Beyond Compliance: The Top 5 Risks & Opportunities in Financial Services Customer Communications

For banks, insurers, pension funds, debt collection agencies and building societies sending out hundreds, even thousands of customer communications per day, there will always be risks that have to be managed. Both to the business and to the customer. 

Staying compliant with standards and regulations that protect the resilience of the service, the security of customer data, and the security and sustainability of the supply chain is a good way to mitigate these risks, but it’s not always enough. 

Compliance regulations can only go so far. Cyber threats are always becoming more sophisticated, and vendor accountability gets more diluted as you go down the chain. So, there is a business case to be made for going further than compliance. To show customers and shareholders that the customer experience is important and the supply chain is as risk-free as possible.

In this article we will run through the top 5 risks to businesses and customers, and help you discover opportunities for customer communications management to go further – to do better than the bare minimum.

1. Consumer Duty

Consumer Duty is the FCA backed regulation that came into effect in July 2023 to increase the level of consumer protection in the retail financial services market. The intention is to influence financial firms’ culture and conduct, to embed the delivery of good outcomes across the entire customer journey.

Consumer Duty came into force for all open products and will expand to all closed products in July 2024.

What does compliance entail?

Compliance with Consumer Duty requires demonstrating that the business is driving better outcomes for customers. Firms have to be able to “​​assess, test, understand and evidence the outcomes their customers are receiving.” This means sending the FCA documentation such as product and service governance frameworks, fair value assessment frameworks and customer support monitoring policies. 

The risks of non-compliance

Non-compliance with Consumer Duty can expose financial services firms to reputational damage, disciplinary actions and financial penalties. The FCA enforces the regulation with proportionality depending on the vulnerability of customers, the complexity and risk of products, the size of the firm and the firm’s general ability to influence customers.

How to be compliant

Key areas of risk include inconsistent language, poor user interface design, insufficient accessibility and inadequate attention to the digital customer journey. 

Proactively tackling these risks requires firms to provide:

• Accessibility: Ensure that customer communications and platforms cater to users with diverse needs and preferences.
• Preferred channel: Adapt to customers' preferred channels of communication, ensuring seamless integration across different touchpoints.

A holistic approach to driving better outcomes includes multiple aspects of customer communications. Financial services firms should:

1. Improve the UX design of their platforms by analysing user needs and preferences, and adapting the design accordingly.
2. Enhance UI design to make digital interfaces intuitive, visually appealing and functional for the user, as well as offering a unified brand experience that customers can trust.
3. Use consistent language ensuring that the messaging is clear and easily understandable, but also feels like the customer is interacting with the same brand at all times.
4. Develop self-serve options within the customer journey, to help customers navigate the journey independently, and save their time and effort to do business with you.

Opportunities to go beyond Consumer Duty for better customer experience

Taking the following measures can help firms surpass compliance requirements and create a superior customer experience in financial services:

• Personalise the experience: Tailor products, services, marketing materials and communication to the customer's unique needs and preferences.
• Digitise the customer journey: Optimise the end-to-end customer journey by incorporating interactivity, easy navigation and useful functionality that reduces the need for customers to call into the contact centre.
• Proactive communication: Provide timely and relevant content to customers, anticipating their needs and pleasantly surprising them with value-added services and support.
• Voice of the customer: Continuously gather feedback, perform regular reviews, and iterate accordingly to stay aligned with customers' evolving needs.

We will be discussing the themes from this article at our conference on 21 November 2023, Small Steps to Transformational Change. To get your free tickets, register via the link below.

2. Data Security Management

The risks of poor data security management

Non-compliance with data security regulations and standards such as ISO 27001, GDPR, and the PCI Data Security Standard can lead to high penalties or financial fines, financial losses derived from data breaches, litigation, business interruptions, reputational damage and loss of customers. 

