RBS. The Note is relevant both for ward-looking, structured process aimed at identifying the most Authorities responsible only for FCP supervision as well as Authori- critical risks on which to focus supervisory efforts, including by ties undertaking prudential and FCP supervision in parallel. understanding and assessing the adequacy of relevant risk man- agement systems in place at the level of supervised financial ser- The most successful RBS strategies observed by the authors tend vice providers (FSPs). While RBS in a prudential context generally to entail the initial development of relatively simple but concep- focuses on an assessment of risks from an FSP perspective, RBS tually well-defined risk-based supervisory processes, which over in an FCP context assesses risks not to FSPs, but to financial con- time pave the way for the implementation of more sophisticated sumers, a very different focus, requiring an appropriately adapted structures. For this reason, the Note focuses on basic and prelim- form of RBS. inary elements that may not otherwise receive sufficient attention   1 2  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision and does not seek to cover more complex issues to be consid- 1.2 STRUCTURE OF THIS NOTE ered down the line in an RBS context, nor does it seek to cover more specific financial product or provider angles. For example, Authorities preparing to develop an effective FCP RBS approach although new technologies are continually altering supervised customized for their circumstances typically need to consider products and supervisory tools, a discussion of risks specific to a range of key practical elements. Some elements relate to the digital financial services and fintech products is beyond the scope setting within which FCP RBS is being implemented, such as the of this Note. However, it is noted that this risk dimension would be legal mandate and supervisory powers or available capacity and a strategic consideration for any type of FCP RBS (or in fact any resources. Other elements are more strategic or conceptual, such FCP supervision regime).1 as those regarding preferences in the supervisory approach to be taken. Carefully considering these elements from the first stage of The Note discusses implementation of RBS in the context of FCP developing an FCP RBS approach is critical. supervision (whether risk based or otherwise) but is not intended as a guide to establishing FCP supervision arrangements and This Note presents 10 key considerations that Authorities processes more broadly, which is a much wider area of consid- should consider when undertaking the process of designing a eration. For example, this Note discusses considerations relevant customized approach to FCP RBS. These are divided into what to ensuring that an Authority has appropriate powers and suitable have been termed “context factors” and “core components”— staff specifically for a risk-based approach to FCP supervision, but, the outer (circular) items and inner (rectangular) items in figure obviously, the topics of supervisory mandate and powers, and the 2, respectively. In addition, general background information on selection of staff, are themselves broader areas. supervisory cycles and the concept of RBS is provided in section 1.3 and section 1.4, respectively. FIGURE 2 Ten Key Elements to Consider in Developing an FCP RBS Approach Legal and regulatory foundation Current Market data position characteristics Data collection Risk indicators and analysis Risk-based Risk assessment monitoring and framework supervision activities Staff Overarching considerations supervisory approach Organizational setting 2 Introduction  |  3 • Six context factors for FCP RBS (section 2): When designing an  EEPING THE FCP RISK-BASED SUPERVISORY 1.3 K RBS approach, Authorities should consider these six practical CYCLE IN MIND factors relating to the context in which they will be undertaking FCP RBS. The discussion is intended to help Authorities identify When an Authority is starting to consider how it will develop its the main variables, opportunities, and limitations they have to FCP RBS process, or adjust its existing FCP process to be more work with (such as their supervisory powers, staff, current data risk based, it is important first to have sufficient familiarity with position, and market characteristics) in order to arrive at an RBS the overall concept and aims of a risk-based supervisory cycle. setup that is suitable to their particular circumstances. Section Although there is no single internationally accepted standard 2 includes hypothetical examples that illustrate how differ- definition, the “supervisory cycle” is a common concept familiar ent answers to the stated questions may shape the design of in both prudential and FCP supervision regimes. Its purpose is to Authorities’ RBS approaches. plan for a recurrent period of time that will comprise a full range of supervisory activities, from planning to enforcement and reevalu- • Four core components of an FCP RBS approach (section 3): ation, in order to start a new subsequent supervisory cycle begin- Section 3 discusses the four suggested core components of ning at a new planning step. A risk-based supervisory cycle in an an RBS process (collection and analysis of data, risk indicators, FCP context is intended to enable an Authority to direct its finite a risk assessment framework, and risk-based monitoring and resources, as systematically and effectively as is feasible, to the supervision activities) to be implemented as appropriate for most important conduct risks facing financial consumers. Concep- an Authority, having regard to the context factors discussed in tually, all supervisory activities must fit within the cycle, which is section 2. This section presents various strategies, frameworks, usually designed to align with a calendar or fiscal year (but some and tools that may be adopted to establish these elements and Authorities may opt for different timeframes). discusses practical issues, such as benefits or limitations, that can influence their adoption. A typical FCP supervisory cycle can be described as follows and is represented in figure 3. It starts with market monitoring For each factor and component, key questions are provided to (itself comprising a range of monitoring activities), intended to help Authorities analyze that particular item. Simplified examples give supervisors a sense of the most significant FCP-related con- are provided of how different answers to these questions may cerns and risks in their market. This will influence how FSPs will shape the design choices an Authority may make in its FCP RBS be supervised in a risk-based manner. For example, which issues approach. It is suggested that Authorities explore all 10 elements should be assessed specifically at individual FSPs and why? Which using the associated questions, to make initial choices in terms of FSPs might require closer attention given the identified risks and the design of their RBS approach based on their answers to these questions. They should begin to implement the choices while keeping in mind that relevant items will require revisiting and fur- FIGURE 3 FCP Supervisory Cycle—Main Components ther consideration, including in parallel, as an Authority’s custom- ized RBS approach progresses and develops. Market monitoring The appendices provide additional materials and illustrations to assist an Authority’s consideration and analysis. Appendix A pro- vides a range of examples of possible risk indicators from an FCP perspective (emphasizing that indicators should be selected care- Feedback into policy and FSP-specific fully and designed to ensure that they are useful and appropriate approaches monitoring in an Authority’s supervisory context). Appendix B includes two fictional scenarios intended to illustrate (in simplified form) how initial choices regarding the development and implementation of an RBS approach may be made in practice, having regard to the practical context in which different Authorities are operating. Tracking and Reviews and While a discussion of the use of technological tools to support follow-up inspections FCP supervision—that is, supervisory technology (suptech)—is outside the scope of this Note, it will also be a key consideration for RBS implementation, as with any form of FCP supervision. A proper consideration and understanding of the RBS elements Enforcement discussed should take into account, and also contribute to, any (formal/ informal) intended adoption of suptech, such as for data collection and analysis.2 4  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision trends? FCP-specific monitoring and off-site/on-site inspections 1.4 REGARDING RISK-BASED SUPERVISION and reviews are undertaken to gain a more in-depth and specific understanding of FCP-related concerns. If such findings identify Before moving to the main content of this Note, it is useful to noncompliance with current regulatory requirements, enforce- provide a brief introduction to RBS. As previously stated, this ment action may follow, ranging from informal or formal warnings Note does not intend to establish a universal definition of RBS. to penalties or referral for prosecution, for example. Enforcement Considering the uniqueness of each Authority’s context, setting actions should involve follow-up to ensure that the intended specific definitions and standards might limit the flexibility that results are achieved. All supervisory activities should then feed every Authority needs to develop a customized RBS approach, into continuous reevaluation of FCP components: policy, regula- as opposed to a “standard one.” However, to provide context for tion, supervision, and so on. Future supervisory planning should the following main sections of this Note, common RBS objectives specifically take into account and benefit from the information and concepts are summarized below. and conclusions arrived at in prior cycles. All steps are intercon- nected, feeding into one another. Sometimes they overlap or At its core, RBS intends to focus supervisory time and resources run in parallel, and not all have the same weight or relevance at to engage systematically with the most important issues within all times. Also, the supervisory cycle does not function in isola- the supervisory scope in a forward-looking manner. In this con- tion. For example, the licensing and authorization processes of text the concept of “risk” is often understood formally as the prob- an Authority should anticipate the risk-based approach (such as ability that harm will occur to the relevant supervisory objectives, by identifying red flags to be monitored), and the findings that multiplied by the impact on those objectives if the harm indeed substantiate formal/informal enforcement may also give rise to occurs. In the more specific context of risk-based market-conduct guidance provided to industry on a particular issue. supervision, those supervisory objectives typically revolve around appropriate conduct of regulated entities and/or the intended Regardless of how a supervisory cycle is ultimately defined within results of such appropriate conduct (for example, market integrity, an Authority, it is key to have one that is structured according to consumer protection). In the context of risk-based financial con- available resources, a particular Authority’s context and charac- sumer protection supervision, the supervisory objective might be teristics, and the size and nature of the supervised market. (This compliance with FCP regulation and/or to ultimately achieve ade- can be referred to as an Authority’s “supervisory universe.”) If quate consumer protection or appropriate consumer outcomes. an Authority develops FCP RBS while establishing its overall FCP The concept of risk in the context of FCP supervision thus tends to supervisory function and cycle for the first time, then consider- revolve around the perspective and interests of consumers, rather ation of these elements will include a broader range of issues than those of the regulated entity.4 going beyond RBS-specific aspects. For example, the Authority should consider not only whether its existing legal mandate and There is no single or standard definition of RBS concepts and powers appropriately support RBS but also whether the Authority methodologies being applied by financial sector Authorities has a sufficiently clear legal mandate to undertake FCP supervision internationally.5 For a discussion on risk-based supervision con- more broadly.3 cepts generally, suggested reading includes publications on risk- based supervision from the Toronto Centre6 and from the Financial Action Task Force.7 These publications discuss in more depth the various concepts involved in risk-based supervision and as appli- cable across various prudential and market conduct contexts. NOTES 1. For a discussion of new or enhanced risks to consumers arising from fintech or digital financial services, see WBG (2021a). See also Chalwe-Mulenga, Duflos, and Coetzee (2022). For a discussion of supervisory challenges and implications arising from digital transactions, see FinCoNet (2022). 2. For a discussion of suptech in the context of FCP supervision, see WBG (2021b). See also FinCoNet (2020). 3. This mandate would normally be derived from FCP regulation. However, in some instances, other types of regulation, such as general consumer protection regulation and/or prudential regulation, might also provide a mandate for FCP RBS at least until FCP regulation can be put into effect. For further information, see G20/OECD Taskforce (2014). 4. Although this Note refers to FCP RBS, the insights offered are also largely applicable to developing market-conduct supervisory approaches (even if the market conduct that is within the supervisory scope extends beyond conduct that affects consumers). 5. General risk management methodologies are standardized by ISO 31000:2018 and Guide 73 “Risk Management—Vocabulary.” However, regarding supervision of financial services specifically, guidelines and papers have not yet been consolidated or standardized as a result of the complexity and singularity of the context factors faced by prudential and conduct supervisors around the world. 6. See Toronto Centre (2018). See also Toronto Centre (2019). 7. FATF (2021). 2 Context Factors when Developing an FCP RBS Approach This section describes several practical factors, relating to the d. In case of FSPs’ noncompliance with cooperation requirements context in which an Authority is developing and implementing and/or substantive FCP regulations, does the Authority have its FCP RBS, that the Authority should take into consideration legal powers to take appropriate redress and/or enforcement when designing its RBS approach. They comprise the legal and actions, such as corrective measures, compulsion, or the impo- regulatory underpinning for FCP RBS supervision (discussed in sition of sanctions, based on an RBS approach? 2.1);8 the characteristics of the market to be supervised using RBS (discussed in 2.2); the Authority’s overarching approach and posi- The answers to these initial high-level questions may determine tioning for FCP supervision (discussed in 2.3); the organizational whether an Authority should even proceed yet with developing setting within which RBS is being implemented (discussed in 2.4); an FCP RBS approach. In such a scenario, the Authority may first staff-resource considerations (discussed in 2.5); and the Authori- need to undertake regulatory reforms before proceeding with the ty’s current data position (discussed in 2.6). development of an FCP RBS approach. If proceeding with FCP RBS development, the answers to the 2.1 LEGAL AND REGULATORY FOUNDATION above questions may affect what choices will be made in terms of supervisory approaches. For example, an Authority may deter- Authorities should consider whether they have an appropriate mine that its powers to compel the provision of necessary informa- legal and regulatory underpinning to support RBS, having regard tion are sufficiently comprehensive, but there may be limitations to their legal mandate and powers and any regulatory parame- to more direct supervisory activities (for example, on-site inspec- ters within which they are undertaking FCP supervision. Such an tions). In such a scenario, the Authority could proceed with devel- analysis should be performed during preparations to introduce an oping an FCP RBS approach while addressing some remaining FCP RBS regime. How these questions are analyzed and addressed weaknesses in its legal and regulatory foundation. will be affected in part by whether an Authority is establishing FCP supervision generally for the first time or embedding RBS in an already existing FCP supervisory function, in which case decisions 2.2 MARKET CHARACTERISTICS on some aspects may have already been made (but this may cause them to be revisited). For current purposes, it is assumed An FCP RBS approach by definition is focused on addressing the that the Authority has confirmed that it has a mandate to conduct most important FCP risks in a particular market. This implies that FCP supervision and, more generally, that its scope and mandate the regime is customized to the characteristics of the regulated are sufficiently clear and unambiguous. market(s), including the size and characteristics of FSPs, the cus- tomers they have, and the consumer segments they serve. Key questions include the following: a. Does the Authority have appropriate discretion to (de)prioritize Authorities should consider the following key questions when its supervisory activities based on its risk assessments? assessing market characteristics to help inform the appropriate b. Does the Authority have legal powers to implement and apply design of their FCP RBS approach: any monitoring and supervisory methods and tools necessary a. How many consumers are there in the supervised market? for RBS? c. Does the Authority have legal powers to require FSPs to coop- b. What are common profiles of consumers in the supervised erate with RBS activities, such as submitting or giving access to market? relevant information and materials needed for these purposes?   5 6  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision c. How many FSPs (currently supervised or not) are active in the sory approaches often combine aspects of two or more of these market? approaches to varying degrees. d. What are common profiles of these FSPs? • Compliance-based supervision: This is arguably the sim- e. Which retail products are most relevant to the market and con- plest form of FCP supervision. An Authority taking a compli- sumers? ance-based approach to supervision focuses on promoting that FSPs comply with regulations. The main perspective f. What are the main medium and long term market trends? (although others are relevant) is legal. The Authority takes reg- • Market growth ulations as the starting point for its actions. Generally, the core • Industry entry/exit activity is to systematically monitor and investigate whether • Consumer profile changes regulated entities have transgressed applicable rules and reg- • Technological developments ulations and, if transgression is established, to take legal mea- • Societal changes that affect market dynamics sures (impose fines, issue injunctions, and so forth). In addition g. Are there key stakeholders to engage with who might contrib- to these activities, primarily intended to counteract noncompli- ute to the supervisory objectives (such as consumer associa- ance, the Authority may also actively promote compliance—for tions, dispute resolution bodies, and other Authorities)? example, by issuing guidance on the interpretation and imple- h. Are there other jurisdictions with existing FCP supervision mentation of regulations. regimes and somewhat similar market characteristics, and • Risk framework–centered supervision: An Authority taking what lessons could be learned from supervision in those juris- this approach focuses on analyzing and mitigating the risks dictions? that an FSP’s activities pose to the interests of consumers, using a risk framework as the primary focal point to structure The outcome of such an analysis may shape the way FCP RBS is and guide its actions. The supervisory objectives may be organized by the Authority, the supervisory staff profiles most compliance objectives, or they may include a broader objec- appropriate to understanding and addressing relevant risks, the tive to promote the spirit of the law or to achieve adequate data sources leveraged, the supervisory approach and support- outcomes for consumers. (The risk framework may or may not ing methods and tools adopted, and the approach to risk anal- be geared toward such outcomes.)10 The main perspective ysis. For example, large numbers of financial consumers with low is risk management. For this Authority, the starting point of levels of financial literacy, low levels of technology at FSPs, and analysis and intervention activities is usually the risk profile of growth trends in digital financial services are all market character- an FSP. Typically, significant effort is devoted to developing, istics that introduce certain FCP risks or limitations that an FCP RBS implementing, and employing instruments and methods to approach will need to accommodate. Naturally, these variables assess how much risk an FSP poses to the supervisory objec- may change with time, which will lead to the need for ongoing tives (including assessing the quality of the FSP´s measures evolution of an FCP RBS regime. to mitigate these risks). These risks are ranked and prioritized, and based on such assessments, the Authority will adjust its interventions. 2.3 OVERARCHING SUPERVISORY APPROACH • Industry-centric supervision: An Authority taking an indus- The FCP RBS methodology that an Authority develops will try-centric approach to supervision places greater focus on depend in part on its overall strategic direction for FCP super- promoting that FSPs adhere to appropriate business standards. vision. Conversely, this methodology may also have implications The sectoral point of view provides the main perspective. In for (and may result in changes to) that approach going forward. terms of activity, the Authority would obviously monitor, con- When an Authority considers the possible implementation of RBS duct investigations, and impose legal measures. However, the for FCP, it should first consider what is its current, and intended, Authority also attaches greater importance on maintaining overall strategic approach to FCP supervision. This overall stra- a cooperative relationship with FSPs. It expends significant tegic approach affects not only how the Authority ultimately effort on account/relationship management. Regular conver- embeds and executes RBS within its processes but also factors sations with FSP representatives are a crucial instrument and such as staffing and organizational arrangements, which, as dis- component of its supervisory approach (as well as with other cussed below, have their own implications for RBS development approaches), both to maintain this relationship and to gather and implementation. information and steer FSPs in the right direction. This approach may also include efforts to promote self-regulation (for exam- One way to conceptualize an Authority’s possible overall strate- ple, codes of conduct) and work with third parties (for exam- gic approach to FCP supervision is by reference to the five dom- ple, to grant certifications). inant supervisory approaches indicated below.9 Note that these • Responsive (motivational) supervision: An Authority taking a approaches are not mutually exclusive. In fact, real-life supervi- Context Factors when Developing an FCP RBS Approach  |  7 responsive/motivational approach focuses on influencing FSPs’ nificant effort on analyzing potential problems in the financial behavior. The main perspective is motivational—namely, moti- sector and identifying their underlying drivers or root causes. vating FSPs to comply with regulations and possibly good con- Each substantial problem has its unique features that need to duct principles and other relevant standards or, more broadly, be considered to devise a custom-made—and, if necessary, to serve consumers’ interests adequately. Responsive supervi- even untested—solution. The Authority would not necessarily sion makes use of aspects of both a compliance and an indus- limit itself to a fixed set of instruments. try-centric approach. It starts from an assumption that FSPs Pros and cons of each supervisory approach are summarized in will want to comply with regulations and serve consumers’ table 1. Appendix C describes in more detail the key characteris- interests. Therefore, the Authority may initially use light-touch tics of each approach and its pros and cons. supervision (for example, provide guidance, perform less intru- sive investigations). However, in its interactions with FSPs the Except for a purely compliance-based approach, all the supervi- Authority makes it clear that, in response to noncompliance, it sory approaches described above are “risk based” in the sense will apply escalating pressure, up to a heavy-handed enforce- that they are set up to focus an Authority’s attention on the issues ment approach. If, in response to such escalation, FSPs return that it deems pose the biggest risks to its supervisory objectives. to compliance, the enforcement effort can be scaled back. To However, the perspective and methodologies used in delivering implement this approach, the Authority would expend much on these objectives vary considerably. As mentioned, the five effort in conveying its approach to FSPs (letting them know approaches are not mutually exclusive, and an Authority may very what to expect in case of compliance or noncompliance, mak- well adopt an overall strategy that combines multiple approaches. ing them see how compliance is in their best