Skip to main content

How too much compliance might actually increase the risk of financial service companies?


Following the financial crisis, bank control authorities (like the FCA in the UK or the FSMA in Belgium) and compliance departments within banks have grown exponentially. As a result, regulatory costs have also increased dramatically relative to banks’ earnings.

At first sight, this seems indeed the correct reaction, to better control and monitor the banks and avoid a new crisis. Unfortunately in reality, this increased supervision, both internally and externally, often leads to bureaucracy (a check-the-box mentality), a lack of innovation and contraproductive measures, which often lead to an increase of risk rather than to a decrease.

This doesn’t mean that the increased government scrutiny and focus on compliance should be reduced, but a revision and modernization is in order. Instead of a prescriptive regulation, enforcing strict rules and often forcing specific solutions, which are quickly outdated (especially as regulations take several years to be agreed upon) due to technical and business evolutions, the ultimate goal of each compliance measure should never be forgotten, i.e. consumer protection (compliance should never be turned into an end, but should always be a means to an end).

Of course such goal-based compliance (= outcome-based compliance) is more difficult to impose and control than a rule- and process-based compliance, but it will ultimately lead to much better results, as it fosters a culture of innovating towards the best possible solution. For such goal-based compliance to work a strong open collaboration between project teams and external regulators and internal compliance and security departments is required. Hopefully this can allow regulators to become more forward-looking (anticipating future problems), rather than backward-looking (i.e. regulating what went wrong in the past).

Typical examples of well intended rules and policies imposed by regulators and compliance departments, which ultimately lead to bigger risks are:

  • Strict password policies: many companies enforce complex passwords, with the need to change each password every X weeks. As a typical employee has often dozens of applications, each requiring to change its password on regular intervals (and usually at different moments for every application), this becomes almost impossible to remember. As a result almost each employee has some kind of file (at best password protected) with all his passwords. The result is a weaker security, than if passwords would not have to be modified every X weeks.
    Of course, the goal of the password policy is excellent, but the implementation lacks an end-to-end vision. Such a strict password policy can only be enforced, when SSO is in place or when a proper password management tool (like 1Password) has been deployed within the company.

  • Separation of Dev (Change) and Ops (Run) departments(segregation of duties). In order to avoid fraud by internal employees and to ensure sufficient focus can be given to the day-to-day operations on bank systems, many regulators and compliance departments have imposed a strict separation between Dev and Ops departments (with only Ops departments having production access). The result is however all issues the DevOps movement (cfr. my blog https://bankloch.blogspot.com/2020/10/devops-for-dummies.html) tries to resolve, such as:

    • Bugs which can not be properly investigated by Dev teams as insufficient possibilities to analyse and reproduce the issue and thus stay open for a long time, resulting in significant operational risk

    • Lack of ownership of the IT systems, as Dev and Ops departments point to each other in case of issues

    • Ops departments which are often outsourced to off-shore countries, as it is difficult and expensive to hire internal Ops teams and keep them motivated. As a result many banks have very little info about the identity of the people having access to production data, because they assume that the contract with the outsourcing party sufficiently protects them.

    • Data extracts and log files from production which are shared in an unprotected way (e.g. via mail) between Ops and Dev teams for further analysis, as the Dev team can not access these files directly

    • …​

  • Strong restrictions in security roles in applications: regulators and compliance departments impose that everyone should only have the minimum application access required to execute his job. In reality a job is not so strictly defined, as several people combine multiple roles or need to take-on temporarily additional tasks in context of a temporary assignment (such as a project) or in case of absense of a colleague or for supporting an overloaded department.
    In these cases, the need for an access is rather urgent. Unfortunately most banks don’t have the fine-grained authorization and the fast authorization change processes in place for quickly giving people the necessary authorization (usually handled via a ticketing system to a central shared team, which has often a large backlog and thus long lead times).
    As a result, people typically ask colleagues to execute tasks on their behalf or even worse they get the password of their colleagues. In the end this leads to a higher risk, as there is no clear trace anymore of who did which action.

  • 4-eyes principle: in banks it is a standard that all critical processes (like executing payments or making important data updates) are protected via a 4-eyes principle mechanism. This seems again at first sight a great practice to reduce fraud and errors, but in reality research has showed that a 4-eyes principle actually leads to a lower quality, as none of the 2 persons feels fully accountable for the action (lack of ownership).

  • Strict release cycles: in banks there are very strict release procedures, with very complex governance around it. These procedures are in place to safeguard the quality of the production systems, but in reality they are often very bureaucratic in nature and not very content driven. The downside of these strict processes is that bug fixes and security patches often take weeks to get deployed, resulting in unnecessary operational risks.

