The dubious benefits of compliance

Survey Risk-Based Compliance

The concept of risk-based compliance may sound grand, but the results of a new survey show that financial services firms have a very different idea of the risks that they face than regulators.

Speaking in general terms, regulators have a fairly broad agenda – they have to protect society at large, the financial system specifically, and ensure the soundness of individual firms. When regulators seek to define a 'risk-based approach', it is often with these objectives in mind.

However, an analysis of responses to the survey – especially spending plans for 2005 on compliance tools – shows that the biggest risk in the risk-based analysis of a financial services firm is of a fine or censure by a regulator.

This first annual survey on risk-based compliance issues was organised by Operational Risk in conjunction with risk management consultants Protiviti to better assess how organisations are managing the multitude of risk-based compliance challenges that institutions currently face.

The survey shows that while firms are getting to grips with various compliance issues – they are either purchasing or building software packages, putting other types of infrastructure in place, and working to fulfil the business potential of their compliance efforts – executives remain unconvinced of some of the wider benefits of certain compliance initiatives. The costs of compliance are increasing, and so financial institution executives want to see results for their money – in the form of reduced institutional risk, increased efficiency or savings, or the wider societal benefits that regulators say are important. So, for example, firms would like to be able to use anti-money laundering software to improve intelligence on customer relationships, and also want to see regulators and law enforcement agencies act on the suspicious activity reports that they file to reduce criminal activity.

There is little doubt among respondents that compliance costs are on the rise. Non-technology costs are rising the fastest, with more than 24% of respondents saying that this category has risen by more than 25% over the past two years. Nearly 33% said these expenses had risen by between 10% and 24%. But technology costs aren't far behind. About 32% say their technology expenses have risen by 10% to 24%, while this category of costs has risen by 25% or more for nearly 16% of respondents.

And financial services executives expect more of the same. Some 37% expect compliance-related technology costs to rocket by 10% to 24% in 2005, while nearly 17% think those expenses will increase by more than 25%.

What is the reason that these costs are rising? In part, it is because of the sheer proliferation of regulations that are hitting the financial services industry at the same time. According to respondents, the three most important initiatives at the moment are – in order – Basel II operational risk, Basel II credit risk, and audit/accounting rule changes. In fourth place – and statistically some distance behind – was Sarbanes-Oxley (Sox). However, this can be accounted for by the geographic spread of respondents and the fact that non-US listed firms don't have to comply with that law – so in fact Sox is probably of equal importance to the top three issues for firms that fall under its jurisdiction.

But there are many other initiatives that executives must pay attention to. In order of importance according to the study, these are data protection rules, straight-through processing, complex structured products rules, EU corporate governance regulations, US anti-money laundering laws, national business continuity regulations, and the Coso enterprise-wide framework. And while 57% of respondents say they have put in technology frameworks to cope with the Basel II credit and operational risk challenges, and 44% have implemented a system to cope with the audit/accounting rule changes, less than 20% of respondents have purchased or built a system to cope with business continuity, money laundering and other compliance challenges.

The other reason costs are rising is the change in approach to regulation – the advent of a 'risk-based' approach to compliance has had a mixed response in the financial community. Nearly 48% of respondents believe that a risk-based approach to compliance will result in high compliance costs. But, on the other hand, a whopping 72% believe that a risk-based regime will decrease the potential for regulatory and reputational risk.

And delivering that reduction in regulatory and reputational risk is what risk-based compliance seems to be about. But executives also showed themselves to be fairly pragmatic in their views about the level of risks that their firms face in key compliance areas. For example, 47.9% of respondents said that it was either "not very likely" or "unlikely" that their firm would experience an event that would result in the use of part, or all, of their business contingency plans within the next 24 months. And nearly 57% said that their business contingency plans were either "somewhat impacted" or "not at all impacted" by concerns about the effects of a terrorist attack within the next 24 months.

There is a view, perhaps, that although compliance departments are being asked to jump through hoops, their efforts are not being taken up by other stakeholders. For example, only 6% of respondents thought that the suspicious activity reports they file as part of their anti-money laundering requirements have a very high impact, in terms of helping law enforcement authorities to track and fight financial crime. Some 24% thought it had a "high" impact, but nearly 70% thought it had a moderate, low or no impact. And only about 19% of respondents characterised their relationship with law enforcement in the financial crime area as "strong and productive". Some 42% thought their relationship was just "moderately" productive, while nearly 11% thought it was "not very productive". And nearly 33% of respondents thought that the anti-money laundering legislation in their jurisdiction was either "not so well drafted" or "poorly drafted".

