May 2019

SGV thought leadership on pressing issues faced by chief executives in today’s economic landscape. Articles are published every Monday in the Economy section of the BusinessWorld newspaper.
20 May 2019 Carlo Kristle G. Dimarucut

Risk and cybersecurity for critical infrastructure

When we talk about cybersecurity, we usually think of information technology systems that manage and access data. But there’s another side of technology that is often overlooked by enterprise security processes — the industrial control systems that handle physical processes through monitoring or direct control, such as valves, pumps and similar systems that have a physical “switching” function. The reason for this is that most of these systems have traditionally been isolated from corporate information networks, operated separately as they have functions outside of processing data — such as regulating power or water flow for utilities companies, the control network of a train system, or medical scanning equipment in a health care entity. However, as business operations and processes become more complex and data-driven, there has been an increasing need to connect industrial control systems to corporate information networks in order to provide access to vital or relevant information. One example is how power companies are transitioning to digital metering to promote more accurate power quality monitoring and reporting. These systems will need to be connected to the power company’s data systems to link to customer data and information. Because of this growing interdependency between IT systems and industrial control systems, businesses will need to revisit how they understand cybersecurity within these types of operational technologies. The government has recognized this growing problem and in 2017, through a Department of Information and Communications Technology memo, introduced guidance on how to secure “critical infrastructure” i.e. banking and finance, power and utilities, transportation, health care, telecommunications, and similar industries that are vital to public health, safety or well-being. Considering that these systems are linked to real physical systems, organizations will need to find ways to seamlessly integrate these systems while ensuring physical and logical security. INTERCONNECTION CHALLENGES The rapid deployment of digital technologies and web-enabled devices brings many advantages, but also increases cybersecurity risks. Because industrial control systems are increasingly being linked to broader IT systems, cyber attacks have more potential to breach customer and employee privacy and incur regulatory action. This can even disrupt critical infrastructure operations and put lives at risk. Every new device connected is one more device that can be compromised by a potential attacker. In 2017, WannaCry ransomware became a wakeup call when it hit critical infrastructure, impacting over 10,000 organizations in over 150 countries, including those in the health care industry like the UK’s National Health Service. Although there is no evidence that any patients died directly from the attack, thousands of hospital computers were made unavailable, forcing doctors to physically transport lab results by hand and cancel at least 20,000 patient appointments. In the same year, the NotPetya ransomware attack struck at numerous companies including Maersk and Mondelez, which cost them an estimated $300 million and $100 million, respectively. Overall, the attack did an estimated $10 billion in total damage. Attacks can also come from unexpected directions, such as the instance when US retailer chain Target was hacked through its heating, ventilation, and air-conditioning (HVAC) systems. Companies that are interconnecting industrial control systems need to understand and manage these threats as not just a significant risk, but potentially a public safety concern. Industrial control systems will now need to be integrated into overall corporate IT and risk management, instead of being managed in silos. In this broader risk landscape, companies need to consider that: – A successful attack is inevitable — it is just a matter of when and how much. Organizations get lulled into thinking that they can deploy enough solutions or spend enough money to protect themselves. Organizations will have to live with managing the risk, and not trying to fully eliminate it. Knowing how to react and having the resilience to withstand a cyber attack is the best strategy. – Interconnection will happen whether organizations like it or not. Vendors recognize that interconnectivity for industrial systems is a wave they have to ride and features for such are already being embedded in the systems that organizations are purchasing. It must be recognized that these features are present and have to be addressed from a policy level. WHAT ENTERPRISES CAN DO TO HELP PREEMPT CYBER ATTACKS There are some actions that companies can take to help manage their risks in the face of today’s emerging cybersecurity threats. In the short term, companies should ensure that their security monitoring programs cover everything that it needs to cover. Most security monitoring purchases are limited to corporate information systems. Boards should ask their security departments whether their companies’ current attack detection capabilities extend to industrial control systems. Since interconnectivity is inevitable, organizations have to extend cybersecurity practices and adopt them more diligently when it comes to industrial control systems. Such practices include implementing standard security baselines, supported by effective incident response plans. LOOKING AHEAD Enterprises identified as part of the country’s critical infrastructure need to take steps to “future-proof” their business. This includes developing more agile and resilient responses to the disruptions being brought about by technology, evolving regulations and compliance challenges across their industry. Organizations within the scope of critical infrastructure need to accept that regulation over cybersecurity controls and breach reporting will become part of their businesses. Investing in cybersecurity systems needs to be considered as part of the cost of doing business. On the other side of the coin, investment in cybersecurity is an expense that most organizations will not be able to recover directly through traditional return-on-investment models. This is why governments should consider awarding tangible incentives to encourage cybersecurity spending and not just award beyond mere seal of approval from government agencies. However, given the significant risks and threats posed by cyber attacks, can any company actually afford not to invest in cybersecurity? This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co. Carlo Kristle G. Dimarucut is an Advisory Senior Director of SGV & Co.

