Lombard Risk announces ComplianceASSESSOR at the BBA annual risk management conference
Lombard Risk at the British Bankers’ Association’s annual risk management conference: 27th November 2012
On November 27th 2012 the British Bankers’ Association (BBA) held its annual risk management conference.
The event was attended by a combination of BBA members, regulators and representatives from firms associated with the financial services industry.
- Jo Paisley, Director, Risk Specialists Division, Financial Services Authority – “The FSA on banking in the new financial landscape”
- Michael McKee, DLA Piper – “Legal update on risk management”
- Alain Stangroome, Head of Group Capital Planning, HSBC Holdings plc – “Risk and bank capital”
- Christopher Blake, Senior Manager, Liquidity Risk – Group Asset & Liability Management, HSBC Holdings plc – “The relationship between liquidity and risk management”
- Conor MacManus, Head of Prudential Requirements, HM Treasury – “Measuring the impact of Basel 3 on banks”
- Annemarie Durbin, Group Head, Corporate Governance, Property, Environment and Security, Standard Chartered – “How can non-executive directors (NEDs) be supported in their oversight function?”
“The BBA Annual Risk Management Conference highlighted the considerable changes in the regulatory landscape and the challenges ahead for risk and compliance professionals.” – David Wilford
Lombard Risk at the BBA risk conference
Lombard Risk sponsored, exhibited and presented at the BBA annual risk conference.
John Wisbey – CEO, John Shield – Advisor to the CEO, Rebecca Bond – Group Marketing Director, James Phillips – Director, Regulatory Strategy, Tony Glover – Business Development Manager – Lombard Risk – attended the risk management conference and were on hand to discuss delegates’ regulatory and risk issues.
Lombard Risk announced ComplianceASSESSOR at the event – a solution that provides firms with a centralised, secure and dynamic means of assessing, evidencing and recording compliance against an unlimited library of regulations.
Lombard Risk ComplianceASSESSOR addresses regulatory risk – being the risk of non-compliance and the penalties and reputational risk that follow.
Introducing David Wilford
David Wilford, Director Compliance Product at Lombard Risk
David Wilford has over 35 years’ experience, primarily in the area of credit risk management and regulation. Over the last 10 years he has been involved in the interpretation and implementation of the Basel II/III Accord as reflected in the EU CRD and subsequently the FSA Prudential Sourcebooks. He has been advising banks on the adequacy of their risk governance frameworks to address these and other regulatory requirements and implementation issues.
David Wilford, Director of Compliance Product at Lombard Risk, presented at the event:
“The challenges of compliance in the new regulatory framework”
- The biggest challenge banks now face
- Why banks remain exposed to compliance issues
- A new approach to compliance?
As you are all aware, the banking sector is currently subject to a plethora of regulations governing every aspect of an institution’s business. As a result, even the smallest institution is now subject to thousands of regulations. This may appear to be an exaggeration but the FSA’s GENPRU and BIPRU alone contain in excess of 5,000 regulations and guidance that banks are expected to comply with. Add to these SYSC, COBS, Internal Regulations governing KYC and TCF not to mention the Data Protection Act, Consumer Credit Act, AML legislation and other applicable laws and regulations and the number of regulations can soon be counted in their tens of thousands.
Cross border organisations are further faced with European and other directives, complicated in some cases by the application of National Discretions by individual regulators, increasing substantially the number of regulations and therefore the complexity of ensuring compliance in the various jurisdictions.
It is therefore not surprising that many of the smaller institutions are now having difficulty in even keeping track of new and amended regulations, never mind ensuring adequate compliance.
Indeed, the pressure on compliance functions was borne out in a Thomson Reuters’ survey earlier this year when over 500 compliance professionals were surveyed. The results indicated (quote) “that the deluge of new rules, regulations and enhanced vigour of regulators coupled with a lack of additional internal resources and headcount has pushed compliance departments to the breaking point”.
