
Compliance Risk Management: Cross-Atlantic Regulatory Consensus?
By Kevin Ludwick
Head of Regulatory Services
QUMAS
05 Feb, 2007
This article was first published on gtnews.com on February 5, 2007. You can view the online version at:
http://www.gtnews.com/article/6622.cfm
Compliance risk management is the latest in a long line of tasks for compliance departments. This article looks at approaches to this challenge on both sides of the Atlantic.
Hank Paulson, the US treasury secretary, told the Economic Club of New York last November: "Our rules-based regulatory system is prescriptive, and leads to a greater focus on compliance with specific rules. We should move towards a structure that gives regulators more flexibility to work with entities on compliance within the spirit of regulatory principles." He was not just talking about Sarbanes-Oxley (SOX) and the reforms the SEC introduced at the end of last year. In making such a general statement he was heralding, not initiating, something far more significant.
Paulson was reflecting a change in regulatory approach on both sides of the Atlantic that began with the Basel Accord process but is now extending throughout the regulatory system. The Basel II process taught banking regulators the value of getting management to worry about the risks that concern them and factoring them into business and control decision-making. Axiomatic to this is that a regulator has to rely on senior executives with sound governance practices to manage the regulated firm. Basel II provides simple models and processes for identifying, managing and providing capital requirements for market, credit and operational risk. Smaller, simpler, less sophisticated firms will use these. But even firms taking that option are caught by the use test, which is the requirement that a firm's management are consuming the data produced by these models and factoring it into their decision making (for example, to consider the risk and capital implications before expanding a business). The large, complex firms have developed their own models (for review and approval by the regulator) but of course remain caught by the use test.
So much energy and engagement has taken place between banking regulators internationally, and within the industry, that the cultural changes within the wider (non-banking) regulatory community have been quite profound.
Put simply, there is an increasing belief that if you want firms to really embed the things that the regulator wants as outcomes - avoiding abusive practices like market-timing, for example - then management has to be encouraged to prioritise and focus their efforts on the areas of their business where those outcomes are most at risk, make informed business decisions and direct compliance activity to mitigate that risk. The extreme alternative is a world where management steps aside and leaves compliance to exhaustive box-ticking within pre-defined safe-harbours. This alternative world is one in which it is possible to have ticked every box, be in full compliance and yet fail to deliver the outcomes.
Compliance and Regulation Evolving
Now, for secretary Paulson and John Tiner, the UK FSA's (outgoing) chief executive, this is not really about cost. It is about effectiveness and aligning the regulator's concerns with the interests of business management. By becoming risk-based, as the SEC will advocate, SOX will not die, it will just become better business value and therefore become absorbed into business management. That is exactly what has happened with credit and market risk management: no executive team in a bank would now make a significant business decision without going through the kind of thinking and review of risk information that regulators originally required. Except now it doesn't feel like a regulatory requirement; it feels like normal sound management practice. This is what is now happening with the areas compliance departments look after: anti money-laundering (AML), conduct of business with customers and the marketplace.
Speeches from the SEC, Federal Reserve Board and the Office of the Comptroller of the Currency in 2006 focused on the ability of brokers, banks and asset managers to incorporate the wider regulatory agenda into their risk management process, in particular compliance with rules on AML and the conduct of business with customers. Former Fed governor Mark Olson's speech on market-timing to the Fiduciary & Investment Risk Management Association (FIRMA) in April last year was a classic of its type: "Our review of best practices and an analysis of the experience of other industries suggests that organisations need to supplement their enterprise-wide compliance-risk management systems with strategic and dynamic thinking. To prepare for what might be ahead, organisations should draw not only on past experience but employ quantitative and qualitative scenario analysis and planning."
This is classic because while in the UK firms would quickly comprehend his point, and increasingly US banking compliance officers would nod sagely, he was speaking a language that many SEC regulated firms were somewhat unfamiliar with. It was SEC firms to whom his remarks were addressed. However, even the Commission has since begun speech-making on the need for compliance risk management.
