U.S. financial institutions have never been more focused on the regulatory compliance risk management function—nor spending so much money to get the job done.
Since the passage of the Dodd-Frank Act, with its almost 400 required regulations, and the creation of a new regulatory agency (the Consumer Financial Protection Bureau), there have been a great many regulatory changes. And there has been a seismic shift in regulator attitudes, with which banks are still struggling to cope.
The combination of these events results in a situation where banks, particularly large ones, have had a difficult time developing compliance programs that actually work.
Not only is it difficult to create workable and effective compliance programs; institutions, both large and small, are spending tens of millions of dollars trying. This situation is not likely to get better any time soon.
Time to stop repeating the same approach?
Everyone knows the old way of managing compliance is not working anymore. Yet most compliance professionals just keep trying harder. They sweat to establish more monitoring programs, create new risk assessments, develop better complaint management processes, write new procedures, and, most importantly, hire new people.
They are running faster—but never reaching the goal.
I submit that the only way that large banks can implement effective regulatory compliance programs at an affordable cost is to treat compliance as though it were an element of product quality. The key to making that work is to require the line of business owners to “own” compliance quality. They would accept this as they would any other quality component, such as customer service.
Is this outlandish? Only in banking, it would seem.
Historically, regulatory compliance has been seen as a completely separate function from the business lines; it has typically been owned by Risk Management or Legal. Frequently, Compliance has not been highly regarded by the bank’s executive management.
No other U.S. industry operates this way.
Think about this: In every other industry the business product executive owns every aspect of the product.
Consider the automobile industry, for example. The executive in charge of a particular car model will own and control every part of that car’s design, manufacture, and sale. If the car sells well and performs well, the product owner and his or her team reap the rewards. If there are defects, and a recall happens, he or she also takes responsibility for that and accepts the consequences for this outcome.
Imagine a car built the banking way …
But imagine what would happen if that business line executive did not regard the emissions control mechanisms to be within his jurisdiction, so that he just ignored that part of the car?
Because emissions controls are governed by federal and state regulations, the executive might just say, “It’s just government regulations; let the compliance group be responsible for that.”
As the car goes down the assembly line, no one is installing the emissions control parts. They are waiting until a separate compliance team installs them almost at the end of the line. The business line does not care how the emissions parts are installed because that system is outside their purview.
Of course, this sounds silly on its face. In reality no part of the process of designing and manufacturing the car is left to another entirely separate group that is in a different reporting line. The executive who owns the car model owns everything because he or she wants to make sure it is made well.
However, in banking, the regulatory aspect of a product has always belonged to the compliance team, in most institutions. Compliance is part of the so-called “second line of defense,” whereas the line of business, the “first line of defense,” is responsible for the other aspects of a product.
A business line will control its own product development, marketing, and sales. But when it comes to regulatory compliance the role of the business line is only to cooperate with the compliance team as they attempt to keep the product and the practices surrounding it in compliance. The business does not step up to own the entire compliance process.
Compliance starts with a handicap
In order to be effective, a bank’s compliance group must strive to be included in the right meetings and conversations and then monitor and test all of the functions to find errors. When the compliance folks find questionable practices, often the harder work begins. The compliance group usually must resort to persuasion tactics to get things changed or to have things fixed.
Normally, Compliance has limited leverage and no final control over the bank’s practices.
This state of things is where the industry’s basic problem lies. Effective compliance programs will work efficiently when the first line of defense owns regulatory compliance as a quality component of its products and services. Any other distribution of responsibilities leaves the compliance function in a second-class position.
No amount of money will solve that problem.
Banking’s compliance norm must change
The key to effective compliance is to consider it to be a quality component and to require the business line to own it. This means:
• Those businesses would be primarily responsible for effecting compliance within their own lines.
• Business lines would not expect that the compliance risk management team would intervene to make sure that there were no problems.
• If regulatory agencies found violations, the line of business executives would take the responsibility for that. They and their teams would be the ones to bear the consequences of mistakes.
This is not the norm in most institutions today. In the next article in this series I will examine how this new way of organizing a regulatory compliance program can be implemented.