Unfortunately, the situation is set to deteriorate further from a compliance perspective, as the regulatory landscape is now undergoing a radical change in response to political and regulatory pressures and demands designed to restore economic and financial stability, both here and abroad. Clearly a major challenge is the need to increase both capital and liquidity to levels deemed by the regulators to be sufficient to weather another financial crisis … no easy task given the increasing scarcity of high quality capital in a deteriorating economic climate, particularly in Europe.
And in the case of those firms deemed ‘too big to fail’, these challenges are further complicated by demands to restructure or even ring fence their retail and investment activities whilst remaining compliant with all applicable regulations.
In addition, firms are also facing the challenge of both restoring and promoting the sector’s reputation and integrity, helped in no small measure by the regulators who are demanding propriety, transparency, better risk management and perhaps most important of all, accountable governance.
And finally, as we heard this morning, the new Prudential Regulation Authority intends to exercise a more judgemental approach to supervision aimed at promoting the ‘safety and soundness’ of financial institutions whilst the new Financial Conduct Authority intends to exercise a similar approach with regard to conduct in the financial market place. On the face of it, the application of a more judgmental approach that will no doubt be based on empirical evidence may be welcomed by many in the belief that such an approach provides firms with more ‘flexibility’ in the interpretation of the underlying regulations. However, as many of us know from past experience, the application of such an approach can lead to differences in opinion as to the interpretation of the evidence, leading to even more challenges for firms when trying to justify their interpretation to the authorities.
And no doubt there will be even more regulations – and differing approaches – as politicians and regulators seek to further refine and tighten their control over the banking sector as a means of protecting individual economies.
In conclusion, it is clear that the situation for many compliance functions is extremely serious, especially given the lack of investment in appropriate resources that many firms have experienced.
I would therefore venture that given the enormous task faced by compliance functions in ensuring compliance in an ever changing and demanding regulatory environment, the biggest challenge firms now face is REGULATORY RISK that may be defined as the risk to earnings, capital and reputation associated with a failure to comply with regulatory requirements and expectations; or to put it more bluntly, the risk of non-compliance.
There is obviously no way to avoid these changes or the challenges they pose.
The question therefore is “How are compliance personnel – consisting of Risk, Compliance and Audit officers – going to ensure compliance with the current and future regulations that underpin these regulatory demands?”
And I include Risk officers as their duty is not only to identify and mitigate risk but to ensure that the methodologies and approaches they use comply with the underlying regulations that are designed to ensure minimum standards of acceptability … and integrity in the output of their deliberations and computations.
To answer this question, I believe that we first need to examine current practices and then the challenges to understand the enormity of the problem.
If we go back approximately 20 years, the approach to auditing changed significantly from a tick box approach to a risk based approach, the latter identifying high risk business operations and processes and auditing them on a more frequent and comprehensive basis than low risk areas. While this approach had the benefit of utilising more efficiently audit and compliance resources, there were two consequences. First, simple, ‘straightforward’ businesses and processes within the institution were effectively removed from the radar; and conversely, compliance and audit became focused on specific, high risk areas and processes, the risk being measured in terms of risk to the bottom line. And this was in the days when institutions were required to follow the spirit of the regulations and regulations could be measured in a couple of thousand rather than tens of thousands.
Jumping forward to the years leading up to and immediately after Basel II came into force, compliance with the new regulations was embedded within the implementation process so that when the projects went ‘Business As Usual’, businesses and their processes were, by default, compliant with the new regulations. Some institutions went so far as to develop tools to determine compliance with the Basel II regulations during implementation. However, most of these models were mothballed upon implementation or have subsequently become out of date. And in the case of the smaller institutions, their size and / or lack of complexity did not warrant expenditure on the development of such tools. Whether tools were employed or not, the same process of ensuring compliance with new regulations within the implementation process has persisted over the years.
The result is that even today reliance is placed upon the majority of simple business operations being inherently compliant with applicable regulations and therefore off the radar as far as a detailed examination – to determine the state of compliance – is concerned. Yet the majority of fines and settlements this year alone have been in respect of these exact same simple operations. Take for example the back office processing of payments to and from countries on the U.S. embargo list, lack of due diligence on the source of funds when processing payments, the simple processing of mortgage applications prior to securitisation or indeed the reasonable business model of selling insurance products to existing customers. All of these processes were no doubt deemed simple and straightforward and as a consequence, only warranted the occasional cursory review, yet the financial and reputational impact on individual banks for non-compliance with the relevant regulations has been enormous.
