Please address correspondence to the managing editor, Rob Monish ([email protected] Com). Compliance and Control 2. 0: Unlocking potential through compliance and laity-control activities From the periphery to the center In recent years, with the increased awareness that operational and control failures can be extremely costly, banking compliance and quality control has become much more relevant to senior executives. Greater business complexity has introduced new compliance challenges that have been augmented by formal regulatory requirements.
The established role of compliance and control to simply observe laws and follow regulations is now being replaced by an integrated, much broader view on requirements and standards necessary to conform to. Compliance requirements increasingly derive from emerging industry standards, internal business or ethical guidelines, or awareness of reputation risks; they also derive from transparency requirements and assurance of quality and control of governance, processes, methods, and IT or infrastructure in such critical areas as risk and finance.
In particular, we observe “ex post compliance failures” in banking, that is, personal liability for actions that were viewed as standard market practices a few years ago, but carry compliance relevance today, for example, with regulatory capital relief trades. Exhibit 1 provides an overview of the key areas of compliance and control across banking institutions. In addition, the task of compliance and control today has become much more complex for institutions that have breaching global footprints and therefore face myriad local laws, regulations, supervisory authorities, cultural differences, languages, time zones, and so on.
We estimate that an effective compliance and control system consumes three to five times (in some cases, even more) as much profit as it did 10 years ago. On the other hand, noncompliance or control failures due to limited management transparency or insufficient quality intro of governance, processes, or systems have become much more expensive than in the past. Board directors and top management face increasing levels of personal-liability risk and fines. Failures often result in high media attention and costly damage to corporate reputations that have been earned over decades of hard work.
Noncompliance or control failures can also lead to significant loss of core-client business, distract senior management from their task of running the business and focusing on clients, and produce depressed stock-market valuations. This can, in turn, impose substantial, even existence-threatening costs. Furthermore, the challenges imposed on compliance by a broader range of relevant requirements, standards, and guidelines and increasing business complexity have been amplified by tightening regulatory supervision.
In particular, various regulatory bodies at national and international levels have responded to the financial crisis by issuing a barrage of new rules and by continuing to tighten and more comprehensively audit existing requirements. For example, increasing consumer-protection regulations, introduced by the Dodd-Frank Act in the United States and by EX.-wide rules, as well s national rules, are having a major impact, creating an imperative for retail banks and financial institutions that sell investment products to reengineering their compliance efforts.
Although many of the proposals, such as the new Basel Ill regulations, are still under discussion, it has become clear that banking institutions will face significantly stricter and more extensive regulation, as well as more intrusive supervision in the future. Also, many regulators and supervisors are beginning to impose their own interpretations of specific rules and regulations. Their intention is o set minimum standards across the industry and, in certain areas, to define “market best practices” as experienced or perceived by the supervisory authority.
For example, we observe regulators across the board now employing Pillar 2, especially the Internal Capital Adequacy Assessment Process (ICECAP), to accelerate the formal timeline for key capital requirements
NOT EXHAUSTIVE High criticality Operational Sustainability (CARS,I environment) Internal production of goods and services Medium to low criticality Medium criticality Low criticality Commercial Governance, code of conduct, human resources Strategic rights and ownership Preternaturally responsibility Support Sales and marketing (consumer information,fair competition, sales bribery) Finance, accounting, auditing, tax Risk management (effective risk management, capital requirements) IT and data privacy Key challenges ; Many new regulations and lack of portfolio approach to compliance: Need for pronunciation of topics – Planning need for investments in compliance solutions ; Inefficiencies in system arising from compliance efforts; high potential savings ; Reactive, not proactive, shaping: – Insufficient focus on shaping the regulatory environment – Compliance management from a cost center to a profit center – Disconnect between compliance/regulation and strategy ; Fiduciary duties/consumer information sharing, egg: – Transparency on fee structure – Abusive tying of customers – Complex and unintelligible product leaflets – Investment advice