Are your IT and compliance teams more Tom and Jerry than Batman and Robin? Radar plays mediator between the functions in a spot of corporate relationship therapy.
Compliance and IT departments are both crucial to the orderly functioning of financial services and yet the pair are often at loggerheads over internal projects, as the lines between operational risk and information security have become increasingly blurred.
The relationship should be relatively straightforward, mutually beneficial, working towards the same goal of protecting the organization, but with the moving targets of domestic and international regulations, the pace of modern business and app-driven demand from clients, it is never that simple.
When new technology comes along that can help move the business forward in multiple ways, compliance officers at several buy-side and sell-side firms in the US and Europe told Radar that the path to production is frequently dogged by internal squabbling, outright in-fighting, miscommunication and frustration, to the point that projects can often get shelved simply because of disagreements over ownership.
“Our IT department told us it would take at least a year to rip out our old anti-money laundering software and stick the new one in, even though we felt we were happy with what we had found,” the director of compliance monitoring at a Tier 1 European bank, speaking on condition of anonymity, told Radar. “This was 12 months after an internal project looking to see if we could build our own.”
It turned out that the bank could, but that would take up to three years before it was fully operational.
“So we laughed them out of the room,” the director said. “Except no one was really laughing; we’d been stung with a massive fine and everyone felt so exposed, helpless. You’re just waiting for it to happen again.”
The scene may be familiar to many, and no doubt IT will have their own perspective on a compliance department making unreal demands on their time. It is entirely natural in organizations of any size to find the functions siloed, and driven to meet their own particular framework.
Before long, both sides can find themselves at cross-purposes; compliance is viewed as an extra burden instead of an essential part of a culture that’s driven by security.
“How many times have you heard ‘I’m security, I don’t do compliance’ or ‘I don’t have time to do my real job because I’m stuck doing all of this compliance stuff?’”
The issues seem to appear regardless of whether both are working on something relatively straightforward, such as installing new software, to dealing with substantial ongoing regulatory change.
“There is always a bit of a tension between teams internally when there is a big initiative like MiFID II or GDPR; on the one hand it is a compliance project, they have their timetable, but the actual implementation is often an IT project,” said Ian Mason, head of the financial services practice at law firm Gowling WLG. “IT may say it will take a certain amount of time, when compliance deadlines are often tighter. The big projects have to be owned by senior management; it is down to them to set tight deadlines and ensure good cooperation and collaboration between those teams. Resources are always a factor, and the IT team may not have sufficient resource to manage multiple projects.”
Mason, a former regulator at the UK Financial Conduct Authority, said there are many simple things which can fall through the cracks between teams and end up as enforcement cases. “Transaction reporting under MiFID II is a lot more demanding and complicated than it once was,” he said. “It is very technical, and if you look back over the FCA cases, there are a lot of examples where firms have simply got it wrong, and it’s an easy enforcement case to bring. It’s a traffic light case in all honesty. You’ve either got it right or you haven’t, it’s black and white.”
The heightened risk around data protection and increased threat of regulatory sanctions have led to an environment where internal miscommunication can cost tens of millions of dollars and even claim the scalps of senior executives; this can prompt both sides to hunker down and adopt a siege “us against them” mentality.
In one recent high profile example, the head of the British bank, TSB, stepped down in September after an IT meltdown in April 2018 that locked thousands of customers out of their accounts and was still causing problems in October.
TSB chief executive, Paul Pester, had already received a warning from the FCA over the bank’s failure to be open and transparent with customers when a failed IT upgrade locked up to 1.9m people out of their accounts.
The regulator said he was “portraying an optimistic view” of services after the meltdown, which began on 20 April when accounts were migrated from an IT system inherited from the bank’s previous owner, Lloyds Banking Group, to one operated by Sabadell, the current owner of TSB.
Observers thought Pester’s handling of the matter was particularly poor, alongside his willingness to attach blame to certain departments within the bank.
“You’re looking for a partnership, to solve problems together. Easy thing to say, much harder in practice when working on certain initiatives,” said the chief compliance officer at a Tier 1 UK investment bank.
“I don’t think regulators care about tensions inside a firm, their first priority is events that impact customers. For the CEO to throw IT under the bus was fairly spectacular, and he ended up paying the price for it himself.”
The most important lesson is to never outsource risk, he said, as it is ultimately the firm’s responsibility and the regulators will look at your firm first.
“Support from senior management is vital,” said Mason. “During a major cybercrime incident the FCA will look at the tech team, but they will also ask questions of senior management and who has responsibility for either cybercrime or financial crime, they will look up the chain at what monitoring and reporting was going on,” he said. The FCA’s question, he said, will be “What did you, a senior manager, do?”, that is where they see accountability. “The scope of any project, timelines, who is doing what, must be accurately documented.”
Step one towards a healthy relationship is a consistent dialogue, open communication channels, and clear direction with regard to large projects.