interest), as well For example, the overall approach of an Authority might be more as gathering accurate information about FSPs and industry seg- problem focused, but its licensing department may function in ments to assess to what extent FSPs comply and what their a compliance-based manner—focusing on whether regulatory compliance motivations are (to be able to tap into those moti- requirements to attain a license have been met. vations). • Problem-focused supervision: An Authority taking a prob- Importantly, implementation of RBS for FCP does not mean lem-focused approach concentrates on identifying and fixing that an Authority should adopt one approach permanently, to issues in the supervised markets that threaten its supervisory the exclusion of the others. For example, an Authority that is objectives (for example, preventing or mitigating harm to con- only starting its FCP supervision journey may decide to begin sumers). The main perspective is pragmatic: the Authority is with a simpler compliance-based approach while it gains confi- focused on finding solutions that work. This includes using a dence with RBS in parallel. Or an Authority that is already more broad range of supervisory techniques and may go beyond confident with FCP RBS may, for example, have a strategy that applying regulations (for example, averting through informal focuses primarily on a risk framework–centered approach but interventions FSP conduct that may be legal but nevertheless is with increasing use of problem-focused supervision. Similarly, harmful to consumers), if that is deemed effective to deal with combining traits of responsive supervision with a risk-based an identified problem. The Authority is likely to expend sig- approach is equally feasible. TABLE 1 Characteristics of Five Common Overall Supervisory Approaches 1) Compliance- Risk Framework– 2)  3) Industry- 4) Responsive 5) Problem-Focused Approaches Based Centered Centric (Motivational) Perspective Legal Risk management Industry-centric Motivational Pragmatic Core activity Enforcement Risk analysis and Account management Assess and steer FSP Problem-solving mitigation motivations Typical tool Legal checklist Risk analysis tools Regular conversations Responsive conversations Custom-made and methodology intervention Method and Enforcement Risk management Account structure Escalation pyramid Project-based organizational model process cycle (network) Preferred measure Enforcement Risk mitigation Market and industry Carrot and stick” “ Reporting of problems of results tally statistics development examples solved Potential Simple legal Priorities fine-tuned High industry issue Sophistication and Customized upside reference point to risk level awareness flexibility interventions Potential Legal myopia Overemphasis on Regulator may be too Complexity and Limited standardization downside and inefficiency tools and methods lenient on FSPs unpredictability and learning 8  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision When an Authority is developing its RBS approach, consider- not exist yet and RBS implementation was only one aspect of the ation of the following key questions is suggested to assess what overall initial setup. the Authority’s current overall approach to FCP supervision is, a. Has the Authority ensured leadership’s long term credible what it will be in future, and what changes may be necessary to commitment to the development and implementation of FCP accommodate RBS and respond to market conditions. RBS at all hierarchical levels, including its executive and super- a. What is the predominant perspective of the Authority’s future visory board(s)? FCP supervision? Does this perspective “match” with its current b. Do the current and/or future organizational structure and approach(es), and, if not, what might need to change? reporting lines ensure that the Authority’s FCP function has b. What aspects of other supervisory approaches may be adequate operational mandate and practical autonomy from adopted as part of the intended approach of the Authority? other functions (for example, from prudential functions, which may have already previously developed and implemented pru- c. In considering the first two questions, what approach seems dential RBS, as well as from handling consumer complaints) to most likely to be effective and legitimate in the context of the develop and implement RBS effectively for FCP purposes? Authority, considering • The resources and capabilities available to the Authority c. How can effective and efficient cooperation with all other rel- presently and in the foreseeable future; evant functions within the Authority (for example, licensing, prudential supervision, complaint handling, financial inclusion, • The nature of (i) the regulated sector, (ii) the FSPs active in financial education, legal, research, IT/data management) be this market, and (iii) the predominant FCP issues presented secured to support RBS appropriately? by these FSPs’ activities; and • The expectations of the various external stakeholders (pub- d. Do the Authority’s organizational culture and the attitudes of its lic, political, administrative, and so on)? key officials sufficiently support FCP RBS implementation? 4. Which choices regarding the supervisory approach have e. Does the Authority possess sufficient change management already been made (implicitly or explicitly)? Which additional capabilities? These capabilities may include the following: choices can be made in the foreseeable future, to enable the • Executive time and focus dedicated to implementing an implementation of a focused, coherent, and well-customized FCP RBS regime FCP RBS approach? • Sufficient dedicated staff, with ample formal and informal standing within the Authority, to coordinate and push for- The answers to these questions may guide the Authority in ward a range of parallel and interconnected change and adjusting its approach. They will also inform other practical ques- implementation work streams tions discussed below, such as decisions regarding internal orga- • IT and data management change capabilities nizational arrangements and resourcing. The outcome of such an analysis may lead to changes in inter- nal responsibilities, the organizational structure (organigram) for 2.4 ORGANIZATIONAL SETTING FCP, and the budget available for FCP. An analysis of the orga- nizational setting for implementation of RBS should also guide The internal organizational setting for undertaking FCP RBS is subsequent decisions on topics such as staff composition for a crucial for its efficacy. The department primarily responsible risk-based FCP supervisory function, data sources, supervisory for executing FCP RBS requires sufficient resources, institutional methods and tools adopted, and the risk framework to be devel- support, and autonomy to conduct adequate risk analyses and oped. For example, if the initial analysis identifies insufficient orga- engage FSPs effectively based on the outcome of these analyses. nizational willingness to support change, it may be unfeasible to In addition, the trajectory of implementing an RBS regime—which proceed with FCP RBS implementation at the current time. Efforts typically spans several years and the development of multiple should be focused first on generating high-level and broad sup- iterations or developments while continuing to discharge FCP port for change management. supervision responsibilities—can put substantial demands on the Authority’s organization. 2.5 STAFF CONSIDERATIONS The following key questions should be considered when con- structing and maintaining an appropriate organizational setting An RBS regime is likely to place considerable demands on the for FCP RBS. The questions identified here are focused on organi- staff primarily responsible for its execution. These demands zational support for RBS implementation. The Authority also needs relate both to staff hours and to skill sets and experience. Regard- to ensure adequate support for FCP supervision more generally, less of approach, the qualities frequently required of staff engaged which would be even more front of mind if such a function did in FCP supervision (formal background, knowledge, skills, expe- Context Factors when Developing an FCP RBS Approach  |  9 rience) already differ significantly from those required of staff ancillary and supporting departments. For example, the initial responsible for functions such as consumer complaint handling, analysis may determine that current staff lack data analytics skills, as well as those sought for prudential supervision.11 However, in but there is sufficient scope to expand capacity (such as by hiring an RBS context these qualities can also differ substantially from supervisory officers and a quantitative researcher, or by bringing in those required of staff engaged in a simpler and more mechanical officers from prudential supervision or other specialized risk units compliance-based supervisory approach to FCP supervision. (See whose skill sets can be adapted) or to upskill existing staff. appendix C for further elaboration.) For instance, effective FCP RBS requires substantial knowledge of the workings of financial prod- ucts and services and underlying FSP processes, associated FCP 2.6 CURRENT DATA POSITION regulation, and consumer behavior. It also requires strong inter- personal skills and thorough quantitative and qualitative analytical RBS tends to be a data-intensive form of supervision. An Author- abilities (for example, root-cause analysis). ity’s access to data—which can also be referred to as its “data position”—is a crucial factor in constructing an effective FCP RBS When developing a customized FCP RBS approach, it is import- approach. As discussed later in this Note, for the risk-based frame- ant to consider the following key questions regarding staff: work at the center of an Authority’s RBS approach to be useful, the Authority will need to be able to obtain the data required to a. How many staff members dedicated to FCP RBS are currently conduct the analyses required by the framework to a reasonable available, and how many can be made available in the foresee- degree (as data is never complete). A risk-based framework that able future? does not match available data can be ‘worse than useless,’ poten- b. Which technical backgrounds are available; which others may tially taking up supervisors’ attention with ineffective information, be needed? For example: or taking them in inappropriate directions, rather than allowing • Law/regulatory them to make better—even if more limited—decisions based on whatever accurate information they actually have. • Economy/business administration/sociology • Auditing/analysis To start conducting RBS analyses for FCP purposes, a wide range • IT/data management and analysis of data types may be relevant. Examples of such data types are • Administration/support listed in table 2, which sets out a high-level overview intended to assist in an exploratory analysis of an Authority’s current data c. Which relevant practical knowledge, skills, and experience position. (A more detailed stocktaking will likely be required at fields are available; which others may be needed to contribute later stages of the implementation of the FCP RBS approach.) More specifically to effective RBS? For example: detailed discussions about useful data, associated risk indicators, • Legal/regulatory and their relevance to FCP are included in sections 3.1 and 3.2 and • Industry segments appendix A. • Financial products/services The following are key analytical questions to assess an Authori- • Monitoring/supervisory/enforcement methodology ty’s current data position for its FCP RBS purposes: • Analytical and data management a. Which data sources, relevant for FCP RBS, are currently avail- d. Do relevant staff have the necessary mindset and perspective able within the Authority (including data from functions other needed to deliver on the Authority’s FCP RBS aims? Key traits than FCP supervision within the Authority, such as prudential or include being proactive (this is crucial because it can take con- other supervision/oversight, financial inclusion, complaint han- siderable initiative to identify FCP risks that are not apparent dling, any credit registry, and research functions)? and to take strategic action to deal with them) as well as flex- b. Which data sources, relevant for FCP RBS, are currently avail- ible (for example, to adapt to new methods and a changing able from FSPs context, even when the FCP RBS regime is fully developed). These are obviously not to the exclusion of other traits relevant • In a standardized format/frequency; or to FCP supervision more generally, such as a consumer-protec- • In an ad hoc manner (for example, via one-off information tion focus, thoroughness, tenacity, and integrity. requests)? c. Which data sources, relevant for FCP RBS, are currently avail- The outcome of such an analysis should guide an Authority’s prac- able from other entities (other regulators, external dispute res- tices and decisions with regard to hiring, training, and retaining olution mechanisms/financial ombudsman schemes, consumer staff in order to provide the necessary capacity to operate a new associations, social media, and so forth) FCP RBS approach. This applies to the staffing of both the depart- ment primarily responsible for executing the FCP RBS regime and • In a standardized format/frequency; or 10  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision TABLE 2   Examples of Data Types Relevant to Help Implement an FCP RBS Approach Data Type Relevant for FCP Further Specifications 1 FSP organizational profile 1.1 License type 1.2 Governance Organizational structure, governance and ownership, outsourcing arrangements 1.3 FSP leadership Executive and nonexecutive board members; other key executives 1.4 FSP risk profile 1.5 FSP conduct track record Regulatory compliance; fair treatment of customers (also questionable conduct besides regulatory noncompliance) 1.6 FSP regulatory relations Interactions with the Authority 2 FSP customer profile 2.1 Number of customers 2.2 Customer characteristics Age, wealth, customer segments 2.3 Regional customer distribution 3 Product and service characteristics 3.1 Types of sales and service channels 3.2 Categories of products/services 3.3 Product/service characteristics Reported by FSPs or available via, for example, corporate websites 3.4 Marketing materials Digital/analog 3.5 Terms and conditions 3.6 Realized service data For example, customer interactions recorded by FSP or other entities; mystery shopping data 4 Incentives that drive market conduct 4.1 Executive remuneration Including bonuses and other potential incentives such as share options, expense accounts, discounts, vouchers 4.2 Sales staff remuneration Including bonuses and other potential incentives such as share options, expense accounts, discounts, vouchers 4.3 Organizational incentives For example, intermediation commissions 5 Business and commercial indicators that drive market conduct (prudential data) 5.1 Macroeconomic and monetary analyses 5.2 Business model analyses 5.3 Solvency indicators 5.4 Liquidity indicators 5.5 Commercial indicators For example, product margins, profitability, marketing expenses 5.6 Client-related money movements Payments, collections, and other client-related money movements (for example, refunds, benefits) 6 Complaints data 6.1 Formal complaints data Complaints submitted to FSPs, the Authority, an external dispute resolution mechanism (for example, financial ombudsman scheme) 6.2 Informal complaints data For example, grievances expressed via social media 7 Operational supervisory data (if transitioning from compliance-based to RBS approach) 7.1 Information reporting data 7.2 Inspection data 7.3 Enforcement data Context Factors when Developing an FCP RBS Approach  |  11 • In an ad hoc manner (for example, via a one-off information of data available. For example, if available data regarding com- request)? plaints is limited to a basic set of general data, then just one category of “complaints” may be enough. However, if available d. Which data sources, referred to in the questions above, might data is more granular and diverse, then it is likely that “com- be made available in the foreseeable future? plaints” would be better framed by having subdivisions (that is, “internal complaints,” “external complaints,” “ombudsman The answers to such analytical questions will directly affect what complaints,” and so on). If there are more specific subdivisions, FCP RBS activities can be undertaken in the near term and will such as categories related to products or the nature of com- guide the Authority’s actions to improve its current and future plaints, these could provide even more accurate data sources data position to build up its FCP RBS model. For example, an to be prioritized. initial assessment may determine that the licensing and pruden- tial supervisory departments administer several databases that • Data source systematically track several data types listed in table 2, while This category is intended to record the origin of the data— banks report limited amounts of such data, but additional data on more specifically, the organization (if external) or department/ complaints may be available from several relevant ombudsman area (if internal) responsible for the data. Some data may orig- schemes. In such a scenario, the Authority should seek to establish inate from external entities or persons but is processed and operational data sharing linkages with relevant internal and exter- delivered by an internal data owner (such as complaints or nal data sources while also planning to rely on ad hoc information prudential data from FSPs). Most of the data already available requests in the short term for its FCP RBS activities. will likely be internal, but some relevant external data may also already be available. Alternatively, an initial assessment may determine that existing • Data description systems collect very limited data that can be utilized for FCP RBS Name of the data, including the original source (if it comes orig- activities. In this scenario, it may be necessary to rely on more inally from FSPs, for example), even though it has an internal qualitative and ad hoc assessments during the initial stages of FCP data owner. RBS activities while making it a critical priority to dedicate time and resources to exploring and improving the Authority’s overall • Other data characteristics data position for FCP to enable expanded FCP RBS activities over Qualitative/quantitative data, frequency of collection, seg- the longer term.12 ment/product relation. It is useful to undertake such a stocktaking through active and To assist with an initial data stocktaking and, importantly, to con- broad engagement (for example, workshops) and not only via tinue to build on this as its RBS approach is further developed, passive means. After finalizing the list, it should be easier to it is useful for an Authority to capture various details about data assess whether there may be important data types, segments, or items. The details captured may vary, but they need to help in products that are not sufficiently available. If that is the case, two identifying not only the data and its source but also its reliability solutions are possible: (1) to seek existing additional data cur- and feasibility of collection, since these segmentations will help rently unavailable, or (2) to look directly for indicators (instead of to prioritize, in a next step, which set of data will actually be col- identifying the data and then creating the indicators). Unavailable lected, at least in a first supervisory cycle. This exercise is meant data may be costly to collect, so the first option should be con- only for supervisory purposes and should not be confused with sidered cautiously. Indicators generated by other departments formal “Data Classification Policy” methodologies used by orga- or organizations will limit the Authority’s capacity to influence its nizations to manage data sensitivity. The following list suggests a governance and updates, so it is more viable as an alternative possible (non-exhaustive) set of categories: when the owner of the indicator is closer—for example, inside • Data type the same organization. External indicators could be considered A brief description that allows the reported data to be seg- depending on how critical the gap is that they would be able to regated by its purpose. This can be standardized (for exam- close. A final output would be a list of all relevant data available ple, complaints, regulatory reporting, commercial data, social to start data collection and analysis, the first of the core elements media). There is no single way of defining this categorization, of an FCP RBS approach, as discussed in the next section. so it is important to create categories according to the kinds 12  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision NOTES 8. For more information on the legal and regulatory context see WBG (2017). 9. For example, see Kasdorp (2018). 10. A substantive supervisory strategy geared toward achieving specified outcomes for financial consumers is sometimes referred to as a “customer-centric strat- egy.” Such a strategy may feature a risk framework that is geared toward measuring and analyzing the degree to which such specified outcomes for financial consumers are achieved. 11. For further information on the different skill sets required for FCP supervision, see WBG (2014). 12. For additional information on tools to assess the quality of regulatory reporting data, see Izaguirre et al. (2022). 3 Core Components of an FCP RBS Approach This section discusses four components that typically make up dimensions, as illustrated in figure 4.13 Note that the two “oppo- the core of an Authority’s FCP RBS approach. Authorities will want site” types of data collection and analysis highlighted for each of to consider these components holistically, together with the con- the four dimensions presented can be considered as opposite text factors outlined in section 2. A first core component is the data ends of a continuum. They do not necessarily exclude each other collection and analysis strategy that underpins the Authority’s RBS and indeed are often complementary. approach (discussed in 3.1). Another core component is a set of a. A first consideration for data collection and analysis is to what risk indicators, which in an FCP context will normally include both extent an Authority’s FCP RBS approach will rely on super- qualitative and quantitative indicators (discussed in 3.2). Authorities vised FSPs’ risk identification and control processes versus adopting an RBS approach will frequently (though not always) use directly verifying whether the providers’ resulting conduct a formalized risk assessment framework to structure and guide risk affecting consumers (the output of these processes) is appro- analyses that inform prioritization and other decisions regarding priate. In this context, an FSP’s control processes may refer to monitoring, supervision, and enforcement (discussed in 3.3). The the full set of explicit and tacit measures (procedures, forms, final core element of an RBS approach comprises the ongoing mon- IT systems, governance arrangements, leadership, aspects of itoring, supervisory, and enforcement tools and activities that will corporate culture, and so forth) that an FSP uses to steer the be deployed on a risk basis and used in turn at least in part to sup- market conduct of the organization and its staff. The extent to port the ongoing identification and assessment of risks (discussed which an Authority relies on a process-based approach has a in 3.4). In effect, these activities constitute a risk-informed version of profound impact on the type of data it collects and analyses to the continuous supervisory cycle described in section 1.3. ensure an appropriate degree of FCP, as well as on the type of risk indicators, risk assessment framework, and risk-based mon- itoring and supervision activities that may be suitable to deliver 3.1 DATA COLLECTION AND ANALYSIS on its RBS approach. How an Authority collects and analyzes data lies at the heart of For example, using a primarily process-based approach to its RBS approach. From a conceptual viewpoint, Authorities tend data collection and analysis, the Authority might audit the to balance how they collect data for RBS purposes along several procedures that an FSP employs to control how its staff han- FIGURE 4 Data Collection and Analysis Approaches Relevant to Developing an RBS Approach a. Data at which level? b. How much data? c. Data obtained on what basis? d. Data with what scope? Process based Selective Standard FSP specific Output based Comprehensive Ad hoc Thematic/cross-cutting   13 14  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision dles consumer complaints. This may require obtaining copies to drill down to pinpoint the precise nature of market conduct of relevant policies and procedural manuals, doing a walk- issues. On the other hand, a selective approach is likely to be through of relevant IT systems and procedures, reviewing the more powerful—for example, if backed up by the collection and staff training setup, interviewing relevant officials, and so on. In analysis of more comprehensive preparatory information. How contrast, in a primarily output-based approach, the Authority an Authority strikes the balance between comprehensive and would audit how individual complaints are handled in prac- selective data collection and analysis is typically closely con- tice. This would require other types of data and analysis. This nected to the other core components of its RBS approach, such Authority might obtain and analyze a sample of complaint files, as its selected risk indicators and toolkit of risk-based monitor- recordings of complaint-handling calls, and consumer feed- ing and