After years of handling internal pressure from companies leaning on risk controllers to shield organizations from legal troubles, external pressure from regulatory forces now threatens to increase the personal liability of compliance officers if something goes wrong.
The last 18 months have been a period of unprecedented change for the compliance industry, with high-profile exits, evolving responsibility, and a swathe of new regulations to contend with, from MiFID II to GDPR to the UK’s Senior Managers and Certification Regime (SMCR).
Figures suggest that banks are hiring more staff and attempting to create larger buffers to protect against a growing number of risks. However, this has led to concerns that valuable and experienced compliance professionals are becoming more expendable and less valued.
“Personal liability is a very real concern for compliance professionals,” said Stacey English, head of regulatory intelligence at Thomson Reuters. “Around the world, individual accountability regimes are on the rise in parallel with growing sources of regulatory risk, such as technology. Cyber-attacks, data security issues and infrastructure failures are no longer just an issue for IT – they’re a priority for compliance because of the potential detrimental impact on customers.”
In December 2018, Thomson Reuters Regulatory Intelligence asked more than 750 compliance practitioners their opinion on personal accountability in the year ahead. The vast majority of respondents felt it would rise, with around a quarter believing it would go up dramatically.
Radar spoke about the changing demands of compliance and the evolution of the function (on condition of anonymity) with compliance executives at several Tier 1 multinational banks headquartered in London, New York and Singapore.
“It used to be the case that the job provided a measure of protection, but not any more,” said a senior compliance official at a UK investment bank. “I do feel more exposed, less secure, and I know comrades in similar roles at other firms feel the same.”
“There is a worry you will be hung out to dry and it’s been creeping in since 2015, but really has amped up in the last two years.”
The UK Financial Conduct Authority (FCA) put the function on notice when it carried out research into the compliance operations of 22 wholesale banking firms in 2017.
The exercise was viewed as an effort by FCA to better understand how assessments of compliance have shifted.
FCA uncovered a rise in “checking the checker” activity, where compliance teams examine the effectiveness of their compliance functions. Conflicts of interest need to be managed effectively, FCA said, but the indications were of a job that carried more scrutiny than ever.
The introduction of the SMCR is the main driver of change, placing individual accountability on senior professionals at a level far beyond the old management regime. It has resulted in organisational maps being redrawn, jobs shifted and updated, and clear lines of responsibility – pitfalls and all – where perhaps an individual could once shield themselves behind a rulebook.
For some, such as recruitment agencies, this has resulted in a significant uptick in activity.
“From my own observations and speaking to industry professionals, I have seen a positive change,” said City of London recruiter Christopher Fields, of Broadgate Search. “I do believe that companies are taking regulatory requirements more seriously.”
Fields said he has observed a rise in companies hiring to increase team sizes and “compliance heads” having to replace any staff losses. “Typically speaking, compliance teams are not getting smaller,” he said.
In the US, political instability has caused Wall Street to further insulate itself as banks continue to bed down the Dodd-Frank requirements.
Technology and the threat landscape
Regulators are keen to encourage responsible innovation in financial technology and, while the pendulum swings towards regulatory relief, firms have been warned it will smack them on the way back if they do not continue to update risk frameworks and embrace new tools to help with surveillance and monitoring.
Compliance executives report that their firms are trying to strengthen infrastructures to organize and analyse data and efficiently manage legal documentation. They are pouring resources into new regulatory technology solutions (“RegTech”, although no one uses this term in real life).
In the UK, fines have slowed since the glut of Libor and FX punishments, but in the US the regulators are breaking records with the penalties they hand out, and are also incentivising whistleblowers through significantly inflated pay-outs.
What British regulators have increased is their number of investigations: knocking on doors and demanding to see books, as they respond to government criticism that they have been too soft on the sector following the financial crisis and the collapse of lender HBOS.
In Singapore, jail time and industry bans are becoming the standard “go-to” punishment for financial services professionals who step out of line.
Combined, risk is up, and compliance professionals all over the world are feeling the heat.
There are some long-standing issues that have historically dogged compliance and may contribute to the exodus of entire teams, but many staff exits can be attributed to supply and demand, he said.