At the other end of the spectrum, compliance and audit functions still focus on ‘high risk to the bottom line’ businesses and areas of operation and undertake specific audits and investigations at the ‘coal face’, usually relying upon hard copies of the regulations, manual files and Excel spreadsheets. Unfortunately, this focused approach, while serving a particular purpose, prevents senior management, auditors and compliance officers from seeing the overall state of compliance of the institution against the tens of thousands of regulations applicable to their business. It also fails to address the fundamental requirement of the regulators and that is to comply with their regulations, irrespective of how insignificant an institution may think they are, because at the end of the day, a regulation is a regulation and a breach in compliance is not acceptable.
Having said that, Mr Andrew Bailey’s introduction to the joint Bank of England / FSA paper issued last month and entitled ‘The PRA’s approach to banking supervision’ stated that the PRA’s approach “will be very clearly based on judgement rather than narrowly rules-based, and it will be forward looking to take into account a wide range of possible risks to our objectives.” And as mentioned earlier, the paper then goes on to say that the PRA intends to focus its approach on “the ‘safety and soundness’ of individual firms and therefore the stability of the financial system.” Clearly, safety and soundness are the new buzz words, having been repeated 52 times in this paper alone!
Consequently, on the face of it, we appear to have come full circle with the PRA, and indeed the FCA, exercising judgement rather than imposing a rules-based approach. However, there is a catch and a rather large one at that, which can be found in Clause 69 of the paper.
This Clause states: “This requirement, for the firm and those managing its affairs to be ‘fit and proper’, is in addition to the obvious need for a firm’s board and senior management, and in particular its Chair, to have regard to the need for the firm to comply with all applicable laws and regulations. These obligations are extensive and not limited to the laws and regulations enforced by the PRA. This is because other laws and regulations — for instance, conformity with tax laws — could affect a firm’s fitness and properness, and the probity and reputation of its management.”
Clearly, compliance and audit functions are faced with a dilemma, particularly given limited resources. Should the focus continue to be on high risk business areas and run the risk of non-compliance in what are deemed low risk areas OR should compliance functions restructure their approach to try and address both the principles based and rules based regulatory requirements?
But before answering that question, consider the following.
In the not too distant past, an identified breach in compliance would have been dealt with quietly by the regulator, enabling the bank to correct the situation and contain or at least control any reputational damage. Unfortunately, the current climate is far more hostile and unforgiving as banks are now subject to the full glare of publicity and public opinion. This is certainly the case in the U.S. where even the slightest hint of non-compliance or impropriety – the two being indistinguishable in the eyes of the general public – attracts headline news, sizable fines or settlements and immediate reputational damage irrespective of the validity of any accusation or the extent of any breach being known.
Whether the substantial increase in litigation in the U.S. is an attempt to be ‘seen to be doing the right thing’ and / or perhaps taking advantage of the political climate for a regulator to stamp their mark within their peer group is difficult to tell. What is certain is the impression that the U.S. regulators have a tendency to litigate first and ask questions later … with serious consequences for the institution concerned in terms of retained earnings and reputation. Fortunately, on this side of the ‘pond’, any response to wrongdoing is a measured response to identified breaches in compliance. And may this approach ever continue!
Clearly, one of the major problems, particularly in the U.S., is that many firms appear unable to evidence the fact that they have at least endeavoured to comply with, what are often very complex and constantly changing, regulations. Obviously, endeavouring to comply is not the same as complying and will not prove to be a defence if a regulator really wants to punish a firm, for whatever reason. However, it may sway public opinion and help to restore confidence in the sector if the enormity of the task facing compliance officers is better understood and firms are at least seen to be doing their very best to comply with the regulations.
