My previous posts have described the compliance risk control mechanisms in operation by the financial services sector as fundamentally flawed and suggested that the industry would benefit by adopting an entity-centric model more analogous to the one employed by security and law enforcement agencies. Last time around I highlighted the improvements in effectiveness offered by such an approach; today's post will outline the potential gains in efficiency and organisational agility.
The astonishing level of inefficiency demonstrated by many controls in the current system means that the bar for improvement is incredibly low. The PWC 2019 Market Abuse Surveillance Survey clearly articulates this inadequacy in the area of market abuse and conduct regulations, indicating that on average in the EMEA region less than 0.01% of alerts result in a Suspicious Transaction and Order Report (STOR) being submitted to the regulator. Whilst not in quite the same ballpark, the picture is similarly bleak across other areas of compliance risk, with the Ernst & Young AML Transaction Monitoring 2018 EMEIA Survey Report finding that on average only 5% of alerting designed to detect breaches of Anti Money Laundering regulations resulted in a Suspicious Activity Report (SAR) being filed.
Clearly any judgement towards efficiency is only really valid if a reliable metric regarding successful outcomes exists; unless we are confident that a significant percentage of breaches are being detected in the first place then any talk of efficiency gains is something of a fallacy and all we are really discussing is how to reduce costs. Whilst I consider the effectiveness of existing controls to be somewhat questionable, if we assume that a useful number of successful outcomes in detecting compliance breaches can be achieved based on a shift to an entity-centric strategy then talk of efficiency gains starts to become more meaningful.
Operational Efficiency
The most obvious benefit that can be expected from an entity-centric approach is a reduction in the number of false-positive results generated by detection algorithms due to the improved decision-making that it facilitates (see “What Do You Mean Entity-Centric?”); fewer false-positives means a reduction in the amount of effort wasted by the compliance officers tasked with processing them, which translates to a more efficient process.
The second improvement to operational efficiency stems from the change in the way that the output of detection algorithms is thought of in the new paradigm; rather than being treated as an "alert" that must be worked through an auditable process by a compliance officer, these results are thought of as an indicator of suspicious activity and considered in the context of the overall behaviour and risk profile of the entity. The effect of this is that low-risk output may be rapidly dismissed or perhaps never actually assessed by a human, and thus the amount of time spent by staff on performing meaningless tasks is further reduced.
Consolidated Investment
In addition to decreasing the amount of effort spent on non-productive work, the fact that this methodology is applicable to multiple areas of compliance risk presents opportunities for the consolidation of costs, whereby money that may have traditionally been spent on discrete controls by individual functions can be invested in a common service (i.e. a combination of people, processes and technology) that will benefit all. The degree to which that potential is realised is dependent on the ambition of the organisation but I would suggest a logical ideal is probably some form of "Surveillance as a service" which can then be leveraged by more mission-focused teams who have responsibility for specific areas of compliance risk.
The opportunity for cost consolidation in terms of technology and certain staff proficiencies actually extends outside the world of compliance into broader operational risk management and beyond: whilst people pose risk to an organisation, people are also responsible for its success and therefore the technology and techniques employed in entity-centric analysis for risk mitigation are also ideally suited to supporting profit-generating activities... I'll just leave the thought of tangible ROI from risk control costs with you...
Where an institution is not ready for such significant change a perhaps more palatable first step may be the construction of a single platform that consolidates data holdings, technological capabilities and access mechanisms that is funded and employed by multiple compliance functions. Failing that, a possible route to achieving a certain level of cost savings is for those functions to continue to adopt discrete technical solutions that nonetheless share some common components.
Speaking as a techie, shared investment by multiple areas of the business into a single platform that is flexible enough to serve all stakeholders is the obvious ideal, and having previously led the construction of a platform with this breadth of capability I am confident that the technical aspect of this vision is entirely achievable. That said, I am currently leading the inception of the type of solution that I describe at a client, meaning that I am well aware of the challenges presented by such an undertaking in a global financial organisation.
Organisational Agility
Creating such a platform is not only in the long-term more cost effective than running multiple discrete systems but by consolidating technology and data it enables an IT department to adapt far more quickly to new and changing requirements because the overheads of delivering capability on a known foundation are less than for deploying a new solution (or attempting to knock the corners off a square peg in order to fit it into a round hole).
The deployment of a fundamentally entity-centric approach allows an organisation to extend this agility into the human aspects of risk controls by creating an environment in which the core competencies, analytical approach and processes are common across compliance functions, with specialisation occurring only where required in order to mitigate specific risks. This construct is better able to adapt to new regulations because the bulk of the resulting change is limited to those specialist aspects; furthermore, any redistribution of staff across compliance functions in response to a changing risk profile is made more efficient due to skills and experience being more widely applicable.
Over the last two posts I have outlined potential improvements in terms of effectiveness, efficiency and flexibility offered by the adoption of an entity-centric strategy to mitigate compliance risk in the financial services sector; so if the benefits are so great why are more institutions not investing in this type of methodology? Unsurprisingly, there is no simple answer to that question but I intend to explore some of the factors that I believe are to blame in my next post.
I am currently working with Matt Pockson and a team from DMW in defining an intelligence-led, entity-centric approach to managing the risk posed by market abuse and conduct regulations at a global FS client, so if anything in this post has struck a chord or piqued your interest feel free to get in touch to find out a bit more.