How to Establish a Sustainable and Sound Approach to Regulatory Compliance
Updated: Oct 27
In the 20 years I spent in the finance industry, I rarely came across a “successful” regulatory implementation, never mind sustainable ongoing compliance.
This is usually not for lack of resources or effort. Invariably, regulatory projects suffer from delays and too much focus on day-1 compliance, and they are approached as an overlay to existing activities, which amplifies in-built complexity, increases costs and risks, and usually leads to regulatory breaches down the line.
I believe that the “regulation fundamental” is about the “WHY” (i.e. the purpose and expected outcome(s) of MiFID2) and, to an extent, the WHAT/HOW (i.e. the 30,000 pages of the MiFID2 regulation).
Focusing on expectations would deliver material benefits to firms above and beyond mere regulatory compliance. To get there, a paradigm shift in how financial firms reach and then maintain ongoing compliance is required. Here is why.
What is financial regulation?
“Financial regulation refers to the rules and laws that firms operating in the financial industry, such as banks, credit unions, insurance companies, financial brokers and asset managers, must follow. However, financial regulation is more than just having rules in place - it's also about the ongoing oversight and enforcement of these rules” – Central Bank of Ireland
Yet financial firms are subject to far more than “just” financial regulations. The wider their footprint, the wider the scope of potential regulatory bodies. I will expand on this later.
Why does Regulatory Compliance matter?
The ability to conduct financial transactions has been at the heart of our societies for millennia. It underpins our ability to exchange, to trade and execute many more fundamental human activities. Here is an interesting article on the background of History of Money and Payments.
In that context, the primary purpose of financial regulations is to maintain a stable financial system and to protect consumers. It is to protect our societies and our way of life.
To my mind, regulators tend to step in when the financial industry fails to do what it is supposed to do: when financial activities have destabilised, or are about to destabilise, the financial system and our wider society, whether because of too much risk taking, too many uncontrolled innovations, and/or too much greed.
Sometimes it is also about creating a level playing field to further develop and integrate disparate markets (e.g. the General Data Protection Regulation, or GDPR).
What does Regulatory Compliance mean for the financial industry?
An easy way to avoid regulations is not to “mess up”, preferably by constantly keeping the interests of our clients, consumers, and the wider financial system at the heart of what we do, and thus protecting our society and its people.
The alternative is to establish mechanisms to oversee what we do and to stay on top of what the many regulators out there are telling us we should pay attention to: be diligent in adhering to both “the spirit and the letter of the law”.
How to identify applicable laws, rules and regulations?
This is about horizon scanning, i.e. a mechanism built to enable early and systematic detection of all applicable laws, rules, and regulations (LRRs).
Financial firms are subject to many types of LRRs coming from many different regulatory bodies (in the UK these could be HMRC, the FCA, the PRA, etc.). The bigger the footprint, the wider the scope of LRRs to consider and the wider their range of sources.
In my experience, this invariably triggers a debate on compliance department vs compliance function, including key aspects such as the scope of the compliance department (e.g. whether it is focused on financial regulations only), compliance monitoring, etc.
Some of the most stringent regulations pertain to labour laws, physical security, employee safety, etc. I have found over time that these types of regulations are rarely on the radar of a compliance function, yet they can trigger multi-million-dollar fines, or worse when it comes to employee safety.
A few years ago, I had my team develop a “regulatory radar” and gathered a very large group of SMEs from many functions to fill and maintain it. The objective was to identify and assess relevant LRRs and be clear on the time horizon.
As it turned out, most departments across the firm knew which regulatory body (or bodies) they should monitor for their own purposes and which regulations would apply to them. Bringing some structure to what was an informal process helped:
1) To create a common understanding on and maintain the scope of relevant regulatory sources for the business. This includes which regulatory bodies to consider, from which jurisdiction and the type of “papers”. A big discussion at that time was on the relevance of regulatory speeches and how they could inform current and future expectations across all activities of the firm.