Read More
14 May 2019 Lee Celso R. Vivas

Tomorrow’s tax professionals

The global business environment continues to evolve at a rapid pace, with factors such as globalization and technology disrupting traditional roles, processes and operations. One of these areas is in the tax landscape, where the changes are fundamentally and permanently changing how tax professionals operate. A recent article published in Ernst & Young’s Spotlight on Business magazine, “Three trends shaping taxation for business,” identifies some significant traits that are redefining the tax function, as well as the role of tax practitioners all over the world. These trends include: MORE COMPLEXITY With recent collaboration among global tax administrations, such as with the Base Erosion and Profit Shifting (BEPS) project implemented by the Organization for Economic Co-operation and Development, signatory countries now have minimum standards to adopt in order to review bilateral tax treaties and enable better tax compliance, close taxation gaps and review business structures, supply chains and operations. With increased data submissions (like Country-by-Country Reporting) and automatic exchange of information being adopted by more countries to facilitate tax transparency, companies will need to consider more complex standards in their tax compliance strategies. MORE DIGITAL CHALLENGES Because of the speed at which digitalization is spreading, traditional tax rules are often hard pressed to keep up, creating uncertainty. However, there is still no clear guidance or consensus for tax administrations on how to address the challenges of the digital economy. This lack of clarity means that each country may choose to find its own solution to address the taxation of the digital economy. This may pose more challenges in the future in trying to create a consistent body of digital taxation standards on a global level. MORE POWERFUL TAX ADMINISTRATIONS Digital technology is changing how tax administrations interact with taxpayers and other tax authorities. With direct access to taxpayer data, tax administrations are increasingly relying on data analytics to help them step up tax collection and target tax audits. Some countries are even initiating real-time data collection from taxpayers with machine-based tax assessments and collection. Empowered by digital and technology, tax administrations are expected to have more tools and processes to ensure tax compliance. With these three emerging trends, how can future tax professionals evolve to meet the demands of tomorrow’s tax practice? TECHNOLOGY ENABLEMENT Traditionally, tax professionals and IT consultants are widely different personalities with entirely different skill sets (e.g., the highly specialized tax professional versus the highly specialized technology or IT professional). However, as we move further into the digital age, the gap between the tax professional and the IT professional will continue to narrow. While the tax professional of the future does not necessarily have to also be an IT professional, they will still need to acquire a modicum of technology proficiencies to complement their tax technical skills. At the minimum, the future tax professional must be able to understand and appreciate emerging technologies and how they affect the tax function and the tax environment. COLLABORATION AND MULTI-SKILLED TEAMS Traditionally, the world of tax compliance was a simple relationship between the tax preparer/reviewer, the tax return and the local tax authority. As the tax environment becomes more and more digital, the number of elements involved and the interrelationships among these parties will become increasingly complex — these include (among others) the taxable event/transaction (data source), the accounting/recording process, the accounting system, the tax preparer, the digitally empowered tax administration, and multi-jurisdictional reporting – each with its own tools and technology enablers. Different elements and technologies will require different skill sets to address. Working in such a dynamic tax environment therefore requires a flexible, multi-skilled service team, in some cases even capable of working across multiple tax jurisdictions. And given the pace at which the tax environment is evolving digitally, “mixed teams” of people who are either tax or technology proficient will ultimately evolve into “blended” teams with blended skill sets (e.g., tax people who understand tech, tech people who understand tax). SHIFTING FOCUS TOWARDS ANALYSIS AND SOLUTIONS As digitalization and automation become more and more widespread, the fear of the traditional tax professional is that he may eventually become obsolete. Tax return preparation will eventually become automated, and there are already many tools in the market that can help to sift, process and analyze high volumes of digital tax data (or tax Big Data). Traditional tax compliance skills (i.e., tax return preparation, filing, reconciling books vs. returns, etc.) may soon lose value. Tax professionals, as tax “advisors,” must therefore be able to elevate their roles from “preparers and processors” to “reviewers and analysts.” In recent tax audit case, for example, a BIR examiner had asked the taxpayer to check the completeness of the sales reported in the taxpayer’s VAT returns by reviewing and matching transactional level sales data – data that consisted of hundreds of thousands of transactions, each with dozens of fields of information, resulting in millions of data points that needed to be analyzed. If we were to apply traditional worksheet/spreadsheet skills, it would have taken months to perform such a task — if it was even possible to process the big data through traditional means in the first place. With various big data tools available, reconciliations and exception reporting may soon be “automated,” performed in minutes, and ultimately rendering these traditionally man-hour based tasks obsolete. In order to stay relevant, tax professionals must be able to elevate their roles by understanding the complex tax environments in which they operate and being able to provide answers to questions such as “What went wrong?” “Why did it go wrong?” and “What can we do about it?” Moreover, as submission of tax digital data to tax authorities moves towards real time or near real-time, traditionally sought-after corrective or remedial tax advice might likewise soon become irrelevant. Traditionally, the practice of tax required highly specialized understanding of tax rules and regulations, which may be something that has defined the persona of tax practitioners. However, given the trends shaping taxation in the future, tax professionals may have to learn to be more adaptable and transformative, both personally and professionally, to stay relevant to tomorrow’s tax expectations. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co. Lee Celso R. Vivas is a Tax Partner of SGV & Co.

