The speed and sheer breadth of regulatory change is an ever-present challenge for firms. New rules, requirements, and expectations are layered on top of each other in individual jurisdictions with the added complication of cross-border inconsistencies and divergence. To say that regulators around the world have been prolific in their policy pronouncements following the financial crisis puts it mildly. Firms don’t have a choice but to track, analyze, and assess the impact of regulatory change, despite the fact that these are exceedingly resource-hungry endeavors.
The parameters of what needs to be considered have also widened, as is borne out by the heightened focus on managing regulatory risk, the biggest driver of which was cited as conduct risk (67 percent). Compliance functions are now routinely assessing culture and conduct risk in line with developing regulatory expectations. As has already been said many times, the challenge and indeed level of skilled resources required to do justice to the qualitative issues regarding culture and conduct risk would be sufficient to fill the time of any compliance function, even if nothing else was changing. The results on the expected regulatory information flows make the point crystal clear.
In a December 2014 industry guidance letter to all banks regulated by the New York State Department of Financial Services (DFS), Benjamin Lawsky, Superintendent of Financial Services, said “Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”
As compliance functions are well aware, far more than just culture and conduct risk needs to be considered when assessing regulatory change. One particular area that is beginning to affect the compliance arena is technology, including IT risk and the issues regarding cyber crime and resilience. For firms, cyber risks are multifaceted and must not simply be left to the IT function. Compliance functions need to be engaged in the consideration of risks to the business (and by association the potential effect on their customers) from an attack on the wider financial services infrastructure, as well as the implications of a direct attack on the firms themselves.
Indications of the likely regulatory response to a cyber attack that affects customers can be seen in the related fines handed down by the Central Bank of Ireland and the UK regulators. In November 2014, the Central Bank of Ireland fined Ulster Bank 3.5 million euros and reprimanded it for IT and governance failings which resulted in 600,000 customers losing banking services for 28 days in June and July 2012. The fine and the reprimand were in addition to a customer redress program that has already paid out approximately 59 million euros.
In the UK, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), for the first time, took concurrent enforcement action against three banks in the Royal Bank of Scotland Group. The PRA fined the Royal Bank of Scotland, National Westminster Bank and Ulster Bank £14 million and the FCA levied a fine of £42 million. In a clear warning for the future, the PRA stated that action had been taken because the proper functioning of IT risk management systems and controls should be an integral part of a firm’s safety and soundness.
Lobbying on regulatory change comes in all shapes and sizes. For many firms, lobbying is limited to responding to proposed rule changes and other consultations, while others have a complete suite of activities including high-level meetings with regulators, lobby groups, and politicians. Lobbying remains the best way for firms to seek to determine their own regulatory futures and to minimize the chances of bad or unintended consequences of regulatory changes. However, as many of the comments received as part of the survey show, compliance functions may spend the equivalent of "person years" worth of skilled resources on analyzing and responding to proposed rule changes, only to have their feedback or alternative suggestions rejected by the policy maker. Despite this, firms need to regard responding to consultations as an investment. Even if the rules are not changed, the firm will then have a team that has acquired deep, detailed knowledge of the new requirements, and this will be invaluable when they need to be implemented, embedded, and tested.
Sixty-two percent of compliance officers are expecting to spend more time liaising and communicating with regulators over the next 12 months; just over a quarter of these (26 percent) attribute this to the need to lobby and influence future regulation.
The overall population of respondents expects a 70 percent increase in information published by regulators and exchanges (75 percent in 2014). The results are consistent around the world, with the UK and Europe having the greatest proportion of respondents expecting an increase (74 percent). The several-thousand pages of proposals and policy questions relating to MiFID 2/R are likely to be a factor in this. In contrast, fewer U.S. respondents expect an increase (64 percent), which is likely to reflect at least in part the progress made on Dodd-Frank implementation. In the G-SIFI population of respondents, 76 percent are expecting an increase, with 34 percent expecting the increase to be significant (28 percent in the full population).
The last few years have seen a gentle decline in the level of the expected increase in regulatory information being published by regulators and exchanges (83 percent in 2011, 84 percent in 2012, 81 percent in 2013, and 75 percent in 2014). While the baseline remains high with expected increases, any decline, even if it is only in the rate of increase in the volume of regulatory information published, is to be welcomed.
The amount of time spent tracking and analyzing regulatory developments can be seen as the corollary to the expectations regarding the amount of information expected to be published by regulators and exchanges.
The year-on-year regional analysis is mixed, but one consistent finding is the reduction in the number of firms spending more than 10 hours tracking and analyzing regulatory change. Ideally, for firms and their compliance functions, there should be consistency between the expected amount of regulatory information to be published and the time spent tracking and analyzing regulatory change and then translating it into relevant policies and procedures. In contrast to the 7 percent of the full population spending more than 10 hours on updates, 25 percent of the G-SIFIs are devoting more than 10 hours a week to ensuring policies and procedures are in line with the latest regulatory changes.
The regional splits year-on-year paint a somewhat more balanced picture (the Middle East excepted) with an increase in firms spending more than seven hours per week updating policies and procedures.
Thomson Reuters has undertaken its annual survey into the cost of compliance and the challenges firms expect to face in the year ahead. Nearly 600 compliance professionals from financial services firms around the world took part in the survey. The report builds on annual surveys of similar respondents conducted over the last six years, and where relevant highlights year-on-year trends and developments.