Compliance Budgets – art, science or a hybrid of both?

It’s that time of year – when budget planning can make or break the lofty plans for new people, technology or approach to transform the compliance department, or simply maintain a standard that keeps a firm among its peers. Radar spoke to practitioners and consultants to establish how they quantify their needs and pitch them to those holding the purse strings.

Compliance budgets have been as cyclical as the markets in the last two decades and have certainly seen times of boom and bust. Generally, the trend has been towards growing the compliance department, but this has started to change in the last three years. The financial crisis that dogged banking reputations and the highly publicised scandals related to LIBOR rigging and FX manipulation resulted in a huge investment in “compliance bodies”. This has since been considerably pared back by the advent of new technology, a drift towards quality over quantity, and the same cost control and reduction that has affected the whole industry as dwindling volumes have affected margins.

Compliance leaders can also feel challenged when having to present their plans to budget holders, the business and senior management. Some are more comfortable buried in a rulebook, closing alerts or doing a deep dive into a complex market abuse investigation. Justifying and evaluating spend is not always their strong suit, let alone presenting it in a way that makes tight-fisted senior managers sit up and listen. This article explores some of the views and methodologies of a number of experienced compliance people who have adapted to changing times and resources to adequately equip their departments.

Regulators are attuned to the quality and quantity of compliance personnel and their resources as they establish relationships with regulated firms and those who regularly liaise with the supervisors during routine exams and visits. There is a tendency to make the expensive hire after the event and many banking entities have been guilty of bringing in the “big guns” after a major hiccup, either as part of regulatory remediation or to try to signal to the market and other regulators that they take compliance seriously. These situations are lucrative for the individuals coming in to take the new lead role, but there are alternatives to this reactive action that preempt the requirement and dramatically reduce the cost and reputational hit of regulatory enforcement.

Steve Strombelline, managing director at Capital Forensics – a compliance veteran who has held top posts at Charles Schwab, Barclays and BNP Paribas – comments, “very few firms are prepared to spend cash preemptively, but after the fact there is no debate and it is five times what they would have had to spend before.” A head of EMEA compliance for a global investment bank agrees:

“Being fined does precipitate a huge amount of investment, but we should all get better at funding it before we are fined.”

Over time, regulators have noted dips in compliance spend, and this observation has been spelled out in numerous speeches by influential commissioners and enforcement heads. It is a development that has led regulators to make a point of analysing compliance resourcing during their examinations and routine visits. As one compliance officer at a sellside broker-dealer in New York said, “it is not unheard of for an examiner to take you aside at the right moment, ask you how you are doing, have you got enough help or is it a real struggle right now coping with everything. They are not daft. They can see when you are stretched and stressed.”

ACA Compliance Group conducted a survey in 2018 of Alternative Fund Managers in which 70 percent of the compliance officers stated that they receive sufficient compliance resources. The remainder felt exposed by inadequate coverage and at risk of potential discovery of violations and enforcement.

A global head of compliance at a large traditional asset manager in New York sums it up nicely, “the culture of the firm and the attitude towards compliance from the senior management, plus the budget set for it all, tells so much of the story.”

It all begins with education

Alma Angotti, managing director at Navigant, is clear about how to prime senior management about the implications of under-investment, “you must accurately and realistically communicate the risk of the products and services. If you have been educating them about all the types of risk, it can help. Tell them what bad things can happen if you don’t upgrade your transaction monitoring system, if you have a KYC backlog, or don’t have a strong compliance testing department.”

The head of EMEA surveillance at an investment bank outlines the change as individual liability starts to focus more attention: “our SMFs like being kept in the loop and don’t want to take any risks. They care and engage now, we meet monthly and they ask and delve deep – SM&CR has worked. The more they understand it, the more they get that it costs money. We still need to show them how difficult and challenging it is but they are starting to get it. If we are not doing good surveillance, we are not finding stuff. If we are not finding stuff and spending a lot, that is going to look odd.

“There is always some bad stuff going on. If you are not looking, you just won’t find it. There is no better way to convince people of the power of what we do than finding stuff.”

“The problem with surveillance is that it is expensive, requires continual development and needs funding each year. Not an overhaul every ten years, as you fall a long way behind.”

There are definitely signs in the market that a number of large, sophisticated sellside firms that managed to avoid the direct attention of the regulators in the big regulatory scandals have fallen significantly behind in terms of their commitment to compliance and technology investment. While some are starting to evaluate and replace legacy systems and approaches, there is a sizeable gap in standards between the top tier and the one just beneath it.

It’s a paranoid sell

Everyone we spoke to said that they had resorted to some form of scare tactic when they were angling for increased budget. But they all added that the anecdotes must be structured and relevant to make the point properly. Steve Strombelline outlined his approach, “we would compile the actions against other firms in similar areas and say this could have been us, it reflects what we have seen in our testing so it feels real. Or we’d show that we know we have some weaknesses, we are afraid we are getting in too deep and no one ever looked properly so we had no idea how bad it might be.” A compliance chief at a multi-strategy hedge fund group, headquartered in New York, does not quibble on his approach to justifying the required spend.

“When I am chasing budget I play on the risk to them as an individual. How can you measure that risk? What are the mitigants? What are the inherent risks? If you conduct a risk review of an area and your findings conclude that it will take you five years to bridge the gap between the status quo and the standard regulatory expectation, that is not defensible.”

“Now two years is defensible. So to bring your approach forward three years, you are going to need say $Xm or the senior execs end up in jail! I like to major on that regulatory and PR risk.”

Is there an operating model that can quantify the need?

