Are you grappling with the practical implications of new technologies? What does it all mean from a regulatory and organizational perspective, and what does the future look like for compliance pros? ICA’s Mark Taylor weighs in.
Do you remember the sound of the dial-up modem? An alien ting-a-ling sound interrupted by peculiar beeping noises and a droning burr?
The Early Days
If you wish to hear the old low-speed connection, type “dial-up internet” on a search engine and be transported back to the early 1990s. I find the sound strangely evocative: It reminds me of a time when the internet was new, fresh and exciting, notwithstanding that the access speeds were slow; a typical web page would take 15 to 30 seconds to download and often longer.
On the work front, things were also changing; I remember a colleague from our legal team introducing me to the idea of a separate, independent compliance team: “They will do a bit of regulatory reporting, the nonfinancial stuff and some monitoring.” Those were the days when report preparation was largely a manual exercise involving hard-copy submissions. Monitoring was often done in person or by listening to telephone recordings. We had yet to see some of the enormous fines and penalties for improper conduct. Those came later.
Back to the Future
So, we are now fast approaching the year 2020, with superfast and ultrafast connection speeds ranging between 24 and 100 megabits per second. If you consider that a megabit (Mb) represents a million bits, you begin to understand the enormity of the changes that have taken place. In the early 1990s, access speeds were around 56,000 bits per second.
So, what do these changes mean on a practical level to compliance and risk practitioners? Well, the exponential growth in data processing capability is a game-changer. All firms are grappling with demands from regulators for rapid reporting against a backdrop of ever-increasing volumes of data. We are moving to real-time reporting and advanced analytics with regulators prepared to levy substantial fines for firms that fail to identify reporting errors or notify them promptly.
The Regulatory Response
Regulators are starting to require more in-depth, timely and transparent reporting. Three examples are set out below:
- Markets in Financial Instruments Regulation (MiFID II) has increased the number of data fields for transaction reporting. Although a great deal of cost has been incurred by the sector in MiFID implementation, reporting errors have occurred and attracted some significant fines. Earlier this year, UBS and Goldman Sachs were fined £27.6 million and £34.3 million respectively for reporting failings.
- Common Reporting Standards (CRS) – Although CRS was broadly based on FATCA reporting requirements, CRS is wider in scope, includes more jurisdictions and has no minimum reporting thresholds. In the U.K., the CRS reporting requirement applies to all financial institutions with a reporting obligation to HMRC and “reportable accounts” (i.e., account holders with an equity or debt interest in a trust). FIs are required to report a great deal of information for each trust – including the settlor, trustees, beneficiaries and individuals who have “control” over the trust.
- General Data Protection Regulation (GDPR) requires certain types of personal data breach to be reported without delay, and no later than 72 hours after the organization becomes aware of them. As we all know, the penalties for data-related breaches increased substantially on May 25, 2018, when GDPR was introduced. However, it is not only the size of the potential penalties that is sobering, it is the knowledge that the regulators can carry out online checks on their own initiative or in response to complaints. In the Google case (which resulted in a record fine of €50 million), the regulators made online checks to test compliance of Google’s processing operations with the GDPR.
The overall regulatory response adds up. In short, increased volumes and velocity of data must be matched by good levels of transparency; regulators can only protect markets and consumers by requiring more in-depth and timely reporting and pushing for consumers to have increased control over their data. For some organizations, this will be a significant cultural change with their transactions, processes and stakeholder engagement under a more intense spotlight.
The Challenge for Organizations
A key challenge is the level of regulatory reporting. There is a steady cascade of different regulations requiring different and often similar or overlapping information. To comply with the reporting requirements, organizations need to look at their data through different regulatory lenses. In an ideal world, we would have a uniform reporting requirement across the globe; however, this is not feasible given the varying ways individual countries implement regulations.
Given the increased volumes and velocity of data and the demand from regulators for enhanced reporting, many organizations are responding by introducing real-time applications, such as analytics, artificial intelligence and robotics.
The Implications for Compliance Functions
Given the broad backdrop from a technology, regulatory and organizational perspective, what are the implications for the compliance function? Well, the growth in data processing capability is propelling change; an increasing number of companies are implementing a range of new automated solutions for high-volume/rule-based compliance-related tasks, such as surveillance, testing and reporting.
As a compliance professional, how do you respond to the new environment? The first step is to recognize that poor data quality is becoming the single biggest driver of compliance inefficiency. If you are working within a patchwork of unconnected processes and systems, it will be difficult (if not impossible) to produce meaningful and timely information for regulatory and risk management reporting purposes.
ICA recently hosted a series of roundtable events that gave some senior compliance professionals an opportunity to discuss the future and the impact of technology. It was felt that introducing digital elements to an existing framework in isolation for data management purposes was not the answer. Several participants had seen the downside of regulatory projects being managed in silos. It was agreed that a collaborative style of working was required, with key stakeholders working toward collective outcomes that reduce risk and improve efficiency.
If we are to adopt new ways of working and feel comfortable working in multidisciplinary teams, we need to look at our own technical and business-related skills. We will no longer spend as much time on routine and administrative tasks, but look at the outputs from automation. Perhaps job adverts in the future will be along the following lines:
Risk and Compliance Director
Sets the risk and oversight strategy for bots that perform a range of automated tasks, including product updates, policy communications and financial coaching services.
At the beginning of this article, I touched on the early 1990s. In many ways, the desired outcome for compliance teams has not changed: They need a robust framework for breach detection, monitoring and reporting. The key change is the introduction of automated solutions on digital platforms, which will enable considerable amounts of data to be processed at speed.
As compliance functions evolve and begin to use analytics, they will uncover new patterns and insights not previously achievable. Our focus will turn to higher order/more complex tasks. The key questions: Do we have the right mix of skills for the future? Do we have the most effective communication strategies? Do we have the skills to solve complex problems through logic? Do we have investigation skills?
Continuous development has never been so important. Before you decide on any training, you need to decide what competencies are a priority. As a colleague said to me recently, “the secret is to decide what muscles to flex and how.”