supervision activities, discussed in the sections below. back—for example, via social media channels. c. There is also a balance to be struck between a focus on stan- An advantage of a primarily process-based approach is that dard (regular/periodic) and ad hoc data collection and analy- it can be more efficient and less time-consuming than an sis. Standard data collection and analysis (for example, regular/ output-based approach, such as when analyzing large-scale periodic FSP reports and data transfers) can be efficient in the operations, where representative direct verification requires sense that both the Authority and relevant FSPs can adjust their large samples. In certain circumstances, such an approach systems and practices to this information flow. However, stan- may be more effective in identifying the cause of shortcomings dard data collection and resulting analysis alone is unlikely to (for example, a flaw in the training of complaint handling staff), produce a sufficient indication of significant supervisory issues. rather than just the symptoms (incidents of inappropriate com- An Authority can, in addition, customize ad hoc data collection plaint handling). This approach might more effectively stimu- and analysis to increase the effectiveness and relevance of data late investigated FSPs to improve their practices and mitigate capture, providing in-depth insights into potential conduct the risks they present to consumers. issues that cause risks to consumers. In addition, addressing However, a process-based approach alone can also prove to newly identified issues effectively often requires ad hoc data. be ineffective or inappropriate. It can easily be reduced to a The potential for ad hoc requests for data can also assist to paper exercise (supervisory officials scrutinizing policy docu- keep FSPs themselves vigilant for new issues. ments) that does not accurately identify actual daily practices The balance an Authority strikes between standard and ad (for example, how well consumers are treated). It may thereby hoc data collection and analysis will have significant implica- also stimulate FSPs themselves to focus on the paperwork, tions for how its RBS approach works in practice. For example, rather than on the purpose of that paperwork and on what an Authority that emphasizes standard data collection and anal- happens in practice. ysis will typically devote more resources to setting up an ongo- Therefore, it is generally advisable to combine elements of ing monitoring data flow (from FSPs and other sources) that process-based and output-based approaches. Practical imple- feeds into its risk indicators, which in turn feed into FSP-specific mentation factors, such as staff capabilities (for example, data risk ratings. A greater part of its engagements with FSPs may analysis skills) and the technology that it adopted to support also be devoted to improving this data flow. In contrast, an data capture and analysis, should account for how and to what Authority that emphasizes ad hoc data collection and analy- extent an Authority relies on process-based or output-based sis may devote its FSP engagements mostly to discussing the approaches. substantive FCP risks that result from the FSP’s market conduct. d. A fourth crucial data-related balancing choice for an Authority b. A second data-related consideration in developing an Author- is the extent to which its data collection and analysis focus on ity’s FCP RBS approach is the extent to which it will be FSP-specific issues or on thematic issues relevant to part or all focused on selective data collection and analysis, in contrast of the financial sector it supervises. Risk framework–centered to undertaking more comprehensive data collection. Statisti- and problem-focused supervisory approaches (discussed in cal analysis of a more comprehensive dump of transaction data section 2.3 above and in more detail in appendix C) lend them- may, for example, reveal patterns not evident from a limited selves well to addressing risks and issues that transcend an sample. However, selective data collection—such as scrutiniz- FSP-specific context (also referred to as “thematic/cross-cut- ing a selective sample of transactions, followed by a targeted ting issues”), either because many FSPs are affected by the series of interviews with an FSP’s relevant staff—may better same issue (for example, a widespread failure to comply with enable an Authority to understand such patterns and identify certain new regulations) or because it is a collective issue (for their underlying drivers. example, intense competition pressures triggering patterns of An optimal approach is likely to include a balance of both misconduct among a range of FSPs). For thematic analyses, the comprehensive and selective data collection and analysis. Authority will need to build up a data set and conduct in-depth An approach that focuses only on the former is less likely to analyses that cut across a range of FSPs. In contrast, a primar- be effective, given that at some point the Authority will need ily FSP-specific approach to risk-based data collection may be Core Components of an FCP RBS Approach  |  15 focused more on issues that are unique to a particular FSP (typ- 3.2 RISK INDICATORS ically the most impactful FSPs in the local market). The balance that an Authority strikes between focusing on FSP-specific or Once an Authority has made initial choices about its data col- thematic issues will affect its choice of risk indicators, the type lection and has a sufficiently clear perspective regarding the and elements of its risk assessment framework, and the risk- context factors discussed above, the natural next step is devel- based supervisory activities in which it engages. oping an initial set of risk indicators. As with other core compo- nents of its RBS approach, choosing and designing risk indicators In addition to the four balancing choices discussed above, an will require an Authority to select not only what is relevant to its Authority’s ability to analyze and address the root causes of the approach but also what is feasible. Context factors of particular FCP issues identified will likely have a dominant impact on its relevance here include having a sufficient understanding of the long term efficacy. A pitfall to avoid is that interventions may have characteristics of the market it supervises and of its data position, only short-lived effects. Once supervisory attention is focused as these will have a direct impact on what are likely to be the most elsewhere, if the root cause of an issue has not been addressed, useful and feasible indicators. the issue may reemerge (in the same or a similar way). Performing root cause analyses of FCP issues requires experience, a sound a.  What Are Risk Indicators? understanding of business issues, and strong critical analysis skills. Subsequently addressing these root causes by engaging the rel- Risk indicators provide much of the basis for undertaking the risk evant FSP(s) also requires strong communication skills and perse- analyses that ultimately support risk-based supervisory decisions verance. in the context of RBS. They are intended to provide a measure, or other relevant indication (whether direct or indirect), of risks that Capacity limitations are a crucial factor to bear in mind when that an Authority’s FCP supervision is concerned with addressing. developing an initial data collection and analysis approach, An Authority that has accurately defined its supervisory approach especially for Authorities with limited resources. For instance, having regard to its context will be able to determine more easily process-based data may at times be easier to come by (through which indicators will provide a useful perspective of the market. reporting and/or information requests) than output-based data With time, changes within the market and context factors, espe- but may require more expertise to assess appropriately. Also, set- cially the legal and regulatory foundation, will likely require new or ting up a standard (regular/periodic) data flow tends to require enhanced indicators. a greater up-front investment of time and resources, as well as expertise, than obtaining samples of data by issuing ad hoc infor- When selecting an appropriate set of initial risk indicators, an mation requests. Authority will need to focus on the indicators’ intended purpose and ultimate relevance to apparent FCP issues. It will also be In light of the above, a key focus for an Authority will be what necessary to consider whether and how an indicator will be able choices it makes with regard to data collection and analysis for to show changes relevant to supervisory action. A good practi- its FCP RBS function. The choices made on the questions listed cal test, if possible, is to evaluate what prior outputs of potential below will affect the types of data an Authority collects and ana- indicators would have been. If a particular indicator would have lyzes to support its FCP supervision generally, as well as the type shown little relevant change over, say, the last two to three years, of risk indicators, risk assessment framework, and risk-based moni- such an indicator may not be as useful to prioritize in an initial indi- toring and supervision activities that may be suitable to deliver on cator set (unless there are other compelling supervisory reasons its RBS approach. for including it, such as if the lack of change is due to persistent ongoing issues).14 a. How will the Authority balance and combine process-based and output-based approaches to data collection and risk analysis? b.  Setting the Parameters for Individual Indicators b. How will the Authority balance and combine selective and Developing well-defined indicators requires identifying sufficient comprehensive approaches to data collection and risk analy- parameters for each indicator, which should be captured in some sis? standardized form. It is important to describe each indicator with c. How will the Authority balance and combine standardized and sufficient detail and clarity to ensure consistency in how staff (and ad hoc approaches to data collection and risk analysis? any systems) capture, administer, and report on these. Table 3 pro- d. How will the Authority balance and combine FSP-specific and vides a sample initial template, with suggestions for parameters. thematic approaches to data collection and risk analysis? This is only one possible way of defining indicators; an Authority should choose both the parameters and a format appropriate for e. To what extent will the authority engage in root cause analy- its context. ses? 16  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision TABLE 3 Sample Template for Risk Indicator Parameters Indicator Name of indicator to be tracked Description Brief description of what is being tracked/measured (and how this is calculated, if necessary) Format Whether the indicator reports qualitative or quantitative data (and any other relevant details) Periodicity Indicator may be reported monthly, quarterly, or yearly, or periodicity may be not applicable (for example, if frequency is irregular or it is based on qualitative data) Purpose How the indicator is relevant in terms of FCP-focused risks and corresponding risk assessment Risk correlation For quantitative indicators only, state if the indicator output is positively correlated to risk (the higher the figure, the higher the risk) or not Data source Specific data (available to the Authority) that will be used to generate the indicator There is likely to be a variety of ways to determine individual indi- different sizes, types, and complexities. An example of a com- cators and interpret results for the purposes of a risk assessment, mon and useful measure is “complaints per 1,000” (or a similar as well as to establish thresholds or triggers for supervisory measure), which consists basically of weighting the number actions. It is important to ensure that the set of selected indicators of complaints by some metric of the volume of business (for includes appropriate complementary indicators to support better example, per 1,000 accounts, per 1,000 sales, or per 1,000 supervision decision-making. Reaching sound conclusions based insurance policies). on indicators will of course also always require sound supervisory Example: Three or four FSPs have almost the same number of judgment. complaints reported for the last quarter. However, since the FSPs have considerably different numbers of active consum- Indicators may assist in identifying FCP-related risks through, for ers, the absolute figures are not comparable. The Authority example, the following: therefore creates an index: total complaints divided by num- a. Nominal numbers (over a reporting period, in total, and so ber of customers for each FSP, or calculating the number of forth): What is the current figure? How does this figure com- complaints per 1,000 accounts, then dividing by the number of pare to prior periods/performance? Is it above or below aver- active accounts. In both cases, an FSP with a higher index will age? Changes between reporting periods or to averages could indicate a worse ratio of complaints. indicate a relevant change in FCP risk concerns. d. Data aggregation (combination of all FSPs’ results, when avail- Example: If there is a sudden/material increase in an FSP’s able): Many FCP risk indicators will also allow consolidation of total complaints indicator, or in complaints about a particular individual FSPs’ figures to reach a total market number. This can product, this may warrant further analysis or action. be key not only to monitor the market but also to provide a basis for weighting each FSP against the market figure. b. Growth rate: This figure is calculated by dividing the difference between the start and end values for the period(s) being ana- Example: An Authority is monitoring a market composed of lyzed by the starting value. It can be useful to understand and five major FSPs in terms of total complaints. However, two are compare the pace of growth of different indicators. responsible for 70 percent of all market complaints. This may draw greater attention to them than to the three other FSPs. Example: The total complaints indicator for an FSP shows a The level of supervisory attention will also be influenced by growth rate of 10 percent in the last two quarters, but the other FCP risk indicators. number of the FSP’s active consumers increased by more than 15 percent within the same period. The figures in combina- e. Market average: Calculating an average for a market by using tion may therefore indicate that the increase in complaints is individual FSP figures will allow an Authority to compare not as potentially concerning as may be suggested by the FSPs above and below that average (and the extent to which first indicator alone. This example shows the importance of this is the case for each FSP), which can provide a relatively selecting a sufficiently complementary set of indicators and straightforward perspective of possible priorities to address not treating the selection of each indicator as a separate and in supervisory activities. Market averages will provide more stand-alone exercise. meaningful results when used to compare FSPs of the same peer group, usually grouped by factors such as by provider c. Weighted measure (for example, by total market figures, total type, product, or size. However, an FSP’s performance may accounts, total consumers, total assets, and so on): Absolute be affected by several endogenous and exogenous factors numbers may need parameters that allow verification of the that must be accounted for carefully to produce a more accu- real weight of an indicator. This may require the calculation of rate comparison. an index that allows the comparison of indicators from FSPs of Core Components of an FCP RBS Approach  |  17 Example: In a supervised market comprising 10 major FSPs in • Profile of target segment(s) terms of total complaints, four FSPs are close to the average • Evaluation of FSPs’ internal control and quality of management complaints index, two are below the average, and four are to mitigate risks significantly above it. • Geographic coverage f. Market benchmarks and performance ranges: Highest/er and lowest/er historical figures for indicators and individual FSPs After defining all individual risk indicators, some Authorities pre- can be key in understanding FSP performance and potential fer to separate the indicators into impact indicators16 and proba- risk implications. It is important to consider such historical per- bility indicators.17 Other Authorities compile them together. There formance ranges and the implications of indicators that show are different possibilities for combining indicators and the best significant change in either direction. option for each Authority will depend on considerations relevant Example: If an FSP reaches the highest complaints figure ever to the framework in which they will be used. These are discussed recorded, that could merit further attention. However, an FSP in section 3.3 on the risk assessment element of FCP RBS. showing a very low relative number of complaints, depending on context, may raise concerns regarding the quality of the Appendix A provides a range of examples of qualitative and data being reported, also potentially meriting further super- quantitative risk indicators from an FCP perspective. The indi- visory attention. cators used by any Authority should be selected carefully and designed to ensure that they are useful and appropriate in that Authority’s supervisory context. The G20/Organisation for Eco- c.  “Start Small but Start Right” Approach nomic Co-operation and Development’s Task Force on Financial RBS is an evolving process for any Authority. At first, it is rec- Consumer Protection has also published guidance on FCP risk ommended that an Authority develop a relatively small number drivers relevant to the selection and development of risk indi- of indicators, using the best possible data and prioritizing essen- cators.18 tial risks within the jurisdiction. As the Authority progresses and staff members gain confidence and experience, the indicator set can be expanded. For example, FCP supervisors may initially have 3.3 RISK ASSESSMENT FRAMEWORK access only to some complaint-related data and other basic data regarding FSPs, such as number of customers, number of trans- An Authority developing an FCP RBS approach will frequently actions, loan volumes, and so forth. A small set of risk indicators adopt some form of formalized risk assessment framework to built around the monitoring of complaints received, transactions structure and guide the risk analyses that ultimately inform its processed, loans approved, and similar indicators can be more prioritization of supervisory efforts and resources. The extent of than sufficient to support an initial RBS-based supervisory cycle. formalization, detail, and specificity of such a framework will vary Starting with a large number of indicators, or with more complex significantly depending on each Authority’s context and needs. indicators, may be tempting, given the potential information it The characteristics of the framework that an Authority ultimately generates. However, particularly at the start, it can raise the risk of settles on will depend on factors such as its current legal and reg- relying on or attempting to reconcile bad information (as the num- ulatory foundation, organizational setting, and overarching super- ber of indicators grows, so grows the risk of “garbage in, garbage visory approach. It is also important to ensure that the way any risk out”), and it may overwhelm the risk-based prioritization process, assessment framework is ultimately applied, and relied on, is not affecting the effectiveness of resource allocation. excessively rigid. Room should always be left in supervisory deci- sion-making for adjustments based on supervisors’ professional An initial set of indicators could include the following, for exam- judgment. ple:15 A risk assessment will be the result of the analysis of selected • Number of retail (consumer) clients risk indicators and other relevant and available data, with the • Number of accounts (for example, loans, deposits, credit cards) purpose of obtaining a risk view of the market and of at least the • Volume of consumer complaints relative to a measure of size, most relevant FSPs. This risk view will be key to determining which such as total depositors, borrowers, turnover, or assets FSPs merit more intensive supervisory attention and resource • The nature of consumer complaints (for example, complaints deployment and for which FSPs a less intensive, more reactive related to fraud and abusive behavior may be deemed more approach is justifiable on a risk basis, or which consumer seg- important than those related to errors) ments are being exposed to the most harm by market risks being monitored. The same approach will also apply, one level down, • Main product line(s) (for example, complexity) and market share with regard to which activities, internal processes, and business • Distribution channels (for example, third party agents or bro- lines within relevant FSPs may merit more supervisory attention kers) 18  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision and resources. For example, a risk assessment can inform supervi- choose to begin with FCP RBS as part of their existing prudential sors about which areas and products should be prioritized during assessment framework and thus to undertake an FCP risk assess- an FSP’s examination and which ones may not be examined at all ment as an element within the prudential risk assessment. This in a particular instance. A risk assessment methodology therefore strategy is not entirely consistent with the reasons why an internal helps indicate not only what to focus on and how intensively but twin peaks approach is advisable, nor with the differences in risk also what should not be prioritized, ensuring that the Authority has focus between prudential and FCP supervision noted above. Nev- a reasonable and coherent process for validating supervisory deci- ertheless, in practical terms, it may at least allow an Authority to be sions, including placing more attention on only some FSPs. This is able to start FCP RBS more quickly and, with time, to then move crucial also because the success of any RBS approach depends on to a separate RBS framework dedicated to FCP. Other Authorities having sufficient capacity and in-depth engagement to address may be able to adopt a separate FCP RBS framework from the start. the most important issues. Particularly within an Authority that covers both prudential and A risk assessment for FCP supervision purposes has a different FCP supervision, there may also be expectations that FCP RBS focus compared to a prudential supervision risk assessment. will reflect some prudential approaches and elements, including Prudential supervisors focus on an assessment of an FSP’s sound- those allowing for some comparability between both risk views. ness. This is typically achieved by considering relevant key risk If that is the case, it is important to reinforce that any FCP-related factors, such as considered in the ‘Capital adequacy, Asset qual- risk definition adopted for this purpose, for consideration with ity, Management, Earnings, Liquidity, and Sensitivity’ (CAMELS) prudential risks, is connected to the probability of harm to financial system,19 as well as inherent risks that could harm the financial, consumers (or similar), rather than risks for the FSP, even if there operational, and liquidity capacity of the FSP (credit, market, can be overlap in terms of risk implications for consumers and FSPs operational, IT, and so on). On the other hand, FCP supervision from some of the same sources.20 must assess the risks not to the FSP, but to financial consumers (typically individuals, rather than all customers, given that not all Once an Authority is working on an FCP-specific RBS frame- financial customers, such as government and most corporations, work, it will have a range of alternatives to consider and choices are equally vulnerable). Risks to be managed come from FSPs’ to make. The framework may be divided into two elements: (1) a conduct or from the broader consumer relationship and use of market-wide risk assessment and (2) an FSP risk assessment, both financial products and services. This is quite a different focus, feeding into and complementing each other. Some examples of focusing on interactions between consumers and FSPs (and a approaches to risk assessment frameworks are outlined below. The range of related parties relevant in this context), the areas and examples do not represent all types of approaches adopted inter- processes affecting those interactions (consumer-facing, gover- nationally but represent some of the more common approaches. nance, product development, and so forth), as well as consumers’ What they all have in common is that they seek to identify FSP-spe- use of relevant products and services. FCP supervisors must also cific risks and specific aspects (products, controls, and so forth) weigh market factors, including financial sector developments, that may warrant greater focus during a supervisory cycle. given that risks being assessed generally relate to mass markets, standardized products, and common distribution channels. More a.  