2) To share knowledge across all impacted functions and plug any gaps. For instance, certain regulations the Finance department was aware of impacted other functions as part of the process. Without that process, they would not have known about them.
3) To prioritise an initial assessment of new LRRs from a complexity and applicability standpoint. This high-level assessment helped us understand what we should focus on and when, and informed both executives and boards on resource allocation. This included getting to a common and agreed interpretation of the LRRs across all functions, leveraging the expertise of compliance folks.
4) To track progress against an expected regulatory timeline.
This approach proved particularly effective at “taming” the flow of new LRRs, but by its very nature it was forward looking. We decided to add a backward-looking review after it transpired that some regulations had been missed before this new process was put in place. As a result, we established an inventory of existing LRRs and of how they were met.
What does successful implementation mean?
I favour getting to compliance by managing the risks targeted by a piece of regulation. This approach relies on getting to compliance “by design”: through a business-centric vision or target state, and an understanding of what needs to be changed or transformed to get there.
As conduct officer, I had to (re)establish the conflicts of interest framework of the business I worked for, following negative feedback received from many regulators.
Breaking with protocol, I had my team ignore all known regulations and define a framework that would enable effective identification, management and, when relevant, mitigation of all potential and actual conflicts generated by the business and its people, with a single principle: keep the interests of our clients/customers front and centre in our activities.
We identified 50+ categories of potential sources of conflicts split between business practices (e.g. new product, remuneration, marketing, distribution, asset allocation, etc.) and employee practices (e.g. personal trading, directorship, etc.) by repurposing the existing compliance and risk framework. We also tweaked the existing risk/legal entity governance to bring transparency to the Board and Execs on the existing list of conflicts and enable their oversight. Finally, we had to plug some governance gaps to cater for cross-business conflicts (e.g. the investment bank team being on one side of a deal and the asset management team on the other side).
Once finalised, I had the compliance function assess all aspects of the framework against regulatory expectations across our footprint. As expected, it met regulatory expectations without tweaks.
It was also commended by the business. Until then, they had had to cater for various approaches across jurisdictions and the product landscape. This led to inconsistent business decisions and was confusing for business folks and clients alike. The standardisation and transparency brought by the framework enabled them to do the right thing without added complexity; in fact, the number of controls was reduced through standardisation.
How to stay compliant?
As long as financial firms approach regulatory implementation as an add-on to existing activities, they will struggle to maintain ongoing compliance. They will increase complexity, especially through control proliferation, and as a result increase their cost base and their risks. They will also lose out on the business opportunities arising from the ever-changing regulatory landscape.
Successful implementation of LRRs means there is no need to redo it: no day 2, never mind being fined for non-compliance months after the official compliance date. More practically, it means establishing sustainable and embedded mechanisms that deliver on expectations.
So what’s next?
Ongoing compliance should be a piece of cake. But it’s not!
Financial firms have a massive opportunity to save on costs; to design and deliver better services and products, and materially increase the value they deliver to their clients and other stakeholders, all whilst meeting regulatory expectations.
Regulatory compliance can cost anywhere between 6-10% of a firm’s revenues every year, according to the Bloomberg survey. And more, if those firms end up being fined.
So the case for change is here. It should be focused on a new approach to the identification and implementation of LRRs: an end-to-end, integrated approach to regulatory compliance based on a principle of “compliance by design”.
The easy solution is to implement more controls and more procedures and, fundamentally, not to change the business, treating regulatory compliance as an add-on. But this defeats the purpose of what regulation is all about and explains why so many implementations fail. It also explains why regulatory costs have been ballooning for years.
This becomes a vicious circle. As implementations fail, regulators are tempted to take even more corrective actions, adding to the complexity.
So, for regulators, a good place to start would be to define from the outset, and in plain English, what a successful implementation would deliver to end clients and to market stability, and to have firms demonstrate 1) the benefits accrued against set principles and 2) how their activities have been changed or transformed to get there and to ensure ongoing compliance.
This is a multi-billion opportunity in terms of cost savings and potential new revenues. So, who will grasp it?