Several weeks ago I had a post about compliance trends in the financial sector, based on a report from Thomson Reuters. That report found most financial firms aren’t cutting compliance budgets, and it offered practical insights into how compliance officers might tiptoe into more automation and use of technology.
Both issues are important for compliance function leaders, so today we have a follow-up podcast with one of the authors of that report: Susannah Hammond, senior regulatory regulatory expert with Thomson Reuters Risk Intelligence. You can hear the full 15-minute interview above (I reached Susannah by phone in rural England), and meanwhile, here are some key thoughts below.
Regulatory uncertainty is still driving budgets and priorities. The Thomson report surveyed more than 800 compliance officers at financial firms around the world, and 94 percent of them said their budgets for next year will either increase (61 percent) or hold steady (33 percent). Similar numbers said the same for staffing levels.
So, um, what’s that about? Aren’t financial firms supposed to be hacking budgets for compliance and staff left and right?
Hammond admits she was surprised at those figures too, since last year’s report hinted that budget cuts might indeed be coming. Her theory: even if deregulation of the financial sector does happen over the long term, in the immediate term that’s still a lot of regulatory change to digest. The implications need to be considered and managed, and that takes time and people. (And while we talk a lot about deregulation in the United States, it’s unclear how much deregulation is truly happening across the whole globe.)
“Firms need compliance functions — and functionality — to deal with regulatory change,” Hammond said. The key word there is functionality: an ability to get things done. Even if those things to do are moving in a direction opposite of what we’ve seen in the last decade, they’re still things to do. Firms need people, technology, and resources to do them.
Even if deregulation of the financial sector does happen over the long term, in the immediate term that’s still a lot of regulatory change to digest. The implications need to be considered and managed, and that takes time and people.
Awareness of IT strategy is crucial. Two of the top concerns for compliance officers in the report were compliance with the EU General Data Protection Rule, and cybersecurity generally. That’s no surprise.
But when you frame those concerns as issues to manage at an actual organization, the perspective changes. It becomes much less, “How do we keep confidential data secure?” and much more, “How do we configure our IT systems and applications to keep data secure?”
That is, compliance officers need to participate in conversations about IT strategy from the start, to address privacy and security risks as those systems are selected and developed. Otherwise compliance becomes (yet again) another bolt-on exercise at the end of a business process — a drag on performance that operations people don’t like because it slows them down, and CFOs don’t like because it costs them money.
Which leads to the next question: Are compliance officers sufficiently versed in technology to participate in those conversations? Is your board? “One of the things we’ve seen repeatedly is that it’s the boardroom who need to up their technology skills,” Hammond said.
I’ve said before that we’re at a precarious moment for compliance technology. In a world where the tech can do whatever the company wants, corporate executives now actually have to understand what they want the tech to do. That’s a big ask for some organizations.
Hammond phrased that point more diplomatically: “One of the many ramifications of the fintech-regtech revolution is that the need to truly understand what technology can or can’t do for you has been much more prevalent.”
Regulatory focus on culture is driving up liability concerns. Another finding that surprised me: fears about compliance officer liability are rising — which, at least in the United States, isn’t supposed to be a concern, since regulators keep saying that they don’t want to pursue compliance officers for broader failures beyond their ability to control.
Globally, the picture is different. The Senior Managers Regime in Britain, for example, does push more responsibility onto senior executives for an ineffective compliance program. Hammond said that since compliance officers are part of that senior team (yay!) they also feel that added pressure (awww).
“We’re seeing compliance officers understanding that their personal liability is still increasing, but I would suggest it’s increasing alongside senior managers as a whole, rather than CCOs being singled out,” she said. And that does square with U.S. officials who stress that they have never intended to single out compliance officers.
The podcast also talks about how compliance officers can think about automation smartly (since an ill-conceived push into automation is pointless at best, disastrous at worst); and about concerns over corporate culture rising to be a big fear for compliance officers these days