Special Contributor Report: The Costs of Compliance – Expectations for Bending the Cost Curve

By Gary Ferrari
A Financial Crime/AML and Compliance Risk Management Leader and Advisor in Banking and Financial Services for more than four decades
December 27, 2019

November 1991 marked the beginning of recorded time for compliance programs, when Congress enacted the U.S. Federal Sentencing Guidelines for Organizations, essentially compelling U.S. corporations and financial institutions to formalize effective compliance programs.

Since then, investments in personnel, technologies, and controls to develop and operate effective programs have charted a steady incline on the cost curve, with no signs of abatement yet in sight.

At the micro level, many organizations continue to attack that rising spending curve, trying hard to bend it in a downward direction.

The boards of several of the largest global banks have mandated compliance departments to stem the tide and push the cost curve at their own institutions in a more profit-friendly direction.

These cost-cutting edicts extend to north of $1 billion annualized. Now, keep in mind, that’s not the overall compliance operating budget – that’s what the budget overlords want to cut!

At the same time, Chief Compliance (CCO) and Anti-Money Laundering (AML) Officers remain charged with managing their institution’s regulatory and financial crimes risks under the constraints of fewer resources, legacy systems and workflow tools, manual processes, and disparate data sources.

These issues, cumulatively and individually, can absolutely hamstring a compliance department – in particular on the AML side.

That’s because so many things have to go right for an AML compliance department to function at a level that adequately mitigates its risks, or to do so up to the rising expectations of regulators.

For instance, AML teams need updated systems – hardware, software and at times even outside technology vendors – to have a robust transactional monitoring system that is properly tuned by underlying customer risk assessment data, algorithms and the latest transactional red flags, typologies and scenarios to properly create strong alerts.

Those alerts then have to be reviewed by AML teams – teams that themselves need deep and broad training along with extensive experience – who possibly check them against internal or external data and make subjective decisions to disposition the alerts into a suspicious activity report (SAR) or clearly and concisely detail why items were not escalated.

Moving from a focus on technical compliance to effectiveness

As a point of context, the accuracy of customer data, used to create customer risk assessments that sensitize the transaction monitoring system, in the eyes of many examiners, is considered the new foundation of AML compliance programs while the overall depth and breadth of data is viewed as the lifeblood of the overarching counter-criminal initiative.

At the same time, U.S. federal regulators – echoing mantras set out by global counter-crime standard-setting body the Financial Action Task Force (FATF) – are focusing more on the effectiveness of bank AML programs, not just the adequacy of following the law and being in “technical compliance” with regulations.

This was the main takeaway from a joint interagency statement in December by the federal banking and credit union regulators and the country’s financial intelligence unit which exhorted financial institutions to be more aggressive and innovative in tinkering with new AML technologies to improve efficiency, effectiveness and results.

So now, not only must bank AML teams contend with the unique obstacles older monitoring systems can bring to uncovering and reporting on instances of potential financial crime, they also have to deal with the extra pressure and tacit expectation they are actively going beyond the daily challenges of running a compliance department to also being a fintech hub humming with the promise of artificial intelligence, machine learning and automation.

Not surprisingly, for some institutions, that will be a particularly wide gulf to cross.  

Consequently, the current state of the financial services industry largely reflects operational inefficiencies, and expenditures that are ineffective at achieving the compliance mission.

Dealing with aggressive cost cutting targets: Balancing quality, battling scarcity

Naturally, with many institutions having aggressive cost takeout targets, it is vitally important to identify the key drivers of cost reduction without ceding effective service delivery or risk management.

The largest drivers of cost tend to accompany remediation, particularly when mandated by regulators through Matters Requiring Immediate Action (MRIAs) or worse, enforcement actions.

Under the duress of time constraints and threats of fines and penalties that can impact business growth, new product introductions, or a license to operate, management tends to overspend, or spends in an un-thoughtful way in order to “make it go away.”  

Worse, being ordered to operate under the watchful eye of a federally-mandated monitor drives costs higher, longer.

Let’s also not forget that the monitor reports directly back to the regulator, or regulators, overseeing the remediation and can be even more draconian than the government.

Think of this individual as an on-the-ground sentinel that is more aggressive than an auditor, is around more than an examiner and in some recent cases has even swayed judges because they believed an institution had not made enough meaningful progress to be in compliance with a heavily-negotiated settlement, like a deferred prosecution agreement.

The figures, as well, in these settlements have soared over the past decade. 

Currently, when it comes to financial crime compliance and sanctions penalties, the highest fine in recent years topped out at $9 billion – and as we mentioned, that is just the floor for how much an institution will pay to broadly bolster a sagging compliance function.

While experts will debate the exact figure, an AML remediation can easily cost the financial institution triple, quadruple or more of the original penalty.   

The lesson here is to run a compliance program effectively in the first place, so as not to get behind this Eight Ball. 

Cost considerations during BAU mode versus remediation escalations, descents

It is too easy to lose control of costs when having to hire external legal counsel, consultants, and contract labor to address a significant regulatory action and demonstrate sustained performance in curing it.