Read More
07 May 2019 Armando N. Cajayon, Jr.

Banks and fintech: the next step

In recent years, the Philippine banking ecosystem has undergone rapid digital transformation driven by sweeping technological advances. The Philippine Banking Almanac states that the Philippine banking industry started as a government venture to provide deposit services and fund production in the agricultural and commercial industries. That was 160 years ago and since then, the industry has evolved to include various aspects of financing, up to the ubiquitous digital systems that are now used all over the world. This is no surprise since the banking industry has always been characterized by continuous, customer-driven innovation. RISE OF E-BANKING E-banking first revolutionized the Philippine banking industry in the 1980s with the introduction of automated teller machines (ATMs). These machines eliminated several geographic and time constraints as they allowed customers in urban areas to conduct cash withdrawals and deposits on an everyday basis. In 1999, the invention of smartphones, coupled with developments in the telecommunications industry, paved the way for early versions of mobile banking. Customers could now conduct basic banking transactions such as balance inquiry and fund transfers to accounts within the bank using a short messaging service (SMS). This was followed by internet banking in 2000 which allowed customers to accomplish transactions through computers and the Internet. It was at this point that banks started to veer away from their traditional bricks and mortar operations, integrating both online and offline operations into their physical presence. FINTECH SOLUTIONS AND OPPORTUNITIES As technology continued to improve alongside the increase in mobile ownership and Internet subscriptions, the next few years saw a rise in the adoption of financial technologies (FinTech). Financial services became further digitized with the invention of mobile wallets, payment gateways and virtual currencies. These services are now more accessible and convenient than ever as Filipinos can conduct transactions, pay bills, and purchase goods and services using applications on their personal computers or smartphones. However, most of these innovations are not actions of banks but initiatives of FinTech companies that envision providing enhanced financial services at a reduced cost. FinTech solutions present many opportunities for the Philippines that can be summarized in three main points. First, it reduces the country’s dependence on a paper-based payment system. A 2015 case study by the Better Than Cash Alliance (BTCA) titled Leaving money on the table: The corporate and SME experiences of digitizing business payments in the Philippines found that digital payments could save Philippine banks about $1.52 per transaction. Also, a digital payment system reduces the risk of graft and corruption because records are automatically created as money passes between accounts. Second, FinTech can spur greater financial inclusion. The 2017 Global Findex report by the World Bank revealed that majority of Filipinos remain unbanked with only 34.5% of adult Filipinos holding formal financial accounts. Access to financial services remains a challenge because it is difficult for banks to establish physical branches across the more than 7,000 islands that comprise the Philippines. However, FinTech services transcend geographical barriers by granting accessibility through technological platforms. Third, it provides SMEs with alternative financing opportunities. According to a 2019 study by the Milken Institute, FinTech in the Philippines: Assessing the State of Play, SME lending only made up 2.5% of the total lending portfolio of commercial banks. Sources of capital are a pressing issue for small business owners who are unable to fulfill the loan requirements set by banks. FinTech start-ups have developed an alternative credit-scoring system that can assess the repayment capacity of potential borrowers, allowing Filipinos without a formal credit history to apply for loans. COLLABORATION AND INNOVATION Today, FinTech has become a major industry composed of start-ups that are creating solutions for payments, consumer lending, financing for SMEs, remittances, logistics and transportation, and