Are global compliance functions giving the financial market, investors and the regulators the reassurance for which they were designed?
From a certain viewpoint, Compliance functions in financial services have never had it so good. The recognition of the critical role of Compliance in senior executive accountability frameworks across the globe completes a meteoric rise from the box-checking beginnings over 30 years ago to a seat at global boards holding the trust and confidence of the regulator. And we shouldn't forget the huge increase in budget and headcount in that time, after all, a financial services institution that doesn't lavish funding on its Compliance function can't be taking its regulatory responsibilities seriously, can it? Regulators can pass more complicated and onerous regulation safe in the knowledge that the Compliance function has it covered.
But there is another view of the state of the Compliance function which is gathering support if recent market commentary is to be believed, that the current design and operation of the Compliance function is no longer fit for purpose, and in fact, does not achieve the goal of better regulatory compliance - worse still, it may in fact may hinder that objective.
In the first part of this article, we willexamine the case against the Compliancefunction, is there really an existential threat or is it simply a bump in the road?
> Accountability – a compliance failure is a failure of Compliance
The Compliance function is responsiblefor Compliance, right? And so, breachesof regulation must represent a failure of Compliance. Let's fire the Compliance Officer and move on.
Sensibly put, the problem is thatthe very existence of a Compliancefunction takes away or undermines the responsibility that the business feel for ensuring compliant outcomes. Having a Compliance function means the business can spend more time driving revenues and building bonus pools, and less time worrying about how to mitigate regulatory risks. In fact, Compliance is rather like a seatbelt – we can drive the car at top speed safe in the knowledge that we have protection from an accident.
There are many theories on the continued value of the three lines of defense concept, but do front line businesses really see themselves as the first line of defense, or rather a unit to go out and attack?
Of course, with the increase of personal liability for front office, both financial and reputational, you don't find too many business leaders who are reckless about the need to mitigate risks effectively. But coupled with outsized incentives and a short-term culture, having a function badged with the responsibility for compliance creates an unhelpful duality and blurs accountability.
> Culture – speaking-up leads to blame
Compliance officers are the police force of the financial markets, the instrument of the regulator who reports back to them with the inside story. The power wielded by Compliance is significant – driving disciplinary sanctions, objecting to promotions, challenging bonus pools, calling out poor business culture when they see it.
Unchecked, this can lead to the development of a blame culture, and fear of the consequences of making an honest mistake. After all, we all make mistakes under pressure at work or stress in our personal lives. But a blame culture can obviously lead to sweeping issues of concern under the carpet, and firms may find themselves relying on their whistle blowing programs to discover some unpleasant truths.
The work of Amy Edmondson, a Harvard business School professor known for her work on organizational learning and psychological safety, has recently highlighted the discomfort in the regulated world with the concept of an honest mistake. In industries like Aviation where safety is paramount, they take a more positive approach. One national airline ensures all flight crews are immediately debriefed after touchdown in a no-blame environment because of the critical need to find out every concern with processes, technology, people. Without that no blame environment, problems can't be found and fixed where lives are at stake. Imagine a Compliance function that adopted a similar strategy on the grounds that safety of the institution was paramount for shareholders and regulators alike.
Interestingly, the development of behavioral science and its application to financial services has critical implications for the operation of a Compliance function, how else can a Compliance function be certain that it is driving behavioral in the right direction without understanding the basics of why people behave as they do? Does the very existence of the Compliance function, the regulatory police force, inevitably lead to the fear of blame (and discipline) and therefore inhibit the psychological safety required to create an effective speak up culture?
> Size – never mind the quality, feel the width
One blunt instrument wielded too often by regulators is to
challenge the budget and headcount in the Compliance function, in
the event of poor regulatory outcomes, the expectation is more
budget, more headcount. But adding more manual resource to a badly
managed function is simply throwing good money after bad. As
Compliance functions take a larger share of a firm's profits,
efficiency is not guaranteed, nor is more effective mitigation of
risk. Would it be helpful if regulators were to place a cap on the
cost ratio of the Compliance function, a firm cannot spend more
than (say) 7% of a rolling five year average of its gross profits
on the day-to-day operation of its Compliance function (technology
investment may be different). This would drive focus on how the
Compliance function actually achieves its purpose, and where does
it spend its funds, what delivers best bang for the
buck.
