Top 10 Compliance Challenges in 2020 and Beyond
In an increasingly regulated world, organisations are facing greater scrutiny than ever. And in 2020 the focus on compliance is expected to continue to increase.
According to the Thomson Reuters Cost of Compliance 2019 Report, three quarters of firms expect the amount of regulatory information published by regulators and exchanges to increase over the next 12 months.
With the continuously evolving governance, risk management and compliance (GRC) landscape, compliance officers need to keep pace. As new regulations emerge, they need to be ready with the appropriate training programmes to get their staff up to speed on new regulations and to re-educate them about changes to the existing ones.
With this in mind, we examine the 10 biggest challenges faced by compliance in 2020.
- Brexit
- Artificial intelligence
- Outcome testing
- Money laundering (5MLD)
- Whistle-blowing controls and procedures
- Transforming corporate culture
- Staff training
- P2P communications
- Transaction monitoring
- The usual suspects!
1. Brexit
In the UK, the number one topic is still Brexit! Yes, we now have a government with a clear majority and an "oven-ready" plan, but there are plenty of devils hiding in the details. What deal will we have after the transition, which is now only eleven months long? What, if any, arrangements will be in place for personal data transfers and GDPR? What level of equivalence/passporting will be given to financial services firms? What political moves are afoot in Scotland and Northern Ireland that might derail the whole process?
People will be considering the future employability of existing staff, the ease of employing good staff from outside of the UK, firm relocations etc. Legal and Compliance departments will be charged with drafting plans, and even contingency plans against their own plans, for how their firm can continue to operate, thrive and grow in a post-Brexit world.
2. Artificial intelligence (AI)
With waves of continual legal and regulatory change and expectations, firms can and do struggle to know what is right and how best to achieve compliance whilst satisfying those internal stakeholders who hold the purse strings and balance the books. It is no surprise then that the ascension of the Regtech and Fintech firms has been welcomed with open arms.
Solutions that can apply the speed and operational accuracy of AI for firms, thus ensuring split-second processing, and reducing the need to recruit more staff and the costs and human error factor associated with that, are very attractive indeed.
PwC’s State of Compliance study shows that 70% of 'dynamic' compliance officers are using technology to monitor employees’ policy compliance. Certainly, these systems are valuable for allowing instant access to data and reports at the click of a button.
It is unquestioned that AI can deliver the automation of repetitive and time-consuming tasks efficiently and effectively, and terms such as AI, cognitive computing and machine learning are all very impressive. But thankfully, firms are also recognising the dangers of AI, and how over-reliance on computer-based solutions can be a risk for them.
Undoubtedly technology can help you to be more compliant, but firms are still considering the balance between AI and human activity. AI can only process what it is programmed to process and cannot readjust its programming when an unexpected event occurs, as that would require cognitive, sentient thinking, which computers are not capable of, yet! Often firms are finding that cutting-edge technology, whilst wondrous in its capabilities, is simply not as effective when plugged into legacy systems, if it can be plugged in at all!
We see examples of this when ATMs stop working or mobile banking apps go down: they stay non-operational for hours, and sometimes days, as staff work to fix the problem.
Firms are realising that computer-based decision making can be costly to them too. GDPR and data subjects’ rights allow for computer-based decisions to be overturned and re-processed by a human, and these rights have been heavily advertised and promoted.
There’s no denying that the latest developments in technology can help firms to meet the demands of the increasingly complex world of regulation. However, no matter how much firms invest in the latest Regtech and Fintech, thankfully they are starting to apply an appropriate balance between AI and their investment in experienced and knowledgeable staff.
After all, it is the staff who program the computers or seek and appoint the external provider, and most often fix the computers when they go wrong. It is only reasonable therefore to conclude that the regulators will expect the staff to know how their computerised systems and controls work, and it will most certainly be those staff that the regulators will wish to interview during any regulatory interaction, not the computers!
3. Outcome testing
One such area where AI is of assistance is in outcome testing, a subject which is increasing in popularity within the regulator and regulated sectors alike. Ensuring good consumer outcomes is a key regulatory focus, and one which is essential if the regulated market is to (regain and) retain consumer confidence in the financial services markets.
A lot of work is underway in this field, and many firms are seeing the return on their investment in this area, as it helps to prevent future complaints and increases customer loyalty. From this, firms are seeing that outcome testing is multi-dimensional and can be designed and used in virtually any circumstance.
Areas being viewed through an outcome testing lens include:
- Products – Does the product deliver what a customer was promised, or indeed, what that customer could reasonably expect it to deliver, i.e. are there any hidden or unjust clauses?