The view from the infosec side is broadly similar, in regard to partnerships, but their perception of compliance is that they have the same ‘pack mentality’ as the traders they surveil, and that they are equally unwilling to explore new ways of working.
“People responsible for technical delivery are often sitting on a mountain of endless tasks which to the outsiders look simple, like ‘encrypt some data’, ‘secure some permissions’ or ‘configure firewall rules’,” said a senior information security executive at a European asset manager. “They tend not to be privy to ‘why’ they need to complete a task, or frankly become so jaded that they don’t care.”
The above has two causes, he said: a failure by management to give staff a sense of belonging or information on where the organisation is heading, an issue that all mid-to-large organisations have and few successfully combat; and the way the risk and compliance teams communicate with their IT colleagues.
“In my experience the message that comes down from compliance and risk project teams is not tailored to the audience, you have to be a certain type of person to be able to translate regulatory documents into something easily digestible so it’s not good enough to provide a link to ‘GDPR’ and say ‘this is important, just get it done’ to a technical team in the trenches, as they already have a hundred other people telling them that their particular project is the most important.”
Those who understand the importance of regulation tend to be few and far between outside of those in senior management roles, he said, and this is likely to be the result of a dearth of suitable training courses.
“There tends to be a fundamental issue with the divide between IT and compliance in which they dismiss each other as too painful to work with; anti-social techies vs boring regulators – and that’s an impasse which no one seems to be able to get past,” he said. “When I moved between IT and Risk, I was met by scepticism and surprise on both sides, ‘why would you want to work for THEM?’”
Contrary to the points from the compliance officer interviewed, the infosec executive we polled said that tensions and power struggles within a firm are on the regulator’s mind, and should absolutely be addressed. “When you get to setting strategy, this is a hot topic. For example, the FCA/PRA’s new paper on Operational Resilience and how business processes are stress-tested end-to-end subsumes IT and cybersecurity into a simple element of Operational Risk.”
He said this means IT and cyber resilience and certain regulatory elements, which were big, separate line items for the first line of the business, are now arguably under the remit of the second line functions.
“Understandably this could be perceived as a power grab and an arrogant slight at those who have worked in the IT/cyber space for several years,” he said. “The obvious question to me is, if the second line is equipped to deal with this change, and my experience suggests that they are nowhere near technical enough to be able to support this in the short term, they will have to lean on those they have just replaced.”
The discussion at the moment revolves around who sets the strategy for IT compliance, he said, as the FCA and PRA have made it clear, but there are questions as to whether it will survive an internal political whitewash. “There needs to be a centralised, accepted risk methodology which drives project priority,” he said.
Even if there are staff on both sides of the fence who don’t care about the other’s priorities, he said, being able to see a dashboard with a pulsing red risk is a shared language everyone can understand.
“Both sides need to be open-minded and to understand the regulations and what they require,” said the head of compliance at a Tier 1 US bank. He said his team has a policy of trying to give as much context to IT and infosec as possible so they understand what the end goal is.
“My experience over the last twenty years has taught me it is important to talk the talk and try to understand their world. Often the techies are treated really badly, so it’s best to partner up and give them praise when they deserve it. Often just being on calls together can help, as then we start to swap phrases and understand better, talk each other’s language and have a greater understanding.”
Jack Pilkington, partner in the financial services risk advisory service at Deloitte, is often the man in the middle when compliance and IT are at odds, and he told Radar the challenge of joining the departments up is certainly nothing new, and that close engagement is key.
“The way in which compliance functions look at the requirements they have for a new technology solution needs to be translated into something that is meaningful to an IT department,” he said.
“What we see in the market is a desire for compliance functions to have a much more agile way of working with their IT teams.”
This should involve regular updates on what the IT function is building on their behalf, rather than a three or six-month period of silence before a grand unveiling of the new technology solution, he said.
While some financial services firms are keen to ensure their technology teams have the best possible regulatory knowledge, the reverse is also becoming true, and compliance teams are being challenged to develop and learn new skills.
“We are seeing an increasing level of technology skills and capability being built up within compliance functions to bridge the gap between themselves and the core IT department,” he said. “No longer can a compliance professional be completely naive to the world of technology and the methodologies used to design, build and implement IT solutions.”
The barriers to entry for new technologies are dropping increasingly fast in some cases, Pilkington said, and it is very easy for a compliance function to acquire a cloud-based IT service within a few clicks of a button.
“Everyone has such power at their fingertips through their phones and mobile devices, and we are used to expecting that in our professional lives too. It’s not easy in a highly regulated and legacy infrastructure organization,” he said.
Traditional IT departments of big banks and insurers, for example, still have some way to go to offer that level of instant service. “The expectations of compliance professionals need to be managed accordingly, but those in the technology function also have to adjust quickly to reinvent themselves,” he said.