The financial services industry continues to grapple with zealous regulators and the ongoing fallout from legacy and new conduct issues, whilst facing a fast-evolving regulatory environment and attempting to manage costs as far as possible across infrastructure functions. In this environment, it seems as though optimising the functionality, robustness and ‘value-add’ of compliance functions should be a strategic priority for market participants over the coming decade.
One of Halsey Keetch’s friends in global banking compliance, James Ritchie, a former Managing Director with Credit Suisse and Barclays plc and now a senior member of the team with Eiger Regulatory Partners, shares here his highly topical views on whether boardrooms across financial services would benefit from the presence of Independent Non-Executive Directors (INEDs) with an increased level of compliance and conduct knowledge / professional experience.
H/K: James, you have spent the last fifteen years in compliance leadership roles with global banking groups, and recently as a Managing Director overseeing a substantial function, in terms of budget and headcount. What are the key regulatory issues that have driven the intense activity we have seen in compliance in recent years?
JR: Over the last five years, we have continued to see FCA enforcement action against firms and individuals for familiar compliance and conduct failings, some of which appear to have persisted for years, leading to significant fines and redress costs which the firms in question are forced to shoulder. For example, continued breaches of the money laundering regulations related to financial crime compliance across the investment banking, retail banking and asset management sectors, both in the UK and internationally, are highlighting that this remains a major issue for both the industry and regulators to address. Continued transaction reporting failures in the investment banking sector are another major issue, along with breaches of market abuse rules. Mis-selling and the unfair treatment of customers in the pensions and life assurance sectors have come hot on the heels of the PPI scandal that has taken the best part of the last decade for some of the UK’s major financial institutions to resolve, not to mention the mis-selling of interest rate derivatives to small and medium-sized businesses that caused such damage in the wake of the financial crisis, driven by the mis-selling of sub-prime mortgages to unsuitable borrowers and the subsequent mis-selling of asset-backed securities to underinformed investors.
Meanwhile, some institutions have simply failed over the years to be open and co-operative with regulators, leading to a breakdown in that very important relationship. The UK’s Financial Conduct Authority was formed in 2013, with transforming culture and improving standards of conduct across the industry at the core of its supervisory agenda. Clearly there is a lot more to be done at this stage and the Covid-19 pandemic is also raising concerns. Remote working across all facets of the industry, due to ongoing lockdowns in many financial centres such as London, is generally considered as likely to elevate compliance and conduct risks over time.
More importantly, what do you feel are the root causes of these issues?
Based on my experience as a practitioner and consultant, I think the root causes are multiple. These are perhaps helpfully listed here for the benefit of our readers:
- Bearing in mind the newly imposed Senior Managers and Certification Regime, which is now in force across the whole industry in the UK, from major banks to sole traders in the financial planning space, what Senior Managers may think ‘taking reasonable steps’ to remediate control weaknesses looks like often differs materially with what the FCA deems acceptable. This difference of opinion typically results in the firm in question falling short of regulators’ expectations and facing the consequences.
- Failures in the effectiveness of the ‘Three Lines of Defence’ model and deficiencies in demarcation lines between functions causing vulnerabilities in control processes. The need for increased cross-functional co-operation, teamwork and sharing information from front-to-back across an institution is particularly pressing at this point and this needs to be driven from the top of an organisation’s compliance and / or risk management hierarchy.
- A continued lack of investment in compliance functions, leadership teams and human capital, leading to operational inefficiencies, occasionally sub-standard compliance programmes, inadequate compliance technology and outdated regulatory infrastructure, all leading to control deficiencies.
- Failures in the proper identification of and understanding of key current and evolving compliance and regulatory risks at board-level, perhaps driven by a lack of experience in the compliance field.
- A greater focus on financial risks and prudential management issues at board-level, perhaps taking these issues more seriously than non-financial risks which include conduct and compliance factors.
- Weaknesses in management information / data provided to board-level stakeholders. On the basis of this data, risk decisions are made, including those relating to ensuring and maintaining regulatory compliance. Faulty data leads to the wrong decisions and further weakens controls.
