Changing Compliance environment
October 21st, 2015
Romanian Banking Institute, Bucharest
Regulatory pressure is increasing while costs and consequences
for non-compliance are becoming more and more severe

Trends in regulatory requirements

More far-reaching, detailed and complex, with a higher moral bar applied:
▪ New regulation issued at accelerated speed
▪ Increase in detail and complexity
▪ Specific requirements often enforced ex-post

Higher scrutiny for international banks:
▪ Extra-territoriality imposed by more advanced regulators (e.g. US)
▪ Compliance with global corporate standards penalising international banks vs. locals

Consequences from non-compliance events
▪ Over EUR 10 bln for PPI mis-selling
▪ GBP 1.9 bln in fines and licence under threat due to missing anti-money laundering controls
▪ Bob Diamond resigned due to the LIBOR manipulation scandal
▪ BaFin opposed William Broeksmit's appointment as CRO on grounds of "professional qualification"
▪ Higher supervision following the recent scandals
Example of regulatory enforcement actions – Q3 2015 only!
▪ Crédit Agricole negotiated with US authorities to pay up to $1 billion to settle
allegations of violating the US embargoes on Iran and Sudan.
▪ BNP Paribas paid a fine of $115 million for FX benchmark manipulation: starting in
2003, traders at a group of large banks shared confidential customer information and
discussed trading strategies in private chatrooms to manipulate the WM/Reuters
(World Markets/Reuters) closing spot rates.
▪ The Consumer Financial Protection Bureau (CFPB) and Department of Justice (DoJ)
issued a joint order against Hudson City Savings Bank for discriminatory practices
affecting majority Black and Hispanic neighborhoods that denied fair access to
mortgage loans. Hudson City was ordered to contribute $25 million to a loan subsidy
program, pay $2 million for targeted advertising and outreach, open new branches in minority
areas, and pay a $5.5 million penalty.
▪ The CFPB also announced actions against the nation's two largest debt buyers and
collectors for deceptive tactics in the collection of bad debt. The two companies agreed
to stop collection on $128 million worth of debts, refund $61 million, and pay $18 million in
penalties.
▪ Citigroup agreed to pay $180 million to settle charges that two of its subsidiaries
claimed that hedge funds that collapsed during the crisis were safe and low-risk
investments. The funds raised approximately $3 billion from about 4,000 investors before
their collapse.
New detailed regulations issued at accelerated speed and with
increasing complexity

Number of pages in regulation documents (chart)
  Basel I (1): 22
  Basel II (2): 333
  Basel III (2): 435
  EU CRD IV (3): 516
  Other key regulations (4): > 1,100
  Dodd-Frank Act (5): 848 (the Act itself); > 14,000 (implementing regulation written so far)
Bracket on the chart: Basel III, national implementation of Basel III and further
regulations in response to the financial crisis since 2010

1 BCBS Basel I Framework incl. amendments 1988-96
2 BCBS Basel II, Basel II.5, and Basel III Framework
3 European Capital Requirements Directive IV, proposal as of July 2011, ratified June 2013
4 Including other recommendations and regulations such as MiFID, EMIR/MiFID2, ICB, G-SIFIs, recovery and resolution frameworks, etc.
5 As of Summer 2013, only ~40% of Dodd-Frank regulation written (nearly 14,000 pages) according to Compliance Week
SOURCE: BCBS; EU Commission; Davis Polk; press
Growing application of regulations outside home
territory penalizes international banks vs. locals
ESTIMATES

Extraterritorial application of laws and regulations (anti-money laundering;
terrorism financing; tax and accounting compliance) penalizes international
banks vs. locals:
▪ ~25% of the Compliance budget of international banks relates to the enforcement of
extraterritorial laws and regulation
▪ ~53% of international banks declare that they have decided not to enter a line of
business, or to exit a business, due to compliance with another country's laws and
regulations
▪ Compliance with extraterritorial laws and regulation may imply up to 0.5% RoE
difference vs. a local player

SOURCE: 2012 Protiviti Financial Services Industry Survey; internal estimates
Challenges for effective non-financial risk control have become
transformational for leading institutions…

Stage 1: Late 90's-2008 – Business' focus on financial risks; non-financial risks
resolved by control functions
▪ Major focus of Risk function on financial risks – Operational Risk Management
mainly model- not management-driven
▪ Compliance function for oversight
▪ Low number of incidents and audit findings
▪ Limited accountability by business – delegation to the control functions

Stage 2: 2008-14 – Intensification, "modular remediation" approach
▪ Crisis losses, litigations, and incident reviews
▪ Increased focus of regulators, several hundred audit findings
▪ Remediation along multiple modules
  – New regulatory adherence
  – Turbo-charge OpRisk, Compliance and/or Legal TOM upgrade
  – De-risking/strengthening controls in business, e.g., benchmark submission
  – Audit finding remediation
  – Incident management
▪ Massive capacity build-up in control functions
▪ Budgets dominated by risk and regulation

Stage 3: 2015+ – Reinvigorated control framework (focus of current transformations)
▪ Uniform and forward-looking risk taxonomy beyond current regulation
▪ Full business-area (1st line) control structures, end-to-end accountabilities
and adequate resourcing
▪ Coordination and streamlining of the modules created in Stage 2
▪ Activation of control functions (2nd line) covering all risk types with adequate
resourcing
▪ Empowered audit function (3rd line) with effective tools, infrastructure, and
capabilities
▪ Stringent adaptation of business and operating model in light of new control
requirements
▪ Strong control culture with control framework embedded in the DNA of the
organization

SOURCE: McKinsey Risk Management Practice
…leading them to review Compliance role and operating model

Mandate and strategic priorities – Compliance mandate:
▪ Ensure compliance with regulations
▪ Partner to the business
▪ Maintain cost efficiency

Pillars/Lines of action:
a. Clarify mandate vs. first line of defense – foster accountability
b. Re-think delivery model vs. the business – partnership with business
c. Foster stronger integration vs. 2nd line of defense – integrate 2nd line control environment
d. Strengthen compliance culture of the front line – be consequent (apply consequences consistently)

Enablers:
▪ Organizational set-up, coordination mechanisms …
▪ Incentives, enforcement/escalation of breaches …
… shifting the mandate of the Compliance function increasingly
towards ensuring value creation
MANDATE AND STRATEGIC PRIORITIES

Increased customer satisfaction by serving customer needs in a fair way
▪ Better customer protection, e.g., against fraud and identity theft
▪ Increased customer orientation and service quality, e.g., "treat customers fairly"
▪ Reduced operational and service failures
▪ Improved reputation

Enhanced risk mitigation effectiveness
▪ Comprehensive approach across all processes and regions
▪ Improved controls across all lines of defense
▪ Improved governance, clear accountabilities and consequences
▪ Forward-looking view beyond immediate control and regulatory issues

Efficient compliance cost structure
▪ Risk-based prioritization of requirements and controls
▪ More efficient and effective business and control processes
▪ Increased automation and digitization of processes and controls

Improved alignment with the regulator
▪ Higher alignment with the regulator from use of superior compliance practices
…to better tackle emerging challenges
PILLARS/ LINES OF ACTION

a. From: Compliance Officers playing goal-keeper role for the businesses
   To: Front line playing goal-keeper role, with primary responsibility for
   compliance risk, based on expert advice of Compliance Officers
b. From: Compliance function focusing on policy making, control and ex-post
   remedial actions
   To: Compliance function partnering with business to address ex-ante the root
   causes of risk stemming from business processes
c. From: Compliance controls in addition to controls from other 2nd line of
   defense functions (e.g. Risk, Finance) – thus fostering lack of accountability
   To: Integrated 2nd line of defense hierarchy of controls to avoid gaps (e.g.
   risks not covered) and duplication of controls while ensuring full accountability
d. From: Consequence management based on informal management practices
   To: Formalized and structured positive and negative enforcement mechanisms to
   ensure embedding of compliance culture into front-line behavior
Front line appointed as primary responsible for Risk
compliance via clear split of responsibilities
a PILLARS/ LINES OF ACTION

Business line
  Risk identification:
  ▪ Applicability of rules and regulations
  ▪ Emerging risks (identification)
  Measurement and assessment:
  ▪ Operating controls
  ▪ In-line QC and monitoring process
  ▪ Complaints management
  ▪ Breaches escalation
  ▪ LOB reporting
  Mitigation:
  ▪ Mitigating actions (identification and execution)
  ▪ Policy and procedures

Compliance function
  Risk identification:
  ▪ Risks inventory
  ▪ Tolerance limits for individual defects/breaches
  ▪ Emerging risks (process for identification)
  ▪ Regulatory alerts for new/developing external risks
  Measurement and assessment:
  ▪ Results of LOB (review)
  ▪ Independent risk testing programs
  ▪ Risk aggregation across LOB "silos"
  ▪ Enterprise-wide reporting
  Mitigation:
  ▪ Mitigating actions (validation and monitoring)
  ▪ Policy and procedures
Example of detailed split of responsibilities in business line
controls vs. compliance function independent controls
a PILLARS/ LINES OF ACTION – CIB EXAMPLE

Responsibility split on the overall risk inventory
(per risk event: risk inventory; business line controls; compliance controls;
compliance advice)

Transaction level reporting
  Risk inventory: Deficiencies in measuring and monitoring of settlements
  Business line controls: Run reconciliation tests on a regular basis and
  maintain an issue log
  Compliance controls: Randomly select tests from the log and check that 1st line
  controls are executed as defined
  Compliance advice: Propose automatic reconciliation; analyze feasibility/costs
  with business and IT

Market manipulation
  Risk inventory: Deficiencies in controls on benchmark submission
  Business line controls: Check for unusual increase in trade flows
  Compliance controls: Check frequency and accuracy of 1st line control
  Compliance advice: Introduce 2nd line controls in Finance and/or Treasury

Conduct of employees
  Risk inventory: Improper business practices due to no controls on communications
  Business line controls: Dedicated inspections on the trading floor to ensure
  that private mobiles are not used
  Compliance controls: Listen to a certain % of random client calls per month
  Compliance advice: Embed into remuneration

Trading beyond mandate
  Risk inventory: No automatic controls on respect of trading mandates per
  trader/desk
  Business line controls: Review trading books and transaction history on a
  regular basis to ensure compliance with mandate
  Compliance controls: Check a certain % of trades per week vs. mandate of
  trader/desk
  Compliance advice: Propose embedding of controls into front-line tool; analyze
  feasibility/costs with business and IT

…
Compliance scans risks embedded into business practices and
selects key areas of focus for discussion with business
b PILLARS/ LINES OF ACTION – RETAIL EXAMPLE

Identified conduct risk exposures across product categories
[Heat map: retail product areas × product characteristics and lifecycle
management, each cell flagged Red, Amber or Green]
▪ Risk embedded in business practices assessed based on scoring of product
characteristics and lifecycle management
▪ Red, Amber, Green flag approach to identify key areas of focus for discussion
with the business

Product characteristics and lifecycle management (columns): Product design,
suitability, and usage; Product approval decisions; Product disclosure/marketing
practices; Customer communications and servicing

Retail product areas (rows):
▪ Payments: current account, debit card, cash deposit, cash withdrawal, payment orders
▪ Savings/investments: savings account, term deposits, mutual fund, retail
certificates, securities brokerage, portfolio management
▪ Lending: credit card, personal loan, car loan, mortgage
▪ Protection/insurance: life insurance, P&C insurance, PPI, safe/lockbox
Compliance also proactively engages business in a discussion
around risk drivers embedded into business practices
b PILLARS/ LINES OF ACTION – MORTGAGE EXAMPLE

Compliance function maintains a structured list of risk drivers; the assessment
for mortgage is shown alongside each group.

Product design, suitability, and usage
  Risk drivers:
  ▪ Cross-subsidies, concentrated profitability, penalty fees
  ▪ Ability to repay and sources of funds
  ▪ Lack of prescriptive tools to assess suitability for target segment
  ▪ Incidents of unanticipated usage
  Assessment for mortgage:
  ▪ Fixed installment and variable duration potentially pushing the latter above
  40 years

Product approval decisions
  Risk drivers:
  ▪ Inconsistent application of underwriting policies
  ▪ Variability of underwriting outcomes
  ▪ High volume of disputes on underwriting decisions
  Assessment for mortgage:
  ▪ High usage of escalation to credit committee for missing independent
  valuation of the real estate asset

Product disclosure and marketing practices
  Risk drivers:
  ▪ High product complexity
  ▪ Manual disclosure processes
  ▪ Sales to vulnerable groups
  ▪ Misaligned sales incentives
  ▪ Excessive focus on near-term earnings
  ▪ Variability of marketing practices
  ▪ Opaque communication in sales process
  Assessment for mortgage:
  ▪ Use of online channel, network of agents, points of sale and call center,
  implying high variability
  ▪ Network of agents and points of sale information material printed on site

Customer communications and servicing
  Risk drivers:
  ▪ High volume of complaints
  ▪ Untimely product information updates
  ▪ Long cycle times
  ▪ High volume of adverse customer decisions
  ▪ Lack of / poor availability of a single point of contact
  ▪ Data protection/privacy breaches
  Assessment for mortgage:
  ▪ No physical branch, no dedicated call center for mortgage, no dedicated call
  center for complaints
Compliance partners with Business to address risks' root
causes via revision of controls or redesign of the processes
b PILLARS/ LINES OF ACTION

Root causes identified, with the identified course of action for each:

▪ Fixed installment and variable duration potentially pushing the latter above
40 years
  – Launch massive campaign to convert to fixed rate
  – Introduce scenario analysis from the client perspective
▪ Use of online channel, network of agents, POS and call center implying high
variability
  – Redefine sales scripts to align the different channels and train agents and
  points of sale
  – Launch mystery shopping campaign to verify actual alignment
▪ Network of agents and POS info material printed on site
  – Eliminate printers from points of sale and move to use of pre-printed material
  – Allow agent sales only if the client submits a code printed on the official
  brochures
▪ High usage of escalation to credit committee for missing independent valuation
of the RE asset
  – Impose insurance for files with missing independent valuation and/or
  eliminate the possibility of approval by credit committee
▪ No physical branch, no dedicated call center for mortgage, no dedicated call
center for complaints
  – Training of specialized resources in the call center dedicated (not
  exclusively) to complaints management
Common risk taxonomy is key to assign
2nd LoD responsibilities
c PILLARS/ LINES OF ACTION

NON-FINANCIAL RISKS

Level 2 risk categories:
▪ Process Risk
▪ Disasters & Public Safety
▪ Technology & Infrastructure Failures
▪ External Fraud Risk
▪ Internal Fraud Risk
▪ People and Workplace Risk
▪ Clients, Products & Business Conduct Risk

Level 3 risk types (each mapped on the slide to a 2nd line control function with
primary responsibility): Systems Security; Theft and Fraud; Individual Employee
Related Matters; Safe Environment; Improper Business or Market Practices;
Selection, sponsorship & exposure; Unauthorised Activity; Physical Security;
Physical Security; Conflicts; Suitability, Disclosure & Fiduciary; Product;
Advisory Activities; Theft and Fraud; Systems Security; Customer Account
Management; Customer Documentation; Monitoring & Reporting; Transaction Capture,
Execution & Maintenance; Other Legal risk; Vendors & Suppliers; Trade
counterparties; Systems; Business disruptions; Accidents & Public Safety; Natural
Disasters and other events; Wilful Damage & Terrorism; Collective Labour Law;
Employee Lifecycle; Organisational Duties
(Theft and Fraud, Systems Security and Physical Security each appear twice in the
list.)

2nd line control functions holding primary responsibility: Compliance (incl.
Compliance/AML); Finance; Operational Risk Management (ORM); Corporate Security
Services; Anti-Fraud; HR; Legal; Corporate Information Security Office; Vendor
Risk Management. Some risk types are shared between functions (e.g. "Compliance,
Finance, ORM"; "HR and Compliance"; "Compliance/AML, Legal, Anti-Fraud";
"Compliance and Legal").

Example for gaps: "Collective Labour Laws" previously not covered by any control
function – now HR assigned with primary ownership.
Example for overlapping responsibilities: "Money Laundering" previously covered by
4 units (Compliance, Legal, Corporate Security Services, ORM) – now allocated to
Compliance/AML as primary owner.
Leveraging controls from other 2nd LoD functions is key to ensure
effectiveness and efficiency
c PILLARS/ LINES OF ACTION

Allocation of 2nd LoD control responsibility
▪ Clearly delineated 2nd LoD control responsibility required (minimum overlap, no
gaps) for effectiveness of control and avoidance of redundancies
▪ Allocation of 2nd LoD control responsibility based on legal/regulatory
requirements and level of expertise
▪ For adequate performance, enabling elements need to be in place, such as
  – Proximity to processes
  – Access to relevant data
  – Resources (quality/capabilities and quantity/capacity)
  – Infrastructure and tools for control activity/testing and reporting

Typical 2nd LoD risk type ownership set-up (2nd LoD control activities per risk
type)

Example 1 – Risk type: Market manipulation (benchmarks) (1); primary risk type
owner: Compliance
  Control 1: Compliance (policy, communication surveillance, training)
  Control 2: Finance (transaction surveillance)
  Control 3: Treasury (pre-submission price shift review)
Example 2 – Risk type: Hiring risk (2); primary risk type owner: HR
  Control 1: HR (hiring strategy, policy, processes, tools, communication and
  training)
  Control 2: Operations (background screening)
  Control 3: Credit risk management (creditworthiness check, if available)
Example 3 – Risk type: Processing risk (3); primary risk type owner: ORM
  Control 1: ORM (policy, bank-wide reporting, training)
  Control 2: Finance (quality control of all Finance-related processes, e.g.,
  reconciliations)
  Control 3: Credit risk management (document check, data quality check in credit
  application)

1 Risk of inadequate price submission to calculating agent in order to manipulate the market
2 Hiring inappropriate staff due to lack of adequate background screening or staff assessment (skills & culture) processes can lead to fraud and inadequate behavior
3 Risk of inadequate or failed internal processes
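The taxonomy slide and the allocation principle above ("minimum overlap, no gaps", exactly one primary owner per risk type) describe an invariant that can be checked mechanically once the ownership matrix is kept as data. The script below is an added example, not material from the deck or from any bank's tooling: risk-type and function names are taken from the slides, but the before/after assignments, the inclusion of "Money Laundering" as a risk type, the mapping of Systems Security to the Corporate Information Security Office, and the "Vendors & Suppliers" case are constructed for illustration.

```python
"""Coverage check for a 2nd-line-of-defense risk-type ownership matrix.

Added example, not from the deck or any bank's tooling: risk types and
function names are taken from the slides, but the assignments below are
constructed to mirror the two call-outs (an unowned "Collective Labour Law"
and a "Money Laundering" risk type owned by four units).
"""

PRIMARY = "primary"   # accountable risk-type owner (exactly one expected)
CONTROL = "control"   # supporting 2nd-line control activity, not ownership


def find_gaps(taxonomy, assignments):
    """Risk types in the taxonomy with no 2nd-line function at all."""
    return sorted(r for r in taxonomy if not assignments.get(r))


def find_unowned(assignments):
    """Risk types that have control activity but nobody accountable."""
    return sorted(r for r, entries in assignments.items()
                  if entries and not any(role == PRIMARY for _, role in entries))


def find_overlaps(assignments):
    """Risk types with more than one primary owner: duplicated accountability."""
    overlaps = {}
    for risk, entries in assignments.items():
        owners = sorted(f for f, role in entries if role == PRIMARY)
        if len(owners) > 1:
            overlaps[risk] = owners
    return overlaps


def validate(taxonomy, assignments):
    """Human-readable findings; an empty list means 'one primary owner per
    risk type, no gaps', which is the invariant the allocation principle asks for."""
    findings = [f"GAP: '{r}' has no 2nd-line function assigned"
                for r in find_gaps(taxonomy, assignments)]
    findings += [f"UNOWNED: '{r}' has controls but no primary owner"
                 for r in find_unowned(assignments)]
    findings += [f"OVERLAP: '{r}' has {len(o)} primary owners: {', '.join(o)}"
                 for r, o in find_overlaps(assignments).items()]
    return findings


def resolve_primary(assignments, risk, owner):
    """Return a copy in which `owner` is the single primary for `risk`; every
    other unit that previously claimed it is kept as a supporting control."""
    new = {r: list(e) for r, e in assignments.items()}
    others = [(f, CONTROL) for f, _ in new.get(risk, []) if f != owner]
    new[risk] = [(owner, PRIMARY)] + others
    return new


def functions_by_load(assignments):
    """Number of risk types each function is primary owner of (capacity check)."""
    load = {}
    for entries in assignments.values():
        for f, role in entries:
            if role == PRIMARY:
                load[f] = load.get(f, 0) + 1
    return dict(sorted(load.items()))


# Constructed sample: a slice of the slide's Level 3 list plus the
# "Money Laundering" type named in the overlap call-out.
TAXONOMY = ["Collective Labour Law", "Money Laundering",
            "Systems Security", "Physical Security", "Vendors & Suppliers"]

BEFORE = {
    # Four units all acting as owner: the overlap from the slide.
    "Money Laundering": [("Compliance/AML", PRIMARY), ("Legal", PRIMARY),
                         ("Corporate Security Services", PRIMARY), ("ORM", PRIMARY)],
    "Systems Security": [("Corporate Information Security Office", PRIMARY)],
    "Physical Security": [("Corporate Security Services", PRIMARY)],
    # Controls are run but nobody is accountable (assumed case, not on the slide).
    "Vendors & Suppliers": [("Vendor Risk Management", CONTROL)],
    # "Collective Labour Law" intentionally absent: the gap from the slide.
}

# Target state: HR takes the gap, Compliance/AML becomes sole AML owner,
# Vendor Risk Management is promoted from control activity to owner.
AFTER = resolve_primary(BEFORE, "Money Laundering", "Compliance/AML")
AFTER["Collective Labour Law"] = [("HR", PRIMARY)]
AFTER = resolve_primary(AFTER, "Vendors & Suppliers", "Vendor Risk Management")

if __name__ == "__main__":
    for label, matrix in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for line in validate(TAXONOMY, matrix) or ["OK: one primary owner per risk type"]:
            print(line)
    print(functions_by_load(AFTER))
```

Running it prints one GAP, one UNOWNED and one OVERLAP finding for the "before" matrix and "OK" for the "after" matrix. Keeping the demoted units as supporting controls (rather than dropping them) preserves the distinction the next slide draws between the primary risk-type owner and the other functions' control activities.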
From informal consequence management approach to
structured scoring of behaviours
d PILLARS/ LINES OF ACTION

From: Enforcement via compensation committee
▪ Aggregation/allocation of breaches across individuals, areas and functions
▪ For all employees, inclusion of personal breaches into performance charter
▪ For middle/top management, inclusion into performance charter of:
  – Personal breaches
  – History of breaches (frequency and severity) for the area/function of
  responsibility
▪ Discussion in compensation committee of potential adjustments to individual
bonus and bonus pool for the area/function (no explicit weighting)

To: Structured scoring approach
▪ Monitoring system of breaches based on structured indicators around the pillars
of Group Risk Culture
▪ Behaviors resulting in breaches of specific indicators are weighted based on
frequency and severity of the incident
▪ Aggregated compliance scores are produced for individuals, areas and functions
and monitored via structured reporting
▪ Consequence management decided upon discussion in committee, but based on
specific materiality thresholds
▪ Consequences may include reduction in bonus, no promotion, firing