In business as usual (BAU) mode, key levers of compliance costs gravitate around systems, processes, and data.

Designing and managing these components thoughtfully will avoid bloat in staffing levels that invariably ramp up dramatically for remedial projects and then must be scaled back upon reaching the point of arrival – or the very subjective point of adequate compliance as perceived by the monitor, regulator or federal investigative agency.

Legacy systems allowed to outlive their useful lives create chaos and inefficiency in the forms of manual workarounds, consolidations, and non-integrated data sets due to lack of interface – and as we mentioned before, in the eyes of many examiners, data, and its accuracy, is the flowing lifeblood of any informed and dedicated compliance team.

But without the required data on customers or transactions and systems to properly analyze for aberrant patterns, that means more work for the human component of an AML team – and adds more pressure on their accumulated acumen for proper decision making.

Scrimping on AML systems now could contribute to compliance bloat later

Typically, human capital is deployed to compensate for the inefficiencies, performing comparatively menial task work in place of critical analysis and risk management duties.

Headcount expense bloats as a result and, left unchecked, repeats over multiple operating cycles.

Overlapping and redundant systems are another cost-sucking condition that tends to result from inertia when businesses and functions are not integrated following acquisition – the classic compliance trap of attempting to weave together data and systems that were never meant to talk to each other to converse like old friends.  

Their upkeep, on parallel tracks, along with personnel having to deal with duplicate or inconsistent output, also inflates headcount-associated operating costs.

This also raises the specter of certain customers, transaction histories and even oversight of current activities falling through the proverbial cracks, leading to suspicious activity being found years later by auditors or, worse, regulators who are none too pleased that a recently-merged institution is beset by compliance blind spots.

But there are ways to prevent these fraught and friction-filled scenarios from happening.

Smart capital investments in current and centralized technology will provide return on those investments in the form of permanent and repetitive reductions in annual operating expenses.

Processes that are manual in nature, or inconsistently applied, generate much human error and unacceptable results outside established or acceptable norms. The cost of making an error is the expense incurred in having to correct it.

When error-prone processes involve low-value, high-volume tasks, they become prime candidates for automation – particularly, robotic process automation that can drive significant savings in unit costs while reducing error rates.

When is the last time you heard a compliance leader speak about delivery of outcomes in terms of unit cost?

Better data capture at the front end can help form foundation for innovation

A bank making a move to automation and other cutting-edge technologies would also likely give the institution’s examiner a better sense of confidence in the operation’s compliance function, potentially leading to a less confrontational, and more collegial, exam.

Remember, with the December joint statement by groups like the U.S. Treasury’s Office of the Comptroller of the Currency (OCC), Financial Crimes Enforcement Network (FinCEN), Federal Reserve and others, examiners are hoping to see banks try different technologies in this new “era of innovation.”

One of the most surprising statements made in the communique: That examiners won’t “necessarily” criticize, condemn or penalize a bank if the new technologies they are testing find gaps the institution’s legacy systems had missed.

But the not-so-hidden message from regulators is that they want to see a shift – something that may well turn out to be the beginning of a tectonic movement – from AML compliance being a focus on process and rote tasks delineated by didactic regulations to a focus on results and outcomes delivered by lean, efficient and tactically-trained teams.

But at the heart of any AML program’s bid to bolster effectiveness while better balancing the budget is its handling of data.

Poor data management and governance practices can result in issues around data quality, completeness, or integrity, all of which can drive up the cost of compliance through the need for extensive validation, collection, or remediation.

These situations are often accompanied by repetitive and dissatisfying customer interactions. 

A word to the wise: get your data right at customer on-boarding, and endeavor to keep it current by following through with the refresh of customer due diligence profiles on a defined, regular cycle.

Doing so will avoid costly data clean-up exercises, hiring of surge labor to do so, and significant down-stream effects in the form of inadequate alerting and reporting of suspicious activity. 

Customer data is owned by the business, not Compliance, but Compliance must insist on highly effective governance standards and practices if the costs of compliance are to be reined in, contained, and kept from bloating.

The solution to bending the cost curve of compliance lies in the form of good governance.

About the author

Gary Ferrari is an accomplished executive and advisor across the Compliance and Financial Crime Risk Management landscape, a former Executive Director – FCC Advisory for Ernst & Young, and Vice President – Global Compliance & Ethics at American Express, where he co-founded the corporate compliance program in 1991.

In three decades of regulatory compliance experience, Mr. Ferrari has served in senior organizational leadership and governance roles integral to building, executing, and remediating regulatory and financial crime compliance programs in retail and institutional business lines in the U.S. and internationally.

He has designed the framework, standards and methodology for building and resourcing compliance programs, and overseen core compliance functionality, including strategy, governance, risk assessment, policy administration, learning programs, monitoring & testing, and issue escalation & reporting. And he has led AML Advisory, Technology, and Investigative client engagements.

Mr. Ferrari is a former member of the Board of Advisors for the NY Chapter of ACAMS, and was among the first group of AML practitioners to achieve the ACAMS certification, in the initial year it was offered.