investments. The 2017 EY FinTech Adoption Index emphasized the recent rise in the percentage of digitally active FinTech consumers. The survey conducted across 20 selected markets revealed that 50% of consumers use FinTech money transfer and payment services. Furthermore, 64% of consumers prefer using digital channels to manage several aspects of their lives. The study revealed that global FinTech adoption could increase to an average of 52%. The expansion of the FinTech industry is also due to the efforts of the Bangko Sentral ng Pilipinas (BSP) to continually update and reform much of their regulatory framework in response to the recent financial services trends. As the industry continues to gain momentum, it also gains capital from investors. In fact, over P5 billion was invested in the Philippine FinTech sector in 2018. These companies have been steadily gaining customers, expanding their market share, and competing with the banking industry. However, partnership and collaboration — not competition — between banks and FinTech companies can maximize innovation and unlock the potential of the Philippine banking industry’s digital future. Essentially, banks and FinTech companies share the same goal: to deliver better financial services, improve regulatory compliance and reduce long-term costs. FinTech companies offer a wide range of products such as robotic process automation, data analytics and artificial intelligence that can greatly enhance the business operations of banks. They are also more flexible in integrating and working with cryptocurrencies, rewards and loyalties in the form of tokens, and becoming the cash in and cash out alternatives. In addition, some FinTechs are capable of giving their partners and clients revenue in the form of rebates or commissions through services such as mobile e-loading and financial transactions. Meanwhile, banks are adept at handling the common challenges faced by FinTechs such as the significant costs incurred due to customer acquisition and the barriers encountered in cross-border business. Banks are also experienced in handling costly compliance matters such as Anti-Money Laundering Act (AMLA) and Know-Your-Customer (KYC) regulations. The anonymity that online financial services provide poses risks to AMLA and KYC regulations as cybercriminals and money launderers may see FinTechs as instruments for financial crimes. To better protect financial institutions from money laundering and other financial cybercrimes, BSP issued Circular no. 950 which contains additional requirements for AMLA and KYC compliance. Complying with these regulations is expensive and can greatly impact the finances of FinTech startups, but these costs are bearable for large financial institutions such as banks. Thus, FinTechs can benefit from the banks’ compliance and regulatory competencies, especially if they are already reaching their marketing saturation points. With the relative advantages of each side, it is clear that strong collaboration between banks and FinTech companies have great potential and opportunities that can result in relevant and sustainable solutions for their customers. In order for banks to form successful strategic relationships with FinTechs, they need to clearly define their digital solutions goals. Then, they must work together to design a FinTech framework that best suits their business needs, size, culture and operations as well as their customers’ banking needs and expectations. Banks should also encourage innovation initiatives that promote their long-term growth strategies. FUTURE OF THE FINANCIAL SERVICES INDUSTRY The change-driven history of financial institutions demonstrates that adopting emerging technologies unlocks many opportunities. Today’s digitally competitive business landscape requires leaders of financial institutions to embrace sustainable technological transformation and pioneer innovation. In turn, these efforts will lead to financial services that deliver prime transformational value to Filipinos, ultimately boosting their financial well-being and strengthening the economy. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co. Armando N. Cajayon, Jr. is a Principal in the Advisory Services of SGV & Co.

Read More
Leading the way in business

Other SGV News and Publications