“The industry has always been a little short in terms of compliance expertise, and individuals can command premiums,” said Vaughan Edwards, partner at management consultancy Elixirr and former UK regulator. “There was a thesis that over time this would erode, as more and more people become qualified and it becomes a much bigger thing, but that hasn’t really happened.”
He said he felt there was not enough talent coming through at a time when banks are desperate to bolster ranks; “the net result is weak growth in high-quality compliance officers, because supply can’t keep up with demand,” he said, adding that there have been significant changes in the shape and positioning of the compliance function in the last three to four years.
UBS is considered the first mover in terms of combining compliance with operational risk, a decision that generated mixed results for the Swiss investment bank and its peers who followed.
“The profession has moved in the direction of becoming more process-driven and has taken a more systematic approach – disciplines that some traditional old school compliance officers were not perceived as having,” said Edwards.
“Firms are taking a different approach to the function and that is reflected in who they bring in; the risk mentality has been taking over in the last six to seven years.”
This evolution, promoting or hiring people without traditional compliance backgrounds to head and run departments, is symbolic of a more disciplined, systematic, and measurable approach to risk, he said. But the risk of going too far has alienated the compliance experts who have the experience.
“In my opinion, firms have to strike the right blend and that will vary from firm to firm, i.e. compliance at an algorithmic trader or an MTF lends itself much more to a systematic, metric-based approach than compliance in an investment banking boutique.”
Industry chatter has also led some to believe the regulators are explicitly targeting compliance staff, to send a message to the wider company. However, these executives are already used to having targets on their backs, and most believe this is a symptom of a uniquely paranoid profession.
“We stick together, we’re used to being seen as ‘business prevention officers’, and that does breed a certain mentality,” said the chief of compliance at a US investment bank. “I don’t think the regulators see it that way, but we are held to higher standards.”
Edwards agreed, stating he did not feel that FCA would risk upsetting a function it relies on to help deliver its message.
“I don’t go with the idea that the regulators are really going after compliance officers,” he said. “They see compliance as a very important ally and would recognise the major risks in any perception that compliance officers were being targeted.”
Historically, no compliance operations are identical across different banks. The ever-expanding list of demands from senior management has also resulted in layers of inefficiency and duplication due to lack of coordination, said Kirsty Searles, risk advisory partner in Deloitte’s Governance and Compliance team.
There are clear benefits to better integration, for example by bringing together compliance operations such as training and reporting teams, she said.
“Longer term, integration will enable alignment between the compliance programme and various assurance functions, such as risk management and internal audit, making the three lines of defence model more fluid.”
This should relieve pressure, but it’s an area in which compliance professionals must make sure their voice is heard.
Accenture surveyed 150 financial services chief compliance officers for its 2018 Compliance Risk Study for Financial Services.
Of its main takeaways, the need to “skill up” was a headline. More than 50 percent of departmental expenditure would be on technology in the next three to five years, and compliance departments will move “towards deploying technology rather than people to fulfil its mandate.”
There is a real “Old School” vs. “New School” rivalry blossoming within compliance departments, where new recruits bring with them knowledge of faster and more agile technologies, whereas old hands prefer to rely on their experience, knowledge, and doing things the tried and tested way.
The ubiquity of mobile devices, for example, has already led to some organisations developing apps for their staff to access and search their organisation’s policies more effectively.
One bank has taken a bold approach, which involves locking out all users’ laptops once every quarter until three compliance-related questions are answered correctly.
In order to effectively use the inflated suite of solutions now at their fingertips, compliance professionals need to embrace the challenge and re-train themselves.
The regulatory direction of travel is clear; Dutch prosecutors who charged ING for major money laundering failures in 2018 said the bank’s compliance staff were “inadequately trained”, and the system that monitored transactions was set up in such a way that only a “limited number of money laundering signals were generated”.
The message has not been lost on the profession. “I’d say one of the largest gaps is around detective capabilities,” said a chief risk officer at a mid-size UK investment bank. “I’ve seen this weakness exploited.”
“Technology is available, and to be honest we as a profession must try to become more proactive and preventative, even if it means spending more time learning how a new technology works. It’s either that or we’ll be out of work ourselves.”