The answer may therefore be to adopt a more transparent, dynamic and comprehensive approach to compliance that evidences a concerted effort to comply. This may in the future enable a firm to at least evidence to a regulator that all reasonable action had been taken to comply with the regulations at the time of the apparent ‘offence’. And hopefully, this may even sway public opinion and help to restore confidence in the sector.
There is also another reason to take this type of approach. Going back to the speech this morning from the FSA, regulators are clearly going to place more and more reliance on a firm’s compliance and audit functions to enforce compliance and where necessary, justify partial or non-compliance. There is therefore a compelling argument to manage compliance more dynamically and evidentially in a centralised fashion.
Ultimately, the Board of Directors and senior management will be held responsible – possibly at a personal level – for any failures in compliance. It is therefore imperative that compliance and audit functions, senior managers and executives have the ability to clearly and easily determine the state of compliance with all relevant regulations throughout their institution, identifying any deficiencies and areas of concern for appropriate action.
Ensuring full compliance with every applicable prudential and non-prudential regulation is obviously an impossible task given the dynamics of any financial institution and the resources available to compliance and audit functions who, historically, have suffered from a lack of investment. The answer may therefore be to assess regulations not only in terms of the impact on the bottom line but also in terms of the regulatory consequences of non-compliance. In other words, a regulation may be deemed low risk if the institution believes that the consequences of non-compliance would be a disapproving look from the regulator whilst non-compliance with a ‘high risk’ regulation may prompt a Pillar 2 capital levy or drop in share price as a result of reputational damage. Determining what regulation is low risk and what is high is obviously subjective. However, the simple task of determining the appropriate risk may focus attention on areas of the business previously deemed to be of little concern from a compliance perspective.
Certainly, it would be inappropriate to focus simply on ‘high risk’ regulations for exactly the same reason as focusing on ‘high risk’ business areas diverted attention from areas that subsequently proved to be costly when breaches in compliance were uncovered. However, combining the two approaches may assist an institution in avoiding the same mistakes made by some institutions this year.
In summary, compliance and audit functions are caught between a rock and a hard place, having responsibility for compliance with thousands of regulations but often restricted as to appropriate resources, on the grounds of cost. Indeed, it is fair to say that these functions have in the past been deemed to be a necessary evil, costing an institution money to run but with no apparent benefit. Unfortunately, it is failures in compliance that are headlined, not the success of ensuring compliance.
A new approach to compliance
Having examined the past approach to compliance, the current environment and the proposed ‘New World’, what else can be done to address the problems of compliance, going forward?
As detailed in many articles recently, and in fact headlined in City AM just last week, risk, compliance and audit experts are in high demand as a direct result of the new regulatory landscape and the challenges it brings. However, I would suggest that increasing headcount cannot be considered the sole answer for a number of reasons.
First and foremost, given the lack of investment in compliance functions in the past and therefore a lack of appropriate training in compliance and the interpretation of regulations, it must be questionable as to whether there is a sufficiently large pool of appropriately experienced personnel available to meet demand. Certainly, firms that do not have a large enough budget to recruit these experts are going to lose out, with possibly severe consequences.
Secondly, even if a firm does recruit additional risk, compliance and audit experts, are they really going to be able to ensure compliance with the tens of thousands of regulations and the interpretation and application of new regulations and approaches in supervision? Very doubtful.
Clearly, more needs to be done than just increasing headcount and hoping for the best. The answer may lie in better utilisation of existing staff by appropriate training within an enforced culture of compliance throughout the firm. Perhaps then firms may avoid the reputational and financial damage suffered as a consequence of non-compliance with even the simplest of processes, as discussed earlier. However, it is all very well increasing headcount and training front-line officers to be more vigilant in what they do. They also need the right tools to do their job.
It cannot be denied that many compliance and audit functions still operate in a very labour intensive environment with spreadsheets and hard copy files of regulations that are often in different filing cabinets or even different departments within the bank. As a consequence, one of the problems many firms face is the easy identification of applicable regulations to a particular business area or authoritative body. Considerable reliance is therefore placed on the knowledge of individuals as to which regulations are applicable.
