Compliance practitioners in the financial services industry were already facing an inflection point as their programs have had to mature significantly following the 2008 financial crisis—but now the coronavirus pandemic may shift risks and compliance practices in the financial services industry once again.
That is just one of the many observations drawn from the “Cost of Compliance Report 2020” by Thomson Reuters Regulatory Intelligence (TRRI), which is based on a survey that closed before the pandemic flipped the world on its head. “The challenges for 2020 raised in the survey may now have been superseded by the challenges that arise from the pandemic, but they remain underlying issues,” the report notes.
From a benchmarking perspective, compliance officers and risk officers in the financial services industry may want to pay specific attention to the global systemically important financial institutions (G-SIFIs), which are separately highlighted throughout the report. “The G-SIFIs are very much perceived as a leading indicator. In other words, where the G-SIFIs go, other firms tend to follow in subsequent years,” Susannah Hammond, a senior regulatory intelligence expert for TRRI and a co-author of the report, said in a Webcast discussing the results.
At a high level, according to the more than 750 risk and compliance practitioners in the financial services industry who responded to the survey worldwide, the top five compliance challenges they cited for 2020 are keeping up with regulatory change; budget and resource allocation; data protection issues; embedding regulatory changes; and instilling a culture of compliance.
Concerning data protection, in particular, a few factors are driving challenges in this area. Firstly, the EU’s General Data Protection Regulation is now being used as a template for data protection reform around the world. A prime example in the United States is the California Consumer Privacy Act. From a compliance standpoint—even beyond the financial services industry—fundamental data protection issues, like knowing what data the organization holds, are becoming a much bigger compliance challenge because there is now a regulatory spotlight on them, Hammond said.
Secondly, the coronavirus pandemic is further altering how data protection should be approached—for example, the ethical and compliance considerations of contact tracing apps. “That is another layer, another spotlight, of data protection, and it’s absolutely going to stay as a compliance priority and challenge for the coming year,” Hammond said during the Webcast.
Culture and conduct
The survey says considerations around culture and conduct risk have become the new normal. Thirty-four percent of all respondents, and 30 percent of G-SIFIs, said they have “discarded potentially profitable business propositions due to culture and/or conduct risk concerns.” This represents a slight increase from the 28 percent of respondents who said they did so in 2018.
This is a “powerful demonstration of culture and conduct risk policies working,” the report states. The report’s authors recommend documenting the reasoning behind the decision and seeking to learn lessons from it—whether the reasoning was due to a third party whose culture doesn’t align with your own, or any other reason.
When asked what the single biggest culture or conduct risk facing financial services firms this year will be, the top five listed were creating a unified compliance culture; balancing competitive and compliance pressures; increasing regulatory requirements; evidencing good culture and conduct; and embedding accountability.
The report’s authors stress the impetus to create a unified compliance culture across a firm “must come from the board and be continuously championed by all senior managers.” Moreover, the firm must have tailor-made policies and procedures, while the board needs regular reports on the efficacy of those policies and procedures. “The firm’s stance on culture needs to be supported by a control infrastructure covering a comprehensive suite of preventive and detective controls, the three lines of defense, and an appropriate risk-aware approach to reward, recognition and, where needed, discipline,” the report states.
Skills and personal liability
The top three skills most in demand for compliance officers today, according to the report, are subject-matter expertise, communication skills, and integrity. “Good compliance officers are a very valuable commodity,” Hammond said.
Subject-matter expertise speaks to the need for compliance officers to have qualifications not just from a compliance-skillset perspective, but also qualifications within individual disciplines—whether that is in banking, asset management, insurance, or elsewhere, said Mike Cowan, also a senior regulatory intelligence expert for TRRI and a co-author of the report. Communication and interpersonal skills are also important to have when communicating with senior leaders, the board, and others.
Moreover, highly skilled compliance officers can also help reduce personal liability for themselves, the firm, and senior leaders. “Not only can they manage their own personal accountability, they can put in place the infrastructure to help everybody else manage theirs,” Hammond said. “That, again, is an enormously valuable skill to have.”
And it’s an especially valuable skillset given that compliance officer personal liability remains a top concern. Consistent with previous years, more than half (58 percent) of respondents said they expect personal liability of compliance professionals to increase in the coming year. In addition, 73 percent of respondents think the regulatory focus on culture or conduct risk will increase the personal liability of senior managers.
“All of this is set against the background of a literal proliferation of accountability regimes around the world,” Hammond said. Countries with such regimes include the United Kingdom, Australia, Hong Kong, Ireland, and Singapore. And in the United States, the Department of Justice is also placing greater emphasis on personal liability.
To reduce personal liability effectively, compliance officers “should first consider how best to manage their own personal regulatory risk,” the authors recommend in the report. In doing so, “they will be better able to advise other senior managers on the best, or better, practices associated with managing personal regulatory risk.”
Budgets and outsourcing
The report also finds that 49 percent of respondents expect their compliance budgets to increase slightly, while 31 percent said they expect them to remain the same. Just 11 percent said they expect the total compliance budget to increase “significantly.” At this time, however, it’s still too early to predict how the coronavirus pandemic will impact compliance budgets in the future.
The report notes that budgets and the skilled resources available to compliance functions are inextricably intertwined. “Without an appropriate budget for the compliance function, firms will begin to lack the skillsets required for the future regarding the ramifications of COVID-19, climate risk, data science, and technology,” the report states. “Budgets need to be sufficient for firms to invest in day-to-day compliance activities, to update essential skills, and be able to deploy technology to improve compliance efficiency.”
Part and parcel with these findings, 34 percent of firms reported outsourcing some or all of their compliance functionalities, up from 28 percent in 2019. The reasons given included the need for additional assurance on compliance processes, cost, and a lack of in-house compliance skills.
The latter is a bit concerning, because while a firm can outsource almost any service, the one thing it cannot outsource is liability. “You absolutely must maintain the ability to oversee and control that activity in-house,” Hammond said. “You, as a regulated firm, are responsible for the compliance activities wherever they are happening.”
Amid a pandemic or not, if the firm has a “persistent lack of in-house compliance skills,” Hammond said, you should really scrutinize why that is the case: What skills are missing in-house, and should you fill that gap?