Compliance Modernisation: Creating an effective, adaptable and efficient compliance function
Compliance functions in 2021 are facing growing pressure from stakeholders to simultaneously improve effectiveness, adapt to changing regulation and reduce the costs of compliance risk management.
These three key drivers require constant re-evaluation and functional analysis, in tandem with targeted transformation to meet stakeholder expectations – something that, as yet, is not widely adopted by Swiss financial institutions.
Swiss financial institutions are facing a number of challenges related to their Compliance functions:
- Technologies are available to support the effective management of compliance risks, but many compliance functions lack the strategy and/or expertise to capitalise on these opportunities.
- The number of full-time employees (FTEs) working in non-financial risk (including compliance) can range up to 7% of the total number of FTEs, while leading institutions average around 3%.
- Enforcement reports from FINMA frequently cite regulatory actions against banks due to inadequate control frameworks, for example failing to adequately manage market abuse or money laundering risks.
Swiss financial institutions cannot successfully overcome these challenges by doing more of the same. If banks want to demonstrate good practice to the regulators while remaining competitive in their market, they need to transform their compliance functions.
The three drivers of compliance transformation
It is crucial to understand the drivers and potential levers for the transformation of Compliance functions. Starting with the former, we identify three key drivers of Compliance transformation:
- Effectiveness: Developing a compliance strategy and operating model that focuses on the most material compliance risks
- Regulatory change: Adapting to ongoing changes in Swiss financial market regulation
- Efficiency: Increasing the efficiency of compliance by ‘doing more with less’ through automation and process streamlining
Compliance transformation driver overview
Driver 1: Effectiveness
The compliance functions in many financial institutions do not yet operate at an adequate level of effectiveness, because either they do not have a strategy that focuses on the most material compliance risks, or they do not have enough influence within the organisation to enforce changes.
Manifestations of ineffectiveness include:
- Business compliance and specialist teams gather comprehensive KYC data about clients, but do not share useful insights with the front office about the economic background or networks of clients.
- Compliance Risk Assessments (CRAs) are performed without guidance from group-wide control objectives. This leaves room for differences in application across locations.
- The balance between preventive and detective controls still tilts towards detection, which adds to the amount of human effort required.
- Compliance risk frameworks and capabilities are not realigned at sufficient speed considering the dynamic changes in the overall risk landscape, and specifically the significant increase in conduct risks and anti-money laundering risks.
Wider consequences include:
- Compliance processes do not complement or contribute effectively to the enablement of business processes.
The business and compliance functions should engage in early dialogue regarding the implications for compliance in business decisions. For example, compliance should advise on data protection concerns about a new product and help the business address these concerns from the outset.
- Business models and processes do not yet incorporate ‘compliance-by-design’.
Best practice suggests that there should be a systematic approach to including preventive controls in business processes, which can be mostly automated/system-based, in order to mitigate compliance risks.
Driver 2: Regulatory change
In the future, we expect regulatory changes across jurisdictions to be more frequent and to impose greater demands on the compliance function. Compliance teams need to interpret the impacts of regulatory changes on end-to-end processes and prioritise the required policy, procedure and controls updates. If compliance functions do not operate efficiently, for example because they do not make use of the latest automated tools and technologies, then they could face serious risk of non-compliance and litigation.
For further information regarding the regulatory outlook for banks, please also refer to our Banking Blog article Financial Services Regulatory Outlook 2021.
Key regulatory challenges for Swiss banks:
- Consensus among regulatory authorities around the globe is being lost. This is evident in the growing divergence between the regulatory requirements across different jurisdictions.
- Regulatory authorities across the globe continue to impose large fines on banks that do not sufficiently implement and comply with their rules. For example, between 2012 and 2017 approximately $375bn in global regulatory fines were paid by banks as a result of conduct risk failures (fmsb.com), and in 2020 a single bank was fined $920m for market manipulation.
- Regulators require specific control frameworks to be in place, such as AML/CTF or trade surveillance systems, when carrying out normal business activity. Banks need to ensure that these systems meet the expectations of the regulator.
- Short time frames between the revisions of regulations increase the difficulty for banks to remain compliant. For example, the Swiss Anti-Money Laundering Act (AMLA) and Ordinance (AMLO) have undergone several substantial changes in the past few years, requiring banks to adjust their procedures and controls to maintain regulatory compliance.
Wider consequences include:
- Swiss banks will now, more than ever, need a well-aligned strategy and processes for regulatory change across their locations.
As the global regulatory consensus is fraying, maintaining regulatory compliance across international locations will be challenging for institutions that do not have a well-implemented process for tracking, coordinating and adapting to regulatory change.
- Swiss banks require a centralised rule-tracking tool to ensure that the ongoing maintenance and updating of controls is adequate and litigation risks are minimised.
As regulatory changes differ between jurisdictions and can change within short time frames, banks require a tool-based tracking of regulatory rule changes. This will enable them to coordinate Group interpretation across business lines, prioritise business critical changes and link new rules to the control library.
Driver 3: Efficiency
Many institutions are faced with inefficiencies due to the persistent use of manual processes for standard and repetitive advisory and control activities.
While the future role of compliance should converge around enabling the business and advising on complex regulatory matters, staff are often preoccupied with standard advisory and control tasks – many of which can be automated and performed more efficiently through the use of risk analytics tools and solutions.
Manifestations of inefficiencies include:
- 50% of institutions in the Deloitte Wealth Management Executive Survey (2020) perform client onboarding checks with a fully paper-based process, with average lead times of up to 40 days.
- Revisit ratios for some controls average up to 49% across the market, but can be as high as 91-100% for activities relating to client onboarding at some financial institutions.