Market-Wide Risk Assessment recently, some Authorities have evolved their FCP risk assessment focus to include the outcomes to consumers or the effects that Implementing a market-wide risk assessment as part of an RBS FSP actions may have on them, in the pursuit of a more custom- risk assessment framework is not strictly mandatory but highly er-centric supervisory approach. recommended, because it can provide an Authority with a more comprehensive view of the main FCP concerns in the market, If an Authority undertakes prudential supervision as well as FCP important trends, and emerging risks for financial consumers. supervision, this can affect some of the choices made in devel- This can be extremely valuable for FCP RBS, since international oping and implementing a risk assessment methodology for FCP experience has demonstrated that the most pressing FCP issues purposes. An Authority may have responsibility only for FCP super- often tend to be cross-cutting/market-wide, rather than isolated vision (for example, being part of a “twin peaks” model, where to individual FSPs. Having a more complete view of risks across prudential supervision is the responsibility of another Authority), or the market can assist an Authority to anticipate issues that may it may be responsible for both. If it is responsible for both, tasks not be as readily identifiable at the FSP level (or are affecting may then be undertaken by separate units or departments (“inter- many FSPs even if a more limited set are subject to more exten- nal twin peaks”) but are sometimes executed by the same unit or sive supervision). A market-wide risk assessment also supports department that undertakes all supervisory functions (although this thematic supervisory interventions (for example, thematic inspec- is generally not recommended from an FCP supervision perspec- tions across a range of FSPs), which can be an effective method to tive, given the risk of conflicts of interest between the two func- generate substantial improvements in the level of consumer pro- tions and the risk that FCP supervision may not receive adequate tection in the market. resourcing or emphasis). In such circumstances, Authorities may Core Components of an FCP RBS Approach  |  19 There are two main approaches to undertaking a market-wide output for FSP-level specific risks; inputs for necessary thematic risk assessment: (1) an approach based on combining individual reviews; and any kind of additional responses to new and emerg- FSP risk views to produce a consolidated risk view (supply-side ing risks, which could include additional examination procedures, perspective), and (2) an approach focusing on how consumers the publication of guidelines, recommendations and warnings, are being affected and are behaving in the market (demand-side and even regulatory changes. Table 4 provides a simple example. perspective). In the first approach, the process of undertaking a market-wide risk assessment will comprise two elements: the col- While it is desirable for a market-wide risk assessment relying lection of results for selected risk indicators for all monitored FSPs on FSP-related data to combine data from all FSPs, this is not for a specific timeframe, and then compilation of these results essential, as it may be difficult to collect all necessary data from so they can be analyzed together for a market risk view. The data all FSPs. It may be sufficient, at least for initial assessments, to for this risk assessment will be obtained from both market- and undertake an assessment comprising a smaller set of the most rel- FSP-level monitoring (discussed in the next section). The second evant FSPs, depending upon the context factors of the legal and approach will require collecting risk indicators that measure con- regulatory framework and overarching supervisory approach. An sumer behaviors and circumstances irrespective of their existing Authority may decide which FSPs are essential to include based relationship with specific FSPs (for example, indicators of indebt- on such impact measures as number of consumers or total assets, edness, vulnerability, financial literacy, demographics, and experi- as discussed under “FSP-Level Risk Assessment” below. ences with and results of using financial services or engaging with FSPs in general). Authorities may choose to use both approaches b. FSP-Level Risk Assessment combined into their risk assessment methodology, depending on the context factors. In addition to market-wide risk assessments, an Authority’s risk assessment framework will typically (but not always) include The resulting risk assessment may be documented in formal undertaking risk assessments of individual FSPs that the Author- reporting, updated periodically. The assessment could be pre- ity supervises. There are various ways to undertake such risk sented as a report of all identified risks (for example, new devel- assessments, ranging from using a single type of measure (for opments, historical trends, possible upcoming concerns) along example, grading FSPs based on impact indicators) to using with a risk-level score (for example, high, medium high, medium a combination of risk and impact indicators. Regardless of the low, or low), taking into account the significance of each issue for indicators used to compare FSPs, qualitative and quantitative consumers and the estimated likelihood that a particular pattern of assessments must be balanced and combined, since quantitative misconduct or mistreatment will materialize. Outputs may include indicators alone may hinder the supervisors’ capacity to account a periodic list of key FCP risks, assessed for significance and the for environmental contexts and other underlying “drivers of risk” likelihood of consumer mistreatment, similar to the process and that may affect such metrics. TABLE 4 Market-Wide Risk Assessment Example Issue Source of Risk Risk and Impact Indicators Risk Rising consumer losses - Increasing use of digital channels - Total consumer losses High due to fraud and scams - Low digital financial literacy levels - Total fraud events Losses may be significant - New technologies - Complaints about fraud and scams at FSPs with lowest control - Total digital payments transactions quality ratings Increased sale of -New entrants in the lending sector Total new loans originated via agent/ - Medium High personal loans through marketing aggressively to gain third party channels There is still a limited number agents/third party market share Complaints about mis-selling of loans - of FSPs using agents/third distributors - Sales-based incentives by agents/third party distributors party distributors as a sales -Agents/third party distributors channel for personal loans, targeting low-income segments though next year may register of consumers a sharp increase Rapid growth of Consumers may have difficulty - Total digital channel investment sales Medium Low investment products understanding options and risks -Complaints about investment mis- Limited sales yet, though it through digital channels of offers selling through such channels could deliver increased risks / apps in the foreseeable future ... ... ... ... 20  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision Prioritizing FSPs for Further Risk Assessment a deeper risk assessment in light of other factors (for example, An Authority may undertake an individual risk assessment for all exponential growth or new products released in the market). or only some FSPs, based on impact indicators and other con- Supervisory judgment will play a significant role in such deci- siderations. To support such prioritization, the risk assessment sions. Examples of risk assessment tools that an Authority can should include multiple tiers into which FSPs will be categorized consider are discussed next. for impact indicators. The FSPs assessed (graded) to be in a high- FCP Risk Matrix er-impact tier would then be prioritized, for example, for the more in-depth individual risk assessments. An FCP risk rating model based on a matrix such as the one shown in figure 5 is aligned with typical prudential methodology Tiers should be well defined and appropriate to allow meaning- for risk assessments and can be the most appropriate alternative ful segmentation of all FSPs based on selected indicators. Often when an Authority is contemplating some kind of integration of four tiers are adopted for this purpose—although an Authority both types of supervisory assessments. The framework requires may prefer to work with more or fewer tiers—where tier 1 is the identifying an inherent risk view22 and an evaluation of the quality lowest-level peer group for the relevant indicator(s) and tier 4 is of controls at the FSP applicable for relevant risks. The analysis of the top-level peer group. Statistical methodologies and/or super- these two items in combination produces a final net risk rating visory judgment may be applied to select the most appropriate (that is, “residual risk”). The matrix allows risk assessment of dif- range for each tier, including possible weights for each indicator. ferent business lines within the same FSP, as well as cross-cutting elements such as governance and culture, producing a final net Examples of impact indicators that can be used for the purposes risk rating for each business line and a final overall risk rating for the of ranking FSPs include the following: FSP when all of these aspects are combined. Risk grades, whether for individual inherent, final net risks, or the overall risk rating, are • Number of retail customers at the reporting date typically graded as high (H), medium high (MH), medium low (ML), • Number of active accounts per product type low (L), or a variation of these. • Volume of product sold by type and by distribution channel over the reporting period An Authority will often be able to assign an inherent risk assess- • Market share of each segment ment rating only for the most intensely supervised FSPs. This is because also evaluating internal controls is a more complex exer- • Financial value of products21 cise, usually requiring more in-depth individual engagement with Each FSP would be allocated a specific impact grade, allowing all an FSP and more extensive supervisory resources, and tends to be supervised FSPs in the market to be ranked as shown in table 5. feasible only for the highest inherent risk (and highest impact) FSPs. After selecting FSPs that warrant a deeper risk assessment (or Numerical ratings or grades are not the only important aspect of if an Authority decides to undertake a risk assessment for all applying a risk assessment methodology. Qualitative descriptions FSPs), an Authority should apply an appropriate risk assessment and justifications supporting any assessment will also be crucial tool for this purpose. Regardless of the result, an Authority may when indicating the most relevant concerns and assisting to prior- determine that some FSPs below the defined threshold require itize supervisory attention based on the risk assessment. TABLE 5 Example of Impact Grading Impact Indicator Tier 4 Tier 3 Tier 2 Tier 1 Total [accounts] [retail customers] Over five million Four to five million Two to four million Fewer than two million Total transactions Over 2,000/day 1,000–2,000/day 500–1,000/day Fewer than 500/day Market share Over 55% 45%–55% 15%–44% Less than 15% FIGURE 5 Example of Risk Rating Model High Likelihood (how likely Medium high is the risk to Medium low materialize) Low Low Medium low Medium high High Conduct impact (how harmful the risk could be to consumers if materialized) Core Components of an FCP RBS Approach  |  21 A detailed and wide-ranging exploration of the different risk low. The overall risk will be a final composite of all topics. Such a matrices that may be in use internationally is outside the scope framework can aid an Authority in focusing on key FCP elements, of this Note, but the following are two examples of such matri- but it also comes with challenges in assessing different business ces for illustrative purposes. The generic example shown in table lines within the same FSP. 6 illustrates an approach sometimes adopted by Authorities that focus on undertaking separate risk assessments for each business Product Life Cycle line of an FSP. Of course, the specific elements making up the The U.S. Consumer Financial Protection Bureau uses a product approach will also depend on the context factors and other core life cycle–based approach that reflects a relatively intensive risk components discussed in this Note. assessment methodology. It has also made its risk assessment framework publicly available.25 This approach is designed to assess The Central Bank of Ireland, publisher of the detailed A Guide each business line separately; supervisory judgments are used to to Consumer Protection Risk Assessment,23 is one of a limited determine how to combine multiple products from the same FSP number of Authorities that have made their risk framework and to achieve this view. When assessing inherent risks, the approach matrix public. Figure 6 shows how the Central Bank represents requires evaluating products, consumers, market methods and its approach in diagram form. The figure reflects a complex and sales, customer-relationship management, and compliance-man- highly sophisticated methodology that was developed over time agement challenges and scoring them as low, moderate, or high.26 to reflect the Central Bank’s particular context and necessities, As part of assessing “Quality of Consumer Compliance Risk Controls and like other examples, it should not be viewed as a predefined and Mitigations,” the bureau’s methodology requires risk analyses framework that another Authority can adopt automatically and of the FSP’s board and management, authority and accountability easily. The Alliance for Financial Inclusion has also published a for compliance, compliance risk management and oversight, prod- Guideline Note on market conduct RBS that can be a further useful uct and system development and modification, training, and com- reference point. The Note includes a range of detailed definitions plaint management, all to be scored as strong, adequate, or weak.27 and descriptions of impact and probability indicators, as well as Impact is then considered based on the size of the FSP and the inherent risk, internal controls, net risk, and overall risk.24 number of customers. A final overall risk classification is then pro- duced, again scored as low, moderate, or high. Outcomes Based An alternative, simpler framework that can be used to assess c.  Which Framework Will Be the Most Appropriate? risks for an FSP from a consumer perspective is to refer to key topics or desirable outcomes to consumers that may be defined The examples presented above exhibit various differences, by the Authority. Possible topics or outcomes may be developed including a range of choices made by Authorities across multiple according to risks supervised by the Authority and could include, dimensions. They differ in how they categorize risk and controls, for example, topics such as: confidence, transparency, disclosure, score risk assessments, combine net risks, and so on. Differences equitable treatment, advice, recourse, product performance, and in approach between Authorities’ risk assessment frameworks and sales. Such a framework requires the development of a list of indi- RBS approaches more generally are common and should not be cators and questions for each topic to guide an assessment and a point of concern, provided that the methodology adopted by possibly to determine a final composite score based on risk scor- an Authority is suitable and feasible for its purposes at a particular ing for all of these topics. Questions may be divided into “risk” and time. These differences again demonstrate the fact that Authori- “controls” types, in order to evaluate the FSP’s current risk profile ties can choose from a range of different approaches when build- and mitigating measures. This assessment will deliver a final grade ing the FCP RBS approach best suited to their own needs and for each topic—for example, high, medium high, medium low, or circumstances. TABLE 6 Risk Matrix Example Business Line Inherent Risks Processes Controls Net Risk For example, personal H, MH, ML, or L H, MH, ML, or L H, MH, ML, or L H, MH, ML, or L loans, insurance, etc. .... .... Firm/group H, MH, ML, or L H, MH, ML, or L H, MH, ML, or L H, MH, ML, or L Governance and culture (assessed for the whole firm/group) H, MH, ML, or L Overall risk H, MH, ML, or L 22  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision FIGURE 6 Central Bank of Ireland’s Consumer Protection Risk Assessment MODULE 1: Governance & Controls M1.1–Organisation Structure M1.4–Strategy and Risk Appetite M1.2–Board & Board Committees and Management & M1.5–Consumer Protection Risk Management Management Committees M1.3–Control Functions/Consumer Monitoring M1.6–Consumer Reporting Product Life Cycle MODULE 3: MODULE 4: MODULE 5: Product Development Sales/Transaction Process Post Sales Handling • M3.1–Product Governance • M4.1–Sales / Transactions • M5.1–Post Sales Arrangements Governance Arrangements Governance Arrangements • M3.2–New Product Development • M4.2–Operation of The Sales / • M5.2–Operation of the • M3.3–Product Monitoring / Transactions Processes Post Sales Process Existing Product Reviews • M4.3–Quality Assurance • M5.3–Quality Assurance • M3.4–Distribution Arrangements • M4.4–Management Information • M5.4–Management • M3.5–Product Management Information Information • M3.6–Marketing and Advertisement MODULE 2: People & Culture M2.1–Firm’s Values & Behaviours M2.5–People Practices M2.2–Leadership & Tone from the Top M2.6–Training M2.3–Internal Communication M2.7–Performance Management, Reward & Incentives M2.4–Speak Up, Challenge & Escalation M2.8–External Environment & Communication Source: CBI (2017) The following are key questions that an Authority may consider, a. Will the Authority develop a formalized FCP risk framework having regard to the framework examples discussed in this sec- at this time? tion and the context factors discussed in section 2. The best For example, an Authority that also undertakes prudential super- framework for an Authority will be the one that makes more sense vision may already have a formal risk framework for its pruden- for and best fits its current organizational setting, level of comfort tial function. That risk framework may cover market conduct/ with RBS, experience and overall supervisory approach to FCP, FCP risks only at a high abstract level and/or only to the extent and data position. Authorities taking the first steps to building an that market conduct may harm the interests (for example, rep- FCP RBS framework may find themselves more comfortable with utation or due to litigation) of the FSP itself, rather than focus- simpler methodologies, while Authorities that have been under- ing on the interests of consumers. The Authority may therefore taking FCP supervision for some time and are currently supervising decide that its FCP function would benefit from a more specific larger and more complex sectors may feel the need to develop and tailored risk framework for FCP RBS purposes. a more complex methodology. The answers to these questions should be revisited periodically, as relevant answers are likely to evolve over time. Core Components of an FCP RBS Approach  |  23 b. Is there a need to define formally what constitutes risks from e. What will be the relationship between the FCP risk framework an FCP RBS perspective, or is this already well understood? and any prudential risk framework employed by the same (And related to the above, what is the risk definition? What Authority or a separate prudential regulator? are the associated risk scope and consumer perspective? i. How will these frameworks relate to each other conceptu- What are the long term FCP supervisory objectives?) ally? For example, an explicit FCP risk definition may be useful within ii. How will these frameworks relate to each other formally? an Authority that also undertakes prudential supervision, at iii. How will any risk ratings based on these two frameworks least to clarify the contrast with the concept of prudential risks relate to each other? for both staff members and FSPs. However, even if an Author- ity does not have a “competing” prudential function, adopting iv. How will the data underlying such risk ratings be shared and a formal FCP risk definition, risk scope, and perspective may reconciled? be useful for both development and implementation purposes For example, an Authority that also undertakes prudential (for example, when deciding whether risk indicators are in supervision with its own dedicated formal risk framework may fact relevant to an FCP risk), or if the Authority is also required decide that its FCP RBS risk framework will be structured con- to address other objectives (for example, financial inclusion, ceptually as an elaboration of the FCP risk rating category used consumer education, competition), to assist in distinguishing in prudential supervision but that both risk frameworks will be between these different objectives. applied separately.28 Assessments of FCP-related risks by pru- dential and FCP supervisory officers may be reconciled period- c. Will the FCP risk framework be used only to guide risk analy- ically where the nature of the risk suggests this is appropriate. ses in a qualitative manner (that is, without specific risk rat- An Authority that is separate from its prudential counterpart ings), or will it also be used to generate risk ratings? may decide it is unnecessary to undertake such harmonization For example, an Authority whose initial data position is very in terms of risk assessment, although it may nevertheless be limited—limiting its ability to generate individual ratings for useful also to have an appropriate level of information sharing FSPs—may decide to start with a basic risk framework consist- with an external prudential supervisory function. ing of mostly qualitative profiles of key FSPs. FSP profiles will then be based on the collective professional judgment of the e. Given the answers to these questions, what would be an supervisory officers involved, rather than attempting to set up a appropriate approach to (further) develop an Authority’s FCP rating mechanism without access to the required data. risk framework? For example, an Authority may choose to begin with limited, d. How central will the role of the FCP risk framework be in the purely qualitative risk assessments. Only after it has sufficient Authority’s supervisory cycle? critical mass in terms of its quantitative knowledge and capa- i. Will the FCP risk framework (and any ratings based on this bilities might the Authority start to lay the groundwork for a framework) support, or determine more strictly, how the quantitative risk framework and decide that some quantitative Authority sets its supervisory priorities? FCP risk ratings are necessary. This will also depend on the ii. Will the FCP risk framework (and any ratings based on this availability of supervisory resources and the number of FSPs framework) support, or determine more strictly, how the that may require some level of one-on-one supervision, now Authority decides on supervisory and/or enforcement inter- and in the foreseeable future—any such decision should always ventions? follow actual needs. This may involve experimenting with differ- For example, an Authority whose market means that FCP- ent methods of arriving at FCP risk assessments for individual focused RBS attention is initially likely to be limited mostly to FSPs, appropriate testing of these (for example, through peer a small number of key FSPs (with other FSPs meriting thematic review or “devil’s advocate” testing), and evidence-based doc- attention) may decide that there is less value in developing a umentation of relevant methodology. framework—at least initially—that generates more sophisti- cated quantitative risk ratings as the basis for its priority set- ting. The Authority may opt to use its risk framework simply as a RISK-BASED MONITORING AND SUPERVISION 3.4  way to structure analyses and internal discussions more gener- ACTIVITIES ally. On the other hand, an Authority with a more disparate and numerous cohort of supervised FSPs may decide that, even Risk-based monitoring and supervision for FCP purposes can be in the initial stages of FCP RBS, a more fully fleshed-out risk executed through a range of possible activities and tools. It is rating function is needed. For example, it may decide to rank crucial first to establish all the core components of an FCP RBS FSPs from a risk perspective using three or four risk categories approach previously discussed. Once these components are in to inform and direct decisions on monitoring and supervisory place, determining which are the most suitable types of supervi- efforts, such as how often it will conduct supervisory meetings sory activities to utilize to achieve a risk-based approach becomes with a particular FSP. more straightforward, though of course it is never entirely so and 24  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision adjustments will continue to be necessary.29 Sound data collec- a.  