Skip to main content

How too much compliance might actually increase the risk of financial service companies?


Following the financial crisis, bank control authorities (like the FCA in the UK or the FSMA in Belgium) and compliance departments within banks have grown exponentially. As a result, regulatory costs have also increased dramatically relative to banks’ earnings.

At first sight, this seems indeed the correct reaction, to better control and monitor the banks and avoid a new crisis. Unfortunately in reality, this increased supervision, both internally and externally, often leads to bureaucracy (a check-the-box mentality), a lack of innovation and contraproductive measures, which often lead to an increase of risk rather than to a decrease.

This doesn’t mean that the increased government scrutiny and focus on compliance should be reduced, but a revision and modernization is in order. Instead of a prescriptive regulation, enforcing strict rules and often forcing specific solutions, which are quickly outdated (especially as regulations take several years to be agreed upon) due to technical and business evolutions, the ultimate goal of each compliance measure should never be forgotten, i.e. consumer protection (compliance should never be turned into an end, but should always be a means to an end).

Of course such goal-based compliance (= outcome-based compliance) is more difficult to impose and control than a rule- and process-based compliance, but it will ultimately lead to much better results, as it fosters a culture of innovating towards the best possible solution. For such goal-based compliance to work a strong open collaboration between project teams and external regulators and internal compliance and security departments is required. Hopefully this can allow regulators to become more forward-looking (anticipating future problems), rather than backward-looking (i.e. regulating what went wrong in the past).

Typical examples of well intended rules and policies imposed by regulators and compliance departments, which ultimately lead to bigger risks are:

  • Strict password policies: many companies enforce complex passwords, with the need to change each password every X weeks. As a typical employee has often dozens of applications, each requiring to change its password on regular intervals (and usually at different moments for every application), this becomes almost impossible to remember. As a result almost each employee has some kind of file (at best password protected) with all his passwords. The result is a weaker security, than if passwords would not have to be modified every X weeks.
    Of course, the goal of the password policy is excellent, but the implementation lacks an end-to-end vision. Such a strict password policy can only be enforced, when SSO is in place or when a proper password management tool (like 1Password) has been deployed within the company.

  • Separation of Dev (Change) and Ops (Run) departments(segregation of duties). In order to avoid fraud by internal employees and to ensure sufficient focus can be given to the day-to-day operations on bank systems, many regulators and compliance departments have imposed a strict separation between Dev and Ops departments (with only Ops departments having production access). The result is however all issues the DevOps movement (cfr. my blog https://bankloch.blogspot.com/2020/10/devops-for-dummies.html) tries to resolve, such as:

    • Bugs which can not be properly investigated by Dev teams as insufficient possibilities to analyse and reproduce the issue and thus stay open for a long time, resulting in significant operational risk

    • Lack of ownership of the IT systems, as Dev and Ops departments point to each other in case of issues

    • Ops departments which are often outsourced to off-shore countries, as it is difficult and expensive to hire internal Ops teams and keep them motivated. As a result many banks have very little info about the identity of the people having access to production data, because they assume that the contract with the outsourcing party sufficiently protects them.

    • Data extracts and log files from production which are shared in an unprotected way (e.g. via mail) between Ops and Dev teams for further analysis, as the Dev team can not access these files directly

    • …​

  • Strong restrictions in security roles in applications: regulators and compliance departments impose that everyone should only have the minimum application access required to execute his job. In reality a job is not so strictly defined, as several people combine multiple roles or need to take-on temporarily additional tasks in context of a temporary assignment (such as a project) or in case of absense of a colleague or for supporting an overloaded department.
    In these cases, the need for an access is rather urgent. Unfortunately most banks don’t have the fine-grained authorization and the fast authorization change processes in place for quickly giving people the necessary authorization (usually handled via a ticketing system to a central shared team, which has often a large backlog and thus long lead times).
    As a result, people typically ask colleagues to execute tasks on their behalf or even worse they get the password of their colleagues. In the end this leads to a higher risk, as there is no clear trace anymore of who did which action.

  • 4-eyes principle: in banks it is a standard that all critical processes (like executing payments or making important data updates) are protected via a 4-eyes principle mechanism. This seems again at first sight a great practice to reduce fraud and errors, but in reality research has showed that a 4-eyes principle actually leads to a lower quality, as none of the 2 persons feels fully accountable for the action (lack of ownership).

  • Strict release cycles: in banks there are very strict release procedures, with very complex governance around it. These procedures are in place to safeguard the quality of the production systems, but in reality they are often very bureaucratic in nature and not very content driven. The downside of these strict processes is that bug fixes and security patches often take weeks to get deployed, resulting in unnecessary operational risks.