- Wording – Ensuring that documentation and literature is easy to understand, with no jargon and acronyms, or any complex wording that it would be unreasonable to expect a consumer to understand, especially when intended by the provider to be a “get out of jail card”.
- Complaints – Examining the root cause of complaints, to help eradicate future complaints of a similar nature. This is one of the areas where perhaps more work is still required:
  - Firms need to decide if they are attempting to eradicate future complaints because their investigation and compensation have been costly, or simply because even one more customer experiencing the effects of the cause of the complaint would be one customer too many.
  - If a customer complaint is upheld and remediation work and compensation is applied, does the firm scan its customer database for all other customers that exhibited the same set of characteristics, and apply the same remediation and compensation to them, no matter how many their number ran to, or would it wait for each customer to complain individually?
  - Would firms be that proactive, to contact a customer and advise them that another customer’s complaint has resulted in them being owed compensation? Would such an activity be possible? Judging by the fact that each PPI claimant had to complain to their product provider to lodge a complaint and initiate an investigation, it would seem that even a systemic issue of the largest scale does not warrant such an approach.
- Coverage – Are firms routinely examining all products and services through the outcome testing lens, or just those that are brought to their attention, i.e. if a customer does not complain, is it assumed that they are satisfied with their product? Or could it be that they have yet to discover its inadequacies, or that they do not understand the product enough to identify them?
We all appreciate the warning of “Caveat Emptor”, but this must be balanced with the certain knowledge that all firms must have: that some people will sign whatever they need to sign when they need the product or service.
Another area of outcome testing where work is in its infancy and growing is around vulnerable customers, for example those holding complex products where no evidence exists to suggest that they understand them. We are starting to see a swell of interest in the SIPP market now, where a large number of SIPP holders are claiming that they are not financially mature enough to have ever been able to self-manage their pension investments!
Another area where outcome testing can help is in addressing the disconnect between a customer advising of an upcoming negative life event and a firm being able to help before that event. For example, many customers notify their mortgage lender that they will be unable to meet their monthly payment, for any number of legitimate reasons, and so will go into arrears, and yet the mortgage lender and its overly restrictive systems are unable to help until that person has actually gone into arrears; only then can a payment plan be put into place. Outcome testing of a product’s flexibility to deal with this situation in advance would be of great benefit to consumers at large.
Similarly, another example of inflexibility where flexibility is needed is when a family member or friend contacts a bank. For example, they want to advise that the account holder has suffered a serious illness or condition, a stroke for example, and is currently incapacitated and without cognitive function. The situation was completely unexpected and so there is no Power of Attorney or Court of Protection Order in place, so how can the bank help this family member or friend manage the account holder’s affairs immediately, now, and until something official is in place?
Similarly, some simple outcome testing of a firm’s ability to deal with someone who has requested documentation in Braille, at least to evidence that their staff know what to do with such a request, would be of benefit.
4. Money laundering (5MLD)
Having seen the successful transition of the 4MLD into jurisdictional law, it wasn’t long before the Fifth Money Laundering Directive (5MLD) was snapping at its heels. It finally came into force on 10th January 2020, and firms are expected to be prepared and in compliance with areas such as:
- More ultimate beneficial ownership information
- Increased use of digital identity technologies
- Clarification of Politically Exposed Person (PEP) roles by member states
- Registration of cryptocurrency exchanges
5. Whistle-blowing controls & procedures
Recent adverse news in this space has had an international reach, so firms would be well advised to invest time and manpower into reviewing their whistle-blowing protocols.
Whistle-blowing is taken very seriously by the UK regulator, the FCA. At a conference in London in June 2018, the FCA’s Director of Strategy and Competition confirmed that “the reality is whistle-blowers provide some of the best intelligence we get as an organisation”, and according to the FCA website, information secured via such intelligence has led to fines and the issue of warning letters to firms and individuals alike, as well as the variation and withdrawal of permissions and other forms of early intervention.
A November 2018 FCA report reviewed how firms had applied the 2016 whistle-blowing rules, generated in response to the recommendations of the Parliamentary Commission on Banking Standards. Overall, the FCA found a positive impact on the way that firms approached the rules and the efficacy of the whistle-blowers’ champion. However, they also highlighted some areas for improvement, which undoubtedly firms will be reviewing and acting upon during 2019.
Areas needing improvement included:
- Training – Inadequate whistle-blowing training provided to staff, and in particular a lack of training that distinguishes between staff, managers and investigation teams.
- Protection – Some firms had not clearly documented how a whistle-blower would be protected from future victimisation.
- Investigations – Most firms needed to enhance and document their investigation process.
- Reporting Clarity – Concerns were raised over some firms incorrectly stating, within their whistle-blowing policy, that employees must raise their concerns internally, before contacting the regulator.