The pragmatic attitude of compliance officers and risk managers is also reflected in the initiatives and technology that firms chose to implement. For example, in the corporate governance area, 71% have improved their reporting management system, 67% have enhanced IT security and 63% have a code of conduct in place. On the flip side, only 18% have improved privacy regulations, 23% have Sox compliance monitoring software and 28% a whistleblower programme.

And in terms of corporate governance initiatives for the next year, firms are continuing to focus on improving reporting management systems (34%) and enhancing IT security (28%). Added to the mix are improved corporate governance policy frameworks and processes (26%) and a reputational risk management strategy (28%). It's hardly surprising that the focus of firms is on areas where the spotlight of legal, regulatory and reputational risks has been focused for the past few years. Sox and related corporate governance initiatives have kicked reporting system improvement into high gear, while increased levels of losses associated with virus attacks, phishing and other breaches of IT security have hit headlines. Eliot Spitzer's conflict-of-interest lawsuits in the US have also mobilised firms to manage the potential for that risk more effectively.

What are firms not focusing on in the corporate governance sphere? Just 9% are going to put a code of conduct in place, or overhaul their existing code, or enhance Chinese walls between existing business lines. These concerns, which grew out of cases such as Enron or Worldcom, have presumably been already dealt with by firms. Only 13% say they plan to add new, outside boards of directors, install an email messaging or monitoring system, or put a whistleblower programme in place. A mere 7% are planning to invest in an email or messaging storage system.

On the financial crime side of things, the story is much the same. Firms currently have in place the tools that offer the most 'bang for the buck'. Some 65% have transaction and account monitoring software, while 50% have transaction filters for screening against government lists, and 42% have fraud detection software. It is no coincidence that these are areas of particular regulatory focus over the past two or three years. But just 16% have case management software, 17% have product and transaction risk scoring software, and 19% have identity theft detection software – areas that are considered more 'cutting edge'.

Going forward, firms are looking to invest in politically exposed persons databases (23%), public records search databases (20%), fraud detection software (20%) and anti-money laundering/fraud reporting software (20%). Low on the priority list are case management software (7%) and identity theft detection software (11%).

And in the business continuity arena, 64% have alternative communication networks, 63% have signed up for a dedicated back-up facility, and 58% have a human resources business continuity plan. Just 20% have a contingency fund, 17% have a counselling programme, and 23% have electronic vaulting. For the next 12 months, firms plan to invest in human resources business continuity plans (26%), emergency control centres (25%) and dedicated back-up facilities (23%). Less popular are shared back-up facilities (11%) and electronic vaulting (10%).

These results show that it is mainly concerns about compliance with specific regulatory initiatives that continue to drive firm investment in business continuity, financial crime and corporate governance. At the moment, a 'risk-based approach' is perhaps best defined as the risk of being slapped on the hand by a regulator. Few firms seem to be making progress in terms of investment in more advanced forms of compliance tools, even when business arguments could be made to support such a strategy.

But this is in line with firms' pragmatic approach to compliance issues more broadly. The risks involved, if one looks at the focus of their efforts for the past 24 months and for the next year, are primarily that of having a regulator put their firm's name 'in lights'. The losses that result from regulatory transgressions – taking the form of regulatory, legal and reputational risk – are the stick that continues to drive compliance spending.

On the other hand, if risk-based compliance as a philosophy is to succeed, it cannot just be about how firms play the regulatory game. Instead, regulators and enlightened compliance officers and risk managers must attack this problem from another point of view – firms must get to grips with understanding how their businesses can be improved by many of the suggestions regulators make. Operational risk is a good example of this, in that banks now widely acknowledge that it is starting to revolutionise the way they think about whole categories of risks, and they are beginning to see real business benefits. For their part, regulators must not lose touch with what makes the business community tick, and understand that they must hold up their end of any bargain – for example, by boosting law enforcement's focus on financial crime – for firms to follow their lead willingly.

How the Operational Risk/Protiviti survey was conducted

The Operational Risk/Protiviti survey form was sent via email to selected subscription lists for Operational Risk, BaselAlert.com and Risk magazines during late October and early November. More than 260 executives responded to the survey. Of those who were from financial services firms, some 45% were from the EU, 12% from the US and 17.3% from the Asia-Pacific region. The firms were fairly evenly distributed in terms of total assets, with 14.9% having assets of more than $250 billion, and 16.5% assets between $50 billion and $250 billion. Nearly 28% hailed from commercial banks, while 17.6% worked for asset management firms and 17% were from the group level of an integrated financial services firm.
