In my previous post "Financial Compliance Controls - Shield of Steel or Expensive Comfort Blanket?" I suggested that the existing approach to compliance risk management is too expensive, and ineffective to the point where the timely detection of a sophisticated breach of the rules is extremely unlikely. I went on to propose an alternative whereby institutions place greater emphasis on the assessment of the people from which the risk originates rather than persisting in attempts to identify specific breaches of a given regulation in isolation (see What Do You Mean Entity-Centric?).
To be clear, I am not saying that the analysis of individuals as a way to mitigate compliance risk is appropriate in all cases; transaction reporting regulations for example have a pretty well defined set of criteria to meet that no amount analysis of humans is going to benefit. I also recognise that a small set of controls (e.g. "Know Your Customer") are inherently focused around the entity in question, what am proposing is that a truly entity-centric strategy is applicable to broader sections of compliance and wider operational risk as a whole. I contend that adopting such an approach can create a more effective, more efficient and ultimately more agile operation, but since it is of more importance to me (and in order to keep these posts consumable) I’ll cover effectiveness here and talk to efficiency and agility in my next post:
Given the lack of any reliable figures on the number of compliance breaches that actually occur it is impossible to give an accurate figure on the effectiveness of the existing controls (all we have are statistics that represent the number of suspected breaches that were reported). This fact makes a quantitative justification of my assertion somewhat challenging and so the position is largely based on a combination of knowledge as to how the controls work, statistics indicating their appalling inefficiency and a significant amount of anecdotal evidence; perhaps it helps my credibility to share some comments from a couple of people in the know though:
"We observe firms taking comfort from the perception that ‘others are also failing’ in the same way that they are. This can become an incredibly self-referential cycle – ‘I match my standards to others and then say I am not failing any worse than any others because I match my standards to theirs’. As a regulator, I must say there is something rather depressing about that logic."
Julia Hoggett Director of Market Oversight at the FCA in her speech at the AFME Implementation of the Market Abuse Regulation in the UK event, London in February of this year.
"Our current… system is broken, it is extraordinarily inefficient and outdated and driven by perverse incentives. Fundamental change is required to make that system an effective law enforcement and national security tool, and reduce the collateral damage it is doing to global development, financial inclusion, and other U.S. policy interests."
Greg Baer, then president of The Clearing House Association during his testimony regarding financial crime controls to a House Financial Services Subcommittee in 2017.
The alternative I am proposing helps address the ineffectiveness of the existing system in several ways; but at the most rudimentary level an entity-centric strategy increases the emphasis on the collection and consideration of context, which leads to greater potential for more accurate decisions, and better decisions result in more effective controls (see my previous post for a longer discussion on this subject).
In addition to improving the accuracy of decision-making, the entity-centric mindset is fundamental to discovering compliance breaches caused by coordinated group behaviour. The chances of discovering group activity that results in a breach by assessing each observation of an entity in relative isolation (as is currently the case) are minuscule and almost entirely reliant on an individual effectively admitting their guilt over a monitored communication channel. The entity-centric paradigm on the other hand makes it possible to identify other indicators of coordinated malign behaviour; unusually high volumes of communication between a certain group of individuals, particular characteristics of the choice of words used in conversation within a group, patterns across communication and trading activity within a group, sentiment towards a given entity across a group, patterns in changes of sentiment towards an entity in relation to communication between individuals etc. Whilst none of these things are in themselves evidence of foul play, when taken in the context of each other (facilitated by the entity-focused perspective) they may signal an increased risk of a compliance breach that warrants further investigation of the entities in question.
During her speech in February, Julia Hoggett referenced a particular weakness in the current mechanisms in regard to risks that straddle multiple areas of compliance:
"Fundamentally, we recognise that by being more explicit about the fact that certain forms of market abuse are a financial crime – and that therefore you need to think about the inter-connectivity of surveillance tools, STORs and financial crime systems and controls – we can trigger a helpful industry response."
The entity-centric paradigm provides a framework for such inter-connectivity and by requiring multiple compliance functions to consider each entity as a whole, increases the likelihood that entities posing a risk in multiple areas or those that are associated with high-risk entities in other areas are spotted. This effect may be further enhanced by consolidating the technology and data supporting each function into a single exploitation platform (more on which in my next post).
The final aspect to increasing the effectiveness of controls that I want to talk about is perhaps the most interesting in that it regards the opportunity for organisations to take a more proactive stance to risk mitigation. The application of an entity-centric method to identifying compliance breaches enables an organisation to develop a better understanding of the behaviour (and circumstances) of entities that breach risk controls*. Such understanding offers insight into the indicators that may be observed in the lead-up to a breach, and knowing what to look for enables organisations to identify the entities that present the most significant threat before the event occurs and to take appropriate action to mitigate it (e.g. applying increased scrutiny and oversight to the entity, making a positive intervention to alter the circumstances that may be contributing to said risk etc.).
More strategically, this information can be fed into operating practices and management decision-making in order to reduce the occurrence of the circumstances that contribute to increased risk, and thereby lower the chances it materialising. Not only does this represent more effective compliance risk mitigation, but (depending on the scenario) it offers wider benefits such as improving the well-being and performance of the staff involved. From a more fiscal perspective (we are talking finance after all), I was in a meeting recently in which it was reported that one consultancy had estimated the total cost of replacing an experienced trader at over 1m USD; thus the ability to identify signs of worsening behaviour before it becomes a serious issue has the potential to save firms a significant sum of money, a subject I'll discuss further in my next post...
*An example of behaviour and circumstances leading to an increased risk of a breach might be (based purely on conjecture): Consistent poor performance of an individual despite increased working hours (motivation) in combination with having access to sensitive information and being subject to reduced scrutiny due to organisational change (opportunity).
I am currently working with Matt Pockson and a team from DMW in defining an intelligence-led, entity-centric approach to managing the risk posed by market abuse and conduct regulations at a global FS client, so if anything in this post has a struck a chord or piqued your interest feel free to get in touch to find out a bit more.