  • Directives forcing the bank to warn/inform customers about different risks and forcing the customer to accept them before continuing, e.g.

    • MiFID2 directive in the securities space, where customers are requested to sign (accept derogation) when the Appropriateness test (test for necessary Knowledge & Experience in a financial product) fails. In practice most customers just sign this, without reading in detail the content. Again the intend to protect the customer against investment risks is great, but the execution does not take the typical behavior of a customer into account.

    • GDPR directive imposing pop-ups for users to confirm to store cookies: this recent directive results now in a lot of additional friction (all websites overloading us with messages) and very few users intentionally taking a decision with regards to their cookie policy (i.e. most people just accept without any thoughts). This overload of opt-ins actually results in less compliance as users tend to accept these pop-ups automatically, while the more important opt-in consents might be clicked away now as well.

    • Agreeing on Terms & Conditions: research has showed that if we need to read all Terms & Conditions of all sites and transactions we engage with online, this would take us 76 years per year. As a result everyone confirms without actually reading the content, making the forced reading of terms and conditions not very adequate.

  • Raising capital through an IPO is highly regulated and complex. Obviously this is very desirable, but again this leads to some perverse side-effects:

    • As IPOs are very complex, companies only go public, when the majority of their growth trajectory has passed. During the steepest part of the growth curve, only wealthy individuals can invest (via VC funds) in these growth companies, resulting in an increase in wealth inequality (which is one of the issues regulators try to reduce).

    • Due to the complexity of the IPO process, companies find creative work-arounds, which are usually insufficiently regulated and as such very prone to fraud. Examples are Direct Listings (such as Palantir, Slack, Spotify and Asana) and ICOs (Initial Coin Offering).

  • Other very regulated financial processes, being circumvented by innovative work-around and alternatives, such as:

    • Consumer credit origination being circumvented by different peer-to-peer initiatives and "Buy now, Pay later" vendors (such as Klarna)

    • Bank licenses bypassed by taking over a small player just for the license or by operating under an eMoney license which is less regulated

    • Payment and eMoney licenses avoided via different exemption mechanisms, like the commercial agent model, staying under certain thresholds by delivering the service via several small entities or by creative usage of the exemptions foreseen in the definition of the eMoney regulation

    • AML (Anti-Money Laundering): the AML regulation imposes that suspicious cash transfers should be reported and potentially blocked from execution. In reality the rules are so strict, that almost every large transaction of a (wealthy) customer should be reported or even stopped, which negatively impacts customer satisfaction. As a result, very creative solutions are found by relationship managers to make sure AML checks can be bypassed.

All these examples show that as soon as compliance impacts too much the usability and the operational business, people will find creative solutions to circumvent the regulation, often leading to a higher risk than if the standard service would have been used, without its strict policies.
While compliance is guaranteed on paper (the boxes are checked), in reality the compliance risk remains or has even increased, but under another form (which due to its additional complexity is usually less easy to understand, manage and mitigate).

The answer should be found in innovation and (new) technology (especially now that banks become more and more digital), allowing to impose the compliance goals, without jeopardizing usability and business models. The compliance departments and regulators, applying goal-based compliance, will verify if the goal is met, while the market can find the best solutions to find the optimal compromise between compliance and user convenience.

In order to transform to a goal-based compliance model, following practices should be implemented internally within a bank:

  • Improve collaboration between all stakeholders of a project: compliance departments and security officers are too often considered by project teams as hurdles (bariers) to delivery. Instead these departments should be involved from the start (cfr. DevSecOps movement) but in a collaborative way, where all stakeholders try to find together the optimal solution to meet everyone’s objectives.

  • Compliance departments should always look at the end-to-end process, when adding an additional rule (policy), i.e. can all persons impacted by a compliance/security rule still effectively execute their work, also in the case of situations of exception, i.e. a situation of stress, crisis or emergency.
    If this can not be guaranteed, alternatives for the policy should be investigated (or existing processes should first be improved), which meet the same goal. If this is not done, people will invent work-arounds, leading to higher risks.

  • Teams should get more end-to-end responsibility and accountability, including taking decisions (in cooperation with compliance departments) for specific compliance issues.

  • Alignment of objectives: compliance and risk departments should also get business objectives, but vice-versa business departments should also get objectives on compliance and risk. This way both department have common objectives to find compromises on.

  • Instead of blocking all entrances, resulting mainly in user frictions for benevolent employees and customers, it is better to give more flexibility (and access), but have a continuous automated monitoring system, which keep an audit trail of all actions of everyone, but which also identifies (using Machine Learning algorithms) anomalies in an application usage. Such a system is much more convenient for users and it is also harder to bypass for malicious users (as the security policies are less strictly defined).

