The overwhelming mindset of the financial services sector towards managing compliance risk has historically been for institutions to focus on implementing point controls that meet specific regulatory or legal demands, thereby establishing a clear picture of risk coverage that they are able to reference in conversation with regulators and clients, as well as in on-going risk management decisions.
The application of such a simplistic strategy is attractive not only to the industry but also to the technology vendors who sell compliance solutions; enabling them as it does to treat laws and regulations as a set of requirements for systems or features that they can sell to a captive market (although I would say that whether this behaviour is cause or effect is open to debate).
Whilst seemingly convenient to all parties, the approach has led to a somewhat blinkered mentality in the implementation of risk management controls which, I would suggest, has had the consequence of restricting the effectiveness of swathes of existing compliance risk controls*.
This is particularly true where spotting the breaches those controls exist to detect is more nuanced or complex; in the case of market abuse regulation, for example, merely considering a narrow range of source data for a specific set of information in relation to a distinct regulatory concern tends to generate huge volumes of false-positive "alerts" in the process of uncovering a relatively tiny number of genuine instances of minor misconduct.
I have had a couple of conversations recently in which professionals with far more experience in this industry than I have agreed with my assessment that proactively detecting a reasonably sophisticated breach is highly unlikely using the current methodology.
To my mind it is not only the effectiveness of the traditional approach that is in question, but also its sustainability from a cost perspective: currently the introduction of new regulation in the sector tends to prompt a knee-jerk response by the industry in implementing additional controls based on new, dedicated tools and processes, which normally require additional staff and training to operate them; compliance is expensive and the cost is only going to increase whilst the trend towards greater regulation and oversight continues.
So what is the alternative?
The purpose of compliance enforcement is to maintain the integrity of the financial system by ensuring that it operates as intended and is not open to illicit use by criminals, terrorist organisations or any other actors seeking to profit illegitimately. Since the threat to the fair and legal operation of the system ultimately stems from people seeking to benefit themselves or their organisations, what if institutions started to place more emphasis on analysing the people who pose the risk rather than continuing to rely on spotting the specific sets of events that constitute a breach of a given regulation?
Clearly technology has a significant role to play in enabling this approach, but it is not a case of waiting for #regtech to supply a silver bullet through the miracle of AI (OK, I'm being flippant; of course AI has a large part to play, but it is far from fundamental here). The technology required to facilitate detailed analysis of the activity of individuals and groups has been in operational use for years and is already employed in some form by all major FS institutions (which raises some interesting possibilities in terms of seeing ROI on compliance spending, but more on that next time); the most significant change required here is one of perspective by the leadership of compliance functions.
I believe the shift in paradigm I am suggesting offers numerous advantages in managing operational risk, and it is those perceived benefits (along with a few of the key challenges) that I intend to discuss in my next post.
*Whilst I believe this to be true for large portions of compliance risk, there are clearly certain types of regulation (e.g. MIFID II reporting) for which existing controls are perfectly sufficient.
I am currently working with Matt Pockson and a team from DMW in defining an intelligence-led, entity-centric approach to managing the risk posed by market abuse and conduct regulations at a global FS client, so if anything in this post has struck a chord or piqued your interest, feel free to get in touch to find out a bit more.