But if firms are to take a risk-based approach to compliance we need a clear understanding on what this means for enforcement. In the UK, John Tiner confirmed in writing to the Joint Money Laundering Steering Group (JMLSG) chairman on firms' AML programmes: "If a firm demonstrates that it has put in place an effective system of controls that identifies and mitigates its money laundering risk, then [enforcement] action [by the FSA] is very unlikely." Will we get such an undertaking from the SEC?
To be fair most of us have always run the "it was an isolated incident" defence when serious breaches occur. What this is doing is raising the stakes on compliance to demonstrate the credibility of that defence.
If compliance departments are to respond and start to function like other risk management functions, what would they look like? Think of it in these terms: if the head of the emerging markets division in an investment bank seeks a significant expansion of his business, market risk can supply management with a real-time view of the value-at-risk in current operations. This can be reviewed against the new business plan, and any parts of the portfolio particularly affected (Russian corporate bonds, for example) can be picked out and reviewed in detail. There is certainty about what market risk models should look like and about the information that must be pulled together and crunched to feed them. No-one would argue this is easy, but it is essentially a quantitative exercise. The compliance risk challenge, in contrast, is essentially qualitative and seeks to measure reputational risk. When it all goes wrong the financial implications can be appalling, yet measurable data is hard to come by and may well be the wrong data upon which to make good decisions. For example, it is silly to regard the quantum of a fine levied by a regulator as the cost of significant non-compliance. A negative headline, or a series of them in the business pages, has much more significant implications for brand value.
Business Enforcement
So for compliance officers it is just not as simple as grabbing trade data and running it through a risk model with some price history. Compliance departments do not enjoy the same certainties in terms of risk models; far worse, the information they must use is disjointed and held in systems, spreadsheets, documents, filing cabinets, daybooks (and the compliance officer's head). Apart from making compliance work inefficient, this means that when confronted with the same request from the above bank's emerging markets business, compliance has to dig out its last essay on the subject. (How useful is that when making a business decision that depends on timely, accurate information?)
The good news is that large complex firms have large and capable compliance departments that sit on massive amounts of information that reveal risk. The work they do - the policy development, procedure management, training, monitoring and investigation, compliance advisory - can be automated and made more efficient and integrated to be more effective. However, just as importantly, that work can produce measures that tell you a lot about the state of compliance in a given business unit or on a given regulatory theme. That work can then in turn be prioritized to mitigate the perceived risks. The same measures can be used to set risk appetite within a theme. For example, in a theme such as 'suitability', how many monitoring exceptions in our monitoring programme do we regard as being more than 'low' in risk to our general state of compliance in this theme? How much more training do we need to do? What level of pass/fail do we need to see on training exams? How many of our staff have not signed up to our latest policies and procedures?
Doing this in a small firm might mean a well-organised filing cabinet, but for all others the key enabler is technology. There are three challenges that firms are addressing:
- Developing compliance risk models that identify risk to regulatory themes, set priorities for compliance work and in turn reassess risk in the light of what compliance reveals when it does that work.
- Addressing the infrastructure that supports those activities: compliance is going to present up-to-date risk information to management and respond to any change they instruct. Therefore it must have robust information that is gathered through measured, managed and efficient compliance work. Some firms start by upgrading their policy and procedure capability; others will go to monitoring or training. The key attributes sought are efficiency, integration and measurement.
- The risk model and compliance infrastructure need to be organised enterprise-wide so as to support managing compliance and feeding governance both at the centre and at local level, whether that be a business unit, subsidiary or country (or all three).
Conclusion
Compliance risk management is the new frontier in terms of regulatory challenge on both sides of the Atlantic. Responding to this requires compliance departments to do far more than develop a risk model that works for compliance. It requires us to engage with management while being confident both that the infrastructure we have is producing timely information for the risk model and that it can be directed towards risk mitigation.