Subprime crisis heralded a new era of sharp focus in the compliance domain. Financial institutions, worldwide suffered losses of over $300 billion due to compliance-related fines and damages. Since then, compliance management has become mainstream for businesses, irrespective of their scale.
With new standards and regulations popping across the globe, McKinsey's report indicates that most C-suites still feel less confident about their control on compliance risk. The reason they say is: "Incoherence in the overall effective organizational approach and weak business ownership of compliance" (Survey, 2018).
Since 2008, institutions started investing heavily in compliance, without really seeing the desired end product, as standards and regulations need their own time to catch up with the latest business approaches. "Efficiency in compliance" has now become the new norm.
The first step is to create a baseline, McKinsey's "Compliance Benchmarking" of 22 leading institutes across Asia, Europe, and North America in 2017, followed by participation of 24 institutes in 2018 of Global Systemically Important (G-SIBs) and non-G-SIBs led to the following inferences:
- Compliance-spending growth is slowing
In order to keep pace with the initial burst of growing regulatory requirements, many institutions rapidly expanded their mandate and size of compliance function over the decade. However, the growth seemed to have peaked. Nearly 75% of the surveyed believe their compliance costs will stabilize or reduce in the near future. Rest are either catching up and investing or are already underway to reduce their compliance risk function in 2019.
- Size and effectiveness are yet to balance
Resources allocated for the same regulation or standard seem to vary from bank to bank, according to McKinsey's 2018 survey. The optimum size of resources needed for fulfilling a compliance objective is still very much a subjective question. Banks tracking input resources are generally more effective in achieving their compliance management system targets. This process makes compliance a dynamic issue aligned with board room discussions on future objectives.
- Banks assess the maturity of their compliance function
Compliance maturity is defined on five parameters:
- Core policies and oversight
- Critical business and management processes
- Control systems
- Foundational capabilities
Most banks scored low in areas relating to control systems, including automation, monitoring and assessment, reporting and management information systems, and analytics. While G-SIBs are looking at analytics and technology for integrated compliance management system, non-G SIBs are still trying to enhance their primary compliance expertise. Along with some G-SIBs, many non-G-SIBs reported challenges in investment compliance management integration within their broader risk management. Challenges include the need to build a robust risk taxonomy and control library to incorporate compliance within enterprise risk management. HCL's BRiCSTM(Business Risk Intelligence & Compliance Solution) framework is one such Industry tested solution, which is solving the exact need.
- Automation and analytics remain a challenge
With technology majorly focused on end-user, it requires constant attention and becomes outdated frequently, resulting in draining of resources rather than actual changes. The one that baffles most COOs is the lack of technology strategy as well as the failure of successful "proofs of concept" at large scale executions (Survey, 2018).
- Spending more on technology does not guarantee maturity
While being at the forefront of the field is expensive, the maturity that subsequent newer technologies should offer is yet to materialize. Hence, the personnel costs have failed to go down while the technology costs have gone up. Foraying into automation for standard processes of fraud detection, transaction monitoring, and screening KYC processes to achieve efficiency is the growing trend in Industry. Automation testing, however difficult right now, is the way forward for the industry with the natural language process and other new technological implementations.
Where next for compliance?
The survey results suggest that compliance has reached an inflection point. As regulatory pressures intensify, competition increases and costs squeezed, banks need to make their compliance risk management more efficient and effective. These five actions can define the way forward:
- Getting the fundamentals right
Compliance is still at a nascent stage in most of the companies across industries, with companies still finding ways to integrate key risk indicators with enterprise risk management frameworks to align controls with risk taxonomies. As risk and compliance is at a developing stage, companies are looking at the future than the present. Hence, real-time risk management is gathering speed in terms of newer models researched.
New ways in advanced analytics are being explored to conduct risk, trade, communications surveillance, and other areas. Large banks are beginning to rationalize, automate, and streamline their controls. Better controls improve the effectiveness of risk mitigation as well as monitoring and testing.
- Strengthening risk ownership in the first line
Setting up a compliance ecosystem with the right tools and people is the key to assigning roles and setting up a performance evaluation mechanism focusing on compliance as business owners rather than legal obligation.
- Streamlining compliance processes
Currently, compliance is used as patches, added to the existing system, on a requirement basis. This practice creates an integrated compliance that governs all other systems thereby giving rise to complications across the value chain within an organization. There is also a scope for optimization at the process level, which remains manual or supported by outdated tools.
Hence, an overall compliance objective in a phased approach with the help of experts should be the way ahead.
- Adopting a dynamic technology-enabled approach to risk management
The compliance function itself needs an overhaul that would add features for easy adoption and solutions. This is clear from the fact that even the top spenders in terms of compliance expenses are quite far from the mature status as others. Scaling up a proof up concept to solve specific problems while researching ways to utilize upcoming technologies for integrating compliance function can deliver business benefits as brands develop along the lines of data security.
- Building compliance talent
In a data-driven activity, building advanced analytics resources can become an enabler. Large banks are already building up a workforce with a risk management mindset, and legalistic approaches through strategic recruitment focused on selective talent academies.
With maturity in compliance function and technology yet to be achieved, the industries need a dynamic approach to build an ecosystem around compliance instead of the other way around. Each one of the five points mentioned above plays a crucial role in doing so. Those institutions that move quickly will reap the rewards and set the standard for the next-generation compliance function. Thus, becoming proactive to threats rather than reactive, which is the whole point of compliance function.