Market and FSP-Level Monitoring tion and analysis (discussed in 3.1) feeds into appropriate risk As previously mentioned, monitoring activities enable Authorities indicators (discussed in 3.2), which in turn deliver relevant key to gain insight into FCP risks and FSP conduct in their regulated information to conduct an accurate risk assessment (discussed in domain, without directly affecting the conduct of specific FSPs. 3.3), which is ultimately used by an Authority to decide when and This activity is important both to feed into the FCP RBS framework how to engage in supervisory action to mitigate the most cru- (as a reminder, see figure 3, which shows the FCP supervisory cial risks to consumers. The ultimate aim always being to enable cycle) and also to provide a continuous assessment of FCP com- effective and efficient deployment of finite supervisory resources pliance, identifying current and emerging risks across the industry for optimal impact. Crucial to achieving this aim is ensuring that, at any time. Monitoring includes not only monitoring previously as far as feasible, the Authority selects the most appropriate tools established impact and probability indicators (discussed in 3.2) to mitigate particular risks. Such tools will, in turn, also support but also any additional monitored situations and issues that could the ongoing identification and assessment of risks, creating an identify problems or trigger the need for further investigations. ongoing supervisory cycle. As defined for the purposes of the discussion in this Note, moni- For the purposes of this discussion, a conceptual distinction is toring involves not only reporting risk indicators but also review- made between risk-based monitoring, supervisory and enforce- ing them and extracting insights into what has happened and ment activities, even if there is typically overlap between these what could happen, requiring a type of intelligence analysis. activities and some tools may relate to multiple activities. Market and FSP-level monitoring should be reported in conjunc- • Monitoring activities enable an Authority to gain insight into tion, since they are mutually dependent. Authorities will be able to FCP risks and FSP conduct in its regulated domain, without analyze an FSP’s trends effectively only if they are able to compare directly affecting the conduct of specific FSPs. their indicators’ performance with those of the market overall. • Supervisory activities enable an Authority to engage with FSPs During its initial supervisory cycles, it is important for an Author- directly to gain insights about FSP conduct and, potentially, to ity to focus monitoring activities on the main risks to consumers affect and improve FSP conduct directly. as articulated in the FCP RBS framework, choosing indicators and • Enforcement activities typically involve the use of formal legal situations that really need to be monitored. Monitoring activities powers to coerce FSPs to change their market conduct (for take up valuable supervisory resources. Therefore, selected mon- example, fines, injunctions, formal warnings, license suspen- itoring activities must always result in valuable outputs, such as sions/revocations). tracking key risk indicators, triggering alerts of new noncompli- ance situations, providing internal reports that offer a historical Risk-based monitoring and supervisory and enforcement activi- view of the market and FSPs, or generating key inputs for super- ties are all essential for an FCP RBS regime and complement each visory interventions and strategic planning. Although much inter- other. Without adequate monitoring, supervisory activities cannot esting and valuable data could be monitored, such data may need reliably focus on the key FCP risks. Without focused supervisory to be disregarded in order to have fewer monitored situations efforts, monitoring insights cannot lead to in-depth understanding and issues but more time to interpret and analyze the results for a of FCP conduct in the regulated domain. In addition, both mon- select set of issues, to provide more detailed and thoughtful sug- itoring and supervisory activities are typically required for sub- gestions on potential courses of action for supervisory planning sequent formal enforcement actions, as they allow the Authority and ongoing activities, and to generate inputs to improve the FCP to collect the data and take the procedural steps necessary for legal and regulatory framework and the supervisory approach. legitimate enforcement actions. Conversely, without a credible With time, monitoring processes will evolve and gain maturity and enforcement regime, it is very hard to maintain an effective super- scale, covering more issues and situations without losing quality visory function. analysis. Regardless of the monitoring activities to be prioritized, their connection to the FCP legal and regulatory framework and to Given that risk-based monitoring, supervision, and enforce- the overarching supervisory approach will hopefully increase the ment are inherently interconnected and rely on each other to efficiency and effectiveness of the FCP RBS approach as a whole. be effective, an Authority will need to choose and develop its methods and tools in a way that ensures that each of these b.  Common Risk-Based Supervisory Methods and Tools activities is sufficiently robust and mutually reinforcing. For example, a mistake to avoid is setting up a new FCP RBS regime Planning for a supervisory cycle should consider the use of all that focuses mostly on monitoring methods and tools without available supervisory tools in a holistic manner. When starting a systematically engaging FSPs to improve their performance in a first RBS cycle, it is expected that not all supervisory tools will be way that benefits financial consumers (such as via direct supervi- available, and some tools may never be, due to legal restrictions. sion and enforcement). Furthermore, activities that will call for more supervisory resources Core Components of an FCP RBS Approach  |  25 should be reserved for the highest priority risks and the riskiest • Assess the potential impact of and level of compliance with FSPs, and simpler and less resource intensive tools should be new FCP rules; or used for all remaining situations. By following such an approach, • Identify good practices and publicize them in order to be used RBS ultimately provides more comprehensive coverage of all risks to communicate supervisory expectations to FSPs and other and FSPs and, hence, greater protection for consumers overall. stakeholders. The greater the number of tool options, the more results may be obtained, provided such tools are well applied. A few common Guidance based on thematic inspections provides an effective supervisory tools are described below, along with discussions way to disseminate supervisory concerns and expectations of their potential benefits for an RBS approach and potential lim- to the entire market at once. Because this kind of examination itations and considerations. Although there are several possible focuses on a defined objective and examines the same issue ways to organize and categorize the following tools, they are dis- across a group of FSPs, it is a practical way to initiate an RBS FCP cussed here in a way that highlights their potential contributions supervisory regime. For example, thematic inspections could be to a successful RBS approach, as well as the limitations to take into utilized to examine the top risks that emerge from conducting a account before applying them (see also figure 7). market-wide risk assessment. It is expected that most initial RBS supervisory cycles will rely on thematic inspections as one of the Thematic Inspections main supervisory activities. The inspection results are typically dis- Thematic inspections (also known as thematic reviews) involve seminated through a series of follow-up actions (for example, new assessing a specific issue based upon the assessment of a sample guidelines development, self-assessment exercises by FSPs) that of relevant FSPs, usually within the same timeframe and using the may also substantially affect the assessed FCP risks and concerns. same examination procedure. This method tends to fit particularly well with an FCP RBS approach, since international experience Limitations and Other Considerations consistently indicates that most of highest-priority FCP risks are While thematic inspections can be very effective and relatively strongly related to sector-wide themes and issues. efficient, they also tend to require substantial workforce capac- ity, so the objective of any such review should be chosen wisely. Contribution to RBS Approach For example, unexpected noncompliance situations will often be Thematic inspections provide a market-wide and comparative observed at one or a few FSPs. Utilizing thematic inspections to view of any topic within the most relevant FSPs. Thematic inspec- pursue such situations could potentially drain precious supervisory tions may aim to resources without providing sufficient results, given that the non- • Identify new FCP problems and find solutions for them; compliance situation is not more broadly present in the market. Such situations will call for supervisory judgment to determine if • Push for market-wide improvement in already familiar FCP such breaches should be prioritized and, if so, which supervisory issues; tools should be used. Useful criteria to consider include the esti- FIGURE 7 Illustration of a Possible Combination of Supervisory Tools In-depth • More resource intensive inspections • In-depth and focused coverage Off-site inspections FSP meetings/engagements/letters/ information requests Thematic inspections • Less resource intensive Collective engagements/dissemination efforts • Comprehensive high-level coverage 26  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision mated extent of harm to consumers, the level-playing-field princi- additional supervisory activities indicate the need for more accu- ple,30 the number of FSPs involved, and the possible side effects of rate, in-depth supervisory investigations. the issue. Taking all these criteria into account will help to deter- Limitations and Other Considerations mine if thematic inspections are the appropriate tool to employ, In-depth inspections usually demand a high amount of supervisory if the scope of a thematic inspection should be redesigned, or if resources, which means their use should be rationed carefully. these new items should be considered for future FSP examinations. For example, it is always advisable to assign at least two inspec- Off-Site Inspections tors/supervisors for any on-site activity, since perceptions can be complemented and compared for a fuller picture and there will be Off-site inspections are one of the most common risk-based double testimony of what has been said in interviews. Depending supervisory tools. They involve conducting any of a range of inter- on the Authority’s organizational culture, different hierarchical lev- actions with an FSP without necessarily having to delve too deeply els may be involved, so the assigned supervisory team can avoid into an FSP’s internal systems and procedures or visit the FSP’s potential team conflicts during on-site procedures.31 facilities. This kind of inspection allows for a wide array of activ- ities, ranging from a simple inquiry resulting in a noncompliance Considering resource limitations, in-depth inspections should finding to a more comprehensive inspection that could involve have a well-determined focus, prioritizing any issue that would several different FCP policies and procedures and identify/miti- be too troublesome to be evaluated through off-site inspections. gate an array of FCP risks. Ideally, an in-depth inspection should originate from previous Contribution to RBS Approach off-site supervisory activity that was unable to assess a particular Off-site inspections can provide a fast and relatively straightfor- issue fully due to information gaps that can now be addressed ward way to address issues of consumer risk that need some level only by in-depth activities. of analysis that can be executed without in-depth examinations. In-depth inspection aspects should include interviews with man- Limitations and Other Considerations agers and operational employees and agents and normally also Off-site inspections are commonly the best alternative for a involve accessing management systems and conducting walk- supervisor to find out the status of an FSP risk or concern, pro- throughs of procedures, either on site or via remote channels. vided it is subject matter that has a low likelihood of being con- Typical in-depth inspection activities also include observation of cealed or disguised by an FSP. Supervisors should always be staff at branches and agents conducting their daily activities (in appropriately skeptical of an FSP’s responses and be ready to initi- particular, the interaction between consumers and sales staff), ate further inspections depending on the findings, such as for find- checking disclosure materials in the main sales channels, and inter- ings related to sales staff management and IT situations (both of viewing sales and agent staff, board and management members, which are usually some of the hardest to inspect effectively solely auditors and compliance officers, and any other staff that could on a remote basis). help examiners understand the current situation. In-Depth Inspections (Remote or In-Person) Letters to FSPs While off-site inspections are less costly and highly valuable in Once an FCP issue has been identified, properly analyzed, terms of supervisory findings, in-depth inspections provide a and documented (for example, via a thematic inspection or unique and thorough view of specific FCP concerns, regardless of FSP-specific inspections), it may be necessary to set down this whether the physical presence of supervisors at the FSP´s prem- finding in a formal communication to the FSP’s board/senior ises are necessary. Some relevant findings are obtainable only management. Such communications are conveyed via a warning by specific inspection procedures or on-site visits. Walkthroughs letter, order, or other equivalent document depending on the conducted by an FSP’s operational staff (whether conducted in terminology applied by each Authority regarding formal com- person or via remote channels) are frequently a useful way to find munication procedures to FSPs. Regardless of the term used, out how procedures are being executed, as opposed to reviewing these documents can be key to addressing FCP risks in a timely written policies. But this is even more likely to be the case when manner, with an appropriately calibrated level of intrusion, where it comes to FCP RBS, since the weight and impact of the organi- appropriate.32 zational culture in driving an FSP staff’s conduct can be perceived much more easily when observed directly by supervisors, whether Contribution to RBS Approach in person or through remote inspections. The objective of such formal communication is to indicate clearly to FSPs an Authority’s awareness of the situation and also to for- Contribution to RBS Approach malize the FSP’s acknowledgment of it. Such communications are In-depth inspections enable a thorough assessment of an FSP’s a frequently applied tool used to assure that the risk situation has performance on a specific FSP risk or concern in a manner that at least been formally addressed while also providing evidence to cannot be obtained from off-site examinations. Therefore, their track the mitigating actions put in place. use will be more valuable whenever risk assessment results and Core Components of an FCP RBS Approach  |  27 Limitations and Other Considerations • Formality/recurrence: Again depending on the purpose, some Delivering any kind of formal communication of an identified non- meetings may require more formal procedures. Examinations compliance situation is always a sensitive undertaking. As a for- usually have opening and closing meetings that are described mal communication from an Authority to an FSP, its content should in supervision manuals and demand that predefined condi- be standardized or carefully customized depending on need. tions be met. Outside of examinations, ordinary meetings can Having standard form content to communicate the necessity to be used whose only purpose is to check some information present a corrective measure tends to facilitate its acceptance. or concern. Recurring meetings/engagements are also a valu- However, there may be situations when a customized letter would able means of maintaining an up-to-date view of an FSP’s per- be more appropriate. Supervisory judgment should be used to formance and intentions on any given FCP risk or issue, so they determine which option will provide the best results. are one of the best strategies to use to enrich an FSP’s risk profile in an efficient manner (such as using meetings instead FSP Meetings and Engagements on-site/off-site examinations for lower-risk FSPs). For exam- Holding meetings or equivalent engagements (for example, ple, for each supervisory cycle, an Authority may proactively video calls, email exchanges) with different management levels require quarterly or semiannual meetings/engagements with of higher-risk FSPs potentially can provide strong benefits for an FSP’s relevant business lines and internal controls, internal RBS while requiring relatively limited resources. It may be used dispute resolution and internal audit functions. The recurrence at any time and in multiple ways, allowing great flexibility. It is one of these meetings could be defined according to the FSP risk of the most frequently used supervisory tools for FCP RBS, con- level assessed for the current supervisory cycle. Another rele- tributing to keeping a good grip on higher-risk FSPs’ activities and vant recurring meeting strategy is often referred to as a “moral even replacing costly inspection procedures for medium or low suasion” meeting. This is a more formal meeting (for example, risk FSPs. Meetings and engagements can be used ad hoc or as held once or twice a year) with an FSP’s board. It is an occa- part of a more comprehensive supervisory activity (for example, sion for the supervisor to report its assessment of the FSP’s off-site or in-depth inspection meetings). performance and risk profile. It is intended to make sure that the board is made aware of all or key identified issues and con- Contribution to RBS Approach cerns with the FSPs’ activities and then is persuaded to com- The objective of FSP meetings is to have direct interaction with mit to improvements that will be followed up on during the an FSP’s representatives, to do things such as obtain information next period. It is a powerful tool if well executed on a recurring or clarification from them or to inform them of a concern or of basis (for example, every supervisory cycle), thus triggering all a rule or guideline the Authority expects should affect the FSP’s FSP functions/departments to anticipate the Authority’s con- conduct or policies. Each meeting/engagement should have cerns and to seek to address those issues prior to the next clear, specific objectives and be based on appropriate pre-plan- scheduled meeting. ning. Considering RBS is all about prioritizing and saving scarce supervisory resources, the proper use of meetings is essential in • Attendance: Defining the purpose of a meeting or engagement pursuing such a goal. will facilitate the decision about who should attend the event on both sides. For example, operational staff attendance may Limitations and Other Considerations be sufficient for technical meetings/engagements. However, There are many potential strategies for approaching RBS meet- enforcement meetings or engagements will call for the atten- ings. It is helpful to consider a list of elements that will guide the dance of at least one or more FSP directors (or similar senior best options for each scenario. management) who are directly responsible for the issue of con- • Purpose: What is the expected outcome of the meeting? Gen- cern. It is advisable to hold meetings with at least two Author- erally, it is possible to divide supervisory meetings/engage- ity representatives to strengthen the supervisory position and ments into three categories: (i) informational, when it is only to try to balance the rankings of each side (top-level FSP man- expected that an FSP receives or delivers some position on agement meeting representatives of equivalent seniority from a risk or issue; (ii) enforcement, when an informal or formal the Authority’s side), to avoid the risk of underrepresentation enforcement measure is to be applied, such as a warning let- on either side, which could jeopardize the desired outcome of ter, corrective measures order, or another type of noncompli- the meeting. ance reporting; and (iii) deliberative, when there is not a firm • Location: The location should always be chosen by the position from either side and where the meeting allows for an Authority’s representatives. Though location is not crucial exchange of ideas and perceptions regarding a relevant FCP to achieve a meeting’s purpose, there are two issues to be issue or risk. A strong standpoint from the Authority during considered: the location’s relevance to local culture (for some an informal enforcement engagement/meeting, requesting a countries this may play a role, while for others it may not be change of position by the FSP, often achieves its objective and that important), and the impact of the subject on the FSP. thus avoids the necessity of formalizing warning letters or even Operational meetings are usually held at the FSP’s premises. the execution of a specific in-depth inspections. More delicate and higher-level subjects may call for a meet- 28  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision ing at the Authority’s premises. Also, when starting an initial Limitations and Other Considerations supervisory cycle, choosing the Authority’s facilities for meet- Collective engagements can have the benefit of being able to ings is a way to demonstrate a “soft power” presence for the reach the whole market at once, but organizing such events is newly established FCP unit. usually time consuming and may require complex content and logistics management to achieve their objectives. Also, Authori- Dissemination Efforts ties should not underestimate the risk of fostering the image of a Publicizing supervisory activity findings and results, and guid- “soft” Authority (inclined to bend to the industry’s wishes) or of an ance, can be an efficient way to disseminate an Authorities’ Authority that does not meet the expectations of stakeholders not views regarding an emerging or newly trending risk arising from included in the engagement (for example, consumers). market-wide risk assessments. All FSPs can then receive relevant guidance at the same time. Information Requests Formal information requests include asking an FSP to answer Contribution to RBS Approach questions or provide a set of data, usually assuming that the FSP Public dissemination efforts can be a powerful way to address is legally bound to respond truthfully. Such requests may form a risk concern without the cost of conducting some kind of part of a broader supervisory activity (such as a thematic inspec- inspection. They provide a fast and agile means of addressing an tion or an in-depth examination), but they can also be considered Authority’s concern and providing guidance regarding an FCP risk as a stand-alone RBS tool, since they can be used on an ad hoc identified across a significant part of the market, giving all FSPs basis as a single supervisory activity. opportunity to address the potential situation at the same time. This method may also serve to disseminate supervisory expecta- Contribution to RBS Approach tions regarding new FCP rules or standards. Since it is a public Used as a stand-alone supervisory tool, RBS information requests communication, it is also the case that other FSPs may “whis- are designed to obtain information considered key to assessing an tle-blow” a competitor, which may assist to indicate where super- FCP risk or compliance issue. Information requests are also some- visory intervention may be necessary. times used to send a message that an issue is being monitored by the Authority (for example, requesting information on how FSPs Limitations and Other Considerations are dealing with new issues or developments, or the schedule for The main potential shortcoming regarding publicizing guidance achieving compliance with a new rule in the context of upcoming is related to the capacity and propensity of the Authority to then deadlines). In both situations, information requests are especially take action whenever an FSP is found to not be heeding such advantageous when it becomes necessary to address a new and public guidance. An Authority will need to be sufficiently ready unanticipated risk (for example, a sudden increase in complaints to follow up to ensure such guidance is taken seriously by the regarding a product offered by an FSP categorized as medium to market, while not taking up excessive resources for this purpose. lower risk, or a concern regarding a new product in the market) Such communications should therefore be reserved for situations that needs some sort of response but not enough to require a with a substantial negative impact on the entire market or where formal inspection (at least not yet). The difference with information the content of communications is suitable to be disseminated in requests during thematic inspections is that the answers to an ad an open-ended manner (more informative and less directive), in hoc information request will not necessarily be thoroughly ana- order to avoid excessive pressure on supervisory resources to lyzed, and immediate additional supervisory interventions are not respond to the particular issue at hand. necessarily expected. It is common for issues to be identified by Collective Engagements monitoring processes that may be further explored and contextu- alized via an information request, thereby avoiding additional and Collective or industry engagement is a direct interaction unnecessary supervisory activities. between an Authority and FSPs, as well as industry and consumer associations. Distinct from public dissemination efforts, this tool Limitations and Other Considerations is designed to collect intelligence on market risks and responses As with public supervisory communications, stand-alone infor- and to understand business conduct and FCP risks based on infor- mation requests are intended to address market-wide or mation gathered from other stakeholders’ perspectives. FSP-specific FCP issues without undertaking more formal, intru- sive, and costly reviews or examination procedures, though this Contribution to RBS Approach may not always be the case. Depending on the answer obtained, Collective engagement is a feasible alternative to address it may or may not be necessary to dig deeper into some FSPs’ cross-sector risks in a