- Annual Reporting – Gaps were found in the annual whistle-blowing reports that firms are required to provide to their regulator, and the gaps were greater in firms that had filed fewer reports.
6. Transforming corporate culture
Creating a culture of integrity and accountability has been a major theme in financial services, with the Financial Conduct Authority (FCA) extending the Senior Managers and Certification Regime (SMCR) to over 40,000 solo-regulated firms in December 2019 (in addition to the banking and insurance firms that were previously covered). We see this trend of individual accountability and responsibility spreading to other sectors.
The need and complexity around measuring culture is likely to give sleepless nights to some compliance officers.
The four main drivers that they should focus on are:
- A firm’s purpose
- Approach to rewarding and managing people, and
- Governance arrangements
No matter how hard it may be to measure good culture, it can perhaps more easily be promoted by the leaders of firms, although arguably such “tone from the top” is not a silver bullet either. Holding, adopting and believing in the right culture and doing the right thing is everyone’s responsibility, and good behaviour should be chosen, not imposed.
Claims of “toxic” cultures within firms, emanating from the senior managers, and CEO’s hunting down whistle-blowers certainly do not serve to promote good culture, but the problems do not stop there.
In 2017, we saw the emergence of the #MeToo movement, starting from Hollywood actresses and then spreading through the corporate world. Claims of inequality, gender pay gaps, lack of women in the boardroom, harassment and discrimination are now the warning barriers that guide businesses. More generally, keeping on the right side of the “snowflakes” seems to be a key driver for culture now. However, if standing up for your rights, or complaining or whistle-blowing when things go wrong, gets you tarred and labelled with such names, does this encourage the right culture and behaviours, or will it force some to remain silent through fear of public shaming and retribution?
Establishing the right culture has to be everyone’s responsibility and for the right reasons, not just a box-ticking exercise. For example, when applying for jobs now, firms are keen to ascertain your gender (now and at birth), sexual orientation, religion, ethnicity, disability etc. But what do they do with this information? How is the collection of such personal data used to ensure a correct culture, and used to protect that employee from harm whilst working for that company? Or is that data collected to tick a box, to prove a point when asked, that the firm has the appropriate culture because it employs X number of BME, gay or disabled staff?
And even when trying to achieve a culture of openness, friendliness and inclusivity, senior managers cannot always do right for doing wrong, as we saw from the promotion of hugging staff at Ted Baker.
7. Staff training
It is no coincidence that adequate and appropriate staff training has always been a topic close to the hearts of the regulators, and when looking at the myriad of compliance topics that we expect our staff to deliver on, in addition to the actual job that they were employed to do, it is no wonder.
Investment in staff takes many forms, and training is just one of them, but regrettably this is one area that is all too often first in line for budget cuts whenever a firm is looking to make economic efficiencies.
However, placing the academic value of training to one side for a moment, if we are looking to improve our culture, and if we are seeking ways to measure how we deliver good behaviours, surely there can be no better place to start than looking at how well we train our staff to fulfil our core obligations, whether they be hard (regulatory and legal) or soft (customer-experience driven). Meeting these obligations, and a company’s desire to display good behaviour and culture, starts with recruiting the right people, and then ensuring that they remain the right people throughout their tenure in the company.
There are so many sayings that come to mind when thinking about this topic, such as “from small acorns grow big trees”, or “look after the pennies and the pounds will look after themselves”, but perhaps the best of all, and the most accurate, are a couple of quotes by Richard Branson, “I have always believed that the way you treat your employees is the way they will treat your customers and that people flourish when they are praised”, and “Train people well enough so they can leave, treat them well enough so they don’t want to”.
We need to remember, training is not supposed to be an annual roll-out of the same material so we can put a tick in the box. Training should be about imparting knowledge and/or changing behaviour, and if the material, medium or frequency of our staff training doesn’t deliver on these points, then we should seriously be considering whether it is fit for purpose.
8. Peer to peer communication
“What are my peers doing?” is the most frequently asked (or wondered) question in compliance circles, and it's not always easily answered. For anyone of an age to remember, in the 1990s and early 2000s industry forums and Chatham House Rule governed breakfast and lunch meetings with peer groups, to discuss the topics and challenges of the day, were very fashionable and very well attended events. Even Money Laundering Reporting Officers (MLROs) were able to enjoy a valuable relationship with other MLROs where a mutual customer might present some challenging characteristics.
