Alerts & Crit Reduction
Tighter compliance regulations have challenged financial institutions in a variety of ways. Yet those who adapt best may enjoy a distinct competitive advantage.
Compliance risk has become one of the most significant ongoing concerns for financial-institution executives. Since 2009, regulatory fees have dramatically increased relative to banks’ earnings and credit losses (Exhibit 1). Additionally, the scope of regulatory focus continues to expand. Mortgage servicing was a learning opportunity for the US regulators that, following the crisis, resulted in increasingly tight scrutiny across many other areas (for example, mortgage fulfillment, deposits, and cards). New topics continue to emerge, such as conduct risk, next-generation Bank Secrecy Act and Anti-Money Laundering (BSA/AML) risk, risk culture, and third- and fourth-party (that is, subcontractors) risk, among others. Even though a lot of work has been done to respond to immediate pressures, the industry needs a more structural answer that will allow banks to effectively and efficiently mature their risk-and-control frameworks to make them more robust and sustainable over time.
The traditional compliance model was designed in a different era and with a different purpose in mind, largely as an enforcement arm for the legal function. Compliance organizations used to promulgate regulations and internal bank policy largely in an advisory capacity with a limited focus on actual risk identification and management. However, this model has offered a limited understanding of the business operations and underlying risk exposures, as well as of how to practically translate regulatory requirements into management actions. Even if a compliance testing program was established, it frequently borrowed heavily from the late-20th-century operational-risk playbook by emphasizing a bottom-up, subjective process of control testing versus a more objective, risk-based monitoring of material residual risks. Frequently, business managers are left to their own devices to figure out what specific controls are required to address regulatory requirements, typically leading to a buildup of labor-intensive control activities with uncertain effectiveness. Many banks still struggle with the fundamental issues of the control environment in the first line of defense such as compliance literacy, accountability, performance incentives, and risk culture. Finally, compliance activities tend to be isolated, lacking a clear link to the broader risk-management framework, governance, and processes (for example, operational-risk management, risk-appetite statement, and risk reporting and analytics). More often than not, the net result is primarily a dramatic increase in compliance-and-control spend with either limited or unproved impact on the residual risk profile of a bank.