flexible way, usually when feedback from processes. It is also important to consider the weight of an infor- stakeholders is necessary to improve the Authorities’ risk percep- mation request, since this can vary depending on the country tion. It is usually well-accepted by industry and consumer bodies, background (for example, depending on cultural perceptions and since it can provide an open forum of discussion. expectations) and legal mandate of the Authority. This tool is more effective when the very sending of the request is regarded as an Core Components of an FCP RBS Approach  |  29 impactful supervisory intervention; this may not be the case for all and is faced with limited capabilities may initially adopt mon- countries and for all Authorities, especially when the FCP regime is itoring and supervision methods and tools that are primarily still in its early stages. qualitative. Thus, its supervisory interventions—even if risk based—may be much more ad hoc and limited, and its RBS Mystery Shopping methodology and toolkit will expand over time. Mystery shopping is a technique that uses individuals (supervisors c. How can the Authority achieve an appropriate balance or not) trained to experience and measure customer interactions between risk-based monitoring and supervisory activities? by acting as potential consumers and analyzing as well as report- For example, an Authority that has been undertaking super- ing back on their experiences in a detailed and objective way. It visory activities—such as a central bank already undertaking is often also used as a market-monitoring tool. It is can be a unique prudential supervision (and possibly also FCP supervision, and sometimes quite accurate way to obtain evidence of how con- even if not yet on a risk basis)—may be able to commence the sumers are being exposed to FCP risks, providing a better under- monitoring component of its RBS supervisory cycle immedi- standing of their overall experience when interacting with FSPs. ately, using a mixture of methods such as analysis of prudential Contribution to RBS Approach reports, analysis of complaints data, media monitoring, and Mystery shopping can provide a relatively vivid practical per- industry engagements. The supervisory methods and tools that spective of situations faced by consumers during their interac- it could already engage with a risk-based focus may include tions with FSPs, focused on preidentified FCP risks. It can also supervisory engagements with market incumbents backed up work as a conduct deterrent for FSP staff or agents, given the risk by FSP-specific inspections where needed and some thematic of interacting with a mystery shopper. inspections aimed at particular parts of the market. It may also choose to adopt an initial position regarding allocation Limitations and Other Considerations of resources to have a more immediate impact on the indus- It is important to analyze in advance whether the procedure is try’s FCP performance despite limited capacity, such as initially legally possible in a given jurisdiction, and also whether it would dedicating, for example, 60 percent of its annual operational actually be able to provide a useful viewpoint depending on the capacity to supervision and 25 percent to monitoring (and the issue that is of concern. As it is a simulation, legal systems in some remainder to other activities). countries may consider that mystery shopping is not an adequate practice for inspection purposes. Costs are also a constraint, d. Of the additional risk-based monitoring and supervisory since it is a highly specialized tool that is not easy to conduct fre- methods and tools that are not yet available, which might quently.33 In addition, not all issues affecting consumer interactions realistically be developed in-house? with FSPs can necessarily be tested effectively through mystery e. Of the additional risk-based monitoring and supervisory meth- shopping so the appropriateness of this method needs to be care- ods and tools that are not yet available, which might real- fully considered in advance. istically be acquired? From which outside providers (either for-profit or not-for-profit)? Selecting and Deploying Risk-Based Supervisory c.  f. Of the additional risk-based monitoring and supervisory Methods and Tools methods and tools that are not yet available, which would As can be seen from above, Authorities can draw from a range add the most value to the Authority’s FCP RBS regime, given of monitoring and supervisory methods and tools as part of the context in which it finds itself? their FCP RBS approach.34 The following are key questions that For example, the increasingly digital nature of financial ser- Authorities should ask to help determine which methods and vices delivery and business models in an Authority’s market tools should be selected and deployed for their circumstances. may make expansion of tools that focus on supervising digital The answers to these questions will be affected by various key distribution and communication channels (online apps, social context factors discussed in section 2, including, for example, media, and so forth) one of the selected priorities. any legal limitations on supervisory activities, the structure and size of the financial sector being supervised that may warrant Once an Authority has established its initial RBS approach, includ- certain prioritization choices, and the overarching supervisory ing development of its initial set of monitoring and supervisory approach of the Authority. tools to be employed, it would aim to combine these to cover all FSPs under supervision (the supervisory universe referred to a. Which risk-based monitoring methods and tools are avail- earlier) as far as feasible using its market and FSP risk assessment able for FCP RBS or can be made available in the foreseeable results as drivers. The total supervisory activities to be undertaken future? will be determined by the availability of supervisory resources b. Which risk-based supervisory methods are available for FCP (human and technology), and the subject matter of each activity RBS or can be made available in the foreseeable future? will be determined by the completed risk assessments. Table 7 For example, an Authority that is just beginning its operations provides an illustrative example of what an initial preplanned com- 30  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision TABLE 7 Illustrative Example of a Combination of Supervisory Activities for FCP RBS Supervisory Tool Planned Coverage of the Supervisory Universe Information requests Market-wide Thematic inspections Three inspections per year for tier-4-risk FSPs; two inspections per year for tier-3-risk FSPs; one inspection per year for tier-2-risk FSPs In-depth inspections Two inspections per year for tier-4-risk FSPs; one inspection per year for tier-3-risk FSPs FSP meetings Recurring biannual meetings for tier-4-risk FSPs; recurring annual meetings for tier-3-risk FSPs; ad hoc meetings for tier-2-risk and tier-1-risk FSPs Mystery shopping Scheduled for tier-4-risk FSPs for specific issues (Other relevant activities—for example, public supervisory communications) bination of risk-based supervisory activities may look like. Natu- and strengthening a culture of compliance and respect for FCP rally, it is expected that throughout the periodic supervisory cycle, in the jurisdiction. there will be new risks or issues that will necessitate review and adjustment of this plan. Enforcement may be divided into soft-power measures, which are the informal tools available to shape an FSP’s conduct, such as those mentioned above (for example, meetings, information d. Enforcement requests, warnings), and hard-power tools (for example, sanc- While a detailed discussion on enforcement activities is beyond tioning, fines, penalties, compensation orders). However, hard- the scope of this Note, it is important to emphasize that, after power tools and strategies are less often an immediate part of RBS an Authority has properly established its monitoring and super- regimes, as their use is more rigid and based upon the legal frame- visory activities and risks have been identified and assessed, work and context of each country (as opposed to the discretion- the ultimate success of its approach will rely heavily on the ary judgment employed within an RBS regime). Precisely for this effectiveness of its risk mitigation/enforcement regime, includ- reason (and also to preserve a “screen” or “firewall” between both ing formal and informal enforcement efforts. Monitoring and duties), when it becomes necessary to employ hard enforcement supervisory efforts will lack real world impact without taking measures, some Authorities choose to assign formal enforcement proper enforcement measures where needed. The enforcement activities to nonsupervisory teams in different departments, assur- regime should be able to deter FSP misconduct, granting credi- ing that this matter will be carried out strictly under a compliance- bility to the Authority’s reputation for seriousness and follow up, based approach, as opposed to a risk-based approach. Core Components of an FCP RBS Approach  |  31 NOTES 13. Note that these four dimensions are not exhaustive. For example, one might also distinguish data collection and analysis approaches on a continuum of aggre- gated versus granular. Section 3.2 considers this dimension. 14. For example, if a sector has a history of significant complaints regarding fraud events in general, or of a wide incidence of fraudulent credit card transactions not being resolved, there would be a compelling reason to include indicators relevant to these issues (whether in terms of complaints, market metrics, consumer losses, numbers of customers affected, and so forth) despite—or, arguably, even because—such indicators did not show significant change. 15. For further details, see Dias (2013). 16. Impact may be defined as the potential impact of an FSP’s conduct-related harm to consumers and/or to the confidence and trust in a financial market. It is typi- cally assessed by reference to factors including the size of the business and number of consumers. An Authority will need to develop a context-specific definition depending upon its RBS framework characteristics. 17. Probability may be defined as the likelihood of the event (in this case, FSP conduct harming consumers and/or confidence and trust in a financial market). It is usually assessed by reference to the nature of the financial products. (For example, for a consumer, acquiring a credit card can result in a greater likelihood of harm than just having a prepaid card.) An Authority will need to develop a context-specific definition depending upon its RBS framework characteristics. 18. G20/OECD Task Force on Financial Consumer Protection (2018). 19. See, for example, Sahajwala and Van den Bergh (2000), 7. 20. For instance, an increased probability of harm to consumers (FCP perspective) may coincide with an increased probability of reputational harm to the FSP (pru- dential perspective), as the FSP’s reputation may be damaged through rising complaints and adverse media coverage. 21. In contrast with other impact indicators more related to scale, the financial value of products focuses on the potential financial detriment to which consumers are exposed as a result of the products (although there are considerable challenges in measuring a variable that does not affect all consumers equally). 22. Inherent risk could be defined as the level of risk present in (presented by) an FSP before controls are applied. In the model presented in figure 5, it is the result of impact versus likelihood. 23. CBI (2017). 24. AFI (2016). 25. https://www.consumerfinance.gov/compliance/supervision-examinations/ 26. To underscore to what extent risk assessment frameworks can differ, some elements, such as customer-relationship management and compliance, are consid- ered internal controls in other methodologies. 27. Again, some of these elements are regarded as inherent risks in other methodologies. 28. Prudential supervisors without an FCP-specialized unit often incorporate FCP risk assessments into their prudential methodology as a specific element or embedded into other prudential elements, such as reputation and strategy risks. However, once such an Authority has developed any level of an internal-twin- peaks model, the prudential risk assessment framework will require revision in order to ensure that prudential and FCP risk assessments are consistent and complementary and not competing processes. 29. For further elaboration on some relevant risk-based monitoring and supervisory tools and activities, see Izaguirre et al. (2022) and FinCoNet (2018). 30. The level-playing-field principle or concept, meaning that all competitors should compete under the same set of rules, is even more relevant for FCP supervision, since corrective measures in this area usually result in direct impact on an FSP’s operational results and commercial strategies. Hence, any situation found in a particular FSP whose correction may substantially affect its profitability should also be assessed as soon as possible at other FSPs of a similar type. 31. In-depth inspections are also a crucial method of on-the-job training for less experienced inspectors/supervisors, due to their intensity and in-depth nature. It can be useful to have seasoned and new staff to work together as a team for training purposes. 32. Although part of the description here may suggest enforcement measures, and not risk-based supervision activities per se, the use of letters to FSPs is also a valuable tool for addressing FCP risks efficiently and in a timely manner, thus its relevance to the present section on supervisory methods. 33. For further information about mystery shopping, see Izaguirre et al. (2022). 34. As noted above, for further information on some of these tools, also see Izaguirre et al. (2022) and FinCoNet (2018). APPENDIX A Examples of Risk Indicators An Authority can theoretically develop a wide range and large The examples suggest briefly how individual indicators (or lim- number of combinations of indicators for FCP RBS purposes. The ited combinations) may be interpreted and used to trigger addi- following are examples of possible indicators for use from an FCP tional risk-based activities. However, more accurate conclusions perspective. Some examples may result in a subset of multiple will always rely upon the combined interpretation of all available indicators (rather than necessarily a single indicator), depending indicators, the background behind those indicators, and sound on how they are organized by the Authority and the level of gran- supervisory judgment. ularity in terms of different issues. Importantly, as discussed earlier in the Note, RBS is an evolving process for any Authority, and it is In addition, an Authority will need to define relevant segments recommended that an Authority develop a relatively small num- (such as product segments) for specific indicators. For example, ber of indicators at first, reflecting the best possible quality data loan-specific indicators may be derived having regard to all loans the Authority has available and prioritizing essential risks within and also specific results/data for mortgages, auto loans, credit the jurisdiction. Examples of indicators that would require a set of cards, payday loans, and so on. more complex data have not been included below. As an Author- ity progresses, and as staff gain confidence and experience, the indicator set size and complexity can be expanded, but always ensuring that each indicator serves a clear and useful purpose. Indicator Consumer perspective(s) Description Assessment of the current situation for financial consumers (or certain types of consumers) combining/including information on financial literacy, vulnerability profiles, and demographics Format Qualitative Periodicity Usually quarterly, semiannually, or annually Purpose To be used to assess relevant risks at a market level regardless of consumer dealings with specific FSPs. It relates to consumers’ profiles/life circumstances, rather than FSP performance. It gives an important perspective by providing a risk view that may not necessarily be assessed only through FSP data, and it can offer a more comprehensive view of some consumer risks Risk correlation N/A Data source Authority’s databases or research or other government, industry, or consumer association databases, or research/FSP data and social media regarding vulnerability circumstances of consumers, such as financial health or digital maturity Potential additional The data may allow assessment of historical trends. Data relating to/from FSPs regarding vulnerability factors indicators for consumers may also be used for a qualitative FSP-related indicator, although the data quality (or availability) may be limited   33 34  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision Indicator Total consumer accounts/products Description Total number of active/open deposit accounts, credit card accounts, and payments accounts. Depending on the circumstances, it may be replaced with total number of active consumers, instead of accounts Format Quantitative Periodicity Usually quarterly, semiannually, or annually Purpose This can be one of the most important indicators of potential impact for FSPs, whether combining all/multiple products or reporting on each business line/product type separately. For some segments, it can also be an important market-share indicator Risk correlation Positive (the higher the number, the higher the risk) Data source FSPs Potential additional This data can also allow assessment of historical trends regarding total accounts/products (for example, indicators increases in number of accounts, growth rate, gender disaggregation, and level of relevance of each product/ type/business line for the market and the individual FSP) Indicator Total assets Description Total assets per segment (total active loans, total deposit accounts balance, and so forth) Format Quantitative Periodicity Usually quarterly, semiannually, or annually Purpose This can be one of the most important indicators of potential impact for FSPs, whether combining all/multiple products or reporting on each business line/product type separately Risk correlation Positive (the higher the number, the higher the risk) Data source FSPs Potential additional This data can also allow assessment of historical trends regarding total assets (increase in assets/balances indicators during the reported period, total asset/account balance growth rate, and so on) Indicator Total revenue Description Total revenue per segment (credit, insurance, accounts, payments, and so forth) Format Quantitative Periodicity Usually quarterly, semiannually, or annually Purpose Although typically more prudentially focused, this can also be a useful indicator regarding share of market activity Risk correlation Positive (the higher the number, the higher the risk) Data source FSPs Potential additional This data can also allow assessment of historical trends, such as those relating to revenue growth rate, including indicators weighted by total number of consumers and/or complaints Indicator Segment profile Description Profile classification for each FSP’s business line(s) Format Qualitative Periodicity Annually Purpose This is to identify which FSPs may have higher inherent risks due to a greater focus/more extensive dealings with more vulnerable consumer segments, especially considering possible gender disaggregation. FSPs targeting lower-income segments are expected to present higher FCP risks. The classification for the purpose of the indicator is developed using the four tiers used for risk levels (that is, each possible market segment is classified as high, medium high, medium low, or low risk) Risk correlation N/A Data source Data from FSPs with application of risk classification methodology Potential additional N/A indicators Appendices  |  35 Indicator Distribution channels Description Use of third party/outsourced distribution channels Format Qualitative Periodicity Annually Purpose Heavier dependence on agents/other third parties to market and sell products can present higher inherent risk for consumers, as controls and oversight tends to be inherently more limited than those of an FSP’s own branches (or directly administered digital channels). The risk indicator classification for the purposes of different levels of reliance on third party distribution is developed using the four tiers used for risk levels (that is, levels are classified as high, medium high, medium low, or low risk) Risk correlation N/A Data source Data from FSPs with application of risk-classification methodology Potential additional N/A indicators Indicator Product profile Description To assess relevance for FSPs of product types with higher inherent risks Format Qualitative Periodicity Annually Purpose Products must be categorized in terms of inherent risks for consumers. (For example, credit cards present higher inherent risks than prepaid card accounts, which present higher inherent risk than some other types of accounts, and so on.) The riskier the products an FSP offers, the higher the inherent risk. The risk indicator classification for the purposes of different products is developed using the four tiers used for risk levels for each possible financial product (that is, levels are classified as high, medium high, medium low, or low risk) Risk correlation N/A Data source Data from FSPs with application of risk classification methodology Potential additional This indicator could additionally take into account (or analysis could be combined with) the relevance of each indicators product/business line to an FSP while also considering “Total consumer account/product” and “Total assets” indicators Indicator Consumer complaint drivers Description To assess the most significant types of/reasons for complaints at each FSP (including resulting in complaint increases) Format Quantitative Periodicity Usually quarterly, semiannually, or annually Purpose Each FSP reports a list of the statistically most relevant complaint types/reasons (for example, the top 10 or top 20) and corresponding complaint numbers, assisting to provide a view of which issues may need to be prioritized during the next supervisory cycle Risk correlation N/A Data source FSPs Potential additional indi- This indicator may additionally be considered together with indicators relating to account/product numbers, cators market share, and so forth, providing a weighed perspective, given that the nature of complaints is usually at least in part connected to product features. (Other considerations, such as distribution channels and gender disaggregation are, of course, also relevant.) 