to private customers Mandatory overdraft information ; Protection from customer fraud ; Cross-border requirements, egg: – Cross-border flows of capital/loans – SEPAL initiative ; Advertising restrictions ; Account portability ; Limitation on pricing ; Financial regulations Capital-market law ; Securities/Stonehenge law ; Audit guidelines – JOSS branch audits ; Auditor independence ; Extended fair-value introduction of expected-loss model ; Increased accounting requirements ; Internal monitoring, control, reporting ; External reporting ; Banking risk requirements (egg, Basel Ill) Risk modeling – Collateral management, treasury – Market and credit limits – Capital and liquidity adequacy – ICECAP documentation – Key processes – Maximum loan-to-value limits Dodd-Frank Act – 5% serialization retention for issuance – Blocker Rule: proprietary trading prohibited ; Protection of systemically important institutions ; Increase of obligatory deposit insurance Migration of TOCK derivatives to central clearing ; Need for more sophisticated and independent early-warning function Data protection/ subjectivity, egg: – Data theft – E-communication risks – Management of unauthorized activity Bank secrecy ; Documentation and data quality, egg, consistency of data across units/ geographies (egg, between risk and finance) ; IT application Compliance focus topics Compliance is at the core of the banking industry; you can’t pick and choose regulatory focus. Several regulation topics assert overwhelming impact, such as risk management (egg, Basel Ill, Dodd-Frank Act) and finance and accounting (egg, FIRST 7, Serbians-Solely). Subjectivity is becoming more important as new technologies and trends, like social networks, increase vulnerability and as attackers become more pesticides. 1 Corporate social responsibility. 2 Single Euro Payments Area. 3 Office of Supervisory Jurisdiction (US Securities and Exchange Commission). 4 Internal Capital Adequacy Assessment Process. 5 Over-the-counter. 6 International financial reporting standards.
We believe it is high time for leading global financial institutions to undertake a comprehensive assessment of their compliance efforts in regard to (expected) regulatory requirements and to review in detail the quality control for core processes, governance, and infrastructure. The success of such initiatives will have an important impact on future performance because the implementation of new requirements and quality control demands an ever-increasing share of management attention and bank resources. Banks should see this review as an opportunity to articulate clear expectations and behavioral guidelines for their employees and to define the quality and integrity of products and services they offer to their customers.
We think that institutions with superior approaches can convert this investment into sustainable and formidable competitive advantage. However, too often the knee-Jerk response to increased regulation or to errant behavior is to introduce more bureaucracy-?another set of “essential” operating checklists or, worse, another layer of control leading to duplication of functions across the organization. Compliance and quality control that is aimed purely at satisfying the letter and not the spirit of the regulation will fail to make the material improvements intended to strengthen both the banking institution and the industry as a whole. Control activities We call this “blind compliance and control”; recent observations indicate, troubling, that it appears to be on the rise.
This form of compliance and quality control is hardhearted by the following developments: 00 A multitude of overlapping, poorly structured, and even inconsistent rules, regulations, and guidelines that are often difficult to read or understand 00 Requirements without a clear purpose and intention 00 Requirements that exist only on paper and are either not ingrained or are poorly applied in the institution 00 Rules, regulations, and guidelines that are perceived as red tape, a distraction from core tasks, and a cost or tax, instead of as a source of value Ironically, an increase in the number or the stringency of policies, especially when hose are detached from the realities of the business, may actually increase risks as employees resort to ticking boxes without reflecting on the intention behind the rule and the potential danger of noncompliance for the institution. Sample tests assessing the material effectiveness of some of the most important regulations often return poor results.
At one large European bank with external regulatory requirements for an early-warning system and a “watching” process with clear handover criteria for the workout unit, those critical risk-management elements only existed on paper. The early-warning system was revealed to be rudimentary at best and substandard compared with those of competitors. Additionally, the handover criteria were not widely known, or they were ignored. All these revelations came as a shock to senior management, not only as a compliance failure but also as a business failure. At another large regional bank, a comprehensive self-assessment unearthed systematic inconsistencies between the credit-risk strategy and the overall business strategy, leading to unwanted exposures with negative risk surprises.