You have mentioned Boards and their role in controlling and addressing regulatory issues. I know this is close to your heart based on your experience and with the SMCR now in place across the whole industry, UK regulators in particular are clearly going to be diligently policing the industry and may look to make examples of deficient firms where they can. This should mean that Boards are looking more closely than ever at their compliance functions over the coming years. What should Boards be doing differently at this point and in future, in your opinion?
In my opinion, it comes to down to the question of who is genuinely challenging the effectiveness of an institution’s compliance and conduct programme. We have reached a point now in the evolution of post-financial crisis compliance management where the level of attention paid to the operation of these functions needs to meaningfully transcend the function itself, in order to let these teams improve performance and add value to their wider organisations over time. Boards need to be asking themselves questions such as:
- How many of our Board Directors have been compliance, conduct and / or financial crime practitioners (as compared to, say, accounting or law professionals, or ex-bankers / businesspeople)?
- Is our Board able to define, model and measure compliance risk exposure and cost of management / regulatory failure in a similar way to how market, credit and operational risk is modelled?
- How does the Board objectively assess the adequacy of the operating effectiveness of the compliance function, its annual compliance programme, and its assessment of key regulatory risks?
- Is the Board really clear on the key enterprise-wide compliance risk and control priorities which need active management?
- Do our CCO and MLRO have sufficient support in place to help them focus on the strategic compliance issues?
- What is the Board’s comfort level in the quality of compliance reporting and management information, use of compliance technology and the quality of the compliance team, and its engagement with the first line and other support functions?
- What is the quality and quantity of training Board members receive on key compliance issues?
Bearing all of these in mind, the Board really needs to ask itself: ‘do we as a Board have sufficient interest and expertise in this topic to ask these questions and pursue the right people within the business for satisfactory answers?’ If the answer is no, then the Board needs to accept that regulatory issues will probably continue to proliferate. To accept this in the current environment would seem counter-intuitive.
And yet we continue to see quite significant regulatory issues being identified by regulators and firms having to foot the cost of these failures, don’t we?
That’s correct. It’s not yet clear that the opposite route is being pursued with sufficient energy at this stage. In the US, the OCC’s recent US$400 million fine against Citibank relating to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls is a stark reminder that even the world’s biggest banks don’t always get things right. The Consent Order requires Citibank to make enhancements in a broad range of fundamental core compliance components which include:
- Establishing roles, responsibilities and accountability for compliance in front line business units and compliance;
- Improvements in policies, procedures and control systems to measure, aggregate and limit regulatory compliance exposures;
- Enhancements in independent monitoring and testing to provide credible challenge;
- Improvements in compliance information systems, compliance training and compliance escalation protocols.
I cannot help but question how these basic but systemic failings had not been self-identified and rectified over the last decade. Interestingly, the Consent Order also requires Citibank to establish a Compliance Committee to monitor and oversee the remediation programme. The Committee is required to have a majority of directors who are not employees or officers of the entities covered by the Consent Order, which is a measure that is clearly designed to inject independent thinking and credible challenge. One could surmise, though, that such a Committee’s operations could be enhanced by having an advanced level of compliance expertise among at least some of its members.
It sounds as though having suitably informed former compliance professionals on boards could increasingly be seen as a necessity, rather than a nice to have. There are only so many seats on a given board, though – beyond a certain number, a group’s capacity to effectively discuss issues and make decisions ends up compromised, doesn’t it?
