Banks trying to cope with increasingly high regulatory burdens can learn many lessons from how they managed compliance with the Sarbanes-Oxley Act.
Congress frequently passes major legislation in reaction to crises. Both Sarbanes-Oxley and the Dodd-Frank Act share such heritage.
Looking back at SOX
The Sarbanes-Oxley Act (SOX) became law in 2002 as a reaction to accounting scandals at Enron, Tyco, Adelphia, and WorldCom. These scandals cost investors billions of dollars. SOX addressed corporate governance, board responsibilities, and financial disclosures.
The Act created a new agency, the Public Company Accounting Oversight Board, which provided oversight and regulation of public accounting firms. Restrictions were placed on non-audit activities of audit firms and partner rotation rules were tightened to help ensure the independence of the audit firms.
One of the most significant aspects of SOX was Section 404. This section required management to certify in writing that the internal controls over the financial reporting of the company were effective. Although management has always been responsible for the financial statements and the internal controls around them, having to sign a statement that would be included in the 10-K was a different matter.
Companies invested heavily in their internal audit, information security, and IT functions to create and test those controls. Significant effort was devoted to documenting every process in the company that could possibly have an impact on the financial statements.
Controls were put on controls, which were further controlled by other controls.
No one wanted to be the one who had to tell the CEO his publicly filed certification was wrong!
Now, consider Dodd-Frank
Eight years later, Dodd-Frank became law in reaction to the financial crisis of 2008. The activities of certain financial players, particularly those dealing with subprime mortgages and the securitization of those loans, cost investors trillions.
The multi-faceted Act encompasses the concept of too big to fail, the fair treatment of consumers, abusive mortgage practices, the regulation of systemically important financial institutions not previously subject to federal regulation, and a number of other key issues. The Act created a new agency, the Consumer Financial Protection Bureau (CFPB).
At the same time Dodd-Frank was becoming law, banks faced interagency foreclosure reviews, a settlement with the states’ Attorneys General, and lawsuits filed by investors and the government over the subprime residential mortgage-backed securities issued at the time. More recently, the government-sponsored enterprises (GSEs) have become more active in their attempts to put back loans.
And, on top of all this, regulators significantly increased their efforts to enforce existing statutes, such as the anti-money-laundering laws and fair-lending statutes. Significant new regulations are being issued by the prudential regulators and the CFPB, including the new mortgage rules, which just became effective, more formalized third-party risk management rules, and capital stress testing requirements.
Banks’ reaction has been understandable. They are making significant investments in people and technology focused on risk management and regulatory compliance. Risk and compliance people are being embedded in every aspect of a bank’s business, thus creating the same layering effect we saw with SOX when controls were put in place to control other controls.
In bank mortgage divisions, for example, you may have quality control and quality assurance groups, Internal Audit, ERM, Operational Risk, and Regulatory Compliance all reviewing the same activities.
No one wants to tell the CEO about any new putback, enforcement action, or fine!
Wait a minute, doesn’t this sound familiar?
Shortcutting the learning process
So what happened once SOX had been around for several years?
And what can banks learn from recent history?
Companies reached a tipping point and realized they had overdone it with controls. A wave of finance process improvement ensued, where companies looked at ways to provide the same effective controls more efficiently.
They automated controls, consolidated and centralized functions, and outsourced other functions, converting fixed costs to variable costs. Processes were broken down into common elements where internal control expertise was not needed, and those processes were often offshored to lower-cost jurisdictions.
Can banks learn from the SOX experience, and take a short-cut before déjà vu hits?
Yes—a basic three-step process improvement methodology can be applied by banks today to achieve those same efficiencies companies secured through finance transformation.
1. Banks must first understand their current state.
Get a good grasp of who is involved, what they are doing, what systems are involved, and the true costs of these people, processes, and technologies.
2. Determine your future state: What are your goals and what is the optimal way to achieve them?
There is no one silver bullet for all banks, but with vision, creativity, and an understanding of best practices in compliance and risk management, banks can develop an optimal future state for their risk and compliance functions that maintains effectiveness while improving efficiency.
Identify the obstacles to achieving the future state. These could be short-term budget concerns; a lack of knowledge that alternatives exist; structural issues, such as turf battles; or even inertia.
3. Develop and execute an action plan.
Once you know the roadblocks to success, develop a plan to eliminate them, secure executive sponsorship and the budget for the plan, and execute it.
Adaptation is already underway
It appears that banks may just be reaching the tipping point that companies reached after SOX was enacted. It seems we are in the seventh or eighth inning: some of the largest banks appear to have reached the point where the costs of compliance and risk management are not sustainable, and they are beginning to evaluate alternatives for optimizing their risk functions.
Hopefully more banks will remember the lesson from SOX that effective controls can be achieved more efficiently—with effort.
About the author
Dan Hayes, a senior director of Treliant Risk Advisors, has 30 years of diverse experience as an advisor, CFO, and investment banker. Hayes has advised companies on a variety of critical financial, risk, and operational issues, including improving financial processes, documentation of processes and controls, tax, human resources, corporate real estate, and strategies to address nonperforming assets and raise capital. Prior to joining Treliant, Hayes was a Director in the financial services risk advisory practice at McGladrey, a provider of consulting services to community and regional banks.