Our recent observations also suggest that while many risk-management departments are trundling to focus on managing and controlling risks, they instead end up overstretching to close audit points, implement new regulations, and satisfy ad hoc reporting requests. Similarly, many banks lack basic clarity as to who in the organization is actually responsible for compliance. In a typical organizational structure, compliance might be an independent governance unit sitting alongside internal audit and legal units, but not operationally connected to the risk- management function, IT, operations, and other key areas that are in effect performing compliance and control activities, including the frontline business.
Just as appointing a chief risk officer can induce in Norris staff a more casual attitude about taking responsibility for risk, having a chief compliance officer, as many banks do, also can lead to an institution taking a narrow view of compliance and control and failing to appreciate its broader importance. Compliance, Just as risk management, must become an institutional capability, not Just an organizational unit. It would be a mistake, however, in our view, to see the underlying intentions of lawmakers, regulators, and supervisors as being anything other than an effort to ensure the sustainable development of both individual banks and the industry as a whole. More often than not, the spirit of rules, regulations, and guidelines mirror those good intentions.
However, for banks to benefit from the overall imposition of regulation, it is vital to capture that spirit rather than getting lost in the letter. The same holds for quality control. It is hard to argue against assuring a sufficiently high quality of governance, processes, methods, and IT or infrastructure, especially concerning critical areas such as risk management. But how is it possible to ensure that those activities result in maximum material improvements? How can regulation and quality control be seen as an opportunity to catalyst change and promote excellence that ultimately leads to sustainable competitive advantage? 3 We believe that, given this backdrop, the time is ripe for a fresh look at compliance and quality control.
In the following sections, we outline a new and systematic methodology that institutions can use to transform their compliance and quality- control activities, positioning these activities to become a true source of strength and sustainable competitive advantage. In our view, effective compliance and control requires an explicit strategic consideration, the ultimate goal being compliance and quality controls that are not only effective but are also efficient, smart, and ultimately able to add strategic value (Exhibit 2). Avoiding the trap of blind compliance and control and focusing instead on transforming a perfect regulatory storm into an opportunity to create competitive advantage will require a systematic, disciplined, and somewhat innovative approach. Exhibit 2 Compliance and Control 2. 0 aspires to add strategic value. Increasing aspiration level Effective
Ensure nonnegotiable compliance and control, whether through written rules or through industry and internal standards Efficient Avoid wasting money, time, and energy through “blind compliance” (egg, redundancies and inconsistencies) and refocus resources on material compliance and control and business improvements Smart Align compliance and control aims with those of the business by focusing on the spirit of the regulation and best practices, using compliance and control as a change agent to improve overall risk and business performance Embrace proactive of compliance and control requirements through strong stakeholder management and a clear focus on material Our approach is deceptively simple and becomes even more so after its initial implementation. It effectively transforms compliance and control activities from distracting chores into opportunities to redefine business excellence in a systematic way.
The central idea is to take compliance and control back to the basics, to the conscious decision to adhere to sensible practices, rules, and regulations that serve as the foundation for safe and sound business conduct. The approach focuses on material process and infrastructure improvements, and on the spirit, rather than the utter, of regulation. This allows for significant improvements in effectiveness and efficiency, as well as smart alignment with business objectives. Furthermore, the approach offers an ideal platform for strategic shaping of the requirements through proactive stakeholder management with industry bodies, regulators, and supervisors, as opposed to waiting for supervisors to hand down detailed requirements. Compliance and Control 2. Starts with a comprehensive mapping of all market best practices, as well as regulations and guidelines, both external and internal, that the financial institution intends to comply with. Even “informal” regulation in the form of oral regulatory requests or audit findings from regulators, auditors, or internal audit can be included. Then management makes a conscious decision and commits to how the institution wants to comply. This is followed by a decentralized self-assessment to understand the gap between what the institution intends to achieve and what it had implemented before these internally defined targets can be reached and to identify the root causes. 1 This paper is part of a broader initiative, the Compliance service line, which cuts across industries and geographies. Four-step approach