Another major problem is that compliance and audit information relates to specific exercises and consequently senior management and executives are unable to appreciate the overall level of compliance or identify weaknesses throughout the whole firm, a serious issue given the PRA’s intention to hold senior officers collectively and individually responsible for non-compliance.
It is therefore essential that compliance functions are armed with appropriate tools that can assist in addressing these issues. To address these and other issues, Lombard Risk has developed a powerful web-based compliance and audit application – ComplianceASSESSOR – that not only assists institutions to determine, manage and achieve compliance with applicable regulations but provides senior management, audit and compliance functions with comprehensive reporting and a multi-functional dashboard that identifies the state of compliance with any and all regulations at company, division and business unit levels.
To overcome decentralisation of applicable regulations, ComplianceASSESSOR accommodates an unlimited and searchable library of multi-jurisdictional prudential and non-prudential regulatory ‘books’ applicable to the firm’s businesses, including internal regulations. For example, the FSA Prudential Sourcebooks, European Directives, Sarbanes Oxley and even the various UK laws applicable to – in this case – the financial sector.
Once loaded and the regulations assessed for applicability, it then becomes very easy to search and identify all regulations applicable to a particular subject or business area and the state of compliance against those regulations.
But the library is not limited to regulations applicable to the business. Those appertaining to corporate governance may also be added; in other words, regulations governing the conduct of Boards of Directors, committees and specific functions within the institution. There are also two further ‘categories’ of book: staff training material; and even Consultation and Discussion Papers, each category having its own security access arrangements. Staff training material may therefore be made available firm-wide whilst consultation and discussion papers may be restricted to selective officers or even made available for assessment in order to determine the degree of current compliance with potentially new regulatory requirements.
Clearly, it is essential that new and amended regulations are assessed in a timely manner, especially given the current climate. ComplianceASSESSOR therefore highlights these for review and / or possible assessment, thereby avoiding inadvertent breaches in compliance.
Conversely, a change to a policy or procedure also poses a threat as the change may inadvertently result in a breach in compliance. One of the features of ComplianceASSESSOR is the ability to map policies, procedures or indeed any documents to the relevant regulations in order to evidence compliance with the relevant regulations – on the assumption that policies and procedures are adhered to in practice. Providing that the institution maintains strict version control over such documents, any changes to the mapping are identified and the relevant regulations highlighted for review and possible re-assessment.
At the heart of the system is the assessment process where not only are policies and procedures mapped to the relevant regulations but action plans may be established to address deficiencies in compliance, each action plan being documented where appropriate. The requirement to review assessments before approval by an independent officer not only enforces the ‘four eyes’ requirement but also enables the application of the ‘three lines of defence’ adopted by the larger institutions.
But perhaps the most important feature is the ability to code the regulations in terms of the consequences of non-compliance, as mentioned previously. While the concept is relatively simple, it enables the application to highlight issues previously overlooked by audit and compliance functions. More importantly, assessments relating to high risk regulations must not only be approved by an independent officer but must also be signed off by an appropriate executive or senior manager who should take overall responsibility, especially where full compliance is not possible and partial compliance is accepted. As can be appreciated, this should prove a useful tool given the PRA’s intended approach to executive responsibility.
This Risk Severity Indicator is also used extensively in the dashboard to highlight, for example, action plans associated with the assessment of high risk regulations that exceed their anticipated completion date or where confidence in achieving compliance moves to red on a RAG code. As one would expect, all of this information and much more is captured and displayed, focusing attention on compliance issues and enabling senior management to monitor and manage compliance more efficiently, throughout the organisation.
As one would expect, all of this information relating to the assessment of applicable regulations, including all supporting documentation and reports, is immediately identifiable and retrievable, saving considerable time and expense when responding to a query or demand. Unfortunately, it appears that the frequency of such requests and demands is most likely to increase in the months and years ahead.
Finally, ComplianceASSESSOR provides the means of viewing all regulations, assessments, reviews and approvals, AND all policies & procedures and even old audit reports within the organisation … on an iPad … which must be a first!
In summary, compliance functions have a major challenge ahead but perhaps with additional headcount, a more instilled compliance culture and of course ComplianceASSESSOR, life may be easier going forward.