  • Compliance projects should also be initiated based on a business case, instead of just accepting them under the category "mandatory compliance". Currently in many banks, large percentages of IT budgets are being consumed by so-called "mandatory" compliance and regulatory projects, which means that very little budget remains for business added value projects. Often those projects don’t effectively improve compliance.
    In order to calculate the business case, the cost of a risk should be calculated (by multiplying the probability of the risk with the cost ,such as penalties from regulators, lawsuit costs, reputation risk, loss of business…​) when the risk occurs. By multiplying this cost with the percentage the project is going to mitigiate this risk (very important factor, as many compliance projects only marginally mitigate the risk), we arrive at an estimation of the revenue of the compliance project, which can be balanced with the project cost, to create a standard business case.
    Via such business cases, the compliance projects can be compared between each other, but also compared with business projects (such as new product launches or cost-reduction exercises). Many compliance projects will still appear on the top when classifying projects on ROI, as the cost of certain risks are so enormous. For example companies not complying with GDPR regulation can face fines of up to 4% of their global annual turnover.

For external regulators, a number of improvements should also be considered:

  • Regulations should be enforced more severely. E.g. many banks are still implementing improvements in context of MiFID II, now 2 years after it came into effect. Idem for PSD2, where ver few banks in Belgium already provides a well-working API for AIS/PIS services.

  • Don’t focus on the low hanging fruit (i.e. the simple businesses, products and processes). As the financial crisis has showed, most risk is in the complex trading departments, where banks are not not always willing to cut too deep, as these are their most profitable departments.

  • Transform from a prescriptive to a goal-based (outcome-based) compliance, allowing to give freedom for banks to implement the best solution (often based on real feedback and insights obtained from their customers). This is especially important as regulations tend to take several years, meaning that any solution proposed in a regulation will likely be already outdated by the time the regulation comes into force.

  • Don’t be afraid to get rid of ineffective regulations. Governments should understand that rules and reports imposed, which do not bring additional protection, have ultimately adverse effects on customers, as the extra costs of those practices are in the end charged to the customers.

  • Have a long term vision (a plan), instead of reacting on issues. Such quick measures on incidents, typically leads to overregulation and an inconsistent policy.

Of course all this is easier said than done. The job of a compliance deparment and regulator is typically not a very grateful job. If everything goes well, everybody complains about compliance as it imposes restrictions and frictions. However once an issue occurs, everybody shouts that compliance departments and regulators should have seen it. It’s a "Damned if you, damned if you don’t" situation.

It’s clear that with our world becoming more complex and digital, compliance will need to increase even more. However it’s time to go for a new approach, driven by innovation and technology, with a focus on the goal (outcome) and not on the process.

Check out all my blogs on https://bankloch.blogspot.com/

Labels:

Comments

  1. rachelsg27 May 2021 at 14:06

    Good and Nice post thanks for the info about How too much compliance might actually increase the risk of financial service companies Statutory Compliance software helps in monitor the employee complaince. and this software is based on cloud usage.

    ReplyDelete
  2. payroll software india7 June 2021 at 14:14

    Good Post. Keep posting like this kind of content about how-too-much-compliance-might-actually Hr Software India . They are one of the leading software outsourcing company in India. This hr software helps in monitoring the employee salary and tax, etc. And this software is based on cloud usage.

    ReplyDelete
  3. Amelia25 August 2021 at 06:16

    Thanks for share nice Article. Capital Fund International are a Global Financial change agent that serves your need through Small Business Loans Online. Here you get Best financial service .

    ReplyDelete
  4. Anuindhu19 September 2022 at 14:39

    Nice post! These are helpful to understand the content Compliance Management Solutions . They are one providing all business service to worldwide

    ReplyDelete
  5. Yogeshwaran24 September 2022 at 08:10


    The blog is amazing as always, I have been following your blog for a long time. Keep posting.
    architecture firms in Kolkata
    best furniture shops in Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excellent example of this
45 comments
Read more

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a number of cons
6 comments
Read more

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval and searching
26 comments
Read more

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the center of the connected devi
16 comments
Read more

Neobanks should find their niche to improve their profitability

The last 5 years dozens of so-called   neo- or challenger banks  (according to Exton Consulting 256 neobanks are in circulation today) have disrupted the banking landscape, by offering a fully digitized (cfr. "tech companies with a banking license"), very customer-centric, simple and fluent (e.g. possibility to become client and open an account in a few clicks) and low-cost product and service offering. While several of them are already valued at billions of euros (like Revolut, Monzo, Chime, N26, NuBank…​), very few of them are expected to be profitable in the coming years and even less are already profitable today (Accenture research shows that the average UK neobank loses $11 per user yearly). These challenger banks are typically confronted with increasing costs, while the margins generated per customer remain low (e.g. due to the offering of free products and services or above market-level saving account interest rates). While it’s obvious that disrupting the financial ma
7 comments
Read more

PFM, BFM, Financial Butler, Financial Cockpit, Account Aggregator…​ - Will the cumbersome administrative tasks on your financials finally be taken over by your financial institution?