- Controls that require substantial manual effort for compliance include:
  - Conducting compliance risk assessments (CRAs) based on manually consolidated spreadsheets ties up valuable FTE capacity and is prone to human error.
  - Responding directly to common and simple questions from front office staff on an ad-hoc basis causes repetition of efforts and uses valuable FTE capacity that could be used for more complex advisory matters.
Based on Deloitte benchmarking, we estimate that compliance staff spend on average 30% of their time performing control-related activities. Of these, up to 50% could be at least partly automated, with significant potential for efficiency improvements. Examples of controls that could be automated include regulatory horizon scanning, communications surveillance and regulatory reporting.
Wider consequences include:
- Compliance staff do not spend a sufficient amount of their time on complex advisory activities.
Best practice suggests that compliance experts should spend, on average, 60% of their time advising the business on complex matters, while in reality the figure is around 30%.
- A large proportion of low value-added compliance activities could be automated but many are still performed manually.
Best practice suggests that there is the potential to automate 40 - 60% of compliance tasks, with the greatest gains achievable in compliance monitoring and approvals, surveillance and testing.
- Compliance organisations employ a relatively high proportion of the workforce in financial institutions.
Best practice suggests that the compliance function should make up about 0.5% - 2% of the total workforce, while some institutions have up to 7% of their total FTEs in compliance.
Key transformation levers for compliance
Driver 1: Effectiveness
- Front-to-back approach to client onboarding: KYC tools can be used by the front office as well as by compliance. Information gathered by compliance in the client due diligence process contains information that can be useful to the relationship manager in understanding the client's situation. Additionally, information sharing avoids the need for RMs and compliance to approach the client separately and ask for duplicate information.
- Top-down risk management: Provide top-down guidance to all locations regarding minimum expectations for the management of compliance risks. This includes providing clear objectives for group-wide controls to ensure consistent implementation of the control frameworks at local level.
- Make business activities ‘compliant-by-design’: A mapping of processes, risks and controls can identify potential for substituting costly manual detection controls with automated and efficient preventive controls that provide more effective risk mitigation.
Driver 2: Regulatory change
- Keep up with regulatory developments: Follow regulatory developments closely, on emerging topics such as sustainability and crypto-assets. It can be useful to remain up-to-date with regulatory changes in other countries in order to be prepared for regulatory proposals and consultation periods for similar changes in Switzerland.
- Coping with emerging money laundering/financial crime risks: With big changes to AML regulations on the horizon, financial services firms need to ensure current practices are sufficiently forward-looking to guarantee full compliance in the future.
- Establish an end-to-end process and governance structure to manage regulatory change: It is crucial that roles and responsibilities are clearly defined across the first and second lines of defence, while still allowing for sufficient flexibility to meet local regulatory differences. The process should make use of opportunities for applying technology solutions (e.g. the Deloitte RegHub) and data analytics (e.g. for AI based rule mapping).
Driver 3: Efficiency
- Centralised KYC data sourced by front office and compliance: Break up functional silos by connecting the front office with the compliance function, allowing relationship managers to utilise insights generated by compliance activities. This can result in lower lead times and faster onboarding decisions for clients. Furthermore, the front-to-back view allows enhanced monitoring of process efficiency due to a clear view on business activities.
- Use risk analytics tools to streamline and digitalise processes: Streamlining and digitalising key compliance processes through state-of-the-art risk analytics tools are key to freeing up time of compliance staff for more complex tasks. For example, compliance risk assessments (CRAs) and other processes can be coordinated and tracked centrally, automating consolidation efforts and providing a well-documented audit trail.
- Prioritise requests: Document and communicate standards and guidance for the management and prioritisation of compliance requests. This will help to minimise non-standard requests to a smaller number of special cases that require compliance expertise. Fostering compliance-by-design can further reduce the possibility of ambiguities in business processes.
New technological capabilities can be enablers of compliance transformation
Compliance in Swiss financial institutions can be improved by making more use of available technologies.
- Big data analytics can be used to enhance transaction monitoring or trade surveillance, allowing continuous end-to-end monitoring of payment or trading activities, or to challenge existing surveillance rule-sets and thresholds.
- Voice analytics can be used to automate the monitoring of interactions with clients and provide the compliance function with risk-scored alerts to detect potential instances of misconduct such as fraud.
- AI/ machine learning can be used to support model validation processes, forward-looking risk monitoring, or to create a chatbot for answering standard questions relating to compliance.
- Effective rule tracking and prioritisation: Centralised regulatory change tracking tools that perform horizon scanning and rule library mapping, with built-in impact assessment functionality, free compliance staff to focus on implementing the required regulatory changes, rather than performing manual tasks with limited value-add.
Adequate skills mix in compliance
The growing use of technological applications in compliance suggests that the function will require a different mix of skills going forward. While jobs in compliance have been held predominantly by individuals trained in finance and the law, business engineers and data scientists are becoming increasingly important.
Conclusion
Is your Compliance function fit-for-purpose? Given the rapidly changing stakeholder expectations we have discussed and increased global uncertainty, we recommend that every institution performs a frequent current-state assessment (diagnostic) to identify the most pressing compliance challenges and the appropriate levers to combat these in their organisation. Deloitte can support you in this undertaking by providing an outside-in perspective and access to our benchmarking database.
We have developed an established approach to enable rapid current-state assessments (diagnostics) and produce a transformation roadmap that provides real stakeholder value, focusing on delivering changes with the greatest impact.
If you would like to learn more, or have a discussion about how we can support you with your current Compliance challenges, then please reach out directly to one of the authors.