  • Directives forcing the bank to warn/inform customers about different risks and forcing the customer to accept them before continuing, e.g.

    • MiFID2 directive in the securities space, where customers are requested to sign (accept derogation) when the Appropriateness test (test for necessary Knowledge & Experience in a financial product) fails. In practice most customers just sign this, without reading in detail the content. Again the intend to protect the customer against investment risks is great, but the execution does not take the typical behavior of a customer into account.

    • GDPR directive imposing pop-ups for users to confirm to store cookies: this recent directive results now in a lot of additional friction (all websites overloading us with messages) and very few users intentionally taking a decision with regards to their cookie policy (i.e. most people just accept without any thoughts). This overload of opt-ins actually results in less compliance as users tend to accept these pop-ups automatically, while the more important opt-in consents might be clicked away now as well.

    • Agreeing on Terms & Conditions: research has showed that if we need to read all Terms & Conditions of all sites and transactions we engage with online, this would take us 76 years per year. As a result everyone confirms without actually reading the content, making the forced reading of terms and conditions not very adequate.

  • Raising capital through an IPO is highly regulated and complex. Obviously this is very desirable, but again this leads to some perverse side-effects:

    • As IPOs are very complex, companies only go public, when the majority of their growth trajectory has passed. During the steepest part of the growth curve, only wealthy individuals can invest (via VC funds) in these growth companies, resulting in an increase in wealth inequality (which is one of the issues regulators try to reduce).

    • Due to the complexity of the IPO process, companies find creative work-arounds, which are usually insufficiently regulated and as such very prone to fraud. Examples are Direct Listings (such as Palantir, Slack, Spotify and Asana) and ICOs (Initial Coin Offering).

  • Other very regulated financial processes, being circumvented by innovative work-around and alternatives, such as:

    • Consumer credit origination being circumvented by different peer-to-peer initiatives and "Buy now, Pay later" vendors (such as Klarna)

    • Bank licenses bypassed by taking over a small player just for the license or by operating under an eMoney license which is less regulated

    • Payment and eMoney licenses avoided via different exemption mechanisms, like the commercial agent model, staying under certain thresholds by delivering the service via several small entities or by creative usage of the exemptions foreseen in the definition of the eMoney regulation

    • AML (Anti-Money Laundering): the AML regulation imposes that suspicious cash transfers should be reported and potentially blocked from execution. In reality the rules are so strict, that almost every large transaction of a (wealthy) customer should be reported or even stopped, which negatively impacts customer satisfaction. As a result, very creative solutions are found by relationship managers to make sure AML checks can be bypassed.

All these examples show that as soon as compliance impacts too much the usability and the operational business, people will find creative solutions to circumvent the regulation, often leading to a higher risk than if the standard service would have been used, without its strict policies.
While compliance is guaranteed on paper (the boxes are checked), in reality the compliance risk remains or has even increased, but under another form (which due to its additional complexity is usually less easy to understand, manage and mitigate).

The answer should be found in innovation and (new) technology (especially now that banks become more and more digital), allowing to impose the compliance goals, without jeopardizing usability and business models. The compliance departments and regulators, applying goal-based compliance, will verify if the goal is met, while the market can find the best solutions to find the optimal compromise between compliance and user convenience.

In order to transform to a goal-based compliance model, following practices should be implemented internally within a bank:

  • Improve collaboration between all stakeholders of a project: compliance departments and security officers are too often considered by project teams as hurdles (bariers) to delivery. Instead these departments should be involved from the start (cfr. DevSecOps movement) but in a collaborative way, where all stakeholders try to find together the optimal solution to meet everyone’s objectives.

  • Compliance departments should always look at the end-to-end process, when adding an additional rule (policy), i.e. can all persons impacted by a compliance/security rule still effectively execute their work, also in the case of situations of exception, i.e. a situation of stress, crisis or emergency.
    If this can not be guaranteed, alternatives for the policy should be investigated (or existing processes should first be improved), which meet the same goal. If this is not done, people will invent work-arounds, leading to higher risks.

  • Teams should get more end-to-end responsibility and accountability, including taking decisions (in cooperation with compliance departments) for specific compliance issues.

  • Alignment of objectives: compliance and risk departments should also get business objectives, but vice-versa business departments should also get objectives on compliance and risk. This way both department have common objectives to find compromises on.