A number of people we interviewed referred to peer comparisons, not just from an enforcement perspective, but in terms of the number and quality of their team and also their level of investment in technology. Even if regulators are not bringing this to the attention of the senior management, it helps enormously for the compliance leads to call it out. But when it comes to a target operating model and actually putting numbers and data into the evaluation process, there is evidence that more science is starting to work.

A global head of surveillance sets the scene, “I hate telling people the number of alerts we generate. It is meaningless, but people love this in the MI. Activity is not a substitute for surveillance; we rate our alerts on closure – from zero for a false positive (FP) to five for a STOR/STR/SAR or disciplinary action. We then analyze our resource requirements based on that. We can tell what percentage of 5000 alerts we generate are a 5 (say 10 percent and an hour of work is required per 5) while an FP takes two minutes to close so we have a theoretical resource requirement (TRR) if we have roughly equal percentages across zero to 5.”

“It’s actually a really valuable exercise as a stand-alone. It changes your view on FPs. We spend very little time on a genuine FP. The biggest issues are the alerts rated as 1s and 2s which are valid but we are only generating these because our tech is not good enough and we are not ingesting the right data. They suck our resources so we really try to focus on those in terms of our calibration. It means I can use this TRR calculation to show we are 1.5 people down on where we need to be – this is very powerful. What happens is people don’t work later, they just do the alerts quicker and then you miss stuff; if alerts go up, findings go down. This is the beauty of calibration – you can just get swamped and never have a chance to investigate properly.”

The pervasive view is that regular, consistent and thoughtful funding will keep a firm up-to-date and give more return than is invested.

How can a business cope as it scales?

In previous times, changes in the business were usually something that Compliance would be the last to hear about, but things are different now – we are in an inclusive society! In fact, Compliance is often the first port of call as the business looks to innovate and grow. But how is this managed when it comes to esoteric needs like monitoring? What is the best way to account for a brand new line of the business?

One head of surveillance is adamant on the approach to this, “if there is no surveillance, there is no MBC. It makes people think hard about the full cost of doing business. There are very strict market abuse surveillance rules now for the EU on each and every order. This might wipe out the profit and, in some cases, revenue for that line. There are some things that create little money and enormous compliance cost.”

Others stress the value of being looped into plans early, giving examples such as the booking systems design where very small decisions that have zero impact on the business can have a massive impact on the ability to do surveillance. Others have access to the monthly trading stats and can track any notable changes there. If a firm suddenly triples its gilts business, the team needs the ability to track that. While all said they are better informed than ever, they still get a few surprises.

The big negative was reserved for manual surveillance. A sellside compliance head from the US concluded:

“A manual approach to compliance is very limiting when a firm wants to scale; you cannot scale compliance of a growing business unless you invest in technology.”

A global head of compliance in London concurs, “I’ve tried to outlaw manual surveillance as I just don’t think it’s effective. It actually generates a lot of other issues, you then have a monitoring and testing team saying ‘actually you’ve got no controls over that’ so you need to do a verification check on everything. Suddenly you’ve got 10 people running this manual check every day and it’s become a much bigger deal.”

Humans or machines?

Inevitably, as technology improves and the use of various forms of artificial intelligence such as supervised machine learning begins to take hold, the question of how to split funds across tech and human resource surfaces.

Our EMEA global surveillance head opines, “it is easier to get tech spend as headcount seems to be an explosive word. Ironically if you want to build in-house or implement good tech you need good people for that. I focus on improving the brain power of the team if I want to do high quality surveillance. You cannot get away from that. We had developed some in-house models designed by junior people and the logic behind those is just not right.”

He continues, “there was no governance and no signoff and no process behind that. If you build or buy good tech, you still need people who know what they are doing and have experience to offer a real insight. Alerts generated by the best tech in the world still need the right team to analyse them.”

The perfect team

Behavox roundtables highlight the change in formation and indeed diversity of skills that are now being sought by compliance heads to create the ideal blend of expertise and knowledge to deliver effective compliance.

One compliance head at an investment bank in New York sets out the changes in thinking: “the fact that the majority of compliance people are lawyers makes no sense. We need people who are tech conversant. I can hire as many lawyers as I like on a day rate. I need folks with diverse skills who can build an efficient compliance team. The interactions that a CCO faces now are multiple; you have to deal with regulators, you have to deal with vendors, you need to know cyber. Surveillance itself is an art form. You have to be sufficiently curious and paranoid to be good at compliance.”

The funding circle is still a complex one as the situation below illuminates. One head of EMEA compliance in the UK sums it up, “we are looking to hire a data scientist to be the point person on our growing tech investment, but we also need folks with trading experience that are more senior and are not straight out of college. The younger, less experienced folks don’t know when a trade looks odd, or when the banter between people has become inappropriate. But we have a set budget and so we cannot afford an SME necessarily. It is a catch-22 as the SME would cut down headcount, as would a good data scientist. We could retire legacy systems and people doing a ton of unnecessary false positive clearance manually. So we eventually retire these inadequate systems, hire the data scientist, and invest in a proper search engine. Until then we are just burning unnecessary cash.”

The message is getting through

In conclusion, the compliance leads we spoke to were very positive about the new alignment they feel with the business; they stated that this increased connectivity and understanding were essential to educate senior management on the true cost of doing business. This educational process is bearing fruit as more executives appreciate how hard it is to do compliance well, and that there is a natural cost attached to that. This keeps the firm, and more importantly the senior manager, out of the regulatory crosshairs. One BD compliance head said, “the requirement to do surveillance is not getting reduced anytime soon. It is part of the business flow; you have pre-trade transparency, you trade and book it and then you do surveillance. Every time.”