The average financial institution has dozens of regulations it must follow and more than half a dozen regulatory bodies to which it must answer. Complying with existing rules and preparing for new ones is a big job, and organizations that don’t have a comprehensive understanding of the compliance value chain risk exposure to blind spots, writes Samiksha Sharma, a veteran banking consultant.
In addition to knowing the existing compliance requirements in their jurisdictions, banks and financial institutions must demonstrate their ability to keep up with near-constant changes. In the U.S. alone, there are 40 or so key regulations for banks and financial institutions, to say nothing of the alphabet soup of regulatory bodies to deal with, the Fed, SEC, CFTC and FDIC, just to name a few.
And this is just the tip of the iceberg. Add to that new state regulations, industry standards and best practices, and watchdog guidelines for every sector, whether banking, insurance or payments, to say nothing of compliance- and risk-related areas like anti-bribery and anti-corruption, whistleblowing, AML, ESG and data privacy.
The financial sector is swamped with regulations, and the list keeps growing.
Financial institutions also need to ensure compliance with contractual obligations to their customers and stakeholders. This becomes further complicated by supply chain compliance, which requires oversight and responsibility for the compliance of the vendors, subcontractors and service providers.
The task that lies ahead of risk and compliance officers is to not only understand the regulations but also understand the complex products, markets and the risk factors affecting these products.
To understand the true scope of the complexity, let us follow the compliance value chain.
Legal or compliance
We start with the legal department or the compliance department of an organization. If a compliance requirement is considered as an input or an event, then that event needs to be analyzed, assessed, operationalized, monitored and reported.
The input to this department is any regulatory guidance, law, guideline or mandate. Each one must be analyzed and understood, and its applicability to the financial institution must be determined. Best practice is to maintain an automated summary of relevant regulatory legislation.
The requirement is analyzed for its applicability to a particular product, department or function. It can be applicable at one or all these levels.
The requirement then is assessed for its impact. Key questions include:
- What timeline has been set by regulators for compliance?
- What impact does that regulation have on a particular product(s), department or function?
- Does it warrant a change to current policy, process, organization structure, the markets it operates in, its human capital, infrastructure, technology, etc.?
If it does warrant a change, then determining its impact in both financial and non-financial terms becomes imperative. Another important aspect to consider is the timeline provided by regulators to comply with the requirements, along with a cost-benefit analysis of operationalizing the change and an analysis of non-financial requirements such as training or cross-skilling.
Once policies at an organizational level are updated with the requirements of applicable compliance mandates, they are disseminated to the downstream functions they impact. Defining product- or department-level policy and operationalizing the applicable compliance mandate is the responsibility of individual product lines or lines of business and will often require help from the centralized second-line compliance function.
This is a two- to three-stage process. Procedure manuals and processes are updated with the changes necessitated by the mandates. As needed, technology changes and updates are carried out or workarounds are built and documented after getting first, second and third-line buy-in and sign-off.
Demonstrating compliance also requires being able to report on operational controls. Based on their criticality via the risk assessment process or the risk control security assessment process, risks are identified, analyzed and controls put in place.
Periodic and frequent monitoring of compliance-related controls will ensure both design and operating effectiveness of key controls. For identified issues, the root cause needs to be addressed. It also helps regulators and authorities to review and place reliance on those controls to help them determine if the compliance framework is effective.
Final reporting to authorities has two components: seamless transition or translation of the regulatory mandate to policy-level changes and subsequent mapping of that mandate/change to product, business, operations and technology departments.
What remains and typically determines the success of a compliance program is the organization’s culture and tone at the top. It is the most critical aspect. If the tone at the top does not support a zero-tolerance policy to compliance lapses, the issues will continue to pop up. The potential result is a systemic problem. Systemic problems ultimately lead to major fines, penalties and loss of reputation and customer trust.
Within the lifecycle of the compliance value chain, ensuring that a blind spot does not lead to a fatal crash is the important task. Proactively identifying, analyzing, operationalizing and monitoring these requirements is an ongoing process. Building a governance mechanism and top-down and bottom-up approach leads to a no-surprise culture and a safe drive.
The compliance risk matrix
To show that they are complying, organizations should create a regulatory or compliance risk matrix. This matrix maps critical compliance mandates to risk identification, assessment and mitigating controls, and it brings all key risk indicators (KRIs) into one place. A subset of applicable compliance risk matrix items can then be evaluated as part of the exercises organizations conduct periodically.
This matrix will enable the identification of key risks and exposure at the most granular level. If the KRI breaches do take place systemically, they need to be highlighted and reported to leadership. That may include the board and other stakeholders, such as risk committees and audit committees.
Training compliance resources and staffing the compliance organization with the right skills is as important as the rest of the process. Skilled compliance resources are an asset that can bridge the gap between the organization-level compliance office and the actual business lines.
Knowing the blind spots in an organization is the first step. Implementing mitigating strategies is the second step. Improved processes and technologies help compliance organizations mitigate that risk. With an ever-changing environment and the fast pace of regulatory change, organizations must be nimble and adapt to these changes quickly.
Creating a cohesive framework throughout the organization and adopting modern technologies will enable compliance organizations not only to eliminate blind spots but also to proactively anticipate potential roadblocks.