  • Instead of blocking all entrances, resulting mainly in user frictions for benevolent employees and customers, it is better to give more flexibility (and access), but have a continuous automated monitoring system, which keep an audit trail of all actions of everyone, but which also identifies (using Machine Learning algorithms) anomalies in an application usage. Such a system is much more convenient for users and it is also harder to bypass for malicious users (as the security policies are less strictly defined).

  • Compliance projects should also be initiated based on a business case, instead of just accepting them under the category "mandatory compliance". Currently in many banks, large percentages of IT budgets are being consumed by so-called "mandatory" compliance and regulatory projects, which means that very little budget remains for business added value projects. Often those projects don’t effectively improve compliance.
    In order to calculate the business case, the cost of a risk should be calculated (by multiplying the probability of the risk with the cost ,such as penalties from regulators, lawsuit costs, reputation risk, loss of business…​) when the risk occurs. By multiplying this cost with the percentage the project is going to mitigiate this risk (very important factor, as many compliance projects only marginally mitigate the risk), we arrive at an estimation of the revenue of the compliance project, which can be balanced with the project cost, to create a standard business case.
    Via such business cases, the compliance projects can be compared between each other, but also compared with business projects (such as new product launches or cost-reduction exercises). Many compliance projects will still appear on the top when classifying projects on ROI, as the cost of certain risks are so enormous. For example companies not complying with GDPR regulation can face fines of up to 4% of their global annual turnover.

For external regulators, a number of improvements should also be considered:

  • Regulations should be enforced more severely. E.g. many banks are still implementing improvements in context of MiFID II, now 2 years after it came into effect. Idem for PSD2, where ver few banks in Belgium already provides a well-working API for AIS/PIS services.

  • Don’t focus on the low hanging fruit (i.e. the simple businesses, products and processes). As the financial crisis has showed, most risk is in the complex trading departments, where banks are not not always willing to cut too deep, as these are their most profitable departments.

  • Transform from a prescriptive to a goal-based (outcome-based) compliance, allowing to give freedom for banks to implement the best solution (often based on real feedback and insights obtained from their customers). This is especially important as regulations tend to take several years, meaning that any solution proposed in a regulation will likely be already outdated by the time the regulation comes into force.

  • Don’t be afraid to get rid of ineffective regulations. Governments should understand that rules and reports imposed, which do not bring additional protection, have ultimately adverse effects on customers, as the extra costs of those practices are in the end charged to the customers.

  • Have a long term vision (a plan), instead of reacting on issues. Such quick measures on incidents, typically leads to overregulation and an inconsistent policy.

Of course all this is easier said than done. The job of a compliance deparment and regulator is typically not a very grateful job. If everything goes well, everybody complains about compliance as it imposes restrictions and frictions. However once an issue occurs, everybody shouts that compliance departments and regulators should have seen it. It’s a "Damned if you, damned if you don’t" situation.

It’s clear that with our world becoming more complex and digital, compliance will need to increase even more. However it’s time to go for a new approach, driven by innovation and technology, with a focus on the goal (outcome) and not on the process.

Check out all my blogs on https://bankloch.blogspot.com/

Comments

  1. Good and Nice post thanks for the info about How too much compliance might actually increase the risk of financial service companies Statutory Compliance software helps in monitor the employee complaince. and this software is based on cloud usage.

    ReplyDelete
  2. Good Post. Keep posting like this kind of content about how-too-much-compliance-might-actually Hr Software India . They are one of the leading software outsourcing company in India. This hr software helps in monitoring the employee salary and tax, etc. And this software is based on cloud usage.

    ReplyDelete
  3. Thanks for share nice Article. Capital Fund International are a Global Financial change agent that serves your need through Small Business Loans Online. Here you get Best financial service .

    ReplyDelete
  4. Nice post! These are helpful to understand the content Compliance Management Solutions . They are one providing all business service to worldwide

    ReplyDelete

  5. The blog is amazing as always, I have been following your blog for a long time. Keep posting.
    architecture firms in Kolkata
    best furniture shops in Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excelle...

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a numbe...

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval...

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the cent...

PSD3: The Next Phase in Europe’s Payment Services Regulation

With the successful rollout of PSD2, the European Union (EU) continues to advance innovation in the payments domain through the anticipated introduction of the   Payment Services Directive 3 (PSD3) . On June 28, 2023, the European Commission published a draft proposal for PSD3 and the   Payment Services Regulation (PSR) . The finalized versions of this directive and associated regulation are expected to be available by late 2024, although some predictions suggest a more likely timeline of Q2 or Q3 2025. Given that member states are typically granted an 18-month transition period, PSD3 is expected to come into effect sometime in 2026. Notably, the Commission has introduced a regulation (PSR) alongside the PSD3 directive, ensuring more harmonization across member states as regulations are immediately effective and do not require national implementation, unlike directives. PSD3 shares the same objectives as PSD2, i.e.   increasing competition in the payments landscape and en...

