The rapidity and extent of regulatory changes, along with the complex business environments that banks, financial services, and insurance firms now work in, have resulted in a huge surge in their compliance budgets across the globe. According to a Thomson Reuters survey in 2015, more than two-thirds of the firms surveyed (68%) were expecting an increase in their compliance budgets, with 19% of them expecting this increase to be significantly more [1]. While the commitment from these firms is huge in terms of time, resources, and money invested in meeting a multitude of regulatory compliance requirements, the inability to take the necessary precautionary steps may be even more costly. Consequences can vary from potential penalties to heavy financial losses and reputational damage. According to Reuters, twenty of the world’s biggest banks have paid more than $235 billion in fines and compensation in the last seven years for breaching a variety of financial regulations [2].
The incessant flow of upcoming and changing regulations is putting a significant cost burden on firms in terms of time and resources spent in dealing with regulatory compliance. A financial institution faces an average of more than 150 alerts on any given business day and more than 40,000 alerts in a year [3]. The additional time and resources required to decipher and implement some of the recent regulations are also due to their complexity. A prime example is the Dodd-Frank Act, which has over 5900 pages of proposed regulations with an additional 7700 pages of final rule. This will require more than 60 million hours of paperwork for compliance [6]. Typically, each new regulation involves hundreds of single-spaced, 3-column, 9-point font pages [7]. Furthermore, analyzing and implementing these regulatory updates gets even more complex due to the inconsistency of regulations across multiple geographies. The cost and resources required by the institutions to play by the regulator’s rulebook often result in business objectives and growth taking a backseat.
The scope of regulatory compliance is also continuing to increase, with emerging areas of risk on the regulator’s radar such as conduct risk, model risk, information security risk, risk data aggregation and reporting, etc. In a recent report, Chartis has identified that out of the top 50 operational loss events in 2015, 98% of these losses (by value) and 82% (by frequency) were due to misconduct [4]. Additionally, after witnessing the numerous data breach incidents which have brought some of the major financial firms to their knees, cybersecurity has become one of the highest priority areas for regulators. UK-based fraud prevention company Semafone last year found that an overwhelming majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers’ card data [5]. The threat vectors are constantly being multiplied as more devices are being embedded into IoT (Internet of Things), storing their data on the cloud. These new areas of focus will require specific skill sets and resources, which will inflate compliance costs significantly.
Building a skilled and high-quality compliance function depends on the ability to recruit and retain compliance professionals with rich experience and background. There seems to be a genuine lack of skills in the marketplace, which escalates the costs of hiring seasoned compliance professionals. A survey by Thomson Reuters found that almost 70% of the organizations expect the cost of senior compliance staff to increase over the next 12 months [8]. Additionally, regulators have started holding the senior compliance officers responsible not only for their own actions but also for the actions of their firms. In the last couple of years, many senior compliance professionals at Deutsche Bank, Brown Brothers Harriman, Aegis Capital, and BlackRock have been fined, suspended, or asked to leave [9]. This has resulted in a lot of experienced compliance professionals moving to firms with strong risk and compliance cultures.
Compliance budgets will continue to rise for organizations but may not be sufficient because of the reasons mentioned above. Moreover, the expense involved will directly impact an organization’s bottom line. According to E&Y, the cost of compliance for 44% of all firms globally represents between 11-25% of their operations budget [10]. The focus needs to shift from increasing budgetary allocations to increasing the efficiency and effectiveness of their compliance programs by making the best possible use of the available resources. Many of the redundancies found in compliance operations need to be streamlined, and quality needs to be improved, with technology playing a vital role. The tone needs to be set from the top, which may help in optimizing the compliance spend while mitigating risks. A compliance-aware board is a must for a wide understanding of the changing regulatory environment and its implications. The way forward for firms to manage spiraling compliance costs would be to take a more proactive and holistic approach by leveraging the effectiveness of their Governance, Risk, and Compliance (GRC) programs.
The primary approach that each organization needs to adopt is centralizing their siloed and disparate governance, risk, and compliance operations across multiple geographies and business units, and aligning them with the overall business strategy and objectives. This will help to create an enterprise-wide and integrated view of the risks and compliance across multiple regulations that are affecting the organization.
Implementing a holistic and integrated GRC approach will help in standardizing compliance management processes, taxonomy, and operations. This will reduce many of the redundancies across multiple control tests, policies, risk assessments, audits, and reports configured for meeting different regulatory requirements. Each regulation will be mapped to the organizational objectives, business processes, risks, controls, and policies which will help identify similar compliance patterns across multiple business units and areas of compliance.
To stay abreast of the numerous regulatory updates, organizations need to refer to a variety of regulatory intelligence sources. According to MetricStream research, regulatory agencies and trade associations are the top two sources of regulatory content, followed by trade industry publications, national media, and specialized media [11]. Instead of having to track all these sources individually, which will be time-consuming and inefficient, a single and centralized content repository can route the content to specific business units and compliance professionals for their analysis and review based on pre-defined business rules.
Once the regulatory risk and compliance taxonomies are standardized across the organization, it will simplify the process of assessing the impact of the change on the organization’s business processes, risks, controls, policies, and other entities. This will help streamline the action planning and issue remediation for regulatory change implementation, which would otherwise be resource and cost intensive.
There has been a data overload in financial institutions because of the various compliance requirements that they need to cope with. Regulators are constantly demanding more information to be submitted, which is accumulating in the data warehouses of these organizations. According to a Deloitte survey, data analytics and reporting are among the top three challenges for 35% of the organizations [12]. Extracting specific information from this Big Data is becoming an arduous task which can only be streamlined by ensuring the consistency and efficiency of data flows. Maintaining a centralized and uniform compliance library which connects to the other elements in the GRC framework will help to keep the costs under control, and at the same time ensure compliance with applicable data rules and regulations.
A compliance strategy that is tightly integrated with the GRC framework in an organization and aligned with its business objectives can significantly streamline the compliance processes and help to reduce the compliance costs. In a highly dynamic regulatory environment where organizations are struggling to keep tabs on their compliance budgets, developing a compliance-aware culture supported by the use of GRC technology will go a long way in optimizing compliance budgets.