How to be compliant

Compliance with the various regulations and standards involves several key steps. First, organisations should adopt a strong data governance strategy, covering aspects such as data aggregation, management, storage, security, retrieval and destruction. Implementing proper data security measures like Transport Layer Security (TLS) 1.2 – which encrypts all data “at rest” (stored) and when it’s transferred mitigates against the threat of any vulnerabilities.

It is important to conduct regular risk assessments and penetration testing to identify potential security loopholes and vulnerabilities. Companies should also obtain certifications like Cyber Essentials Plus and adhere to guidance from the Data Protection Act, GDPR and other applicable legislation.

Financial institutions can streamline login processes and improve security by adopting single sign-on (SSO) authentication measures and employing robust identity management solutions like Azure. This ensures that users have a secure and efficient way to access the various systems they need.

Opportunities to go beyond compliance

Going beyond basic compliance means focusing on a proactive approach to data security, rather than merely checking off regulatory boxes. Financial services companies should consider the following steps:

1. Adopt a risk-based approach: Identify and prioritise data security threats based on the likelihood and impact, ensuring resources are efficiently allocated to address the most critical risks.
2. Develop a hybrid working security strategy: As remote work becomes more prevalent, consider adopting security measures that address the unique challenges of hybrid working environments. If remote employees are using hybrid mail to send physical post, ensure that TLS 1.2 is in place and all GDPR guidelines are followed.
3. Invest in staff training and awareness: Ensure employees are well-versed in data security best practices and understand how their actions can contribute to or mitigate risks.
4. Maintain an up-to-date security posture: Regularly update security policies, procedures, and technologies in line with evolving threats and industry advancements. 

By adopting these practices, financial institutions can not only achieve compliance but also build a strong and proactive data security culture that helps to safeguard against increasingly sophisticated cyber threats.

3. Quality Management

The risks of poor quality management

Poor quality management in customer communications that leads to an inferior service is likely to end up in a loss of customers, lower productivity and increased costs as confused customers call into the contact centre or begin to distrust the brand.

How to be compliant

As such, it is of great importance that financial services firms, or their CCM suppliers, adhere to applicable standards such as ISO 27001, ISO 9001 and BS 10008. While these kinds of standards are not regulations themselves, implementing their advice will help firms to be compliant.

Whether a CCM vendor or the financial services firm itself, anyone communicating with customers regularly and at high volume should establish effective quality management systems. One key component of these systems is quality control, which involves checking that processes and results meet specified requirements (like those laid out by ISO 9001 and BS 10008.)

Implementing quality management systems typically involves the following steps:

1. Developing a quality policy that communicates the firm's commitment to quality.
2. Establishing objectives and key performance indicators (KPIs) for measuring success.
3. Appointing a management representative responsible for overseeing the quality management system.
4. Establishing documented procedures to ensure consistency across all activities.
5. Regularly monitoring, measuring, and reviewing the effectiveness of the processes and making improvements as needed.

Opportunities to go beyond compliance

To truly excel in quality management, financial services firms should strive to go beyond basic compliance and incorporate a culture of continuous improvement. This can be achieved by adopting methodologies like Agile for sprint-based project management, and Prince 2 for large-scale structured projects with multiple stakeholders. Both are focused on delivering projects on time, within scope and on budget.

Furthermore, financial services firms can benefit from the following best practices:

• Emphasising the importance of communication and collaboration among employees.
• Providing ongoing training and development opportunities for staff.
• Constantly reviewing and updating policies, processes, and controls to ensure they remain fit for purpose.
• Setting a strong tone from senior management that demonstrates the organisation's commitment to quality.
• Engaging external experts to conduct independent audits and assessments to identify areas for improvement.
  
  

4. Environment Management

Risks of non-compliance

Non-compliance with environmental regulations and standards can pose significant risks to financial services firms. These risks include fines, reputational damage and potential loss of business. Failure to adopt sustainable practices may lead to increased operating costs and material waste, further impacting the bottom line.