Trade-offs Are Inevitable in Software Delivery - Remember the CAP Theorem

In the world of financial services, the integrity of data systems is fundamentally reliant on   non-functional requirements (NFRs)   such as reliability and security. Despite their importance, NFRs often receive secondary consideration during project scoping, typically being reduced to a generic checklist aimed more at compliance than at genuine functionality. Regrettably, these initial NFRs are seldom met after delivery, which does not usually prevent deployment to production due to the vague and unrealistic nature of the original specifications. This common scenario results in significant end-user frustration as the system does not perform as expected, often being less stable or slower than anticipated. This situation underscores the need for   better education on how to articulate and define NFRs , i.e. demanding only what is truly necessary and feasible within the given budget. Early and transparent discussions can lead to system architecture being tailored more close...

Low- and No-code platforms - Will IT developers soon be out of a job?

“ The future of coding is no coding at all ” - Chris Wanstrath (CEO at GitHub). Mid May I posted a blog on RPA (Robotic Process Automation -   https://bankloch.blogspot.com/2020/05/rpa-miracle-solution-for-incumbent.html ) on how this technology, promises the world to companies. A very similar story is found with low- and no-code platforms, which also promise that business people, with limited to no knowledge of IT, can create complex business applications. These   platforms originate , just as RPA tools,   from the growing demand for IT developments , while IT cannot keep up with the available capacity. As a result, an enormous gap between IT teams and business demands is created, which is often filled by shadow-IT departments, which extend the IT workforce and create business tools in Excel, Access, WordPress…​ Unfortunately these tools built in shadow-IT departments arrive very soon at their limits, as they don’t support the required non-functional requirements (like h...

An overview of 1-year blogging

Last week I published my   60th post   on my blog called   Bankloch   (a reference to "Banking" and my family name). The past year, I have published a blog on a weekly basis, providing my humble personal vision on the topics of Fintech, IT software delivery and mobility. This blogging has mainly been a   personal enrichment , as it forced me to dive deep into a number of different topics, not only in researching for content, but also in trying to identify trends, innovations and patterns into these topics. Furthermore it allowed me to have several very interesting conversations and discussions with passionate colleagues in the financial industry and to get more insights into the wonderful world of blogging and more general of digital marketing, exploring subjects and tools like: Search Engine Optimization (SEO) LinkedIn post optimization Google Search Console Google AdWorks Google Blogger Thinker360 Finextra …​ Clearly it is   not easy to get the necessary ...

AI in Financial Services - A buzzword that is here to stay!

In a few of my most recent blogs I tried to   demystify some of the buzzwords   (like blockchain, Low- and No-Code platforms, RPA…​), which are commonly used in the financial services industry. These buzzwords often entail interesting innovations, but contrary to their promise, they are not silver bullets solving any problem. Another such buzzword is   AI   (or also referred to as Machine Learning, Deep Learning, Enforced Learning…​ - the difference between those terms put aside). Again this term is also seriously hyped, creating unrealistic expectations, but contrary to many other buzzwords, this is something I truly believe will have a much larger impact on the financial services industry than many other buzzwords. This opinion is backed by a study of McKinsey and PWC indicating that 72% of company leaders consider that AI will be the most competitive advantage of the future and that this technology will be the most disruptive force in the decades to come. Deep Lea...

The UPI Phenomenon: From Zero to 10 Billion

If there is one Indian innovation that has grabbed   global headlines , it is undoubtedly the instant payment system   UPI (Unified Payments Interface) . In August 2023, monthly UPI transactions exceeded an astounding 10 billion, marking a remarkable milestone for India’s payments ecosystem. No wonder that UPI has not only revolutionized transactions in India but has also gained international recognition for its remarkable growth. Launched in 2016 by the   National Payments Corporation of India (NPCI)   in collaboration with 21 member banks, UPI quickly became popular among consumers and businesses. In just a few years, it achieved   remarkable milestones : By August 2023, UPI recorded an unprecedented   10.58 billion transactions , with an impressive 50% year-on-year growth. This volume represented approximately   190 billion euros . In July 2023, the UPI network connected   473 different banks . UPI is projected to achieve a staggering   1 ...