Otherwise, the greater the regulatory expectations and remediation requirements, the more the Compliance officer puts out the begging bowl underpinned by a tacit regulatory threat. Adding headcount is not the way to go, and regulators should look for measures other than headcount and costs to assess a firm's commitment to doing the right thing. With the technology available today to drive efficiencies, Compliance headcount should be going down and that is before we get into a conversation about deployment of Generative AI to the risk and control infrastructure. A Compliance function staffed entirely by intelligent robots is still (fortunately) a pipedream but a technologically empowered strategic team driving operational excellence in the Compliance function should be today's reality.
> Structure and personnel – married, divorced, re-married
An indication that all might not be right in the Compliance world is the relative frequency of news that a Compliance function in a global financial institution has been merged, de-merged or re-merged with a sister function. At different times, it has been important for Compliance functions to be standalone with a seat on the board or combined with the General Counsel function to ensure they don't lose sight of the relevant laws and regulations or with Operational Risk, on the basis that Compliance risk is a sub-set of Operational Risk or with the Risk function generally because risk identification, assessment and mitigation is what Compliance should be about.
These regular reorganizations can be dispiriting for a Compliance function that isn't sure of its place or doesn't feel properly appreciated. GCs usually don't want to own the risk of owning Compliance, and CROs often feel more comfortable crunching models. Similarly, there are discussions about what background makes for a perfect Chief Compliance Officer. For some, a legal background can be ideal, or can be disastrous. For others, time in the Front Office can be helpful; for others, a cultural mis-match. An Audit background requires a shift in mindset from commentating on the sidelines to actually playing the game. There is no obvious right or wrong. for SMF-16 appointments, the FCA looks for experience in a Compliance function as critical, not the path that got you there. But that rule isn't always followed by firms when they make appointments at the highest level.
> Responsibilities – sorry, that's not in my silo today...
There is also little consistency about exactly which tasks a
Compliance function should own, there are quite a few hot potatoes
that get passed around. The Regulatory affairs and Liaison role
will often be with Compliance, but sometimes is transferred
elsewhere so that Compliance doesn't monopolize the regulatory
relationship (or where
Compliance has been blamed for a regulator on the warpath). The
Regulatory Change team which scans the horizon for new regulatory
developments may also be with Compliance (after all, Compliance
owns the policy framework), but again, some firms prefer legal
smarts to be brought to bear on legal and regulatory
interpretation. Conduct risk outcomes can demonstrate strengths or
weaknesses in a firm's compliance program, but conduct risk
initiatives may be driven by Human Resources or Employment Legal
teams. In some cases, even responsibility for mitigating financial
crime risk can fall outside the Compliance function, with
leadership provided across a front-toback team looking at the end
to end processes.
With so much variety in the responsibilities of the Compliance function across the market, one can wonder whether this is a sign of existential angst. All firms need a Compliance function, but how is its value perceived? Can its profile be reduced to a core of policy, training and assurance? Surely that would mean a step backwards.
> Technology- join the queue
It's difficult to see why the Compliance function should be at the forefront of a firm's technology spend, particularly when we may be on the verge of a significant technology transformation. Implementing technology that is more closely linked to revenue generation or customer outcomes surely come first in the queue. The main driver for Compliance's technology goals should be efficiency, implementing tools that remove the need for manual tasks, allowing reduction of headcount or diversion to more meaningful tasks with better risk mitigation. Or tools that embed compliance in front office processes, removing the risk of human error and making it easier for front office personnel to comply with otherwise complicated rules.
Technology for Compliance should be a team effort across many functions, after all you would think all operational teams could use workflow and case management tools, and ideally not a different tool to that employed to achieve the same purpose elsewhere in the firm. Is Compliance at the forefront of the technology debate? It's not clear, you hear people talk about Fin Tech, Reg Tech, and Legal Tech much more than you do Compliance Tech. Of course, Compliance Tech is a subset of all of these terms, but it illustrates again that the Compliance function today is not at the cutting-edge, perhaps where you might expect it to be.
> The philosophy of Compliance – purposeful action
What this adds up to is a sense that some Compliance functions have lost their way, failing to keep hold of their central philosophy of mitigating the risk for a firm of regulatory non-compliance. This means evaluating all of its activities by that criteria, and expecting to be judged accordingly. Any activity which cannot be reported on in a way that demonstrates its effectiveness as a risk mitigant should be restricted or stopped.
This philosophy brings to life, for example, the annual Compliance Risk Assessment, not a worthy but dull exercise that holds an annual reservation in the board calendar, but rather an activity critical to a firm's long-term success and survival that requires intellectual rigor and robust communication. Re-evaluating a Compliance function against this philosophy (with a focus on the application of behavioral science to support effectiveness testing) will prevent it becoming staid and simply going through the motions. What might have worked yesterday is not going to work tomorrow.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.