1. Introduction Personal Financial Management   (PFM) refers to the software that helps users manage their money (budget, save and spend money). Therefore, it is often also called   Digital Money Management . In other words, PFM tools   help customers make sense of their money , i.e. they help customers follow, classify, remain informed and manage their Personal Finances. Personal Finance   used to be (or still is) a time-consuming effort , where people would manually input all their income and expenses in a self-developed spreadsheet, which would gradually be extended with additional calculations. Already for more than 20 years,   several software vendors aim to give a solution to this , by providing applications, websites and/or apps. These tools were never massively adopted, since they still required a lot of manual interventions (manual input of income and expense transaction, manual mapping transactions to categories…​) and lacked an integration in the day-to-da
5 comments
Read more

Can Augmented Reality make daily banking a more pleasant experience?

With the   increased competition in the financial services landscape (between banks/insurers, but also of new entrants like FinTechs and Telcos), customers are demanding and expecting a more innovative and fluent digital user experience. Unfortunately, most banks and insurers, with their product-oriented online and mobile platforms, are not known for their pleasant and fluent user experience. The   trend towards customer oriented services , like personal financial management (with functions like budget management, expense categorization, saving goals…​) and robo-advise, is already a big step in the right direction, but even then, managing financials is still considered to be a boring intangible and complex task for most people. Virtual (VR) and augmented reality (AR)   could bring a solution. These technologies provide a user experience which is   more intuitive, personalised and pleasant , as they introduce an element of   gamification   to the experience. Both VR and AR
9 comments
Read more

Beyond Imagination: The Rise and Evolution of Generative AI Tools

Generative AI   has revolutionized the way we create and interact with digital content. Since the launch of Dall-E in July 2022 and ChatGPT in November 2022, the field has seen unprecedented growth. This technology, initially popularized by OpenAI’s ChatGPT, has now been embraced by major tech players like Microsoft and Google, as well as a plethora of innovative startups. These advancements offer solutions for generating a diverse range of outputs including text, images, video, audio, and other media from simple prompts. The consumer now has a vast array of options based on their specific   output needs and use cases . From generic, large-scale, multi-modal models like OpenAI’s ChatGPT and Google’s Bard to specialized solutions tailored for specific use cases and sectors like finance and legal advice, the choices are vast and varied. For instance, in the financial sector, tools like BloombergGPT ( https://www.bloomberg.com/ ), FinGPT ( https://fin-gpt.org/ ), StockGPT ( https://www.as
2 comments
Read more

From app to super-app to personal assistant

In July of this year,   KBC bank   (the 2nd largest bank in Belgium) surprised many people, including many of us working in the banking industry, with their announcement that they bought the rights to   broadcast the highlights of soccer matches   in Belgium via their mobile app (a service called "Goal alert"). The days following this announcement the news was filled with experts, some of them categorizing it as a brilliant move, others claiming that KBC should better focus on its core mission. Independent of whether it is a good or bad strategic decision (the future will tell), it is clearly part of a much larger strategy of KBC to   convert their banking app into a super-app (all-in-one app) . Today you can already buy mobility tickets and cinema tickets and use other third-party services (like Monizze, eBox, PayPal…​) within the KBC app. Furthermore, end of last year, KBC announced opening up their app also to non-customers allowing them to also use these third-party servi
9 comments
Read more

Eco-systems - Welcome to a new cooperating world

Last week I attended the Digital Finance Summit conference in Brussels, organized by Fintech Belgium, B-Hive, Febelfin and EBF. A central theme of the summit was the cooperation between banks and Fintechs and more in general the rise of ecosystems. In the past I have written already about this topic in my blogs about "Transforming the bank to an Open API Ecosystem ( https://www.linkedin.com/pulse/transforming-bank-open-api-ecosystem-joris-lochy/ ) and "The war for direct customer contact - Banks should fight along!" ( https://www.linkedin.com/pulse/war-direct-customer-contact-banks-should-fight-along-joris-lochy/ ), but still I was surprised about the number of initiatives taken in this domain. In my last job at The Glue, I already had the pleasure to work on several interesting cases: TOCO   ( https://www.toco.eu ): bringing entrepreneurs, accountants and banks closer together, by supporting entrepreneurs and accountants in their daily admin (and in the f
9 comments
Read more