That’s a good point, although INEDs from a compliance background can only strengthen your Board by providing that highly topical and specialist expertise. The right person will adapt their knowledge to the situation, plus the leadership and delivery skills that senior compliance professionals have gained over the last fifteen years would rival anything gained in one of the other support functions – internal audit, for example, or the CFO space. The argument could also be made that now is the time for Boards to embed a healthy approach to regulatory issues in their processes and dialogues, if they haven’t already. I think the question for Boards is not, ‘should we appoint NEDS with compliance and conduct expertise?’, but ‘why don’t we have compliance, conduct and FCC experts on the Board?’ Compliance leaders will bring practical experience of managing non-financial risk disciplines, which typically include the management of regulatory, conduct, financial crime, reputational, governance, accountability and operational risk issues, plus a broad understanding of the systems and controls that are key to fulfilling the Board’s oversight role. Like other senior leaders in control functions such as finance and audit, compliance leaders have experience of working with a diverse range of stakeholders including board members, Senior Managers and other risk and control functions.
Moreover, if they are credible enough to be in consideration for a seat on a board, they will have developed the leadership skills required to be an effective NED through their executive careers, including strong interpersonal, communication and soft skills, the ability to coach and influence colleagues, patience, diplomacy, objectivity and independence. Perhaps most importantly, they will often have an unmatched ability to master complex and detailed problems, especially in the regulatory space, by gathering facts and reaching conclusions, asking the right questions and making sound judgements when advising and challenging management and stakeholders. A lot of this will be particularly influenced by their instincts, again developed in the course of their successful executive careers. Such first-hand experience of setting the cultural and conduct tone, acting with integrity and ‘walking the talk,’ would be invaluable in helping to monitor and manage regulatory and compliance issues at board-level.
This makes a lot of sense, especially in an era where the Financial Conduct Authority’s attentions and energies are likely to become newly focused under a new CEO. Once the decision has been made to bring a compliance specialist onto a firm’s board, the advantages are likely to be substantial, not only in avoiding regulatory problems but also in setting strategy and making commercial discussions that make regulatory sense. Thinking strategically, if compliance professionals were to become more commonplace on financial services boards, where might that take us in future? Where might the industry be in, let’s say, a decade or more?
I have a vested interest in highlighting the positives here as a former compliance professional myself, but I genuinely believe that if more firms appoint NEDs with compliance and conduct experience, this will send a clear message to regulators, investors and ultimately society that the industry is collectively taking compliance and conduct seriously. I don’t think anyone would dispute that it is time for the industry to both do so and to be seen as doing so. In light of the recent high-profile enforcement actions against major names such as Citibank, JPMorgan, Goldman Sachs and Commerzbank, you really have to question why these top-tier firms with all their resources are still failing to meet the required standards of compliance in 2020. Are these firms still viewing regulatory fines as a cost of doing business, or do they genuinely want to improve and be part of the solution? My hope is that it’s the latter and that as a consequence, the industry’s reputation will be much improved in a decade’s time.
You might also consider what I call the ‘regulatory dividend’, dividends in general being a major topic for company boards all over the world. Dividends accrue over time and can add huge value to a steady portfolio. Likewise, building a best-in-class compliance platform will also enable firms to move from ‘reactive’ to ‘proactive’ compliance, enabling commercial activity whilst avoiding the destabilising financial and reputational costs of enforcement proceedings. Established regulated businesses have needed input relating to specific new areas of regulatory risk; a ‘live’ example would be assessing the compliance, conduct and culture impacts of a financial services ecosystem characterised by increasing numbers of professionals ‘working at home’. Newly established financial services firms have sought guidance on how to deal with regulators, gain authorisation and develop a coherent approach to compliance. In both cases, adding the relevant expertise to boardrooms through specialist appointments will invariably strengthen businesses. These ‘regulatory dividends’ can ultimately be passed on to shareholders in the form of greater profits.
Thank you for your insights James. We will be discussing these issues with our contacts extensively over the coming months and this seems likely to be a major issue for consideration as 2021 approaches and the pandemic hopefully recedes. All the best to you and the team at Eiger for a busy autumn.
Eiger Regulatory Partners is a financial services regulatory consulting and human capital firm based in London. We work with our clients to provide specialist regulatory consulting advice and human capital in order to minimise their risks and assist with strategy. Our regulatory consulting and resourcing specialists bring subject matter expertise which spans investment banking, asset management, hedge funds, wealth management, retail stockbroking, consultancy and FinTech.