Many financial crime compliance teams are struggling under the strain of new, ongoing and overlapping international regulations, higher regulatory expectations to flawlessly implement complex initiatives, and the challenge of finding, training, retaining and compensating qualified staff.
Those are just some of the conclusions of the “Cost of Compliance 2015” report, released earlier this year by Thomson Reuters, which queried nearly 600 practitioners, including heads of compliance and others from financial services firms around the world, between November 2014 and January 2015. They were asked to detail compliance costs and challenges and what they expect in the coming year. The full report can be accessed here.
The prognostications in the survey have proved prescient as state and federal regulators have sustained their heightened scrutiny and penchant for penalties, highlighted last week with French banking giant Credit Agricole’s agreement to pay nearly $800 million for sanctions stripping violations, the $15 million penalty against BNY Mellon for violations of the Foreign Corrupt Practices Act, a banking first, and the US Treasury currently pressing banks to consider cybersecurity risks at the same level as capital requirements and other financial crime risks.
The densely packed, 20-page report issued in the second quarter is worth revisiting as it gives a stark glimpse of the at-times harried internal interplay of human and virtual machinery to detect and prevent a broad swath of financial crimes, including money laundering, corruption and tax evasion. A continuing and worrying trend is that these problems are expected to worsen.
“There is a developing danger that compliance budgets and the availability of skilled resources is not keeping pace with the level and depth of the current compliance challenges facing firms,” according to the report.
“It is not that compliance budgets are not expected to continue to rise; it is more that, increasingly, they may not be sufficient to give beleaguered compliance functions a fighting chance of dealing with the mounting challenges.”
In fact, the report notes that cybersecurity teams should also have a seat at the compliance table as the risk of hacker attacks rises.
The findings in the report make it clear that for compliance officers and financial institutions as a whole to better insulate themselves from criminal infiltration and regulatory fury, they need to break down the silos between AML, fraud and cyber teams, said Garry Clement, president and chief executive of Clement Advisory Group, and the former director of the National Proceeds of Crime program for the Royal Canadian Mounted Police.
“The problem in most banks is that they are siloed in terms of compliance structures, with AML, fraud and other areas and they need to get outside the box and talk about financial crime controls in a more holistic manner and take a more unified approach,” he said.
Compliance resources ‘not keeping pace’ with threats
The findings are clearly informed by what have been, in recent years, record-setting anti-money laundering (AML) and sanctions penalties, which have soared into the billions of dollars, an increased focus on individual penalties for broad compliance failures and high-profile cyber attacks that have perforated some of the nation’s largest banks and retailers.
The survey highlighted that while large, global systemically important financial institutions (G-SIFIs) faced the highest expectations for resources to analyze fluctuating regulations and stay nimble, smaller and medium-sized operations in many instances may not have the systems and expertise to create compliance programs that can consistently pass muster with examiners.
“Pulling the results together as a whole there is a growing sense that the compliance functions of non-G-SIFI firms are already feeling the strain of being stretched too thinly,” respondents told Reuters.
In the latest survey, however, respondents detail a marked shift in the compliance industry’s efforts to convince regulators and investigators their programs, processes and people are adequately complying with the letter and spirit of these laws, believing that more compliance officers could find themselves overwhelmed and exhausted.
Report notes potential rise of ‘regulatory fatigue’
“After several difficult but broadly speaking positive years for compliance functions, the 2015 findings show the first warning signs of potentially serious resource constraints,” according to the report. “One increasingly clear and present danger is that of regulatory fatigue.”
“Compliance functions continue to face diverse and demanding pressures, with shifting supervisory expectations, no let-up in the volume of regulatory change and the start of many of the big implementation programs for major complex legislation,” according to Reuters. “At the heart of the survey results is the sheer volume of change that continues to be expected: a repeat finding.”
Last year was also one of record fines, but “critically it was also a year when the sweep and scope of non-monetary enforcement action came to the fore as regulators used ever-more creative approaches in their drive to instill ‘good’ behavior in firms and individuals,” according to Reuters.
Respondents reported that they expect to see “no let-up in 2015 and that the challenges are set to increase further with the expected embedding of the more qualitative aspects of culture and conduct risk, together with a focus on personal liability,” according to the report.
High-quality compliance skills are “becoming more and more sought-after and the resources assigned to risk and compliance need to reflect the cost of the experienced resources needed to deal with the perfect storm of complex regulatory developments, a less prescriptive, judgement-based style of supervision together with a significant increase in personal liability,” according to the report.
To counter the inability to find the right people, banks are considering growing them in house, according to the report. “Firms may well wish to implement their own compliance training programs to begin to build the in-depth strength needed for compliance and risk skills.”
Here are some of the takeaways from the report:
- Never-ending change: Compliance officers are clearly experiencing regulatory fatigue and overload in the face of snowballing regulations. Seventy percent of firms are expecting regulators to publish even more regulatory information in the next year, with 28 percent expecting significantly more.
- Regulatory analysis: More than a third of firms spend at least a whole day every week tracking and analyzing regulatory change. Global regulatory change is creating the biggest challenge due to inconsistency, overlap and short time frames.
- Interpretative dance: Understanding regulators’ expectations and requirements and being able to interpret and apply them is as great a challenge as keeping abreast of the changes.
- Rising risk: Three-quarters of firms are expecting the focus on managing regulatory risk to rise in 2015. This is predominantly due to the greater regulatory focus on conduct risk.
- Personal liability: 59 percent of respondents, up from 53 percent in 2014, expect the personal liability of compliance officers to increase in 2015, with 15 percent expecting a significant increase. Twenty-one percent of G-SIFIs expect a significant increase in personal liability.
- Resource challenges: These range from recruitment challenges in finding and retaining suitably skilled staff to increasing pressure on budgets. Two-thirds of firms are expecting skilled staff to cost more in 2015.
- Bored boards: Regulatory matters are consuming disproportionate amounts of board time, from correcting non-compliance and preventing further sanctions to implementing structural changes to meet new rules.
- Coordinating controls: Interaction and alignment between control functions continue to show a lack of coordination. Nearly half of compliance functions are spending less than an hour each week with internal audit.
- Higher expectations: G-SIFIs, in comparison with the full population of respondents, have the greatest expectations about budget and resources available for tracking and analyzing regulatory change, updating policies and liaising with regulators.
Cyber concerns, penalties rising
The report also touched on the intersection of classic compliance programs and information technology, or cybersecurity, and the regulatory risks that come with hacker attacks and data breaches, which have become frontline issues in recent years.
Indications of the likely regulatory response to a cyber attack which affects customers can be seen in the related fines handed down by the Central Bank of Ireland and the UK regulators, according to the report.
In November 2014 the Central Bank of Ireland fined Ulster Bank 3.5 million euros and reprimanded it for IT and governance failings which resulted in 600,000 customers losing banking services for 28 days in June and July 2012. The fine and the reprimand were in addition to a customer redress program which has already paid out approximately 59 million euros.
In the UK the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), for the first time, took concurrent enforcement action against three banks in the Royal Bank of Scotland Group.
The PRA fined the Royal Bank of Scotland, National Westminster Bank and Ulster Bank £14 million and the FCA levied a fine of £42 million.
“In a clear warning for the future, the PRA stated that action had been taken because the proper functioning of IT risk management systems and controls should be an integral part of a firm’s safety and soundness,” according to the report.
The focus on cyber is “growing in leaps and bounds,” Clement said, adding that the future of financial crime compliance could be individuals across the program having a more “broad-based skill set,” including cyber, AML, fraud and institutions looking at compliance as less a cost center and more a “strategic investment in the future.”