36  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision Indicator Volume of consumer complaints Description Total number of consumer complaints relative to a measure of size, usually per number of consumers/accounts Format Quantitative Periodicity Usually quarterly, semiannually, and annually Purpose Providing a relative view regarding an FSP’s complaint levels Risk correlation Positive (the higher the number, the higher the risk) Data source FSPs Potential additional The data additionally allows assessment of historical complaint trends, spikes (or improvements) for a reporting indicators period, and so on Indicator Complaint resolution Description Total number of (fully) resolved consumer complaints Format Quantitative Periodicity Usually quarterly, semiannually, and annually Purpose To identify possible issues with complaint resolution (and, if feasible, segmented by available classification methods—for example, complaints relating to different products). Risk correlation Negative (the higher the number, the lower the risk) Data source FSPs Potential additional indi- There are typically various standard indicators used by FSPs to assess the quality of their internal dispute resolu- cators tion processes, such as FCR (First Call Resolution), dropped-call rates, and so forth, that could also be request- ed from FSPs, including for peer comparison Indicator Number and volume of transactions Description Total number and volume of transactions by any type of financial product/service. More relevant for payment services. Format Quantitative Periodicity Usually quarterly, semiannually, and annually Purpose This can be an important indicator of potential consumer impact of an FSP, whether based on a combined fig- ure or reporting by service/product separately Risk correlation Positive (the higher the number, the higher the risk) Data source FSPs Potential additional The data can also allow identification of historical transaction trends, transaction increases, growth rates, and indicators significance of each business line for the FSP and for the market, as well as weighting by total number of con- sumers/complaints Indicator Media and social media monitoring Description Analysis of mentions of FSPs on social media platforms, blogs, online forums, and mainstream media. The latter may be measured through a separate indicator, apart from social media Format Qualitative Periodicity Usually semiannually and annually (but it may be monitored even daily, if resources allow) Purpose It can provide additional perspectives regarding potentially significant or problematic concerns in relation to an FSP as reported by their own customers, consumer associations, or others Risk correlation N/A Data source Internal specialized monitoring team or outsourced. It requires media monitoring expertise and technology Potential additional The data may be compared with complaints and total accounts/total assets indicators to improve relevant risk indicators perspectives (for example, a rapid growth in sales by a specific product followed by an increase in consumer dissatisfaction expressed via social media) Appendices  |  37 Indicator Dispute resolution and compliance reports Description Analysis of mandatory reports to the Authority from FSPs regarding their internal dispute resolution processes and their FCP compliance (including internal audit) and management of FCP issues Format Qualitative Periodicity Usually semiannually and annually Purpose Although such reports may have the most relevance to the quality of an FSP’s controls, they may also provide a good perspective for possible inherent risks or issues to be prioritized during future supervisory activities Risk correlation N/A Data source FSPs Potential additional indi- The data may be compared with complaints and total accounts/total assets performance indicators to provide cators a more accurate risk perspective The following is a more extensive list of possible indicators (including those listed above) that may be used for different purposes in an RBS context. All indicators may be disaggregated by relevant FCP variables, such as sociodemographic segments, gender, consumer vulnerability, ethnic groups, financial literacy, and digital maturity, all depending upon the quality of available data, market characteristics, and overarching supervisory approach. Indicator Category Total consumer indebtedness Market conditions Financial literacy Market conditions Technological literacy Market conditions Country’s banking access rate Market conditions Total active retail accounts/consumers General profile New retail accounts/consumers acquired during reporting period General profile Number of retail accounts/consumer relationships ended during reporting period General profile Number of vulnerable consumers/percentage of vulnerable consumers General profile Market share per relevant segment (as defined by the Authority) General profile FSP’s relevance of higher inherent risk products (as defined by the Authority) General profile Total inactive/dormant accounts General profile New inactive/dormant accounts General profile Total assets by segment/total accounts balance General profile Net interest income earned by FSP General profile Net non-interest income earned by FSP (fees, charges, and commissions of any type) General profile Total penalties and losses to consumers General profile Penalties and losses during the reporting period General profile Total complaints (filed with FSPs, the Authority, or, for example, ombudsman schemes) Complaints Total complaints by critical subject (filed with FSPs, the Authority, or, for example, ombudsman schemes) Complaints Complaints by resolution time Complaints Complaints by status Complaints Complaints by product Complaints Total branches and agents Distribution channels Total agents by service delivered Distribution channels Share of new accounts/new consumers originated from digital channels Distribution channels Total fraud events Assets misuse continued 38  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision Indicator Category Total value of fraud loss Assets misuse Total new loans Loans Nonperforming rate Loans Average interest rate Loans Value of new loans Loans Events of early payments Loans Value of loans transferred from the FSP to another provider Loans Total events of loans transferred from the FSP to another provider Loans Total unsuccessful events of loans transferred from the FSP to another provider Loans Total payment events Payment services Total volume of payments Payment services Average payment ticket Payment services Total unsuccessful transaction events Payment services Total insurance claims Insurance Loss ratio Insurance Renewal events Insurance Sanctioning history (by all legally mandated Authorities) Supervision Timely solution of noncompliance findings Supervision FSP’s quality of regulatory reporting Supervision APPENDIX B Illustrative Scenarios of RBS Approach Development The following are two fictional scenarios illustrating how initial Context Factor 1: Legal and Regulatory Foundation choices regarding the development and implementation of an Due to recent regulatory reforms, Authority A has a clear mandate RBS approach may be made in practice, based on the practi- to conduct FCP supervision with regard to banks, but not yet cal context that different Authorities may be dealing with. The with regard to non-banks and financial intermediaries, which are scenarios describe how an analysis and decision-making process subject to limited and largely ineffective self-regulatory regimes. based on the context factors and core components discussed in The internal mandate of the Authority’s FCP department to under- this Note may progress for hypothetical Authorities, including con- take supervisory actions, including on-site inspections, is not yet text-specific answers they may give to key questions mentioned explicit (in contrast with the prudential supervisory departments, in various sections of the Note. These scenarios illustrate how which do have an explicit mandate). Until an explicit mandate is context factors and core components discussed in the Note are arranged, the FCP department may have to rely on prudential crucial to adopting a sound FCP RBS implementation approach; supervisory departments for on-site inspections and enforcement how such analyses will and should vary in light of the situation in actions.35 which an Authority finds itself; how these context factors and core components interact with each other; and how this can yield a decision-making process for implementing a pragmatic FCP RBS. Context Factor 2: Market Characteristics Potential conclusions and action items for these fictional examples The supervised market features a large number of consumers (50 are provided in footnotes. million), of whom a large portion are unbanked and/or have very low financial literacy. There are two major local banks (incumbents) Note that these examples are brief and highly stylized—a real- and a range of international bank branches. The local banks are rel- world example would likely be more elaborate and complex. atively “low-tech” general banks that are slow to change and use Although aspects of these scenarios may appear to be more or mostly manual processes. The international banks are relatively less similar to an actual Authority’s specific situation, the Author- “high tech” and feature elaborate control systems; these banks ity’s mix of practical and strategic considerations will vary and are mostly active in specific niche markets focused on specialized ultimately be unique, and it may make different but equally valid target groups such as high net worth individuals or corporate cus- decisions. Nevertheless, it is hoped that the examples will provide tomers. Market growth is positive but limited, and industry entry/ readers with a more tangible feel for how these context factors exit of significant FSPs is rare.36 and core components can guide their own, customized analyses and subsequent conclusions and actions. Context Factor 3: Overarching Supervisory Approach Crucial approach-determining factors in the context of Author- EXAMPLE A ity A are the limited staff resources available to the FCP depart- ment, the greater supervisory expertise available within Authority Authority A is a central bank that has recently decided to A’s prudential supervision departments, and the particular struc- implement an FCP supervisory function that will take an RBS ture and nature of the industry—that is, two incumbents and a approach. There has been a considerable FCP regulatory reform range of international bank branches. Authority A considers that effort, and some staff members have been earmarked to help a basic risk framework–centered approach seems the most sen- set up and execute the FCP supervision, but other than that, not sible supervisory approach for the foreseeable future.37 Once the much has been decided or implemented yet. FCP department has gained sufficient experience, reputation, and 39 track record, from an RBS perspective it may consider further except for monitoring analyses that can be (mostly) automated. developing its risk framework and, from a broader strategic per- The expected limited ability of FSPs in the market to deliver reli- spective, adopting elements of a responsive or problem-focused able periodic monitoring data suggests that the FCP department approach—for example, customized supervisory projects.38 will rely heavily on ad hoc information requests and analyses. The approach toward the international bank branches will be the- matic unless an incident forces the FCP department to adopt an Context Factor 4: Organizational Setting FSP-specific intervention.42 There are currently no board members at Authority A who have affinity with FCP. The FCP department currently reports to the Core Component 2: Risk Indicators board member responsible for prudential supervision. Awareness of the upcoming implementation of the FCP RBS regime among Considering the limited capacity in data collection, Authority A’s relevant departments within Authority A, other than within the FCP FCP department will incorporate a basic set of indicators that are department, is limited. The prevailing mindset/attitude toward already managed and monitored by prudential supervision: num- FCP within Authority A (outside of the FCP department) is neutral ber of accounts, total assets, and total loans will be monitored to negative, as only a few officials at the Authority as yet are cog- with data from the entire market and will be combined with com- nizant of its importance.39 plaints indicators restricted to the data reported by just the two incumbents and the data reported by the ombudsman scheme once a technical cooperation agreement has been formalized. Context Factor 5: Staff Considerations Since Authority A already has an outsourced media monitoring, There are currently six staff members in the FCP department and the FCP department will request a monitoring specific for con- one FCP regulatory specialist within the policy department. There sumer protection issues, at a market-wide perspective and at is some budget available to expand this capacity. Prudential FSP level. supervision officers may also be interested in switching to an FCP supervisory role. The FCP department consists only of lawyers, all Core Component 3: Risk Assessment Framework of whom have substantial knowledge of FCP theory and regula- tions and some knowledge of financial products and services but The risk framework applied by Authority A’s prudential supervision no supervisory experience. There is, however, a lot of enthusiasm departments covers market conduct and consumer protection to protect financial consumers better and a willingness to pursue risks only at a high abstraction level, and only to the extent that this goal vigorously and overcome the associated organizational market conduct may harm the interests (for example, reputation) and practical challenges.40 of the FSP itself, rather than focusing primarily on the interests of customers. The FCP RBS function will benefit from a more spec- ified and tailored risk framework. This framework should feature Context Factor 6: Data Position an explicit risk definition, if only to clarify the contrast with a pru- The licensing and prudential supervisory departments admin- dential risk definition for the benefit of all staff members as well ister several databases featuring a range of data types that may as FSPs. be combined to substantiate risk indicators for FCP RBS. The two major incumbent banks for the moment are not expected to be Given that the FCP-focused RBS attention to specific FSPs will able to report much additional and relevant detailed data on a mostly be limited to two incumbents (the other FSPs will receive recurring basis (other than perhaps on complaints); the other mostly thematic attention), the development of a sophisticated (international) banks are expected to have this ability, but given risk rating system seems counterproductive. Rather, a high-level the variation in data systems between them, establishing stan- risk framework guiding just risk analyses and internal discussions dardized reporting lines may nevertheless be problematic. There covering basic market concerns will be more than sufficient. The is a separate ombudsman scheme that should be able to provide FCP RBS risk framework will conceptually be structured as an formal complaints data.41 elaboration of the market conduct risk rating categories used in Authority A’s prudential supervision, but both risk frameworks will be applied separately, once a year.43 Core Component 1: Data Collection and Analysis Given the analyses above, Authority A’s FCP department will pri- Core Component 4: Risk-Based Monitoring and Supervision marily apply a system-based risk analysis approach to the two Activities incumbents (leveraging their own control systems), supplemented by direct verification if confidence in the outcome of system-based The FCP department will likely be able to commence the monitor- analyses is lacking. The approach toward the international bank ing component of its supervisory cycle using a mixture of meth- branches will be determined on a case-by-case basis. Given the ods: analysis of prudential reports, analysis of complaints data (if limited capacity available, all analyses will be selective (risk based) data exchange with the ombudsman scheme can be established, Appendices  |  41 as well as from direct FSP reporting), media monitoring, and indus- with such approaches in conducting various supervisory functions try engagements. Its initial supervisory methods and tools will in other authorities and jurisdictions. This approach may also be include supervisory engagements with the incumbents backed up appropriate for developing a customized engagement style for by FSP-specific inspections where needed (in cooperation with the various Big Tech companies and the range of start-ups. Once the prudential supervision departments) and thematic inspec- Authority B’s data and analytical capabilities have developed suf- tions aimed primarily at the international bank branches. Once ficiently, this approach can be complemented with a formalized the department has amassed sufficient experience, a reputation, risk framework.47 and a track record, this arsenal might be enriched with collective engagements and public supervisory communication. To enable Context Factor 4: Organizational Setting sufficient supervisory capacity to have an impact on the industry’s FCP performance despite the limited capacity, the FCP depart- Authority B’s leadership is recruited mostly from financial regula- ment will initially dedicate 60 percent of its annual operational tors—both prudential and consumer protection oriented—includ- capacity to supervision and 25 percent to monitoring, the focus of ing from other jurisdictions. The organization is still developing; each of these being informed by its risk insights.44 currently there is no clear distinction of responsibilities, as every- one is involved in setting up all functions. There is a strong col- lective drive and enthusiasm to set up an FCP RBS regime and EXAMPLE B “get on with it,” which is certainly needed at this stage (also given the dynamic and constantly evolving market conditions), although Authority B is a new government authority dedicated to FCP. In some prudence may be necessary as well. Understanding of the addition to its mandate to supervise and enforce FCP regula- local context is also an important concern, given several execu- tion, it is tasked with monitoring and promoting financial con- tives and many staff members are from other jurisdictions as well sumer education and competition. Staff and management have as on term contracts. The change capabilities of the organization been recruited primarily from other supervisory agencies. are very strong, although the capabilities to set up stable monitor- ing and supervisory processes remain to be seen.48 Context Factor 1: Legal and Regulatory Foundation Context Factor 5: Staff Considerations Authority B has a clear legal mandate to supervise FCP, although the legal basis for compelling FSP assistance during an on-site Authority B currently has 25 staff members, including four exec- inspection is disputed, and industry lobbying has meant that the utives and two board members, but the total is set to expand to imposition of fines or other legal measures cannot be publicized. 45 staff members and three board members. There are ample staff Regulatory context therefore does not seem to present an obsta- members with legal and auditing backgrounds, but basic IT and cle to implementing FCP RBS, but Authority B will need to consider data expertise is lacking and therefore needs to be outsourced how to address limitations on its supervisory and enforcement entirely, which is creating multiple issues and prevents substan- tools.45 tial development of supervisory functions. Quantitative analytical capabilities are also scarce. The collective mindset and attitude (proactive, flexible, consumer protection focus) are excellent for Context Factor 2: Market Characteristics the present “start-up” phase of the FCP RBS function.49 The supervised market features 10 million financial consumers. A large portion of these consumers is young, relatively tech savvy Context Factor 6: Data Position (mainly with mobile phones), but solid financial literacy is scarce. Besides a few international banks and insurance companies, the The only market data currently available at Authority B is staff’s market is dominated by nontraditional players: financial start-ups qualitative knowledge of the local industry and consumer markets. as well as some major Big Tech companies that seem to con- It is as yet unknown which data may be readily available from FSPs. sider this a suitable jurisdiction to test new financial propositions. Presumably, the Big Tech companies have large amounts of data, Due to these consumer and FSP profiles, the market is extremely but how this data is structured is unknown, and these companies’ dynamic; FSPs frequently introduce new and aggressively mar- attitude toward sharing the data with Authority B remains to be keted propositions.46 seen. The start-ups are unlikely to have much quantitative data available. There is a new financial ombudsman, which seems to be overwhelmed by the flow of complaints. There is also a central Context Factor 3: Overarching Supervisory Approach bank that may have relevant data. Currently, Authority B does not Given Authority B’s limited data position and quantitative analyt- have the expertise (until further successful recruitment occurs, as ical capabilities, an elaborate risk framework–centered approach noted above) systematically to explore and improve its data posi- seems unrealistic for the short term. However, it may be realis- tion for RBS.50 tic to develop a responsive approach, given the staff’s expertise 42  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision Core Component 1: Data Collection and Analysis Core Component 3: Risk Assessment Framework In light of the short-term constraints on data availability, the ana- Given its current data position, Authority B will start with a basic lytical approach for the short term will partially rely on engaging risk framework consisting of mostly qualitative profiles of key FSPs. FSPs through supervisory meetings, questioning how they set up Even though Authority B does not have a “competing” prudential their systems and controls to ensure that they comply with con- task, it may still be worth adopting a formal FCP risk definition, risk sumer protection regulations and realize appropriate “customer scope, and perspective, given that the Authority and its supervi- fair treatment/fair customer outcomes” objectives. Once more sory officers will also serve other objectives (consumer education data sources become available (prioritizing the implementation of and inclusion, competition, data privacy). Both for analysis and FSP reporting and data exchanges with the central bank and the for priority setting purposes, it is important to distinguish these new ombudsman), this approach will be supplemented and veri- objectives clearly. fied through direct verification of FSPs performance in this regard. The analysis approach will be highly selective/risk based, build- FSP profiles will be based on the collective professional judgment ing on an incrementally improved understanding of key FSPs’ of the supervisory officers involved, rather than attempt to set up business models. Analysis will be mostly ad hoc, but Authority B a rating mechanism without access to the data required for such a can gradually work toward a standardized method of conduct- mechanism. These FSP profiles will be ranked from a risk perspec- ing analysis on compliance motivation/capabilities and aspects tive and on that basis grouped into three or four risk categories, to of corporate culture. Given the variation in profiles and business inform and direct decisions on monitoring and supervisory efforts, models, analyses will be mostly FSP-specific, rather than the- such as how often Authority B will conduct supervisory meetings matic, except for thematic efforts to assess and correct social with a particular FSP. With time, Authority B expects to increase media engagements (once the required data gathering and anal- its knowledge and capability to develop a more quantitative risk ysis methods are operational).51 rating framework and possibly even harmonizing the future risk framework with that of the central bank, whose data will be key to improving Authority B’s data position.53 Core Component 2: Risk Indicators Considering the market characteristics, overarching supervisory Core Component 4: Risk-Based Monitoring and Supervision approach, and the data collection possibilities, in the immediate Activities term Authority B has decided to prioritize qualitative indicators, since quantitative indicators will require additional time to develop Given Authority B’s current capabilities, in the immediate period agreements for exchange of information with the central bank and the initial monitoring and supervision methods and tools will be the other authorities, as well as the new ombudsman. Some qual- primarily qualitative. Considering the data-heavy business models itative indicators will be developed from the start leveraging data of the main players—especially the Big Tech companies—this is made publicly available by the central bank and other government unfortunate but unavoidable (and, as noted above, in the mean- agencies (the latter more related to financial consumers’ behavior time the aim is to scale up qualitative data gathering). Besides and sociodemographic factors).52 developing solid off-site and in-depth inspection capabilities (a cornerstone of any supervisory regime), a range of other methods and tools should be considered in light of the market character- istics. For example, the marketing and operations of the Big Tech companies as well as many of the current start-ups rely heavily on social media engagements with their customers—from this, it is already evident that Authority B will need strong social media mining and analysis capabilities.54 Appendices  |  43 NOTES 35. Potential outstanding work for the Authority that goes beyond RBS implementation includes, for example, the following: » Initiating further regulatory reform » Implementing a clearer and stronger internal supervisory mandate for the FCP department » Implementing internal coordination/cooperation arrangements 36. Potential conclusions and action items from an RBS perspective include anticipating the need for a supervisory regime that is able to perform both sys- tem-based and direct-verification risk monitoring and inspections (to adequately analyze and correct the operations of both the incumbent and international banks). 37. Within this overall approach, the FCP department will grow and leverage a strong account-management relationship with the two incumbent local banks, incor- porating elements of an industry-centric approach. With regard to the range of international bank branches, the supervisory approach will be mostly thematic (rather than FSP-specific). 38. Potential conclusions and action items: » From an RBS implementation perspective: Work toward a basic FCP risk framework. Learn the expectations of senior leadership/board members in this regard, and manage those expectations where needed. » In addition, ensure that at least one or two experienced supervisors from existing supervisory departments, potentially supervisors who already have familiar- ity and engagement with the two incumbents, join the FCP department. 39. Potential conclusions and action items: » The current organizational setting potentially precludes the implementation of an effective RBS FCP regime. An empowered FCP “champion” at the board level is required to effectuate the required organizational changes. » Identify and appoint a qualified executive for this purpose. 40. Potential conclusions and action items: » Prudential supervision officers may well complement the current staffing of the FCP department, both in terms of capacity and background/capabilities, including with regard to existing familiarity with RBS, albeit from a prudential perspective. Explore to what extent prudential supervision officers are interested in switching to an FCP RBS role. » Hire a quantitative researcher and a data management/analysis specialist to support FCP RBS. 41. Potential conclusions and action items: » Establish operational data sharing linkages with A’s licensing and prudential supervision departments and the ombudsman scheme. » Anticipate that, at least for the foreseeable future, much of the data required for FCP RBS will be obtained on the basis of ad hoc information requests, rather than via standardized monitoring efforts. 