Compliance and the role of the compliance officer has changed significantly over the past decade as a result of escalating regulation, technology development, an increasing focus on culture and conduct risk, and the ever closer relationship between compliance and the business. Automation has also come to the fore as compliance departments working with rising volumes of data look for improved efficiency, accuracy and evidence of compliance, as well as the ability to cover their continually growing remit.
Thomson Reuters Regulatory Intelligence (TRRI) has tracked changes in compliance for 10 years, and in its 10th anniversary report – Cost of Compliance 2019: 10 years of regulatory change – details not only the results of its annual research into the challenges financial services firms expect to face in the year ahead, but also, for the first time, how practitioners predict compliance will evolve over the next 10 years.
The report is based on a survey of towards 900 senior compliance practitioners worldwide, representing global systemically important financial institutions, banks, insurers, broker-dealers and asset managers. Over the lifetime of the report, it has included towards 6,000 participants and been downloaded over 40,000 times, making it a trusted voice for risk and compliance practitioners around the world.
Ten years of change
Looking back over the past 10 years, Susannah Hammond, Senior Regulatory Intelligence Expert at Thomson Reuters, and co-author of the report with Stacey English, Head of Regulatory Intelligence, says there has been a massive advance in the role of the compliance officer and how its viewed, noting that after the 2008 crisis the role was primarily that of a policeman and that it is now that of an enabler and business partner.
Breaking down the change, the report notes three particular areas where the role and expectations of the compliance function have changed significantly – culture and conduct risk, personal liability, and technology. Culture and conduct risk has become a regulatory concept on a global basis, and as a ‘new normal’, requires compliance officers to demonstrate strong positive culture in action, as well as the ability to mitigate conduct risk.
Accountability and personal liability has also escalated and is manifested in regulations such as the Senior Managers Certification Regime (SMCR) in the UK, and interventions in other jurisdictions including Australia and Hong Kong. Ireland and Singapore are in the planning stage.
The biggest change, and a game changer in its own right, has been in technology, with the introduction of fintech, regtech, insurtech, suptech, bigtech and cyber solutions. This change is expected to spill over into the next 10 years, as successful deployment of technology and the ability to automate compliance activities was identified by survey participants as one of the greatest potential innovations of the next decade.
Key issues for compliance today
Unsurprisingly, the perennial problem of high volumes of regulation and the pace of regulatory change remains the single biggest challenge for the year ahead. While financial institutions hoped they could relax after the 2018 implementation of Markets in Financial Instruments Directive II (MiFID II), perhaps the largest regulatory reform ever undertaken in Europe, the opposite has occurred and there has been no slowdown in regulatory change.
Relief may come from the Financial Stability Board (FSB), which is looking at whether regulations have been correctly implemented and are working well.
Financial crime is also expected to be a considerable issue in the coming year as new Anti-Money Laundering (AML) directives come into force and are implemented by compliance teams. The difficulties of sanctions compliance will also increase, requiring compliance offers to be more aware and nimbler than ever before.
Hammond explains: “Sanctions can be applied in different ways by different bodies. For example, the EU may not necessarily agree with the US or United Nations on how sanctions should be applied. Compliance officers will have to tread carefully to avoid treading on the toes of companies and regions they want to do business with.”
Topping changes in compliance over the past 10 years, culture and conduct risk remains in the spotlight, challenging compliance to understand the context of issues such as complaints and deliver considered and impartial information to the board. In turn, the board must keep up with culture and conduct risk, as well as regulatory change, cyber resilience and personal accountability.
These issues rise above the main challenges of the previous year, which were noted as continuing regulatory change, data privacy and General Data Protection Regulation (GDPR), enhanced monitoring and reporting requirements, and increased regulatory scrutiny.
The compliance role
The role of the compliance officer has advanced dramatically over the past decade, in line with ongoing evolution of the compliance function. While the report suggests compliance teams will remain roughly the same size over the coming year and budgets will rise a little, the key change lies in the skillset and capability of individual officers.
Hammond says: “The skillset of a successful officer has become much broader over the years and the need now is to be a polymath. Compliance officers need not only fundamental knowledge of rules and regulations, but also the ability to understand what technology can and cannot do, where it can be relied on and why workarounds have been implemented.”
More individual requirements of compliance officers include the ability to manage accountability regimes and embrace their own personal liability. They must also be able to mediate divergent views on what is appropriate from a cultural perspective and ensure good conduct across the business. Hammond adds: “Successful compliance officers are also superlative relationship managers with visibility of all areas of the business, not just those that are regulated.”
Compliance and the business
Building on the role of the successful officer, effective compliance can deliver advantage to the business, or in Hammond’s view, the ability to avoid disadvantage. She suggests firms handling culture and conduct risk well are likely to avoid additional capital requirements meted out by the UK Prudential Regulation Authority (PRA) to those doing less well. Where additional capital requirements are imposed, a firm is at an instant disadvantage to its peers.
Similarly, if compliance can ensure the business operates correctly, the disadvantages of regulatory enforcements, such as fines, imposed changes and use of management time, can be avoided. The adage that every £1 not spent on compliance will require £10 to fix compliance fits well here, calling for a proactive rather than reactive approach.
The role of RegTech in automation
RegTech has a key part to play in automating compliance, particularly around the client lifecycle, compliance monitoring, and tracking information flows among trading desks. Applied to the client lifecycle, automation can support Know Your Customer (KYC), due diligence, AML obligations and sanctions screening, making it simpler, quicker and easier to onboard a client and providing information necessary to deciding whether or not to do business with a particular individual or entity. The Legal Entity Identifier (LEI) will also help here, while ongoing adoption of RegTech, machine learning and artificial intelligence will further automation.
Automation also plays well into compliance monitoring and alerting across an organisation, and is emerging in trading to provide a clean line of sight across chatrooms, trade flows and deals, and allow firms to crack down on insider trading, collusion and cartels. Without automation, this is a labour intensive task that is prone to manual error and difficult to achieve consistently and evidence.
Looking at the big picture, Hammond says: “Automation of compliance functions and evidence will be very powerful in future.” The caveat, however, is that robust and reliable IT infrastructure must be in place before the benefits of automation and new technologies can be gained.
A look into the future
As well as looking back and forward into 2019, Thomson Reuters Regulatory Intelligence 10th annual Cost of Compliance report offers predictions of the biggest changes in compliance over the next 10 years.
Heading the list is automation of compliance activities, including increased use of machine learning and artificial intelligence. This is followed by continuing regulatory change – no surprise there, an enhanced role for compliance within the business, culture and conduct risk, and technology risk.
If these are the issues compliance teams will manage going forward, Hammond notes the need for compliance officers to prepare themselves for the next 10 years by investing in their skill sets and ensure senior managers have the skills they will need to take their firms into the future.