However, sadly this fight-for-the-greater-good approach, like all good things, came to an end. It is hard to say exactly when or why, but I am sure that the build-up to and experience of the financial crisis in 2008 had a lot to do with it. Firms no longer had the time and budget to be hosting or attending such events, and with eyes firmly fixed on every penny in every budget, now was certainly not the time to be declaring that you needed the help of a peer group to do your job. Frankly, such an admission would undoubtedly result in you being replaced by one of that peer group whose opinion you seemed to value so highly.
But is all that changing again? Thankfully, it is in part. The UK regulator has long been advising firms to treat enforcement action against one firm as an industry-wide warning, and so horizon scanning and a more open inter-firm dialogue are starting to evolve once more. In an attempt to prevent one firm falling foul of the same pitfalls as another, the peer group breakfast and lunch meetings, with their frank and open exchanges of positions, experiences, pressures, pain-points and hard-fought solutions to the challenges of compliance today, are starting to pop up again, like a phoenix from the ashes.
From a financial crime perspective, encouraging the sharing of information and learning, to create a joined-up approach to fighting money laundering and terrorist financing exactly mirrors a key recommendation of the Financial Action Task Force. Perhaps, with the creation of the Office for Professional Body AML Supervision (OPBAS) and the National Economic Crime Centre (NECC), the regulators, supervisors and crime-fighting agencies are leading by example, and showing us that collaboration and communication is vital if we are to beat financial crime both at home and abroad.
9. Transaction monitoring
Not necessarily a new concept by any means, but one where there is a greater interest, or at least a greater interest in getting it right. Undoubtedly effective transaction monitoring has widespread benefits ranging from fraud prevention, AML & Counter-Terrorism Financing to identifying sales patterns and activity thus informing our marketing and product design.
But just like our sanctions screening rules and parameters, we also need to understand the rules behind our transaction monitoring and what drives the production of the daily/weekly/monthly reports. Despite its benefits, for example supporting the manual internal suspicious activity reporting mechanism or identifying out-of-character customer transactions in straight-through processing, transaction monitoring can quite often be left to its own devices, running unchallenged for some time.
Transaction monitoring is a significant contributor to a firm’s suite of systems and controls, and to retain credibility it needs to be kept up-to-date.
Areas needing review include:
- Products and services – Remove those no longer sold or administered and add any new ones
- Geography – Reflect any changes to a firm’s countries of operation
- Customers – Addition of any newly targeted customer bases
- Complaints – Include up-to-date root cause analysis information
- Fraud/AML – Up-to-date CDD should be available to measure transaction monitoring rules against
- Reporting – Old, unnecessary reports should not be produced anymore
It is fair to say that a number of transaction monitoring reports are produced from unyielding legacy systems, and some for products or customers that are not held any more, but to stop the report from producing each day/week/month is often more troublesome than simply letting it run. This is not ideal, but as long as it is known that this is happening, it is understandable and, to a degree, defensible.
However, our business model changes regularly, the compliance environment in which we operate changes even more frequently, and more often than not our transaction monitoring systems and parameters were designed and implemented some while ago. Just like all technology, something that was new and shiny five years ago is now tarnished and outdated, so we need to ensure that the controls that we seek to rely on reflect the world in which we work, operate and are governed today. A lack of appetite or investment in attaining compliance is not a position that is likely to be given any credence by the regulator.
10. Not forgetting the usual suspects...
Amongst the ever-increasing new trends, areas of focus and emerging compliance risks, firms are still dealing with the usual suspects in relation to compliance and financial crime as a whole: AML, CTF, Sanctions, Fraud, Bribery, Complaint Handling, Conduct Risk, Data Protection, Market Abuse, SMCR, use of Electronic Communications and Social Media, and Conflicts of Interest, to name but a few.
Cyber security, and in particular, email phishing is still the top concern for firms and their compliance departments. We reported on this in the six top compliance challenges we identified for 2019.
There can be no doubt that the world of compliance, regulation and legislation is a busy one, and it doesn’t show any signs of slowing down any time soon.
So how are firms dealing with this? Well, in the first instance, by acknowledging the vast complexities that exist and ensuring that they have the understanding and support of their board and senior management; the SMCR is certainly helping in this regard.
Secondly, by focusing on the risks, in a true risk-based approach, ensuring that the highest risk, or indeed the one most likely to materialise is managed and mitigated first, and with the most intense level of resource and support.
Finally, inter-dependence. Firms are seeing the benefit in spreading the load, involving Internal Audit more, seeking external assistance to manage pinch points and seeing the benefit in having the correct number of staff for the job at hand.
It is unlikely that any firm will ever reach a state of utopia when it comes to compliance. There will always be a “new kid on the block” for us to analyse, manage and control. As firms come to grips with the concept that compliance is a job for everyone, not only their compliance department, hopefully those “new kids” will not seem half as menacing or insurmountable.