42. Potential conclusions and action items: » Set up a preliminary analysis of the controls and governance of the two incumbents from an FCP perspective (leveraging available data, knowledge, and insights from the prudential supervision departments) to facilitate future system-based analyses and risk ratings. » Develop basic procedures and formats to be applied in thematic reviews and inspections (leveraging available formats from the prudential supervision departments). » Draw up a preliminary list of known cross-cutting FCP risks/issues in the current market. 43. Potential conclusions and action items: » Begin drafting a customized FCP-specific risk framework, bearing in mind the analysis above. » Discuss the intended course of action and proposed framework with relevant board members and prudential supervision executives to ensure that they are comfortable with it. 44. Potential conclusions and action items: » Train staff for all of the selected monitoring and supervisory tools and methods and how to engage with them on an RBS basis. Develop the customized formats and procedures required to work with these tools and methods. » Work on creating a data analysis environment that enables the FCP department to combine RBS-relevant insights from all of its monitoring and supervision activities. 45. Potential conclusions and action items: » Pursue further regulatory reform to strengthen supervisory and enforcement powers. » In the meantime, when deciding on appropriate supervisory action given identified risks, the authority may need to consider alternative ways of encouraging and alerting FSPs to address those risks. 46. Potential conclusions and action items: » Recruit at least some staff members that have worked at—or are at least thoroughly familiar with the workings of—Big-Tech companies and/or financial start- ups—to assist in understanding potential risk dimensions and circumstances for RBS purposes. » Consider how any existing engagements with industry, including on innovation, can be leveraged on an ongoing basis to improve understanding of market developments from an RBS perspective. 47. Potential conclusions and action items: » Adopt a responsive supervisory approach, focused on analyzing and leveraging compliance and noncompliance motivations. » In the meantime, begin developing a profile of all major players active in the market, including their compliance motivations and capabilities, to inform risk identification and assessments. 44  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision » Set up a structured engagement agenda with all these players to support this analysis, and start applying the analytical findings on their individual compli- ance motivations through risk-based one-on-one engagements (and through the incubator, once established). » In these engagements, make data a recurring discussion item in order to systematically increase Authority B’s knowledge of the data types and sources avail- able to key players in the market (laying the groundwork for the future risk framework). 48. Potential conclusions and action items: » Study organizational models for FCP RBS in other jurisdictions, including internal responsibilities and reporting lines; consider what the organizational model should be in both the short and the long term, as well as the consequences of these choices—for example, IT and data management choices. » Consider how staff members recruited from other jurisdictions may be assisted in developing greater understanding of the local context and market, which will be crucial for understanding risks for RBS purposes. 49. Potential conclusions and action items: » Top human resources priority is to recruit IT and data management staff with experience working for supervisory organizations. » Recruit a Chief Analyst, then set up an extensive training program, overseen by the Chief Analyst, to nurture staff members’ analytical capabilities to support RBS. 50. Potential conclusions and action items: » Acknowledge that B’s data position is currently its biggest challenge and vulnerability in setting up an effective FCP RBS function. » For the upcoming one to two years, emphasize qualitative observations from one-on-one engagements with FSPs as the initial basis for the RBS regime. » Prioritize recruiting staff members who have the expertise to explore and improve B’s data position systematically. For to-be-recruited staff members with a Big Tech background, emphasize hands-on data and analytical capabilities. » Seek cooperation with the central bank, emphasizing the synergy between prudential and market-conduct/consumer protection supervision. » Safeguard budget for investments in B’s data position and analytical capabilities. 51. Potential conclusions and action items: » Develop formats and a knowledge base to set up and execute a risk-based cycle of supervisory meetings with FSPs. » Approach Authorities in jurisdictions with a substantial Big Tech presence in the financial industry to learn how they approach supervising these entities, which risk factors they prioritize in this regard, and what cooperation may be realized. 52. Potential conclusions and action items: » As soon as practical, implement exchange of data with other authorities and the new ombudsman to allow the development of some basic quantitative risk indicators. » As soon as practical, also develop at least basic FSP reporting requirements. 53. Potential conclusions and action items: » Draft a standardized FSP profile format. » Experiment with methods to ensure quality and consistency of qualitative risk analyses of FSPs (peer review, “devil’s advocate” methods, evidence-based documentation requirements). » Estimate how many FSPs might “fit” into the three or four risk categories, given the capacity required to deliver on the monitoring/supervisory intensity asso- ciated with each risk category. » Hold off on further risk framework development until Authority B’s data and analysis capabilities are sufficiently advanced for in-depth data mapping and developing a customized road map for risk framework development. 54. Potential conclusions and action items: » Proactively manage political and media stakeholder expectations, conveying why it may realistically take one or more years for Authority B’s monitoring, supervision, and enforcement functions to become fully effective. » Prepare for an investment in social media mining and analysis capabilities, but hold off on any impactful decisions on this work stream until sufficient in-house knowledge and capabilities are available to make sensible choices in this regard. » Until that time, invest in other monitoring of traditional and social media and one-on-one engagements with key individuals who represent the most impactful FSPs. APPENDIX C Five Common Types of Overarching Supervisory Approaches This appendix provides further elaboration of the five common ment´s function (Communications) may be to issue press releases types of overarching supervisory approaches discussed in sec- announcing such legal measures. tion 2.3.55 Although this Authority obviously employs a range of instruments, its quintessential instrument—the one that best represents how 1. Compliance-Based the organization supervises—is the legal checklist that is used to A compliance-based Authority focuses on promoting that FSPs determine systematically whether an FSP has complied with rele- comply with regulations. The main perspective (although others vant regulations. Its employees tend to take pride in being thor- are relevant) is legal. This Authority takes regulations as the start- ough, spotting the infringements, winning court cases, and being ing point for its actions. strict and heavy enforcers. The preferred way to report supervision results are enforcement tallies. (“Last year, X fines were imposed.”) Generally, the organization´s core activity is to monitor systemati- The main potential upside of a primarily compliance-based cally and investigate whether regulated entities have transgressed approach is that it conforms to the expectations of many of the applicable rules and regulations and, if it establishes a transgres- Authority´s stakeholders and has a clear and relatively unambigu- sion, take legal measures (impose fines, issue stop orders, and ous reference point: law and regulations. A potential downside is so on). In addition to these activities, primarily intended to coun- that an exclusively compliance-based approach can easily lead to a teract noncompliance, some Authorities also positively promote myopic focus on the law and subsequent systematic investigations compliance—for example, by issuing guidance on the interpreta- and enforcement (regardless of market impact), which tends to be tion and implementation of regulations. an inefficient use of resources, may not effectively stimulate good conduct, and might even undermine spontaneous compliance. Typically, the standard legal process that underlies this activity also provides the core for the way this Authority works and how it 2. Risk Framework-Centered is organized. One department´s main function—in terms of activ- ity and employees´ collective self-perception of their role—is to A risk framework–centered Authority focuses on mitigating the establish the legally relevant facts through investigations. A sec- risks that an FSP´s activities pose to its supervisory objectives. ond department´s function is to qualify these facts in legal terms The supervisory objectives may be compliance objectives, or they (the Legal Department). A third department´s function may be may include broader objectives such as to promote the spirit of to impose fines and other punitive measures. A fourth depart- the law or to achieve adequate outcomes for consumers. (The risk framework may or may not be geared toward such outcomes.)56 The main perspective is risk management. Illustration of a Compliance-Based Approach For this Authority, the starting point of analysis and intervention activities is usually the risk profile of an FSP. Typically, significant effort is devoted to developing, implementing, and employing sophisticated instruments and methods to assess how much risk Establish Qualify Impose legal Issue public facts facts measure statement an FSP poses to the supervisory objectives (including assessing the quality of the FSP´s measures to mitigate these risks). These risks are ranked and prioritized, and based on such assessments, the Authority will adjust its interventions. 45 46  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision The Authority´s organization and way of working will likely reflect an overemphasis on standardized risk management information, risk management functions, and departments will be linked to each tools, and methodology, rather than staying open-minded and other according to the steps of a risk management cycle. Thus, a focused on market realities. Policy department may formulate risk objectives, and a Monitor- ing/Analysis department frequently identifies and measures corre- 3. Industry-Centric sponding risk levels, Management evaluates and prioritizes these levels, and inspectors from Supervision mitigate and control the An industry-centric Authority focuses on promoting that FSPs prioritized risks through proportionate interventions (ranging from adhere to appropriate business standards. The sectoral point of informal communication to full-fledged enforcement). Employees view provides the main perspective. The Authority identifies itself tend to take pride in their financial risk management knowledge primarily as a government organization within the local financial and skills. The Authority´s result reporting will stress risk mitiga- sector. tion statistics. In terms of activity, this Authority obviously monitors, conducts This approach evolves around risks posed by individual FSPs. As a investigations, and imposes legal measures. However, this variation, a segment-oriented risk-based approach assumes that Authority attaches great importance to maintaining cooperative supervisory risks are usually not limited to single FSPs and can relationships with FSPs. It expends significant effort on account therefore be analyzed and mitigated on the aggregate level of a management. Regular conversations with FSP representatives are local industry segment. It will typically result in thematic investi- a crucial instrument and component of the supervisory approach, gations or other projects, focusing on groups of FSPs, rather than both to maintain this relationship and to gather information and singling out individual cases. For example, rather than scrutinizing steer FSPs in the right direction. This approach may also include the derivative sales portfolios of each major FSP in an industry seg- efforts to promote self-regulation (for example, codes of conduct) ment to pinpoint which of their products pose the greatest risks and work with third parties (for example, to grant certifications). to retail investors, this approach may identify as particularly risky a specific type of derivative that is increasingly being sold in this The Authority´s organization and way of working reflect this net- industry segment (for example, binary options). The Authority may work perspective. Departments mirror industry segments (large then push every FSP selling these products to mitigate these risks banks, small banks, brokers, multilateral trading facilities). The (regardless of this product’s contribution to the FSP´s portfolio). organization emphasizes account management, both in the way staff members work and wield influence within the Authority and A clear advantage of a risk framework–centered approach is that in how they self-identify. Employees typically take pride in being is allows for a fine-tuned adjustment of supervisory activity to the account managers for a major FSP, being considered a respected perceived risk level. A disadvantage is that it can easily lead to counterpart in their industry network, and understanding an FSP´s Illustration of a Risk Framework–Centered Approach Illustration of an Industry-Centric Approach Objectives Enforcement Legal and Communications Risk mitigation Risk levels policy Account Management Priorities IT and data Research and management analysis Appendices  |  47 issues. As a relay point within the Authority, they consider an FSP’s escalation, FSPs return to compliance, the enforcement effort can legitimate interest—for example, by managing the administrative be toned back as well. The typical motto is “Talk softly, and carry load imposed on an FSP through supervisory activities. In report- a big stick.” ing on results, the Authority may prefer to include such indica- tors as the depth, liquidity, and efficiency of its markets, as well as To play this responsive game effectively, this Authority expends industry growth. much effort in conveying its approach to FSPs (letting them know what to expect in case of compliance or noncompliance, making A clear advantage of an industry-centric approach is that the them see how compliance is in their best interest), as well as gath- Authority is well aware of the issues in the market from an industry ering information about FSPs and industry segments to assess to perspective. A disadvantage of a predominantly industry-centric what extent FSPs comply and what their compliance motivations approach is that it can easily lead to “regulatory capture” ten- are (to be able to tap into those motivations). Therefore, as with dencies—that is, the regulator effectively protects or spares the an industry-centered approach, conversations with FSPs are a cru- interests of FSPs. For this reason, this overall approach seldom cial instrument in this approach, but with a different conversation occurs in its pure form; rather, an industry-centric Authority´s content. working methods will typically contain some elements of a com- pliance-based or risk framework–centered approach. This Authority´s organization and way of working combine aspects of the compliance and industry-centric approaches; process and network are therefore both crucial organizational considerations. 4. Responsive The organization may reflect the escalation/de-escalation pyra- A responsive Authority focuses on influencing FSPs´ compliance mid, illustrated below: teams dedicated to industry compliance behavior. The main perspective is motivational. The Authority´s and motivational analysis, as well as a well-developed public com- approach is aimed at stimulating FSPs to comply with regula- munication function; one or more departments dedicated to main- tions and possibly good conduct principles and other relevant taining the Authority´s network and routine supervision; and other standards (or, more broadly, to serve consumers’ interests ade- departments or teams specialized in heavy-handed styles of super- quately). Responsive supervision makes use of aspects of both a vision and/or enforcement. Its employees typically take pride in compliance and an industry-centric approach. their skill in managing the escalation/de-escalation dynamics that responsive supervision demands and in effectively harnessing an Responsive supervisory activity starts from the assumption that FSP’s motivations to influence its compliance behavior. The Author- FSPs will want to comply with regulations, and therefore the ity´s result reporting may stress both carrot and stick efforts: how Authority initially uses a light-touch supervisory approach (for it is successfully eliciting voluntary compliance while making a example, providing guidance, performing less-intrusive investi- deterrent example of unscrupulously noncompliant FSPs. gations). However, the Authority makes it clear that, in response to noncompliance, it will escalate to applying more pressure, up A core advantage of a responsive supervisory approach is that it to a heavy-handed enforcement approach. If, in response to such allows the Authority to be flexible in leveraging compliance moti- Illustration of a Responsive Supervisory Approach Enforcement Intense supervision Routine supervision Monitoring, analysis and support 48  |  An Introduction to Developing a Risk-Based Approach to Financial Consumer Protection Supervision vations. However, a disadvantage is that this apparent sophis- The Authority´s organization and way of working reflect the need tication can prove complex and may be hard to predict by its for flexibility, as each new problem that is identified requires a cus- stakeholders. tom-made supervisory team that is organized around (tailored to) this specific problem, with the right mix of knowledge and skills needed for this job. It is typically a project-based organization. 5. Problem-Focused The organization creates project teams to deal with a prioritized A problem-focused Authority focuses on identifying and fixing problem and dissolves them when a problem is solved, reduced issues in the supervised markets that threaten its supervisory satisfactorily, or proves unsolvable at reasonable costs. If a prob- objectives (for example, preventing or mitigating harm to con- lem is particularly large or complex, it may merit a portfolio of proj- sumers). The main perspective is pragmatic: the Authority is ects, each aimed at dealing with a composite part of the problem. focused on finding problem solutions that work. This includes using a broad range of supervisory techniques and may go beyond applying regulations (for example, averting FSP con- A clear advantage of a problem-focused approach is that it encour- duct that may be legal but is nevertheless harmful to consum- ages open-minded analysis and customized—and, therefore, ers, through informal interventions), if that is deemed effective to more likely effective—interventions in response to market issues. deal with an identified problem. However, as a disadvantage, this analysis and customization tends to be challenging, it might lack continuity, and it also implies that In terms of activity, this Authority expends significant effort on the solutions are hard to replicate effectively and therefore allow analyzing potential problems in its financial markets and identify- for only limited standardization and learning from previous inter- ing their underlying drivers or root causes. Indeed, such analyses ventions. and subsequent interventions may go through several iterations before arriving at the natural shape and size of the problem. Each substantial problem has its unique features that need to be con- Illustration of a Problem-Focused Approach sidered to devise a custom-made—and, if necessary, untested— solution. This Authority therefore does not limit itself to a fixed Consumer Problem set of instruments. For example, the Authority may find that small intermediaries pay insufficient attention to regulations and cor- responding official guidance documents, as they find them too Project team lengthy and formal to digest. Parallel to possible enforcement actions, the Authority might then distribute an easily digestible summary of its core messages and determine if this is more effec- Supporting tive in delivering these messages in this industry segment. supervisory functions Employees tend to take pride in their problem analysis skills, as well as in their capability to craft creative solutions. The Authori- ty´s preferred result reporting will include accounts of problems diminished or solved. NOTES 55. See, for example, Kasdorp (2018). 56. A substantive supervisory strategy geared toward achieving specified outcomes for financial consumers is sometimes referred to as a “customer-centric strat- egy.” Such a strategy may feature a risk framework that is geared toward measuring and analyzing the degree to which such specified outcomes for financial consumers are achieved. References AFI (Alliance for Financial Inclusion). 2016. Market Conduct G20/OECD Task Force on Financial Consumer Protection. 2018. Supervision of Financial Services Providers: A Risk-Based Financial Consumer Protection Risk Drivers: A Framework for Supervision Framework. Guideline Note No. 21, August Identification and Mitigation in Line with the High-Level Princi- 2016. https:/ /www.afi-global.org/wp-content/uploads/ ples on Financial Consumer Protection. OECD. https:/ /one. publications/2016-08/Guideline%20Note-21%20CEMC- oecd.org/document/DAF/CMF/FCP/RD(2017)3/FINAL/en/pdf RiskBased.pdf Izaguirre, Juan Carlos, Denise Dias, Eric Duflos, Laura Brix CBI (Central Bank of Ireland). 2017. A Guide to Consumer Newbury, Olga Tomilova, and Myra Valenzuela. 2022. Market Protection Risk Assessment. https:/ /www.centralbank.ie/ Monitoring for Financial Consumer Protection. Toolkit. CGAP, docs/default-source/regulation/consumer-protection/ Washington, DC. https:/ /www.cgap.org/marketmonitoring compliance-monitoring/reviews-and-research/a-guide-to- Kasdorp, Aute. 2018. Renewing Capital Market Supervision. consumer-protection-risk-assessment.pdf?sfvrsn=4 Amsterdam: Singel Publishers. Chalwe-Mulenga, Majorie, Eric Duflos, and Gerhard Coetzee. Sahajwala, Ranjana, and Paul Van den Bergh. 2000. “Supervisory 2022. “The Evolution of the Nature and Scale of DFS Consumer Risk Assessment and Early Warning Systems.” Basel Risks: A Review of Evidence.” Slide Deck, February 2022. Committee on Banking Supervision Working Paper No. 4, CGAP (Consultative Group to Assist the Poor), Washington, December 2000. https:/ /www.bis.org/publ/bcbs_wp04.pdf DC. https://www.cgap.org/sites/default/files/publications/ Toronto Centre. 2018. Risk-Based Supervision. Toronto Leadership slidedeck/2022_02_Slide_Deck_DFS_Consumer_Risks.pdf Centre. https://res.torontocentre.org/guidedocs/Risk- Dias, Denise. 2013. Implementing Consumer Protection in Based%20Supervision%20FINAL.pdf Emerging Markets and Developing Economies: A Technical Toronto Centre. 2019. The Development and Use of Risk Based Guide for Bank Supervisors. CGAP, Washington, DC. https:// Assessment Frameworks. Toronto Leadership Centre. https:// www.cgap.org/sites/default/files/Technical-Guide- res.torontocentre.org/guidedocs/Development%20and%20 Implementing-Consumer-Protection-August-2013.pdf Use%20of%20RBS%20Assessment%20Framework%20FINAL. FATF (Financial Action Task Force). 2021. Guidance for Applying pdf a Risk-Based Approach to Supervision. https:/ /www.fatf- WBG (World Bank Group). 2014. Establishing a Financial gafi.org/media/fatf/documents/Risk-Based-Approach- Consumer Protection Supervision Department: Supervisors.pdf Key Observations and Lessons Learned in Five FinCoNet (International Financial Consumer Protection Case Study Countries. Technical Note, March 2014. Organisation). 2018. Practices and Tools Required to Support https://openknowledge.worldbank.org/bitstream/ Risk-Based Supervision in the Digital Age. http://www. handle/10986/25894/111265-WP-P152000-PUBLIC- finconet.org/Finconet_Report_Practices-tools-for-risk-based- ABSTRACT-SENT-TechNoteBelarusFCPDeptFINAL. supervision-digital-age_November_2018.pdf pdf?sequence=1&isAllowed=y FinCoNet. 2020. SupTech Tools for Market Conduct Supervisors. WBG. 2017. Good Practices for Financial Consumer Protection: http://www.finconet.org/FinCoNet-Report-SupTech-Tools_ 2017 Edition. https://openknowledge.worldbank.org/ Final.pdf handle/10986/28996 FinCoNet. 2022. Supervisory Challenges Relating to the Increase WBG. 2021a. Consumer Risks in Fintech: New Manifestations of in Digital Transactions, Especially Payments. Briefing Note, Consumer Risks and Emerging Regulatory Approaches. Policy May 2022. http:/ /www.finconet.org/Supervisory-challenges- Research Paper, April 2021. http://documents.worldbank.org/ digital-transactions.pdf curated/en/515771621921739154/Consumer-Risks-in-Fintech- G20/OECD Taskforce on Financial Consumer Protection. 2014. New-Manifestations-of-Consumer-Risks-and-Emerging- “Effective Approaches to Support the Implementation of Regulatory-Approaches-Policy-Research-Paper the Remaining G20/OECD High-Level Principles on Financial WBG. 2021b. The Next Wave of Suptech Innovation: Suptech Consumer Protection.” OECD. https://www.oecd.org/daf/ Solutions for Market Conduct Supervision. Technical Note, fin/financial-education/G20-OECD-Financial-Consumer- March 2021. https://openknowledge.worldbank.org/ Protection-Principles-Implementation-2014.pdf handle/10986/35322 49