The Compliance Ostrich: An Endangered Species Facing Extinction
With financial institutions under increasing regulatory pressure to overhaul wide-ranging compliance deficiencies, is the era of firms burying their heads in the sand coming to an end?
In certain financial circles, and particularly with regards to compliance, you often hear executives discuss the virtues of being part of the herd. This is the belief that as long as your firm isn’t lagging behind its peers, you’ll appease the regulators, but, simultaneously, you shouldn’t be doing more than your peers, and stifling business with controls that are unnecessarily strict.
There was a period of time when being part of the herd provided peace of mind for Chief Compliance Officers. However, with regulators growing increasingly frustrated with firms failing to implement effective compliance programs, could it be that the herd is no longer the place to be? When you lift your head out of the sand and take a look around, have you been left behind?
Regulators Say Enough Is Enough
The consequences for failing to operate an effective compliance program could not be clearer. In October 2020, the Federal Reserve (Fed) and Office of the Comptroller of the Currency (OCC) finally lost patience with Citigroup’s lack of urgency in addressing its failure to, “implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the bank’s size, complexity, and risk profile.”
The regulator issued a US$400 million penalty due to what it saw as “long-standing compliance deficiencies.” In addition, Citigroup Chief Risk Officer, Brad Hu, stood down from his role with immediate effect and the OCC ordered the bank to beef up its risk and compliance program to “ensure a robust staffing model that provides for ongoing monitoring of the bank’s aggregate staffing for the risk management-related functions in the front-line units, independent risk management functions, and internal audit function, including addressing the number, skill, and expertise gaps, and dual roles and matrix reporting as identified.”
To that end, the bank pledged a $1 billion investment in its operational systems and CEO Jane Fraser pledged the firm will, “…invest in our infrastructure, risk management, and controls to ensure that we operate in a safe and sound manner.”
These measures, which will take years to implement, will need to be rolled out while under observation by the Fed, with the regulator able to reject acquisitions sought by the bank and request changes at a board and executive level if necessary.
So, to review, there are numerous risks of burying your head in the sand and failing to improve compliance controls: Huge monetary penalties, irreversible reputational damage, the loss of senior executives, increased regulatory scrutiny, and, the real kick in the teeth, having to invest heavily in your compliance controls anyway but under the watchful eye of the regulator.
How to Get Ahead Of The Herd
While firms may point to enforcement action at Citigroup as an extreme example, a November 2020 risk alert from the U.S. Securities and Exchange Commission’s (SEC) Division of Examinations (DOE) stated that deficiencies relating to the Compliance Rule were among the most common issues cited by their staff. The Rule stipulates that it is unlawful for investment advisers to offer advice unless they have implemented policies reasonably designed to prevent violation of the Advisers Act, which monitors and regulates the activities of investment advisers.
The risk alert broke down the DOE’s findings into six key deficiencies:
- Inadequate Compliance Resources
- Insufficient Authority of CCOs
- Annual Review Deficiencies
- Implementing Actions Required by Written Policies and Procedures
- Maintaining Accurate and Complete Information in Policies and Procedures
- Maintaining or Establishing Reasonably Designed Written Policies and Procedures
A common theme found by the DOE is that many advisers do not devote adequate technology, training, and staff to enable an effective compliance program. The concern is that although firms have a CCO in place, their role is often stretched across wide-ranging responsibilities leaving little time for their core compliance requirements.
The alert also concluded that, in general, more staff are needed for the compliance team to function properly. At present, policies and procedures such as annual reviews and accurate reporting cannot be implemented properly as there simply aren’t the resources to do so.
Many of the firms observed by the DOE had grown significantly in size in recent years and it is suggested that these failings are a by-product of their inability to scale their compliance efforts in accordance with the complexity of their business. Advisers are failing to adopt the latest compliance technology that would enable them to monitor for risk in a scalable way that would satisfy the SEC.
Another damning indictment found in the risk alert is a perceived lack of authority possessed by CCOs. DOE staff found that CCOs are routinely denied access to important compliance materials “such as trading exception reports and investment advisory agreements with key clients.”
CCOs are often given restricted access to the senior management team meaning they are kept out of the loop regarding high-level business decisions that may have significant regulatory repercussions. Even when senior management and employees discuss matters related specifically to compliance, CCOs are rarely consulted.
This risk alert should provide a wake up call for firms who have yet to elevate compliance from a check-box exercise to a function that helps to create real business value.
It should also provide comfort for financial institutions that have already made significant steps to empower their compliance team to introduce a culture of compliance.
Finally, it should vindicate the forward-thinking firms who have broken away from the herd by placing compliance at the heart of their business.
Regulators are only going to become increasingly demanding. There are no longer any excuses to leave your head buried in the sand. Isn’t it about time the compliance ostrich became extinct?