
The state of regulatory oversight in the UK today

Richard Pike, Governor Software, CEO, Dublin, 30 July 2018


The financial market and the regulations that govern it are complex and tangled in nature. The regulatory compliance model at most financial firms was designed in a different era, with slightly different purposes in mind, and banks have been slow to tackle today's risks. Compliance with Government regulation need not be complex or costly but, at the moment, it is.

Many financial institutions continue to follow a compliance oversight process that is 'siloed,' that is to say segregated by business unit or by type of regulation. Regularly I find that the people who oversee one piece of regulation in one internal business unit are doing it in a completely different way from the people who oversee another.

When institutions set out to comply with regulatory rules, they ought to pursue three clear goals, and be able to show their regulator that they are pursuing them: telling everyone with an interest in the firm what its regulatory obligations are; understanding the risks those obligations carry; and proving to the regulators that the rules are being followed. Doing this is becoming more imperative all the time, in a world where regulators are more intrusive and the volume of regulation keeps growing.

Since 2009, 54,000 regulatory documents have been published by 130 different regulatory bodies in the countries of the 'Group of 20' industrialised nations. It is obviously a herculean task for any internationally active firm to keep track of all of them and then adhere to them. In the UK alone, it is no mean feat for a financial institution to keep abreast of the Financial Conduct Authority's rulebook, with requirements differing between organisations and updates occurring frequently. In addition, the Senior Managers & Certification Regime - currently in force at banks only - is broadening its reach to include insurers and firms regulated solely by the FCA. The risk of non-compliance is going to become personal as never before. When the new regime is in place, the number of FCA probes is expected to soar.
 
Banks have to pay more and more money to comply. In Accenture’s recent "Compliance Risk" study, 89% of respondents expect the cost of compliance to increase "through training and technological solutions." The report also warns us that poor data quality is a significant barrier to progress, with one in three saying that it is going to hamper their efforts in the next three years.

In short, never has the need been greater for institutions to put their houses in order when it comes to overseeing their own compliance with regulations.

Present practice

When a new or updated regulation comes onto a financial institution's radar, the compliance team ought first to decide whether it is relevant to that institution. If it is, they ought to identify the parts of the firm the regulation is going to affect and update their policies accordingly. Once the policy has been issued to the rest of the firm, the business as a whole typically reviews its procedures, controls and IT systems to work out what has to change as a result, and then updates the relevant ones.

In today's market, when someone from the risk department or the compliance team wants to find out whether the firm is complying with this-or-that regulation, they have to scramble to pick out the relevant facts, figures, control reports and assessments from the relevant departments. The process is further complicated when the only evidence that a regulation is being obeyed is that a committee met or a manager took some action. Here the department is looking for pieces of evidence (sometimes known as 'proof points') that the firm is complying, and it typically finds them in emails, presentation slides and the minutes of meetings. The oversight that senior risk and compliance executives can exercise on this basis is inefficient and ineffective, because such documentary scraps are hard to audit: they often lack a definitive record of who wrote them, when, or how they came to be, and the method used to aggregate and collate the data may vary from report to report.

I have often seen board members who are legally obliged to sign letters that avow that their firms are complying with financial regulations being overwhelmed with thousand-page documents that explain their regulatory obligations. This practice should change, with new IT lightening the load that they have to carry.

There is another reason why compliance teams must use technology to make life easier for senior executives at their institutions: the Financial Conduct Authority is about to extend the Senior Managers and Certification Regime beyond banks to insurers and to the firms it regulates alone. When this happens, it will be more imperative than ever for those executives to understand exactly what their teams are asking them to 'sign off.'

What might good oversight look like?

To cope with these problems, every compliance department should use visualisation software to map out a new or amended regulation as soon as it receives it, recording each specific obligation the regulation imposes together with the 'proof points' that will show the obligation has been met. With that map in place, policies can be drafted against stated specifications rather than assumptions.

The policy-writing team should then take these aforementioned visualised regulatory maps and be specific about the firm's obligations when writing its policies. At this stage it should also list the items that allow the compliance department to oversee things well. For each of those items it might want to specify the firm's appetite for various risks and set 'tolerances' (an engineering term that refers to permissible limits of variation for certain things).

Once this is done, the software can then ask the firm's employees to record and store all the information that the compliance department might need to present to the regulators (or use on its own account) later. The electronic 'maps' will state people's responsibility for various things very clearly, allowing the firm to make the "first and second lines of defence" (operations and risk/compliance) understand the jobs they must do for the sake of compliance. The aim is to please the regulators by producing a complete report with all the 'proof points' in order, listed according to each regulation that they are designed to discharge.

The ultimate goal is a map of all the firm's regulatory obligations, linked to a set of internal policy statements, which are in turn linked to a set of internal 'proof points' of compliance (metrics, assessments, reviews). Every change to any of these is recorded as it happens, with its author and time, so that anyone can go back to a point in the past and see the state of compliance as it stood then, should the regulator come knocking.
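The record just described has two properties a practitioner would want to pin down before buying any software: it must be append-only (a proof point is never overwritten, only superseded), and it must answer the question "what did we believe on a given date?". The following is an added illustration, not code from the article or from Governor Software: a hash-chained, append-only ledger of proof points with an as-of query. The field names, the regulation and policy labels (REG-001, POL-AML-01 and so on) and the sample records are constructed for this example; the hash chaining is one way of giving each entry the definitive record of authorship and provenance that emails and slide decks lack.

```python
"""Append-only, hash-chained ledger of compliance 'proof points' with an
as-of query.  Added illustration; labels and sample records are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int           # position in the ledger; never reused
    recorded: str      # ISO-8601 UTC timestamp; when the evidence was logged
    regulation: str    # obligation this evidence discharges (hypothetical label)
    policy: str        # internal policy statement implementing it (hypothetical)
    proof_point: str   # metric, assessment or review being reported
    value: str         # the evidence itself
    author: str        # who recorded it: answers "who wrote this, and when?"
    prev_hash: str     # digest of the previous entry; this is the chain link
    digest: str = ""   # SHA-256 over every field above, filled in on append

    def compute_digest(self) -> str:
        body = asdict(self)
        body.pop("digest")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ComplianceLedger:
    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def record(self, recorded: str, regulation: str, policy: str,
               proof_point: str, value: str, author: str) -> Entry:
        """Append a proof point; it can later be superseded but never edited."""
        prev = self._entries[-1].digest if self._entries else GENESIS
        draft = Entry(len(self._entries), recorded, regulation, policy,
                      proof_point, value, author, prev)
        entry = replace(draft, digest=draft.compute_digest())
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's digest is intact and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev or e.digest != e.compute_digest():
                return False
            prev = e.digest
        return True

    def as_of(self, when: str) -> Dict[Tuple[str, str, str], Entry]:
        """Latest entry for each (regulation, policy, proof point) recorded at or before `when`."""
        state: Dict[Tuple[str, str, str], Entry] = {}
        for e in self._entries:          # ledger is in append order, so later wins
            if e.recorded <= when:       # ISO-8601 strings compare chronologically
                state[(e.regulation, e.policy, e.proof_point)] = e
        return state

    def report(self, when: str) -> Dict[str, Dict[str, Dict[str, str]]]:
        """Regulation -> policy -> proof point -> value, as the regulator would see it."""
        out: Dict[str, Dict[str, Dict[str, str]]] = {}
        for (reg, pol, pp), e in self.as_of(when).items():
            out.setdefault(reg, {}).setdefault(pol, {})[pp] = e.value
        return out


def build_sample_ledger() -> ComplianceLedger:
    """Constructed sample data: one AML review that goes from amber to green."""
    ledger = ComplianceLedger()
    ledger.record("2018-01-15T09:00:00Z", "REG-001", "POL-AML-01",
                  "Quarterly AML review", "Amber: 2 open actions", "j.smith")
    ledger.record("2018-02-20T14:30:00Z", "REG-002", "POL-SMF-03",
                  "Responsibilities map refreshed", "Complete", "a.jones")
    ledger.record("2018-04-03T11:00:00Z", "REG-001", "POL-AML-01",
                  "Quarterly AML review", "Green: all actions closed", "j.smith")
    return ledger


def demo() -> dict:
    ledger = build_sample_ledger()
    results = {
        "chain_ok": ledger.verify(),
        "q1_report": ledger.report("2018-03-31T23:59:59Z"),  # still amber at Q1 end
        "q2_report": ledger.report("2018-06-30T23:59:59Z"),  # green by Q2 end
    }
    # A back-dated "tidy-up": rewrite the Q1 result and even recompute its digest.
    forged = replace(ledger._entries[0], value="Green: all actions closed")
    ledger._entries[0] = replace(forged, digest=forged.compute_digest())
    # Entry 1 still carries the old digest in prev_hash, so the chain no longer verifies.
    results["chain_ok_after_edit"] = ledger.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the Q1 and Q2 views side by side and shows the chain check failing after the back-dated edit. In practice the ledger would live in a database with the digests anchored somewhere the compliance team cannot rewrite (a write-once store or a signed daily checkpoint); the point the article makes is that the "go back to a point in the past" capability only holds if the history itself is tamper-evident.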

Instead of having to work through the traditional pile of paperwork, senior executives and board members will receive updates about the firm's compliance with regulations, and with the internal policies they have signed. The modern era does not call for a root-and-branch reform of regulatory compliance, merely the addition of software that defines and maps the oversight process at the outset. The days of running around looking for old spreadsheets, presentations and emails may be numbered.