Adhering to standards such as ISO 14001 and certifications from the Forest Stewardship Council (FSC) or the Programme for the Endorsement of Forest Certification (PEFC) can help mitigate these risks by demonstrating commitment to responsible environmental management and supply chain practices.

How to be compliant

To achieve compliance with environmental regulations and standards, financial services firms should consider the following actions:

• Obtain an ISO 14001 certification, which demonstrates commitment to managing environmental impacts.
• Pursue a chain of custody licence from organisations such as FSC or PEFC, ensuring that products sourced from forests are responsibly managed.
• Assess and monitor suppliers through platforms like EcoVadis, which provides sustainability ratings for global supply chains.

Opportunities to go beyond compliance

Taking additional steps beyond fundamental compliance can help financial services firms achieve enhanced environmental management outcomes. These steps might include:

• Reducing paper consumption by embracing digital communications and signing processes. This not only conserves resources but can also lead to cost savings and operational efficiencies.
• Establishing robust sustainability policies that align with the United Nations Sustainable Development Goals and are visible to stakeholders.
• Implementing ongoing supplier assessments to identify environmental risks within the supply chain and enable procurement of more sustainable products or services. Good signs are vendors who use Microsoft Azure, which is committed to being carbon neutral by 2030.

By proactively addressing environmental risks and going beyond basic compliance, financial services firms can enhance their environmental management practices, demonstrating their commitment to sustainability and creating long-term value for stakeholders.

5. Business Continuity

Risks of non-compliance

Non-compliance with business continuity standards such as ISO 22301 can lead to significant risks like operational disruptions, financial losses, reputational damage and legal penalties. Implementing a robust business continuity plan (BCP) and disaster recovery (DR) strategy can help mitigate these risks by ensuring that critical systems and data are protected and recoverable in the event of a disruption.

How to be compliant

To achieve compliance with ISO 22301 and other relevant standards, financial services firms should consider implementing the following measures:

• Multiple sites: Maintain redundancy at data centres and operations across multiple geographic locations to ensure resilience in case of a site-specific incident. If using a CCM supplier, ensure they have more than one location for printing physical mail.
• Disaster recovery (DR): Implement comprehensive DR plans that outline the steps to be taken in the event of a disruption, with clearly defined recovery point objectives (RPOs) and recovery time objectives (RTOs).
• Data centre protection: Employ robust physical and digital security measures to safeguard data centres, including fire suppression systems, intrusion detection and access control. Single Sign On with cloud infrastructure such as Microsoft Azure.
• Resilience: Design IT systems and infrastructure for high availability and resilience, using technologies such as Kubernetes for container orchestration and automated failover between data centres.
• Business continuity planning: Regularly review and update BCPs, including conducting business impact analysis (BIA) to identify critical processes and resources, and testing the plans to ensure their effectiveness.

Opportunities to go beyond compliance

In addition to meeting compliance requirements, financial services firms can implement the following strategies to enhance their business continuity and disaster recovery capabilities:

1. Incorporate emerging technologies: Leverage new and emerging technologies as new ways to apply automation with machine learning to business continuity processes to improve the accuracy and efficiency of disaster recovery planning and execution.
2. Continuous improvement: Implement a continuous improvement process for business continuity, with a focus on regularly reviewing and updating BCPs, DR plans, and related documentation to ensure their effectiveness and learning from any disruptions or testing outcomes.
3. Train and empower employees: Foster a culture of resilience by providing regular training and awareness programmes to employees, empowering them to identify, report, and respond to potential risks and vulnerabilities.
4. Collaboration with external partners: Collaborate with external stakeholders such as regulators, suppliers and industry peers to share best practices, threat intelligence, and strategies for enhancing business continuity and disaster recovery capabilities.
5. Prioritise ESG factors: Incorporate environmental, social and governance (ESG) factors into business continuity planning and disaster recovery strategies to ensure long-term resilience and sustainability.