The 1LodD team has published a report summarizing key insights from its XLoD 2024 Conference in London (to avoid frustration, click on the report cover to access this document as, at the time of publication, the “read the full report” button is incorrectly linked).

The GRIP team covered some of the key sessions at this outstanding event, but the report is well worth examining closely because it is brimming with useful information and insight. It also does an excellent job of summarizing some of the key current compliance trends and challenges.

Particularly interesting to us here at GRIP was the highlighting of the persistent and serious issues with data as a result of years of inattention to this “strategic asset.” These issues have led to some significant enforcement actions recently, including a steep fine against JPMorgan for venue data incompleteness.

There is no doubt that an adequate focus on, and investment in, the technology that ingests, routes and disseminates data within organizations is critical. As is the adequate resourcing of teams who maintain, supervise and interpret the datasets that a firm holds and utilizes, both internally and in its regulatory reporting.

Increasing data literacy within an organization is one possible way of improving outcomes.

The report suggests that attendees are well aware of both the challenge, as well as the need to address this persistent area of weakness – 75% of respondents to one of the conference polls believed that core data quality and availability was the most significant data issue in their organization.

An attendee is quoted suggesting that increasing data literacy within an organization is one possible way of improving outcomes. And while we agree that it is a laudable objective, it does come with its own challenges, not least of which is the fact that, for many, data is just as “interesting” as compliance and regulation!

It was also unsurprising, given the regulatory focus on this area, to see resilience and third-party dependencies appearing as a key risk and a priority for firms.

Cyber threat

This is not only the result of a persistently elevated cyber threat level, but also the consequence of the high levels of interconnectedness within the financial ecosystem. Market players have also begun to acknowledge the sector’s excessive levels of dependence on a few critical third-party providers, particularly those supplying cloud services in one form or another to the vast majority of firms and institutions.

Continuous regulatory scrutiny in this area, including the impending DORA regime in the EU, is also resulting in firms paying much closer attention to resilience in general and their relationships with third parties more specifically.

Data and the management of third-party service providers and their respective associated risks are also increasingly overlapping areas. In the EBA’s key findings from the 2024 ESA dry run exercise that tested for firm preparedness for DORA, the regulator observed a “high degree of data quality issues.”

The EBA’s report tries to put a positive spin on this, stating that it was “expected and is in line with the ‘best effort’ nature of the exercise.” The fact that 86% of all data errors were connected with missing information that was mandatory, highlights the extent of the data challenge for firms who are expected to be compliant (or at least well under way to being compliant) with this third-party regulatory regime later this month.

The focus on uncovering issues and vulnerabilities before they become a serious problem is particularly pressing when it comes to operational matters.

Another fascinating trend, and one that we will cover in more detail in 2025, is the emergence of the internal audit function as “outputs-focused” and “strategically aligned, outcomes-driven, and deeply embedded in organizational governance”. 

The focus on uncovering issues and vulnerabilities before they become a serious problem is particularly pressing when it comes to operational matters, as well as cybersecurity. The suggestion of one attendee quoted in the report was that there may be a “gap between expectations and actual readiness” of organizations because “scenario testing simply is not severe or realistic enough”. This is a good prompt for some reflection and a long hard look at existing systems and processes.

The tail end of the report includes the results of the polls held at the event and these are well worth reviewing in detail, if only to benchmark against current industry trends.

The data supports the conclusions drawn in the report itself and also points to a few likely regulatory and enforcement trends for 2025.

Data capture

So, for example, 42% of respondents were “not confident in the level of capture of trading venues” believing that there will likely be “a number of exceptions” when it comes to data capture. Given this, and the data issues highlighted in the report (and briefly summarized above), it seems quite likely that we will see further regulatory and enforcement action in this area in 2025.

More than 74% of respondents agreed or strongly agreed that when it comes to non-financial risk management their organization’s technology strategy “requires a fundamental overhaul” if regulatory requirements are to be met. And these inadequacies in technology may well compound existing cultural issues, such as inconsistency in the treatment of staff or a “say-do gap between management words and actions”, highlighted as key problems at organizations by 34% and 40% of respondents respectively. Non-financial misconduct and risk is therefore likely to remain in the headlines in 2025.

There is a lot more to unpack in this highly recommended read, which should be of particular interest to those with strategic planning responsibilities in risk, compliance, audit and other connected areas.